SamlSingleSignOnReceiver.loginUser: "User is already logged in."
jeanluc Nov 19, 2010 5:20 PM
Hello,
I ended up looking in org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver because of the following exception:
Caused by: java.lang.RuntimeException: User is already logged in.
at org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver.loginUser(SamlSingleSignOnReceiver.java:302)
at org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver.processIDPResponse(SamlSingleSignOnReceiver.java:138)
at sun.reflect.GeneratedMethodAccessor1450.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
What is happening is that some users go to the protected app, get redirected to the SSO login page (OpenAM), log in and then they click the Back button of the browser. I'm not sure if this affects other apps, but my question is about that validation. Why a runtime exception for this case (which bubbles up in the application)? Wouldn't it be better to silently handle this case?
// org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver
private void loginUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse,
        SeamSamlPrincipal principal, RequestContext requestContext) {
    // Refuses to log in again when the session already holds an authenticated identity.
    if (identity.isLoggedIn()) {
        throw new RuntimeException("User is already logged in.");
    }
    // ... (rest of the method is not shown in the post)
}
Thanks,
JL
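
Added example, not part of the original post and not PicketLink or Seam code: one way to handle a second pass through the IdP-response path without a bubbling RuntimeException, while still refusing a response whose subject differs from the session's current user. All class, method and subject names below are hypothetical, and the response is assumed to have already passed signature and condition validation.

```java
import java.util.Objects;

// Added illustration; names are hypothetical, not PicketLink or Seam APIs.
public class AlreadyLoggedInPolicy {

    enum Outcome { LOGGED_IN, NO_OP_SAME_USER, REJECTED_DIFFERENT_USER }

    // Minimal stand-in for the session-scoped identity (assumption).
    static final class SessionIdentity {
        private String principal;               // null means not logged in
        boolean isLoggedIn() { return principal != null; }
        String principal() { return principal; }
        void establish(String name) { principal = name; }
    }

    // Decide what to do with an already validated IdP response for assertedSubject.
    static Outcome onIdpResponse(SessionIdentity identity, String assertedSubject) {
        Objects.requireNonNull(assertedSubject, "assertedSubject");
        if (!identity.isLoggedIn()) {
            identity.establish(assertedSubject);
            return Outcome.LOGGED_IN;
        }
        if (identity.principal().equals(assertedSubject)) {
            // Same user, response processed again (for example after browser Back):
            // leave the existing session untouched and send the user on to the app.
            return Outcome.NO_OP_SAME_USER;
        }
        // A response for another subject must not silently replace, or be
        // swallowed by, the current session. Return a distinct outcome so the
        // caller can log it and require logout plus a fresh login.
        return Outcome.REJECTED_DIFFERENT_USER;
    }

    public static void main(String[] args) {
        SessionIdentity session = new SessionIdentity();
        // Constructed subjects, for illustration only.
        System.out.println(onIdpResponse(session, "alice"));   // first response
        System.out.println(onIdpResponse(session, "alice"));   // processed again after Back
        System.out.println(onIdpResponse(session, "mallory")); // different subject
    }
}
```

The caller would map NO_OP_SAME_USER to a redirect to the originally requested page and REJECTED_DIFFERENT_USER to an error page plus an audit log entry.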