2 Replies Latest reply on Nov 23, 2010 8:57 AM by jeanluc

    SamlSingleSignOnReceiver.loginUser: "User is already logged in."

    jeanluc

      Hello,

      I ended up looking in org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver because of the following exception:

      Caused by: java.lang.RuntimeException: User is already logged in.
              at org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver.loginUser(SamlSingleSignOnReceiver.java:302)
              at org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver.processIDPResponse(SamlSingleSignOnReceiver.java:138)
              at sun.reflect.GeneratedMethodAccessor1450.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:597)
              at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
              at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
              at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
              at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
              at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
              at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
              at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
              at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
              at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
              at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
              at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
              at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)

      What is happening is that some users go to the protected app, get redirected to the SSO login page (OpenAM), log in and then click the Back button of the browser. I'm not sure if this affects other apps, but my question is about that validation. Why a runtime exception for this case (which bubbles up in the application)? Wouldn't it be better to silently handle this case?

      // org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver
      private void loginUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse,
              SeamSamlPrincipal principal, RequestContext requestContext) {
          // Rejects a SAML response arriving for a session that already holds an identity
          if (identity.isLoggedIn()) {
              throw new RuntimeException("User is already logged in.");
          }
          // ... rest of the method (not quoted here)
      }

      Thanks,

      JL

        • 1. Re: SamlSingleSignOnReceiver.loginUser: "User is already logged in."
          marcelkolsteren

          Hi Jean Luc,

          Carrying on with the processing when in an erroneous state can be harmful and can make the problem even worse, in my experience. In addition, being graceful to the user can also mean being graceful to an attacker. That's why I took this somewhat harsh approach to error handling (which I also applied in other situations).

          I understand that in some cases silent ignorance can give a better user experience, but then the following question pops up. Silently ignoring is in fact a way of "automatic correction" of the problem at hand. That can be done in two ways, depending on how the problem is interpreted:

          - The problem is that the user should have been logged out already. In that case, you fix the problem by automatically logging the user out, and then in again with the fresh credentials and attributes that have just been received from the identity provider.

          - The problem is that the user didn't want to log in again. In that case, you just skip the login part.

          I wouldn't know what approach to take. In fact the software needs to know what has been in the mind of the user when she went back to redo the login.

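An added illustration of the two "automatic correction" options above, written for this thread and not taken from PicketLink; class, method and policy names are hypothetical. It shows the one check that keeps the lenient path from being "graceful to an attacker": whichever policy the service provider picks, a response whose subject differs from the identity already in the session is never silently skipped.

```java
import java.util.Objects;

/** Hypothetical service-provider logic for a SAML response that arrives while
 *  the session is already authenticated (e.g. the user pressed Back and the
 *  IdP re-posted the response). Not PicketLink code. */
public class RepeatedSamlLoginHandler {

    /** Configurable behaviour for the "already logged in" case. */
    public enum Policy { FAIL, SKIP_LOGIN, RELOGIN }

    /** What the service provider does with the incoming assertion. */
    public enum Action { LOGIN, SKIP, LOGOUT_THEN_LOGIN, REJECT }

    private final Policy policy;

    public RepeatedSamlLoginHandler(Policy policy) {
        this.policy = Objects.requireNonNull(policy);
    }

    /**
     * @param currentSubject  subject of the session that is already logged in, or null
     * @param incomingSubject subject (NameID) carried by the freshly validated assertion
     */
    public Action decide(String currentSubject, String incomingSubject) {
        Objects.requireNonNull(incomingSubject, "assertion carries no subject");
        if (currentSubject == null) {
            return Action.LOGIN;                       // the normal first login
        }
        // A lenient path must never keep a session whose identity differs from
        // the one the IdP just asserted: for a different subject the only safe
        // outcomes are a full re-authentication or an outright reject.
        if (!currentSubject.equals(incomingSubject)) {
            return policy == Policy.RELOGIN ? Action.LOGOUT_THEN_LOGIN : Action.REJECT;
        }
        switch (policy) {
            case SKIP_LOGIN: return Action.SKIP;              // "user didn't want to log in again"
            case RELOGIN:    return Action.LOGOUT_THEN_LOGIN; // "user should have been logged out"
            default:         return Action.REJECT;            // FAIL mirrors the RuntimeException
        }
    }

    public static void main(String[] args) {
        RepeatedSamlLoginHandler h = new RepeatedSamlLoginHandler(Policy.SKIP_LOGIN);
        System.out.println(h.decide(null, "alice"));    // first login of the session
        System.out.println(h.decide("alice", "alice")); // Back button, same user
        System.out.println(h.decide("alice", "bob"));   // different identity in the response
    }
}
```

With Policy.FAIL the handler behaves like the quoted loginUser; with SKIP_LOGIN or RELOGIN only the same-subject case is treated leniently.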
          • 2. Re: SamlSingleSignOnReceiver.loginUser: "User is already logged in."
            jeanluc

            Hi Marcel,

            I think the harsh approach is a little bit too harsh in this case. I cannot think of an online site where I log in, click Back for whatever reason and see an "unexpected error" (the result of a RuntimeException bubbling up through Seam). I'm not sure why users would click Back (perhaps by accident or trying to go to something else in history), but what happens is that "unexpected errors" result in pager alerts to the IT support team and possibly calls to the online desk, plus the perception issue ("clicking Back caused an unexpected error?!").

            So out of the two options you listed, I'd prefer the latter. Now, is there a way to skip the login? I don't see where I can control this behaviour.

            Thanks again,

            -JL