7 Replies Latest reply on Feb 28, 2011 10:10 AM by Anil Saldanha

    Cannot forward after response has been committed

    Vladimir Albis Newbie

      Hi, many thanks for your help.

       

      My environment is the following:

      JBoss-5.1.0.GA

      idp-1.0.4.final deployed in A server

      employee-1.0.4.final deployed in B server

       

      After second test i am always getting the following exception in B server

       

      10:55:01,491 WARN  [FormAuthenticator] Unexpected error forwarding to login page

      java.lang.IllegalStateException: Cannot forward after response has been committed

              at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:320)

              at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:310)

              at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:316)

              at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:244)

              at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:330)

              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)

              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

       

      When requesting for http://192.168.0.197:8080/employee-1.0.4.final/ idp login form appears with SAMLRequest parameter. After click in login button

      browser shows http://192.168.0.197:8080/employee-1.0.4.final with SAMLResponse parameter but the page is not render, JBoss logs shows the aboce exception.

       

      What am i missing?

        • 1. Cannot forward after response has been committed
          Anil Saldanha Master

          Check this cheatsheet out. http://community.jboss.org/wiki/CheatsheetPicketLinkandJBossAS

           

          You can also try out the employee-post  war file that uses SAML/POST binding.

          • 2. Re: Cannot forward after response has been committed
            Vladimir Albis Newbie

            Hi, thanks for your comments

             

            The examples are working very well in the same server, with localhost or even when i run JBoss with -b 0.0.0.0.

             

            The exception i am getting is when i have sp in a different server than idp. Redirection in URL is correct, with parameters (SAMLRequest, SAMLResponse) but a loop is created in server where sp is running showing java.lang.IllegalStateException: Cannot forward after response has been committed.

             

            I will enable logs and try to find more about this. Thank you.

            • 3. Re: Cannot forward after response has been committed
              Anil Saldanha Master

              Vladimir,  there may be a bug in the PicketLink code. So anything that you trace out of the logs may be useful.

               

              By the way, we do have the last PicketLink v2 builds.  I don't think that will help, but certainly you can give it a try.

              • 4. Cannot forward after response has been committed
                Vladimir Albis Newbie

                Hi, after checking logs, i found that this exception is happening when SP is checking whether the assertion has expired. The time in SP server system (Windows) was a couple of minutes before then the time in IDP server system (Windows). From the logs i could see that if this validation fails, IDP was again receiving the authentication request, IDP returned all okay, but the assertion was expired in SP. For testing i set the time in SP server system after IDP system server time with a difference of around 5 seconds and all went okay.

                 

                Thanks for your help.

                • 5. Cannot forward after response has been committed
                  Anil Saldanha Master

                  Vladmir,  if the assertion expirty message is logged at trace level, I will have to change it to a higher level. The expiry is an important state.  Can you just copy paste the 3-4 lines of the log message if you have it?  If not, its fine, I will figure it out.

                  • 6. Cannot forward after response has been committed
                    Vladimir Albis Newbie

                    Yes, i could, i just hope it's what you want. These are from SP. The first one is printed right before using a util class for validation. Regards

                     

                    2011-02-28 10:22:09,402 TRACE [org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http-0.0.0.0-8080-1) Now=2011-02-28T10:22:09.402-04:00 ::notBefore=2011-02-28T10:22:10.487-04:00::notOnOrAfter=2011-02-28T10:27:10.487-04:00

                    2011-02-28 10:22:09,402 TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Handlers are:[org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1298c7d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@bde411]

                    2011-02-28 10:22:09,402 TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Handlers are : [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1298c7d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@bde411]

                    2011-02-28 10:22:09,402 TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler

                    2011-02-28 10:22:09,402 TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler

                    2011-02-28 10:22:09,402 WARN  [org.apache.catalina.authenticator.FormAuthenticator] (http-0.0.0.0-8080-1) Unexpected error forwarding to login page

                    java.lang.IllegalStateException: Cannot forward after response has been committed

                    • 7. Cannot forward after response has been committed
                      Anil Saldanha Master

                      Thanks Vladimir.  I have checked and I see that we throw exceptions when the assertion has expired....

                       

                      By the way, dont forget to vote for PicketLink community. http://community.jboss.org/thread/163284?tstart=0