6 Replies Latest reply on Dec 2, 2011 10:06 AM by Pedro Igor

    ClassCastException doing a Global Logout

    Pedro Igor Master

Hi,

I have two web applications (SP 1 and SP 2) deployed in different servers and both pointing to the same IDP. The SPs are using the SPRedirectSignatureFormAuthenticator valve.

When I try to do the following steps an exception is thrown:

1) Call the SP 1 and do an authentication;

2) Call the SP 2. At this moment Picketlink will not ask again for the credentials and the user is redirected to the index.jsp (Expected behaviour)

3) The user tries to logout from SP 1 and an exception is thrown.

Here is the stack trace:

       

java.lang.RuntimeException: PL00095: Wrong type:org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType
    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:535)
    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:404)
    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
    at java.lang.Thread.run(Thread.java:662)

It looks like the IDPWebBrowserSSOValve is receiving a SAMLRequest parameter with a StatusResponseType as a value. Debugging the code, I realized that the SPRedirectSignatureFormAuthenticator.getDestinationQueryString is not respecting the value of the sendRequest method parameter when creating the destination URL to be used to call the IDP. If the sendRequest parameter is false the URL must be created with the SAMLResponse and not with the SAMLRequest (I think).

Is this a bug or a misuse? If a bug, I already created a patch for this.
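To illustrate the mismatch the post describes, here is an added example that is not PicketLink code and not the poster's patch: a small stand-alone Java 11+ program with a hypothetical HTTP-Redirect binding encoder/decoder. `destinationQueryString` makes the choice the post says `getDestinationQueryString` should make (a message goes under `SAMLRequest` only when `sendRequest` is true, otherwise under `SAMLResponse`), and `classifyIncoming` shows the receiving side checking the parameter name against the XML root element before any cast, so a response arriving under `SAMLRequest` is rejected with a clear protocol error rather than a "Wrong type" runtime exception. All class and method names and the sample LogoutResponse XML are constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import java.util.zip.*;

/** Hypothetical helper (not PicketLink code): minimal SAML 2.0 HTTP-Redirect binding
 *  handling, enough to show SAMLRequest/SAMLResponse selection and the IDP-side check. */
public final class RedirectBindingExample {

    // Root element name, skipping an XML declaration and any namespace prefix.
    private static final Pattern ROOT = Pattern.compile("<(?![?!])(?:[\\w.-]+:)?([\\w.-]+)");

    /** HTTP-Redirect binding encoding: raw DEFLATE, then Base64, then URL-encode. */
    static String encodeMessage(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // true = no zlib header
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return URLEncoder.encode(Base64.getEncoder().encodeToString(out.toByteArray()), StandardCharsets.UTF_8);
    }

    /** Reverse of encodeMessage; fails loudly on a truncated payload instead of looping. */
    static String decodeMessage(String param) throws DataFormatException {
        byte[] deflated = Base64.getDecoder().decode(URLDecoder.decode(param, StandardCharsets.UTF_8));
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            if (n == 0 && inflater.needsInput()) {
                throw new DataFormatException("truncated or malformed DEFLATE payload");
            }
            out.write(buf, 0, n);
        }
        inflater.end();
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /** SP side: sendRequest=true -> SAMLRequest=..., sendRequest=false -> SAMLResponse=... */
    static String destinationQueryString(String xml, boolean sendRequest, String relayState) {
        String param = sendRequest ? "SAMLRequest" : "SAMLResponse";
        StringBuilder qs = new StringBuilder(param).append('=').append(encodeMessage(xml));
        if (relayState != null) {
            qs.append("&RelayState=").append(URLEncoder.encode(relayState, StandardCharsets.UTF_8));
        }
        return qs.toString();
    }

    /** IDP side: dispatch on the parameter that arrived and verify the root element agrees
     *  with it before handing the message to request- or response-specific code. */
    static String classifyIncoming(Map<String, String> query) throws DataFormatException {
        boolean hasRequest = query.containsKey("SAMLRequest");
        boolean hasResponse = query.containsKey("SAMLResponse");
        if (hasRequest == hasResponse) {
            throw new IllegalArgumentException("exactly one of SAMLRequest or SAMLResponse is required");
        }
        String param = hasRequest ? "SAMLRequest" : "SAMLResponse";
        Matcher m = ROOT.matcher(decodeMessage(query.get(param)));
        if (!m.find()) {
            throw new IllegalArgumentException("no XML root element in " + param);
        }
        String root = m.group(1);
        boolean rootIsRequest = root.endsWith("Request");
        boolean rootIsResponse = root.endsWith("Response");
        if ((hasRequest && !rootIsRequest) || (hasResponse && !rootIsResponse)) {
            throw new IllegalStateException(param + " carried a " + root + " element");
        }
        return (hasRequest ? "request:" : "response:") + root;
    }

    static Map<String, String> parseQuery(String qs) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : qs.split("&")) {
            int eq = pair.indexOf('=');
            out.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the LogoutResponse an SP returns to the IDP during global logout.
        String logoutResponse = "<?xml version=\"1.0\"?>"
            + "<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"_example\" Version=\"2.0\" IssueInstant=\"2011-12-01T00:00:00Z\">"
            + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>"
            + "</samlp:Status></samlp:LogoutResponse>";

        // Correct: sendRequest=false places the response under SAMLResponse.
        System.out.println(classifyIncoming(parseQuery(destinationQueryString(logoutResponse, false, null))));

        // The mismatch from the post: a response placed under SAMLRequest is rejected up front.
        try {
            classifyIncoming(parseQuery(destinationQueryString(logoutResponse, true, null)));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints `response:LogoutResponse` for the correct call and `rejected: SAMLRequest carried a LogoutResponse element` for the mismatched one. The point of the receiving-side check is diagnostic: whichever side is wrong, the IDP reports which parameter carried which element instead of failing on a type cast several frames deep.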