4 Replies Latest reply on Mar 26, 2012 1:21 PM by igoncalves

    Best way to handle IDP exceptions

    igoncalves

      Hello!

       

What's the best way to handle the exceptions thrown by IDPBrowserSSOValve?

       

      We deployed PicketLink as our authentication/authorization infrastructure and there are several applications as service provider using our structure.

       

When the infrastructure team is deploying an SP, they sometimes have problems related to misconfiguration, keystores and such, like "PL00019 Validation check failed", "PL00058 KeyStoreKeyManager : Domain Alias missing", "IssuerNotTrust" and others.

       

Thus our team, as the development team, would like to handle this exception in the IDP and show a nice/useful message (instead of a white page) to the user when this happens. It would help us a lot, especially in the test cycle, when we have about 50 developers programming different SPs and integrating with our PicketLink.

       

      We are looking for a way to capture the exceptions thrown by the valve and handle such exceptions. Do I need to extend the valve to handle such errors?

       

      Thanks.

       

      Ismael Goncalves

        • 1. Re: Best way to handle IDP exceptions
          pcraveiro

          Hi Ismael,

           

              The SAML2 spec says that errors have to be returned to the Service Provider.

           

If you look at the IDPBrowserSSOValve, a SAMLResponse is always created in case of failures and the valve tries to send it back to the SP.

           

              I think that the blank/white page you are facing is because the destination is not set. Please, look at the log files for an entry like this one:

           

                    javax.servlet.ServletException: PL00092: Null Value:Destination

           

              Can you also attach your logs ?
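The error path described in the reply above, as an added example (Python, not PicketLink's or the valve's own code): the IdP must answer an SP-initiated AuthnRequest with a samlp:Response whose Status carries an error code, and to do that it first has to resolve a Destination. The SP registry, the IdP entityID, the sample AuthnRequest and the DestinationUnknown exception are all assumptions constructed for the example; when no destination can be resolved it raises instead of emitting a response with a null Destination.

```python
"""SAML 2.0 error path for an SP-initiated AuthnRequest (added example, not
PicketLink code). On an IdP-side failure the IdP still answers the SP with a
<samlp:Response> whose <samlp:Status> carries an error code; to do that it must
first resolve a Destination, and the example refuses loudly when it cannot."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"  # IdP-side failure
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"  # bad/untrusted request
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_ENTITY_ID = "https://idp.example.com"  # assumed IdP issuer
# Constructed registry standing in for the IdP's SP configuration:
# SP entityID -> assertion consumer service URL the error must be sent to.
SP_REGISTRY = {"https://sp-a.example.com/sales": "https://sp-a.example.com/sales/acs"}

# Constructed AuthnRequest from the registered SP.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req123" Version="2.0" IssueInstant="2012-03-26T13:00:00Z"
    AssertionConsumerServiceURL="https://sp-a.example.com/sales/acs">
  <saml:Issuer>https://sp-a.example.com/sales</saml:Issuer>
</samlp:AuthnRequest>"""


class DestinationUnknown(Exception):
    """No URL to return the error response to; surface this instead of a blank page."""


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def resolve_destination(req, registry=SP_REGISTRY):
    # Only the registered ACS URL is used. The AssertionConsumerServiceURL attribute
    # of an unsigned request is attacker-controlled, so it must never become the
    # Destination on its own; at most it is checked against the registered value.
    acs = registry.get(req["issuer"])
    if acs is None:
        raise DestinationUnknown(f"no registered ACS URL for issuer {req['issuer']!r}")
    if req["acs_url"] and req["acs_url"] != acs:
        raise DestinationUnknown(f"request ACS URL {req['acs_url']!r} does not match registry")
    return acs


def build_error_response(req, destination, status_code, message):
    if not destination:  # the "Null Value: Destination" condition, caught before building
        raise DestinationUnknown("Destination is null")
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination, "InResponseTo": req["id"],
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def handle_failure(authn_request_xml, status_code, message):
    """Error path: resolve where to send the error first, then build the Response.
    Returns (destination, response_xml); raises DestinationUnknown when the IdP
    has nowhere to send it, which is the case to show the user a real error page."""
    req = parse_authn_request(authn_request_xml)
    destination = resolve_destination(req)
    return destination, build_error_response(req, destination, status_code, message)


def response_fields(response_xml):
    """Pull the fields an SP would look at out of a Response (used for checking)."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    return {
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status_code": status.find(f"{{{SAMLP}}}StatusCode").get("Value"),
        "status_message": status.find(f"{{{SAMLP}}}StatusMessage").text,
    }


if __name__ == "__main__":
    dest, xml = handle_failure(AUTHN_REQUEST, STATUS_RESPONDER, "PL00019: Validation check failed")
    print("POST error Response to", dest)
    print(xml)
    rogue = AUTHN_REQUEST.replace("sp-a.example.com/sales", "rogue.example.net")
    try:
        handle_failure(rogue, STATUS_RESPONDER, "PL00019: Validation check failed")
    except DestinationUnknown as e:
        print("refused:", e)
```

The second call in the main block is the interesting one: an AuthnRequest from an issuer the IdP does not know yields no destination, so the right outcome is a clear exception (and an error page rendered by the IdP), not a Response addressed to nowhere.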

          • 2. Re: Best way to handle IDP exceptions
            igoncalves

            Hello Pedro.

             

I understand. Well, every time we got, for example, a "PL00019 Check Validation" we also got a "Null Value: destination".

If the IDPBrowserSSOValve was supposed to send the error back to the SP, I think it isn't happening, probably due to the Null Value.

             

In order to simulate the exception below, I just changed the "alias" in my picketlink-idfed.xml on the IDP, making it match another certificate.

             

Observe that everything is set up properly, because once I assign the right certificate everything works fine.

             

Here is the log:

             

            10:24:43,558 ERROR [IDPWebBrowserSSOValve] Exception in processing request:

            java.security.GeneralSecurityException: PL00019: Validation check failed

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:548)

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:404)

                    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)

                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

                    at java.lang.Thread.run(Thread.java:662)

            10:24:44,491 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing

            javax.servlet.ServletException: PL00092: Null Value:Destination

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLResponseMessage(IDPWebBrowserSSOValve.java:825)

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:408)

                    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)

                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

                    at java.lang.Thread.run(Thread.java:662)

             

             


            • 3. Re: Best way to handle IDP exceptions
              pcraveiro

              Hi Ismael,

               

I created a thread in the PL design forum to discuss this problem and find the best solution to solve it. Here is the link https://community.jboss.org/thread/197488.

               

              Regards.

              Pedro Igor

              • 4. Re: Best way to handle IDP exceptions
                igoncalves

                Hi Pedro.

                 

                Thanks for helping.

                 

As I understand it, it seems there is a "gap" in this part. We are going to follow the discussion in the PL design forum.

                 

                Best Regards.

                 

                Ismael Goncalves

                Pedro Igor wrote:

                 

                Hi Ismael,

                 

I created a thread in the PL design forum to discuss this problem and find the best solution to solve it. Here is the link https://community.jboss.org/wiki/HandlingErrosDuringASP-InitiatedAuthentication.

                 

                Regards.

                Pedro Igor