4 Replies Latest reply on Mar 26, 2012 1:21 PM by Ismael Gonçalves

    Best way to handle IDP exceptions

    Ismael Gonçalves Newbie

      Hello!

       

      What´s the best way to handle the exceptions thrown by IDPBrowserSSOValve?

       

      We deployed PicketLink as our authentication/authorization infrastructure and there are several applications as service provider using our structure.

       

      When the infrastructure team are deploying some SP sometimes they have problems related with misconfiguation, keystores and such, like "PL00019 Validation check failed", "PL00058 KeyStoreKeyManager : Domain Alias missing", "IssuerNotTrust" and other.

       

      Thus our team, as a development team we´d like to handle this exception in IDP and show a nice/userful message (instead of a white page) to the user when this happen. It would help us a lot especially in the test cycle when we have about 50 developers programming different SPs and integrating with our PicketLink.

       

      We are looking for a way to capture the exceptions thrown by the valve and handle such exceptions. Do I need to extend the valve to handle such errors?

       

      Thanks.

       

      Ismael Goncalves

        • 1. Re: Best way to handle IDP exceptions
          Pedro Igor Master

          Hi Ismael,

           

              The SAML2 spec says that errors have to be returned to the Service Provider.

           

              If you look at the IDPBroserSSOValve, a SAMLResponse is always created in case of failures and the valve try to send it back to the SP.

           

              I think that the blank/white page you are facing is because the destination is not set. Please, look at the log files for an entry like this one:

           

                    javax.servlet.ServletException: PL00092: Null Value:Destination

           

              Can you also attach your logs ?

          • 2. Re: Best way to handle IDP exceptions
            Ismael Gonçalves Newbie

            Hello Pedro.

             

            I understood. Well, all the times that we got for an example a "PL00019 Check Validation" we also got a "Null Value: destination".

            If the IDPBrowserSSOValve was supposed to sent the error back to the SP I think it doesn't happening, probably due the Null Value.

             

            In order to simulate the below exception I just changed the "alias" in my picketlink-idfed.xml IDP making it matches other certificate.

             

            Observe that everything is setup properly because once I assign the right certificate everything works fine.

             

            Follow is the log:

             

            10:24:43,558 ERROR [IDPWebBrowserSSOValve] Exception in processing request:

            java.security.GeneralSecurityException: PL00019: Validation check failed

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:548)

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:404)

                    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)

                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

                    at java.lang.Thread.run(Thread.java:662)

            10:24:44,491 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing

            javax.servlet.ServletException: PL00092: Null Value:Destination

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLResponseMessage(IDPWebBrowserSSOValve.java:825)

                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:408)

                    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)

                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

                    at java.lang.Thread.run(Thread.java:662)

             

             

            Pedro Igor wrote:

             

            Hi Ismael,

             

                The SAML2 spec says that errors have to be returned to the Service Provider.

             

                If you look at the IDPBroserSSOValve, a SAMLResponse is always created in case of failures and the valve try to send it back to the SP.

             

                I think that the blank/white page you are facing is because the destination is not set. Please, look at the log files for an entry like this one:

             

                      javax.servlet.ServletException: PL00092: Null Value:Destination

             

                Can you also attach your logs ?

            • 3. Re: Best way to handle IDP exceptions
              Pedro Igor Master

              Hi Ismael,

               

                  I created a thread in the PL design forum to discuss about this problem and find the best solution to solve it. Here is the link https://community.jboss.org/thread/197488.

               

              Regards.

              Pedro Igor

              • 4. Re: Best way to handle IDP exceptions
                Ismael Gonçalves Newbie

                Hi Pedro.

                 

                Thanks for helping.

                 

                As I understood, it seems there is a "gap" in this part.  We are going to follow the discussion in the PL design forum.

                 

                Best Regards.

                 

                Ismael Goncalves

                Pedro Igor wrote:

                 

                Hi Ismael,

                 

                    I created a thread in the PL design forum do discuss about this problem and find the best solution to solve it. Here is the link https://community.jboss.org/wiki/HandlingErrosDuringASP-InitiatedAuthentication.

                 

                Regards.

                Pedro Igor