5 Replies Latest reply on Dec 27, 2012 1:54 PM by meetoblivion

    Re: Host "change password"-page on IDP

    mksplg

      It works to host a JSF index site if there is an index.jsf and index.xhtml present.

       

      However it's apparently not possible to link any resources (images/css) in the page. For example when adding an image with <h:graphicImage library="gfx" name="test.png"/> the image is shown but this exception is thrown:

       

      An exception or error occurred in the container during the request processing: java.lang.IllegalStateException: Cannot forward after response has been committed
                at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:417) [jbossweb-7.0.10.Final.jar:]
                at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:407) [jbossweb-7.0.10.Final.jar:]
                at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:399) [picketlink-jbas7-2.1.5.Final.jar:2.1.5.Final]
                at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]
                at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
      
      

       

      If the image is linked directly with <img src="resources/gfx/test.png"/> the same exception is thrown but nothing is displayed.

       

      Maybe this has something to do with Picketlink intercepting ALL requests (even requests to stuff that has no <auth-constraint/>s defined) and trying to load "/hosted/" instead. Is there anything I miss here, or is this expected?

        • 1. Re: Host "change password"-page on IDP
          anil.saldhana

          We intercept only secured resources. Maybe the security constraints are not properly defined?

          • 2. Re: Host "change password"-page on IDP
            mksplg

            I tried with the Quickstart example. I just deployed the idp.war from https://repository.jboss.org/nexus/service/local/artifact/maven/redirect?r=releases&g=org.picketlink.quickstarts&a=picketlink-quickstarts&v=2.1.5-2012Sep04&e=zip&c=webapps-jboss-as7.

             

            When I'm not logged in I can get the image from http://localhost:8080/idp/images/picketlink-banner-1180px.png fine. However if I try to get the image after I have logged in, I get the Exception mentioned in the previous post.

            • 3. Re: Host "change password"-page on IDP
              tim.kutz

              I am seeing the same exception on any attempt to access a secured resource in the idp application, once authentication has succeeded.  What appears to be happening is that after the resource itself is streamed, the IDP sends the html form that would normally take you back to the SP application.  You can force this behavior easily by doing the following steps to your IDP application:

               

              1 - set up a welcome-file entry, in web.xml:

               

              <welcome-file-list>
                <welcome-file>Welcome.jsp</welcome-file>
              </welcome-file-list>

               

              2 - Create a trivial page for the welcome-file:

               

              <html>
              <body>
              This is the welcome page.  It won't work properly.
              </body>
              </html>

               

              3 - Deploy the idp application.

               

              4 - Go to the idp url directly (not from an SP).

               

              The end result of these steps is that you will get the welcome page you configured to show up in Chrome or FF (IE won't display at all, but will show a progress bar that will never complete), but will have the form page also load, and re-submit back to the application.  This will continue in a loop until you stop the browser, or close the server.  A view source on the page in Chrome will show you your page, followed by the PicketLink generated forward page, such as:

               

              <html>
              <body>
              This is the welcome page.  It won't work properly.
              </body>
              </html>

               

              <HTML><HEAD><TITLE>HTTP Post Binding Response (Response)</TITLE></HEAD><BODY Onload="document.forms[0].submit()"><FORM METHOD="POST" ACTION="http://my.server.com/appname/"><INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="--LONG_BASE_64_ENCODED_STRING_HERE--"/></FORM></BODY></HTML>
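
Added example, not part of the original posts and not PicketLink code: a check that flags a captured response body in which a SAML HTTP POST binding form follows an already complete page, the symptom shown in the view-source output above. The function and class names are hypothetical and the sample bodies are constructed from the markup quoted in the thread.

```python
from html.parser import HTMLParser

class BindingFormScanner(HTMLParser):
    """Counts <html> documents in one response body and records SAML POST-binding forms."""
    def __init__(self):
        super().__init__()
        self.documents = 0            # <html> start tags seen so far
        self.autosubmit_docs = set()  # documents whose <body onload> submits a form
        self.form_action = None       # action of the form currently open
        self.hits = []                # (document index, form action, field name)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        if tag == "html":
            self.documents += 1
        elif tag == "body" and "submit()" in a.get("onload", ""):
            self.autosubmit_docs.add(self.documents)
        elif tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input" and a.get("name") in ("SAMLResponse", "SAMLRequest"):
            self.hits.append((self.documents, self.form_action, a["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def appended_binding_forms(body):
    """Return SAML forms that appear in a second or later <html> document of one body."""
    s = BindingFormScanner()
    s.feed(body)
    s.close()
    return [{"document": d, "action": act, "field": f, "autosubmit": d in s.autosubmit_docs}
            for d, act, f in s.hits if d > 1]

# Constructed samples modelled on the view-source output quoted in the thread.
WELCOME = "<html>\n<body>\nThis is the welcome page.\n</body>\n</html>\n"
BINDING = ('<HTML><HEAD><TITLE>HTTP Post Binding Response (Response)</TITLE></HEAD>'
           '<BODY Onload="document.forms[0].submit()">'
           '<FORM METHOD="POST" ACTION="http://my.server.com/appname/">'
           '<INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="PLACEHOLDER"/></FORM></BODY></HTML>')

if __name__ == "__main__":
    print(appended_binding_forms(WELCOME + BINDING))  # hosted page followed by the form
    print(appended_binding_forms(BINDING))            # normal stand-alone binding page
```

A stand-alone binding page is the expected SSO response and is not flagged; only a form that trails another document in the same body is reported.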

              • 4. Re: Host "change password"-page on IDP
                meetoblivion

                I'm reproducing this as well.  I'm using AS7.1.1 w/ Picketlink 2.0.3.  I exposed an OpenID authentication process on top of my SAML, so the SP redirects to my login page.  From the login page they can choose their OpenID provider, which does an HTTP request to the IDP (my app), forwards to the OpenID Provider (Google) and then redirects back to me.  The REST resource for the result is just trying to do an HTTP redirect to the resulting page on the SP (there's only 1 SP in this case). When that occurs, I'm getting this hosted URL error, in my case a 404.

                • 5. Re: Host "change password"-page on IDP
                  meetoblivion

                  Just as an update.

                   

                  I ended up finding a fix for this issue.  I ended up creating a custom version of IDPWebBrowserSSOValve that avoids the redirect based on configuration.