7 Replies Latest reply: Jun 12, 2012 1:40 PM by Pedro Igor

Need help with Picketlink on Jboss7 + Apache HTTP Server

Karl Gross Newbie

Dear all,

Does anyone have experience with PicketLink as provided in JBoss 7.1.1 together with Apache HTTP Server? I can run the PicketLink example without any problem on a standalone JBoss 7 server. But since I also want to use Apache HTTP Server together with JBoss 7 through AJP, the IDP could not redirect the user to the SP after I submitted the login form. If I click the submit button twice, however, the user is redirected to the SP. Has anyone else met this problem?

  • 1. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Pedro Igor Apprentice

    Hi Karl,

        Which binding are you using in the SP: POST or REDIRECT? Are you using Strict Post Binding on the IDP?

        I'll try to simulate this problem.

    Regards.

    Pedro Igor

  • 2. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Karl Gross Newbie

    Hi Pedro,

    I appreciate your help. I am using POST bindings. After setting IDPWebBrowserSSOValve with Strict Post Binding according to the post https://issues.jboss.org/browse/PLFED-271, I still have the same problem.

    For you to simulate the problem, let me explain the setup of my projects in more detail:

    I have one IDP and two SPs. The IDP and SP1 are running on one server, but with different domain names; SP2 is running on a different server. The problem should be reproducible with only the IDP and SP1.

     

    JBoss Setup

    IDP:

    jboss-web.xml

    <jboss-web>
      <security-domain>idp</security-domain>
      <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
        <param>
          <param-name>signOutgoingMessages</param-name>
          <param-value>false</param-value>
        </param>
        <param>
          <param-name>ignoreIncomingSignatures</param-name>
          <param-value>true</param-value>
        </param>
        <param>
          <param-name>characterEncoding</param-name>
          <param-value>UTF-8</param-value>
        </param>
        <param>
          <param-name>strictPostBinding</param-name>
          <param-value>true</param-value>
        </param>
      </valve>
    </jboss-web>

    picketlink-handlers.xml

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    </Handlers>

    picketlink-idfed.xml

    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
      <IdentityURL>${idp.url}</IdentityURL>
      <Trust>
        <Domains>sso-idp.server.internal,sso-sp1.server.internal,sso-sp2.server.internal</Domains>
      </Trust>
    </PicketLinkIDP>

    standalone.xml

    <system-properties>
      <property name="idp.url" value="https://sso-idp.server.internal/idp/"/>
    </system-properties>

     

    SP1:

    picketlink-handlers.xml

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    </Handlers>

    picketlink-idfed.xml

    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
      <IdentityURL>${idp.url}</IdentityURL>
      <ServiceURL>${sp1.url}</ServiceURL>
    </PicketLinkSP>

    jboss-web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
    <jboss-web>
      <security-domain flushOnSessionInvalidation="true">sp1</security-domain>
      <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>
        <param>
          <param-name>characterEncoding</param-name>
          <param-value>UTF-8</param-value>
        </param>
      </valve>
    </jboss-web>

    standalone.xml

    <system-properties>
      <property name="idp.url" value="https://sso-idp.server.internal/idp/"/>
      <property name="sp1.url" value="https://sso-sp1.server.internal/sp1/"/>
    </system-properties>

     

    Apache config

    IDP:

    <VirtualHost *:80>
        ServerName sso-idp.server.internal
        DocumentRoot /var/www

        RedirectMatch temp ^.*$ https://sso-idp.server.internal
    </VirtualHost>

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        SSLEngine on
        ServerName sso-idp.server.internal
        DocumentRoot /var/www

        #SetEnvIf User-Agent ".*MSIE.*" \
        #       nokeepalive ssl-unclean-shutdown \
        #       downgrade-1.0 force-response-1.0

        BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

        ProxyRequests off
        ProxyTimeout 900

        <Location /idp>
            Allow from all
            ProxyPass        ajp://localhost:20917/idp
            ProxyPassReverse ajp://localhost:20917/idp
        </Location>

        RedirectMatch temp ^/$ /idp
    </VirtualHost>
    </IfModule>

     

    SP1:

    <VirtualHost *:80>
        ServerName sso-sp1.server.internal
        DocumentRoot /var/www

        RedirectMatch temp ^.*$ https://sso-sp1.server.internal
    </VirtualHost>

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        SSLEngine on
        ServerName sso-sp1.server.internal
        DocumentRoot /var/www

        #SetEnvIf User-Agent ".*MSIE.*" \
        #       nokeepalive ssl-unclean-shutdown \
        #       downgrade-1.0 force-response-1.0

        BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

        ProxyRequests off
        ProxyTimeout 900

        <Location /sp1>
            Allow from all
            ProxyPass        ajp://localhost:20857/sp1
            ProxyPassReverse ajp://localhost:20857/sp1
        </Location>

        RedirectMatch temp ^/$ /sp1
    </VirtualHost>
    </IfModule>

  • 3. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Karl Gross Newbie

    Hi Pedro,

    did you have a chance to reproduce the problem?

    I have also packed a minimal test case in JBoss Community: https://community.jboss.org/message/739961#739961

    Best Regards,

    Karl

  • 4. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Pedro Igor Apprentice

    Hi Karl,

        I did some tests considering the following scenario:

      • One Apache installation with two VirtualHosts (sso-idp.server.internal, sso-sp.server.internal). SSL enabled. Basically, the same config as you described.

        I did a test using the HTTP Redirect Binding and it worked fine. However, when using the POST binding I ran into the same problem. Only after a second click on the login button am I redirected to the SP.

        Can you try to use the REDIRECT binding to see if it works for you too? Meanwhile I'll investigate why it is not working with the POST binding.

    Regards.

    Pedro Igor

  • 5. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Pedro Igor Apprentice

    Karl,

        Can you execute a test using the POST binding without the SSL configuration?

    Regards.

    Pedro Igor

  • 6. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Karl Gross Newbie

    Hi Pedro,

    thank you for investigating this problem. I have actually already tried the POST binding without SSL, like the test case posted in JBoss Community. The problem happens only with the combination of the Apache AJP proxy and PicketLink POST bindings. In debug mode I found that JBoss was trapped in the method socketRead0 without returning to the restoreRequest method of FormAuthenticator. Using an HTTP proxy instead of an AJP proxy also avoids the problem.

     

    Stack trace of JBoss 7.1.1 and Java 6 with Apache AJP proxy:

    java.net.SocketInputStream.socketRead0(Native Method)
    java.net.SocketInputStream.read(SocketInputStream.java:129)
    org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:1131)
    org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)
    org.apache.coyote.ajp.AjpProcessor.receive(AjpProcessor.java:1152)
    org.apache.coyote.ajp.AjpProcessor$SocketInputBuffer.doRead(AjpProcessor.java:1278)
    org.apache.coyote.Request.doRead(Request.java:438)
    org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:347)
    org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:420)
    org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:379)
    org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:162)
    org.apache.catalina.authenticator.FormAuthenticator.restoreRequest(FormAuthenticator.java:491)
    org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:228)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
    org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:332)
    org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
    org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
    org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
    org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
    org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
    java.lang.Thread.run(Thread.java:662)

    Best Regards,

    Karl

  • 7. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
    Pedro Igor Apprentice

    Hi Karl,

        I also realized that during my debugging session. I'm not understanding why this is happening. The problem is that jbossweb is hanging when reading the input stream from the request while trying to restore the saved request (stored during the j_security_check processing).

        I'm not sure if this is a PL issue. But I'll create a JIRA for investigation.

        https://issues.jboss.org/browse/PLFED-339

    Thanks.

    Pedro Igor
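An added example, not part of this thread and not PicketLink or JBoss code: a small Python script that scans a jstack-style thread dump for the signature in Karl's trace (reply 6) and Pedro's explanation (reply 7), a worker blocked in socketRead0 under AjpProcessor while FormAuthenticator.restoreRequest is on the stack, and separates it from AJP workers that are simply idle waiting for the next message. The dump, thread names and port are constructed for the example.

```python
import re

# Constructed jstack-style dump (not a real capture); thread 1 mirrors the frames
# of the trace in reply 6, thread 2 is an AJP worker idling between requests.
SAMPLE_DUMP = """\
"ajp-/127.0.0.1:20917-1" daemon prio=10 tid=0x1 nid=0x1 runnable
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:1131)
\tat org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)
\tat org.apache.coyote.ajp.AjpProcessor.receive(AjpProcessor.java:1152)
\tat org.apache.catalina.authenticator.FormAuthenticator.restoreRequest(FormAuthenticator.java:491)
\tat org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:228)
\tat org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:332)

"ajp-/127.0.0.1:20917-2" daemon prio=10 tid=0x2 nid=0x2 runnable
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)
\tat org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
"""

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r'^\s*at\s+(?P<frame>[^(\s]+)')

def parse_threads(dump):
    """Map each thread name to its frames (qualified method names, top of stack first)."""
    threads, current = {}, None
    for line in dump.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = header.group("name")
            threads[current] = []
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            threads[current].append(frame.group("frame"))
    return threads

def classify(dump):
    """Split threads blocked in socketRead0 into the restoreRequest hang vs. an idle AJP wait."""
    result = {"hung_restore": [], "idle_ajp": []}
    for name, frames in parse_threads(dump).items():
        if not frames or not frames[0].endswith("SocketInputStream.socketRead0"):
            continue  # not blocked in a native socket read at all
        in_ajp = any(".coyote.ajp.AjpProcessor." in f for f in frames)
        restoring = any(f.endswith("FormAuthenticator.restoreRequest") for f in frames)
        if in_ajp and restoring:
            result["hung_restore"].append(name)  # waiting for a body chunk that never arrives
        elif in_ajp:
            result["idle_ajp"].append(name)  # waiting for the next AJP message: normal
    return result
```

Run it against a real `jstack <pid>` dump taken while a login is stuck; any thread listed under `hung_restore` is the saved-request restore blocking on the AJP body read.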