PicketLink Federated Identity
PLFED-324

RuntimeException on global logout with SAML2AttributeHandler

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PLFED_2.0.3.Final, PLFED_2.1.1.Final
    • Fix Version/s: PLFED_2.1.4.final
    • Component/s: SAML
    • Labels:
      None
    • Environment:
      JBoss 7.1.0, JBoss 7.1.1
    • Estimated Difficulty:
      Low

      Description

      I am using the SAML2AttributeHandler to send the email, firstname and lastname from the IDP to an SP. When I try to log out by adding "?GLO=true" to the current URL, the SAML2AttributeHandler throws an exception, "Assertion not found in the handler request", on the SP side.

      11:41:56,801 ERROR org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator (http-localhost-127.0.0.1-8080-1) Server Exception:: java.lang.RuntimeException: PL00092: Null Value:Assertion not found in the handler request:

      {CONFIGURATION=org.picketlink.identity.federation.core.config.SPType@60b24245}

      at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleIDPResponse(SAML2AttributeHandler.java:175) picketlink-fed-2.0.3.Final.jar:2.0.3.Final
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleStatusResponseType(SAML2AttributeHandler.java:146) picketlink-fed-2.0.3.Final.jar:2.0.3.Final
      at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:72) picketlink-fed-2.0.3.Final.jar:2.0.3.Final
      at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:174) picketlink-fed-2.0.3.Final.jar:2.0.3.Final
      at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.handleSAMLResponse(SPRedirectFormAuthenticator.java:264) picketlink-bindings-2.0.3.Final.jar:2.0.3.Final
      at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:170) picketlink-bindings-2.0.3.Final.jar:2.0.3.Final
      at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:121) picketlink-bindings-2.0.3.Final.jar:2.0.3.Final
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) jbossweb-7.0.10.Final.jar:
      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) jboss-as-web-7.1.0.Final.jar:7.1.0.Final
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) jbossweb-7.0.10.Final.jar:
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) jbossweb-7.0.10.Final.jar:
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) jbossweb-7.0.10.Final.jar:
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) jbossweb-7.0.10.Final.jar:
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) jbossweb-7.0.10.Final.jar:
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) jbossweb-7.0.10.Final.jar:
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) jbossweb-7.0.10.Final.jar:
      at java.lang.Thread.run(Thread.java:679)

        Activity

        Mark Lassiter
        added a comment -

        We were able to reproduce this issue in our application. The problem appears to be this block of code which is called and trips when the logout response is received back from the IDP:

        AssertionType assertion = (AssertionType) request.getOptions().get(GeneralConstants.ASSERTION);
        if (assertion == null)
            throw new RuntimeException(ErrorCodes.NULL_VALUE + "Assertion not found in the handler request:"
                    + request.getOptions());

        We have validated it with JBoss AS 7.1.0 and JBoss EAP 6.0.0. I have also validated that it still exists with picketlink 2.1.2 by updating my JBoss EAP 6.0.0 picketlink modules.

        We worked around the issue by extending the Attribute Handler and overriding the method to add a check before calling the inherited functionality. This works and everything tests out OK.

        Thanks,
        Mark

        Anil Saldhana
        made changes -
        Field Original Value New Value
        Assignee Anil Saldhana [ anil.saldhana ] Pedro Igor [ pcraveiro ]
        Anil Saldhana
        made changes -
        Fix Version/s PLFED_2.1.4.final [ 12319824 ]
        Forum Reference https://community.jboss.org/thread/199696 https://community.jboss.org/thread/199696
        Pedro Igor
        added a comment -

        When using the SAML2AttributeHandler on the SP side, it should handle neither LogoutRequestType nor StatusResponseType from the IDP.

        Also, the AttributeManager was being called during the logout process on the IDP side if the AttributeManager attribute was defined.

        Pedro Igor
        made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Done [ 1 ]
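
Added example, not part of the original issue and not PicketLink code: a self-contained Java model of the workaround described in the comments above, where a subclass checks for the assertion before calling the inherited method. `HandlerRequest`, `AttributeHandler` and `LogoutSafeAttributeHandler` are hypothetical stand-ins for the PicketLink types, and the request contents are constructed samples.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in types (assumptions): they model only what this issue shows and are
// NOT the PicketLink classes; all names below are hypothetical.
public class LogoutGuardExample {
    static final String ASSERTION = "ASSERTION"; // stands in for GeneralConstants.ASSERTION

    static class HandlerRequest {
        private final Map<String, Object> options = new HashMap<>();
        Map<String, Object> getOptions() { return options; }
    }

    static class AttributeHandler {
        final Map<String, String> sessionAttributes = new HashMap<>();

        // Same null check as the block quoted in the comment, then attribute extraction.
        @SuppressWarnings("unchecked")
        void handleStatusResponseType(HandlerRequest request) {
            Map<String, String> assertion = (Map<String, String>) request.getOptions().get(ASSERTION);
            if (assertion == null)
                throw new RuntimeException("Assertion not found in the handler request:"
                        + request.getOptions());
            sessionAttributes.putAll(assertion);
        }
    }

    // Workaround as described: check first, then call the inherited method.
    static class LogoutSafeAttributeHandler extends AttributeHandler {
        @Override
        void handleStatusResponseType(HandlerRequest request) {
            if (request.getOptions().get(ASSERTION) == null)
                return; // e.g. a logout response: no assertion, nothing to extract
            super.handleStatusResponseType(request);
        }
    }

    public static void main(String[] args) {
        HandlerRequest login = new HandlerRequest();   // constructed sample with an assertion
        login.getOptions().put(ASSERTION, Map.of("email", "user@example.org"));
        HandlerRequest logout = new HandlerRequest();  // constructed sample, no assertion
        logout.getOptions().put("CONFIGURATION", "SPType");
        try {
            new AttributeHandler().handleStatusResponseType(logout);
        } catch (RuntimeException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        LogoutSafeAttributeHandler safe = new LogoutSafeAttributeHandler();
        safe.handleStatusResponseType(login);
        safe.handleStatusResponseType(logout);
        System.out.println("guarded: " + safe.sessionAttributes);
    }
}
```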

          People

          • Assignee:
            Pedro Igor
            Reporter:
            Markus Plangg
          • Votes:
            1
            Watchers:
            2