rewrite and picketlink: IllegalStateException


This topic contains 8 replies, has 3 voices, and was last updated by  reinhard hobler 2 years, 8 months ago.

  • #25428

    reinhard hobler
    Participant

    We are using Picketlink (version 2.1.6) with some of our web-applications. By doing this, we provide SSO functionality for the participating applications.

    As we are on a JBoss 7, the authenticator for the identity-provider is “org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve” and for the service-providers it is “org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator”.

    I have a simple rewrite rule
    .addRule(Join.path("/customer").to("/faces/jsf/customer.xhtml"))

    and an index.html which brings me to that page if the context-root is called.
    <meta http-equiv="Refresh" content="0; URL=customer">

    If the user is logged in (i.e. authenticated), it also works when calling the customer-url ‘directly’: http://host:port/customerapplication/customer

    The problem is when the user is not logged in. As the page is secured, the picketlink identity-provider now “intercepts” and asks for the user-credentials. After that I get an IllegalStateException:

    java.lang.IllegalStateException: JBWEB000232: Cannot forward after response has been committed
    	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:492)
    	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:482)
    	at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:38)
    	at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:263)
    	at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:188)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920)
    	at java.lang.Thread.run(Thread.java:722)

    If I remove the rewrite rule and call http://host:port/customerapplication/faces/jsf/customer.xhtml everything works fine and I get correctly forwarded to my jsf-page once I provided the credentials.

    #25429

    Could you explain this a bit more:

    picketlink identity-provider “intercepts” and asks for the user-credentials

    What does PicketLink exactly do? Does it forward to another page? Or does it redirect the user?

    And how did you configure PicketLink? Is it a filter? Did you place it before or after the RewriteFilter?

    #25436

    reinhard hobler
    Participant

    I’m not at my work computer at the moment, but as far as I remember it is a redirect. We use the configuration defaults for picketlink (of course with our own JAAS login-module when it comes to the security domain itself).

    Here, you can find some information on what picketlink actually does and how it is working: http://docs.jboss.org/picketlink/2/2.1.7.Final/reference/html_single/

    #25438

    Thanks for the link. I’ll have a look at it later.

    I also created an issue to track this issue as I think I’m able to reproduce it:

    https://github.com/ocpsoft/rewrite/issues/151

    #25439

    reinhard hobler
    Participant

    ok thanks !

    If you need additional info please let me know.

    #25440

    I think you will be able to work around this issue by adding this rule in front of all the other rules:

    .addRule()
    .when(Direction.isInbound())
    .perform(new HttpOperation() {
       @Override
       public void performHttp(HttpServletRewrite event, EvaluationContext context)
       {
          // Response already committed: abort so Rewrite does not try to forward.
          if(event.getResponse().isCommitted()) {
             event.setFlow(ServletRewriteFlow.ABORT_REQUEST);
          }
       }
    })
    
    #25446

    reinhard hobler
    Participant

    Hey cool !!!

    workaround is working …

    thanks a lot

    #25476

    Okay, just an update. This issue is actually a bug in PicketLink, so until it’s fixed there, I also recommend using Christian’s workaround. Glad you got it fixed!

    #25484

    reinhard hobler
    Participant

    Thanks for the update !
