rewrite and picketlink: IllegalStateException

Splash Forums Rewrite Users rewrite and picketlink: IllegalStateException

This topic contains 8 replies, has 3 voices, and was last updated by  reinhard hobler 8 years, 1 month ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
  • #25428

    reinhard hobler

    We are using Picketlink (version 2.1.6) with some of our web-applications. By doing this, we provide SSO functionality for the participating applications.

    As we are on a JBoss 7 the authenthicator for the identity-provider is “org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve” adn for the service-providers it is “org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator”.

    I have a simple rewrite rule

    and an index.html which for brings me to that page if context-root is called.
    <meta http-equiv="Refresh" content="0; URL=customer">

    If the user is logged in (i.e. authenticated) it works also with ‘directly’ call the customer-url: http://host:port/customerapplication/customer

    Problem is when the user is not logged in. As the page is secured now picketlink identy-provider “intercepts” and asks for the user-credentials. After that I get an IllegalStateException:

    java.lang.IllegalStateException: JBWEB000232: Cannot forward after response has been committed
    	at org.apache.catalina.core.ApplicationDispatcher.doForward(
    	at org.apache.catalina.core.ApplicationDispatcher.forward(
    	at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(
    	at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(
    	at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
    	at org.apache.catalina.core.StandardWrapperValve.invoke(
    	at org.apache.catalina.core.StandardContextValve.invoke(
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
    	at org.apache.catalina.core.StandardHostValve.invoke(
    	at org.apache.catalina.valves.ErrorReportValve.invoke(
    	at org.apache.catalina.core.StandardEngineValve.invoke(
    	at org.apache.catalina.connector.CoyoteAdapter.service(
    	at org.apache.coyote.http11.Http11Processor.process(
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(

    If I remove the rewrite rule and call http://host:port/customerapplication/faces/jsf/customer.xhtml everything works fine and I get correctly forwarded to my jsf-page once I provided the credentials.


    Could you explain this a bit more:

    picketlink identy-provider “intercepts” and asks for the user-credentials

    What does PicketLink exactly do? Does it forward to another page? Or does it redirect the user?

    And how did you configure PicketLink? Is it a filter? Did you place it before or after the RewriteFilter?


    reinhard hobler

    I’m not with my work-computer at the moment, but as far as I remember it is a redirect. We use the confiuration defaults for picketlink (of course with our own JAAS login-module when it comes to the security domain itself).

    Here, you can find some information on what picketlink actually does and how it is working:


    Thanks for the link. I’ll have a look at it later.

    I also created an issue to track this issue as I think I’m able to reproduce it:


    reinhard hobler

    ok thanks !

    If you need additional info please let me know.


    I think you will be able to work around this issue by adding this rule to in front of all the other rules:

    .perform(new HttpOperation() {
       public void performHttp(HttpServletRewrite event, EvaluationContext context)
          if(event.getResponse().isCommitted()) {

    reinhard hobler

    Hey cool !!!

    workaround is working …

    thanks a lot


    Okay, just an update. This issue is actually a bug in PicketLink, so until it’s fixed there, I also recommend using Christian’s workaround. Glad you got it fixed!


    reinhard hobler

    Thanks for the update !

Viewing 9 posts - 1 through 9 (of 9 total)

The forum ‘Rewrite Users’ is closed to new topics and replies.

Comments are closed.