Posted to issues@cxf.apache.org by "gonzalad (JIRA)" <ji...@apache.org> on 2017/02/28 12:46:45 UTC
[jira] [Updated] (FEDIZ-192) SAML customSTSParameter not propagated when using form-login
[ https://issues.apache.org/jira/browse/FEDIZ-192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
gonzalad updated FEDIZ-192:
---------------------------
Description:
When I use customSTSParameter with a form-login, the customSTSParameter parameter isn't sent to my Validator class:
this kind of code [CustomUTValidator|https://github.com/apache/cxf-fediz/blob/d18087dd4081d932d57c8677880059d1c3472690/systests/custom/src/test/java/custom/CustomUTValidator.java#L56] will return a null value.
The issue is caused by Spring Security, which redirects the user to a /login page (without the original parameters, hence STSUPAuthenticationProvider doesn't have access to the customSTSParameter).
To reproduce this issue:
* mvn clean install fediz.
* edit cxf-fediz/systests/custom/target/tomcat/idp/webapps/fediz-idp/WEB-INF/config/security-up-config.xml.
** add under security:http pattern="/federation/up/**" :
{code}
<security:custom-filter before="FORM_LOGIN_FILTER" ref="requestContextFilter"/>
{code}
** comment <security:http-basic />
** uncomment
{code}
<security:form-login login-page='/federation/up/login'
    login-processing-url="/federation/up/login.do"
    authentication-failure-url="/federation/up/login?error"
    default-target-url="/"
    username-parameter="username"
    password-parameter="password"
/>
{code}
* run the CustomParametersTest#testCustomParameterViaRP() unit test.
Set the necessary ports (i.e. -Didp.https.port=20001 -Drp.https.port=20002)
* Put a breakpoint to stop the test once the sample, IDP and STS servers are started.
* Open a browser and go to https://localhost:20002/fedizhelloworld/secure/fedservlet
* You're redirected to the IDP
* Log in with alice's credentials
You'll get a `Login Failed` (because the custom parameter hasn't been propagated: the realm variable is null in CustomUTValidator)
was:
When I use customSTSParameter with a form-login, the customSTSParameter parameter isn't sent to my Validator class:
this kind of code [CustomUTValidator|https://github.com/apache/cxf-fediz/blob/d18087dd4081d932d57c8677880059d1c3472690/systests/custom/src/test/java/custom/CustomUTValidator.java#L56] will return a null value.
To reproduce this issue:
* mvn clean install fediz.
* edit cxf-fediz/systests/custom/target/tomcat/idp/webapps/fediz-idp/WEB-INF/config/security-up-config.xml.
** add under security:http pattern="/federation/up/**" :
{code}
<security:custom-filter before="FORM_LOGIN_FILTER" ref="requestContextFilter"/>
{code}
** comment <security:http-basic />
** uncomment
{code}
<security:form-login login-page='/federation/up/login'
    login-processing-url="/federation/up/login.do"
    authentication-failure-url="/federation/up/login?error"
    default-target-url="/"
    username-parameter="username"
    password-parameter="password"
/>
{code}
* run the CustomParametersTest#testCustomParameterViaRP() unit test.
Set the necessary ports (i.e. -Didp.https.port=20001 -Drp.https.port=20002)
* Put a breakpoint to stop the test once the sample, IDP and STS servers are started.
* Open a browser and go to https://localhost:20002/fedizhelloworld/secure/fedservlet
* You're redirected to the IDP
* Log in with alice's credentials
You'll get a `Login Failed` (because the custom parameter hasn't been propagated: the realm variable is null in CustomUTValidator)
> SAML customSTSParameter not propagated when using form-login
> ------------------------------------------------------------
>
> Key: FEDIZ-192
> URL: https://issues.apache.org/jira/browse/FEDIZ-192
> Project: CXF-Fediz
> Issue Type: Bug
> Affects Versions: 1.4.0
> Reporter: gonzalad
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
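
Added illustration, not code from Fediz or from the reporter: when form-login redirects an unauthenticated request to the login page, Spring Security's default request cache keeps the original request in the HTTP session, so a parameter that is absent from the login POST can still be read from the saved request. The class name and the allow-list are hypothetical, and the sketch assumes the default HttpSessionRequestCache is in use and that the caller has the current request and response at hand.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/** Hypothetical helper (not part of Fediz): resolves a request parameter across the form-login redirect. */
public final class SavedRequestParameterResolver {

    // Assumption: the default session-backed cache, which holds the request
    // that triggered the redirect to the login page.
    private final RequestCache requestCache = new HttpSessionRequestCache();

    // Values the application is prepared to accept for the parameter (constructed for this example).
    private final Set<String> allowedValues;

    public SavedRequestParameterResolver(Set<String> allowedValues) {
        this.allowedValues = allowedValues;
    }

    /**
     * Returns the parameter from the current request or, if the login POST
     * does not carry it, from the request saved before the login redirect.
     * Returns null when the parameter is missing or not on the allow-list.
     */
    public String resolve(HttpServletRequest request, HttpServletResponse response, String name) {
        String value = request.getParameter(name);
        if (value == null) {
            // The login POST only carries username/password; look at the original request.
            SavedRequest saved = requestCache.getRequest(request, response);
            if (saved != null) {
                String[] values = saved.getParameterValues(name);
                if (values != null && values.length > 0) {
                    value = values[0];
                }
            }
        }
        // The value is client-controlled in both cases, so only pass on known values.
        return value != null && allowedValues.contains(value) ? value : null;
    }
}
```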