You have to set the session as a cookie in the wrapped servlet request. Otherwise the framework will not pick up the session in this flow.
On Fri, Jan 19, 2018 at 12:22 AM, Kanapriya Kuleswararajan <[email protected]> wrote:

> Hi Malithi,
>
> Thanks for the suggestion. I wrapped the relevant parameters which are mentioned in the following endpoint [1] as per the off-line discussion and directly invoked the Java API [2] instead of forwarding the wrapper object to the common auth endpoint. Now I get a different error [3].
>
> [1] */commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}*
>
> [2] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java#L131
>
> [3]
>
> [2018-01-19 00:10:36,771] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - retrieving authentication request from cache..
> [2018-01-19 00:10:36,772] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework
> org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Invalid authentication request. Session data key : 23b80283629e8b46fff6978874f46cf34664c78abd168d9d47dff7031dffde7e
> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:111)
> at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:46)
> at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:37)
> at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2FederatedLogoutRequestHandler.java:139)
> at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogoutRequestHandler.java:82)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
> at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
> Appreciate your input on this.
>
> Thanks,
> Kanapriya
>
> Kanapriya Kuleswararajan
> Software Engineer
> Mobile : - 0774894438
> Mail : - [email protected]
> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
> WSO2, Inc.
> lean . enterprise . middleware
>
>
> On Thu, Jan 18, 2018 at 10:31 PM, Malithi Edirisinghe <[email protected]> wrote:
>
>> Hi Kanapriya,
>>
>> So it seems you have dispatched back to the servlet transport. With this you won't be able to respond back to the federated IdP as the response is committed. Instead, follow the approach at [1]. There you wrap the request and response and directly invoke the Java API, which will return the request and response handled by the servlet endpoint. Then you can verify and respond back to the federated IdP.
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L1219
>>
>> Thanks,
>> Malithi.
>>
>> On Thu, Jan 18, 2018 at 7:29 PM, Kanapriya Kuleswararajan <[email protected]> wrote:
>>
>>> Please find the error log below:
>>>
>>> ERROR {org.apache.catalina.core.ApplicationDispatcher} - Servlet.service() for servlet bridgeservlet threw exception
>>> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>>> at java.lang.String.substring(String.java:1967)
>>> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:70)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>> at org.eclipse.equinox.http.servlet.internal.RequestDispatcherAdaptor.forward(RequestDispatcherAdaptor.java:30)
>>> at org.eclipse.equinox.http.helper.ContextPathServletAdaptor$RequestDispatcherAdaptor.forward(ContextPathServletAdaptor.java:362)
>>> at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2FederatedLogoutRequestHandler.java:136)
>>> at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogoutRequestHandler.java:79)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>> at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>> Thanks,
>>> Kanapriya
>>>
>>> Kanapriya Kuleswararajan
>>> Software Engineer
>>> Mobile : - 0774894438
>>> Mail : - [email protected]
>>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>>> WSO2, Inc.
>>> lean . enterprise . middleware
>>>
>>>
>>> On Thu, Jan 18, 2018 at 7:27 PM, Kanapriya Kuleswararajan <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>>
>>>>>> b) - At number 5 in the diagram, i.e. when the logout request is received, we wrap the request and response and send them over to our common-auth servlet. Here, before invoking the common-auth servlet, we will retrieve the session Id from the map (using the SAML Session Index) and set it in the wrapper object.
>>>>>>
>>>>>
>>>>> The request which forwards to the commonauth endpoint will have a format similar to the following:
>>>>>
>>>>> */commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}*
>>>>> NOTE: Need to verify whether the relyingParty parameter is required or not.
>>>>>
>>>>> After logout from the framework, the saml-sso outbound component will verify the response, build a valid SAML2 logout response and send it back to the federated IdP.
>>>>>
>>>>
>>>> I have created a Servlet endpoint [1] to accept the SAML logout request from the FIDP and registered this Servlet as a service [2]. Here, I get the session id using the session index, set it inside the wrapper object and forward that to the commonauth endpoint. When I sent a logout request from the FIDP, the FIDP is logged out but the SP is not getting logged out even though we sent the sessionID to invalidate the session, and I observe the error [1] at the back end.
>>>>
>>>> Is there anything I need to do more than this?
>>>>
>>>> [1] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java
>>>>
>>>> [2] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/internal/SAMLSSOAuthenticatorServiceComponent.java#L74
>>>>
>>>> Thanks,
>>>> Kanapriya
>>>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> @Thanuja and Malithi: Please add anything that I have missed. And also appreciate code snippets for the above (a) and (b).
>>>>>>
>>>>>> After the POC implementation, we will have another review.
>>>>>>
>>>>>> thank you,
>>>>>> Dimuthu
>>>>>>
>>>>>> --
>>>>>> Dimuthu Leelarathne
>>>>>> Director, Solutions Architecture
>>>>>>
>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>> email: [email protected]
>>>>>> Mobile: +94773661935
>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>
>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>
>>>>> [1] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java#L1258
>>>>>
>>>>> [2] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/AuthenticationDataPublisher.java
>>>>>
>>>>> [3] - https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/validator/FailLoginAttemptValidator.java
>>>>>
>>>>> [4] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthRequestWrapper.java
>>>>>
>>>>> [5] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthResponseWrapper.java
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Thanuja
>>>>> --
>>>>> *Thanuja Lakmal*
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. http://wso2.com/
>>>>> *lean.enterprise.middleware*
>>>>> Mobile: +94715979891
>>>>>
>>>>
>>>
>>
>>
>> --
>>
>> *Malithi Edirisinghe*
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> [email protected]
>>
>

--
*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
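The advice in this thread, as an added illustration rather than WSO2's or the saml-sso-outbound project's own code: wrap the inbound servlet request so that it carries the `/commonauth` logout parameters quoted above and delivers the locally resolved session id as the framework's session cookie, then hand the wrapper to the framework's Java API instead of forwarding through the servlet transport. The cookie name `commonAuthId`, the no-argument `CommonAuthenticationHandler` constructor, the public visibility of its `doPost`, the `CommonAuthResponseWrapper(HttpServletResponse)` constructor, and the `samlsso` type and callback path in the sketch are assumptions; only the class names and endpoint parameters come from the thread.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Illustrative wrapper (not WSO2 code). It presents a federated IdP's SAML
 * LogoutRequest to the authentication framework as the /commonauth logout
 * call described in the thread, and carries the resolved local session id
 * as the framework's session cookie rather than as a request attribute.
 */
public class FederatedLogoutRequestWrapper extends HttpServletRequestWrapper {

    // ASSUMPTION: the framework identifies the SSO session by this cookie name.
    static final String SESSION_COOKIE_NAME = "commonAuthId";

    private final Map<String, String[]> logoutParams = new HashMap<>();
    private final Cookie sessionCookie;

    /**
     * @param delegate       inbound request carrying the IdP's LogoutRequest
     * @param localSessionId session id looked up from the SAML SessionIndex map,
     *                       only after the LogoutRequest signature has been verified
     * @param type           authenticator type expected by the framework
     * @param callerPath     fixed callback path of this component (never taken from
     *                       the inbound request, so the IdP cannot steer the redirect)
     * @param relyingParty   service provider name
     */
    public FederatedLogoutRequestWrapper(HttpServletRequest delegate, String localSessionId,
                                         String type, String callerPath, String relyingParty) {
        super(delegate);
        logoutParams.put("commonAuthLogout", new String[]{"true"});
        logoutParams.put("type", new String[]{type});
        logoutParams.put("commonAuthCallerPath", new String[]{callerPath});
        logoutParams.put("relyingParty", new String[]{relyingParty});
        this.sessionCookie = new Cookie(SESSION_COOKIE_NAME, localSessionId);
    }

    @Override
    public String getParameter(String name) {
        String[] values = logoutParams.get(name);
        return values != null ? values[0] : super.getParameter(name);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = logoutParams.get(name);
        return values != null ? values.clone() : super.getParameterValues(name);
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> merged = new HashMap<>(super.getParameterMap());
        merged.putAll(logoutParams); // our logout parameters override inbound ones
        return Collections.unmodifiableMap(merged);
    }

    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(getParameterMap().keySet());
    }

    /**
     * The session is delivered as a cookie, which is what the framework looks up.
     * Any inbound cookie with the same name is dropped so that only the session
     * resolved from the verified SessionIndex can be terminated by this request.
     */
    @Override
    public Cookie[] getCookies() {
        List<Cookie> merged = new ArrayList<>();
        Cookie[] inbound = super.getCookies();
        if (inbound != null) {
            for (Cookie c : inbound) {
                if (!SESSION_COOKIE_NAME.equals(c.getName())) {
                    merged.add(c);
                }
            }
        }
        merged.add(sessionCookie);
        return merged.toArray(new Cookie[0]);
    }

    // ASSUMED call site (sketch; class names are from the thread, constructor and
    // method visibility are assumed, "samlsso" and the callback path are placeholders):
    //
    //   HttpServletRequest wrapped = new FederatedLogoutRequestWrapper(
    //           request, localSessionId, "samlsso", "/samlsso/slo-callback", spName);
    //   CommonAuthResponseWrapper captured = new CommonAuthResponseWrapper(response);
    //   new CommonAuthenticationHandler().doPost(wrapped, captured);
    //   // 'captured' holds the framework's redirect instead of it reaching the
    //   // browser, so 'response' is still uncommitted and the component can
    //   // write the SAML LogoutResponse back to the federated IdP on it.
}
```

Two points drive the design. First, the framework resolves the session from its cookie, so a session id stored only as a request attribute (the earlier attempt in the thread) is never seen; overriding `getCookies()` on the wrapper is what makes the direct `doPost` call find the session. Second, the logout parameters and the session cookie are set by the component and take precedence over anything in the inbound request, which keeps an IdP-originated request from choosing which local session is terminated or where the framework redirects afterwards.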
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
