OpenAM issue OPENAM-13934

saml2error.jsp fails with exception when malformed SAML2 response given



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0
    • Fix Version/s: 13.5.3, 14.1.2, 6.0.1, 5.5.2, 7.0.0, 6.5.3
    • Component/s: SAML
    • Rank:
    • Sprint: AM Sustaining Sprint 57
    • 2
    • Yes
    • No
    • No
    • Yes and I used the same an in the description


      Bug description

      When the IDP returns an invalid SAML2 response, the SP handles it and ends up on the saml2error.jsp page with:

      type Status report
      message An exception occurred processing JSP page /saml2/jsp/saml2error.jsp at line 146
      143: } 
      144: if (((errorMessage == null) || (errorMessage.length() == 0)) && 
      145: (errorCode != null)) { 
      146: errorMessage = SAML2Utils.bundle.getString(errorCode); 
      147: } 
      148: int sc = HttpServletResponse.SC_INTERNAL_SERVER_ERROR; 
      149: if (httpStatusCode != null) { 
      description The server encountered an internal error that prevented it from fulfilling this request.

      Note that the Java Servlet error-page mechanism in web.xml can also be used to trap all HTTP 500 errors.

      How to reproduce the issue

      1. Install an IDP and an SP
      2. Intercept the IDP response with a proxy and modify the SAMLResponse so that the response is erroneous
      3. Observe the exception shown above

      Expected behaviour

      The same error page as for other errors, one that does not expose source code line numbers.

      Current behaviour

      The error page shows the saml2error.jsp source lines and code, because the exception occurred inside the error page itself; this should not happen.

      Work around

      Use a custom saml2error.jsp (see https://backstage.forgerock.com/docs/am/5.5/reference/#global-federation-common, which describes how to configure a customized SAML2 error page), or wrap the lookup at line 146 of saml2error.jsp in a try/catch block:

      try {
         errorMessage = SAML2Utils.bundle.getString(errorCode);
      } catch (java.util.MissingResourceException ex) {
         // Unknown error code: fall back to a generic message instead of failing inside the error page
         errorMessage = "Error code: " + errorCode;
      }

      Code fixes

      1. libSAML2.properties is missing the getResponseError property, so an entry like the following needs to be added:

      getResponseError=Error getting response

      2. saml2error.jsp should be hardened as in the workaround above, so that undefined error codes are trapped rather than raising an exception inside the error page.
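As an added example (not OpenAM code and not the ticket author's patch), the following Java class shows the key-safe, null-safe lookup that both the workaround and code fix 2 describe, run against a constructed stand-in for libSAML2.properties. The class name, the resolve() method, the sample bundle and the sample error codes are assumptions made for illustration.

```java
import java.util.ListResourceBundle;
import java.util.MissingResourceException;
import java.util.ResourceBundle;

// Added example, not OpenAM code: a lookup that a hardened saml2error.jsp could
// call in place of a bare SAML2Utils.bundle.getString(errorCode).
// The bundle contents and error codes below are constructed for illustration.
public class SafeErrorMessageLookup {

    // Resolve an error message for a SAML2 error code without ever throwing.
    // Precedence mirrors the JSP: an explicit errorMessage wins; otherwise the
    // bundle is consulted; an unknown code falls back to a generic message that
    // echoes the code, so the cause stays visible without exposing JSP source.
    public static String resolve(ResourceBundle bundle, String errorMessage, String errorCode) {
        if (errorMessage != null && errorMessage.length() > 0) {
            return errorMessage;
        }
        if (errorCode == null) {
            return "Unknown error";
        }
        try {
            return bundle.getString(errorCode);
        } catch (MissingResourceException ex) {
            // Code fix 1 adds the missing getResponseError key to libSAML2.properties;
            // this branch guards against any other code that has no translation.
            return "Error code: " + errorCode;
        }
    }

    // Constructed stand-in for libSAML2.properties containing only one key.
    static final ResourceBundle SAMPLE_BUNDLE = new ListResourceBundle() {
        @Override
        protected Object[][] getContents() {
            return new Object[][] {
                { "getResponseError", "Error getting response" }
            };
        }
    };

    public static void main(String[] args) {
        // Key present after the properties fix: resolved from the bundle.
        System.out.println(resolve(SAMPLE_BUNDLE, null, "getResponseError"));
        // Key absent (the situation that crashed the JSP): safe fallback.
        System.out.println(resolve(SAMPLE_BUNDLE, null, "someUndefinedCode"));
        // Caller already supplied a message: the bundle is not consulted.
        System.out.println(resolve(SAMPLE_BUNDLE, "Explicit message", "ignored"));
        // Neither a message nor a code was provided.
        System.out.println(resolve(SAMPLE_BUNDLE, "", null));
    }
}
```

The JSP can keep its existing variables and simply replace the line-146 lookup with a call of this shape; the point is that no code path inside the error page can throw, so the container never has to render its own stack-trace page for the error page itself.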




            chee-weng.chea C-Weng C