OPENAM-14740: idpSingleLogoutRedirect throws error 500 IllegalStateException on SLO

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.0.0.6, 6.5.0, 7.0.0
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: None
    • Labels:
    • Sprint:
      AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When performing a SAML SP-initiated SLO in a multi-protocol SLO, the IdP returns error 500. Web container logs indicate 'java.lang.IllegalStateException: Cannot forward after response has been committed' for idpSingleLogoutRedirect.jsp.

      This is a duplicate of OPENAM-11225 in terms of symptoms, but failing at a different place within the jsp.

      How to reproduce the issue

      I have not been able to reproduce this internally. The following steps are those used to replicate OPENAM-14539 and create a test environment where OPENAM-11225 was also reproduced.

      Summary:

      Set up 4 AM instances, 7.0.0 snapshot, running in Tomcat, accessed over HTTP:

      1. IdP: idp.amtest2.com:9080 (cookie domain of idp.amtest2.com), port ranges of 59xxx
      2. SAML SP 1: sp.amtest2.com (sp.amtest2.com), port ranges of 57xxx
      3. SAML SP 2: sp.amtest2.com (openam2.amtest2.com), port ranges of 54xxx
      4. WS-Fed SP: openam.amtest2.com (openam.amtest2.com), port ranges of 50xxx

      SAML SSO configuration:

      1. In IdP, created a hosted IdP in top level realm, cot test_idp, signing key test and attribute mapping of mail -> mail.
      2. In SAML SP, created a hosted SP in top level realm, cot test_sp.
      3. In SAML SP, created a remote IdP, using metadata URL of http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp.
      4. In SAML IdP, created a remote SP, using attribute mapping of mail -> mail, using metadata URL of http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp.
      5. In SAML SP, edited hosted SP and set auto federation enabled, and attribute to be mail. Set top level realm, Authentication settings -> User profile to be dynamic.
      6. In IdP, for top level realm user demo, edited this and set an email address of demo@amtest2.com.
      7. Verified that an SP initiated SAML SSO succeeded: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp . I was redirected to IdP, logged in as demo user and then saw 'Single sign-on succeeded' on SP.
      8. Repeated steps 2 to 7 for the second SP, openam2.amtest2.com.

      WS-Fed configuration:

      1. On WS-Fed SP, in Admin console, navigated to top level realm, Federation and Legacy view.  Clicked New Entity, chose WS-Fed and then set /wsfedsp as the Entity Identifier and wsfedsp as the Service Provider -> Meta alias.  Clicked create.  Edited the resulting entity and set SP -> Attribute mapper to be *=.*  Unchecked Assertion signed.  Created COT test_sp and added the entity to this.
      2. On IdP, repeated above to create WS-Fed entity of /wsfedidp as the Entity Identifier and wsfedidp as the Identity Provider -> Meta Alias.  Added this to the existing test_idp COT.
      3. Installed ssoadm AM-SSOAdminTools-5.1.2.3.zip and configured to communicate with WS-Fed SP instance.  
      4. Repeated the above step to install ssoadm and configure to communicate with the IdP instance.
      5. Using ssoadm, exported the existing wsfedsp entity from the WS-Fed SP: access/bin/ssoadm export-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -y /wsfedsp -c wsfed -m /tmp/SP_standard.xml -x /tmp/SP_extended.xml.
      6. Edited the extended metadata file exported, to change 'hosted="true"' to 'hosted="false"'. Also changed the COT name from test_sp to test_idp.
      7. Using ssoadm for the IdP instance, repeated the above to export the WS-Fed IdP metadata: access/bin/ssoadm export-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -y /wsfedidp -c wsfed -m /tmp/IdP_standard.xml -x /tmp/IdP_extended.xml.
      8. From ssoadm instance for WS-Fed SP, imported metadata for remote WS-Fed IdP (ssoadm 5.1.1.4 or later is needed for this to succeed): access/bin/ssoadm import-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -t test_sp -c wsfed -m /tmp/IdP_standard.xml -x /tmp/IdP_extended.xml
      9. From ssoadm instance for IdP, import the remote WS-Fed entities: access/bin/ssoadm import-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -t test_idp -c wsfed -m /tmp/SP_standard.xml -x /tmp/SP_extended.xml
      10. Tested WS-Fed SP initiated SSO: http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp?goto=http://openam.amtest2.com:8080/access

      Issue reproduction:

      1. Perform a WS-Fed SSO: http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp?goto=http://openam.amtest2.com:8080/access
      2. In separate tab, same browser (so same session can be shared), perform SAML SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
      3. In a third tab, perform SAML SSO from second SP: http://openam2.amtest2.com:4080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
      4. Then in the browser tab for the first SAML SP above, perform SP-initiated SLO: http://sp.amtest2.com:7080/access/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fidp.amtest2.com%3A9080%2Faccess

      Expected behaviour

      End user should see message 'SP initiated single logout succeeded'.

      Current behaviour

      In AM 5.5.1, customer reports seeing error 500, with container log file showing:

      Caused by: java.lang.IllegalStateException: Cannot forward after response has been committed
          at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:328)
          at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318)
          at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:741)
          at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:711)
          at org.apache.jsp.saml2.jsp.idpSingleLogoutPOST_jsp._jspService(idpSingleLogoutPOST_jsp.java:188)
          at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
          at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
          ... 33 more
      org.apache.jasper.JasperException: An exception occurred processing JSP page /saml2/jsp/idpSingleLogoutRedirect.jsp at line 125

      122:                     response.sendRedirect(relayState 
      123:                         + "&logoutStatus=logoutSuccess");
      124:                 } else {
      125:                     response.sendRedirect(relayState 
      126:                         + "?logoutStatus=logoutSuccess");
      127:                 }
      128:             } else {

      Note that with the above reproduction steps (and also trying inclusion of RelayState on the SSO or SLO URLs) I have not been able to reproduce what the customer sees.

      Work around

      None

      Code analysis

      A similar fix to the one for OPENAM-11225 looks to be required: only perform the sendRedirect calls if the response has not already been committed (i.e. guard them with response.isCommitted()), since sendRedirect on a committed response throws IllegalStateException and surfaces as the 500:

      idpSingleLogoutRedirect.jsp

      122:                     response.sendRedirect(relayState 
      123:                         + "&logoutStatus=logoutSuccess");
      124:                 } else {
      125:                     response.sendRedirect(relayState 
      126:                         + "?logoutStatus=logoutSuccess");
      127:                 }
      128:             } else {


              People

              • Assignee: Lawrence Yarham
              • Reporter: Lawrence Yarham
              • Votes: 0
              • Watchers: 3