I'm developing a simple web application with struts2 on JBoss Wildfly 10. For security it is required to use Picketlink with SAML2, to use an external identity server (exposed by WSO2IS).
I created a custom Service Provider using WSO2IS, defined the security in the web app, and configured picketlink in JBoss to use the Service Provider configured in WSO2IS.
The security filter works: when I try to open localhost:8087/MyApp, SSO works and redirects to the WSO2IS login page, but after the login there is always a passthrough by the samlsso provider, https://localhost:9446/samlsso, that shows a page that redirects to the target action (with also a "POST" button).
The problem is that, either pressing the button or with the auto redirect, the action called returns to home.action, and I can't navigate in the pages of the app. Any link I call, through web buttons, calls the proper action, then is redirected (I suppose by picketlink) to the samlsso with a token (for example https://localhost:9446/samlsso?SAMLRequest= the token) and then returns to home.action.
All the actions have return type "tiles", and 2 JSON results for AJAX calls.
Here are the details of what I have configured:
Jboss-web.xml
<jboss-web>
  <context-root>MYAPP</context-root>
  <security-domain>MYAPP_SD</security-domain>
</jboss-web>
Web.xml configured as below:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>NoLock</web-resource-name>
    <url-pattern>/css/*</url-pattern>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/img/*</url-pattern>
    <url-pattern>/js/*</url-pattern>
    <url-pattern>/jsp/*</url-pattern>
    <url-pattern>/struts/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MYAPPContext</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Application/MyAppRole</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>Application/MyAppRole</role-name>
</security-role>
The role Application/MyAppRole is defined in the WSO2 Identity Server by configuring a new Service Provider called MyAppRole. I added some users to it.
In JBoss, in configuration->subsystem->security, I created a Security Domain MyApp_SD, with authentication code "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule".
Also in JBoss, in configuration->picketlink, I created a new federation "MyApp_Federation" over the security domain "MyApp_SD" (trusted domain localhost:8087), and in the federation I created a new Service Provider called MyApp.war, also over MyApp_SD as Security Domain, with the SAML handlers configured as follows:
- SAML2LogOutHandler: class name org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
- RolesGenerationHandler: class name org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler
- SAML2AuthenticationHandler: class name org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler, with the following handler parameters:
  - ASSERTION_SESSION_ATTRIBUTE_NAME: org.picketlink.sp.assertion
  - DISABLE_ROLE_PICKING: false
  - CLOCK_SKEW_MILIS: 120000
  - ROLE_KEY: http://wso2.org/claims/role
- SAML2AttributeHandler: class name org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler, with the following handler parameters:
  - ATTRIBUTE_CHOOSE_FRIENDLY_NAME: false
So, is there something wrong in my configuration? Is it a problem of the web.xml constraints, the struts2 action configuration, or the picketlink configuration?
So, I found the problem: it is the use of incognito mode in Firefox. Using the normal mode the action links are automatically modified with the jsessionid and everything works fine. However, I have to edit all the JavaScript methods that generate a URL and the AJAX action JS to add the jsessionid.
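As an added example (not code from the question or from Picketlink), this is the client-side equivalent of the container's URL rewriting that the self-answer describes: it reads the `;jsessionid=` path parameter from the current page and inserts it into URLs built in JavaScript, while leaving foreign URLs such as the WSO2IS samlsso endpoint untouched. The `/MYAPP` paths, the origin `http://localhost:8087` and the `fetch` usage are assumptions.

```javascript
// Added example, not code from the question: client-side equivalent of
// HttpServletResponse.encodeURL() for a Servlet container's ";jsessionid="
// path parameter, so URLs built in JavaScript keep the session when cookies
// are unavailable (the incognito-mode case described above).
const JSESSIONID_RE = /;jsessionid=([^;?#]+)/i;

// Session id carried by a path such as "/MYAPP/home.action;jsessionid=ABC123?p=1".
// Returns null when the path has none (the container is tracking by cookie).
function extractSessionId(path) {
  const m = JSESSIONID_RE.exec(path);
  return m ? m[1] : null;
}

// True when `url` is absolute and points outside `origin` (for example the
// WSO2IS samlsso endpoint). Such URLs must not receive the id, because it
// would hand the session to another host. Relative URLs are same-application.
function isForeignOrigin(url, origin) {
  const absolute = /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(url);
  if (!absolute) return false;
  if (!origin) return true;
  const u = url.toLowerCase();
  const o = origin.toLowerCase().replace(/\/+$/, "");
  if (!u.startsWith(o)) return true;
  const rest = u.slice(o.length);
  return rest !== "" && !/^[/?#]/.test(rest); // "http://localhost:80870/.." is foreign
}

// Insert ";jsessionid=<id>" into the path part of `url`, before any query
// string or fragment, unless the URL already carries one or is foreign.
function withSessionId(url, sessionId, origin) {
  if (!sessionId || JSESSIONID_RE.test(url) || isForeignOrigin(url, origin)) {
    return url;
  }
  const cut = url.search(/[?#]/); // -1 when there is no query string or fragment
  const path = cut === -1 ? url : url.slice(0, cut);
  const tail = cut === -1 ? "" : url.slice(cut);
  return `${path};jsessionid=${sessionId}${tail}`;
}

// Session id of the page the script is running on; null outside a browser or
// when the container tracks the session by cookie (nothing to add then).
function currentSessionId() {
  const loc = globalThis.location;
  return loc ? extractSessionId(loc.pathname) : null;
}

// Example use in the app's AJAX helper (assumed names):
//   fetch(withSessionId("/MYAPP/search.action", currentSessionId(), location.origin),
//         { method: "POST", body: formData });
```

A session id carried in the URL ends up in browser history, Referer headers and server logs, so this rewriting is only a fallback for clients that block cookies; where cookies are available, keep cookie tracking (Servlet 3.0 `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`) so the id never appears in URLs.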