We are using Spring SAML Solution :
we are having issues while SAML LOGOUT We invoke URL : /saml/logout without any inactivity it works normally and logout the user
but when we invoke same urlafter 1 or 2 hours of inactivity it thows stack overflow error below are the logs
Please help Thanks in advance
<[ServletContext#236322167[app:PS module:smp path:null spec-version:3.0]] Servlet failed with an Exception java.lang.StackOverflowError at javax.servlet.http.HttpServletRequestWrapper.getRequestURI(HttpServletRequestWrapper.java:230) at javax.servlet.http.HttpServletRequestWrapper.getRequestURI(HttpServletRequestWrapper.java:230) at org.springframework.security.saml.util.SAMLUtil.processFilter(SAMLUtil.java:201) at org.springframework.security.saml.SAMLLogoutFilter.requiresLogout(SAMLLogoutFilter.java:175)
Also using spring SAML security extension for our e-commerce website and we are also facing same issue. From tests we did, it seems to happen when we force the global logout form our SP after the IdP session alread expired. But like previous post , assuming that the issue is on SP spring side.
thanks for any feedback from everyone as this error is not very elegant on our website.
Stéphane
Related
We have a Spring SAML SP service set up that allows our customers to use SAML to login to our applications. Our Spring SAML app has a max assertion age configured as 12 hours and users have their assertion ages expired often. Currently when they try to login with a session older then the max assertion they get an error. They then have to logout of their IDP, then login and try again.
They are able to get around expired sessions by setting a max assertion age in the configuration of our SP on the IDP side to something less then our 12 hours max. Then their IDP correctly prompts for reauth. I'd like to force reauth when their assertion is expired from our SP side. Is there a way to do that? I know using SAMLEntry point you can force auth all of the time, but we want to only reauth when we need them to.
this statement:
Currently when they try to login with a session older then the max
assertion they get an error. They then have to logout of their IDP,
then login and try again.
indicates that there's a problem on the IdP side (that is, they are killing their sessions early, or something similar), not yours. If you send a user with a standard SP-init AuthnRequest, the IdP should honor it. If the user has to log out of their IdP, that's the IdP's issue to resolve, not yours.
If you're not using the standard SP-init/AuthnRequest mechanism, then you need to update your question, and explain exactly your process.
Im facing a problem which I cannot solve by myself.
I am using Spring Boot and Spring's spring-boot-starter-oauth2-client to connect to my IDP.
I configured my settings and when the User hits a #Secured endpoint, one gets redirected to the IDP's login form.
After successful login the User becomes redirected to the initial request and is now logged in.
This is all working fine until the requested token expires.
Now I was wondering if I can refresh the Token using the refresh token ?
Is there a way to do that ?
Thanks for any help.
Detlef
Our application is a Spring Boot application and we have gotten a requirement to implement OAuth2 authorization with the IdentityServer3 as the provider.
However, with everything set up properly, we keep getting the error The client application is not known or is not authorized. when redirected to the login screen of the SSO system.
Using postman, we are able to access the login screen when clicking 'Get New Access Token'
Using AdvanceRestClient, we get the same error as our Spring Boot application.
Checking the log of these 2 tools, i found that on postman, the request will POST to the Access Token URL first, while on both Spring Boot security and the AdvanceRESTClient, it will generate a GET URI to the authorize URL.
Example of POSTMAN:
POST https://login.xxx.com.my/LoginHost/core/connect/token
Example of AdvanceRESTClient first request:
GET https://login.xxxx.com.my/LoginHost/core/connect/authorize?response_type=code&client_id=xxx.web&redirect_uri=https%3A%2F%2Fauth.advancedrestclient.com%2Foauth-popup.html&scope=openid%20email%20profile&state=XXX
This is confusing. Which behaviour is correct? And why is there a difference there?
Hope anyone can help with this. Thanks.
* UPDATE 1 *
POSTMAN settings:
AdvanceRESTClient:
After looking at the console logs of both client, it seems that the issue is caused by the redirect-url. After changing the redirect url on AdvancedRestClient to match with postman settings then it works.
My web-application developed on Vaadin - Servlet using Tomcat server.
When user clicks logout link, session timeout error is coming and then after some time it is automatically redirecting to login page.
Previously the redirection was so fast that user was unable to see this timeout error.
But now after some version update in Vaadin, user is able to see this error.
Suggest a way to resolve this issue.
I am thinking of finding a way to stop the browser from showing the error message for session-timeout , when the session is timed out using logout button.
How to achieve it. Or is there a better solution you can suggest?
Thanks in advance.
Before invalidating the session disabling the Push Mode.
Page.getCurrent().setLocation(location);
UI.getCurrent().getPushConfiguration().setPushMode(PushMode.DISABLED);
session.getSession().invalidate();
This will work fine.
The problem comes because support for Push is not fully implemented by all servers. So on some servers this problem may not arise.
With above logic you can also set Transport.LONG_POLLING which works fine for all servers.
At my project I use Spring Security and GWT with url-like internationalization (http://....html?locale=en). Login and logout functions work very well, but here is another hitch: when user login he got localization-like URL (for example http://localhost:8000/Admin/app/Admin.html?locale=en) but after he close window (without logout) and coming back at URL http://localhost:8000/Admin/ he take authorization by Spring Security with session and login at system without "?locale=" param, so he got default language.
The main question is - how can I interrupt between two process (after Spring say - "Ok! it a good user - comin!" and before he throw user a link to coming) so that I can add locale to his URL ?
Thanks.
You can implement a custom AuthenticationSuccessHandler to add parameters to the request on authentication success. See this question.