
I'm trying to disable the session store as I do not require it for my use case, where we are the SP and the IdP sends the SAMLResponse identifying the subject, which allows me to create a JWT for my user. I am using dropwizard-pac4j (if that matters) and attempted to disable the session using the configuration's sessionEnabled flag set to false. However, when creating the SAML2Credentials from the posted SAMLObject from the IdP, I notice that pac4j is doing the following:

    protected SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context,
                                                     final Response response) {
        final var subjectAssertion = context.getSubjectAssertion();

        final var samlAttributes = collectAssertionAttributes(subjectAssertion);
        final var attributes = SAML2Credentials.SAMLAttribute.from(configuration.getSamlAttributeConverter(), samlAttributes);

        final var samlNameId = determineNameID(context, attributes);
        final var sessionIndex = getSessionIndex(subjectAssertion);
        final var sloKey = computeSloKey(sessionIndex, samlNameId);
        if (sloKey != null) {
            // records the SLO key against the current session, so it needs a live session store
            logoutHandler.recordSession(context.getWebContext(), context.getSessionStore(), sloKey);
        }
    ...

The sessionIndex and sloKey are non-null, but DefaultLogoutHandler::recordSession will get called with a session store that has no session, which throws an error.

Here's a partial stack trace

! java.lang.IllegalStateException: No SessionManager
! at org.eclipse.jetty.server.Request.getSession(Request.java:1555)
! at org.eclipse.jetty.server.Request.getSession(Request.java:1534)
! at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229)
! at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
! at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
! at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
! at java.base/java.lang.reflect.Method.invoke(Method.java:568)
! at org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1268)
! at org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:85)
! at org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
! at org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
! at jdk.proxy3/jdk.proxy3.$Proxy148.getSession(Unknown Source)
! at org.pac4j.jax.rs.servlet.pac4j.ServletSessionStore.getHttpSession(ServletSessionStore.java:34)
! at org.pac4j.jax.rs.servlet.pac4j.ServletSessionStore.getSessionId(ServletSessionStore.java:93)
! at org.pac4j.core.logout.handler.DefaultLogoutHandler.recordSession(DefaultLogoutHandler.java:40)
! at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.buildSAML2Credentials(SAML2AuthnResponseValidator.java:112)
! at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:98)
! at org.pac4j.saml.profile.impl.AbstractSAML2MessageReceiver.receiveMessage(AbstractSAML2MessageReceiver.java:53)

I'm curious how I can disable sessions and skip providing a SessionFactory.


Edit on 8/15 after updating to v5.0.1-SNAPSHOT of jax-rs-pac4j

We modified our dependency from library("pac4jJaxCore", "org.pac4j.jax-rs", "core").version("5.0.0") to library("pac4jJaxCore", "org.pac4j.jax-rs", "core").version("v5.0.1-SNAPSHOT"), set the configuration enableSession: false and ran again with no luck. Here's the stack trace:

java.lang.IllegalStateException: No SessionManager
! at org.eclipse.jetty.server.Request.getSession(Request.java:1555)
! at org.eclipse.jetty.server.Request.getSession(Request.java:1534)
! at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229)
! at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
! at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
! at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
! at java.base/java.lang.reflect.Method.invoke(Method.java:568)
! at org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1268)
! at org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:85)
! at org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
! at org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
! at jdk.proxy3/jdk.proxy3.$Proxy160.getSession(Unknown Source)
! at org.pac4j.jax.rs.servlet.pac4j.ServletSessionStore.getHttpSession(ServletSessionStore.java:34)
! at org.pac4j.jax.rs.servlet.pac4j.ServletSessionStore.getSessionId(ServletSessionStore.java:93)
! at org.pac4j.core.logout.handler.DefaultLogoutHandler.recordSession(DefaultLogoutHandler.java:40)
! at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.buildSAML2Credentials(SAML2AuthnResponseValidator.java:112)
! at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:98)
! at org.pac4j.saml.profile.impl.AbstractSAML2MessageReceiver.receiveMessage(AbstractSAML2MessageReceiver.java:53)
! at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
! at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.receiveLogin(SAML2CredentialsExtractor.java:71)
! at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:66)
! at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:71)
! at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
! at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:75)
! at org.pac4j.jax.rs.filters.CallbackFilter.filter(CallbackFilter.java:46)
! at org.pac4j.jax.rs.filters.AbstractFilter.filter(AbstractFilter.java:47)
! at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108)
! at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:44)
! at org.glassfish.jersey.process.internal.Stages.process(Stages.java:173)
! at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:248)
! at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
! at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
! at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
! at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
! at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
! at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
! at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
! at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
! at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
! at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
! at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
! at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
! at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
! at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
! at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
! at io.dropwizard.servlets.ThreadNameFilter.doFilter(ThreadNameFilter.java:35)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at io.dropwizard.jersey.filter.AllowedMethodsFilter.handle(AllowedMethodsFilter.java:46)
! at io.dropwizard.jersey.filter.AllowedMethodsFilter.doFilter(AllowedMethodsFilter.java:40)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:313)
! at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:267)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at org.eclipse.jetty.servlets.HeaderFilter.doFilter(HeaderFilter.java:112)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
! at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
! at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at com.seasonhealth.core.web.filters.TestModeFilter.doFilter(TestModeFilter.kt:32)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at com.seasonhealth.core.web.filters.ErrorLoggingFilter.doFilter(ErrorLoggingFilter.kt:90)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at com.seasonhealth.core.web.filters.LoggingContextFilter.doFilter(LoggingContextFilter.kt:35)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at com.seasonhealth.core.web.bundle.corellationid.CorrelationIdServletFilter.doFilter(CorrelationIdServletFilter.kt:33)
! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
! at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
! at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
! at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
! at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
! at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
! at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
! at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
! at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
! at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
! at io.dropwizard.metrics.jetty10.InstrumentedHandler.handle(InstrumentedHandler.java:310)
! at io.dropwizard.jetty.RoutingHandler.handle(RoutingHandler.java:52)
! at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
! at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822)
! at io.dropwizard.jetty.ZipExceptionHandlingGzipHandler.handle(ZipExceptionHandlingGzipHandler.java:26)
! at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:46)
! at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
! at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
! at org.eclipse.jetty.server.Server.handle(Server.java:563)
! at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
! at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
! at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
! at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
! at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
! at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
! at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
! at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
! at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
! at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
Mustafa Shabib

1 Answer


I think we have a bug here: the getSessionId method of the ServletSessionStore class should not throw an exception but return an Optional.empty().

Which version of jax-rs-pac4j do you use?

jleleu
  • Thanks @jleleu - Here's what we're pulling in for dropwizard 3: library("dropwizardPac4j", "org.pac4j", "dropwizard-pac4j").version("5.3.0") library("pac4jCore", "org.pac4j", "pac4j-core").version("5.7.1") library("pac4jJaxCore", "org.pac4j.jax-rs", "core").version("5.0.0") library("pac4jJaxParent", "org.pac4j.jax-rs", "parent").version("5.0.0") library("pac4jSaml", "org.pac4j", "pac4j-saml").version("5.7.1") – Mustafa Shabib Aug 10 '23 at 03:51
  • OK. Can you try `jax-rs-pac4j` v5.0.1-SNAPSHOT? – jleleu Aug 11 '23 at 08:56
  • I updated my question above with results of that test, we still have the same issue unfortunately @jleleu – Mustafa Shabib Aug 16 '23 at 00:36
  • Strange and disappointing! Can you do some debugging in `ServletSessionStore`, line 34 to see why the exception is not caught by the `try`/`catch` block? – jleleu Aug 21 '23 at 09:08
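A decorator that gives the behaviour the answer asks for at the application level, as an added example and not code from pac4j, jax-rs-pac4j or the question: it wraps whatever SessionStore the integration provides and maps the container's IllegalStateException ("No SessionManager" in the trace) to Optional.empty(), so DefaultLogoutHandler.recordSession logs and skips the SLO key instead of failing the login. The SessionStore method signatures are assumed from pac4j 5.x, and how the wrapper is registered depends on the dropwizard-pac4j/jax-rs-pac4j configuration.

```java
import java.util.Optional;
import java.util.function.BooleanSupplier;
import java.util.function.Supplier;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;

// Hypothetical decorator, not pac4j code: a container with no SessionManager
// (Jetty's IllegalStateException in the trace) is reported as "no session"
// instead of aborting SAML response validation.
public final class NoSessionTolerantSessionStore implements SessionStore {
    private final SessionStore delegate; // e.g. jax-rs-pac4j's ServletSessionStore

    public NoSessionTolerantSessionStore(SessionStore delegate) {
        this.delegate = delegate;
    }

    // A delegate call that fails with "no session manager" yields Optional.empty().
    private static <T> Optional<T> orEmpty(Supplier<Optional<T>> call) {
        try { return call.get(); } catch (IllegalStateException e) { return Optional.empty(); }
    }

    // Boolean variant: nothing to destroy or renew means false.
    private static boolean orFalse(BooleanSupplier call) {
        try { return call.getAsBoolean(); } catch (IllegalStateException e) { return false; }
    }
    // An empty id makes DefaultLogoutHandler.recordSession log and skip the SLO key
    // instead of failing the login, which is what the answer says the store should do.
    @Override public Optional<String> getSessionId(WebContext ctx, boolean createSession) {
        return orEmpty(() -> delegate.getSessionId(ctx, createSession));
    }
    @Override public Optional<Object> get(WebContext ctx, String key) {
        return orEmpty(() -> delegate.get(ctx, key));
    }
    @Override public void set(WebContext ctx, String key, Object value) {
        try { delegate.set(ctx, key, value); } catch (IllegalStateException e) { /* nowhere to store it */ }
    }
    @Override public boolean destroySession(WebContext ctx) {
        return orFalse(() -> delegate.destroySession(ctx));
    }
    @Override public Optional<Object> getTrackableSession(WebContext ctx) {
        return orEmpty(() -> delegate.getTrackableSession(ctx));
    }
    @Override public Optional<SessionStore> buildFromTrackableSession(WebContext ctx, Object trackable) {
        return orEmpty(() -> delegate.buildFromTrackableSession(ctx, trackable));
    }
    @Override public boolean renewSession(WebContext ctx) {
        return orFalse(() -> delegate.renewSession(ctx));
    }
}
```

Because set() silently drops anything pac4j tries to keep between requests, this only suits a flow that genuinely needs no server-side state, such as the stateless SP-with-JWT setup described in the question.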