Do you have a custom login.jsp? Looks like something required is missing.
You could look at the login_jsp.java to see exactly what is failing.
Jim
Our users didn't bother... :/
> In the Tomcat log I can see the below error message
> ---------------------------------------
> 08-Sep-2010 14:23:31 org.apache.catalina.core.ApplicationDispatcher invoke
> SEVERE: Servlet.service() for servlet jsp threw exception
> java.lang.NullPointerException
> at org.apache.jsp.login_jsp._jspService(login_jsp.java:80)
This looks like the NPE I wrote about 3 months ago. Peter Schober's
solution fixed it, see
http://groups.google.com/group/shibboleth-users/browse_thread/thread/a9ad13b75d21af08.
In short: check whether the loginContext object is null before using it
in the JSP.
Regards,
Etienne
The code this example was based on came from someone else (speak up!),
but anyway: Could this be included in the default login page for the
next release (2.2)?
There's no loginContext != NULL check in REL_2 and login.jsp in trunk
looks even more stripped down.
Should we file a bug?
-peter
-Halm
Many thanks for your reply.
We have changed 'login.jsp' as below. But users are still getting a blank screen.
Could you please help. I have enclosed 'idp-process.log' and 'tomcat.log'.

<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.session.*" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %>
<%@ page import="org.opensaml.saml2.metadata.*" %>
<%
    response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", -1);
%>
<%
    LoginContext loginContext = HttpServletHelper.getLoginContext(HttpServletHelper.getStorageService(application),
    Session userSession = HttpServletHelper.getUserSession(request);
%>
<html>
<head>
    <title>Shibboleth Identity Provider - Login</title>
</head>
<body>
    <img src="<%= request.getContextPath() %>/images/logo.jpg" />
    <h2>Shibboleth Identity Provider Login to Service Provider</h2>
    <p>Existing Session: <%= userSession != null %><br/></p>
    <% if ("true".equals(request.getAttribute("loginFailed"))) { %>
        <p><font color="red">Authentication Failed</font></p>
    <% } %>
    <% if(request.getAttribute("actionUrl") != null){ %>
        <form action="<%=request.getAttribute("actionUrl")%>" method="post">
    <% }else{ %>
        <form action="j_security_check" method="post">
    <% } %>
        <table>
            <tr>
                <td>Username:</td>
                <td><input name="j_username" type="text" tabindex="1" /></td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><input name="j_password" type="password" tabindex="2" /></td>
            </tr>
            <tr>
                <td colspan="2"><input type="submit" value="Login" tabindex="3" /></td>
            </tr>
        </table>
    </form>
</body>
</html>

idp-process.log
---------------
09:33:29.892 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:296] - LoginContext not bound to HTTP request, retrieving it from storage service
09:33:29.893 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:299] - LoginContext key cookie was not present in request
09:33:29.895 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:143] - Unable to redirect to login page.
... 27 common frames omitted
09:33:30.618 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - Attempting to retrieve IdP session cookie.
09:33:30.619 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:111] - Found IdP session cookie.
09:33:30.619 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:71] - Updating IdP session activity time and adding session object to the request

Tomcat.log
-----------
Sep 10, 2010 9:33:29 AM org.apache.catalina.core.ApplicationDispatcher invoke
SEVERE: Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
    at org.apache.jsp.login_jsp._jspService(login_jsp.java:80)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)

Because per the code you sent you did /not/ change login.jsp to check
for a null loginContext, which is the only change Etienne mentioned
and what is part of the code he referred you to.
In case you just sent the wrong code (and did in fact add the check)
did you run the install script again to include the changed jsp file
in the WAR?
-peter
Dear Peter,
Thank you very much. It helps a lot.
I have changed the 'login.jsp' script as below and redeployed the IdP. With the change below, any users who come with a loginContext == null value are going to get an 'Error' message instead of login.jsp. Is that how it should work, or am I missing some point?
Could you please update.

<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.session.*" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %>
<%@ page import="org.opensaml.saml2.metadata.*" %>
<%
    response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", -1);
%>
<%
    LoginContext loginContext = HttpServletHelper.getLoginContext(HttpServletHelper.getStorageService(application),
    Session userSession = HttpServletHelper.getUserSession(request);
%>
<html>
<head>
    <title>Shibboleth Identity Provider - Login</title>
</head>
<body>
    <img src="<%= request.getContextPath() %>/images/logo.jpg" />
    <h2>Shibboleth Identity Provider Login to Service Provider</h2>
    <p>Existing Session: <%= userSession != null %><br/></p>
    <%-- Render the login form only when a LoginContext is available --%>
    <% if(loginContext != null){ %>
        <% if ("true".equals(request.getAttribute("loginFailed"))) { %>
            <p><font color="red">Authentication Failed</font></p>
        <% } %>
        <% if(request.getAttribute("actionUrl") != null){ %>
            <form action="<%=request.getAttribute("actionUrl")%>" method="post">
        <% }else{ %>
            <form action="j_security_check" method="post">
        <% } %>
            <table>
                <tr>
                    <td>Username:</td>
                    <td><input name="j_username" type="text" tabindex="1" /></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input name="j_password" type="password" tabindex="2" /></td>
                </tr>
                <tr>
                    <td colspan="2"><input type="submit" value="Login" tabindex="3" /></td>
                </tr>
            </table>
        </form>
    <% } else { %>
        <h1>Error</h1>
    <% } %>
</body>
</html>

Many thanks
Regards
John.p

That's how it works. What happens in the case of a null loginContext
is now up to your imagination. Besides outputting a real error message
(which explains why people end up here and how to avoid that) you
could also generate an HTTP redirect off to some other URL. That other
URL might be where your webmaster likes to edit and update such error
messages, or (per Paul Hethmon's suggestion from back in April) it
could also be a "default" SAML SP's home URL (which in turn would
trigger a login at the IdP and back to that SP), etc.
-peter
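
Added example, not part of the thread or of the Shibboleth distribution: a login.jsp that implements both options described above for a null loginContext, either a redirect to an operator-chosen URL or an explanatory error page. Assumptions: the three-argument `getLoginContext(storageService, servletContext, request)` call, the hypothetical `noLoginContextRedirectUrl` context-param in web.xml, and the sample wording of the error message.

```jsp
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %>
<%
    response.setHeader("Cache-Control", "no-cache,no-store,must-revalidate");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", -1);

    // Assumption: getLoginContext(storageService, servletContext, request).
    LoginContext loginContext = HttpServletHelper.getLoginContext(
            HttpServletHelper.getStorageService(application), application, request);

    // Hypothetical <context-param> from web.xml. The target is fixed by the
    // operator and never read from the request, so it cannot be abused as
    // an open redirect.
    String fallbackUrl = application.getInitParameter("noLoginContextRedirectUrl");
    if (loginContext == null && fallbackUrl != null && fallbackUrl.trim().length() > 0) {
        response.sendRedirect(fallbackUrl.trim());
        return; // stop rendering; nothing below may touch loginContext
    }
%>
<html>
<head><title>Shibboleth Identity Provider - Login</title></head>
<body>
<% if (loginContext == null) { %>
    <%-- Sample wording; replace with text that fits your users. --%>
    <h1>Login cannot continue</h1>
    <p>The identity provider found no login request in progress for your
       browser (the login context cookie was not present).</p>
    <p>Please return to the service you were trying to use and start the
       login from there.</p>
<% } else { %>
    <% if ("true".equals(request.getAttribute("loginFailed"))) { %>
        <p><font color="red">Authentication Failed</font></p>
    <% } %>
    <% if (request.getAttribute("actionUrl") != null) { %>
        <form action="<%= request.getAttribute("actionUrl") %>" method="post">
    <% } else { %>
        <form action="j_security_check" method="post">
    <% } %>
        <table>
            <tr><td>Username:</td><td><input name="j_username" type="text" tabindex="1" /></td></tr>
            <tr><td>Password:</td><td><input name="j_password" type="password" tabindex="2" /></td></tr>
            <tr><td colspan="2"><input type="submit" value="Login" tabindex="3" /></td></tr>
        </table>
    </form>
<% } %>
</body>
</html>
```

Leaving the context-param unset selects the error page; as noted earlier in the thread, the changed JSP only takes effect once it is included in the deployed WAR.
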
Please keep replies to the list.
> >when loginContext==null
> >Redirecting to a "default" SAML SP's home URL
>
> It won't work for our situation, since it's all genuine users trying
> to access some SP and getting redirected to our IdP and facing blank
> screen problem. If we force them to some default SP it will create
> more confusion.
I doubt that's really what is happening (accessing an SP, getting
redirected to the IdP), but anyway:
Then don't redirect elsewhere (as this, too, was just a suggestion)
and display something slightly more helpful than the current
<h1>Error</h1> from login.jsp.
But you'll find that whatever you do your users will still be confused
(given your description of reactions to alternatives). You now at least
have the chance to improve upon the error message (the one you had
before you checked for null loginContext).
No matter what you do, unmodified behaviour on part of your users will
still lead to an error (of your choosing).
There is no --dont-suck parameter for the IdP that will make this user
behaviour magically work. If there were, it'd better be enabled by default.
-peter