After performing SLO from a Shibboleth IdP in IE/Edge, attempting to log in again results in a ConstraintViolationException:
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Context cannot be null or empty
at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
(no further stacktrace provided in the logs)
When running with logging in DEBUG, this is preceded by a logging line:
[net.shibboleth.idp.session.impl.StorageBackedSessionManager:792] [10.8.0.237] - Performing primary lookup on session ID
Note the lack of a session identifier following the words "session ID" where there would usually be one.
This seems to be caused by an Expire setting not getting set on the shib_idp_session during logout, just a Max-Age=0 setting, which IE does not support. The result is that shib_idp_session gets set to a blank string, which is then passed back to Shibboleth when next logging in.
Deleting the shib_idp_session cookie using the browser developer tools makes things start working again.
Environment
Shibboleth 3.3.3 running inside Tomcat 8.5.9 on Oracle Java 1.8.0_121 on RHEL7. The MemcachedStorageService backend is in use for session storage.
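A check for the condition described in the report, as an added example that is not part of the original issue or of the Shibboleth or Tomcat code: it scans Set-Cookie values for a cookie deletion that relies on Max-Age alone, with no Expires date in the past. The sample headers, the /idp path and the function names are constructed for illustration.

```python
# Added example: flag Set-Cookie headers that delete a cookie via Max-Age only.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not taken from the report's logs); /idp is assumed.
SAMPLE_HEADERS = [
    "shib_idp_session=; Max-Age=0; Path=/idp; HttpOnly",
    "shib_idp_session=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/idp; HttpOnly",
    "JSESSIONID=ABC123; Path=/idp; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def deletion_without_expires(header, now=None):
    """True if the header expires a cookie with Max-Age<=0 but has no past Expires date."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    try:
        max_age = int(attrs["max-age"])
    except (KeyError, ValueError):
        return False  # no usable Max-Age: not a Max-Age-based deletion
    if max_age > 0:
        return False
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return True  # Expires missing or unparseable: a client that ignores Max-Age stores the blank value
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > now


def audit(headers, now=None):
    """Return the names of cookies whose deletion depends on Max-Age alone."""
    return [parse_set_cookie(h)[0] for h in headers if deletion_without_expires(h, now)]


if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```

Feed it the Set-Cookie values captured from the logout response; any name it returns is a cookie that a client without Max-Age support will keep with an empty value.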
Unidentified Legacy Account March 13, 2017 at 4:46 PM
I've not explicitly set that, no (and I've just double checked to make sure I haven't), so it does seem odd that I need to explicitly set it.
Unidentified Legacy Account March 13, 2017 at 4:40 PM
That looks like what I did (though I explicitly set the className too, but that's not actually required).
Scott Cantor March 13, 2017 at 3:17 PM
Also, it seems like this should be defaulting to true anyway. Did you explicitly set org.apache.catalina.STRICT_SERVLET_COMPLIANCE to true? That defaults to false, and the documentation says that setting it to true is what makes alwaysAddExpires default to false.
Scott Cantor March 13, 2017 at 3:14 PM
I added an example to the Tomcat8 page; if you could verify or correct that example, I'd appreciate it.