]
Pedro Igor commented on WFLY-9892:
----------------------------------
[~olukas], the signature value is changing whenever the element is read. PL is generating
the signature element and value correctly but because of indentation, carriage return is
included as {{ }}.
The tests pointed out by Honza are not related with this issue in particular.
{{SAMLAssertionWrappingAttackTestCase}} is failing because the attack asserted by the test
is not possible anymore with xmlsec:2.1.1 because you can not have a {{samlp:Respnse}}
inside a {{xmldsig:Signature}} element. The library is more restrict ....
The {{DomElementToStaxWritingTestCase}} is failing just because we are not closing the
"writer".
Will investigate now the infamous {{ }} and give you more details.
Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in
PicketLinkSTS
--------------------------------------------------------------------------------
Key: WFLY-9892
URL:
https://issues.jboss.org/browse/WFLY-9892
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.Beta1
Reporter: Ondrej Lukas
Assignee: Pedro Igor
Priority: Blocker
Attachments: ejb-security-picketlink.zip, ejb-test.jar, picketlink-sts.war,
sts-config.properties
When token from PicketLink STS is issued and signed then it is not able to be used for
authentication through Remoting in WildFly 12 (i.e. it cannot be set as
{{remote.connection.main.password}} property which can be used in PicketLink
{{org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule}}). It seems
it is caused by upgrade of org.apache.santuario.xmlsec to version 2.1.1. [1]. When
WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar
is placed to WildFly 12 modules then it works correctly.
We report it as a blocker since it is regression - application which works correctly on
WildFly 11 stops to work on WildFly 12 - users are not able to authenticate through
Remoting with signed tokens from PicketLink STS correctly.
Remoting fails due to following exception:
{code}
java.lang.IllegalArgumentException: ELY05131: Invalid ASCII control "0xA"
at
org.wildfly.security.sasl.util.StringPrep.forbidAsciiControl(StringPrep.java:117)
at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:295)
at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:196)
at
org.wildfly.security.sasl.plain.PlainSaslClient.evaluateChallenge(PlainSaslClient.java:95)
at
org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
at
org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
at java.security.AccessController.doPrivileged(Native Method)
at
org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
at
org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:460)
at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
at
org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
at java.lang.Thread.run(Thread.java:748)
{code}
It is caused by different formating value of SignatureValue in assertion. In WildFly 11
SignatureValue looks like:
{code}
<dsig:SignatureValue
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">nFVkKrXTyYEQ...
{code}
In WildFly 12 it looks like (there are end of lines):
{code}
<dsig:SignatureValue
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">cUNpFJIZlLYr...;
qlTOT8UrOyxrR4yYAmJ/e5s+f4gys926+tbiraT/3/wG8wM/Lvcjvk5Ap69zODuRYpypsWfA4jrI
7TTBXVPGy8g4KUdnFviUiTuFTc2Ghgxp53AmUuLis/THyP28jE7+28//q8bi/bQrFwHC6tWX67+N
K1duFCOcQ6IPIKeVrePZz55Ivgl+WWdkF6uYCz5IdMzurhzmeQ3K8DAMIxz/MG67VWJIOnuGNWF7
nmdye5zd9AFcRsr1XadvZJCbGNfuc89AL5inCg==</dsig:SignatureValue>
{code}
[1]
https://github.com/wildfly/wildfly/commit/536de514829f2187abf1126c8916a04...