[
https://issues.jboss.org/browse/WFLY-9892?page=com.atlassian.jira.plugin....
]
David Lloyd resolved WFLY-9892.
-------------------------------
Resolution: Won't Fix
The attached test is reading the content of the XML element verbatim and passing it
directly in as a credential; however, this will not work: the credential must be a base-64
encoded value, but the definition of the base64Binary schema type allows whitespace,
making it not a valid base-64 value. The upgrade must have changed the output formatting
in a way compatible with all involved specs, but incompatible with this (essentially
broken) test.
The correct approach for the test is to read the element content and convert it to a valid
base64 string. For the purposes of the test, that would probably entail simply removing
all whitespace from the string, but the generally "correct" approach would be to
use a base64Binary-compliant decoder to convert the data into bytes, and then use a
base64-compliant encoder to convert the data to a valid base64 string again.
IOW, the test is broken and needs to be corrected.
Upgrade of org.apache.santuario.xmlsec to 2.1.1 caused regression in PicketLinkSTS
--------------------------------------------------------------------------------
Key: WFLY-9892
URL:
https://issues.jboss.org/browse/WFLY-9892
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.Beta1
Reporter: Ondrej Lukas
Priority: Blocker
Attachments: ejb-security-picketlink.zip, ejb-test.jar, picketlink-sts.war,
sts-config.properties
When a token from PicketLink STS is issued and signed, it cannot be used for
authentication through Remoting in WildFly 12 (i.e. it cannot be set as the
{{remote.connection.main.password}} property which is used in the PicketLink
{{org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule}}). It seems
to be caused by the upgrade of org.apache.santuario.xmlsec to version 2.1.1 [1]. When
WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar
is placed into the WildFly 12 modules, it works correctly.
We report it as a blocker since it is a regression: an application which works correctly on
WildFly 11 stops working on WildFly 12, and users are not able to authenticate through
Remoting with signed tokens from PicketLink STS.
Remoting fails due to the following exception:
{code}
java.lang.IllegalArgumentException: ELY05131: Invalid ASCII control "0xA"
    at org.wildfly.security.sasl.util.StringPrep.forbidAsciiControl(StringPrep.java:117)
    at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:295)
    at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:196)
    at org.wildfly.security.sasl.plain.PlainSaslClient.evaluateChallenge(PlainSaslClient.java:95)
    at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
    at org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:460)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
    at java.lang.Thread.run(Thread.java:748)
{code}
It is caused by different formatting of the SignatureValue in the assertion. In WildFly 11
the SignatureValue looks like:
{code}
<dsig:SignatureValue
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">nFVkKrXTyYEQ...
{code}
In WildFly 12 it looks like this (note the line breaks):
{code}
<dsig:SignatureValue
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">cUNpFJIZlLYr...;
qlTOT8UrOyxrR4yYAmJ/e5s+f4gys926+tbiraT/3/wG8wM/Lvcjvk5Ap69zODuRYpypsWfA4jrI
7TTBXVPGy8g4KUdnFviUiTuFTc2Ghgxp53AmUuLis/THyP28jE7+28//q8bi/bQrFwHC6tWX67+N
K1duFCOcQ6IPIKeVrePZz55Ivgl+WWdkF6uYCz5IdMzurhzmeQ3K8DAMIxz/MG67VWJIOnuGNWF7
nmdye5zd9AFcRsr1XadvZJCbGNfuc89AL5inCg==</dsig:SignatureValue>
{code}
[1]
https://github.com/wildfly/wildfly/commit/536de514829f2187abf1126c8916a04...
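As an added illustration (not code from this issue, WildFly or PicketLink), the normalisation David Lloyd describes above, written against java.util.Base64: the MIME decoder tolerates the whitespace that xs:base64Binary permits, the basic encoder re-emits a single-line value, and the control-character check approximates the condition behind the ELY05131 error in the stack trace. The sample input is constructed with the MIME encoder to reproduce the line-wrapped shape of the WildFly 12 SignatureValue; the class and method names are my own.

```java
import java.util.Base64;

/** Added example: turning base64Binary element text into a single-line base64 credential. */
public final class SignatureValueNormalizer {

    private SignatureValueNormalizer() {}

    /**
     * The "generally correct" route from the comment: decode with a decoder that, like the
     * xs:base64Binary lexical space, tolerates whitespace, then re-encode with an RFC 4648
     * encoder that never emits line separators.
     */
    public static String normalize(String elementText) {
        byte[] raw = Base64.getMimeDecoder().decode(elementText); // skips CR/LF and other non-alphabet chars
        return Base64.getEncoder().encodeToString(raw);            // single line, no separators
    }

    /** The quick route suggested for the test itself: drop all whitespace, keep the rest verbatim. */
    public static String stripWhitespace(String elementText) {
        return elementText.replaceAll("\\s+", "");
    }

    /** Approximates the ASCII-control rule reported by StringPrep: any char below 0x20, or DEL. */
    public static boolean containsAsciiControl(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample signature bytes; the MIME encoder wraps at 76 columns with CRLF,
        // which reproduces the multi-line shape of the WildFly 12 SignatureValue.
        byte[] fakeSignature = new byte[256];
        for (int i = 0; i < fakeSignature.length; i++) {
            fakeSignature[i] = (byte) i;
        }
        String wrapped = Base64.getMimeEncoder().encodeToString(fakeSignature);

        System.out.println("wrapped value contains control chars:    " + containsAsciiControl(wrapped));
        System.out.println("stripped value contains control chars:   " + containsAsciiControl(stripWhitespace(wrapped)));
        System.out.println("normalized value contains control chars: " + containsAsciiControl(normalize(wrapped)));

        // A strict RFC 4648 decoder accepts the normalized form but rejects the wrapped one.
        Base64.getDecoder().decode(normalize(wrapped));
        try {
            Base64.getDecoder().decode(wrapped);
        } catch (IllegalArgumentException e) {
            System.out.println("strict decoder rejects the wrapped value: " + e.getMessage());
        }
    }
}
```

Whichever route the test takes, the value handed to Remoting must contain no line separators before it reaches StringPrep; checking `containsAsciiControl` on the credential is a cheap assertion to keep in the test so the regression is caught at the source rather than as a SASL failure.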
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)