]
Ondrej Lukas reassigned WFLY-9892:
----------------------------------
Assignee: (was: Darran Lofthouse)
Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in
PicketLinkSTS
--------------------------------------------------------------------------------
Key: WFLY-9892
URL:
https://issues.jboss.org/browse/WFLY-9892
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.Beta1
Reporter: Ondrej Lukas
Priority: Blocker
Attachments: ejb-security-picketlink.zip, ejb-test.jar, picketlink-sts.war,
sts-config.properties
When token from PicketLink STS is issued and signed then it is not able to be used for
authentication through Remoting in WildFly 12 (i.e. it cannot be set as
{{remote.connection.main.password}} property which can be used in PicketLink
{{org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule}}). It seems
it is caused by upgrade of org.apache.santuario.xmlsec to version 2.1.1. [1]. When
WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar
is placed to WildFly 12 modules then it works correctly.
We report it as a blocker since it is regression - application which works correctly on
WildFly 11 stops to work on WildFly 12 - users are not able to authenticate through
Remoting with signed tokens from PicketLink STS correctly.
Remoting fails due to following exception:
{code}
java.lang.IllegalArgumentException: ELY05131: Invalid ASCII control "0xA"
at
org.wildfly.security.sasl.util.StringPrep.forbidAsciiControl(StringPrep.java:117)
at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:295)
at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:196)
at
org.wildfly.security.sasl.plain.PlainSaslClient.evaluateChallenge(PlainSaslClient.java:95)
at
org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
at
org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
at java.security.AccessController.doPrivileged(Native Method)
at
org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
at
org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:460)
at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
at
org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
at java.lang.Thread.run(Thread.java:748)
{code}
It is caused by different formating value of SignatureValue in assertion. In WildFly 11
SignatureValue looks like:
{code}
<dsig:SignatureValue
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">nFVkKrXTyYEQ...
{code}
In WildFly 12 it looks like (there are end of lines):
{code}
<dsig:SignatureValue
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">cUNpFJIZlLYr...;
qlTOT8UrOyxrR4yYAmJ/e5s+f4gys926+tbiraT/3/wG8wM/Lvcjvk5Ap69zODuRYpypsWfA4jrI
7TTBXVPGy8g4KUdnFviUiTuFTc2Ghgxp53AmUuLis/THyP28jE7+28//q8bi/bQrFwHC6tWX67+N
K1duFCOcQ6IPIKeVrePZz55Ivgl+WWdkF6uYCz5IdMzurhzmeQ3K8DAMIxz/MG67VWJIOnuGNWF7
nmdye5zd9AFcRsr1XadvZJCbGNfuc89AL5inCg==</dsig:SignatureValue>
{code}
[1]
https://github.com/wildfly/wildfly/commit/536de514829f2187abf1126c8916a04...