Change By: Geoff Thieme (01/Nov/13 2:26 PM)
Description: Validating signatures from ADFS STS is failing. My picketlink.xml has <PicketLinkSP SupportsSignatures="true". I previously had it working when using JBoss6 Community with picketlink 2.1.7.

The error is:
11:51:47,759 ERROR [org.apache.catalina.connector] (http-/0.0.0.0:8443-1) JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.LinkageError: loader constraint violation in interface itable initialization: when resolving method "org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Ljavax/xml/crypto/dsig/XMLSignContext;)V" the class loader (instance of org/jboss/modules/ModuleClassLoader) of the current class, org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignature, and the class loader (instance of <bootloader>) for interface javax/xml/crypto/dsig/XMLSignature have different Class objects for the type ture.sign(Ljavax/xml/crypto/dsig/XMLSignContext;)V used in the signature
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:186)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:146)
at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:492) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:308) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:117) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:57) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:66) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:102) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.2.Final.jar:]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:455) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:333) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:261) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Alpha1-redhat-4.jar:7.2.0.Alpha1-redhat-4]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

I'm assuming javax/xml/crypto/dsig/XMLSignContext is coming from org.apache.santuario.xmlsec. I noticed that picketlink is using org.apache.santuario.xmlsec version=1.5.1 and JBoss is using org.apache.santuario.xmlsec version=1.5.3. Would updating the xmlsec version in https://github.com/picketlink/picketlink/blob/master/modules/federation/pom.xml to 1.5.3 resolve this issue?

ADFS is returning the SAML2 token as a URL arg. If ADFS can be changed to return the token as a POST, would that also resolve the issue?