PicketLink should accept AuthnRequests that don't contain an AssertionConsumerServiceURL. We are trying to get mod_auth_mellon to work with PicketLink and are getting NullPointerException errors. Note that http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf does list this as optional: AssertionConsumerServiceURL [Optional].
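The IdP-side behaviour the report asks for, as an added example that is not PicketLink's code: when the request carries no AssertionConsumerServiceURL (or AssertionConsumerServiceIndex), the endpoint is taken from the SP's registered metadata instead of dereferencing the missing attribute; when a URL is present it is honoured only if the SP registered it, since otherwise the IdP would post the assertion wherever the request says. The SP registry, the example.test hostnames and the sample requests are constructed for this example; the resolution order follows SAML core 3.4.1.

```python
"""Resolve the AssertionConsumerService (ACS) endpoint for a SAML 2.0 AuthnRequest.

Added example, not PicketLink code. SAML core 3.4.1 makes AssertionConsumerServiceURL
optional, so an IdP must fall back to the SP's registered endpoints rather than
dereference a missing attribute. The SP registry and requests below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the SP metadata an IdP trusts: issuer -> registered ACS endpoints.
SP_REGISTRY = {
    "https://sp.example.test/metadata": [
        {"index": 0, "binding": POST_BINDING, "location": "https://sp.example.test/acs", "default": True},
        {"index": 1, "binding": POST_BINDING, "location": "https://sp.example.test/acs-alt", "default": False},
    ],
}


class AcsResolutionError(ValueError):
    """No trustworthy ACS endpoint could be determined; answer with a SAML error, not an NPE."""


def resolve_acs(authn_request_xml: str, registry=SP_REGISTRY) -> str:
    """Return the ACS URL the IdP should send its Response to."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AcsResolutionError("not a samlp:AuthnRequest")

    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    endpoints = registry.get(issuer)
    if not endpoints:
        raise AcsResolutionError("unknown or untrusted issuer: %r" % issuer)

    requested_url = root.get("AssertionConsumerServiceURL")
    requested_index = root.get("AssertionConsumerServiceIndex")

    if requested_url is not None:
        # Honour the URL only if the SP registered it; otherwise the assertion
        # would be posted wherever the (possibly tampered) request says.
        for ep in endpoints:
            if ep["location"] == requested_url:
                return ep["location"]
        raise AcsResolutionError("AssertionConsumerServiceURL not registered: %s" % requested_url)

    if requested_index is not None:
        for ep in endpoints:
            if str(ep["index"]) == requested_index:
                return ep["location"]
        raise AcsResolutionError("AssertionConsumerServiceIndex not registered: %s" % requested_index)

    # Neither attribute present (the mod_auth_mellon case): use the SP's default endpoint.
    for ep in endpoints:
        if ep["default"]:
            return ep["location"]
    return endpoints[0]["location"]


def is_rejected(authn_request_xml: str, registry=SP_REGISTRY) -> bool:
    """True if the request is refused with a SAML-level error instead of being served."""
    try:
        resolve_acs(authn_request_xml, registry)
    except AcsResolutionError:
        return True
    return False


def _request(extra_attrs: str) -> str:
    """Build a constructed AuthnRequest whose Issuer is the registered SP above."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_constructed-1" '
        'Version="2.0" IssueInstant="2014-05-28T14:32:00Z" {extra}>'
        '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    ).format(samlp=NS["samlp"], saml=NS["saml"], extra=extra_attrs)


# Constructed sample requests covering the optional-attribute cases.
REQUEST_NO_ACS = _request("")
REQUEST_REGISTERED_ACS = _request('AssertionConsumerServiceURL="https://sp.example.test/acs-alt"')
REQUEST_BY_INDEX = _request('AssertionConsumerServiceIndex="1"')
REQUEST_UNREGISTERED_ACS = _request('AssertionConsumerServiceURL="https://elsewhere.example.test/acs"')

if __name__ == "__main__":
    for name, req in [("no ACS attribute", REQUEST_NO_ACS), ("registered URL", REQUEST_REGISTERED_ACS),
                      ("by index", REQUEST_BY_INDEX), ("unregistered URL", REQUEST_UNREGISTERED_ACS)]:
        try:
            print("%-18s -> %s" % (name, resolve_acs(req)))
        except AcsResolutionError as exc:
            print("%-18s -> rejected: %s" % (name, exc))
```

Requiring a registered match even for a present URL is stricter than the minimum the specification allows (it also permits a signed request to name any URL); metadata-only matching is the simpler rule to audit and is what a defender would want as the default.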
An example AuthN request is below:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8A3AAE5D9A63886676369AC1A278787B" Version="2.0" IssueInstant="2014-05-28T14:32:00Z" Destination="https://saml.deviam.redhat.com/idp/" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false">
  <saml:Issuer>https://dmtest.int-idp.dev.ext.devlab.redhat.com/secret/endpoint/metadata</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_8A3AAE5D9A63886676369AC1A278787B">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>EDZ0rxmafl1n51Y5HUqAC9Z9DXw=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Ry5EVC5mFivZuZivf101AJO9azfCuEMxKPlM0IixG9srsUylyjVgOlbhY3x5A3Iq W10Xo1BqoQ6ZQELBybw2Cb2x1YaJaew0HWjj7sQ5u5c9bY9nQ4IVFHq8xVb60Tfu ykN7Jdj8tF3gl1beLq5rn5zS2eGqaBZ3j5amWF+eYTArumZC1qv9mPeHnB4ojaWB 3NXb1IiSOGZt0yh1jUGAnhaQp5spTTUN8HJrPFKBxJQyAVYPEimQXfpscJ8x26OJ AvAB9GXYYknyH7KF/Mpr/laXqIW/3LidocDj/w5+oo0trKrLtCzjFSkz4L5MWkkq 3BL6I+pJMPg+Q+4XzcJ9sg==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIDpTCCAo2gAwIBAgIJAIwj1ok2VVfwMA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNV BAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWln aDEQMA4GA1UECgwHUmVkIEhhdDEMMAoGA1UECwwDSUFNMQ8wDQYDVQQDDAZtZWxs b24wHhcNMTQwNTIyMTg0NTI1WhcNMjQwNTIxMTg0NTI1WjBpMQswCQYDVQQGEwJV UzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxEDAO BgNVBAoMB1JlZCBIYXQxDDAKBgNVBAsMA0lBTTEPMA0GA1UEAwwGbWVsbG9uMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzc/X+QdqOO2YhzwoKebWn2qH glomvfCukvWytSqnvUqXnD4ao5jA1b9/w6tqiyCACQZLqfdXpQF6nRr0rZZey5wT xbd1h40c3sy9zqnLiEEXOyQOXFQBkJyn8uBIe4ZaX5ZsyxBgFnOjn8ree/G4Loqb /B/x7D/dswBR4A6kIL7+K/X7lr8GKR6idb8zYbld3f1Z8TDIpkkbQ6kqjwJppYdf ep2QTuVLEs7orkeC+UWQzuwb1PoQkWDwGDlbO7t1bdjLIxyawgeP/6LIACMQXTS1 WzJ9rfPQIzsgpfVogep4dIKfVov9MP+ZN0XswoWMhS9v5jfnSyo/e8JgWzy6sQID AQABo1AwTjAdBgNVHQ4EFgQU8Rc0HOZLkQwl/hBeVHJWS1LdrnAwHwYDVR0jBBgw FoAU8Rc0HOZLkQwl/hBeVHJWS1LdrnAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B AQUFAAOCAQEAXbH80nx5NRPoatP+579aapGGAO1+8EmTz6jSVGJq6cRKrK/aiol+ PQ9M75VLj29ohP56XBqflIYpJQmwWLXZW/uhT8Tc3lFHJRvRHtS16L1TBLElZZGo 945fFzU22CnZSn3o6fvWgqgC6/YCacCxRkaKsfPMl7enfnQ2WBZQDV9KfAo+aNu8 mzXVXubAdlk45NqwQ6SFTaG0vK6+bumantzWUgQBXZ3MmM3hcn507uLx92mSQ6EQ KsB/GXdB2HYgUebTAllbQpGUgAnM3BQWbdLLqc0+YUwYd8063qgCFnJsXCgUa0rF +5bb9LTl/JwKR4Xw4YTvtPQMJ86/ADWxGQ==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>
An example error is below:
2014-05-28 10:33:26,230 TRACE [org.picketlink.identity.federation] (http-/10.7.25.151:8080-1) Final attribute map size: 6
2014-05-28 10:33:26,230 TRACE [org.picketlink.identity.federation] (http-/10.7.25.151:8080-1) Handlers are=[org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler@4bd9398a, org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1f81733a, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@a83aa68, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@1dd658e9, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler@4aa2b22e, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler@260956]
2014-05-28 10:33:26,230 TRACE [org.picketlink.identity.federation] (http-/10.7.25.151:8080-1) Domains that IDP trusts = samlsp01.intranet.dev.int.devlab.redhat.com,gitlab01.intranet.dev.int.phx1.redhat.com,samlsp02.intranet.dev.int.devlab.redhat.com,vkumar-sp.devlab.phx1.redhat.com,am-qa-internal.devlab.redhat.com,ams-mpatercz.devlab.redhat.com,vkumar.devlab.redhat.com,projects01.code.deveis.devlab.phx1.redhat.com,dmtest.int-idp.dev.ext.devlab.redhat.com and issuer domain = dmtest.int-idp.dev.ext.devlab.redhat.com
2014-05-28 10:33:26,230 ERROR [org.picketlink.identity.federation] (http-/10.7.25.151:8080-1) PLFED000253: Exception in processing request: java.lang.NullPointerException
	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$IDPAuthenticationHandler.handleRequestType(SAML2AuthenticationHandler.java:172) [picketlink-core.jar:2.1.9.SP2]
	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleRequestType(SAML2AuthenticationHandler.java:124) [picketlink-core.jar:2.1.9.SP2]
	at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:730) [picketlink-jbas7.jar:2.1.9.SP2]
	at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:329) [picketlink-jbas7.jar:2.1.9.SP2]
	at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:284) [picketlink-jbas7.jar:2.1.9.SP2]
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb.jar:7.3.0.Final]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web.jar:7.3.1.Final-redhat-4]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb.jar:7.3.0.Final]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb.jar:7.3.0.Final]
	at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:356) [jboss-as-web.jar:7.3.1.Final-redhat-4]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb.jar:7.3.0.Final]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb.jar:7.3.0.Final]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb.jar:7.3.0.Final]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb.jar:7.3.0.Final]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb.jar:7.3.0.Final]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
2014-05-28 10:33:26,232 TRACE [org.picketlink.identity.federation] (http-/10.7.25.151:8080-1) SAML Response Document: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_e66a293f-b278-4733-a4e3-002bb2ecb496" Version="2.0" IssueInstant="2014-05-28T14:33:26.231Z"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></samlp:Status></samlp:Response>
2014-05-28 10:33:26,235 TRACE [org.picketlink.identity.federation] (http-/10.7.25.151:8080-1) Document to be signed=<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_e66a293f-b278-4733-a4e3-002bb2ecb496" IssueInstant="2014-05-28T14:33:26.231Z" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></samlp:Status></samlp:Response>
2014-05-28 10:33:26,235 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (http-/10.7.25.151:8080-1) Marshalling Reference
2014-05-28 10:33:26,235 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (http-/10.7.25.151:8080-1) Adding digestValueElem
2014-05-28 10:33:26,236 DEBUG [org.apache.xml.security.utils.resolver.ResourceResolver] (http-/10.7.25.151:8080-1) check resolvability by class org.apache.xml.security.utils.resolver.ResourceResolver
2014-05-28 10:33:26,236 DEBUG [org.apache.xml.security.utils.resolver.implementations.ResolverFragment] (http-/10.7.25.151:8080-1) State I can resolve reference: "#ID_e66a293f-b278-4733-a4e3-002bb2ecb496"
2014-05-28 10:33:26,236 DEBUG [org.apache.xml.security.utils.resolver.implementations.ResolverFragment] (http-/10.7.25.151:8080-1) Try to catch an Element with ID ID_e66a293f-b278-4733-a4e3-002bb2ecb496 and Element was [samlp:Response: null]
2014-05-28 10:33:26,236 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (http-/10.7.25.151:8080-1) URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer
2014-05-28 10:33:26,236 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (http-/10.7.25.151:8080-1) Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData
2014-05-28 10:33:26,236 DEBUG [org.apache.xml.security.transforms.Transform] (http-/10.7.25.151:8080-1) Create URI "http://www.w3.org/2000/09/xmldsig#enveloped-signature" class "class org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature"
2014-05-28 10:33:26,236 DEBUG [org.apache.xml.security.transforms.Transform] (http-/10.7.25.151:8080-1) The NodeList is [dsig:Transform: null]
2014-05-28 10:33:26,236 DEBUG [org.apache.xml.security.utils.ElementProxy] (http-/10.7.25.151:8080-1) setElement(dsig:Transform, "null"
2014-05-28 10:33:26,236 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheTransform] (http-/10.7.25.151:8080-1) Created transform for algorithm: http://www.w3.org/2000/09/xmldsig#enveloped-signature
2014-05-28 10:33:26,237 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheTransform] (http-/10.7.25.151:8080-1) ApacheData = true
2014-05-28 10:33:26,237 DEBUG [org.apache.xml.security.transforms.Transform] (http-/10.7.25.151:8080-1) Create URI "http://www.w3.org/2001/10/xml-exc-c14n#" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive"
2014-05-28 10:33:26,237 DEBUG [org.apache.xml.security.transforms.Transform] (http-/10.7.25.151:8080-1) The NodeList is [dsig:Transform: null]
2014-05-28 10:33:26,237 DEBUG [org.apache.xml.security.utils.ElementProxy] (http-/10.7.25.151:8080-1) setElement(dsig:Transform, "null"
2014-05-28 10:33:26,237 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer] (http-/10.7.25.151:8080-1) Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
2014-05-28 10:33:26,238 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer] (http-/10.7.25.151:8080-1) ApacheData = true
2014-05-28 10:33:26,238 DEBUG [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] (http-/10.7.25.151:8080-1) Pre-digested input:
2014-05-28 10:33:26,249 DEBUG [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] (http-/10.7.25.151:8080-1) <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="ID_e66a293f-b278-4733-a4e3-002bb2ecb496" IssueInstant="2014-05-28T14:33:26.231Z" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"></samlp:StatusCode></samlp:Status></samlp:Response>
2014-05-28 10:33:26,249 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (http-/10.7.25.151:8080-1) Reference object uri = #ID_e66a293f-b278-4733-a4e3-002bb2ecb496
2014-05-28 10:33:26,249 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (http-/10.7.25.151:8080-1) Reference digesting completed
2014-05-28 10:33:26,249 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod] (http-/10.7.25.151:8080-1) Signature provider:SunRsaSign version 1.7
2014-05-28 10:33:26,251 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod] (http-/10.7.25.151:8080-1) Signing with key: sun.security.rsa.RSAPrivateCrtKeyImpl@ffe4b831
2014-05-28 10:33:26,251 DEBUG [org.apache.xml.security.transforms.Transform] (http-/10.7.25.151:8080-1) Create URI "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusiveWithComments"
2014-05-28 10:33:26,251 DEBUG [org.apache.xml.security.transforms.Transform] (http-/10.7.25.151:8080-1) The NodeList is [dsig:CanonicalizationMethod: null]
2014-05-28 10:33:26,251 DEBUG [org.apache.xml.security.utils.ElementProxy] (http-/10.7.25.151:8080-1) setElement(dsig:CanonicalizationMethod, "null"
2014-05-28 10:33:26,251 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer] (http-/10.7.25.151:8080-1) Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#WithComments
2014-05-28 10:33:26,251 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer] (http-/10.7.25.151:8080-1) isNodeSet() = true
2014-05-28 10:33:26,252 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (http-/10.7.25.151:8080-1) Canonicalized SignedInfo:
2014-05-28 10:33:26,252 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (http-/10.7.25.151:8080-1) <dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"></dsig:CanonicalizationMethod><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:SignatureMethod><dsig:Reference URI="#ID_e66a293f-b278-4733-a4e3-002bb2ecb496"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></dsig:Transform><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>BaELWlSHKxtQ6nZE0rTQ7KeqLRw=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo>
2014-05-28 10:33:26,252 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (http-/10.7.25.151:8080-1) Data to be signed/verified:
2014-05-28 10:33:26,268 INFO [stdout] (http-/10.7.25.151:8080-1) java.lang.NullPointerException
More info and possible patches:
https://community.jboss.org/thread/212244
https://code.google.com/p/modmellon/issues/detail?id=27
https://code.google.com/p/modmellon/issues/detail?id=28