Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?
by Adam Dong
Hi,
Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app's META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ?
<Context>
<Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
</Context>
I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in.
java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561)
at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637)
at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599)
at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
I tried with Tomcat 6 and the valve didn't get pulled in the request path, just as if it were not there.
Any experience or idea ?
Thanks,
Adam Dong
10 years, 2 months
PicketLink 2.7 and XXE
by Benjamin Bentmann
Hi,
a couple days back [0], I noticed that PicketLink 2.7.0.Beta1 was
released but seems to miss changes to its DocumentUtil to disable entity
expansion as done for e.g. the 2.6.x branch.
I'm not sure whether my Github comment reached anybody so I figured I
make another attempt via this channel to ensure the potential issue
doesn't fall through the cracks.
Bye,
Benjamin
[0]
https://github.com/picketlink/picketlink/commit/e81bf14ea6dbbc1570b79f44f...
10 years, 3 months
About keeping SPFilter more up-to-date
by Adam Dong
Hi, guys,
The current SPFilter doesn't support
1. signing AuthnRequest
2. decrypting Assertion NameID (it seems to support validating assertion signature, but I didn't get that far yet)
3. loading/understanding the standard IDP metadata file (example below).
Is my understanding above correct ?
The reason I'm using the filter and not the valve is because I have to support web containers other than JBoss.
If I need those three things, should I go ahead and code them myself (and after testing, I could contribute back to the community, with the permission of my company) ?
Or is there effort already under-way ?
Or better yet, these are already done and ready to be shared ?
Thanks for any feed back.
Adam Dong
---------------------------------------- example IDP metadata file --------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="true"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.ssocircle.com">
-<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
-<KeyDescriptor use="signing">
-<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-<ds:X509Data>
<ds:X509Certificate> MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1NzIxWhcNMTYwODE3MTk1NzIx WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/ aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78 fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62 2Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJKoZIhvcNAQEEBQADggEB AJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YUcza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5 tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVgyyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6 ZecUz6N24sSS7itEBC6nwCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBn cYJn9NgNi3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJssDgak eL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q= </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
-<KeyDescriptor use="encryption">
-<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-<ds:X509Data>
<ds:X509Certificate> MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1NzIxWhcNMTYwODE3MTk1NzIx WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/ aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78 fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62 2Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJKoZIhvcNAQEEBQADggEB AJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YUcza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5 tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVgyyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6 ZecUz6N24sSS7itEBC6nwCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBn cYJn9NgNi3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJssDgak eL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q= </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
-<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
</EncryptionMethod>
</KeyDescriptor>
<ArtifactResolutionService Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true" index="0"/>
<SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
<SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
<SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"/>
<ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniPOSTmetaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle"/>
<ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
<SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<NameIDMappingService Location="https://idp.ssocircle.com:443/sso/NIMSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
</IDPSSODescriptor>
</EntityDescriptor>
10 years, 3 months
