[jboss-jira] [JBoss JIRA] Closed: (JBID-233) NPE on missing SAML token when calling a saml-secured WS
Stefan Guilhen (JIRA)
jira-events at lists.jboss.org
Thu Jan 7 15:00:31 EST 2010
[ https://jira.jboss.org/jira/browse/JBID-233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Guilhen closed JBID-233.
-------------------------------
Resolution: Done
I have fixed the NPEs in StandardRequestHandler by checking the targets (cancel/renew/validate) for null values. If a require target is null, a more appropriate exception is thrown.
Tests that verify if STS responds with the expected exceptions when invalid requests are made have also been added.
> NPE on missing SAML token when calling a saml-secured WS
> --------------------------------------------------------
>
> Key: JBID-233
> URL: https://jira.jboss.org/jira/browse/JBID-233
> Project: JBoss Identity
> Issue Type: Bug
> Components: Identity-Federation
> Affects Versions: IDFED-1.0.0.GA
> Environment: SOA-P 5.0 ER6, ESB 4.7
> Reporter: Martin Vecera
> Assignee: Stefan Guilhen
> Attachments: security_saml_token.tar.bz2
>
>
> When there is a web service secured using handler chain and org.picketlink.identity.federation.core.wstrust.handlers.STSSaml20Handler and the token (<Assertion ... />) is missing a NPE is thrown.
> Some security exception like when the token is broken should be thrown.
> The attached reproducer is a quickstart example for ESB 4.7 (should be installed in samples/quickstart directory and executed using ant deploy, ant runtest).
> The exception now is:
> 15:39:52,332 ERROR [SOAPFaultHelperJAXWS] SOAP request exception
> java.lang.NullPointerException
> at org.picketlink.identity.federation.core.wstrust.StandardRequestHandler.validate(StandardRequestHandler.java:377)
> at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.handleTokenRequest(PicketLinkSTS.java:150)
> at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:90)
> at sun.reflect.GeneratedMethodAccessor602.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.jboss.wsf.container.jboss50.invocation.InvocationHandlerJSE.invoke(InvocationHandlerJSE.java:108)
> at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:221)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:468)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:293)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:203)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:129)
> at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
> at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
> at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
> at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> at java.lang.Thread.run(Thread.java:619)
> It should be something like:
> 15:35:10,652 ERROR [HandlerChainExecutor] Exception during handler processing
> javax.xml.ws.WebServiceException: Could not validate security token org.jboss.ws.core.soap.SOAPElementImpl at 5fa7bb73[[Assertion: null]]
> at org.picketlink.identity.federation.core.wstrust.handlers.STSSecurityHandler.handleMessage(STSSecurityHandler.java:186)
> at org.picketlink.identity.federation.core.wstrust.handlers.STSSecurityHandler.handleMessage(STSSecurityHandler.java:112)
> at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:305)
> at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:142)
> at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
> at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:124)
> at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:199)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:468)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:293)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:203)
> at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:129)
> at org.jboss.soa.esb.actions.soap.SOAPProcessor.process(SOAPProcessor.java:187)
> at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:634)
> at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.access$000(ActionProcessingPipeline.java:84)
> at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1006)
> at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1003)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:454)
> at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:573)
> at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:419)
> at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:540)
> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:619)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list