From asyd at asyd.net Mon Sep 1 18:53:13 2014 From: asyd at asyd.net (Bruno Bonfils) Date: Tue, 2 Sep 2014 00:53:13 +0200 Subject: [security-dev] GLO Logout URL Message-ID: <20140901225313.GA30790@gendo.asyd.net> Hello, I'm working on integration between PicketLink (as SP) and OpenAM (as IdP), using the picketlink-federation-saml-sp-with-metadata example. While I succedeed to get login working, when I click on the Logout link, I'm redirected to the SingleSignOnService URL (with a logout assertion) instead of the SingleLogoutService one (see the sp-metadata.xml attachment). As you can see, the "Destination" in the LogoutRequest is correct, but the POST is send to another URL: --8<-- POST http://idp.tests.opencsi.com/openam/SSOPOST/metaAlias/example/idp HTTP/1.1 Host: idp.tests.opencsi.com --8<-- Note the SSOPOST is only referenced as SingleSignOnService in the metadata.xml I tried to read the picketlink code souce, but I'm not a java developper, so I don't understand when the getLogoutURL function of CoreConfigUtil is called! By the way, I was not able to find the code source (in git) of picketlink versions used in JBoss EAP (like the 2.5.3.SP10 used in JBoss EAP 6.3, only a 2.5.3Beta can be found in github) it doesn't help debugging! Is the tag/branch available somewhere? Thanks! -- http://www.opencsi.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: sp-metadata.xml Type: application/xml Size: 6017 bytes Desc: not available Url : http://lists.jboss.org/pipermail/security-dev/attachments/20140902/3f65f818/attachment.rdf -------------- next part -------------- http://picketlink.priv.opencsi.com:8080/sales-metadata/ ... bbonfils s22d353c174136859bd469b70e3c39292661aca101 From adamdong at vidder.com Fri Sep 5 02:17:45 2014 From: adamdong at vidder.com (Adam Dong) Date: Fri, 5 Sep 2014 06:17:45 +0000 Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> Message-ID: <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> Pedro, I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more complaint during loading of my simple one-page (index.jsp) web app with the following META-INF/context.xml: However, when I try to access my index page, there is no SAML traffic, the index page just showed up. I further tried to sub-class ServiceProviderAuthenticator with a default constructor to print out a line to show that it is instantiated. I used that class as the valve. The log did prove that the valve is instantiated during loading time. But an access to the web app (well, just the index page) didn't cause any SAML interaction at all. So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to be used ? Thanks, Adam PS: I examined the source code for ServiceProviderAuthenticator, its parent AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to see the implemention of invoke(request, response) method with similar logic as in SPFilter's doFilter(request, response) method. But neither of the 3 classes implement invoke(...) method, why is that ? How does SAML processing come into the picture then ? Another general question, is picket link SAML offering widely used in commercial products ? -----Original Message----- From: Adam Dong Sent: Friday, August 29, 2014 3:00 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro Igor, Thank you so much. I will try it out and report the result back to this email group. Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 29, 2014 5:37 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi Adam, This is the right GAV: org.picketlink.distribution picketlink-tomcat7 ${picketlink.version} The picketlink-tomact7-single can not be used alone. Try to download from here: https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar Regards. Pedro Igor ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 10:18:32 PM Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got java.lang.NoClassDefFoundError: org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator And I checked, indeed AbstractSPFormAuthenticator is not in picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar. Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ? Would they be compatible ? To check the compatibility, I found the following. ServiceProviderAuthenticator.class in picketlink-tomcat7-single-2.6.0.Final.jar: 1667 Sun Jun 22 03:04:00 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class The same class in picketlink-jbas7-2.6.0.Final.jar: 978 Sun Jun 22 03:03:56 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ? Thanks, Adam Dong -----Original Message----- From: Adam Dong Sent: Wednesday, August 27, 2014 2:29 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro, The following are the jar files I put under /lib (I first put them under my web app's WEB-INF/lib directory but tomcat couldn't find them): bcprov-jdk15on-151.jar jboss-logging-3.1.0.GA.jar jboss-security-spi-4.0.18.final.jar log4j-1.2.16.jar picketlink-common-2.6.0.Final.jar picketlink-config-2.6.0.Final.jar picketlink-federation-2.6.0.Final.jar picketlink-jbas7-2.6.0.Final.jar Where do I get that jar file you mentioned ? All the picketlink related jar files I got are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is not present. Thanks, Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, August 27, 2014 1:11 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Which jar are u using ? picketlink-tomcat7-X.jar ? ----- Original Message ----- From: "Adam Dong" To: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 3:18:51 PM Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi, Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ? I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in. java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:800) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) at java.net.URLClassLoader.access$100(URLClassLoader.java:71) at java.net.URLClassLoader$1.run(URLClassLoader.java:361) at java.net.URLClassLoader$1.run(URLClassLoader.java:355) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:354) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) I tried with Tomcat 6 and the valve didn?t get pulled in the request path, just as if it were not there. Any experience or idea ? Thanks, Adam Dong _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Fri Sep 5 08:31:05 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 5 Sep 2014 08:31:05 -0400 (EDT) Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> Message-ID: <1729983233.17694524.1409920265957.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Adam Dong" > To: "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Friday, September 5, 2014 3:17:45 AM > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? > > Pedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is > no more complaint during loading of my simple one-page (index.jsp) web app > with the following META-INF/context.xml: > > className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/> > > > However, when I try to access my index page, there is no SAML traffic, the > index page just showed up. > > I further tried to sub-class ServiceProviderAuthenticator with a default > constructor to print out a line to show that it is instantiated. > I used that class as the valve. The log did prove that the valve is > instantiated during loading time. But an access to the web app (well, just > the index page) didn't cause any SAML interaction at all. > > So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator > is supposed to be used ? You are probably missing something here. Please, ping me on IRC next week so we can get this working for you. > > Thanks, > Adam > > PS: I examined the source code for ServiceProviderAuthenticator, its parent > AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I > was expecting to see the implemention of invoke(request, response) method > with similar logic as in SPFilter's doFilter(request, response) method. But > neither of the 3 classes implement invoke(...) method, why is that ? How > does SAML processing come into the picture then ? The authenticate method should be called in this case. > > Another general question, is picket link SAML offering widely used in > commercial products ? There are a plenty of use cases where PL SAML is being used. Now, most of them is based on JBoss EAP. > > > > > -----Original Message----- > From: Adam Dong > Sent: Friday, August 29, 2014 3:00 PM > To: 'Pedro Igor Silva' > Cc: security-dev at lists.jboss.org > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Pedro Igor, > > Thank you so much. I will try it out and report the result back to this email > group. > > Adam Dong > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Friday, August 29, 2014 5:37 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Hi Adam, > > This is the right GAV: > > > org.picketlink.distribution > picketlink-tomcat7 > ${picketlink.version} > > > The picketlink-tomact7-single can not be used alone. Try to download from > here: > > https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar > > Regards. > Pedro Igor > > ----- Original Message ----- > From: "Adam Dong" > To: "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Wednesday, August 27, 2014 10:18:32 PM > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, > replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got > > java.lang.NoClassDefFoundError: > org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator > > And I checked, indeed AbstractSPFormAuthenticator is not in > picketlink-tomcat7-single-2.6.0.Final.jar, but in > picketlink-jbas7-2.6.0.Final.jar. > > Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? > Should I grab those missing file from jbas7 jar file and put them into > tomcat7 jar file ? > Would they be compatible ? > > > > To check the compatibility, I found the following. > ServiceProviderAuthenticator.class in > picketlink-tomcat7-single-2.6.0.Final.jar: > 1667 Sun Jun 22 03:04:00 PDT 2014 > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class > > The same class in picketlink-jbas7-2.6.0.Final.jar: > 978 Sun Jun 22 03:03:56 PDT 2014 > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class > > > They are different. Is that correct ? Can I trust the > AbstractSPFormAuthenticator.class in jbas7 jar file to work with > ServiceProviderAuthenticator.class in tomcat7 jar file ? > > Thanks, > Adam Dong > > > -----Original Message----- > From: Adam Dong > Sent: Wednesday, August 27, 2014 2:29 PM > To: 'Pedro Igor Silva' > Cc: security-dev at lists.jboss.org > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > Pedro, > > The following are the jar files I put under /lib (I first put > them under my web app's WEB-INF/lib directory but tomcat couldn't find > them): > > bcprov-jdk15on-151.jar > jboss-logging-3.1.0.GA.jar > jboss-security-spi-4.0.18.final.jar > log4j-1.2.16.jar > picketlink-common-2.6.0.Final.jar > picketlink-config-2.6.0.Final.jar > picketlink-federation-2.6.0.Final.jar > picketlink-jbas7-2.6.0.Final.jar > > Where do I get that jar file you mentioned ? All the picketlink related jar > files I got are from picketlink-installer-2.6.0.Final.zip, and in there the > jar file you mentioned is not present. > > Thanks, > Adam Dong > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Wednesday, August 27, 2014 1:11 PM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Which jar are u using ? picketlink-tomcat7-X.jar ? > > > > ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Wednesday, August 27, 2014 3:18:51 PM > Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly > instead of in Jboss ? > > > > Hi, > > > > Any previous successful usage of putting ServiceProviderAuthenticator as a > Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below > (as opposed to adding it in jboss-web.xml on Jboss) ? > > > > > > className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/> > > > > > > > > I tried with Tomcat 7 and get some complaints (see below) about > ServiceProviderAuthenticator overriding final method start()but the valve > seemed being pulled in. > > > > java.lang.VerifyError: class > org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator > overrides final method start.()V > > at java.lang.ClassLoader.defineClass1(Native Method) > > at java.lang.ClassLoader.defineClass(ClassLoader.java:800) > > at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) > > at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) > > at java.net.URLClassLoader.access$100(URLClassLoader.java:71) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:361) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:355) > > at java.security.AccessController.doPrivileged(Native Method) > > at java.net.URLClassLoader.findClass(URLClassLoader.java:354) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:425) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:358) > > at > org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) > > at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) > > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) > > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) > > at > com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) > > at > com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) > > at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) > > at > org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) > > at > org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) > > at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) > > at > org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) > > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) > > at > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) > > at > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) > > at > org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > at java.lang.Thread.run(Thread.java:745) > > > > I tried with Tomcat 6 and the valve didn?t get pulled in the request path, > just as if it were not there. > > > > Any experience or idea ? > > > > Thanks, > > Adam Dong > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > From mcirioli at redhat.com Sat Sep 6 11:04:34 2014 From: mcirioli at redhat.com (Michael Cirioli) Date: Sat, 6 Sep 2014 11:04:34 -0400 (EDT) Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> Message-ID: <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> Adam , One thing you might check is if your security domain is properly configured and you have the correct security constraints applied in web.xml for.your index.jsp.? if you have questions let me know and I can dig up some examples for you. -mike cirioli On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > Pedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now therePedro, I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more complaint during loading of my simple one-page (index.jsp) web app with the following META-INF/context.xml: However, when I try to access my index page, there is no SAML traffic, the index page just showed up. I further tried to sub-class ServiceProviderAuthenticator with a default constructor to print out a line to show that it is instantiated. I used that class as the valve. The log did prove that the valve is instantiated during loading time. But an access to the web app (well, just the index page) didn't cause any SAML interaction at all. So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to be used ? Thanks, Adam PS: I examined the source code for ServiceProviderAuthenticator, its parent AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to see the implemention of invoke(request, response) method with similar logic as in SPFilter's doFilter(request, response) method. But neither of the 3 classes implement invoke(...) method, why is that ? How does SAML processing come into the picture then ? Another general question, is picket link SAML offering widely used in commercial products ? -----Original Message----- From: Adam Dong Sent: Friday, August 29, 2014 3:00 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro Igor, Thank you so much. I will try it out and report the result back to this email group. Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 29, 2014 5:37 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi Adam, This is the right GAV: org.picketlink.distribution picketlink-tomcat7 ${picketlink.version} The picketlink-tomact7-single can not be used alone. Try to download from here: https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar Regards. Pedro Igor ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 10:18:32 PM Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got java.lang.NoClassDefFoundError: org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator And I checked, indeed AbstractSPFormAuthenticator is not in picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar. Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ? Would they be compatible ? To check the compatibility, I found the following. ServiceProviderAuthenticator.class in picketlink-tomcat7-single-2.6.0.Final.jar: 1667 Sun Jun 22 03:04:00 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class The same class in picketlink-jbas7-2.6.0.Final.jar: 978 Sun Jun 22 03:03:56 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ? Thanks, Adam Dong -----Original Message----- From: Adam Dong Sent: Wednesday, August 27, 2014 2:29 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro, The following are the jar files I put under /lib (I first put them under my web app's WEB-INF/lib directory but tomcat couldn't find them): bcprov-jdk15on-151.jar jboss-logging-3.1.0.GA.jar jboss-security-spi-4.0.18.final.jar log4j-1.2.16.jar picketlink-common-2.6.0.Final.jar picketlink-config-2.6.0.Final.jar picketlink-federation-2.6.0.Final.jar picketlink-jbas7-2.6.0.Final.jar Where do I get that jar file you mentioned ? All the picketlink related jar files I got are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is not present. Thanks, Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, August 27, 2014 1:11 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Which jar are u using ? picketlink-tomcat7-X.jar ? ----- Original Message ----- From: "Adam Dong" To: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 3:18:51 PM Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi, Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ? I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in. java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:800) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) at java.net.URLClassLoader.access$100(URLClassLoader.java:71) at java.net.URLClassLoader$1.run(URLClassLoader.java:361) at java.net.URLClassLoader$1.run(URLClassLoader.java:355) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:354) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) I tried with Tomcat 6 and the valve didn?t get pulled in the request path, just as if it were not there. Any experience or idea ? Thanks, Adam Dong _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From adamdong at vidder.com Mon Sep 8 15:15:23 2014 From: adamdong at vidder.com (Adam Dong) Date: Mon, 8 Sep 2014 19:15:23 +0000 Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> Message-ID: <32fec9836d92435ab18d48e25f0b06d5@BY2PR0401MB0934.namprd04.prod.outlook.com> Thanks a lot Mike. That is exactly what I'm missing. Now the valve is working. The next problem is how to configure/pull in my own Role Validator whose useInRole() method just returns true, as opposed to using DefaultRoleValidator. With SPFilter, I could just add an init-parameter to pull in my own role validator : SPFilter org.picketlink.identity.federation.web.filters.SPFilter ROLE_VALIDATOR MyRoleValidator But with ServiceProviderAuthenticator (as a valve), I didn't find a way to do this. Any idea ? Thanks, Adam -----Original Message----- From: Michael Cirioli [mailto:mcirioli at redhat.com] Sent: Saturday, September 06, 2014 8:05 AM To: Adam Dong Cc: security-dev at lists.jboss.org; Pedro Igor Silva Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Adam , One thing you might check is if your security domain is properly configured and you have the correct security constraints applied in web.xml for.your index.jsp.? if you have questions let me know and I can dig up some examples for you. -mike cirioli On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > Pedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now therePedro, I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more complaint during loading of my simple one-page (index.jsp) web app with the following META-INF/context.xml: However, when I try to access my index page, there is no SAML traffic, the index page just showed up. I further tried to sub-class ServiceProviderAuthenticator with a default constructor to print out a line to show that it is instantiated. I used that class as the valve. The log did prove that the valve is instantiated during loading time. But an access to the web app (well, just the index page) didn't cause any SAML interaction at all. So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to be used ? Thanks, Adam PS: I examined the source code for ServiceProviderAuthenticator, its parent AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to see the implemention of invoke(request, response) method with similar logic as in SPFilter's doFilter(request, response) method. But neither of the 3 classes implement invoke(...) method, why is that ? How does SAML processing come into the picture then ? Another general question, is picket link SAML offering widely used in commercial products ? -----Original Message----- From: Adam Dong Sent: Friday, August 29, 2014 3:00 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro Igor, Thank you so much. I will try it out and report the result back to this email group. Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 29, 2014 5:37 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi Adam, This is the right GAV: org.picketlink.distribution picketlink-tomcat7 ${picketlink.version} The picketlink-tomact7-single can not be used alone. Try to download from here: https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar Regards. Pedro Igor ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 10:18:32 PM Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got java.lang.NoClassDefFoundError: org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator And I checked, indeed AbstractSPFormAuthenticator is not in picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar. Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ? Would they be compatible ? To check the compatibility, I found the following. ServiceProviderAuthenticator.class in picketlink-tomcat7-single-2.6.0.Final.jar: 1667 Sun Jun 22 03:04:00 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class The same class in picketlink-jbas7-2.6.0.Final.jar: 978 Sun Jun 22 03:03:56 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ? Thanks, Adam Dong -----Original Message----- From: Adam Dong Sent: Wednesday, August 27, 2014 2:29 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro, The following are the jar files I put under /lib (I first put them under my web app's WEB-INF/lib directory but tomcat couldn't find them): bcprov-jdk15on-151.jar jboss-logging-3.1.0.GA.jar jboss-security-spi-4.0.18.final.jar log4j-1.2.16.jar picketlink-common-2.6.0.Final.jar picketlink-config-2.6.0.Final.jar picketlink-federation-2.6.0.Final.jar picketlink-jbas7-2.6.0.Final.jar Where do I get that jar file you mentioned ? All the picketlink related jar files I got are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is not present. Thanks, Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, August 27, 2014 1:11 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Which jar are u using ? picketlink-tomcat7-X.jar ? ----- Original Message ----- From: "Adam Dong" To: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 3:18:51 PM Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi, Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ? I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in. java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:800) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) at java.net.URLClassLoader.access$100(URLClassLoader.java:71) at java.net.URLClassLoader$1.run(URLClassLoader.java:361) at java.net.URLClassLoader$1.run(URLClassLoader.java:355) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:354) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) I tried with Tomcat 6 and the valve didn?t get pulled in the request path, just as if it were not there. Any experience or idea ? Thanks, Adam Dong _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From adamdong at vidder.com Mon Sep 8 15:16:40 2014 From: adamdong at vidder.com (Adam Dong) Date: Mon, 8 Sep 2014 19:16:40 +0000 Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> Message-ID: <81d0ad242de048809fb22603003028f7@BY2PR0401MB0934.namprd04.prod.outlook.com> Thanks a lot Mike. That is exactly what I'm missing. Now the valve is working. The next problem is how to configure/pull in my own Role Validator whose useInRole() method just returns true, as opposed to using DefaultRoleValidator. With SPFilter, I could just add an init-parameter to pull in my own role validator : SPFilter org.picketlink.identity.federation.web.filters.SPFilter ROLE_VALIDATOR MyRoleValidator But with ServiceProviderAuthenticator (as a valve), I didn't find a way to do this. Any idea ? Thanks, Adam -----Original Message----- From: Michael Cirioli [mailto:mcirioli at redhat.com] Sent: Saturday, September 06, 2014 8:05 AM To: Adam Dong Cc: security-dev at lists.jboss.org; Pedro Igor Silva Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Adam , One thing you might check is if your security domain is properly configured and you have the correct security constraints applied in web.xml for.your index.jsp.? if you have questions let me know and I can dig up some examples for you. -mike cirioli On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > Pedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now therePedro, I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more complaint during loading of my simple one-page (index.jsp) web app with the following META-INF/context.xml: However, when I try to access my index page, there is no SAML traffic, the index page just showed up. I further tried to sub-class ServiceProviderAuthenticator with a default constructor to print out a line to show that it is instantiated. I used that class as the valve. The log did prove that the valve is instantiated during loading time. But an access to the web app (well, just the index page) didn't cause any SAML interaction at all. So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to be used ? Thanks, Adam PS: I examined the source code for ServiceProviderAuthenticator, its parent AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to see the implemention of invoke(request, response) method with similar logic as in SPFilter's doFilter(request, response) method. But neither of the 3 classes implement invoke(...) method, why is that ? How does SAML processing come into the picture then ? Another general question, is picket link SAML offering widely used in commercial products ? -----Original Message----- From: Adam Dong Sent: Friday, August 29, 2014 3:00 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro Igor, Thank you so much. I will try it out and report the result back to this email group. Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 29, 2014 5:37 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi Adam, This is the right GAV: org.picketlink.distribution picketlink-tomcat7 ${picketlink.version} The picketlink-tomact7-single can not be used alone. Try to download from here: https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar Regards. Pedro Igor ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 10:18:32 PM Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got java.lang.NoClassDefFoundError: org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator And I checked, indeed AbstractSPFormAuthenticator is not in picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar. Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ? Would they be compatible ? To check the compatibility, I found the following. ServiceProviderAuthenticator.class in picketlink-tomcat7-single-2.6.0.Final.jar: 1667 Sun Jun 22 03:04:00 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class The same class in picketlink-jbas7-2.6.0.Final.jar: 978 Sun Jun 22 03:03:56 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ? Thanks, Adam Dong -----Original Message----- From: Adam Dong Sent: Wednesday, August 27, 2014 2:29 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro, The following are the jar files I put under /lib (I first put them under my web app's WEB-INF/lib directory but tomcat couldn't find them): bcprov-jdk15on-151.jar jboss-logging-3.1.0.GA.jar jboss-security-spi-4.0.18.final.jar log4j-1.2.16.jar picketlink-common-2.6.0.Final.jar picketlink-config-2.6.0.Final.jar picketlink-federation-2.6.0.Final.jar picketlink-jbas7-2.6.0.Final.jar Where do I get that jar file you mentioned ? All the picketlink related jar files I got are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is not present. Thanks, Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, August 27, 2014 1:11 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Which jar are u using ? picketlink-tomcat7-X.jar ? ----- Original Message ----- From: "Adam Dong" To: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 3:18:51 PM Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi, Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ? I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in. java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:800) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) at java.net.URLClassLoader.access$100(URLClassLoader.java:71) at java.net.URLClassLoader$1.run(URLClassLoader.java:361) at java.net.URLClassLoader$1.run(URLClassLoader.java:355) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:354) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) I tried with Tomcat 6 and the valve didn?t get pulled in the request path, just as if it were not there. Any experience or idea ? Thanks, Adam Dong _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Mon Sep 15 18:17:35 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 15 Sep 2014 18:17:35 -0400 (EDT) Subject: [security-dev] PicketLink 2.7.0.Beta2 In-Reply-To: <1002368190.22979070.1410818360047.JavaMail.zimbra@redhat.com> Message-ID: <485301934.22999699.1410819455653.JavaMail.zimbra@redhat.com> Hi All, PicketLink 2.7.0.Beta2 has been released. More details at http://picketlink.org/news/2014/09/15/Release-2/. Basically, bug fixes and minor improvements. Regards. Pedro Igor From adamdong at vidder.com Wed Sep 17 20:59:11 2014 From: adamdong at vidder.com (Adam Dong) Date: Thu, 18 Sep 2014 00:59:11 +0000 Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> Message-ID: Just to follow up on this: I worked around this problem by using wild card as role name in for my app: * Separately, there is a potential bug: in the quick start examples having a key store, the key pair in the store expired already: Valid from: Thu Jan 15 08:54:42 PST 2009 until: Wed Apr 15 09:54:42 PDT 2009 But xml signing and validation for assertion are still successful during SP and IDP exchanging SAML requests/responses. Should I file a bug ? By the way, I filed another bug (with the possible solution code) about two weeks ago: PLINK-567: SAML2AttributeHandler couldn't handle multiple attribute elements with the same attribute name Which release would have the fix ? Thanks, Adam Dong -----Original Message----- From: Adam Dong Sent: Monday, September 08, 2014 12:16 PM To: 'Michael Cirioli' Cc: security-dev at lists.jboss.org; Pedro Igor Silva Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Thanks a lot Mike. That is exactly what I'm missing. Now the valve is working. The next problem is how to configure/pull in my own Role Validator whose useInRole() method just returns true, as opposed to using DefaultRoleValidator. With SPFilter, I could just add an init-parameter to pull in my own role validator : SPFilter org.picketlink.identity.federation.web.filters.SPFilter ROLE_VALIDATOR MyRoleValidator But with ServiceProviderAuthenticator (as a valve), I didn't find a way to do this. Any idea ? Thanks, Adam -----Original Message----- From: Michael Cirioli [mailto:mcirioli at redhat.com] Sent: Saturday, September 06, 2014 8:05 AM To: Adam Dong Cc: security-dev at lists.jboss.org; Pedro Igor Silva Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Adam , One thing you might check is if your security domain is properly configured and you have the correct security constraints applied in web.xml for.your index.jsp.? if you have questions let me know and I can dig up some examples for you. -mike cirioli On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > Pedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now therePedro, I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more complaint during loading of my simple one-page (index.jsp) web app with the following META-INF/context.xml: However, when I try to access my index page, there is no SAML traffic, the index page just showed up. I further tried to sub-class ServiceProviderAuthenticator with a default constructor to print out a line to show that it is instantiated. I used that class as the valve. The log did prove that the valve is instantiated during loading time. But an access to the web app (well, just the index page) didn't cause any SAML interaction at all. So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to be used ? Thanks, Adam PS: I examined the source code for ServiceProviderAuthenticator, its parent AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to see the implemention of invoke(request, response) method with similar logic as in SPFilter's doFilter(request, response) method. But neither of the 3 classes implement invoke(...) method, why is that ? How does SAML processing come into the picture then ? Another general question, is picket link SAML offering widely used in commercial products ? -----Original Message----- From: Adam Dong Sent: Friday, August 29, 2014 3:00 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro Igor, Thank you so much. I will try it out and report the result back to this email group. Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 29, 2014 5:37 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi Adam, This is the right GAV: org.picketlink.distribution picketlink-tomcat7 ${picketlink.version} The picketlink-tomact7-single can not be used alone. Try to download from here: https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar Regards. Pedro Igor ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 10:18:32 PM Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got java.lang.NoClassDefFoundError: org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator And I checked, indeed AbstractSPFormAuthenticator is not in picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar. Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ? Would they be compatible ? To check the compatibility, I found the following. ServiceProviderAuthenticator.class in picketlink-tomcat7-single-2.6.0.Final.jar: 1667 Sun Jun 22 03:04:00 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class The same class in picketlink-jbas7-2.6.0.Final.jar: 978 Sun Jun 22 03:03:56 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ? Thanks, Adam Dong -----Original Message----- From: Adam Dong Sent: Wednesday, August 27, 2014 2:29 PM To: 'Pedro Igor Silva' Cc: security-dev at lists.jboss.org Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Pedro, The following are the jar files I put under /lib (I first put them under my web app's WEB-INF/lib directory but tomcat couldn't find them): bcprov-jdk15on-151.jar jboss-logging-3.1.0.GA.jar jboss-security-spi-4.0.18.final.jar log4j-1.2.16.jar picketlink-common-2.6.0.Final.jar picketlink-config-2.6.0.Final.jar picketlink-federation-2.6.0.Final.jar picketlink-jbas7-2.6.0.Final.jar Where do I get that jar file you mentioned ? All the picketlink related jar files I got are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is not present. Thanks, Adam Dong -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, August 27, 2014 1:11 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Which jar are u using ? picketlink-tomcat7-X.jar ? ----- Original Message ----- From: "Adam Dong" To: security-dev at lists.jboss.org Sent: Wednesday, August 27, 2014 3:18:51 PM Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? Hi, Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ? I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in. java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:800) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) at java.net.URLClassLoader.access$100(URLClassLoader.java:71) at java.net.URLClassLoader$1.run(URLClassLoader.java:361) at java.net.URLClassLoader$1.run(URLClassLoader.java:355) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:354) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) I tried with Tomcat 6 and the valve didn?t get pulled in the request path, just as if it were not there. Any experience or idea ? Thanks, Adam Dong _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Wed Sep 17 23:51:52 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 17 Sep 2014 23:51:52 -0400 (EDT) Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> Message-ID: <532132243.24860074.1411012312693.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Wednesday, September 17, 2014 9:59:11 PM > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? > > Just to follow up on this: I worked around this problem by using wild card as > role name in for my app: > > * > Yeah, like Michael said. That was the missing part in your config. > > Separately, there is a potential bug: in the quick start examples having a > key store, the key pair in the store expired already: > > Valid from: Thu Jan 15 08:54:42 PST 2009 until: Wed Apr 15 09:54:42 > PDT 2009 > > But xml signing and validation for assertion are still successful during SP > and IDP exchanging SAML requests/responses. > Should I file a bug ? Even though it does not impact the quickstarts, better is update them. You can open a JIRA if you want. > > By the way, I filed another bug (with the possible solution code) about two > weeks ago: > PLINK-567: SAML2AttributeHandler couldn't handle multiple attribute > elements with the same attribute name > > Which release would have the fix ? Beta2 was the best version to put this issue. We had a few SAML issues fixes in this release. But we can do that in CR1. If you have a patch, please attach it to the JIRA. > > Thanks, > Adam Dong > > -----Original Message----- > From: Adam Dong > Sent: Monday, September 08, 2014 12:16 PM > To: 'Michael Cirioli' > Cc: security-dev at lists.jboss.org; Pedro Igor Silva > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Thanks a lot Mike. That is exactly what I'm missing. Now the valve is > working. > > The next problem is how to configure/pull in my own Role Validator whose > useInRole() method just returns true, as opposed to using > DefaultRoleValidator. > > With SPFilter, I could just add an init-parameter to pull in my own role > validator : > > SPFilter > org.picketlink.identity.federation.web.filters.SPFilter > > ROLE_VALIDATOR > MyRoleValidator > > > But with ServiceProviderAuthenticator (as a valve), I didn't find a way to do > this. > > Any idea ? > > Thanks, > Adam > > -----Original Message----- > From: Michael Cirioli [mailto:mcirioli at redhat.com] > Sent: Saturday, September 06, 2014 8:05 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org; Pedro Igor Silva > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Adam , > One thing you might check is if your security domain is properly configured > and you have the correct security constraints applied in web.xml for.your > index.jsp.? if you have questions let me know and I can dig up some examples > for you. > > -mike cirioli > > On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > > > Pedro, > > > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now > > therePedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is > no more complaint during loading of my simple one-page (index.jsp) web app > with the following META-INF/context.xml: > > className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/> > > > However, when I try to access my index page, there is no SAML traffic, the > index page just showed up. > > I further tried to sub-class ServiceProviderAuthenticator with a default > constructor to print out a line to show that it is instantiated. > I used that class as the valve. The log did prove that the valve is > instantiated during loading time. But an access to the web app (well, just > the index page) didn't cause any SAML interaction at all. > > So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator > is supposed to be used ? > > Thanks, > Adam > > PS: I examined the source code for ServiceProviderAuthenticator, its parent > AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I > was expecting to see the implemention of invoke(request, response) method > with similar logic as in SPFilter's doFilter(request, response) method. But > neither of the 3 classes implement invoke(...) method, why is that ? How > does SAML processing come into the picture then ? > > Another general question, is picket link SAML offering widely used in > commercial products ? > > > > > -----Original Message----- > From: Adam Dong > Sent: Friday, August 29, 2014 3:00 PM > To: 'Pedro Igor Silva' > Cc: security-dev at lists.jboss.org > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Pedro Igor, > > Thank you so much. I will try it out and report the result back to this email > group. > > Adam Dong > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Friday, August 29, 2014 5:37 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Hi Adam, > > This is the right GAV: > > > org.picketlink.distribution > picketlink-tomcat7 > ${picketlink.version} > > > The picketlink-tomact7-single can not be used alone. Try to download from > here: > > https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar > > Regards. > Pedro Igor > > ----- Original Message ----- > From: "Adam Dong" > To: "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Wednesday, August 27, 2014 10:18:32 PM > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, > replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got > > java.lang.NoClassDefFoundError: > org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator > > And I checked, indeed AbstractSPFormAuthenticator is not in > picketlink-tomcat7-single-2.6.0.Final.jar, but in > picketlink-jbas7-2.6.0.Final.jar. > > Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? > Should I grab those missing file from jbas7 jar file and put them into > tomcat7 jar file ? > Would they be compatible ? > > > > To check the compatibility, I found the following. > ServiceProviderAuthenticator.class in > picketlink-tomcat7-single-2.6.0.Final.jar: > 1667 Sun Jun 22 03:04:00 PDT 2014 > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class > > The same class in picketlink-jbas7-2.6.0.Final.jar: > 978 Sun Jun 22 03:03:56 PDT 2014 > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class > > > They are different. Is that correct ? Can I trust the > AbstractSPFormAuthenticator.class in jbas7 jar file to work with > ServiceProviderAuthenticator.class in tomcat7 jar file ? > > Thanks, > Adam Dong > > > -----Original Message----- > From: Adam Dong > Sent: Wednesday, August 27, 2014 2:29 PM > To: 'Pedro Igor Silva' > Cc: security-dev at lists.jboss.org > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > Pedro, > > The following are the jar files I put under /lib (I first put > them under my web app's WEB-INF/lib directory but tomcat couldn't find > them): > > bcprov-jdk15on-151.jar > jboss-logging-3.1.0.GA.jar > jboss-security-spi-4.0.18.final.jar > log4j-1.2.16.jar > picketlink-common-2.6.0.Final.jar > picketlink-config-2.6.0.Final.jar > picketlink-federation-2.6.0.Final.jar > picketlink-jbas7-2.6.0.Final.jar > > Where do I get that jar file you mentioned ? All the picketlink related jar > files I got are from picketlink-installer-2.6.0.Final.zip, and in there the > jar file you mentioned is not present. > > Thanks, > Adam Dong > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Wednesday, August 27, 2014 1:11 PM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Which jar are u using ? picketlink-tomcat7-X.jar ? > > > > ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Wednesday, August 27, 2014 3:18:51 PM > Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly > instead of in Jboss ? > > > > Hi, > > > > Any previous successful usage of putting ServiceProviderAuthenticator as a > Valve in Tomcat, by adding it in a web app?s META-INF/context.xml like below > (as opposed to adding it in jboss-web.xml on Jboss) ? > > > > > > className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/> > > > > > > > > I tried with Tomcat 7 and get some complaints (see below) about > ServiceProviderAuthenticator overriding final method start()but the valve > seemed being pulled in. > > > > java.lang.VerifyError: class > org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator > overrides final method start.()V > > at java.lang.ClassLoader.defineClass1(Native Method) > > at java.lang.ClassLoader.defineClass(ClassLoader.java:800) > > at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) > > at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) > > at java.net.URLClassLoader.access$100(URLClassLoader.java:71) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:361) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:355) > > at java.security.AccessController.doPrivileged(Native Method) > > at java.net.URLClassLoader.findClass(URLClassLoader.java:354) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:425) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:358) > > at > org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) > > at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) > > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) > > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) > > at > com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) > > at > com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) > > at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) > > at > org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) > > at > org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) > > at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) > > at > org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) > > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) > > at > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) > > at > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) > > at > org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > at java.lang.Thread.run(Thread.java:745) > > > > I tried with Tomcat 6 and the valve didn?t get pulled in the request path, > just as if it were not there. > > > > Any experience or idea ? > > > > Thanks, > > Adam Dong > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev From adamdong at vidder.com Thu Sep 18 14:35:29 2014 From: adamdong at vidder.com (Adam Dong) Date: Thu, 18 Sep 2014 18:35:29 +0000 Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: <532132243.24860074.1411012312693.JavaMail.zimbra@redhat.com> References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <732618262.12677383.1409170272740.JavaMail.zimbra@redhat.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> <532132243.24860074.1411012312693.JavaMail.zimbra@redhat.com> Message-ID: See comments (preceded by [AD]) embedded below. -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, September 17, 2014 8:52 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Wednesday, September 17, 2014 9:59:11 PM > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? > > Just to follow up on this: I worked around this problem by using wild > card as role name in for my app: > > * > Yeah, like Michael said. That was the missing part in your config. > > Separately, there is a potential bug: in the quick start examples > having a key store, the key pair in the store expired already: > > Valid from: Thu Jan 15 08:54:42 PST 2009 until: Wed Apr 15 09:54:42 > PDT 2009 > > But xml signing and validation for assertion are still successful > during SP and IDP exchanging SAML requests/responses. > Should I file a bug ? Even though it does not impact the quickstarts, better is update them. You can open a JIRA if you want. [AD]: I am not only talking about updating the certificate, but also talking about the signature validation code checking the cert expiration time before using it. > > By the way, I filed another bug (with the possible solution code) > about two weeks ago: > PLINK-567: SAML2AttributeHandler couldn't handle multiple attribute > elements with the same attribute name > > Which release would have the fix ? Beta2 was the best version to put this issue. We had a few SAML issues fixes in this release. But we can do that in CR1. If you have a patch, please attach it to the JIRA. [AD]: I just put the code in the Jira ticket, didn't have time to learn how to submit a patch. > > Thanks, > Adam Dong > > -----Original Message----- > From: Adam Dong > Sent: Monday, September 08, 2014 12:16 PM > To: 'Michael Cirioli' > Cc: security-dev at lists.jboss.org; Pedro Igor Silva > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Thanks a lot Mike. That is exactly what I'm missing. Now the valve is > working. > > The next problem is how to configure/pull in my own Role Validator > whose > useInRole() method just returns true, as opposed to using > DefaultRoleValidator. > > With SPFilter, I could just add an init-parameter to pull in my own > role validator : > > SPFilter > org.picketlink.identity.federation.web.filters.SPFilter > > ROLE_VALIDATOR > MyRoleValidator > > > But with ServiceProviderAuthenticator (as a valve), I didn't find a > way to do this. > > Any idea ? > > Thanks, > Adam > > -----Original Message----- > From: Michael Cirioli [mailto:mcirioli at redhat.com] > Sent: Saturday, September 06, 2014 8:05 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org; Pedro Igor Silva > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Adam , > One thing you might check is if your security domain is properly > configured and you have the correct security constraints applied in > web.xml for.your index.jsp.? if you have questions let me know and I > can dig up some examples for you. > > -mike cirioli > > On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > > > Pedro, > > > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now > > therePedro, > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now > there is no more complaint during loading of my simple one-page > (index.jsp) web app with the following META-INF/context.xml: > > className="org.picketlink.identity.federation.bindings.tomcat.sp.Servi > ceProviderAuthenticator"/> > > > However, when I try to access my index page, there is no SAML traffic, > the index page just showed up. > > I further tried to sub-class ServiceProviderAuthenticator with a > default constructor to print out a line to show that it is instantiated. > I used that class as the valve. The log did prove that the valve is > instantiated during loading time. But an access to the web app (well, > just the index page) didn't cause any SAML interaction at all. > > So what am I missing ? Did I misunderstand how > ServiceProviderAuthenticator is supposed to be used ? > > Thanks, > Adam > > PS: I examined the source code for ServiceProviderAuthenticator, its > parent AbstractSPFormAuthenticator, and its grandparent > BaseFormAuthenticator, I was expecting to see the implemention of > invoke(request, response) method with similar logic as in SPFilter's > doFilter(request, response) method. But neither of the 3 classes > implement invoke(...) method, why is that ? How does SAML processing come into the picture then ? > > Another general question, is picket link SAML offering widely used in > commercial products ? > > > > > -----Original Message----- > From: Adam Dong > Sent: Friday, August 29, 2014 3:00 PM > To: 'Pedro Igor Silva' > Cc: security-dev at lists.jboss.org > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Pedro Igor, > > Thank you so much. I will try it out and report the result back to > this email group. > > Adam Dong > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Friday, August 29, 2014 5:37 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Hi Adam, > > This is the right GAV: > > > org.picketlink.distribution > picketlink-tomcat7 > ${picketlink.version} > > > The picketlink-tomact7-single can not be used alone. Try to download from > here: > > > https://repository.jboss.org/nexus/content/groups/public/org/picketlin > k/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0 > .Final.jar > > Regards. > Pedro Igor > > ----- Original Message ----- > From: "Adam Dong" > To: "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Wednesday, August 27, 2014 10:18:32 PM > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on > picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with > it. Now I got > > java.lang.NoClassDefFoundError: > org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAu > thenticator > > And I checked, indeed AbstractSPFormAuthenticator is not in > picketlink-tomcat7-single-2.6.0.Final.jar, but in > picketlink-jbas7-2.6.0.Final.jar. > > Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? > Should I grab those missing file from jbas7 jar file and put them into > tomcat7 jar file ? > Would they be compatible ? > > > > To check the compatibility, I found the following. > ServiceProviderAuthenticator.class in > picketlink-tomcat7-single-2.6.0.Final.jar: > 1667 Sun Jun 22 03:04:00 PDT 2014 > > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderA > uthenticator.class > > The same class in picketlink-jbas7-2.6.0.Final.jar: > 978 Sun Jun 22 03:03:56 PDT 2014 > > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderA > uthenticator.class > > > They are different. Is that correct ? Can I trust the > AbstractSPFormAuthenticator.class in jbas7 jar file to work with > ServiceProviderAuthenticator.class in tomcat7 jar file ? > > Thanks, > Adam Dong > > > -----Original Message----- > From: Adam Dong > Sent: Wednesday, August 27, 2014 2:29 PM > To: 'Pedro Igor Silva' > Cc: security-dev at lists.jboss.org > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > Pedro, > > The following are the jar files I put under /lib (I first > put them under my web app's WEB-INF/lib directory but tomcat couldn't > find > them): > > bcprov-jdk15on-151.jar > jboss-logging-3.1.0.GA.jar > jboss-security-spi-4.0.18.final.jar > log4j-1.2.16.jar > picketlink-common-2.6.0.Final.jar > picketlink-config-2.6.0.Final.jar > picketlink-federation-2.6.0.Final.jar > picketlink-jbas7-2.6.0.Final.jar > > Where do I get that jar file you mentioned ? All the picketlink > related jar files I got are from picketlink-installer-2.6.0.Final.zip, > and in there the jar file you mentioned is not present. > > Thanks, > Adam Dong > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Wednesday, August 27, 2014 1:11 PM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > Which jar are u using ? picketlink-tomcat7-X.jar ? > > > > ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Wednesday, August 27, 2014 3:18:51 PM > Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > > > Hi, > > > > Any previous successful usage of putting ServiceProviderAuthenticator > as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml > like below (as opposed to adding it in jboss-web.xml on Jboss) ? > > > > > > className="org.picketlink.identity.federation.bindings.tomcat.sp.Servi > ceProviderAuthenticator"/> > > > > > > > > I tried with Tomcat 7 and get some complaints (see below) about > ServiceProviderAuthenticator overriding final method start()but the > valve seemed being pulled in. > > > > java.lang.VerifyError: class > org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderA > uthenticator > overrides final method start.()V > > at java.lang.ClassLoader.defineClass1(Native Method) > > at java.lang.ClassLoader.defineClass(ClassLoader.java:800) > > at > java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142 > ) > > at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) > > at java.net.URLClassLoader.access$100(URLClassLoader.java:71) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:361) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:355) > > at java.security.AccessController.doPrivileged(Native Method) > > at java.net.URLClassLoader.findClass(URLClassLoader.java:354) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:425) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:358) > > at > org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRul > e.java:144) > > at > org.apache.tomcat.util.digester.Digester.startElement(Digester.java:12 > 88) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElem > ent(AbstractSAXParser.java:509) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.e > mptyElement(AbstractXMLDocumentParser.java:182) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl > .scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl > $FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XM > LDocumentScannerImpl.java:606) > > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl > .scanDocument(XMLDocumentFragmentScannerImpl.java:510) > > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XM > L11Configuration.java:848) > > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XM > L11Configuration.java:777) > > at > com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.j > ava:141) > > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Abs > tractSAXParser.java:1213) > > at > com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.pa > rse(SAXParserImpl.java:648) > > at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) > > at > org.apache.catalina.startup.ContextConfig.processContextConfig(Context > Config.java:637) > > at > org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig. > java:599) > > at > org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) > > at > org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig > .java:385) > > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycle > Support.java:117) > > at > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBas > e.java:90) > > at > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase. > java:402) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) > > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase. > java:901) > > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877 > ) > > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java > :1247) > > at > org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig. > java:1898) > > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471 > ) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j > ava:1145) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. > java:615) > > at java.lang.Thread.run(Thread.java:745) > > > > I tried with Tomcat 6 and the valve didn?t get pulled in the request > path, just as if it were not there. > > > > Any experience or idea ? > > > > Thanks, > > Adam Dong > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Thu Sep 18 15:38:22 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 18 Sep 2014 15:38:22 -0400 (EDT) Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? In-Reply-To: References: <4353f8a8c91a4704a7e6b58671be22d8@CY1PR0401MB0939.namprd04.prod.outlook.com> <415821d98f084fd18081403b3bcad1e5@BY2PR0401MB0934.namprd04.prod.outlook.com> <2050570752.13563095.1409315829957.JavaMail.zimbra@redhat.com> <439a683881dd4436b1a04615876e35c3@BY2PR0401MB0934.namprd04.prod.outlook.com> <1141415420.34055653.1410015874488.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com> <532132243.24860074.1411012312693.JavaMail.zimbra@redhat.com> Message-ID: <1718430606.25389166.1411069102136.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Adam Dong" > To: "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Thursday, September 18, 2014 3:35:29 PM > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ? > > See comments (preceded by [AD]) embedded below. > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Wednesday, September 17, 2014 8:52 PM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > directly instead of in Jboss ? > > ----- Original Message ----- > > From: "Adam Dong" > > To: security-dev at lists.jboss.org > > Sent: Wednesday, September 17, 2014 9:59:11 PM > > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > Just to follow up on this: I worked around this problem by using wild > > card as role name in for my app: > > > > * > > > > Yeah, like Michael said. That was the missing part in your config. > > > > > Separately, there is a potential bug: in the quick start examples > > having a key store, the key pair in the store expired already: > > > > Valid from: Thu Jan 15 08:54:42 PST 2009 until: Wed Apr 15 09:54:42 > > PDT 2009 > > > > But xml signing and validation for assertion are still successful > > during SP and IDP exchanging SAML requests/responses. > > Should I file a bug ? > > Even though it does not impact the quickstarts, better is update them. You > can open a JIRA if you want. > > [AD]: I am not only talking about updating the certificate, but also talking > about the signature validation code checking the cert expiration time before > using it. I don't think we need that in PL. Users should take care of it. But if you want to start a discussion on that and see what others think, you can open a JIRA and I'll handle it. > > > > > By the way, I filed another bug (with the possible solution code) > > about two weeks ago: > > PLINK-567: SAML2AttributeHandler couldn't handle multiple > > attribute > > elements with the same attribute name > > > > Which release would have the fix ? > > Beta2 was the best version to put this issue. We had a few SAML issues fixes > in this release. > > But we can do that in CR1. If you have a patch, please attach it to the JIRA. > > [AD]: I just put the code in the Jira ticket, didn't have time to learn how > to submit a patch. No problem. I appreciate. Thanks. > > > > > > Thanks, > > Adam Dong > > > > -----Original Message----- > > From: Adam Dong > > Sent: Monday, September 08, 2014 12:16 PM > > To: 'Michael Cirioli' > > Cc: security-dev at lists.jboss.org; Pedro Igor Silva > > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > Thanks a lot Mike. That is exactly what I'm missing. Now the valve is > > working. > > > > The next problem is how to configure/pull in my own Role Validator > > whose > > useInRole() method just returns true, as opposed to using > > DefaultRoleValidator. > > > > With SPFilter, I could just add an init-parameter to pull in my own > > role validator : > > > > SPFilter > > org.picketlink.identity.federation.web.filters.SPFilter > > > > ROLE_VALIDATOR > > MyRoleValidator > > > > > > But with ServiceProviderAuthenticator (as a valve), I didn't find a > > way to do this. > > > > Any idea ? > > > > Thanks, > > Adam > > > > -----Original Message----- > > From: Michael Cirioli [mailto:mcirioli at redhat.com] > > Sent: Saturday, September 06, 2014 8:05 AM > > To: Adam Dong > > Cc: security-dev at lists.jboss.org; Pedro Igor Silva > > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > Adam , > > One thing you might check is if your security domain is properly > > configured and you have the correct security constraints applied in > > web.xml for.your index.jsp.? if you have questions let me know and I > > can dig up some examples for you. > > > > -mike cirioli > > > > On Sep 5, 2014 2:18 AM, Adam Dong wrote: > > > > > > Pedro, > > > > > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now > > > therePedro, > > > > I finally had time to try that jar file on Tomcat 7 (no Jboss), now > > there is no more complaint during loading of my simple one-page > > (index.jsp) web app with the following META-INF/context.xml: > > > > > className="org.picketlink.identity.federation.bindings.tomcat.sp.Servi > > ceProviderAuthenticator"/> > > > > > > However, when I try to access my index page, there is no SAML traffic, > > the index page just showed up. > > > > I further tried to sub-class ServiceProviderAuthenticator with a > > default constructor to print out a line to show that it is instantiated. > > I used that class as the valve. The log did prove that the valve is > > instantiated during loading time. But an access to the web app (well, > > just the index page) didn't cause any SAML interaction at all. > > > > So what am I missing ? Did I misunderstand how > > ServiceProviderAuthenticator is supposed to be used ? > > > > Thanks, > > Adam > > > > PS: I examined the source code for ServiceProviderAuthenticator, its > > parent AbstractSPFormAuthenticator, and its grandparent > > BaseFormAuthenticator, I was expecting to see the implemention of > > invoke(request, response) method with similar logic as in SPFilter's > > doFilter(request, response) method. But neither of the 3 classes > > implement invoke(...) method, why is that ? How does SAML processing come > > into the picture then ? > > > > Another general question, is picket link SAML offering widely used in > > commercial products ? > > > > > > > > > > -----Original Message----- > > From: Adam Dong > > Sent: Friday, August 29, 2014 3:00 PM > > To: 'Pedro Igor Silva' > > Cc: security-dev at lists.jboss.org > > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > Pedro Igor, > > > > Thank you so much. I will try it out and report the result back to > > this email group. > > > > Adam Dong > > > > -----Original Message----- > > From: Pedro Igor Silva [mailto:psilva at redhat.com] > > Sent: Friday, August 29, 2014 5:37 AM > > To: Adam Dong > > Cc: security-dev at lists.jboss.org > > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > Hi Adam, > > > > This is the right GAV: > > > > > > org.picketlink.distribution > > picketlink-tomcat7 > > ${picketlink.version} > > > > > > The picketlink-tomact7-single can not be used alone. Try to download from > > here: > > > > > > https://repository.jboss.org/nexus/content/groups/public/org/picketlin > > k/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0 > > .Final.jar > > > > Regards. > > Pedro Igor > > > > ----- Original Message ----- > > From: "Adam Dong" > > To: "Pedro Igor Silva" > > Cc: security-dev at lists.jboss.org > > Sent: Wednesday, August 27, 2014 10:18:32 PM > > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > > > OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on > > picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with > > it. Now I got > > > > java.lang.NoClassDefFoundError: > > org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAu > > thenticator > > > > And I checked, indeed AbstractSPFormAuthenticator is not in > > picketlink-tomcat7-single-2.6.0.Final.jar, but in > > picketlink-jbas7-2.6.0.Final.jar. > > > > Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? > > Should I grab those missing file from jbas7 jar file and put them into > > tomcat7 jar file ? > > Would they be compatible ? > > > > > > > > To check the compatibility, I found the following. > > ServiceProviderAuthenticator.class in > > picketlink-tomcat7-single-2.6.0.Final.jar: > > 1667 Sun Jun 22 03:04:00 PDT 2014 > > > > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderA > > uthenticator.class > > > > The same class in picketlink-jbas7-2.6.0.Final.jar: > > 978 Sun Jun 22 03:03:56 PDT 2014 > > > > org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderA > > uthenticator.class > > > > > > They are different. Is that correct ? Can I trust the > > AbstractSPFormAuthenticator.class in jbas7 jar file to work with > > ServiceProviderAuthenticator.class in tomcat7 jar file ? > > > > Thanks, > > Adam Dong > > > > > > -----Original Message----- > > From: Adam Dong > > Sent: Wednesday, August 27, 2014 2:29 PM > > To: 'Pedro Igor Silva' > > Cc: security-dev at lists.jboss.org > > Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > > > Pedro, > > > > The following are the jar files I put under /lib (I first > > put them under my web app's WEB-INF/lib directory but tomcat couldn't > > find > > them): > > > > bcprov-jdk15on-151.jar > > jboss-logging-3.1.0.GA.jar > > jboss-security-spi-4.0.18.final.jar > > log4j-1.2.16.jar > > picketlink-common-2.6.0.Final.jar > > picketlink-config-2.6.0.Final.jar > > picketlink-federation-2.6.0.Final.jar > > picketlink-jbas7-2.6.0.Final.jar > > > > Where do I get that jar file you mentioned ? All the picketlink > > related jar files I got are from picketlink-installer-2.6.0.Final.zip, > > and in there the jar file you mentioned is not present. > > > > Thanks, > > Adam Dong > > > > -----Original Message----- > > From: Pedro Igor Silva [mailto:psilva at redhat.com] > > Sent: Wednesday, August 27, 2014 1:11 PM > > To: Adam Dong > > Cc: security-dev at lists.jboss.org > > Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > Which jar are u using ? picketlink-tomcat7-X.jar ? > > > > > > > > ----- Original Message ----- > > From: "Adam Dong" > > To: security-dev at lists.jboss.org > > Sent: Wednesday, August 27, 2014 3:18:51 PM > > Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat > > directly instead of in Jboss ? > > > > > > > > Hi, > > > > > > > > Any previous successful usage of putting ServiceProviderAuthenticator > > as a Valve in Tomcat, by adding it in a web app?s META-INF/context.xml > > like below (as opposed to adding it in jboss-web.xml on Jboss) ? > > > > > > > > > > > > > className="org.picketlink.identity.federation.bindings.tomcat.sp.Servi > > ceProviderAuthenticator"/> > > > > > > > > > > > > > > > > I tried with Tomcat 7 and get some complaints (see below) about > > ServiceProviderAuthenticator overriding final method start()but the > > valve seemed being pulled in. > > > > > > > > java.lang.VerifyError: class > > org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderA > > uthenticator > > overrides final method start.()V > > > > at java.lang.ClassLoader.defineClass1(Native Method) > > > > at java.lang.ClassLoader.defineClass(ClassLoader.java:800) > > > > at > > java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142 > > ) > > > > at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) > > > > at java.net.URLClassLoader.access$100(URLClassLoader.java:71) > > > > at java.net.URLClassLoader$1.run(URLClassLoader.java:361) > > > > at java.net.URLClassLoader$1.run(URLClassLoader.java:355) > > > > at java.security.AccessController.doPrivileged(Native Method) > > > > at java.net.URLClassLoader.findClass(URLClassLoader.java:354) > > > > at java.lang.ClassLoader.loadClass(ClassLoader.java:425) > > > > at java.lang.ClassLoader.loadClass(ClassLoader.java:358) > > > > at > > org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRul > > e.java:144) > > > > at > > org.apache.tomcat.util.digester.Digester.startElement(Digester.java:12 > > 88) > > > > at > > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElem > > ent(AbstractSAXParser.java:509) > > > > at > > com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.e > > mptyElement(AbstractXMLDocumentParser.java:182) > > > > at > > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl > > .scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) > > > > at > > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl > > $FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) > > > > at > > com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XM > > LDocumentScannerImpl.java:606) > > > > at > > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl > > .scanDocument(XMLDocumentFragmentScannerImpl.java:510) > > > > at > > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XM > > L11Configuration.java:848) > > > > at > > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XM > > L11Configuration.java:777) > > > > at > > com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.j > > ava:141) > > > > at > > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Abs > > tractSAXParser.java:1213) > > > > at > > com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.pa > > rse(SAXParserImpl.java:648) > > > > at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) > > > > at > > org.apache.catalina.startup.ContextConfig.processContextConfig(Context > > Config.java:637) > > > > at > > org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig. > > java:599) > > > > at > > org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) > > > > at > > org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig > > .java:385) > > > > at > > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycle > > Support.java:117) > > > > at > > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBas > > e.java:90) > > > > at > > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase. > > java:402) > > > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) > > > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) > > > > at > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase. > > java:901) > > > > at > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877 > > ) > > > > at > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > > > at > > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java > > :1247) > > > > at > > org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig. > > java:1898) > > > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471 > > ) > > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j > > ava:1145) > > > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. > > java:615) > > > > at java.lang.Thread.run(Thread.java:745) > > > > > > > > I tried with Tomcat 6 and the valve didn?t get pulled in the request > > path, just as if it were not there. > > > > > > > > Any experience or idea ? > > > > > > > > Thanks, > > > > Adam Dong > > > > _______________________________________________ > > security-dev mailing list > > security-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/security-dev > > > > _______________________________________________ > > security-dev mailing list > > security-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/security-dev > > > > _______________________________________________ > > security-dev mailing list > > security-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/security-dev >