This release contains a fix for audit logging not being initialized properly on requests to the DispatcherServlet when the DispatcherServlet's servlet path was not covered by the path of the SPFilter. As a result, audit logs could contain wrong information about the client's IP address, session ID, etc.
Check your configuration to see whether the DispatcherServlet is covered by the SPFilter; if it is not, apply this fix to get correct audit logs.
Example where DispatcherServlet is not covered by SPFilter:
<servlet-mapping>
    <servlet-name>DispatcherServlet</servlet-name>
    <url-pattern>/saml/*</url-pattern>
</servlet-mapping>
<filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/protected/*</url-pattern>
</filter-mapping>
Example where DispatcherServlet is covered by SPFilter:
<servlet-mapping>
    <servlet-name>DispatcherServlet</servlet-name>
    <url-pattern>/saml/*</url-pattern>
</servlet-mapping>
<filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
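To check this mechanically rather than by eye, the following added Python script (not part of OIOSAML.java) parses a web.xml and reports which DispatcherServlet url-patterns the SPFilter does not match, applying Tomcat's filter URL-matching rules; the two web.xml fragments are constructed from the examples above, and a filter-mapping that names the servlet directly is also treated as covering it.

```python
"""Report which of a servlet's url-patterns a filter does not cover.
Added example, not OIOSAML.java's own code; pattern matching follows
Tomcat's filter rules: exact, '/*', '/prefix/*' and '*.ext'."""
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the namespace that web.xml elements usually carry."""
    return tag.rsplit('}', 1)[-1]

def pattern_covers(filter_pattern, servlet_pattern):
    """True if every path routed to servlet_pattern also matches filter_pattern."""
    if filter_pattern in ("/*", servlet_pattern):
        return True
    if filter_pattern.endswith("/*") and not servlet_pattern.startswith("*."):
        base = filter_pattern[:-2]                  # '/saml/*' -> '/saml'
        sbase = servlet_pattern[:-2] if servlet_pattern.endswith("/*") else servlet_pattern
        return sbase == base or sbase.startswith(base + "/")
    return False  # '*.ext' or exact filter patterns cover only the identical mapping

def uncovered_patterns(web_xml, filter_name, servlet_name):
    """url-patterns of servlet_name that no mapping of filter_name matches;
    an empty list means the filter sees every request to the servlet."""
    servlet_patterns, filter_patterns = [], []
    for mapping in ET.fromstring(web_xml):
        kind = _local(mapping.tag)
        children = [(_local(c.tag), (c.text or "").strip()) for c in mapping]
        names = dict(children)
        patterns = [v for k, v in children if k == "url-pattern"]
        if kind == "servlet-mapping" and names.get("servlet-name") == servlet_name:
            servlet_patterns += patterns
        elif kind == "filter-mapping" and names.get("filter-name") == filter_name:
            if names.get("servlet-name") == servlet_name:
                return []  # filter mapped to the servlet by name: always covered
            filter_patterns += patterns
    return [s for s in servlet_patterns
            if not any(pattern_covers(f, s) for f in filter_patterns)]

def _web_xml(filter_pattern):
    """Constructed web.xml mirroring the two configurations above."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>DispatcherServlet</servlet-name>
    <url-pattern>/saml/*</url-pattern></servlet-mapping>
  <filter-mapping><filter-name>SPFilter</filter-name>
    <url-pattern>{filter_pattern}</url-pattern></filter-mapping>
</web-app>"""

NOT_COVERED = _web_xml("/protected/*")  # SPFilter never sees /saml/* requests
COVERED = _web_xml("/*")
if __name__ == "__main__":
    print(uncovered_patterns(NOT_COVERED, "SPFilter", "DispatcherServlet"))  # ['/saml/*']
```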
Hi,
We have been using OIOSAML.java 9918 as SP and it has been working great.
I have been using IdP configured to sign assertions and everything was working fine. Recently I was playing with the IdP configuration and I changed it to sign responses as well. That too worked fine with OIOSAML.java SP.
However, when I changed the IdP configuration to encryptAssertions (in addition to sign responses and sign assertions), I get the following exception on SP in oiosaml-sp.log:
[2013-04-26 15:53:12,896] [WARN ] [http-8080-1] [dk.itst.oiosaml.sp.model.OIOSamlObject] The signature does not meet the requirements indicated by the SAML profile of the XML signature
org.opensaml.xml.validation.ValidationException: SignableSAMLObject does not have a cached DOM Element.
    at org.opensaml.security.SAMLSignatureProfileValidator.validateReferenceURI(SAMLSignatureProfileValidator.java:146)
    at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:84)
    at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
    at dk.itst.oiosaml.sp.model.OIOSamlObject.verifySignature(OIOSamlObject.java:180)
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:102)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:131)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:92)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:163)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
[2013-04-26 15:53:12,896] [ERROR] [http-8080-1] [dk.itst.oiosaml.sp.service.DispatcherServlet] Unable to validate Response
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:107)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:131)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:92)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:163)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
The exception in oiosaml-sp-audit.log is:
[ERROR] [http-8080-1] [OIOSAML_AUDIT_LOGGER] Dispatch:SAMLAssertionConsumer <-- 134.177.229.187 1C2668EE9397D73F90D490D0F14DD42B '' '' 'The response is not signed correctly'
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:107)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:131)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:92)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
I experimented with different settings on the IdP, and what I found out is that the following two are the only combinations that give trouble:
- Response signed, Assertion signed, Assertions encrypted
- Response signed, Assertion not signed, Assertions encrypted.
Just to verify whether it was any issue with processing signed responses, I tried this setting and it works fine:
- Response signed, Assertion not signed, No Encryption
So processing of a signed response in itself is not an issue, but combined with an encrypted assertion it seems to be causing problems. Any idea how this can be resolved?
By the way, while going through the code, I saw a test class (test/dk/itst/oiosaml/sp/model/OIOResponseTest.java) which mentions a similar issue with opensaml 2.5.1 jar. But there is no fix mentioned there.
Will appreciate any help.
Thanks,
Madhavi
Hej Madhavi
Thank you for your feedback. I don't really have an answer for you, except that OIOSAML is first a toolkit we have created to support the implementation of our OIOSAML profile, and second a general purpose SAML toolkit.
It does look like it fails in the part that relies on OpenSAML, where we are currently using 2.5.1. I've just had a quick look at the release notes for the most current (2.6.0 - see below) and it does not seem like this has been addressed yet.
You have the option to implement your own Assertion Validator, as described in the configuration:
oiosaml-sp.assertion.validator: FQCN of a class which implements dk.itst.oiosaml.sp.model.validation.AssertionValidator. This class is then used to perform validation of received assertions. See developer's guide for more information.
Best regards,
Brian Nielsen
Changes in Release 2.6.0
=============================================
[JOST-135] - Opensaml prunes empty xml namespaces, that are required for correct encryption
[JOST-162] - Globally enabling schema validation breaks the Signature metadata filter
[JOST-169] - Update Velocity Dependency
[JOST-183] - AbstractReloadingMetadataProvider code for maxRefreshDelay doesn't match documentation
[JOST-184] - It would be nice if ESAPI.encodeForURL could be made to work
[JOST-185] - Defaultbootstrap does not initialize the providers from the WS-Trust and WS-Policy schemas in openws
[JOST-187] - Velocity initialization code uses an invalid key for the configuration properties set
[JOST-188] - DefaultBootstrap is unnecessarily calling Velocity singleton initialization
[JOST-190] - Backport some bugfixes from OpenSAML3
[JOST-191] - Merge back misc XACML fixes from OpenSAML3
[JOST-192] - org.opensaml.saml2.metadata.provider.SignatureValidationFilter => java.lang.UnsupportedOperationException
[JOST-193] - Make the implementation of custom bootstrap code easier, without relying on private data from DefaultBootstrap
[JOST-194] - org.opensaml.ESAPISecurityConfig should use singleton pattern like the default ESAPI reference class
[JOST-195] - Use system property-based override for our custom ESAPI config rather than ESAPI locator class call
[JOST-196] - On MetadataProviderCredentialResolver, expose the MetadataProvider used to construct the resolver
[JOST-197] - XML providers for Async Logout extensions
[JOST-198] - Configuration files for XMLObject providers often missing Type registrations
[JOST-199] - SAML SOAP encoders should use the supplied outbound SOAP Envelope from the message context, if it exists
[JOST-200] - Reduce memory usage of unit tests
[JOST-201] - SAML1 and 2 base message encoders have incorrect selection logic in getEndpointURL()
[JOST-203] - Head/body template injection for SAML binding templates
[JOST-205] - MetadataProvider doesn't report error during refresh if the metadata file doesn't exist any more
[JOST-206] - Setting failFastInitialization=false has no effect
[JOST-207] - FilesystemMetadataProvider fetchMetadata() does not work correctly if file last modified time is older than getLastRefresh() in some cases
[JOST-208] - FileBackedHTTPMetadataProvider constructor doesn't behave correctly vis-a-vis fail-fast setting if the backing file path has problems
[JOST-209] - Add tests for fail-fast in HTTPMetadataProvider

Changes in Release 2.5.3
=============================================
[JOST-176] - SubjectConfirmationUnmarshaller processChildElement misplaces KeyInfo
[JOST-179] - FileBackedHTTPMetadataProvider does not properly release HTTP connections
[JOST-180] - Update dependencies
[JOST-181] - Bug in marshalling an XACML Policy AttributeDesignatorType
[JOST-182] - Clean up maven assembly description

Changes in Release 2.5.2
=============================================
[JOST-160] - Not all times in logging normalized to Zulu
[JOST-163] - No way to stop AbstractReloadingMetadataProvider threads
[JOST-164] - MetadataProvider minRefreshDelay cannot be set greater than 4 hours
[JOST-165] - Update 3rd party runtime library dependencies
[JOST-171] - org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:246 missing param in logging statement
[JOST-173] - Wrong Treatment of ResponseLocation and Location in Metadata
[JOST-174] - ChainingMetadataProvider calls clear() on unmodifiable list
Hi Brian,
Thanks for the suggestion. I will look into that.
Best,
Does OIOSAML.java support the ECP profile? It does not look like it, but I just want to confirm.
Also, if the ECP support is not present currently, is there any plan of adding it in the near future?
Hi Madhavi
To be honest I've never really looked into the Enhanced Client and Proxy (ECP) Profile, but I can say that it's not part of our (OIO)SAML profile and hence not a requirement we've had for our OIOSAML toolkits. I can't really say how much, if any, the toolkits can help you in implementing the proxy (I presume?).