Digitaliser.dk

OIOSAML group (304 members, open membership)

oiosaml.java 9918

Responsible: Kjeld Froberg
Version: 9918 - Published: 25.04.2012 11:28
Type: Software

NOTICE: A newer version has been released: oiosaml.java 11147

--------------------------------------------------------------------------------

This release contains a fix for audit logging not being initialized properly on requests to the DispatcherServlet when the DispatcherServlet's servlet path was not covered by the path of the SPFilter. The result can be that audit log entries carry wrong information about the client's IP address, session ID, etc.

Check your configuration to see whether the DispatcherServlet is covered by the SPFilter. If it is not, this fix should be applied to get correct audit logs.

Example where DispatcherServlet is not covered by SPFilter:

<servlet-mapping>
  <servlet-name>DispatcherServlet</servlet-name>
  <url-pattern>/saml/*</url-pattern>
</servlet-mapping>
<filter-mapping>
  <filter-name>SPFilter</filter-name>
  <url-pattern>/protected/*</url-pattern>
</filter-mapping>

Example where DispatcherServlet is covered by SPFilter:

<servlet-mapping>
  <servlet-name>DispatcherServlet</servlet-name>
  <url-pattern>/saml/*</url-pattern>
</servlet-mapping>
<filter-mapping>
  <filter-name>SPFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
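The check the release note asks for, as an added example that is not part of oiosaml.java: it reads the servlet-mapping and filter-mapping entries of a web.xml (a constructed fragment is embedded) and reports which DispatcherServlet url-patterns are not guarded by the SPFilter, using the servlet-spec pattern kinds (default, path prefix, extension, exact) and the filter-mapping-by-servlet-name form. The function and variable names are the example's own.

```python
"""Check a web.xml to see whether every request routed to the DispatcherServlet
also passes through the SPFilter (the condition the 9918 audit-log fix concerns).
Added example, not part of oiosaml.java; the web.xml below is constructed."""
import xml.etree.ElementTree as ET

# Constructed web.xml: the DispatcherServlet is mapped under /saml/*, but the
# SPFilter only guards /protected/* (the uncovered case from the release note).
UNCOVERED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>DispatcherServlet</servlet-name>
    <url-pattern>/saml/*</url-pattern></servlet-mapping>
  <filter-mapping><filter-name>SPFilter</filter-name>
    <url-pattern>/protected/*</url-pattern></filter-mapping>
</web-app>"""


def covers(filter_pattern: str, servlet_pattern: str) -> bool:
    """True if every path matched by servlet_pattern is also matched by
    filter_pattern, for the servlet-spec url-pattern kinds: default '/',
    '/*', path prefix '/x/*', extension '*.ext', and exact paths."""
    if filter_pattern in ("/", "/*"):
        return True
    if filter_pattern.endswith("/*"):                 # path-prefix filter
        prefix = filter_pattern[:-2]
        if servlet_pattern.startswith("*.") or servlet_pattern == "/":
            return False                              # these match paths outside the prefix
        sp = servlet_pattern[:-2] if servlet_pattern.endswith("/*") else servlet_pattern
        return sp == prefix or sp.startswith(prefix + "/")
    if filter_pattern.startswith("*."):               # extension filter
        if servlet_pattern == filter_pattern:
            return True
        is_exact = (not servlet_pattern.endswith("/*")
                    and not servlet_pattern.startswith("*.") and servlet_pattern != "/")
        return is_exact and servlet_pattern.endswith(filter_pattern[1:])
    return filter_pattern == servlet_pattern          # exact filter: only the identical mapping


def uncovered_patterns(web_xml: str, servlet: str, filt: str) -> list:
    """Return the servlet's url-patterns not guarded by the filter
    (an empty list means every request to the servlet passes the filter)."""
    root = ET.fromstring(web_xml)
    servlet_patterns, filter_patterns = [], []
    for m in root.iterfind(".//{*}servlet-mapping"):      # {*} ignores the web-app namespace
        if m.findtext("{*}servlet-name", "").strip() == servlet:
            servlet_patterns += [p.text.strip() for p in m.findall("{*}url-pattern")]
    for m in root.iterfind(".//{*}filter-mapping"):
        if m.findtext("{*}filter-name", "").strip() != filt:
            continue
        if any(s.text.strip() == servlet for s in m.findall("{*}servlet-name")):
            return []                                     # filter mapped to the servlet by name
        filter_patterns += [p.text.strip() for p in m.findall("{*}url-pattern")]
    return [s for s in servlet_patterns if not any(covers(f, s) for f in filter_patterns)]


if __name__ == "__main__":
    print(uncovered_patterns(UNCOVERED_WEB_XML, "DispatcherServlet", "SPFilter"))  # ['/saml/*']
    fixed = UNCOVERED_WEB_XML.replace("/protected/*", "/*")                         # the covered example
    print(uncovered_patterns(fixed, "DispatcherServlet", "SPFilter"))               # []
```

Run it against your deployed web.xml instead of the embedded fragment; a non-empty list means requests on those paths reach the DispatcherServlet without the SPFilter and the 9918 fix is needed.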

More information

Unique id: 558455

Artefacts

Files and references
Title: oiosaml.java-9918.zip, Type: application/octet-stream

Posts on this resource

oiosaml-java behind a proxy

Thabet Al Assadi - 24.03.2014 16:36

Hi oiosaml team,

We have a web application running on WebLogic 10.3. It runs fine on our internal network with the URL http://lokal-app.itu.dk:8099. But it also has to work from outside. So we are trying to use a proxy with a public URL: https://offentlig-app.itu.dk/.

Naturally we have updated our service metadata / service provider / SP and its corresponding metadata on our identity provider / IdP, which runs on simpleSAMLphp.

When you try to reach the application from home and log in at https://offentlig-app.itu.dk/, you get our IdP's login page, and you can log in normally.

The problem occurs after you have logged in.

Our SP cannot recognise the request; it thinks it is a brand new request, and therefore sends it back to the IdP.

The IdP can see that the person is already logged in, and sends him/her back to the proxy and from there back to the SP.

This continues until you close the browser.

I have checked the HTTP traffic between the SP and the IdP using the Firefox plugin SAML tracer, which shows identical SAML messages, except for the session ID.

I have checked oiosaml-sp.log and the application log file for an error, without luck. Everything looks normal.

Can anyone help us with a hint about what might be the cause of this behaviour?

Thanks in advance

Thabet

Comments (2)

Uffe Seerup - 24.03.2014 22:35

Hi Thabet

The behaviour you describe may be because your SP does not get the login ticket written, or because the cookie is written with the wrong domain. In that case the browser will not present the login ticket.

After login you are redirected to the original page the login was started from. If you are still not logged in at that point, you get another round trip through the IdP.

Try using Fiddler or similar to see which cookies are written with which domains and paths. Pay particular attention to whether these cookies are sent back to the server from the browser.

Hope this helps you on your way

Uffe

Thabet Al Assadi - 27.03.2014 11:48

Hi Uffe,

Thanks for the reply.

The problem was in our proxy server setup in (ProxyPass), (ProxyPassReverse) and the URL rewrite rules (RewriteRule).

It is a bit hard to describe the solution in detail, but it works now.

Thanks for the help.

Best regards

Thabet


oiosaml-java on weblogic version 10.3

Thabet Al Assadi - 19.01.2014 23:30

Dear oiosaml-java team,

I am not sure if this is the right place to ask such a question, but I will give it a try. Otherwise please direct me to the right forum.

Has anyone tried to use oiosaml.java-9918 on WebLogic v10.3 or any version of WebLogic?

I tried to deploy the demo and got a java.lang.IncompatibleClassChangeError exception. I guess that it is an error related to the Java version. Any ideas or suggestions will be very much appreciated.

Best regards

Thabet

Comments (1)

Morten Kristoffer Hansen - 22.01.2014 11:39

Hi Thabet

I don't have the answer to your question; I just wanted to make sure that you are aware that a newer version of oiosaml.java exists: http://digitaliser.dk/resource/2530598 (version 11330)

/m


Unable to validate response signature when assertion is encrypted and signed

Madhavi Shrotri - 03.05.2013 00:03

Hi,

We have been using OIOSAML.java 9918 as SP and it has been working great. 

I have been using IdP configured to sign assertions and everything was working fine. Recently I was playing with the IdP configuration and I changed it to sign responses as well. That too worked fine with OIOSAML.java SP.

However, when I changed the IdP configuration to encryptAssertions (in addition to sign responses and sign assertions), I get the following exception on the SP in oiosaml-sp.log:

[2013-04-26 15:53:12,896] [WARN ] [http-8080-1] [dk.itst.oiosaml.sp.model.OIOSamlObject] The signature does not meet the requirements indicated by the SAML profile of the XML signature
org.opensaml.xml.validation.ValidationException: SignableSAMLObject does not have a cached DOM Element.
    at org.opensaml.security.SAMLSignatureProfileValidator.validateReferenceURI(SAMLSignatureProfileValidator.java:146)
    at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:84)
    at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
    at dk.itst.oiosaml.sp.model.OIOSamlObject.verifySignature(OIOSamlObject.java:180)
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:102)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:131)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:92)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:163)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
[2013-04-26 15:53:12,896] [ERROR] [http-8080-1] [dk.itst.oiosaml.sp.service.DispatcherServlet] Unable to validate Response
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:107)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:131)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:92)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:163)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)

The exception in oiosaml-sp-audit.log is

[ERROR] [http-8080-1] [OIOSAML_AUDIT_LOGGER] Dispatch:SAMLAssertionConsumer <-- 134.177.229.187 1C2668EE9397D73F90D490D0F14DD42B '' '' 'The response is not signed correctly'
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:107)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:131)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:92)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

I experimented with different settings on the IdP and what I found out is that the following two are the only combinations that give trouble:

- Response signed, Assertion signed, Assertions encrypted

- Response signed, Assertion not signed, Assertions encrypted.

Just to verify whether it was any issue with processing signed responses, I tried this setting and it works fine.

- Response signed, Assertion not signed, No Encryption

So processing of a signed response in itself is not an issue, but combined with an encrypted assertion it seems to be causing problems. Any idea how this can be resolved?

By the way, while going through the code, I saw a test class (test/dk/itst/oiosaml/sp/model/OIOResponseTest.java) which mentions a similar issue with opensaml 2.5.1 jar. But there is no fix mentioned there.

Will appreciate any help.

Thanks,

Madhavi

Comments (2)

Brian Nielsen - 03.05.2013 12:32

Hej Madhavi

Thank you for your feedback. I don't really have an answer for you, except that OIOSAML is first a toolkit we have created to support the implementation of our OIOSAML profile, and second a general-purpose SAML toolkit.

It does look like it fails in the part that relies on OpenSAML, where we are currently using 2.5.1. I've just had a quick look at the release notes for the most current version (2.6.0, see below) and it does not seem like this has been addressed yet.

You have the option to implement your own Assertion Validator, as described in configuration:

oiosaml-sp.assertion.validator: FQCN of a class which implements dk.itst.oiosaml.sp.model.validation.AssertionValidator. This class is then used to perform validation of received assertions. See developer's guide for more information.

Best regards
Brian Nielsen 

Changes in Release 2.6.0
=============================================
[JOST-135] - Opensaml prunes empty xml namespaces, that are required for correct encryption
[JOST-162] - Globally enabling schema validation breaks the Signature metadata filter
[JOST-169] - Update Velocity Dependency
[JOST-183] - AbstractReloadingMetadataProvider code for maxRefreshDelay doesn't match documentation
[JOST-184] - It would be nice if ESAPI.encodeForURL could be made to work
[JOST-185] - Defaultbootstrap does not initialize the providers from the WS-Trust and WS-Policy schemas in openws
[JOST-187] - Velocity initialization code uses an invalid key for the configuration properties set
[JOST-188] - DefaultBootstrap is unnecessarily calling Velocity singleton initialization
[JOST-190] - Backport some bugfixes from OpenSAML3
[JOST-191] - Merge back misc XACML fixes from OpenSAML3
[JOST-192] - org.opensaml.saml2.metadata.provider.SignatureValidationFilter => java.lang.UnsupportedOperationException
[JOST-193] - Make the implementation of custom bootstrap code easier, without relying on private data from DefaultBootstrap
[JOST-194] - org.opensaml.ESAPISecurityConfig should use singleton pattern like the default ESAPI reference class
[JOST-195] - Use system property-based override for our custom ESAPI config rather than ESAPI locator class call
[JOST-196] - On MetadataProviderCredentialResolver, expose the MetadataProvider used to construct the resolver
[JOST-197] - XML providers for Async Logout extensions
[JOST-198] - Configuration files for XMLObject providers often missing Type registrations
[JOST-199] - SAML SOAP encoders should use the supplied outbound SOAP Envelope from the message context, if it exists
[JOST-200] - Reduce memory usage of unit tests
[JOST-201] - SAML1 and 2 base message encoders have incorrect selection logic in getEndpointURL()
[JOST-203] - Head/body template injection for SAML binding templates
[JOST-205] - MetadataProvider doesn't report error during refresh if the metadata file doesn't exist any more
[JOST-206] - Setting failFastInitialization=false has no effect
[JOST-207] - FilesystemMetadataProvider fetchMetadata() does not work correctly if file last modified time is older than getLastRefresh() in some cases
[JOST-208] - FileBackedHTTPMetadataProvider constructor doesn't behave correctly vis-a-vis fail-fast setting if the backing file path has problems
[JOST-209] - Add tests for fail-fast in HTTPMetadataProvider

Changes in Release 2.5.3
=============================================
[JOST-176] - SubjectConfirmationUnmarshaller processChildElement misplaces KeyInfo
[JOST-179] - FileBackedHTTPMetadataProvider does not properly release HTTP connections
[JOST-180] - Update dependencies
[JOST-181] - Bug in marshalling an XACML Policy AttributeDesignatorType
[JOST-182] - Clean up maven assembly description

Changes in Release 2.5.2
=============================================
[JOST-160] - Not all times in logging normalized to Zulu
[JOST-163] - No way to stop AbstractReloadingMetadataProvider threads
[JOST-164] - MetadataProvider minRefreshDelay cannot be set greater than 4 hours
[JOST-165] - Update 3rd party runtime library dependencies
[JOST-171] - org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:246 missing param in logging statement
[JOST-173] - Wrong Treatment of ResponseLocation and Location in Metadata
[JOST-174] - ChainingMetadataProvider calls clear() on unmodifiable list

Madhavi Shrotri - 03.05.2013 22:50

Hi Brian,

Thanks for the suggestion. I will look into that.

Best,

Madhavi


ECP Profile support in OIOSAML.java?

Madhavi Shrotri - 15.05.2012 23:55

Does OIOSAML.java support ECP profile? It does not look like, but just want to confirm.

Also, if the ECP support is not present currently, is there any plan of adding it in the near future?

Thanks,

Madhavi

Comments (1)

Brian Nielsen - 16.05.2012 16:56

Hi Madhavi

To be honest I've never really looked into the Enhanced Client and Proxy (ECP) Profile, but I can say that it's not part of our (OIO)SAML profile and hence not a requirement we've had for our OIOSAML toolkits. I can't really say how much, if at all, the toolkits can help you in implementing the proxy (I presume?).

Best regards
Brian Nielsen

Versions

Version          Date
9918 (selected)  25.04.2012 11:28
9914             11.04.2012 14:10
9352             01.12.2011 14:53
8501             16.08.2011 13:25
8330             03.08.2011 09:44
5922             25.11.2010 09:43
5681             14.09.2010 13:56
5645             06.09.2010 10:40
5546             03.09.2010 13:25
5354             03.09.2010 13:22
5272             03.09.2010 13:20
5076             03.09.2010 13:10
4544             03.09.2010 13:06
4540             03.09.2010 13:03
4340             03.09.2010 12:59
4249             03.09.2010 12:56
4195             03.09.2010 11:28
4141             03.09.2010 11:26
4126             03.09.2010 11:23
3988             03.09.2010 11:18
3862             03.09.2010 11:15
3747             03.09.2010 11:13
3196             03.09.2010 10:57
11442            10.02.2014 10:55
11330            21.10.2013 09:58
11220            06.09.2013 09:21
11147            18.07.2013 15:55

Digitaliseringsstyrelsen