About Digitalisér.dk

Responsible: Arvid Bro Thuestad
Published: 17.11.2009
Type: Document

www.digitaliser.dk is a social network, a tool for development and knowledge sharing, and a forum for the digitisation of Denmark. The literal translation is Digitise.dk.

Digitaliser.dk is both a formal central repository of information on data interchange standards and a big open digital playground - a creative space for everyone involved in digitising the public sector.

Digitalisér.dk aims to stimulate development and adoption of digital content and business models by utilising Web 2.0 technologies and public data and digital resources. With digitaliser.dk, the Danish government has created a new model of partnership between the tech community and government which paves the way for more direct communication between the public sector, citizens, and businesses. Citizens and businesses are no longer passive recipients of public information but participate in dialogue and knowledge sharing with the public sector.

Digitalisér.dk is also a venue that provides an uncomplicated basis for debating common public digitisation by using intuitive web-based interaction rather than formal processes. Digitalisér.dk is also intended to be of value to users outside the Danish public sector and is open for use to all, both public and private, as well as Danish and non-Danish users.

The user interface is not available in English at the moment. If you need a more detailed description of digitalisér.dk in English, or if you have any suggestions or comments on digitaliser.dk, you are very welcome to contact us at info@digitaliser.dk.

The Danish Agency for Digitisation invites partnerships, participation and usage.

Digitalisér.dk is established and maintained by the Danish Agency for Digitisation.

Posts on this resource

Patch to support encrypted assertions

gregw Greg - 10.04.2014

The current implementation fails due to unexpected side effects down in OpenSAML when attempting to add an assertion to a response.  OpenSAML tries to manage the XML object graph while doing this, but it has a bug and ends up setting the parent references to null.  This causes errors when attempting to use the response object later.

The solution I found was to not try to add the decrypted assertion, but rather clean up references to assertions to always check for the decrypted one stored in the instance field first, and then the response unencrypted assertion list.  The only references to the unencrypted assertion list were in OIOResponse, so the scope was isolated.

I also found we need to decrypt the assertion first for completeness, before retrieving the IDP entity ID, as we want to also check the encrypted assertion if we have one, not just the unencrypted one and the response itself.

I've attached my patch that works with OpenAM encrypted assertions.  Reply or contact me through my user account on this site if you have questions.
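
The lookup order described in this post, as an added stand-alone Java model; it is not the attached patch and not OIOSAML.java code. The types `Assertion`, `EncryptedAssertion`, `Response` and `ResponseView` are hypothetical stand-ins for the OpenSAML objects, the decrypter is a constructed stub, and trying the response issuer before the assertion issuer is an assumed order.

```java
import java.util.List;
import java.util.Optional;
import java.util.function.Function;

// Hypothetical stand-ins for the OpenSAML objects; not OIOSAML.java classes.
public class AssertionLookupDemo {
    record Assertion(String issuer, String subject) {}
    record EncryptedAssertion(String ciphertext) {}
    record Response(String issuer, List<Assertion> assertions,
                    List<EncryptedAssertion> encrypted) {}

    static final class ResponseView {
        private final Response response;
        private Assertion decrypted; // held beside the response, never added to it

        ResponseView(Response response) { this.response = response; }

        // Run this before any lookup so later calls see the decrypted assertion.
        void decrypt(Function<EncryptedAssertion, Assertion> decrypter) {
            if (decrypted == null && !response.encrypted().isEmpty()) {
                decrypted = decrypter.apply(response.encrypted().get(0));
            }
        }

        // Single accessor: decrypted assertion first, then the unencrypted list.
        Optional<Assertion> assertion() {
            if (decrypted != null) return Optional.of(decrypted);
            return response.assertions().stream().findFirst();
        }

        // IdP entity ID: response issuer (assumed order), else the assertion issuer.
        String idpEntityId() {
            if (response.issuer() != null) return response.issuer();
            return assertion().map(Assertion::issuer).orElseThrow(
                () -> new IllegalStateException("no issuer available"));
        }
    }

    public static void main(String[] args) {
        // Constructed sample: no response issuer, only an encrypted assertion.
        Response r = new Response(null, List.of(),
                List.of(new EncryptedAssertion("constructed-ciphertext")));
        ResponseView view = new ResponseView(r);
        try {
            view.idpEntityId(); // lookup before decryption finds no issuer
        } catch (IllegalStateException e) {
            System.out.println("before decrypt: " + e.getMessage());
        }
        // Constructed stub standing in for real XML decryption.
        view.decrypt(enc -> new Assertion("https://idp.example.test", "alice"));
        System.out.println("after decrypt: " + view.idpEntityId());
        System.out.println("response list untouched: " + r.assertions().isEmpty());
    }
}
```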

Comments (1)

Brian Nielsen - 10.04.2014

Hi gregw Greg

Thank you for your contribution. I'll tip the folks in the OIOSAML Group that's responsible for the OIOSAML.JAVA toolkit.

Best regards
Brian Nielsen 

Problem getting oiosaml.java-demo-11442.war to work

nitin gupta - 15.02.2014

I have downloaded and installed the oiosaml.java-demo-11442.war in a Jetty Server.

I have set up salesforce.com as IDP and have downloaded the metadata for this IDP. I have successfully added this metadata to the oiosaml-demo SP configuration files.

When I try to login a user using the login link in the oiosaml-demo application, I am redirected to my salesforce IDP and I am able to successfully authenticate in salesforce. I can see the IDP logs in salesforce and can verify that salesforce authenticated the user.

After authentication, I am redirected to my oiosaml-demo SP's AssertionConsumer URL and I get the following error message:

 ---------------------------

The request failed. The reason is:

The response is not signed correctly

Stacktrace:

dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
    at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:108)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:133)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:459)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
    at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
    at java.lang.Thread.run(Thread.java:744)

--------------------
I am trying to figure out the reason for this. I am using a self-signed certificate at the IDP. Could that be the reason for this failure?

On the startup of the OIOSAML demo application, I see the following entries in the log which indicate that the demo code is trying to check the CRL and OCSP lists which are not available as this is a self-signed certificate:
=========

2014-02-15 16:31:53,714 [ERROR] OIOSAML_AUDIT_LOGGER - Dispatch:SAMLAssertionConsumer <-- 99.99.188.183 gql0neh4oby91ni4pg9je5hjr '' '' 'The response is not signed correctly'
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:108)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:133)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:459)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:744)
2014-02-15 16:31:53,714 [ERROR] dk.itst.oiosaml.sp.service.DispatcherServlet - Unable to validate Response
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:108)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:133)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:459)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:744)
2014-02-15 16:31:54,187 [INFO] OIOSAML_AUDIT_LOGGER - Session created at: 1392503513632, timeout after 1800 seconds
2014-02-15 16:31:54,189 [DEBUG] dk.itst.oiosaml.sp.service.util.ArtifactExtractor - Got SAMLart..:null
2014-02-15 16:31:54,189 [ERROR] OIOSAML_AUDIT_LOGGER - Dispatch:SAMLAssertionConsumer <-- 99.99.188.183 gql0neh4oby91ni4pg9je5hjr '' '' ' Parameter 'SAMLart' is null...'
java.lang.IllegalArgumentException: Parameter 'SAMLart' is null...
at dk.itst.oiosaml.sp.service.util.ArtifactExtractor.extract(ArtifactExtractor.java:78)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleGet(SAMLAssertionConsumerHandler.java:110)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:182)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:459)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:744)
2014-02-15 16:31:54,189 [ERROR] dk.itst.oiosaml.sp.service.DispatcherServlet - Unable to validate Response
java.lang.IllegalArgumentException: Parameter 'SAMLart' is null...
at dk.itst.oiosaml.sp.service.util.ArtifactExtractor.extract(ArtifactExtractor.java:78)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleGet(SAMLAssertionConsumerHandler.java:110)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:182)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:459)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:744)

Comments (1)

Morten Kristoffer Hansen - 17.02.2014

Hi Nitin

I think you have a better chance of getting a response to your question if you ask it in context of the resource in question: http://digitaliser.dk/resource/2582561 in the SAML-group.

This group has to do with the general use of Digitalisér.dk.

Hope you'll get your problem solved!

/m
