34 Replies. Latest reply on Apr 5, 2012 2:55 PM by tonykaska

    Looking for Test Volunteers[Seam/PicketLink]

    anil.saldhana

      I am in need of test volunteers who can test the PL2 build with their Seam test apps and report back problems.

       

      Please check out http://community.jboss.org/thread/162111?tstart=0 for the build.

        • 1. Re: Looking for Test Volunteers[Seam/PicketLink]
          matthew.hayes

          I'm trying to deploy the Seam test app included in the PL2 build.  The only changes I've made to the archive were to add picketlink-seam-2.0.0-SNAPSHOT.jar and picketlink-fed-2.0.0-SNAPSHOT.jar to the lib directory.

           

          I also added a jboss-classloading.xml file to the WEB-INF directory to eliminate any classloading issues; the contents:

              <classloading xmlns="urn:jboss:classloading:1.0" domain="my.loader:archive=seamsp" parent-first="false" />

           

          The saml-entities.xml file exists unaltered and the http://idp.ssocircle.com is the first entity listed.

           

          On startup I receive the following error stating that the idp.ssocircle.com SAML identity provider isn't found.

           

          Also, can you point me in the right direction for the source for the PL2 code? I checked the various repositories and only saw the older stuff.

           

          Thanks,

          Matt

           

           

          2011-02-04 16:01:06,204 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/seam-sp]] (main) Exception sending context initialized event to listener instance of class org.jboss.seam.servlet.SeamListener
          org.jboss.seam.InstantiationException: Could not instantiate Seam component: org.picketlink.identity.seam.federation.configuration
                  at org.jboss.seam.Component.newInstance(Component.java:2144)
                  at org.jboss.seam.contexts.Contexts.startup(Contexts.java:304)
                  at org.jboss.seam.contexts.Contexts.startup(Contexts.java:278)
                  at org.jboss.seam.contexts.ServletLifecycle.endInitialization(ServletLifecycle.java:113)
                  at org.jboss.seam.init.Initialization.init(Initialization.java:740)
                  at org.jboss.seam.servlet.SeamListener.contextInitialized(SeamListener.java:36)
                  at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3910)
                  at org.apache.catalina.core.StandardContext.start(StandardContext.java:4389)
                  at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:321)
                  at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:145)
                  at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeployment.java:461)
                  at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118)
                  at org.jboss.web.deployers.WebModule.start(WebModule.java:97)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
                  at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
                  at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
                  at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
                  at org.jboss.system.microcontainer.ServiceProxy.invoke(ServiceProxy.java:206)
                  at $Proxy38.start(Unknown Source)
                  at org.jboss.system.microcontainer.StartStopLifecycleAction.installAction(StartStopLifecycleAction.java:42)
                  at org.jboss.system.microcontainer.StartStopLifecycleAction.installAction(StartStopLifecycleAction.java:37)
                  at org.jboss.dependency.plugins.action.SimpleControllerContextAction.simpleInstallAction(SimpleControllerContextAction.java:62)
                  at org.jboss.dependency.plugins.action.AccessControllerContextAction.install(AccessControllerContextAction.java:71)
                  at org.jboss.dependency.plugins.AbstractControllerContextActions.install(AbstractControllerContextActions.java:51)
                  at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                  at org.jboss.system.microcontainer.ServiceControllerContext.install(ServiceControllerContext.java:297)
                  at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
                  at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
                  at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
                  at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
                  at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:826)
                  at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:556)
                  at org.jboss.system.ServiceController.doChange(ServiceController.java:688)
                  at org.jboss.system.ServiceController.start(ServiceController.java:460)
                  at org.jboss.system.deployers.ServiceDeployer.start(ServiceDeployer.java:163)
                  at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.java:99)
                  at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.java:46)
                  at org.jboss.deployers.spi.deployer.helpers.AbstractSimpleRealDeployer.internalDeploy(AbstractSimpleRealDeployer.java:62)
                  at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:55)
                  at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:179)
                  at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1454)
                  at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1172)
                  at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1193)
                  at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1113)
                  at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                  at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
                  at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
                  at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
                  at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
                  at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:826)
                  at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:556)
                  at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:789)
                  at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:699)
                  at org.jboss.system.server.profileservice.repository.MainDeployerAdapter.process(MainDeployerAdapter.java:117)
                  at org.jboss.system.server.profileservice.repository.ProfileDeployAction.install(ProfileDeployAction.java:70)
                  at org.jboss.system.server.profileservice.repository.AbstractProfileAction.install(AbstractProfileAction.java:53)
                  at org.jboss.system.server.profileservice.repository.AbstractProfileService.install(AbstractProfileService.java:403)
                  at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                  at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
                  at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
                  at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
                  at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
                  at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:778)
                  at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:543)
                  at org.jboss.system.server.profileservice.repository.AbstractProfileService.registerProfile(AbstractProfileService.java:308)
                  at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:256)
                  at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:461)
                  at org.jboss.Main.boot(Main.java:221)
                  at org.jboss.Main$1.run(Main.java:556)
                  at java.lang.Thread.run(Thread.java:619)
          Caused by: java.lang.RuntimeException: Saml identity provider with entity id "http://idp.ssocircle.com" not found in metadata.
                  at org.picketlink.identity.seam.federation.configuration.SamlConfiguration.<init>(SamlConfiguration.java:88)
                  at org.picketlink.identity.seam.federation.configuration.ServiceProvider.<init>(ServiceProvider.java:94)
                  at org.picketlink.identity.seam.federation.configuration.Configuration.init(Configuration.java:76)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
                  at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
                  at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
                  at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
                  at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
                  at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
                  at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
                  at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
                  at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
                  at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
                  at org.picketlink.identity.seam.federation.configuration.Configuration_$$_javassist_seam_0.init(Configuration_$$_javassist_seam_0.java)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
                  at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:144)
                  at org.jboss.seam.Component.callComponentMethod(Component.java:2249)
                  at org.jboss.seam.Component.callCreateMethod(Component.java:2172)
                  at org.jboss.seam.Component.newInstance(Component.java:2132)
                  ... 74 more

          • 2. Re: Looking for Test Volunteers[Seam/PicketLink]
            anil.saldhana
            • 3. Looking for Test Volunteers[Seam/PicketLink]
              matthew.hayes

              In SAMLEntityDescriptorParser (lines 88-90) it creates the EDTDescriptorChoiceType explicitly with an IDPSSODescriptorType:

                  IDPSSODescriptorType idpSSO = parseIDPSSODescriptor(xmlEventReader);
                  EDTDescriptorChoiceType edtDescChoice = new EDTDescriptorChoiceType( idpSSO );

              But in SamlConfiguration (lines 171-176) it's trying to pull back the class using the superinterface class RoleDescriptorType:

                  RoleDescriptorType roleDescriptor = edtDesc.getRoleDescriptor();
                  if( roleDescriptor instanceof IDPSSODescriptorType )
                  {
                     IDPSSODescriptorType IDPSSODescriptor = (IDPSSODescriptorType) roleDescriptor;
                     idpMetaInfo.put(entityId, IDPSSODescriptor);
                  }

              I would expect that in EDTDescriptorChoiceType (lines 91-99) either the second constructor needs to be removed so it rolls up to the superinterface RoleDescriptorType constructor, or the subinterface constructors need to add a call similar to this.roleDescriptor = idpDescriptor;

                  public EDTDescriptorChoiceType(RoleDescriptorType roleDescriptor)
                  {
                     this.roleDescriptor = roleDescriptor;
                  }
                  public EDTDescriptorChoiceType(IDPSSODescriptorType idpDescriptor)
                  {
                     super();
                     // only idpDescriptor is set here; roleDescriptor stays null, so the
                     // instanceof check in SamlConfiguration above never matches
                     this.idpDescriptor = idpDescriptor;
                  }

              Sorry for the quick explanation; I haven't had a whole lot of time to look into the issue, but this seems to stick out at me.

              • 4. Looking for Test Volunteers[Seam/PicketLink]
                anil.saldhana

                Matt, let me add a test case and see what changes need to be done...

                • 5. Re: Looking for Test Volunteers[Seam/PicketLink]
                  matthew.hayes

                  Also SamlService (lines 61-62)

                      SamlEndpoint samlEndpoint = new SamlEndpoint(this, binding, endpoint.getLocation().toString(), endpoint
                            .getResponseLocation().toString());

                  will throw an NPE since ResponseLocation is optional:

                      <complexType name="EndpointType">
                          <sequence>
                              <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                          </sequence>
                          <attribute name="Binding" type="anyURI" use="required"/>
                          <attribute name="Location" type="anyURI" use="required"/>
                          <attribute name="ResponseLocation" type="anyURI" use="optional"/>
                          <anyAttribute namespace="##other" processContents="lax"/>
                      </complexType>

                  • 6. Looking for Test Volunteers[Seam/PicketLink]
                    anil.saldhana

                    Matt, update the picketlink-seam workspace and build it there and pick up the jar and war for your tests. I have fixed the two issues.

                    • 7. Re: Looking for Test Volunteers[Seam/PicketLink]
                      matthew.hayes

                      I will take a look at those.  I found a few more for you:

                       

                      #1 org.picketlink.identity.seam.federation.SamlMetaDataProvider (line 93) - java.lang.UnsupportedOperationException - I believe it's an unmodifiable collection it's trying to add to. Looks like this might have already been found, since at line 74 the PROTOCOL_NSURI is added to the protocolSupport List prior to constructing the SPSSODescriptorType, so line 93 is redundant.

                       

                      #2 org.picketlink.identity.seam.federation.SamlMetaDataProvider (lines 52-54) - The KeyInfo is missing the xmlns:ds attribute (line 52), and certificate.getEncoded returns characters invalid in XML, so this probably should use the KeyUtil encodeAsString (line 53). This is how I had modified it; not sure if the CDATA would be required, but I figured it couldn't hurt.

                          // declare the ds prefix and base64-encode the certificate so the XML parses
                          StringBuilder builder = new StringBuilder( "<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate><![CDATA[");
                          builder.append( org.picketlink.identity.federation.api.util.KeyUtil.encodeAsString(certificate)).append( "]]></ds:X509Certificate></ds:X509Data></ds:KeyInfo>");
                          return DocumentUtil.getDocument(builder.toString()).getDocumentElement();

                       

                      #3 org.picketlink.identity.seam.federation.SamlSingleSignOnReceiver (lines 150-154) - Looks like getAssertions was updated at some point to return an RTChoiceType wrapper for the assertion, and this code wasn't updated to handle the wrapper.

                          for (Object assertion : responseType.getAssertions() )
                          {
                             // never true once getAssertions() returns RTChoiceType wrappers
                             if (assertion instanceof AssertionType)
                             {

                       

                      #4 org.picketlink.identity.federation.core.saml.v2.writers (line 94) - NYI? Not yet implemented?? It's being called from org.picketlink.identity.seam.federation.SamlMetaDataProvider.writeMetaData(OutputStream stream), if that helps.

                          throw new RuntimeException( "NYI" );

                       

                      #5 Still trying to track down the root of this one, but maybe it looks familiar to you - I have a response that contains a valid subject confirmation, but the validateSubjectAndExtractNameID in SamlSingleSignOnReceiver isn't seeing it. I'm assuming this is a parsing error on the SP side since it does see the subject. Here is a snippet of the SAMLResponse XML, if you happen to get to it before I do.

                          <saml:Subject>
                              <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">HayesMa@MYCOMPANY.PVT</saml:NameID>
                              <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                  <saml:SubjectConfirmationData InResponseTo="ID_54c3f7eb-b577-4d59-b416-9c875eccd937" NotBefore="2011-02-09T17:44:05.637-05:00" NotOnOrAfter="2011-02-09T17:44:05.637-05:00" Recipient="http://mycomputer.mycompany.pvt:8080/seam-sp/AssertionConsumerService.seam"/>
                              </saml:SubjectConfirmation>
                          </saml:Subject>

                      • 8. Looking for Test Volunteers[Seam/PicketLink]
                        anil.saldhana

                        Matt, I am aware of 4), the NYI in the writer class. Apart from that, I have fixed the others. Update the PL seam workspace and check it out.

                        • 9. Looking for Test Volunteers[Seam/PicketLink]
                          matthew.hayes

                          Those look good. Found another one regarding the validation of the subject. The returned subject contains

                              NotBefore="2011-02-11T11:46:41.353-05:00"
                              NotOnOrAfter="2011-02-11T11:46:41.353-05:00"

                           

                          Is there a configuration option for giving a little more time for processing?

                          • 10. Looking for Test Volunteers[Seam/PicketLink]
                            anil.saldhana

                            That depends on the IDP. These subject conditions look really bad; the assertion is valid for like 0 secs.

                            • 11. Looking for Test Volunteers[Seam/PicketLink]
                              matthew.hayes

                              Yeah, I'm all for preventing man-in-the-middle attacks, but not by having to warp time. That's from the PicketLink IDP.

                               

                              org.picketlink.identity.federation.api.saml.v2.response.SAML2Response (lines 178-179)

                                  subjectConfirmationData.setNotBefore(issueInstant);
                                  subjectConfirmationData.setNotOnOrAfter(issueInstant);
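A defender-side check of the bearer SubjectConfirmation quoted in reply 7 (#5), exercising the zero-width NotBefore/NotOnOrAfter window discussed in replies 9 to 11. This is an added example, not PicketLink or Seam code; the ACS URL, request id and timestamps are taken from the snippets quoted above, and the clock-skew parameter is an assumption of this example, not a PicketLink configuration option.

```python
"""Bearer-subject checks for a SAML 2.0 <saml:Subject> (added example, not PicketLink code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modelled on the <saml:Subject> snippet quoted in this thread:
# NotBefore and NotOnOrAfter are the same instant, so the window is zero seconds wide.
ACS_URL = "http://mycomputer.mycompany.pvt:8080/seam-sp/AssertionConsumerService.seam"
REQUEST_ID = "ID_54c3f7eb-b577-4d59-b416-9c875eccd937"
ISSUE_INSTANT = "2011-02-09T17:44:05.637-05:00"
SUBJECT_XML = f"""<saml:Subject xmlns:saml="{SAML_NS}">
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">HayesMa@MYCOMPANY.PVT</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}" NotBefore="{ISSUE_INSTANT}"
        NotOnOrAfter="{ISSUE_INSTANT}" Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def parse_saml_instant(value):
    """Parse an xsd:dateTime; a timezone is mandatory so the comparison is unambiguous."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() before Python 3.11 rejects 'Z'
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamp without timezone: " + value)
    return parsed.astimezone(timezone.utc)


def format_saml_instant(moment):
    """Render a UTC datetime the way SAML expects it: millisecond precision, 'Z' suffix."""
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def _check_confirmation_data(data, expected_recipient, expected_request_id, now, skew):
    """Return None if the bearer SubjectConfirmationData is acceptable, else the reason."""
    if data.get("Recipient") != expected_recipient:
        return "Recipient mismatch"
    if expected_request_id is not None and data.get("InResponseTo") != expected_request_id:
        return "InResponseTo mismatch"
    not_on_or_after = data.get("NotOnOrAfter")
    if not_on_or_after is None:
        return "NotOnOrAfter missing"  # a bearer confirmation must expire
    if now >= parse_saml_instant(not_on_or_after) + skew:
        return "expired"
    not_before = data.get("NotBefore")
    if not_before is not None and now < parse_saml_instant(not_before) - skew:
        return "not yet valid"
    return None


def validate_bearer_subject(subject_xml, expected_recipient, expected_request_id, now, clock_skew_seconds=0):
    """Return (NameID, None) if some bearer confirmation is valid at `now`, else (None, reasons).

    `clock_skew_seconds` widens the window on both sides; with 0 the sample above never validates.
    """
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(subject_xml)
    name_id = root.find(f"{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        return None, "NameID missing"
    reasons = []
    for conf in root.findall(f"{{{SAML_NS}}}SubjectConfirmation"):
        if conf.get("Method") != BEARER:
            reasons.append("non-bearer method")
            continue
        data = conf.find(f"{{{SAML_NS}}}SubjectConfirmationData")
        if data is None:
            reasons.append("SubjectConfirmationData missing")
            continue
        reason = _check_confirmation_data(data, expected_recipient, expected_request_id, now, skew)
        if reason is None:
            return name_id.text.strip(), None
        reasons.append(reason)
    return None, "; ".join(reasons) or "no SubjectConfirmation"


def confirmation_window(issue_instant, lifetime_seconds):
    """IDP side: NotBefore at issue time and NotOnOrAfter a real lifetime later, not the same instant."""
    start = parse_saml_instant(issue_instant)
    return format_saml_instant(start), format_saml_instant(start + timedelta(seconds=lifetime_seconds))
```

With the thread's own timestamps the subject is rejected as expired even when the SP clock is exactly on the issue instant; only an explicit skew allowance lets it through, which is why the IDP-side window is the thing to fix.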

                              • 12. Looking for Test Volunteers[Seam/PicketLink]
                                anil.saldhana

                                I fixed https://issues.jboss.org/browse/PLFED-135 in the main PicketLink trunk. Are you able to update the workspace and build it? The jar file that has the update will be picketlink-fed-2.0.0-SNAPSHOT.jar

                                • 13. Looking for Test Volunteers[Seam/PicketLink]
                                  anil.saldhana

                                  I put a new build out last night. It's on the link shown above.

                                  • 14. Re: Looking for Test Volunteers[Seam/PicketLink]
                                    matthew.hayes

                                    Haven't verified yet that this is still a problem with the stuff you posted today - but here is the issue I'm seeing.

                                     

                                    On the IDP I have Negotiation 2.0.4 (trunk) falling back on a web form. When the SP request uses a GET, falling back on the form works fine. When the SP uses a POST, the authenticated request isn't returning control to the SP properly.

                                     

                                    This is what I'm seeing -

                                     

                                    1. SP POSTs SAMLRequest to the IDP at /idp/
                                    2. IDP sends 401, then on browsers not configured for Negotiate includes the login form (url is still /idp/)
                                    3. User enters username/password and the form POSTs to /idp/j_security_check

                                     

                                     

                                    It's on this POST of the form that I'm seeing the issue:

                                     

                                    1. The IDPWebBrowserSSOValve doesn't see a principal, so on line 255 it invokes the next valve - getNext().invoke(request, response);
                                    2. This fires off the org.jboss.security.negotiation.NegotiationAuthenticator which, on line 125 after authenticating the user, forwards the request to the original URI (response.sendRedirect(response.encodeRedirectURL(requestURI));) on the IDP (/idp/)
                                    3. The IDPWebBrowserSSOValve is returned control and continues to process the request until line 521 (recycle(response);), where the request is recycled to show the POST form returning control to the requesting SP

                                     

                                    Problem is, in step 3 the user has already been forwarded by the NegotiationAuthenticator to the original IDP url in step 2, which invokes the IDPWebBrowserSSOValve again, but at this point the SAML messages no longer exist.

                                     

                                    So the POST form to return control to the SP never gets displayed or submitted, and the user remains pointed at the IDP. This can be resolved for this scenario only by commenting out line 125 in the NegotiationAuthenticator to avoid the redirect, but that obviously isn't a permanent solution.

                                     

                                    In the log you see this error from the forwarded request to the IDP (from step 2):

                                    2011-02-17 15:48:47,301 ERROR [org.apache.catalina.connector.CoyoteAdapter] (ajp-0.0.0.0-8009-11) An exception or error occurred in the container during the request processing
                                    java.lang.IllegalArgumentException: responseType is null
                                            at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:404)
                                            at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:710)
                                            at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
                                            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
                                            at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                                            at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                                            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                                            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                                            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                                            at org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:711)
                                            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                                            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                                            at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:436)
                                            at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:384)
                                            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
                                            at java.lang.Thread.run(Thread.java:619)
