1 2 Previous Next 24 Replies Latest reply: Mar 7, 2012 8:54 AM by song gu RSS

Problem with SAML2AttributeHandler

Oved Ourfali Newbie

Hey,

 

I'm trying to configure the SAML2AttributeHandler.

 

The configuration in the IDP is:

  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

        <Option Key="ATTRIBUTE_KEYS" Value="myAttribute"/>

  </Handler>

 

But, when I start jboss I get:

16:06:29,037 ERROR [org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] Exception dealing with handler configuration:: java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List

        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.initHandlerConfig(SAML2AttributeHandler.java:102) [picketlink-fed-2.0.1.final.jar:2.0.1.final]

        at org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil.getHandlers(HandlerUtil.java:76) [picketlink-fed-2.0.1.final.jar:2.0.1.final]

        at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.start(IDPWebBrowserSSOValve.java:1113) [picketlink-bindings-2.0.1.final.jar:2.0.1.final]

        at org.apache.catalina.core.StandardPipeline.addValve(StandardPipeline.java:450) [jbossweb-7.0.7.Final.jar:]

        at org.jboss.as.web.deployment.JBossContextConfig.processJBossWebMetaData(JBossContextConfig.java:188) [jboss-as-web-7.1.0.CR1.jar:7.1.0.CR1]

        at org.jboss.as.web.deployment.JBossContextConfig.applicationWebConfig(JBossContextConfig.java:167) [jboss-as-web-7.1.0.CR1.jar:7.1.0.CR1]

        at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:417) [jbossweb-7.0.7.Final.jar:]

        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:182) [jbossweb-7.0.7.Final.jar:]

        at org.jboss.as.web.deployment.JBossContextConfig.lifecycleEvent(JBossContextConfig.java:161) [jboss-as-web-7.1.0.CR1.jar:7.1.0.CR1]

        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:115) [jbossweb-7.0.7.Final.jar:]

        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3790) [jbossweb-7.0.7.Final.jar:]

        at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:77) [jboss-as-web-7.1.0.CR1.jar:7.1.0.CR1]

        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824)

        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759)

        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_24]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_24]

        at java.lang.Thread.run(Thread.java:662) [:1.6.0_24]

 

Debugging the issue indeed showed that a string is returned, and for some reason it expects a list of strings.

 

   public void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException

   {

      super.initHandlerConfig(handlerConfig);

 

      String attribStr = (String) this.handlerConfig.getParameter(GeneralConstants.ATTIBUTE_MANAGER);

      this.insantiateAttributeManager(attribStr);

==== FAILS HERE ====

      List<String> ak = (List<String>) this.handlerConfig.getParameter(GeneralConstants.ATTRIBUTE_KEYS);

==== FAILS HERE ====

      if (ak != null)

         this.attributeKeys.addAll(ak);

 

Help will be appreciated,

Oved

  • 1. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    I have the same issue. Was anything ever done about this issue?

  • 2. Re: Problem with SAML2AttributeHandler
    Anil Saldhana Master

    Maybe we have a bug here.  I will test it and get back.  Remind me if I dont answer by Monday.

  • 3. Re: Problem with SAML2AttributeHandler
    Oved Ourfali Newbie

    I did the following in the initHandlerConfig code, and it solved the exception:

      String attributeKeysString = (String) this.handlerConfig.getParameter(GeneralConstants.ATTRIBUTE_KEYS);

     

      if ( attributeKeysString != null ) {
          List<String> ak = Arrays.asList(attributeKeysString.split(","));

     

          if (ak != null)
             this.attributeKeys.addAll(ak); 
      }

     

    However, I can't see the attributes correctly in the SP side.

     

    The scenario I have is that I try to reach the SP, I get to the IDP, which calls my login module.

    In the login module I would like to add the sessionID in order to fetch it in the SP (which is using a different sessionID! - not sure why...).

    I add it using the following code:

                HttpServletRequest request = (HttpServletRequest) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
                sessionID = request.getSession().getId();
                Map<String, Object> attributes = new HashMap<String, Object>();
                attributes.put("sessionID", sessionID);
                request.getSession().setAttribute("ATTRIBUTES", attributes);

     

    Then, at the SP level I don't see this atttibute.

     

    What am I doing wrong?

     

    Thank you,

    Oved

  • 4. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    Anil,

    Any progress made on this bug? Thanks in advance...

  • 5. Re: Problem with SAML2AttributeHandler
    Anil Saldhana Master

    I have a test case already on this in the workspace.

     

    http://anonsvn.jboss.org/repos/picketlink/federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java

     

    But it does not test the valve in reality directly.  Let me update the code with a JIRA issue.

  • 6. Re: Problem with SAML2AttributeHandler
    Anil Saldhana Master

    https://issues.jboss.org/browse/PLFED-262

     

    That is the JIRA issue for the bug.  It has been fixed.

     

    Please checkout http://anonsvn.jboss.org/repos/picketlink/federation/trunk/

     

    and do   "mvn clean install -DskipTests=true"   to get updated libraries.

  • 7. Re: Problem with SAML2AttributeHandler
    Oved Ourfali Newbie

    Does it solve only the issue exception, or does it also contain some fix to make the attributes appear?

    (Trying to understand if I'm configuring something wrong or not).

     

    Comments on that will be appreciated.

    In the meantime I'll build the above, and test it.

     


    Thank you,

    Oved

  • 8. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    Again, I am having the same problem. I am not sure if there is a default way of getting attributes passed or not.

     

    My situation may be a bit different in that I am tying my authentication to LDAP and need to pass some LDAP attributes (i.e. "mail", or "surname") passed to the SP from the IDP.

     

    There are lots of fragmented examples, and I am trying to put them together but it is confusing. I may have to create a custom AttributeManager to do this, unless you can specify some other way.

     

    Overall, I am impressed with this functionality, just need to finalize this process.

     

    Anil, we are also looking at getting a subscription for EPP, shich I understand is integrated with PicketLink. Does it make sense to just wait for that upgrade, or will I have the same problems?

     

    Thanks in Advance for any ideas.

     

     

     

     

     

  • 9. Re: Problem with SAML2AttributeHandler
    Oved Ourfali Newbie

    I also had similar issues, and debugging mostly helped me figure out what to do.

     

    I succeeded to make it work, but during that I found a bug in picketlink, fixed it, it still didn't work, and then I found the correct way to configure things (at least I believe it is the correct way :-) ). I'm not sure if the fix I did is still required after doing the configuration right, but I had another urgent issue so I didn't get a chance to test it. Feel free to test with and without the fix. I'll be happy to hear the results.

     

    The steps I did:

    1. You should take the fix Anil mentioned in the earlier comment.

    2. Do the following fix as well in SAML2AttributeHandler.java:

       @Override

       public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException

       {

          super.initChainConfig(handlerChainConfig);

          Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);

          if (config instanceof IDPType)

          {

             if ( attribManager == null ) { // ADD THIS IF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

                 IDPType idpType = (IDPType) config;

                 String attribStr = idpType.getAttributeManager();

                 insantiateAttributeManager(attribStr);

             }

          }

       }

    As I saw that the attribute manager is set again, although it is already set, and instead of using my attribute manager inside the DelegateAttributeManager, it uses TomcatAttributeManager... Again, this fix might not be needed if you configure things as below, but I'm not sure:

     

    3. In picketlink-idfed.xml file, in the IDP:

    I also had similar issues, and debugging mostly helped me figure out what to do.

     

    I succeeded to make it work, but during that I found a bug in picketlink, fixed it, it still didn't work, and then I found the correct way to configure things (at least I believe it is the correct way :-) ). I'm not sure if the fix I did is still required after doing the configuration right, but I had another urgent issue so I didn't get a chance to test it. Feel free to test with and without the fix. I'll be happy to hear the results.

     

    The steps I did:

    1. You should take the fix Anil mentioned in the earlier comment.

    2. Do the following fix as well in SAML2AttributeHandler.java:

       @Override

       public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException

       {

          super.initChainConfig(handlerChainConfig);

          Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);

          if (config instanceof IDPType)

          {

             if ( attribManager == null ) { // ADD THIS IF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

                 IDPType idpType = (IDPType) config;

                 String attribStr = idpType.getAttributeManager();

                 insantiateAttributeManager(attribStr);

             }

          }

       }

    As I saw that the attribute manager is set again, although it is already set, and instead of using my attribute manager inside the DelegateAttributeManager, it uses TomcatAttributeManager... Again, this fix might not be needed if you configure things as below, but I'm not sure:

     

    3. In picketlink-idfed.xml file, in the IDP:

     

    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0" AttributeManager="engine.loginutils.EngineAttributeManager">

    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>

    <Trust>

       .... put things in if you need them. I didn't use this yet.

    </Trust>

    </PicketLinkIDP>

     

    4. context.xml (IDP) - sessionID is the attribute I need:

    <Context>

            <Valve

                    className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve"

                    attributeList="sessionID"

                    ignoreAttributesGeneration="false"

                    signOutgoingMessages="false"

                    ignoreIncomingSignatures="true"/>

    </Context>

     

    5. jboss-web.xml (IDP) - put both attribute list and ignoreAttributeGeneration to false. Looks important, although didn't find documentation saying it is needed to get the attribute handler to work.

    <jboss-web>

      <security-domain>idp</security-domain>

      <valve>

         <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>

         <param>

            <param-name>signOutgoingMessages</param-name>

            <param-value>false</param-value>

         </param>

         <param>

            <param-name>ignoreIncomingSignatures</param-name>

            <param-value>true</param-value>

         </param>

         <param>

            <param-name>attributeList</param-name>

            <param-value>sessionID</param-value>

         </param>

         <param>

            <param-name>ignoreAttributesGeneration</param-name>

            <param-value>false</param-value>

         </param>

       </valve>

     

    </jboss-web>

     

    6. picketlink-handlers.xml (IDP)

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

            <Option Key="ATTRIBUTE_MANAGER" Value="engine.loginutils.EngineAttributeManager"/>

            <Option Key="ATTRIBUTE_KEYS" Value="sessionID"/>

      </Handler>

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>

    </Handlers>

    7. picketlink-handlers (SP):

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>  

      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

            <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true"/>

      </Handler>

     

    </Handlers>

     

    Code samples:

    1. My login module, I set the attribute in the login method:

                HttpServletRequest request = (HttpServletRequest) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
                sessionID = request.getSession().getId();
                Map<String, Object> attributes = new HashMap<String, Object>();
                attributes.put("sessionID", sessionID);
                request.getSession().setAttribute("ATTRIBUTES", attributes);

     

    2. The AttributeManager:

    public class EngineAttributeManager implements AttributeManager {

     

        public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {

            Map<String,Object> attributes = new HashMap<String, Object>();

            HttpServletRequest request;

            try {

                request = (HttpServletRequest) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");

                HttpSession session = request.getSession();

                Object customAttributes = session.getAttribute("ATTRIBUTES");

                if ( customAttributes != null ) {

                    Map<String, Object> attributesMap = (Map<String, Object>) customAttributes;

                   

                    for ( String key : attributeKeys ) {

                        Object attribute = attributesMap.get(key);

                        if ( attribute != null) {

                            attributes.put(key, attribute);

                        }

                    }

                   

                }

            } catch (PolicyContextException e) {

                // TODO Auto-generated catch block

                e.printStackTrace();

            }

            return attributes;

        }

    }

     

    3. The SP code:

    private String getAuthenticationSession(HttpServletRequest req) {
        String sessionID = null;
        Object customAttributes = req.getSession().getAttribute("SESSION_ATTRIBUTE_MAP");
        if ( customAttributes != null ) {
               Map<String, Object> attributesMap = (Map<String, Object>) customAttributes;
               List<Object> sessionIDEntry = (List<Object>) attributesMap.get("sessionID");
               if ( sessionIDEntry != null ) {
                   sessionID = (String) sessionIDEntry.get(0);
            }
        }
        return sessionID;
    }

     

    Some questions due to the steps above:

    1. Why do we need to define the attribute manager in 2 locations? The attribute list in 3 locations? Is it really needed?

    2. Is the patch in "2" really needed?

    3. Basically, if someone will provide the exact steps to make things work that would be great, as maybe some of the steps I did are redundant.

     

    Again, as I said I didn't get a chance to start over and check exactly what's needed to make it work. It worked for me with this configuration.

     

    Hope it is helpful.

    Let me know if you test it deeper, and find out that things should be configured differently.

     

    Oved

  • 10. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    Wow Oved, that's alot of good information. Thanks for taking the time to publish it.

     

    My problem is that I am using 2 authenitcation sources (AD / DB) for authehtication. I need to somehow get these sources to provide an attribute to the Attribute Manager, or something like that.

     

    I did notice the problem you had in the Attribute Handler mentioned in number 2 in your list.... in addition to the if statement dont forget to change:

     

    protected AttributeManager attribManager = null

     

  • 11. Re: Problem with SAML2AttributeHandler
    Oved Ourfali Newbie

    Not sure you need that.

     

    IIRC, the attribute manager is created correctly, but then it is switched to the TomcatAttributeManager.

    So, you can leave it.

  • 12. Re: Problem with SAML2AttributeHandler
    Anil Saldhana Master

    Oved,  this is what I had in mind.

     

    The user always configures the AttributeManager in the picketlink-idfed.xml.  That is what is always used by the SAML2AttributeHandler as it is passed via the handler chain config.

     

    But sometime, you do not want to use the AttributeManager coming from the p-i.xml,  that is when you configure your own AttribM in the handler config.

  • 13. Re: Problem with SAML2AttributeHandler
    Oved Ourfali Newbie

    So, if the p-i.xml doesn't have it configured, and the p-h.xml does configure it, then it is supposed to work?

    Also, what about the place where we should configure the attributes? Where should they be defined in order to make it work.

     

    Thank you.

    Oved

  • 14. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    I am wondering the same thing, but more important, I do not know where to configure the Attribute Handler in the Security contect for LDAP.

     

    Are there any working examples of this config? I will keep looking...

     

    Thanks!

1 2 Previous Next