Channel: Spring Community Forums - SAML
Viewing all 52 articles

Using spring-ws, WSS, spring-security-saml2-core with SAML token profile

My existing webapp supports a soap-endpoint accessed using spring-ws and secured using spring-security with XwsSecurityInterceptor. Currently it uses basic authentication and an LDAP Identity Provider (IdP).

I am migrating this app to support SAML2 token and a SAML based IdP like ssoconnect.

Ideally, I would like to leave the old vs. new authentication mechanism a deployment choice configured simply by setting a property (authn.mode with choice ldap or saml). The property will be used to import a corresponding Spring config file (applicationSecurity-ldap.xml or applicationSecurity-saml.xml).

Does anyone have experience using spring-ws, WSS, spring-security-saml2-core with SAML token profile? I am wondering if XwsSecurityInterceptor will work, given that the XWS-Security project page says that support for SAML Token Profile is partial. In comparison, the WSS4J project page does not state any such caveats in declaring its support for SAML Token Profile.

Please share any configuration / experience using spring-ws, WSS, spring-security-saml2-core with SAML token profile. Thanks.

IDP initiated SAML sign on with Multi Tenant SP configuration

I have a working setup of an IDP initiated SAML sign on to our single SP. The metadata configuration is as shown:

Code:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <!-- Local metadata for SP: certificate + key data for SP initiated calls. Doesn't look the keys are needed for the current IDP initiated SAML login -->
                <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                    <constructor-arg>
                        <value type="java.io.File">classpath:sp-metadata.xml</value>
                    </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
                <!-- IDP metadata: configured with IDP provided certificate and public key data -->
                <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                    <constructor-arg>
                        <value type="java.io.File">classpath:idp-metadata.xml</value>
                    </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
            </list>
        </constructor-arg>
        <property name="defaultExtendedMetadata">
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                <property name="local" value="true"/> <!-- Indicates configuration for local SP -->
                <property name="alias" value="${saml_sp_alias}"/>
                <property name="securityProfile" value="metaiop"/>
                <property name="requireArtifactResolveSigned" value="false"/>
                <property name="requireLogoutRequestSigned" value="false"/>
                <property name="requireLogoutResponseSigned" value="false"/>
                <property name="idpDiscoveryEnabled" value="false"/>
            </bean>
        </property>
        <property name="hostedSPName" value="${saml_sp_alias}"/>
    </bean>

With the above setup, the application parses the token (binding used is HTTP-POST), authenticates and logs in the user. So far so good. Now I need to be able to support multiple IDPs and SPs for my one application. SAML sign on will still be IDP initiated. I read from the documentation that Multi Tenant SP configuration is possible by using the ExtendedMetaDataDelegate bean. I'm just not sure as to how I need to use it. I tried a few things:
1. I added new "FilesystemMetadataProvider" beans with metadata for the new SP configuration to the existing CachingMetadataManager bean, but it seems like the assertion validation fails because the expected audience does not match the value in the "hostedSPName" of my metadata configuration (now that I have multiple SPs).

2. I added a new bean (in addition to the cachingMetaDataManager):

Code:

<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:sp-metadata-2.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                <property name="local" value="true"/>
                <property name="alias" value="sp-2"/>
                <property name="securityProfile" value="metaiop"/>
                <property name="requireArtifactResolveSigned" value="false"/>
                <property name="requireLogoutRequestSigned" value="false"/>
                <property name="requireLogoutResponseSigned" value="false"/>
                <property name="idpDiscoveryEnabled" value="false"/>
            </bean>
        </constructor-arg>
    </bean>

With this I don't even see the assertion being authenticated.

I'm new to this and have spent a few days looking at the code and the documentation to try and figure things out. We currently use Spring Security and I was very happy to find that SAML integration is possible with Spring Security. I'm trying to stack SAML authentication on top of other GUI + Siteminder authentication that we currently support.
Thanks to the SAML dev team for all the great work on this. I'd appreciate a little guidance in trying to figure this problem out.

Free IdP that supports subject role management?

I have had initial success migrating my webapp to support SAML2 using spring-security-saml2-core and ssocircle as IdP. Thanks for a terrific project.

I now need to be able to create roles and assign them to subjects within the IdP. This is not supported for the free hosted offering by ssocircle. Can anyone suggest an alternative IdP (hosted or otherwise) that supports role creation and assignment to subjects in addition to the basic features available in the ssocircle hosted product? Thanks for your help.

SAMLMessageStorage implementation for DB?

Hi,

In my case, the system contains multiple Tomcats, each one of them running a WAR that contains spring-sec-saml, so I'm not sure that the Tomcat which sent the SAML request is the one to handle the SAML response. Hence, I need to store the messages in a DB and not in memory, counting on the session (like HttpSessionStorage does)...
Does it sound reasonable?

Is there an implementation of SAMLMessageStorage that suits reads/writes from a DB?

integrating spring-oauth and spring-saml: does not redirect back to /oauth/authorize

Vladi,

I've posted this in the main security forum because I think it is relevant not only for SAML or OAuth, but maybe you will have an idea how to resolve this one...

Ohad

A really weird bug.

If a user is logged in and he/she is inactive for more than 1 hour (inactive means he doesn't use the website, doesn't click on links, etc.) and then he/she tries to log in again, they get 401 Authentication Failed: Error validating SAML message. (See attachment.)

In this case, the user should be redirected back to the IdP login page.

My server's clock is also synchronized once per 1 hour. I'm not sure about this issue because sometimes it occurs and sometimes not. Please help me identify this problem.

Here are the logs:

Code:

WebSSOProfileConsumerImpl:204 - Validation of received assertion failed, assertion will be skipped
 Validation of received assertion failed, assertion will be skipped
org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:522)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:300)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:202)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

WebSSOProfileConsumerImpl:243 - Response doesn't any valid assertion which would pass subject validatio

Code:

org.apache.catalina.session.StandardManager doLoad
SEVERE: IOException while loading persisted sessions: java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1964)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1888)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1347)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1964)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1888)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1347)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:284)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:204)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:491)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5300)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:977)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1655)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1671)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1077)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:432)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:353)
at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:518)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5480)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1575)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1564)
... 5 more

org.apache.catalina.session.StandardManager startInternal
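Added example (not code from Spring Security SAML or from either poster): the assertion checks behind the two rejections seen on this page, an AudienceRestriction that does not name the hosted SP (the multi-tenant post above) and an AuthnStatement "too old to be used" (the log above), run against a constructed assertion. The defaults for maximum authentication age and clock skew are assumptions modelled on Spring SAML's maxAuthenticationAge and responseSkew settings.

```python
"""Assertion validity checks: audience, conditions window and AuthnInstant age.
Added example, not Spring Security SAML code. The two defaults below are
assumptions modelled on its maxAuthenticationAge / responseSkew settings, and
the sample assertion is constructed for this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_AUTHENTICATION_AGE = timedelta(seconds=7200)  # assumed default: 2 hours
RESPONSE_SKEW = timedelta(seconds=60)             # assumed clock-skew allowance

# Constructed sample: issued at 10:00, but AuthnInstant is 09:00, i.e. the IdP
# reused an hour-old login session instead of re-authenticating the user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2013-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-05-01T09:59:00Z" NotOnOrAfter="2013-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-05-01T09:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""


def parse_saml_time(text):
    """SAML timestamps are xsd:dateTime in UTC; accept the trailing-'Z' spelling."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    stamp = datetime.fromisoformat(text)
    if stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp.astimezone(timezone.utc)


def validate_assertion(xml_text, hosted_sp_entity_id, now,
                       max_authentication_age=MAX_AUTHENTICATION_AGE,
                       response_skew=RESPONSE_SKEW):
    """Return the list of rejection reasons; an empty list means the assertion passes.

    Signature verification is out of scope here and must happen before these checks.
    """
    root = ET.fromstring(xml_text)
    reasons = []

    # 1. Audience: at least one <Audience> must name this SP. A multi-tenant SP
    #    must compare against the entityID of the tenant that received the
    #    response, not one global hostedSPName.
    audiences = [(a.text or "").strip() for a in
                 root.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if hosted_sp_entity_id not in audiences:
        reasons.append("audience-mismatch")

    # 2. Conditions window, tolerating response_skew on both edges.
    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        if not_before and now + response_skew < parse_saml_time(not_before):
            reasons.append("not-yet-valid")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_on_or_after and now - response_skew >= parse_saml_time(not_on_or_after):
            reasons.append("expired")

    # 3. AuthnInstant freshness: a freshly issued response within its conditions
    #    window can still carry an old login; that is the "too old to be used" case.
    statement = root.find("saml:AuthnStatement", NS)
    if statement is None or not statement.get("AuthnInstant"):
        reasons.append("no-authn-statement")
    else:
        authn_instant = parse_saml_time(statement.get("AuthnInstant"))
        if authn_instant > now + response_skew:
            reasons.append("authn-in-future")
        elif now - authn_instant > max_authentication_age + response_skew:
            reasons.append("authn-too-old")
    return reasons


if __name__ == "__main__":
    now = datetime(2013, 5, 1, 10, 0, 30, tzinfo=timezone.utc)
    sp = "https://sp.example.test/saml/metadata"
    print(validate_assertion(SAMPLE_ASSERTION, sp, now))
    print(validate_assertion(SAMPLE_ASSERTION, sp, now,
                             max_authentication_age=timedelta(minutes=30)))
```

With the default two-hour limit the sample passes; with a 30-minute limit the same, still unexpired, assertion is rejected for its old AuthnInstant, which is why an IdP that reuses its login session can trip this check while a fresh login does not.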


Spring security SAML and SAML attributes

I need to integrate a spring application with an existing SAML IDP requesting some custom SAML attributes to be set in the SAML authentication request.

I've tried with the spring security SAML extension but I couldn't find a way to set SAML attributes in the SAML authentication request.

Can someone give me a hint?

Thanks

SAML Authentication integration with CAS

We have a suite of existing web applications (each being a separate WAR file) that have SSO enabled amongst themselves through CAS using Spring Security.

Now we have a new requirement wherein third-party users should be able to access these applications using their own domain IDs. This would be an IDP Initiated SSO using SAML.

Can we integrate the SAML authentication with the current SSO (CAS-based) using the SAML Extension? If yes, then how can we integrate the two, so that once the SAML authentication is done, a valid CAS service ticket creation is triggered?

I am new to CAS, though I have some experience with the SAML extension. I would appreciate it if somebody could please guide me on this.

Spring SAML Memory consumption

Hi,
We have a standalone Spring SAML web application acting as a SAML service provider. Trial runs indicate high Tomcat memory utilisation by the web application. We are seeing around ~0.18 MB per user session after completing SAML authentication.

Anyone see the above as an abnormality or is this expected? Any documents available to configure spring security to tune memory?

Thanks
Joe

Proxy problem

Hi,

I have started to look into the example and try to figure out how the SAML extension works.

I have managed to build and deploy the example into WebLogic 12c, but I am not able to figure out how to make the httpMetaDataProvider access the idp-meta.xml hosted on idp.ssocircle.com through our firewall. It does not seem like it obeys the -Dhttp.proxyHost= setting.

Is there any way to configure it to go through our proxy server?

-ttjarl

Filter security exception

My Tomcat server shows this error, but I can log in and do the SSO. I don't know whether it is a critical error or not. I checked my SAML settings and everything is OK. I cannot identify what the problem is and what causes this error. Please help me identify the problem.

Code:

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

Import public keys

Hi,

My web application is integrated with the Spring Security SAML extension. The user is authenticated by an IDP whose public certificate is embedded in its metadata. How can I import the IDP certificate/public key into my web application's keystore? Please advise.

IDP initiated SSO

Hi,

I have started looking into the Spring Security SAML extension in order to implement a rather simple (?) business case, but I guess I need some assistance in order to implement it. Our business case is that we have a partner (IDP in our case) whom we trust and who would like to be able to do (IDP initiated) SSO into our sales system.

I have got the Spring SAML example working and I have started building a simple test client acting as IDP that will initiate an SSO on the Spring example app.

How do I strip the example security configuration down to the bare essentials where it will just accept a SAML response, leaving no loose ends?

Best regards,
-ttjarl

Multiple IDPs configured in runtime

Hi,

I need to support multiple IDPs configured in runtime, metadata XML is saved to DB.
The IDP should be selected automatically depending on a passed HTTP param. So far I'm considering something like this:

Code:

import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.context.SAMLMessageContext;

public class SAMLContextProvider extends SAMLContextProviderImpl {

    // Selects the IDP (peer entity) for this request from an HTTP parameter
    // instead of from the default IDP of the MetadataManager.
    @Override
    protected void populatePeerEntityId(SAMLMessageContext context) {
        HTTPInTransport inTransport = (HTTPInTransport) context.getInboundMessageTransport();

        String key = inTransport.getParameterValue("key");
        // "database" is the poster's placeholder for the DB lookup that maps
        // the passed HTTP param to the entityID of the stored IDP metadata
        String peerId = database.getPeerId(key);

        context.setPeerEntityId(peerId);

        // Mark the peer as explicitly chosen so the default IDP is not substituted
        context.setPeerUserSelected(true);
        context.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    }

}

Now I need to figure out how to populate corresponding metadata into context.

It looks like I also need to customize or override MetadataManager and/or create custom MetadataProvider. Though the approach is not obvious.

I would appreciate any hints.

memory leaks on 1.7 xerces

On Tomcat 7 + JDK 1.7,
org.apache.xerces.jaxp.datatype.DatatypeFactoryImpl is responsible for blocking the GC of org.apache.catalina.loader.WebappClassLoader.

As JDK 7 comes with a JAXB implementation, do you think it could be better to import spring-security-saml2-core like this in a webapp?

Code:

compile("org.springframework.security.extensions:spring-security-saml2-core:$springSecuritySamlVersion") {
    exclude group: "org.slf4j", module: "jcl-over-slf4j"
    exclude group: "org.slf4j", module: "log4j-over-slf4j"
    exclude group: "org.apache.xerces", module: "xml-apis"
    exclude group: "org.apache.xerces", module: "serializer"

    // ---> the two additional exclusions being proposed:
    exclude group: 'xerces', module: 'xercesImpl'
    exclude group: 'xml-apis', module: 'xml-apis'
}

It seems to work fine without it.

Error decoding incoming SAML message

Hello,

I am trying to implement single sign-on across three of my webapps using the Spring SAML extension, but I am implementing the given sample app before implementing the SAML extension on my own apps. However, I get this error in my browser after I sign in to the sample app:

HTTP Status 401 - Authentication Failed: Error decoding incoming SAML message

type Status report

message Authentication Failed: Error decoding incoming SAML message

description This request requires HTTP authentication.

Apache Tomcat/7.0.41


and the tomcat log says:

INFO: Server startup in 7861 ms
- No default metadata configured, generating with default values, please pre-configure metadata for production use
- Created default metadata for system with entityID: https://localhost:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias
- AuthNRequest;SUCCESS;127.0.0.1
- PKIX path construction failed for untrusted credential: [subjectName='CN=servername.local' |credential entityID='http://servername.local/adfs/services/trust']: unable to find valid certification path to requested target



I am using this guide to implement single sign-on:
http://static.springsource.org/sprin...idp-guide.html

with this sample application:
https://github.com/SpringSource/spri...r/saml2-sample

using an ADFS Windows 2012 Server Standard.

SAML logout does not work.

Hi,
I try to log out by using
Code:

request.sendRedirect("/myProjectName/saml/logout")

and it redirects to the successful_logout URL (that means I logged out successfully). But when I try to log in again, the username/password seems to be remembered, and it instantly redirects to the successful_login URL. I think the user should be navigated to the login page. I'm not sure about this case. Please give me some ideas for this issue.

NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl

Hi,

Sometimes when I start my web app using spring-security-saml2-core, version 1.0.0-RC2-SNAPSHOT, I get the following exception. Do you have any idea?

SEVERE: Exception loading sessions from persistent storage
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1410)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2047)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1971)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1854)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1406)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2047)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1971)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1854)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1406)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:409)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1470)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:972)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:394)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:321)
at org.apache.catalina.session.StandardManager.start(StandardManager.java:637)
at org.apache.catalina.core.ContainerBase.setManager(ContainerBase.java:438)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4396)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:905)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:740)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:500)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:602)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1189)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1537)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1502)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1425)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1183)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1537)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1502)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1425)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1183)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:352)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1546)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:989)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:517)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:463)
at org.apache.catalina.session.StandardManager.stop(StandardManager.java:667)
at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4611)
at org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:924)
at org.apache.catalina.startup.HostConfig.undeployApps(HostConfig.java:1319)
at org.apache.catalina.startup.HostConfig.stop(HostConfig.java:1290)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:323)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1086)
at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1098)
at org.apache.catalina.core.StandardEngine.stop(StandardEngine.java:448)
at org.apache.catalina.core.StandardService.stop(StandardService.java:584)
at org.apache.catalina.core.StandardServer.stop(StandardServer.java:744)
at org.apache.catalina.startup.Catalina.stop(Catalina.java:643)
at org.apache.catalina.startup.Catalina.start(Catalina.java:618)


Static localhost address

I ran the example 'spring-security-saml2-sample.war' successfully, but now I have a problem with the redirection address of the HTTP 302 response (Location header) for discovery: it is always set to http://localhost/spring-security-saml2-sample/... How can I change it to my public server address?

I found such code in SAMLEntryPoint class:

Code:

String contextPath = (String)context.getInboundMessageTransport().getAttribute("localContextPath");
discoveryURL = contextPath + discoveryUrl + "?" + "returnIDParam" + "=" + "idp" + "&" + "entityID" + "="
                + context.getLocalEntityId();

Thanks in advance,

Issue With Deploying The SAML Example War File

Hi All,
I am trying to deploy the Spring Security SAML example from GitHub in WebLogic 12.1.
After the deployment, when I try to access the SP module using the following URL, I get the exception mentioned below:

URL: http://localhost:8080/spring-security-saml2-sample

Exception:

Root cause of ServletException.
weblogic.servlet.jsp.CompilationException: Failed to compile JSP /WEB-INF/security/idpSelection.jsp
idpSelection.jsp:1:1: The validator class: "org.apache.taglibs.standard.tlv.JstlCoreTLV" has failed with the following exception: "java.lang.ClassCastException: weblogic.xml.jaxp.RegistrySAXParserFactory cannot be cast to javax.xml.parsers.SAXParserFactory".
<%@ page import="org.springframework.security.saml.metadata.MetadataManager" %>
^-----------------------------------------------------------------------------^

at weblogic.servlet.jsp.JavelinxJSPStub.reportCompilationErrorIfNeccessary(JavelinxJSPStub.java:225)
at weblogic.servlet.jsp.JavelinxJSPStub.compilePage(JavelinxJSPStub.java:161)
at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:237)
at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:190)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:281)
Truncated. see log file for complete stacktrace

Can anyone help me to solve this issue?
Regards,
Deb.