[ https://issues.apache.org/jira/browse/CXF-6237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303229#comment-14303229 ]
moshiko kasirer commented on CXF-6237:
--------------------------------------

Hi Sergey,

I was able to reproduce the problem in my dev environment again. To sum things up, I ran the *same test* twice:

when working with opensaml 2.6.1, XMLTOOLING 1.4.1 and *XMLSEC 1.5.6*, the SAML test passes;
when working with opensaml 2.6.1, XMLTOOLING 1.4.1 and *XMLSEC 2.0.2* (which are the CXF 3.0.3 versions), the SAML tests fail.

We debugged the code and we see that the difference is in org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator, in this method:

{code:java}
public boolean validate(Credential untrustedCredential, Iterable<Credential> trustedCredentials) {
    for (Credential trustedCredential : trustedCredentials) {
        if (validate(untrustedCredential, trustedCredential)) {
            return true;
        }
    }
    return false;
}
{code}

With XMLSEC 1.5.6 this method *returns true* after entering the for-each loop; with XMLSEC 2.0.2 this method *returns false* and does not even enter the for-each loop.

Here is the stack trace of the failure when running with xmlsec 2.0.2. Please note that I had to change package names due to company policy...
So the below is the real trace, except that names were changed:

14:49:20.328 [main] INFO c.a.x.c.s.a.demoSpringAuthenticationManager - Received authentication request Principal:[]
14:49:20.328 [main] DEBUG c.a.x.c.s.a.demoSpringAuthenticationManager - Passing authentication request to srping authentication manager
14:49:20.328 [main] DEBUG o.s.s.s.w.WebSSOProfileConsumerImpl - Verifying message signature
14:49:20.329 [main] DEBUG o.o.s.SAMLSignatureProfileValidator - Saw Enveloped signature transform
14:49:20.329 [main] DEBUG o.o.s.SAMLSignatureProfileValidator - Saw Exclusive C14N signature transform
14:49:20.330 [main] DEBUG o.s.s.saml.websso.WebSSOProfileImpl - Verifying signature
14:49:20.330 [main] DEBUG o.o.s.MetadataCredentialResolver - Forcing on-demand metadata provider refresh if necessary
14:49:20.331 [main] DEBUG o.o.s.MetadataCredentialResolver - Attempting to retrieve credentials from cache using index: [https://localhost:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
14:49:20.332 [main] DEBUG o.o.s.MetadataCredentialResolver - Unable to retrieve credentials from cache using index: [https://localhost:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
14:49:20.332 [main] DEBUG o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://localhost:8443/idp/shibboleth
14:49:20.332 [main] DEBUG o.o.s.MetadataCredentialResolver - Attempting to retrieve credentials from metadata for entity: https://localhost:8443/idp/shibboleth
14:49:20.332 [main] DEBUG o.o.s.MetadataCredentialResolver - Retrieving metadata for entity 'https://localhost:8443/idp/shibboleth' in role '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'
14:49:20.332 [main] DEBUG o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://localhost:8443/idp/shibboleth
14:49:20.332 [main] DEBUG o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://localhost:8443/idp/shibboleth
14:49:20.334 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
14:49:20.334 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
14:49:20.334 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
14:49:20.334 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
14:49:20.334 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
14:49:20.334 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Attempting to extract credential from an X509Data
14:49:20.512 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Found 1 X509Certificates
14:49:20.512 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Found 0 X509CRLs
14:49:20.512 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
14:49:20.513 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
14:49:20.513 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
14:49:20.513 [main] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
14:49:20.514 [main] DEBUG o.s.s.s.t.MetadataCredentialResolver - Added 1 credentials resolved from metadata of entity https://localhost:8443/idp/shibboleth
14:49:20.514 [main] DEBUG o.o.s.MetadataCredentialResolver - Added new credential collection to cache with key: [https://localhost:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
14:49:20.514 [main] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
14:49:20.514 [main] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
14:49:20.515 [main] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
14:49:20.515 [main] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
14:49:20.515 [main] DEBUG o.o.x.s.i.BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials
14:49:20.515 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
14:49:20.515 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
14:49:20.515 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
14:49:20.515 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
14:49:20.515 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
14:49:20.515 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Attempting to extract credential from an X509Data
14:49:20.517 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Found 1 X509Certificates
14:49:20.517 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Found 0 X509CRLs
14:49:20.517 [main] DEBUG o.o.x.s.k.p.InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
14:49:20.518 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
14:49:20.518 [main] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
14:49:20.518 [main] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
14:49:20.519 [main] DEBUG o.o.xml.signature.SignatureValidator - Attempting to validate signature using key from supplied credential
14:49:20.519 [main] DEBUG o.o.xml.signature.SignatureValidator - Creating XMLSignature object
14:49:20.519 [main] DEBUG o.o.xml.signature.SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
14:49:20.520 [main] DEBUG o.o.xml.signature.SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
14:49:20.522 [main] DEBUG o.o.xml.signature.SignatureValidator - Signature validated with key from supplied credential
14:49:20.522 [main] DEBUG o.o.x.s.i.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
14:49:20.522 [main] DEBUG o.o.x.s.i.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
14:49:20.522 [main] DEBUG o.o.x.s.i.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
14:49:20.522 [main] DEBUG o.o.x.s.i.BaseSignatureTrustEngine - Failed to establish trust of KeyInfo-derived credential
14:49:20.522 [main] DEBUG o.o.x.s.i.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
14:49:20.522 [main] DEBUG o.o.x.s.i.ExplicitKeySignatureTrustEngine - Attempting to verify signature using trusted credentials
14:49:20.522 [main] DEBUG o.o.x.s.i.ExplicitKeySignatureTrustEngine - Failed to verify signature using either KeyInfo-derived or directly trusted credentials
14:49:20.526 [main] DEBUG o.s.s.s.SAMLAuthenticationProvider - Error validating signature
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
	at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:115) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) [spring-security-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:93) [classes/:na]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.authenticate(demoSpringAuthenticationManager.java:55) [classes/:na]
	at demo.core.facade.authentication.AuthenticationServicesImpl.doAuthenticate(AuthenticationServicesImpl.java:263) [classes/:na]
	at demo.core.facade.authentication.AuthenticationServicesImpl.authenticate(AuthenticationServicesImpl.java:94) [classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_03]
	at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_03]
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) [spring-aop-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:201) [spring-aop-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at $Proxy13.authenticate(Unknown Source) [na:na]
	at demo.automation.component.plugins.saml.SamlPluginAuthenticationTest.testBasicAuthenticationWithOpenSamlGenerateDefaultAssertion(SamlPluginAuthenticationTest.java:305) [test-classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_03]
	at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_03]
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47) [junit-4.11.jar:na]
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) [junit-4.11.jar:na]
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44) [junit-4.11.jar:na]
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) [junit-4.11.jar:na]
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271) [junit-4.11.jar:na]
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70) [junit-4.11.jar:na]
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309) [junit-4.11.jar:na]
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192) [.cp/:na]
14:49:20.527 [main] DEBUG c.a.x.c.s.a.s.logging.demoSAMLLogger - AuthNResponse;FAILURE;Signature is not trusted or invalid
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
	at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:115) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) [spring-security-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:93) [classes/:na]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.authenticate(demoSpringAuthenticationManager.java:55) [classes/:na]
	at demo.core.facade.authentication.AuthenticationServicesImpl.doAuthenticate(AuthenticationServicesImpl.java:263) [classes/:na]
	at demo.core.facade.authentication.AuthenticationServicesImpl.authenticate(AuthenticationServicesImpl.java:94) [classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_03]
	at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_03]
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) [spring-aop-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:201) [spring-aop-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at $Proxy13.authenticate(Unknown Source) [na:na]
	at demo.automation.component.plugins.saml.SamlPluginAuthenticationTest.testBasicAuthenticationWithOpenSamlGenerateDefaultAssertion(SamlPluginAuthenticationTest.java:305) [test-classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_03]
	at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_03]
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47) [junit-4.11.jar:na]
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) [junit-4.11.jar:na]
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44) [junit-4.11.jar:na]
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) [junit-4.11.jar:na]
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271) [junit-4.11.jar:na]
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70) [junit-4.11.jar:na]
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309) [junit-4.11.jar:na]
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192) [.cp/:na]
14:49:20.528 [main] DEBUG c.a.x.c.s.a.demoSpringAuthenticationManager - Spring authentication manager has failed to proccess the request
14:49:20.530 [main] ERROR c.a.x.c.s.a.t.AuthenticationExceptionsFilter - <demo_DEFAULT> <demo_DEFAULT_MESSSAGE_ID> Authentication request could not be processed due to system problem, authentication repository may be unavailable.
demo.core.authentication.exceptions.demoAuthenticationServiceException: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message signature
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.7.0_03]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:525) ~[na:1.7.0_03]
	at demo.core.spring.authentication.transformers.AuthenticationExceptionVisitor.visit(AuthenticationExceptionVisitor.java:35) ~[classes/:na]
	at demo.core.spring.authentication.transformers.AuthenticationExceptionVisitor.visit(AuthenticationExceptionVisitor.java:1) ~[classes/:na]
	at demo.common.template.visitor.DynamicVisitor.visit(DynamicVisitor.java:54) ~[classes/:na]
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsTransformer.transform(AuthenticationExceptionsTransformer.java:25) ~[classes/:na]
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsTransformer.transform(AuthenticationExceptionsTransformer.java:1) ~[classes/:na]
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsFilter.transform(AuthenticationExceptionsFilter.java:45) [classes/:na]
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsFilter.transform(AuthenticationExceptionsFilter.java:1) [classes/:na]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.handleAuthenticationException(demoSpringAuthenticationManager.java:144) [classes/:na]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:96) [classes/:na]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.authenticate(demoSpringAuthenticationManager.java:55) [classes/:na]
	at demo.core.facade.authentication.AuthenticationServicesImpl.doAuthenticate(AuthenticationServicesImpl.java:263) [classes/:na]
	at demo.core.facade.authentication.AuthenticationServicesImpl.authenticate(AuthenticationServicesImpl.java:94) [classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_03]
	at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_03]
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) [spring-aop-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:201) [spring-aop-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at $Proxy13.authenticate(Unknown Source) [na:na]
	at demo.automation.component.plugins.saml.SamlPluginAuthenticationTest.testBasicAuthenticationWithOpenSamlGenerateDefaultAssertion(SamlPluginAuthenticationTest.java:305) [test-classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_03]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_03]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_03]
	at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_03]
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47) [junit-4.11.jar:na]
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) [junit-4.11.jar:na]
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44) [junit-4.11.jar:na]
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) [junit-4.11.jar:na]
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271) [junit-4.11.jar:na]
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70) [junit-4.11.jar:na]
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229) [junit-4.11.jar:na]
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309) [junit-4.11.jar:na]
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382) [.cp/:na]
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192) [.cp/:na]
Caused by: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message signature
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:96) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) ~[spring-security-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:93) [classes/:na]
	... 35 common frames omitted
Caused by: org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
	at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:115) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81) ~[spring-security-saml2-core-1.0.0.RC2.jar:1.0.0.RC2]
	... 37 common frames omitted
14:49:20.532 [main] DEBUG c.a.x.c.s.a.TokenProviderManagerImpl - AuthenticationServicesImpl attempt to authenticate user [] has failed - demo.core.authentication.exceptions.demoAuthenticationServiceException: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message signature
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionVisitor.visit(AuthenticationExceptionVisitor.java:35)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionVisitor.visit(AuthenticationExceptionVisitor.java:1)
	at demo.common.template.visitor.DynamicVisitor.visit(DynamicVisitor.java:54)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsTransformer.transform(AuthenticationExceptionsTransformer.java:25)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsTransformer.transform(AuthenticationExceptionsTransformer.java:1)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsFilter.transform(AuthenticationExceptionsFilter.java:45)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsFilter.transform(AuthenticationExceptionsFilter.java:1)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.handleAuthenticationException(demoSpringAuthenticationManager.java:144)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:96)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.authenticate(demoSpringAuthenticationManager.java:55)
	at demo.core.facade.authentication.AuthenticationServicesImpl.doAuthenticate(AuthenticationServicesImpl.java:263)
	at demo.core.facade.authentication.AuthenticationServicesImpl.authenticate(AuthenticationServicesImpl.java:94)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:201)
	at $Proxy13.authenticate(Unknown Source)
	at demo.automation.component.plugins.saml.SamlPluginAuthenticationTest.testBasicAuthenticationWithOpenSamlGenerateDefaultAssertion(SamlPluginAuthenticationTest.java:305)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message signature
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:96)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:93)
	... 35 more
Caused by: org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
	at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:115)
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
	... 37 more
14:49:20.541 [main] DEBUG c.a.x.c.a.e.r.AuthenticationEventReporterImpl - The audit provider dos not exists in configuration
demo.core.authentication.exceptions.demoAuthenticationServiceException: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message signature
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionVisitor.visit(AuthenticationExceptionVisitor.java:35)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionVisitor.visit(AuthenticationExceptionVisitor.java:1)
	at demo.common.template.visitor.DynamicVisitor.visit(DynamicVisitor.java:54)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsTransformer.transform(AuthenticationExceptionsTransformer.java:25)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsTransformer.transform(AuthenticationExceptionsTransformer.java:1)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsFilter.transform(AuthenticationExceptionsFilter.java:45)
	at demo.core.spring.authentication.transformers.AuthenticationExceptionsFilter.transform(AuthenticationExceptionsFilter.java:1)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.handleAuthenticationException(demoSpringAuthenticationManager.java:144)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:96)
	at demo.core.spring.authentication.demoSpringAuthenticationManager.authenticate(demoSpringAuthenticationManager.java:55)
	at demo.core.facade.authentication.AuthenticationServicesImpl.doAuthenticate(AuthenticationServicesImpl.java:263)
	at demo.core.facade.authentication.AuthenticationServicesImpl.authenticate(AuthenticationServicesImpl.java:94)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:201)
	at $Proxy13.authenticate(Unknown Source)
	at demo.automation.component.plugins.saml.SamlPluginAuthenticationTest.testBasicAuthenticationWithOpenSamlGenerateDefaultAssertion(SamlPluginAuthenticationTest.java:305)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
	at
org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229) at org.junit.runners.ParentRunner.run(ParentRunner.java:309) at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50) at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38) at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459) at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675) at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382) at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192) Caused by: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message signature at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:96) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at demo.core.spring.authentication.demoSpringAuthenticationManager.doAuthenticate(demoSpringAuthenticationManager.java:93) ... 35 more Caused by: org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:115) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81) ... 37 more thanks. please tell me if you need something else moshiko. 
On Tue, Feb 3, 2015 at 1:22 PM, Sergey Beryozkin (JIRA) <j...@apache.org>

> CXF 3.0.3 rt-security has problems working with latest open saml version (2.6.1)
> --------------------------------------------------------------------------------
>
>                 Key: CXF-6237
>                 URL: https://issues.apache.org/jira/browse/CXF-6237
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security, WS-* Components
>    Affects Versions: 3.0.3
>            Reporter: moshiko kasirer
>            Assignee: Colm O hEigeartaigh
>
> Hi,
> CXF-rt-ws-security 3.0.3 is working with wss4j of version:
> <cxf.wss4j.version>2.0.2</cxf.wss4j.version>
> an xmlsec version of:
> <cxf.xmlsec.bundle.version>2.0.2</cxf.xmlsec.bundle.version>
> and open SAML of version:
> <cxf.opensaml.version>2.6.1</cxf.opensaml.version>
> That is problematic, as on the one hand CXF 3.0.3 is dependent on XMLSEC version 2.*+
> and throws multiple "no method exist" exceptions when working with 1.5.5* XMLSEC versions,
> and on the other hand the latest open SAML, which is the CXF open saml version (2.6.1),
> fails on validating the SAML token when working with XMLSEC version 2.*.
> So actually when working with both CXF 3 and OPEN SAML 2.6.1 this will happen:
> when working with xmlsec 1.5.*, OPEN SAML works, CXF fails;
> when working with xmlsec 2.0.*, CXF works, OPEN SAML fails...
> You can see under open saml 2.6.1 that it holds xmlsec version 1.5.6, which is
> overridden by CXF and wss4j (2.0.2).
> Can you please help me figure out a way to overcome this issue?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
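Since opensaml 2.6.1 pulls in xmlsec 1.5.6 while CXF and wss4j 2.0.2 pull in xmlsec 2.0.2, the first thing to pin down when a signature check flips between "trusted" and "not trusted" is which xmlsec JAR the test JVM actually loaded, and whether a second copy is shadowed on the classpath. The following is an added diagnostic written for this thread, not code from CXF, OpenSAML or the reporter's project; the probe class names are real, the checker around them is my own.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic (not CXF, OpenSAML or the reporter's code): lists every classpath
 * location that carries a probe class and the manifest version of the copy that loads,
 * so a passing or failing SAML test can be tied to the xmlsec build it really ran on.
 */
public class XmlsecClasspathCheck {

    /** Real class names, one per artifact in conflict on this issue. */
    static final String[] PROBE_CLASSES = {
        "org.apache.xml.security.Init",                    // xmlsec (Santuario) 1.5.x or 2.0.x
        "org.opensaml.xml.validation.ValidationException", // xmltooling, pulled in by opensaml
        "org.opensaml.DefaultBootstrap"                    // opensaml 2.x
    };

    /** Every classpath location holding the class; more than one means a shadowed copy. */
    static List<URL> copiesOf(String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return Collections.list(cl.getResources(resource));
    }

    /** Implementation-Version of the copy the JVM loads, or null if the manifest lacks it. */
    static String loadedVersion(String className) throws ClassNotFoundException {
        Package p = Class.forName(className).getPackage();
        return (p == null) ? null : p.getImplementationVersion();
    }

    public static void main(String[] args) throws Exception {
        for (String name : PROBE_CLASSES) {
            List<URL> copies = copiesOf(name);
            if (copies.isEmpty()) {
                System.out.println(name + ": not on the classpath");
                continue;
            }
            System.out.println(name + ": loaded version = " + loadedVersion(name));
            for (URL u : copies) {
                System.out.println("    " + u);
            }
            if (copies.size() > 1) {
                // The class loader takes the first match; the later JAR is silently ignored.
                System.out.println("    WARNING: " + copies.size()
                    + " copies on the classpath; the first one wins");
            }
        }
    }
}
```

Run it once with the xmlsec 1.5.6 classpath and once with the 2.0.2 classpath before comparing the two test results; if both runs report the same loaded version, the version override is not taking effect and the comparison is not measuring what was intended.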