
Signature validate Error


Details

    • Bug
    • Resolution: Done
    • Major
    • PLINK_2.7.0.Beta2
    • PLINK_2.5.2.FInal
    • SAML
    • None

    Description

      Validating signatures from ADFS STS is failing. My picketlink.xml has <PicketLinkSP SupportsSignatures="true". I previously had it working when using JBoss6 Community with picketlink 2.1.7.

      The error is:
      11:51:47,759 ERROR [org.apache.catalina.connector] (http-/0.0.0.0:8443-1) JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.LinkageError: loader constraint violation in interface itable initialization: when resolving method "org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Ljavax/xml/crypto/dsig/XMLSignContext;)V" the class loader (instance of org/jboss/modules/ModuleClassLoader) of the current class, org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignature, and the class loader (instance of <bootloader>) for interface javax/xml/crypto/dsig/XMLSignature have different Class objects for the type ture.sign(Ljavax/xml/crypto/dsig/XMLSignContext;)V used in the signature
      at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:186)
      at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:146)
      at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:492) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:308) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:117) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:57) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:66) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:102) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.2.Final.jar:]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:455) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:333) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:261) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Alpha1-redhat-4.jar:7.2.0.Alpha1-redhat-4]
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
      at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

      I'm assuming javax/xml/crypto/dsig/XMLSignContext is coming from org.apache.santuario.xmlsec. I noticed that picketlink is using org.apache.santuario.xmlsec version=1.5.1 and JBoss is using org.apache.santuario.xmlsec version=1.5.3. Would updating the xmlsec version in https://github.com/picketlink/picketlink/blob/master/modules/federation/pom.xml to 1.5.3 resolve this issue?

      ADFS is returning the SAML2 token as a URL arg. If ADFS can be changed to return the token as a POST, would that also resolve the issue?
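A check that can be dropped into the affected deployment (for example called from a servlet) to confirm or refute the assumption above about where the javax.xml.crypto.dsig types are loaded from. This is an added diagnostic, not PicketLink or JBoss code; the type names come from the stack trace, while the class name XmlDsigLoaderCheck and the choice of loaders to compare are my own. It resolves each type through the deployment loader, the thread context loader and the loader of the JSR 105 provider that XMLSignatureFactory.getInstance("DOM") actually selects, and reports whether they all agree on a single Class object, which is exactly the condition the loader constraint violation says is broken.

```java
import java.security.CodeSource;
import javax.xml.crypto.dsig.XMLSignatureFactory;

public class XmlDsigLoaderCheck {
    // Types named in the LinkageError: the JDK interfaces and the Santuario provider class.
    private static final String[] TYPES = {
        "javax.xml.crypto.dsig.XMLSignature",
        "javax.xml.crypto.dsig.XMLSignContext",
        "org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory"
    };

    /** Describes which loader defined a class and which jar (if any) it came from. */
    static String origin(Class<?> c) {
        ClassLoader cl = c.getClassLoader();            // null means the bootloader
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cl == null ? "<bootloader>" : cl.toString())
             + " @ " + (cs == null ? "<jdk>" : cs.getLocation());
    }

    /** True when every given loader resolves the type to the same Class object. */
    static boolean consistent(String type, ClassLoader... loaders) {
        Class<?> first = null;
        for (ClassLoader l : loaders) {
            try {
                Class<?> c = Class.forName(type, false, l);   // resolve only, no static init
                System.out.println(type + " via " + l + " -> " + origin(c));
                if (first == null) first = c;
                else if (first != c) return false;            // two Class objects: LinkageError territory
            } catch (ClassNotFoundException e) {
                System.out.println(type + " not visible via " + l);
            }
        }
        return true;
    }

    public static void main(String[] args) {
        ClassLoader app = XmlDsigLoaderCheck.class.getClassLoader();
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        // The provider JSR 105 really picks; its loader must agree with the
        // bootloader about every javax.xml.crypto.dsig.* type it implements.
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        ClassLoader provider = f.getClass().getClassLoader();
        System.out.println("XMLSignatureFactory impl: " + origin(f.getClass()));
        boolean ok = true;
        for (String t : TYPES) {
            ok &= consistent(t, app, tccl, provider);
        }
        System.out.println(ok ? "OK: one Class per type"
                              : "CONFLICT: more than one copy of xmlsec / javax.xml.crypto visible");
    }
}
```

The jar paths it prints tell you which copy of xmlsec (the one bundled with the deployment or the server module) is actually serving the provider, which is the information needed before changing the pom version or the binding.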

          People

            psilva@redhat.com Pedro Igor Craveiro
            gthieme_jira Geoff Thieme (Inactive)