Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-9892

Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Blocker
    • None
    • 12.0.0.Beta1
    • Security
    • None
    • Hide

      1) Server configuration
      Add following security domains:

      /subsystem=security/security-domain=picketlink-sts:add(cache-type=default)
/subsystem=security/security-domain=picketlink-sts/authentication=classic:add
/subsystem=security/security-domain=picketlink-sts/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")])
/subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external:add(cache-type=default)
/subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic:add
/subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule, flag=required, module=org.picketlink, module-options=[("configFile"=>"${jboss.server.config.dir}/sts-config.properties")])

      Add following security-realm:

      /core-service=management/security-realm=SAMLRealm:add
/core-service=management/security-realm=SAMLRealm/authentication=jaas:add(name=simple-SAML2STSLoginModule-config-external)

      Use that realm for remoting:

      /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=SAMLRealm)

      2) Copy attachted sts-config.properties to WILDFLY_HOME/standalone/configuration

      3) PicketLinkSTS deployment + EJB deployment
      Deploy both attached deployment picketlink-sts.war and ejb-test.jar

      4) Prepare client application
      Unzip attached project ejb-security-picketlink.zip and build it with mvn clean package.

      5) Execute client application
      Run mvn exec:exec - expcetion is thrown

      6) Optional - use org.apache.santuario.xmlsec from WildFly 11
      Put module WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar to WildFly 12 (and change it in module.xml), restart server and execute client application again - it will work correctly

      Show
      1) Server configuration Add following security domains: /subsystem=security/security-domain=picketlink-sts:add(cache-type= default ) /subsystem=security/security-domain=picketlink-sts/authentication=classic:add /subsystem=security/security-domain=picketlink-sts/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[( "usersProperties" => "users.properties" ), ( "rolesProperties" => "roles.properties" )]) /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external:add(cache-type= default ) /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic:add /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule, flag=required, module=org.picketlink, module-options=[( "configFile" => "${jboss.server.config.dir}/sts-config.properties" )]) Add following security-realm: /core-service=management/security-realm=SAMLRealm:add /core-service=management/security-realm=SAMLRealm/authentication=jaas:add(name=simple-SAML2STSLoginModule-config-external) Use that realm for remoting: /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=SAMLRealm) 2) Copy attachted sts-config.properties to WILDFLY_HOME/standalone/configuration 3) PicketLinkSTS deployment + EJB deployment Deploy both attached deployment picketlink-sts.war and ejb-test.jar 4) Prepare client application Unzip attached project ejb-security-picketlink.zip and build it with mvn clean package . 5) Execute client application Run mvn exec:exec - expcetion is thrown 6) Optional - use org.apache.santuario.xmlsec from WildFly 11 Put module WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar to WildFly 12 (and change it in module.xml), restart server and execute client application again - it will work correctly

    Description

      When token from PicketLink STS is issued and signed then it is not able to be used for authentication through Remoting in WildFly 12 (i.e. it cannot be set as remote.connection.main.password property which can be used in PicketLink org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule). It seems it is caused by upgrade of org.apache.santuario.xmlsec to version 2.1.1. [1]. When WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar is placed to WildFly 12 modules then it works correctly.

      We report it as a blocker since it is regression - application which works correctly on WildFly 11 stops to work on WildFly 12 - users are not able to authenticate through Remoting with signed tokens from PicketLink STS correctly.

      Remoting fails due to following exception:

      java.lang.IllegalArgumentException: ELY05131: Invalid ASCII control "0xA"
        at org.wildfly.security.sasl.util.StringPrep.forbidAsciiControl(StringPrep.java:117)
        at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:295)
        at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:196)
        at org.wildfly.security.sasl.plain.PlainSaslClient.evaluateChallenge(PlainSaslClient.java:95)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
        at org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:460)
        at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
        at java.lang.Thread.run(Thread.java:748)

      It is caused by different formating value of SignatureValue in assertion. In WildFly 11 SignatureValue looks like:

      <dsig:SignatureValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">nFVkKrXTyYEQ9cwc9OOgySYebEtwzw4alVYP0viXzvqZAUAKtAXEBAfDB8xIOms78twlDdq79MiSvk8OrOdf126Kw/IR8JRn1fYyZ5tsIRcNoTXMgGaTqhrn/HKlLqqqHhVHrJURunqkSzTTxylA2AEPhEDD5Y7hS0W2ZZCeSvuri+PRDSTrRnuedz0yQuHQu1mZ0gjoEFbHh4Wkkn5Ac1R4gmewmmzPud+ZE6Ux4YpeHzQ8rAvZ4bDk6j+eQIRsSxFTLo5RSA3FWN8+lUNV/CSRqBPXsK7QxOaTdBgF+4NXWeExrNJ9SeVFcf9yelvReAtR2JNZ6DUY8u45KtXmLw==</dsig:SignatureValue>

      In WildFly 12 it looks like (there are end of lines):

      <dsig:SignatureValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">cUNpFJIZlLYrBDZtQSTDrq2K6PbnAHyg2qbx/D5FuB4XMjdQ5oxQjkMejLyelnA7s4GFusoLhahl&#13;
qlTOT8UrOyxrR4yYAmJ/e5s+f4gys926+tbiraT/3/wG8wM/Lvcjvk5Ap69zODuRYpypsWfA4jrI&#13;
7TTBXVPGy8g4KUdnFviUiTuFTc2Ghgxp53AmUuLis/THyP28jE7+28//q8bi/bQrFwHC6tWX67+N&#13;
K1duFCOcQ6IPIKeVrePZz55Ivgl+WWdkF6uYCz5IdMzurhzmeQ3K8DAMIxz/MG67VWJIOnuGNWF7&#13;
nmdye5zd9AFcRsr1XadvZJCbGNfuc89AL5inCg==</dsig:SignatureValue>

      [1] https://github.com/wildfly/wildfly/commit/536de514829f2187abf1126c8916a04b5dd856f4

      Attachments

        1. ejb-security-picketlink.zip
          8 kB
        2. ejb-test.jar
          3 kB
        3. picketlink-sts.war
          9 kB
        4. sts-config.properties
          0.3 kB

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-14811 7.2 - Migration Guide: Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: