
SAML2 RACS for signed responses

Hi,

I am trying to implement a SAML Request Assertion Consumer Service
(RACS) with Apache CXF 2.7.7.
Unfortunately the response of my Identity Provider does not include a
KeyInfo element (which the SAML specification defines as optional). This leads
to an exception when processing the response, because CXF tries to load
a DOM for the KeyInfo.

java.lang.NullPointerException
at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)

I have a valid keystore.properties file as well as the certificate on my
RACS site, but this does not change the behaviour. Is this a bug in CXF,
or did I miss something in the setup of my RACS?

This is my current configuration:

<!-- CXF RequestAssertionConsumerService (RACS) wired as a Spring bean; the
     SAML Response quoted below is what this endpoint receives. -->
<bean id="consumerService"
class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
<!-- state provider bean defined elsewhere in the context (ref="stateManager") -->
<property name="stateProvider" ref="stateManager" />
<!-- NOTE(review): "false" presumably lets an Assertion that carries no
     ds:Signature through unverified; the Response below does carry a signed
     Assertion, so this could likely stay at its default once the KeyInfo
     problem is solved - confirm against the CXF SSO documentation. -->
<property name="enforceAssertionsSigned" value="false"/>
<!-- keystore used to look up the IdP signing certificate; since the
     signature below has no ds:KeyInfo, this is presumably the only place
     the verifier can obtain that certificate - confirm. -->
<property name="signaturePropertiesFile"
value="serviceKeystore.properties"/>
<property name="supportBase64Encoding" value="true" />
</bean>

And the response from my IDP is:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
IssueInstant="2013-11-26T09:46:48.020Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
IssueInstant="2013-11-26T09:46:48.008Z"
Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
<!-- NOTE(review): enveloped signature over the Assertion (the Reference URI
     is the Assertion ID) with no ds:KeyInfo child, so the message gives the
     verifier no key hint; the IdP certificate has to come from the consumer's
     own trust store - presumably the keystore named in signaturePropertiesFile. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<!-- rsa-sha1 signature with a sha1 digest (below); SHA-1 is considered weak
     for signatures, so it is worth asking the IdP for a SHA-256 variant once
     verification works. -->
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTrzVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
</ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
<!-- bearer confirmation: Recipient matches the Response Destination and
     InResponseTo matches the Response's InResponseTo; NotOnOrAfter is 90 s
     after IssueInstant, so IdP/RACS clock skew matters if these are checked. -->
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Address="127.0.0.1"
InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
NotOnOrAfter="2013-11-26T09:48:18.007Z"
Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">guest</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Doe</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">j.doe [ at ] example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">j.doe [ at ] example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:displayName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">John</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">John Doe</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>

Thanks for your help.
