Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/11/30 07:32:00 UTC

[jira] [Closed] (FEDIZ-251) Support SAML token signature without KeyInfo

     [ https://issues.apache.org/jira/browse/FEDIZ-251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed FEDIZ-251.
-------------------------------------

> Support SAML token signature without KeyInfo
> --------------------------------------------
>
>                 Key: FEDIZ-251
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-251
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: Plugin
>    Affects Versions: 1.5.0
>            Reporter: Arnaud MERGEY
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 1.5.1
>
>
> During a SAML authentication flow, Fediz is throwing NPE when
>  signature is missing KeyInfo, which is supposed to be optional (if I
>  understand saml spec correctly).
>
>  While processing this kind of signature
>
> {code:java}
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>     <ds:Reference URI="#dG09eAtYsmf1tfNVvs37uZdJd-u">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
>       <ds:DigestValue>XI9dqpDtmdtCEnRBFxuoWoii1Mh5kFPIsTP/qkSCfB0=</ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue>
>     QOwv36AiO9PKu4dTalBF9JoauSj6Sdc7/sirWuJLlUGNJGR29ZvnaH2vGwvYxCKR6DGhMGTh+ePB
>     gt2qRkxaetjAQEnO71PXg24CVsCTZoNzLpsXRXRjw8K4/Jo8Lsv19gqkiD4hPRVyc/K70Op9e2pM
>     kHF44yX/hwOgjn3A7B/c5cpcLsFyGgGBBkWKvTYV1kg4UY6C/O1ngR45h0QSiAc6bc4R26W4fbjl
>     Q6JCo6sOGViVwbBsTmVSAtbEeEPdiWeXVc1raKA/Nfi6aKQmKhhkH4tkgR/4UwRoxnvcf47hKBx0
>     05g2is0osHh1PLrioChhxdV22Mnfv9aPGb6acQ==
>   </ds:SignatureValue>
> </ds:Signature>
> {code}
>
>  The NPE is
> {code:java}
> org.apache.cxf.fediz.core.processor.SAMLProcessorImpl.processSignInRequest Failed to validate token
> java.lang.NullPointerException
>         at org.apache.cxf.fediz.core.saml.SAMLTokenValidator.validateAndProcessToken(SAMLTokenValidator.java:107)
>         at org.apache.cxf.fediz.core.processor.SAMLProcessorImpl.processSignInRequest(SAMLProcessorImpl.java:203)
>         at org.apache.cxf.fediz.core.processor.SAMLProcessorImpl.processRequest(SAMLProcessorImpl.java:114)
>         at org.apache.cxf.fediz.core.handler.SigninHandler.processSigninRequest(SigninHandler.java:124)
>         at org.apache.cxf.fediz.core.handler.SigninHandler.handleRequest(SigninHandler.java:76)
>         at com.semarchy.tool.jee.tomcat.FederationAuthenticator.authenticate(FederationAuthenticator.java:140)
>         at org.apache.cxf.fediz.tomcat8.FederationAuthenticator.doAuthenticate(FederationAuthenticator.java:231)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:633)
>         at org.apache.cxf.fediz.tomcat8.FederationAuthenticator.invoke(FederationAuthenticator.java:184)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
>         at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> {code}
>  A fix proposal for this: [https://github.com/apache/cxf-fediz/pull/60]
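The issue above is about a verifier that dereferences ds:KeyInfo without first checking that it is present. The following is an added example, not Fediz code and not the fix in the linked pull request; it uses only the JDK's javax.xml.crypto.dsig API to show the defender-side pattern: a KeySelector that never reads the key out of KeyInfo at all, but always supplies the public key the relying party has configured for its IdP. That makes a missing KeyInfo a non-event instead of an NPE, and it also means a KeyInfo that carries a key the sender chose cannot pick its own verification key. The element name `Assertion`, the namespace `urn:example:assertion`, the ID `_constructed-id-1` and the generated RSA key pairs are all constructed for the demo.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class OptionalKeyInfoDemo {

    /** Key selector for the verifier: the key comes from the configured trust
     *  anchor, never from the (optional, sender-controlled) ds:KeyInfo. */
    static final class TrustedKeySelector extends KeySelector {
        private final PublicKey trusted;
        TrustedKeySelector(PublicKey trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext ctx) {
            // keyInfo is allowed to be null here (ds:KeyInfo is optional in XML-DSig);
            // it is deliberately not dereferenced, so there is nothing to NPE on.
            return () -> trusted;
        }
    }

    /** Builds a constructed, enveloped-signed element (same algorithms as the
     *  signature quoted in the issue), with or without a ds:KeyInfo. */
    static Document signedAssertion(KeyPair kp, boolean includeKeyInfo) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElementNS("urn:example:assertion", "Assertion");
        root.setAttribute("ID", "_constructed-id-1");   // constructed sample ID
        root.setIdAttribute("ID", true);                 // so "#_constructed-id-1" resolves
        root.setTextContent("constructed sample assertion body");
        doc.appendChild(root);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_constructed-id-1",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));

        KeyInfo ki = null;   // null KeyInfo = signature without ds:KeyInfo
        if (includeKeyInfo) {
            KeyInfoFactory kif = fac.getKeyInfoFactory();
            ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        }
        XMLSignature sig = fac.newXMLSignature(si, ki);
        sig.sign(new DOMSignContext(kp.getPrivate(), root));
        return doc;
    }

    /** Verifier: exactly one ds:Signature, validated against the trusted key only. */
    static boolean validate(Document doc, PublicKey trusted) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            return false;   // none or several signatures: reject rather than guess
        }
        DOMValidateContext ctx = new DOMValidateContext(new TrustedKeySelector(trusted), nl.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        return sig.validate(ctx);   // false on mismatch, no exception
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();     // the key the relying party trusts
        KeyPair other = kpg.generateKeyPair();   // some other key, advertised via KeyInfo

        System.out.println("KeyInfo present, signed by trusted key: "
            + validate(signedAssertion(idp, true), idp.getPublic()));
        System.out.println("KeyInfo absent,  signed by trusted key: "
            + validate(signedAssertion(idp, false), idp.getPublic()));
        System.out.println("KeyInfo present, signed by other key:   "
            + validate(signedAssertion(other, true), idp.getPublic()));
    }
}
```

Run it with Java 11 or later (`SignatureMethod.RSA_SHA256` was added in 11). The first two cases validate and the third fails, because the selector ignores the key carried in KeyInfo and checks the signature against the configured IdP key in every case. Whether KeyInfo is present therefore changes nothing in the trust decision, which is the property a SAML relying party wants: the token's own KeyInfo is at most a hint for choosing among several configured keys, never the source of the key itself.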



--
This message was sent by Atlassian Jira
(v8.3.4#803005)