Posted to users@cxf.apache.org by jsmith828 <je...@putnam.com> on 2015/07/24 22:04:38 UTC

Getting a server error trying to read SAML assertion

Hi,

I have a CXF JAX-RS application running on Tomcat and I am trying to implement
SAML security.  The payload for the service is JSON so I thought it might be
best if I use the Authorization header to send a signed SAML assertion to
the server.  On the client I used the SamlHeaderOutInterceptor with a custom
SamlCallbackHandler to actually create and sign the assertion.  When I
execute a request to my service through my client using Membrane I can see
that the header is present:

Authorization: SAML PHNhbWwyOkFzc2VydGlvbiBJRD0...

I turned off deflation so I could even paste it into Notepad++ and base64
decode it to see the contents.  Everything looks fine.  However when the
request reaches the server I get a very obscure error from the
SamlHeaderInHandler or more specifically the AbstractSamlInHandler.  Here is
the error:

24-Jul-2015 15:27:42.429 WARNING [http-nio-8080-exec-8] org.apache.cxf.rs.security.saml.AbstractSamlInHandler.throwFault Assertion can not be read as XML document
24-Jul-2015 15:27:42.430 WARNING [http-nio-8080-exec-8] org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper.toResponse javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
        at org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
        at org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:130)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.throwFault(AbstractSamlInHandler.java:264)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.readToken(AbstractSamlInHandler.java:107)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:96)
        at org.apache.cxf.rs.security.saml.AbstractSamlBase64InHandler.handleToken(AbstractSamlBase64InHandler.java:53)
        at org.apache.cxf.rs.security.saml.SamlHeaderInHandler.filter(SamlHeaderInHandler.java:52)

Again the assertion looks perfectly fine and the XML well-formed.  I was
hoping someone might have encountered this problem before and have a
solution.  Thanks in advance.




--
View this message in context: http://cxf.547215.n5.nabble.com/Getting-a-server-error-trying-to-read-SAML-assertion-tp5759446.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Getting a server error trying to read SAML assertion

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 25/07/15 16:34, jsmith828 wrote:
> Thanks Sergey!  Yes I ran the test through the NB debugger breaking on the
> throwFault method and was able to see that the original exception was
> "Cannot create a secure XMLInputFactory".  I tried a few things with my POM
> after reading this article
> (http://stackoverflow.com/questions/20114945/cxf-web-service-client-cannot-create-a-secure-xmlinputfactory)
> to see if I could get rid of it but I didn't have any luck.  I am using CXF
> 3.1.0 and I overrode my woodstox-core-asl to use 4.2.0 but that didn't work
> either.  Again I am using Tomcat and I did not see any specific instructions
> for getting rid of this issue on Tomcat.  To get around it I set:
>
> -Dorg.apache.cxf.stax.allowInsecureParser=1
>
> which I understand is not a safe solution.  Any help here is most
> appreciated!
>
I think in your case it should be fine, you have HTTPS, the actual
payload is JSON, and the assertion creation is under your control.
Though I'm not sure why woodstox can be recognized in Tomcat - I did run
a few demos in Tomcat recently (I think...). What do you mean "my version
of woodstox...", it should usually be in your CXF-based war?

Cheers, Sergey

> Thanks
> -Jeff


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

RE: Getting a server error trying to read SAML assertion

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

It sounds like an old version of woodstox is picked up.
Could you try version 4.4.1, bound to CXF 3.1.0?
Please double check your Tomcat lib folder and JRE endorsed folders for old woodstox jars.

Regards,
Andrei. 

> -----Original Message-----
> From: jsmith828 [mailto:jeffrey_smith@putnam.com]
> Sent: Saturday, 25 July 2015 15:34
> To: users@cxf.apache.org
> Subject: Re: Getting a server error trying to read SAML assertion
> 
> Thanks Sergey!  Yes I ran the test through the NB debugger breaking on the
> throwFault method and was able to see that the original exception was "Cannot
> create a secure XMLInputFactory".  I tried a few things with my POM after
> reading this article
> (http://stackoverflow.com/questions/20114945/cxf-web-service-client-cannot-create-a-secure-xmlinputfactory)
> to see if I could get rid of it but I didn't have any luck.  I am using CXF
> 3.1.0 and I overrode my woodstox-core-asl to use 4.2.0 but that didn't work
> either.  Again I am using Tomcat and I did not see any specific instructions for
> getting rid of this issue on Tomcat.  To get around it I set:
> 
> -Dorg.apache.cxf.stax.allowInsecureParser=1
> 
> which I understand is not a safe solution.  Any help here is most appreciated!
> 
> Thanks
> -Jeff
> 
> 
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Getting-a-server-error-trying-to-read-SAML-assertion-tp5759446p5759450.html
> Sent from the cxf-user mailing list archive at Nabble.com.
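
The check suggested in the reply above (looking for old Woodstox jars in the Tomcat lib and JRE endorsed folders), as an added example that is not part of the original thread. The function names, the jar file-name patterns and the directories in the usage comment are assumptions of this sketch; the expected version defaults to the 4.4.1 named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): find Woodstox jars under the given
# directories and flag copies older than the expected version.
# Scans files on disk only (exploded webapps, not jars packed inside a .war).
# Needs a sort(1) that supports -V (GNU coreutils, BusyBox).

# Print "<version> <path>" per jar. Covers the wstx-asl-* (3.x),
# woodstox-core-asl-* (4.x) and woodstox-core-* (5.x and later) file names.
list_woodstox_jars() {
    find "$@" -type f \( -name 'wstx-asl-*.jar' -o -name 'woodstox-core-*.jar' \) 2>/dev/null |
    while IFS= read -r jar; do
        ver=${jar##*/}; ver=${ver%.jar}
        ver=${ver#wstx-asl-}; ver=${ver#woodstox-core-asl-}; ver=${ver#woodstox-core-}
        printf '%s %s\n' "$ver" "$jar"
    done | sort
}

# True when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_woodstox EXPECTED DIR...
# Returns 0 only when exactly one jar is found and it is not older than EXPECTED.
audit_woodstox() {
    expected=$1; shift
    status=0; count=0
    jars=$(list_woodstox_jars "$@")
    while read -r ver jar; do
        [ -n "$ver" ] || continue          # empty listing yields one blank line
        count=$((count + 1))
        if version_lt "$ver" "$expected"; then
            echo "OLD  $ver  $jar"; status=1
        else
            echo "OK   $ver  $jar"
        fi
    done <<EOF
$jars
EOF
    [ "$count" -eq 1 ] || { echo "found $count Woodstox jars, expected exactly 1"; status=1; }
    return "$status"
}

# Usage (paths are assumptions, adjust to the installation):
#   sh audit.sh "$CATALINA_HOME/lib" "$CATALINA_HOME/webapps" "$JAVA_HOME/lib/endorsed"
if [ "$#" -gt 0 ]; then
    audit_woodstox "${EXPECTED:-4.4.1}" "$@"
fi
```

More than one copy is reported as a failure because classloader order then decides which jar the StAX factory lookup actually uses.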

Re: Getting a server error trying to read SAML assertion

Posted by jsmith828 <je...@putnam.com>.
Thanks Sergey!  Yes I ran the test through the NB debugger breaking on the
throwFault method and was able to see that the original exception was 
"Cannot create a secure XMLInputFactory".  I tried a few things with my POM
after reading this article
(http://stackoverflow.com/questions/20114945/cxf-web-service-client-cannot-create-a-secure-xmlinputfactory)
to see if I could get rid of it but I didn't have any luck.  I am using CXF
3.1.0 and I overrode my woodstox-core-asl to use 4.2.0 but that didn't work
either.  Again I am using Tomcat and I did not see any specific instructions
for getting rid of this issue on Tomcat.  To get around it I set:

-Dorg.apache.cxf.stax.allowInsecureParser=1

which I understand is not a safe solution.  Any help here is most
appreciated!

Thanks
-Jeff


Re: Getting a server error trying to read SAML assertion

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

I checked the code, the original exception is lost - I'll update the 
code reporting it, but it is originating from a STAX reader.

You mentioned the deflation - do you see this issue even when the
deflation is disabled on both ends?

Cheers, Sergey
On 24/07/15 23:04, jsmith828 wrote:
> Hi,
>
> I have a CXF JAX-RS application running on Tomcat and I am trying to implement
> SAML security.  The payload for the service is JSON so I thought it might be
> best if I use the Authorization header to send a signed SAML assertion to
> the server.  On the client I used the SamlHeaderOutInterceptor with a custom
> SamlCallbackHandler to actually create and sign the assertion.  When I
> execute a request to my service through my client using Membrane I can see
> that the header is present:
>
> Authorization: SAML PHNhbWwyOkFzc2VydGlvbiBJRD0...
>
> I turned off deflation so I could even paste it into Notepad++ and base64
> decode it to see the contents.  Everything looks fine.  However when the
> request reaches the server I get a very obscure error from the
> SamlHeaderInHandler or more specifically the AbstractSamlInHandler.  Here is
> the error:
>
> 24-Jul-2015 15:27:42.429 WARNING [http-nio-8080-exec-8] org.apache.cxf.rs.security.saml.AbstractSamlInHandler.throwFault Assertion can not be read as XML document
> 24-Jul-2015 15:27:42.430 WARNING [http-nio-8080-exec-8] org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper.toResponse javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
>          at org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
>          at org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:130)
>          at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.throwFault(AbstractSamlInHandler.java:264)
>          at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.readToken(AbstractSamlInHandler.java:107)
>          at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:96)
>          at org.apache.cxf.rs.security.saml.AbstractSamlBase64InHandler.handleToken(AbstractSamlBase64InHandler.java:53)
>          at org.apache.cxf.rs.security.saml.SamlHeaderInHandler.filter(SamlHeaderInHandler.java:52)
>
> Again the assertion looks perfectly fine and the XML well-formed.  I was
> hoping someone might have encountered this problem before and have a
> solution.  Thanks in advance.


-- 
Sergey Beryozkin