CAS Delegated Authentication and AttributeReleasePolicies - saml

We were able to integrate CAS 5.2.6 using delegated authentication with Azure AD (SAML IdP).
The integration is working fine when the client webapp is deployed on Tomcat 9.
The same client WAR fails in JBoss EAP or WildFly because of a SAX parsing exception.
This is because JBoss is using xercesImpl for parsing XML, which fails when the XML element name is numeric.
So, a standard solution would be to use AttributeResolver configuration on the CAS server side to ensure that we map the attribute to standard names (vs. numeric names).
Attached herewith are the SAML response and the CAS client response.
<samlp:Response
Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
ID="_6a00b756-53f4-4702-b329-7a6af0145fa0" InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784" IssueInstant="2018-10-04T13:22:05.275Z"
Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
NotOnOrAfter="2018-10-04T13:27:05.275Z"
Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/></SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-10-04T13:17:05.275Z" NotOnOrAfter="2018-10-04T14:17:05.275Z">
<AudienceRestriction>
<Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>xxxxx@AAAA.onmicrosoft.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>Firstname Lastname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z"
SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
CAS Client Response
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
<cas:attributes>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
<cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
<cas:clientName>MY_SAML</cas:clientName>
<cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
<cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
<cas:credentialType>ClientCredential</cas:credentialType>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>myuserID@MYDOMAIN.onmicrosoft.com</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
<cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
<cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
So, we need to map this attribute, 687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65, to a standard attribute name via AttributeResolver.
We have tried the following configuration, but it is not working out:
"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "name" : "username",
    "displayname" : "userdisplayname",
    "someattrname" : "groovy { return attributes['name'] }"
  }
}
So, has anyone been able to map the attribute names via AttributeReleasePolicies?
Any help related to this configuration will be really helpful.

This issue is resolved. We had to give the complete path of the attribute and not just part of the name
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "SOME-NAME",
  "id" : 200,
  "description" : "This configuration is for app",
  "evaluationOrder" : 10000,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://login.microsoftonline.com/522b3803-a001-4675-b3b5-1d727d43585a/saml2",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "userid" : "groovy { return attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'] }",
      "displayname" : "groovy { return attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname'] }"
    }
  }
}
So, post this configuration change, the SAML response is now returning meaningful names:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>Elsbhy4pa-ZLcZ7OWNZ-0vKWjqzV4F7UfVYjRJTCjDY</cas:user>
<cas:attributes>
<cas:credentialType>ClientCredential</cas:credentialType>
<cas:isFromNewLogin>false</cas:isFromNewLogin>
<cas:authenticationDate>2018-10-05T09:20:07.216Z[Etc/UTC]</cas:authenticationDate>
<cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
<cas:clientName>SOME_CLIENT</cas:clientName>
<cas:displayname>FirstName Lastname</cas:displayname>
<cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:userid>myusername@MYDOMAIN.onmicrosoft.com</cas:userid>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
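As an added example (not part of the original question or answer, and not CAS code), here is a small Python script that shows what the "numeric" element names in the CAS client response actually are and why a strict parser refuses them: each name is the hex encoding of the Azure AD claim URI (687474703a2f2f... is "http://..."), and under Namespaces in XML the local part of an element name may not begin with a digit, which is what a namespace-aware parser such as xerces enforces. The script decodes the names, flags the ones a strict parser would reject, and applies a mapping in the shape of ReturnMappedAttributeReleasePolicy (released name to source claim URI) so that only valid, explicitly chosen names are released. The sample response is constructed from the shape of the one posted above; the user and values are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the CAS client response in the post: the attribute
# element names are the hex encoding of the Azure AD claim URIs (values are fake).
SAMPLE_CAS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
<cas:attributes>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>myuserID@MYDOMAIN.onmicrosoft.com</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
<cas:clientName>MY_SAML</cas:clientName>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# ASCII subset of the XML Namespaces NCName production: a local name must start with
# a letter or underscore, never a digit. (Full NCName also admits many non-ASCII
# letters; this check is deliberately narrow and therefore stricter, not looser.)
_NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# One <cas:NAME>value</cas:NAME> pair; the backreference requires a matching close tag.
_ATTR_ELEMENT = re.compile(r"<cas:([^\s>/]+)>(.*?)</cas:\1>", re.DOTALL)


def is_valid_ncname(name: str) -> bool:
    """True if NAME would be accepted as a local name by a strict namespace-aware parser."""
    return bool(_NCNAME_ASCII.match(name))


def decode_attribute_name(name: str) -> str:
    """Turn a hex-encoded element name back into its claim URI; other names pass through.
    Short all-hex words such as 'cafe' fail the ASCII decode and are left untouched."""
    if len(name) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", name):
        try:
            return bytes.fromhex(name).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass
    return name


def _attributes_block(cas_xml: str) -> str:
    start = cas_xml.find("<cas:attributes>")
    end = cas_xml.find("</cas:attributes>")
    return cas_xml[start:end] if start >= 0 and end >= 0 else ""


def extract_attributes(cas_xml: str) -> Dict[str, List[str]]:
    """Scan the <cas:attributes> block textually (a strict XML parser may refuse it) and
    return {decoded-name: [values...]}, keeping multi-valued attributes together."""
    out: Dict[str, List[str]] = {}
    for raw_name, value in _ATTR_ELEMENT.findall(_attributes_block(cas_xml)):
        out.setdefault(decode_attribute_name(raw_name), []).append(value.strip())
    return out


def invalid_element_names(cas_xml: str) -> List[str]:
    """Raw element names in the attributes block that a strict parser (e.g. xerces) rejects."""
    names = [m.group(1) for m in _ATTR_ELEMENT.finditer(_attributes_block(cas_xml))]
    return [n for n in names if not is_valid_ncname(n)]


def apply_release_mapping(attributes: Dict[str, List[str]],
                          mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Mirror of what ReturnMappedAttributeReleasePolicy does for this case: MAPPING is
    {released-name: source claim URI}. Only mapped claims are released, and every
    released name is checked to be a valid NCName before it can reach a client."""
    released: Dict[str, List[str]] = {}
    for new_name, claim in mapping.items():
        if not is_valid_ncname(new_name):
            raise ValueError(f"released attribute name {new_name!r} is not a valid NCName")
        if claim in attributes:
            released[new_name] = attributes[claim]
    return released


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_CAS_RESPONSE)
    for name, values in attrs.items():
        print(f"{name} = {values}")
    print("rejected by a strict parser:", invalid_element_names(SAMPLE_CAS_RESPONSE))
    print(apply_release_mapping(attrs, {
        "userid": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "displayname": "http://schemas.microsoft.com/identity/claims/displayname",
    }))
```

The release mapping is also the right place to whitelist: a policy that only forwards the claims a service needs, under names it controls, keeps tenant and identity-provider identifiers out of responses that do not require them.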

Related

Mulesoft Insertion into Mongo DB database

I am using a Mongo DB connector to insert data into Mongo Instance located in mLab.
I am sure I am using the correct credentials, since these credentials work when I use them from Java code.
But here, using the Mongo DB connector constantly throws me the error seen below.
org.mule.api.ConnectionException: Couldn't connect with the given credentials
org.mule.api.ConnectionException: Couldn't connect with the given credentials
    at org.mule.module.mongo.MongoCloudConnector.getDatabase(MongoCloudConnector.java:1304)
    at org.mule.module.mongo.MongoCloudConnector.connect(MongoCloudConnector.java:1173)
    at org.mule.module.mongo.connectivity.MongoCloudConnectorConnectionFactory.makeObject(MongoCloudConnectorConnectionFactory.java:56)
    at org.apache.commons.pool.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:1220)
    at org.mule.module.mongo.connectivity.MongoCloudConnectorConnectionManager.acquireConnection(MongoCloudConnectorConnectionManager.java:361)
    at org.mule.module.mongo.connectivity.MongoCloudConnectorConnectionManager.test(MongoCloudConnectorConnectionManager.java:444)
    at org.mule.tooling.metadata.api.utils.ConnectionTester.internalTestConnection(ConnectionTester.java:88)
    at org.mule.tooling.metadata.api.utils.ConnectionTester.testConnectionFor(ConnectionTester.java:113)
    at ...
Is there something that I am missing here?
Below is the XML :
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns:dw="http://www.mulesoft.org/schema/mule/ee/dw" xmlns:metadata="http://www.mulesoft.org/schema/mule/metadata" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:mongo="http://www.mulesoft.org/schema/mule/mongo" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/ee/dw http://www.mulesoft.org/schema/mule/ee/dw/current/dw.xsd
http://www.mulesoft.org/schema/mule/mongo http://www.mulesoft.org/schema/mule/mongo/current/mule-mongo.xsd">
<http:listener-config name="HTTP_Listener_Configuration" host="0.0.0.0" port="8081" doc:name="HTTP Listener Configuration"/>
<http:request-config name="HTTP_Request_Configuration" host="developers.zomato.com" port="80" doc:name="HTTP Request Configuration"/>
<http:request-config name="HTTP_Request_Configuration1" host="api.mlab.com" port="80" doc:name="HTTP Request Configuration"/>
<mongo:config name="Mongo_DB" password="XXXXX" database="restaurant_data" host="ds241039.mlab.com" port="41039" doc:name="Mongo DB" username="XxXx"/>
<flow name="rest-webservice-applicationFlow">
<http:listener config-ref="HTTP_Listener_Configuration" path="/rest" allowedMethods="GET" doc:name="HTTP"/>
<http:request config-ref="HTTP_Request_Configuration" path="api/v2.1/search" method="GET" doc:name="HTTP">
<http:request-builder>
<http:query-param paramName="entity_id" value="1"/>
<http:query-param paramName="entity_type" value="city"/>
<http:header headerName="user-key" value="XXXXXXXXX"/>
</http:request-builder>
</http:request>
<dw:transform-message doc:name="Transform Message" metadata:id="13f7b603-ac1e-45b4-9950-32c39a20ee36">
<dw:input-payload mimeType="application/json"/>
<dw:set-payload><![CDATA[%dw 1.0
%output application/json
---
{
results_found: payload.results_found,
results_start: payload.results_start,
results_shown: payload.results_shown,
restaurants: payload.restaurants map ((restaurant , indexOfRestaurant) -> {
restaurant: {
R: restaurant.restaurant.R,
id: restaurant.restaurant.id,
name: restaurant.restaurant.name,
url: restaurant.restaurant.url,
location: restaurant.restaurant.location,
switch_to_order_menu: restaurant.restaurant.switch_to_order_menu,
cuisines: restaurant.restaurant.cuisines,
average_cost_for_two: restaurant.restaurant.average_cost_for_two,
price_range: restaurant.restaurant.price_range,
currency: restaurant.restaurant.currency,
offers: restaurant.restaurant.offers map ((offer , indexOfOffer) -> offer),
thumb: restaurant.restaurant.thumb,
user_rating: restaurant.restaurant.user_rating,
photos_url: restaurant.restaurant.photos_url,
menu_url: restaurant.restaurant.menu_url,
featured_image: restaurant.restaurant.featured_image,
has_online_delivery: restaurant.restaurant.has_online_delivery,
is_delivering_now: restaurant.restaurant.is_delivering_now,
deeplink: restaurant.restaurant.deeplink,
has_table_booking: restaurant.restaurant.has_table_booking,
events_url: restaurant.restaurant.events_url
}
})
}]]></dw:set-payload>
</dw:transform-message>
<mongo:json-to-dbobject doc:name="Mongo DB"/>
<mongo:insert-object config-ref="Mongo_DB" doc:name="Mongo DB" collection="restaurant"/>
</flow>
</mule>
The MongoDB connector uses the deprecated MONGODB-CR authentication mechanism; mLab is expecting the SCRAM-SHA-1 mechanism.
The SCRAM-SHA-1 mechanism is available in the enterprise version of Mulesoft ESB.
The connection URI configuration is available on version 4.2.0 and above. This is how you configure it:
Add the connector to pom.xml:
<dependency>
<groupId>org.mule.connectors</groupId>
<artifactId>mule-mongo-connector</artifactId>
<version>4.2.0</version>
</dependency>
Configure a connection in your flow:
<mongo:config-connection-string name="MongoDB_Config"
connectionString="mongodb://jdoe:myPass@localhost:27017?authMechanism=SCRAM-SHA-1"/>
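Added example, not from the answer above and not MuleSoft or MongoDB driver code: a self-contained Python implementation of the SCRAM-SHA-1 exchange (RFC 5802) with both the client and the server side, so it is clear why "correct credentials" can still be refused. A MONGODB-CR client sends a nonce-and-MD5 digest that a server configured for SCRAM never accepts; SCRAM is a salted, iterated challenge/response in which the server stores only a StoredKey and ServerKey and the client proves knowledge of the password without sending it. The one MongoDB-specific detail is that the SCRAM password is the hex MD5 of "user:mongo:password" (the legacy MONGODB-CR digest), which is how MongoDB's SCRAM-SHA-1 is specified. The user "jdoe"/"myPass" and the salt and nonces are fixed, constructed values so the run is deterministic; a real client draws nonces from a CSPRNG.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def _hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def mongodb_scram_password(user: str, password: str) -> str:
    """MongoDB feeds SCRAM-SHA-1 the hex MD5 of 'user:mongo:password' (the old MONGODB-CR
    digest) instead of the raw password. A MONGODB-CR-only client therefore holds the right
    secret but never performs the challenge/response the server demands."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


@dataclass
class StoredCredential:
    """What the server keeps per user: salt, iteration count, StoredKey, ServerKey. No password."""
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes


def derive_credential(scram_password: str, salt: bytes, iterations: int) -> StoredCredential:
    salted = hashlib.pbkdf2_hmac("sha1", scram_password.encode("utf-8"), salt, iterations)
    client_key = _hmac_sha1(salted, b"Client Key")
    return StoredCredential(salt, iterations,
                            hashlib.sha1(client_key).digest(),
                            _hmac_sha1(salted, b"Server Key"))


def client_first_message(user: str, client_nonce: str) -> Tuple[str, str]:
    """Returns (full message with GS2 header, the 'bare' part that enters AuthMessage)."""
    bare = f"n={user},r={client_nonce}"
    return "n,," + bare, bare


def server_first_message(cred: StoredCredential, client_nonce: str, server_nonce: str) -> str:
    return f"r={client_nonce}{server_nonce},s={_b64(cred.salt)},i={cred.iterations}"


def client_final_message(scram_password: str, client_nonce: str,
                         client_first_bare: str, server_first: str) -> Tuple[str, bytes]:
    """Builds client-final and returns it with the ServerSignature the client expects back."""
    fields = dict(part.split("=", 1) for part in server_first.split(","))
    combined_nonce = fields["r"]
    if not combined_nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend our nonce (replay or tampering)")
    salt = base64.b64decode(fields["s"])
    iterations = int(fields["i"])
    salted = hashlib.pbkdf2_hmac("sha1", scram_password.encode("utf-8"), salt, iterations)
    client_key = _hmac_sha1(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    without_proof = f"c={_b64(b'n,,')},r={combined_nonce}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode("utf-8")
    client_proof = _xor(client_key, _hmac_sha1(stored_key, auth_message))
    expected_server_sig = _hmac_sha1(_hmac_sha1(salted, b"Server Key"), auth_message)
    return f"{without_proof},p={_b64(client_proof)}", expected_server_sig


def server_verify(cred: StoredCredential, client_first_bare: str, server_first: str,
                  client_final: str) -> Optional[str]:
    """Checks the proof without knowing the password; returns server-final ('v=...') or None."""
    without_proof, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode("utf-8")
    # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey.
    client_key = _xor(base64.b64decode(proof_b64), _hmac_sha1(cred.stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), cred.stored_key):
        return None
    return "v=" + _b64(_hmac_sha1(cred.server_key, auth_message))


def authenticate(user: str, password: str, cred: StoredCredential,
                 client_nonce: str = "fyko+d2lbbFgONRv9qkxdawL",
                 server_nonce: str = "3rfcNHYJY1ZVvWVs7j") -> bool:
    """Runs the whole exchange in-process. Fixed default nonces keep it deterministic;
    real clients and servers draw fresh random nonces (e.g. secrets.token_urlsafe)."""
    scram_pw = mongodb_scram_password(user, password)
    _full, cf_bare = client_first_message(user, client_nonce)
    sf = server_first_message(cred, client_nonce, server_nonce)
    c_final, expected_sig = client_final_message(scram_pw, client_nonce, cf_bare, sf)
    server_final = server_verify(cred, cf_bare, sf, c_final)
    if server_final is None:
        return False
    # Mutual authentication: the client checks the server's signature too.
    return hmac.compare_digest(base64.b64decode(server_final[2:]), expected_sig)


if __name__ == "__main__":
    stored = derive_credential(mongodb_scram_password("jdoe", "myPass"), b"QSXCR+Q6sek8bf92", 10000)
    print("correct password:", authenticate("jdoe", "myPass", stored))
    print("wrong password:  ", authenticate("jdoe", "wrong", stored))
```

The practical reading of the thread is that the credential was never wrong: the Java driver negotiated SCRAM-SHA-1, the older Mule connector could only speak MONGODB-CR, and the server (correctly) refuses a mechanism it no longer stores credentials for.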

Can you update all Mongo documents in a collection at once in Mule?

I am trying to update the Effective date in my mongoDB collection with the current date. I want to update all documents in the collection where the Effective Date is null.
How do you configure the transformer to do this? The Query Reference field info message talks about an Id and the element field looks like it needs a payload containing a document that will replace the one being updated. I am just looking to update one field and currently getting an error with my query but it does work on the mongoDB command line.
This is my query that I want to implement:
db.stores.update({"EffectiveEndDateTime" : null}, {$set : {"EffectiveEndDateTime" : "2017-01-13T18:56:55.257Z"}})
My XML configuration for Mongo in Mule so far:
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns:mongo="http://www.mulesoft.org/schema/mule/mongo" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:json="http://www.mulesoft.org/schema/mule/json"
xmlns:tracking="http://www.mulesoft.org/schema/mule/ee/tracking"
xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.mulesoft.org/schema/mule/json http://www.mulesoft.org/schema/mule/json/current/mule-json.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/ee/tracking http://www.mulesoft.org/schema/mule/ee/tracking/current/mule-tracking-ee.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/mongo http://www.mulesoft.org/schema/mule/mongo/current/mule-mongo.xsd">
<mongo:config name="Mongo_DB__Configuration" username="${mongodb.username}" password="${mongodb.password}" database="${mongodb.database}" host="${mongodb.host}" doc:name="Mongo DB: Configuration"/>
<flow name="deactivateCurrentDocumentsFlow">
<http:listener config-ref="httpListenerConfig" path="/mongo" allowedMethods="POST" doc:name="HTTP"/>
<mongo:update-documents-by-function config-ref="Mongo_DB__Configuration" collection="stores" function="$set : {&quot;EffectiveEndDateTime&quot;: &quot;2017-01-13T17:51:08.153Z&quot; }" doc:name="Mongo DB"/>
<object-to-string-transformer doc:name="Object to String"/>
<logger level="INFO" doc:name="Logger"/>
</flow>
</mule>
Error I am getting:
Message : Failed to invoke updateDocumentsByFunction.
Payload : {NullPayload}
Payload Type : org.mule.transport.NullPayload
Element : /deactivateCurrentDocumentsFlow/processors/0 @ test --------------------------------------------------------------------------------
Root Exception stack trace:
com.mongodb.MongoWriteException: Unknown modifier: $set : {"EffectiveEndDateTime": "2017-01-13T17:51:08.153Z" }
Thanks
You have to use the update-documents-by-functions variant:
<mongo:update-documents-by-functions config-ref="Mongo_DB"
collection="myCollection" functions="$set,{&quot;key&quot;:123}">
</mongo:update-documents-by-functions>

Apache camel cxfrs—Can't find the request for <URL> Observer

I tried to develop a REST service and expose it via Apache Camel's CXFRS. I followed all the steps given in http://camel.apache.org/cxfrs.html and also referred to many of the samples given. I already referred to the question "Can't find the the request for url Observer", but in my case it is a simple REST request. Below are the service class, the route class, and the CXF context used:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:camel="http://camel.apache.org/schema/spring"
xmlns:cxf="http://camel.apache.org/schema/cxf" xmlns:context="http://www.springframework.org/schema/context"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://camel.apache.org/schema/spring
http://camel.apache.org/schema/spring/camel-spring.xsd
http://camel.apache.org/schema/cxf
http://camel.apache.org/schema/cxf/camel-cxf.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<context:annotation-config />
<!-- enable Spring @Component scan -->
<context:component-scan base-package="org.camelsample.rest" />
<cxf:rsServer id="rsServer" address="/rest"
serviceClass="org.camelsample.rest.service.SampleRestService"
loggingFeatureEnabled="true" loggingSizeLimit="20">
<cxf:providers>
<bean class="org.codehaus.jackson.jaxrs.JacksonJsonProvider" />
</cxf:providers>
</cxf:rsServer>
<camel:camelContext id="samplerestservice"
xmlns="http://camel.apache.org/schema/spring">
<contextScan />
<jmxAgent id="agent" createConnector="true" />
</camel:camelContext>
</beans>
The Service Class:
package org.camelsample.rest.service;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
public class SampleRestService {
@GET
@Path("/")
public String sampleService() {
return null;
}
}
The Route Class:
package org.camelsample.rest.route;
import org.apache.camel.spring.SpringRouteBuilder;
public class SampleRestRoute extends SpringRouteBuilder {
@Override
public void configure() throws Exception {
// TODO Auto-generated method stub
from("cxfrs:bean:rsServer").log("Into Sample Route").setBody(constant("Success"));
}
}
But when I try to hit and test using http://localhost:8080/rest, I always get the following error message:
2015-05-29 13:38:37.920 WARN 6744 --- [nio-8080-exec-2] o.a.c.t.servlet.ServletController : Can't find the the request for http://localhost:8080/favicon.ico's Observer
2015-05-29 13:38:40.295 WARN 6744 --- [nio-8080-exec-3] o.a.c.t.servlet.ServletController : Can't find the the request for http://localhost:8080/rest's Observer
I am using Spring Boot to test the REST sample.
Does it work with this URL instead?
http://localhost:8181/cxf/rest
If you just use address="/rest" as your address then you will probably get the default Jetty port 8181 and default CXF servlet path /cxf as the base URL.
If you specifically want to use the URL you have given then try this instead:
address="http://0.0.0.0:8080/rest"

Drools camel multiple ksession not firing

I am using drools 5.6. In camel-server.xml I have my route defined as:
<route>
<from uri="cxfrs://bean://rsServer"/>
<policy ref="droolsPolicy">
<unmarshal ref="xstream-json" />
<to uri="drools:node1" />
<marshal ref="xstream-json" />
</policy>
</route>
I am not defining a ksession. Then in my knowledge-service.xml I have 2 sessions defined (by user) that point to different DRL files. These import the same common DRL file:
<drools:kbase id="kbase1" node="node1">
<drools:resources>
<drools:resource ref="ruletemplate" />
<drools:resource type="DRL" source="classpath:7.drl"/>
</drools:resources>
</drools:kbase>
<drools:ksession id="ksession-7" type="stateless" kbase="kbase1" node="node1"/>
<drools:kbase id="kbase2" node="node1">
<drools:resources>
<drools:resource ref="ruletemplate" />
<drools:resource type="DRL" source="classpath:12.drl"/>
</drools:resources>
</drools:kbase>
<drools:ksession id="ksession-12" type="stateless" kbase="kbase2" node="node1"/>
The idea is the ksession will be defined in the JSON request passed in:
{"batch-execution": { "lookup":"ksession-12", "commands": [ { "insert": { "out-identifier": ...
The server starts up, and changing the lookup between 7 and 12 works. HOWEVER, whatever lookup I run first is the only rule that actually fires. So if I start the server and run ksession-7, it runs successfully; then I change to ksession-12 and nothing happens (it does not hit the debug output in 12.drl).
If I then restart the server and run 12 first, it runs successfully; then I change to ksession-7 and nothing happens.
I am confused by this and believe I am missing something. My goal is to have a common rule template with specific rules for each user. Can anyone help guide me as to why this is not being directed correctly (or not processing)?
EDIT: Adding example
t1.drl:
package org.company.t1.rules
import org.test.*
rule "check patients age" dialect "mvel"
when
$p : Patient( age >= 10)
then
System.out.println("t1 - age greater then 10")
$ca = new Message("age greater then 10")
$p.alerts.add($ca)
end
t2.drl:
package org.company.t2.rules
import org.test.*
rule "check patients age" dialect "mvel"
when
$p : Patient( age >= 15)
then
System.out.println("t2 - age greater then 15")
$ca = new Message("age greater then 15")
$p.alerts.add($ca)
end
ruletemplate.drl:
package org.test
declare Message
text : String
end
declare Patient
id:String
age : Integer
alerts : java.util.ArrayList
end
rule "setup rule for alerts" dialect "mvel" salience 100
when
$p : Patient()
then
System.out.println("initialize array")
$p.alerts = new java.util.ArrayList();
end
knowledge-server.xml:
<drools:resource id="ruletemplate" type="DRL" source="classpath:ruletemplate.drl" />
<drools:kbase id="kbase5" node="node1">
<drools:resources>
<drools:resource ref="ruletemplate" />
<drools:resource type="DRL" source="classpath:t1.drl"/>
</drools:resources>
</drools:kbase>
<drools:kbase id="kbase6" node="node1">
<drools:resources>
<drools:resource ref="ruletemplate" />
<drools:resource type="DRL" source="classpath:t2.drl"/>
</drools:resources>
</drools:kbase>
<drools:ksession id="ksession5" type="stateless" kbase="kbase5" node="node1"/>
<drools:ksession id="ksession6" type="stateless" kbase="kbase6" node="node1"/>
First request that works:
{"batch-execution": { "lookup":"ksession5", "commands": [ { "insert": { "out-identifier": "patient", "object": { "org.test.Patient":[{"age":16}]}}},{"fire-all-rules": ""}]}}
{"execution-results":{"results":{"result":{"identifier":"patient","value":{"org.test.Patient":{"age":16,"alerts":{"org.test.Message":{"text":"age greater then 10"}}}}},"fact-handle":{"identifier":"patient","external-form":"0:2:537549803:537549803:2:DEFAULT"}}}}
Request 2 (does not work unless run first after a server restart):
{"batch-execution": { "lookup":"ksession6", "commands": [ { "insert": { "out-identifier": "patient", "object": { "org.test.Patient":[{"age":16}]}}},{"fire-all-rules": ""}]}}
{"execution-results":{"results":{"result":{"identifier":"patient","value":{"org.test.Patient":{"age":16}}},"fact-handle":{"identifier":"patient","external-form":"0:2:552327108:552327108:2:DEFAULT"}}}}
Tailing catalina.out shows the debug output for t1, as it was run first, but nothing for t2.
What are you inserting? What kind of rules do you have in there?
Could it be that on the first run everything works well and the second one is crashing in the background?

What is the correct format for SAML 2.0 Assertions?

We have a customer trying to use ADFS to SSO on to our web application. We are using the ComponentSpace SAML 2.0 library. The assertion being sent to us looks like:
<Assertion ID="_b8a24809-ab6b-4acd-ad6a-8bcb97bb1889" IssueInstant="2012-05-24T13:30:33.917Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://example.com/adfs/services/trust</Issuer>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail@example.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2012-05-24T13:35:33.920Z" Recipient="https://example.com/default.aspx" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2012-05-24T13:30:33.907Z" NotOnOrAfter="2012-05-24T14:30:33.907Z">
<AudienceRestriction>
<Audience>https://example.com</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>mail@example.com</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2012-05-24T13:30:33.756Z" SessionIndex="_b8a24809-ab6b-4acd-ad6a-8bcb97bb1889">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
The ComponentSpace library is pulling the full SamlResponse from the HTTP POST, but it reports no assertions (i.e., samlResponse.GetAssertions().Count == 0). If I use the ComponentSpace examples it works, but I notice all of the elements I build with the ComponentSpace library are prefixed with "saml:" (as I believe they should be).
Should the ComponentSpace library be able to find the Assertion without the saml: prefix or is there a way to configure ADFS to send it correctly?
A correct SAML response should contain namespace-qualified elements
<saml2p:Response Destination="https://www.google.com/a/squaresquare.biz/acs" IssueInstant="2010-08-04T17:47:20.956Z" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" InResponseTo="djfnhepndikoonjjkeomgplmkjofobhdbdieihpa" Version="2.0" ID="_bd24b4a3514fd93800d2a43cafc98edb">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://my.ssodemo.url.demo.google.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_bd24b4a3514fd93800d2a43cafc98edb">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="dssaml2saml2p"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>m/lUCS3nvfGuSJFKAtIz+ZrfxTU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PLdYgU9u5KirVrMHNSwYvk6fQ401dMbpuiDXpapKf0eOKC6pN3g7tnTEzvfOaXhkDNXVmGN+lXQ6iUDppWpdO2MbvPVZabOBPU1aAO+CWI53ciC0rYsxpFzQLLMC/7x9Wk7VFFmYEecxAJV+lTWvp8ZKXvwqZbhiTO/23EC0xconGhnwSvKjJWQuLnMMaFWSjDFYyzgsp34cR7aX/eqhhJyA/rr2uFdmgEdagAl+/17ppgHgthgK+PJtX16AALtsoXonv6uybRCX/YiDRvM1VsdwusVq5tXh9V+bTMZcgi/3Eh+Em/OZp0En8pqOngvL19U4LfqG0yJZjoDGkpHuhA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2010-08-04T17:47:20.956Z" ID="_73fe28bcbb68e93df954d8e2f25097b1">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://my.ssodemo.url.demo.google.com/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">my_username</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2010-08-04T17:52:20.956Z" InResponseTo="djfnhepndikoonjjkeomgplmkjofobhdbdieihpa" Recipient="https://www.google.com/a/squaresquare.biz/acs" Address="172.24.6.38"></saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotOnOrAfter="2010-08-04T17:52:20.956Z" NotBefore="2010-08-04T17:47:20.956Z">
<saml2:AudienceRestriction>
<saml2:Audience>google.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement SessionIndex="f306dd2bff4e9b3ba9218bd70fbaa87404d38a4c79547ac1edc9436a9f222213" AuthnInstant="2010-08-04T17:47:20.953Z">
<saml2:SubjectLocality Address="172.24.6.38"></saml2:SubjectLocality>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Namespace qualifications are optional.
It turns out that the above XML is valid (ADFS declares the namespace once on the Assertion element rather than prefixing each child element). The problem was that the ComponentSpace library has different methods for getting signed or encrypted assertions, and I was just calling the generic GetAssertions. ADFS was generating signed assertions, so I needed to call the other function.
Here is the code we ended up with:
IList<EncryptedAssertion> encryptedAssertions = samlResponse.GetEncryptedAssertions();
if (encryptedAssertions.Count > 0 && x509Certificate != null) {
// Decrypt the assertion
EncryptedAssertion encryptedAssertion = encryptedAssertions[0];
XmlElement decryptedElement = encryptedAssertion.DecryptToXml(x509Certificate, null);
LogMessage("Decrypted assertion: " + decryptedElement.OuterXml);
// Then verify the signature.
VerifySignature(x509Certificate, decryptedElement);
samlAssertion = new SAMLAssertion(decryptedElement);
} else {
if (samlResponse.GetSignedAssertions().Count > 0) {
// Get the signed assertion and verify the signature.
XmlElement signedAssertionElement = samlResponse.GetSignedAssertions()[0];
LogMessage("Signed assertion: " + signedAssertionElement.OuterXml);
VerifySignature(x509Certificate, signedAssertionElement);
samlAssertion = new SAMLAssertion(signedAssertionElement);
} else {
// Assertion is not encrypted or signed.
if (samlResponse.GetAssertions().Count > 0) {
samlAssertion = samlResponse.GetAssertions()[0];
LogMessage("Assertion: " + samlAssertion.ToXml().OuterXml);
} else {
LogFatalError("No assertions in response");
}
}
}
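Added example, not from the thread and not ComponentSpace code: the confusion above (does the assertion need a "saml:" prefix?) goes away once the response is read with a namespace-aware parser, because a prefix is only a local alias for a namespace URI and "urn:oasis:names:tc:SAML:2.0:assertion" is the only thing the parser compares. The Python below locates assertions by namespace in both an ADFS-style response (default namespace on the Assertion element) and a Shibboleth-style one (explicit saml2: prefix), classifies each as encrypted, signed or plain, mirroring the three branches of the C# code, and checks the Conditions (NotBefore, NotOnOrAfter, Audience) against the SP's clock and entity ID. Both responses are constructed from the shapes quoted in the question and answer, with fake IDs and a placeholder SignatureValue; the script does not verify XML signatures, which must still be done with the IdP certificate (e.g. with xmlsec) before any attribute is trusted, and a plain assertion inside an unsigned response should be rejected outright.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns: str, local: str) -> str:
    """Clark notation {namespace}local: the only element name a namespace-aware parser compares."""
    return f"{{{ns}}}{local}"


# Constructed: ADFS style, default namespace, unprefixed children, enveloped signature (fake value).
ADFS_STYLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2012-05-24T13:30:33.917Z">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_a1" IssueInstant="2012-05-24T13:30:33.917Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://example.com/adfs/services/trust</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/><SignatureValue>ZmFrZQ==</SignatureValue></Signature>
<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail@example.com</NameID></Subject>
<Conditions NotBefore="2012-05-24T13:30:33.907Z" NotOnOrAfter="2012-05-24T14:30:33.907Z">
<AudienceRestriction><Audience>https://example.com</Audience></AudienceRestriction>
</Conditions>
</Assertion>
</samlp:Response>"""

# Constructed: Shibboleth style, explicit saml2: prefix on every element, unsigned assertion.
PREFIXED_STYLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0" IssueInstant="2010-08-04T17:47:20.956Z">
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0" IssueInstant="2010-08-04T17:47:20.956Z">
<saml2:Issuer>http://my.ssodemo.url.demo.google.com/idp/shibboleth</saml2:Issuer>
<saml2:Subject><saml2:NameID>my_username</saml2:NameID></saml2:Subject>
<saml2:Conditions NotBefore="2010-08-04T17:47:20.956Z" NotOnOrAfter="2010-08-04T17:52:20.956Z">
<saml2:AudienceRestriction><saml2:Audience>google.com</saml2:Audience></saml2:AudienceRestriction>
</saml2:Conditions>
</saml2:Assertion>
</saml2p:Response>"""


def _parse_instant(value: str) -> datetime:
    """SAML dateTimes are UTC; IdPs differ on whether they emit fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def classify_assertions(response_xml: str) -> List[Dict]:
    """Find every assertion directly under samlp:Response, regardless of prefix, and say
    whether it is encrypted, carries an enveloped ds:Signature, or is plain."""
    root = ET.fromstring(response_xml)
    if root.tag != _q(SAML_PROTOCOL_NS, "Response"):
        raise ValueError(f"not a samlp:Response: {root.tag}")
    found: List[Dict] = []
    for child in root:
        if child.tag == _q(SAML_ASSERTION_NS, "EncryptedAssertion"):
            # Decrypt with the SP private key first; only then do the checks below apply.
            found.append({"kind": "encrypted", "id": None, "issuer": None,
                          "not_before": None, "not_on_or_after": None, "audiences": []})
        elif child.tag == _q(SAML_ASSERTION_NS, "Assertion"):
            conditions = child.find(_q(SAML_ASSERTION_NS, "Conditions"))
            issuer = child.find(_q(SAML_ASSERTION_NS, "Issuer"))
            signed = child.find(_q(XMLDSIG_NS, "Signature")) is not None
            found.append({
                "kind": "signed" if signed else "plain",
                "id": child.get("ID"),
                "issuer": issuer.text if issuer is not None else None,
                "not_before": conditions.get("NotBefore") if conditions is not None else None,
                "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
                "audiences": [a.text for a in child.iter(_q(SAML_ASSERTION_NS, "Audience"))],
            })
    return found


def conditions_valid(info: Dict, now: datetime, expected_audience: str,
                     skew_seconds: int = 0) -> bool:
    """Validity window and audience check for one classified assertion. A missing
    AudienceRestriction is treated as a failure: the SP must be a named audience."""
    if info["kind"] == "encrypted":
        return False  # nothing can be checked until it is decrypted
    skew = timedelta(seconds=skew_seconds)
    if info["not_before"] and now + skew < _parse_instant(info["not_before"]):
        return False
    if info["not_on_or_after"] and now - skew >= _parse_instant(info["not_on_or_after"]):
        return False
    return expected_audience in info["audiences"]


if __name__ == "__main__":
    for label, doc in (("ADFS", ADFS_STYLE), ("prefixed", PREFIXED_STYLE)):
        for info in classify_assertions(doc):
            print(label, info["kind"], info["id"], info["issuer"], info["audiences"])
```

Branching on the kind is what the C# above does with GetEncryptedAssertions, GetSignedAssertions and GetAssertions; whichever branch applies, the signature check has to cover the exact Assertion element whose conditions and attributes are then used, not some other element in the response.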