We are using opensaml 2.6.1 , xmltooling 1.4.1 and spring-security-saml2-core-1.0.0. java libraries.
Wanted to check if the recent vulnerability detected in SAML implemenation VU#475445 will be applicable for these libraries.
If so how we can resolve it.
If you are running with the defaults, then you are not affected. The key is the property ignoreComments on the ParserPool bean which by default is set to "true". You can read more on this thread: https://github.com/spring-projects/spring-security-saml/issues/228
Related
We are using WSO2 identity server for user authentication in our product suite. Recently we have upgraded its version from 5.0.0 to 5.1.0.
After upgrading to WSO2 identity server 5.1.0 version we are getting following exception when we enable IWA (Integrated Windows Authentication)
TID: [-1234] [] [2016-07-21 18:46:52,606] DEBUG {waffle.servlet.spi.NegotiateSecurityFilterProvider} - security package: Negotiate, connection id: fe80:0:0:0:f1da:6adb:d83e:18d6%6:64966
TID: [-1234] [] [2016-07-21 18:46:52,622] DEBUG {waffle.servlet.spi.NegotiateSecurityFilterProvider} - token buffer: 1629 byte(s)
TID: [-1234] [] [2016-07-21 18:46:52,675] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [bridgeservlet] in context with path [/] threw exception
com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid
at waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:137)
at waffle.servlet.spi.NegotiateSecurityFilterProvider.doFilter(NegotiateSecurityFilterProvider.java:102)
at waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:116)
at org.wso2.carbon.identity.application.authenticator.iwa.servlet.IWAServelet.doPost(IWAServelet.java:89)
at org.wso2.carbon.identity.application.authenticator.iwa.servlet.IWAServelet.doGet(IWAServelet.java:64)
After searching for the problem on Google we came across following post.
https://github.com/dblock/waffle/issues/107
It looks like there was some issue in the earlier version of Waffle library which is resolved in 1.7.4 version.
WSO2 Identity server 5.1.0 comes with Waffle library version 1.6.0 (waffle-jna_1.6.0.wso2v4.jar).
Now my question is do we have any WSO2 Identity server patch available which includes the latest Waffle library (version 1.7.4 or above)?
Can we simply download the latest version of Waffle and put into “wso2is-5.1.0\repository\components\plugins” folder? Will it work?
We need to see if it resolves the above stated problem. We are unable to find any other solution to this issue.
Putting the new version in the plugins folder won't work. You'll need to follow these steps,
Get the waffle 1.7.4 wrapped as an OSGi bundle. You can refer this pom file which does the same for 1.6 version. Make sure the versions are properly updated in the new pom file.
Build from the pom file you created above to get the OSGi bundle
Put it into repository\components\dropins\ folder and restart the IS
[Validation Step][Optional] Start IS in OSGI console with wso2server.bat -DosgiConsole. Once the server is up run ss in the osgi console and locate the bundle id for org.wso2.carbon.identity.application.authenticator.iwa (This will be an integer below ~500). And then b <bundle_id> and make sure it binds the 1.7 versions of waffle packages.
I’m using the Amazon Java SDK, version 1.11.5 (I included the aws-java-sdk-1.11.5.jar in my WEB-INF/lib directory). What version of the Apache httpclient library do I need to include that is compatible with this version of the AWS SDK? I tried httpclient-4.3.4.jar, but I get the below error
15:34:25,366 ERROR [io.undertow.request] (default task-34) UT005023: Exception handling request to /pluginwiris_engine/app/service: java.lang.NoSuchMethodError: org.apache.http.conn.ssl.SSLConnectionSocketFactory.<init>(Ljavax/net/ssl/SSLContext;Ljavax/net/ssl/HostnameVerifier;)V
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.<init>(SdkTLSSocketFactory.java:56)
at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.getPreferredSocketFactory(ApacheConnectionManagerFactory.java:87)
at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.create(ApacheConnectionManagerFactory.java:65)
at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.create(ApacheConnectionManagerFactory.java:58)
at com.amazonaws.http.apache.client.impl.ApacheHttpClientFactory.create(ApacheHttpClientFactory.java:46)
at com.amazonaws.http.apache.client.impl.ApacheHttpClientFactory.create(ApacheHttpClientFactory.java:37)
at com.amazonaws.http.AmazonHttpClient.<init>(AmazonHttpClient.java:213)
at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:145)
at com.amazonaws.services.s3.AmazonS3Client.<init>(AmazonS3Client.java:393)
at com.amazonaws.services.s3.AmazonS3Client.<init>(AmazonS3Client.java:373)
at com.amazonaws.services.s3.AmazonS3Client.<init>(AmazonS3Client.java:355)
at com.amazonaws.services.s3.AmazonS3Client.<init>(AmazonS3Client.java:327)
at com.amazonaws.services.s3.AmazonS3Client.<init>(AmazonS3Client.java:309)
Thanks for additional help, - Dave
Looking at the source for the Java AWS SDK, under tag 1.11.5, you can see the in the POM file they have specified the following:
<httpcomponents.httpclient.version>4.5.2</httpcomponents.httpclient.version>
So I'd say HTTP Client version 4.5.2 is compatible with the AWS SDK version 1.11.5. If you are using a dependency management tool like Maven you could always just let it pull in the version of HTTP Client specified the the AWS SDK.
Look at the compile dependencies at maven repo for aws-java-sdk-core
You can see it's dependent on org.apache.httpcomponents » httpclient -- 4.5.2. Further check if you've all the dependencies of httpclient-4.5.2. You might be missing correct version of httpcore
I am getting uses constraint violation as below while installing a feature in Apache Karaf (karaf framework is felix and version is 4.2.1)
could not be resolved. Reason: Package uses conflict: Import-Package: org.apache.http.entity; version="0.0.0"
After googling , came to know that "Dependency Chain" can help in root causing the issue. but I do not know the steps to follow to get this dependency chain printed in the logs or osgi console
Example Dependency chain is given in the below URL:
Dependency chain conflicts for Hibernate and Apache Felix
Thanks in advance
If you use the felix framework this should be printed either on the console and/or in the logfile while starting the bundle.
With Karaf you also can take a look at bundle:tree-show [bundle-id]. This will show you all bundles your bundle depends on.
I am trying to implement JPA using DataNucleus in an OSGI Environment (Apache ServiceMix). I am following the guide mentioned here - http://www.datanucleus.org/products/datanucleus/jpa/osgi.html (Section under Name "JPA and OSGi")
As per the documentation here I am using the DataNucleus JPA jar. So I have Deployed this Jar on ServiceMix as follows -
osgi:install mvn:org.datanucleus/datanucleus-jpa/2.1.7
osgi:start bundleId
As this jar export the persistence provider,I have correctly changed the provider in my persistence.xml file to be org.datanucleus.jpa.PersistenceProviderImpl (which is exported by the above bundle) rather than usual org.datanucleus.api.jpa.PersistenceProviderImpl which is in a normal J2EE JPA APP.
I also have the DataNucleus Core Bundle running on my ServiceMix, which was installed on my ServiceMix using the following -
osgi:install mvn:org.datanucleus/datanucleus-core/4.0.0-release
osgi:start bundleId
Please Note: I donot have the datanucleus-api-jpa bundle running on my ServiceMix, as per the documentation, the datanucleus-jpa bundle would export the necessary classes and hence datanucleus-api-jpa bundle would not be required.
At runtime, I am getting the following error Caused by: java.lang.ClassNotFoundException: org.datanucleus.PersistenceConfiguration not found by org.datanucleus.jpa [261]
What I have noticed is that the DataNucleus Core version 4.0.0-release does not have this class, but this class exists in all previous releases (3.2.15).
I cannot deploy DataNucleus Core Version 3.2.XX onto my ServiceMix, because I have other bundles using DataNucleus Core 4.0.0-release and having both is not an option because of Singleton Creation problems.
Please let me know, if you need me to post my code, I will do so.
Please help
Cheers,
Abhijit
In conclusion, you are using incorrect/invalid jars. "datanucleus-jpa" was removed back in v2 of DataNucleus. All recent versions using "datanucleus-api-jpa" (or "datanucleus-api-jdo" if using JDO). A simple download of the DataNucleus zip file for 4.0.x would show this very clearly.
I am attempting to get EclipseLink JPA working inside the Spring dm Server OSGi environment.
Relevant frameworks and libraries downloaded from the Spring Enterprise Bundle Repository include:
dm Server 1.0.2.SR02
AspectJ Runtime 1.6.3
AspectJ Weaver 1.6.3
Spring Framework 2.5.6.A
Eclipse Persistence 1.1.0
Javax Persistence API 1.99.0
I followed the same structure as presented in the PetClinic-1.5.0 example for setting up EclipseLink JPA. Everything works until lazy-fetching is enabled (which requires proxied objects).
Once lazy-fetching is enabled, the following error suggests that load-time-weaving is not working correctly.
---- (truncated for readability)
Exception [EclipseLink-60] (Eclipse Persistence Services - 1.1.0.r3634): org.eclipse.persistence.exceptions.DescriptorExcep tion
Exception Description: The method [_persistence_setcustomer_vh] or [_persistence_getcustomer_vh] is not defined in the object [net.fractech.fds.backoffice.Job].
Internal Exception: java.lang.NoSuchMethodException: net.fractech.fds.backoffice.Job._persistence_getcu stomer_vh()
Mapping: org.eclipse.persistence.mappings.OneToOneMapping[customer]
Descriptor: RelationalDescriptor(net.fractech.fds.backoffice.J ob --> [DatabaseTable(JOBS)])
This shows that the _persistence_getcustomer_vh() and _persistence_setcustomer_vh() methods were not automatically weaved into the Job domain object.
Questions
1.) How do I determine if load-time-weaving is actually working; moreover, how do I log which load time weaving agent and weaver was started? How do I pass switches to this weaver to have it output debugging information?
I assume I started load-time-weaving with <context:load-time-weaver aspectj-weaving="on" />
2.) Many searches have revealed that I do not need to pass the -javaagent parameter to the jvm when using dm Server. Is this correct?
3.) I have assured that my domain objects in another bundle have access to the eclipse persistence classes by asserting com.springsource.org.eclipse.persistence;version="[1.1.0,1.1.0]";import-scope:=application in my eclipselink bundle and including all application bundles within a PAR. Are there any other configurations needed to enable EclipseLink JPA in Spring dm Server?
I had similar problems. First try setting eclipselink.weaving.lazy=false, or eclipselink.weaving=false if that doesn't work. I had to set the latter.
If you would like to refer to the setup I am using to see if it applies to you, I have a post about it on my site.
It is better to use Equinox Waving Springwaver
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
...
<property name="loadTimeWeaver">
<bean class="org.eclipse.equinox.weaving.springweaver.EquinoxAspectsLoadTimeWeaver"/>
</property>
</bean>
You don't need to use -javaagent option then.
You can find working examples with JPA and EclipseLink here http://code.google.com/p/springdm-in-action/ (see Chapter 7).
I have tried to use EquinoxAspectsLoadTimeWeaver into JPa context (with EclipseLink) but it doen't transform the model classes if your EquinoxAspectsLoadTimeWeaver bean declaration is not done into the same bundle than Model bundle.
EquinoxAspectsLoadTimeWeaver transform class ONLY for the classes stored into the bundle wich declare EquinoxAspectsLoadTimeWeaver.
I have tried the sample http://code.google.com/p/springdm-in-action/ (see Chapter 7) (thank for this sample Lukasz). The declaration of EquinoxAspectsLoadTimeWeaver avoid having the error
Caused by: java.lang.IllegalStateException: Cannot apply class transformer without LoadTimeWeaver specified
But Model classes are not transformed (woven). Weaving into EclipseLink manage for instance lazy mode. For instance if you set into the sample model Contact lazy mode like this :
public class Contact {
...
#Column(name="last_name")
#Basic(fetch=FetchType.LAZY)
private String lastName;
you will notice that lazy loading is not applied because Model Contact class is not wowen.
Regards Angelo