Play-pac4j with wso2is throws "IDP Metadata cannot be null" - scala

I need a little help with this. I'm using this project (play-pac4j-scala-demo) to test my wso2is SAML server; the only change I made is in the openidp-feide.xml file, which I replaced with this content:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data >
<ds:X509Certificate >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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
The above is the Idp metadata. Next, in the wso2is server I created an issuer, like this:
Issuer : http://localhost:9000/callback?client_name=Saml2Client
Assertion Consumer URL *: http://localhost:9000/callback?client_name=Saml2Client
NameID format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Enable Attribute Profile: true
Other attributes stay with default options.
But when I try to authenticate, the project (play-pac4j-scala-demo) throws this exception:
[debug] - org.pac4j.play.CallbackController - defaultUrl : /?2
at scala.concurrent.impl.CallbackRunnable.executeWithValue(Promise.scala:40) [scala-library-2.11.6.jar:na]
at scala.concurrent.impl.Promise$DefaultPromise.tryComplete(Promise.scala:248) [scala-library-2.11.6.jar:na]
at scala.concurrent.Promise$class.complete(Promise.scala:55) [scala-library-2.11.6.jar:na]
at scala.concurrent.impl.Promise$DefaultPromise.complete(Promise.scala:153) [scala-library-2.11.6.jar:na]
at scala.concurrent.Future$$anonfun$recover$1.apply(Future.scala:324) [scala-library-2.11.6.jar:na]
at scala.concurrent.Future$$anonfun$recover$1.apply(Future.scala:324) [scala-library-2.11.6.jar:na]
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32) [scala-library-2.11.6.jar:na]
at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:40) [play_2.11-2.4.0.jar:2.4.0]
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40) [akka-actor_2.11-2.3.11.jar:na]
at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397) [akka-actor_2.11-2.3.11.jar:na]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [scala-library-2.11.6.jar:na]
Caused by: org.pac4j.saml.exceptions.SamlException: IDP Metadata cannot be null
at org.pac4j.saml.sso.Saml2WebSSOProfileHandler.receiveMessage(Saml2WebSSOProfileHandler.java:127) ~[pac4j-saml-1.7.0.jar:na]
at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:322) ~[pac4j-saml-1.7.0.jar:na]
at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:95) ~[pac4j-saml-1.7.0.jar:na]
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:220) ~[pac4j-core-1.7.0.jar:na]
at org.pac4j.play.java.RequiresAuthenticationAction$6.apply(RequiresAuthenticationAction.java:202) ~[play-pac4j-java-1.5.0-SNAPSHOT.jar:na]
at org.pac4j.play.java.RequiresAuthenticationAction$6.apply(RequiresAuthenticationAction.java:194) ~[play-pac4j-java-1.5.0-SNAPSHOT.jar:na]
at play.core.j.FPromiseHelper$$anonfun$promise$2.apply(FPromiseHelper.scala:36) ~[play_2.11-2.4.0.jar:2.4.0]
at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) ~[scala-library-2.11.6.jar:na]
at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) ~[scala-library-2.11.6.jar:na]
... 7 common frames omitted
What is wrong here? Can anyone help?
Thanks!

This indicates that the method decoder.decode was not able to determine the IDP to use from the SAML Authentication response.
If you encounter an error at this point, I assume you successfully redirect to your IDP, enter your credentials and redirect back to your application, which is rather a good starting point.
Please use a debugging tool (for example SAML Tracer for Firefox) to read the SAML assertion and check if the IDP entity ID is consistent with your set-up.
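The answer above says to read the SAML assertion with a tracer and check that the IdP entity ID is consistent with the set-up. The Python script below does that check offline; it is an added example, not code from the question, from pac4j or from WSO2. It parses IdP metadata shaped like the file in the question (a constructed copy with a placeholder certificate), decodes a base64 SAMLResponse, and reports whether the Response and Assertion Issuer equal the metadata entityID, whether Destination equals the registered ACS URL, and whether the metadata declares a signing key at all (the posted metadata only carries use="encryption", so an SP reading it has no declared key to verify the IdP signature with). The ACS_URL constant, the make_response() helper and the unsigned sample responses are assumptions constructed for the example.

```python
"""Check that a SAML Response is consistent with the IdP metadata the SP was given.
Added example; it is not pac4j or WSO2 code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata modelled on the file in the question; the certificate is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:9443/samlsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Assertion Consumer Service URL registered on the IdP in the question (assumed here).
ACS_URL = "http://localhost:9000/callback?client_name=Saml2Client"


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints and declared key usages from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an md:EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    key_uses = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        # SAML metadata: a KeyDescriptor with no 'use' attribute serves both purposes.
        key_uses.update({"signing", "encryption"} if use is None else {use})
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "key_uses": key_uses,
    }


def check_response(saml_response_b64, metadata, acs_url):
    """Return a list of mismatches between a base64 SAMLResponse and the metadata.

    An empty list means Issuer, Destination and key material line up; the XML
    signature itself is not verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["not a saml2p:Response: %s" % root.tag]
    problems = []
    entity_id = metadata["entity_id"]
    issuer = (root.findtext("saml2:Issuer", namespaces=NS) or "").strip()
    if not issuer:
        problems.append("Response carries no Issuer")
    elif issuer != entity_id:
        problems.append("Response Issuer %r != metadata entityID %r" % (issuer, entity_id))
    assertions = root.findall("saml2:Assertion", NS)
    for a in assertions:
        a_issuer = (a.findtext("saml2:Issuer", namespaces=NS) or "").strip()
        if a_issuer != entity_id:
            problems.append("Assertion Issuer %r != metadata entityID %r" % (a_issuer, entity_id))
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        problems.append("Destination %r != ACS URL %r" % (dest, acs_url))
    if "signing" not in metadata["key_uses"]:
        problems.append("metadata declares no signing key (uses: %s); the SP has no key "
                        "to verify the IdP signature" % sorted(metadata["key_uses"]))
    signed = [e for e in [root] + assertions if e.find("ds:Signature", NS) is not None]
    if not signed:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    return problems


def make_response(issuer):
    """Constructed, unsigned SAMLResponse used only to exercise the checks above."""
    xml = (
        '<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2015-06-01T12:00:00Z" Destination="%s">'
        '<saml2:Issuer>%s</saml2:Issuer>'
        '<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
        '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-01T12:00:00Z">'
        '<saml2:Issuer>%s</saml2:Issuer>'
        '<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        'alice@example.com</saml2:NameID></saml2:Subject>'
        '</saml2:Assertion></saml2p:Response>'
    ) % (NS["saml2p"], NS["saml2"], ACS_URL, issuer, issuer)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    md = parse_idp_metadata(IDP_METADATA)
    for label, issuer in [("matching", md["entity_id"]), ("mismatching", "localhost")]:
        print(label, check_response(make_response(issuer), md, ACS_URL))
```

To use it on a real exchange, pass the SAMLResponse value captured by SAML Tracer to check_response() in place of the make_response() output; a non-empty list names the identifier that disagrees before you start debugging inside pac4j.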

I'm the creator of play-pac4j, but unfortunately no SAML specialist. I guess the SAML response from your IdP does not contain the necessary data as it's an explicit check: https://github.com/pac4j/pac4j/blob/pac4j-1.7.0/pac4j-saml/src/main/java/org/pac4j/saml/sso/Saml2WebSSOProfileHandler.java#L127 In pac4j (and pac4j-saml v1.7.1), the SAML support has evolved: maybe you should give it a try...

Related

WSO2 G-Reg REST APIs - Import Schema

I have been looking through the REST API documentation for both the Registry and the Governance APIs and I haven't been able to figure out how to import a schema via either REST API. Is this possible?
I can create a REST Service with the governance API but the same process with a schema results in a NullPointerException
TID: [-1234] [] [2016-05-26 16:16:22,436] ERROR {org.wso2.carbon.governance.rest.api.internal.GovernanceExceptionHandler} - Exception during service invocation {org.wso2.carbon.governance.rest.api.internal.GovernanceExceptionHandler}
org.wso2.carbon.governance.api.exception.GovernanceException: Error occurred while adding the resource.
at org.wso2.carbon.governance.rest.api.Asset.importResourceWithRegistry(Asset.java:531)
at org.wso2.carbon.governance.rest.api.Asset.createGovernanceAsset(Asset.java:469)
at org.wso2.carbon.governance.rest.api.Asset.createAsset(Asset.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:613)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.registry.resource.services.utils.GetTextContentUtil.getByteContent(GetTextContentUtil.java:83)
I assume that this is needing some schema file, either specified by a URL or provided as a file. Is this something that I can import via the REST API?
There are 3 ways to add resources (content-type RXTs such as wsdl, wadl, xsd and policy) to G-Reg:
1. Using registry REST API
2. Using publisher API (G-Reg 5.0.0 or above)
Create Schema (upload file):
Request
URL: https://<host>:<port>/publisher/assets/schema/apis/schemas?type=schema
Method: POST
Header: Cookie: JSESSIONID=<SESSION-ID>
Payload (form data):
schema : schema
schema_file : <schema file name>.xsd
filename : <schema file name>.xsd
schema_file_name : <schema file name>.xsd
file_version : <version>
addNewSchemaFileAssetButton : Create
File Upload:
Upload the schema file. Give the field entry as ‘schema_file’
Response should be:
Status: 200 OK
To upload a zip file, just change the schema_file, filename and schema_file_name values to the zip file name. (I didn't test this, but it should work according to the source code.)
3. Using Governance API - only for hosted content type resources. (G-Reg 5.2.0 or above)
What is the version you're using?
Hope these details will help you!

BIRT and Web Service Data Sources

I am using BIRT 4.5 and Eclipse/Mars, and attempting to implement the instructions on the following page to create a web services data set:
http://developer.actuate.com/be/documentation/ihub31-dev/DAG/index.html#page/DAG%2Faccessing-data-webservice.10.4.html
The web service I am connecting to is:
http://www.webservicex.net/WeatherForecast.asmx?WSDL
All works according to the Actuate documentation given above until selecting the default options for the SOAP Response, at which point I am getting the following error.
org.eclipse.datatools.connectivity.oda.OdaException: XML data source cannot be retrieved. XML data source file is invalid or the file doesn't exist.
at org.eclipse.datatools.enablement.oda.xml.ui.wizards.XPathChoosePage.populateXMLTree(XPathChoosePage.java:482)
at org.eclipse.datatools.enablement.oda.xml.ui.wizards.XPathChoosePage.refreshControls(XPathChoosePage.java:207)
at org.eclipse.datatools.enablement.oda.xml.ui.wizards.XPathChoosePage.refresh(XPathChoosePage.java:201)
at org.eclipse.datatools.enablement.oda.ws.ui.wizards.XMLTableMappingPage.refresh(XMLTableMappingPage.java:105)
at org.eclipse.datatools.enablement.oda.ws.ui.wizards.SOAPResponsePage.getNextPage(SOAPResponsePage.java:644)
at org.eclipse.jface.wizard.WizardDialog.nextPressed(WizardDialog.java:878)
at org.eclipse.jface.wizard.WizardDialog.buttonPressed(WizardDialog.java:425)
at org.eclipse.jface.dialogs.Dialog$2.widgetSelected(Dialog.java:619)
at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:248)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:84)
at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4230)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1491)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1514)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1499)
at org.eclipse.swt.widgets.Widget.notifyListeners(Widget.java:1299)
at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4072)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3698)
at org.eclipse.jface.window.Window.runEventLoop(Window.java:827)
at org.eclipse.jface.window.Window.open(Window.java:803)
at org.eclipse.birt.report.designer.data.ui.actions.NewDataSetAction.createNewDataSet(NewDataSetAction.java:194)
at org.eclipse.birt.report.designer.data.ui.actions.NewDataSetAction.run(NewDataSetAction.java:182)
at org.eclipse.jface.action.Action.runWithEvent(Action.java:473)
at org.eclipse.jface.action.ActionContributionItem.handleWidgetSelection(ActionContributionItem.java:595)
at org.eclipse.jface.action.ActionContributionItem.access$2(ActionContributionItem.java:511)
at org.eclipse.jface.action.ActionContributionItem$5.handleEvent(ActionContributionItem.java:420)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:84)
at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4230)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1491)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1514)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1499)
at org.eclipse.swt.widgets.Widget.notifyListeners(Widget.java:1299)
at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4072)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3698)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$4.run(PartRenderingEngine.java:1127)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:337)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1018)
at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:156)
at org.eclipse.ui.internal.Workbench$5.run(Workbench.java:654)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:337)
at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:598)
at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:150)
at org.eclipse.ui.internal.ide.application.IDEApplication.start(IDEApplication.java:139)
at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:134)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:380)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:235)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:669)
at org.eclipse.equinox.launcher.Main.basicRun(Main.java:608)
at org.eclipse.equinox.launcher.Main.run(Main.java:1515)
There are two answers to provide on the "Edit Soap Response" dialog:
Select SOAP Response Schema, for which I chose "Use operation response..."
Select Sample SOAP response message, for which I left it blank
This should be a fairly straightforward exercise of connecting BIRT to the weather service, as given by the Actuate example. Suggestions on the cause of the above stack trace and how to work around it are appreciated.
This issue is a bug with BIRT 4.5.x, perhaps prior versions as well. The details can be found on the Actuate Developer Forum:
http://developer.actuate.com/community/forum/index.php?/topic/37700-connecting-to-the-axis2-echoservice-example/

javax.servlet.ServletException: Possible CSRF attack. Refer header :

I am using two WSO2 Identity Servers as back-end and Apache HTTP as front-end load balancer.
When testing in the browser with the URL https://lab1.xx.xx/dashboard, I see the following error in the WSO2 console log:
TID: [0] [IS] [2015-09-10 16:59:22,846] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} - Could not handle request: /portal/gadgets/user_profile/js/main.js {org.wso2.carbon.tomcat.ext.valves.CompositeValve}
javax.servlet.ServletException: Possible CSRF attack. Refer header : https://lab1.xx.xx/dashboard/
at org.wso2.carbon.ui.valve.CSRFValve.validateRefererHeader(CSRFValve.java:123)
at org.wso2.carbon.ui.valve.CSRFValve.validatePatterns(CSRFValve.java:96)
at org.wso2.carbon.ui.valve.CSRFValve.invoke(CSRFValve.java:71)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
I applied the Patch ID: WSO2-CARBON-PATCH-4.2.0-1256 and WSO2-IS-5.0.0-SP01
<CSRFPreventionConfig>
<Enabled>true</Enabled>
<Rule>allow</Rule>
<Patterns>
<Pattern>carbon</Pattern>
<Pattern>commonauth</Pattern>
<Pattern>samlsso</Pattern>
<Pattern>authenticationendpoint</Pattern>
<Pattern>wso2</Pattern>
<Pattern>oauth2</Pattern>
<Pattern>openid</Pattern>
<Pattern>openidserver</Pattern>
<Pattern>passivests</Pattern>
<Pattern>services</Pattern>
</Patterns>
<WhiteList>
<Url>https://localhost:9443</Url>
</WhiteList>
</CSRFPreventionConfig>
Any hint how to setup a CSRF Whitelist?
Regards, Raybar
Change your /repository/conf/carbon.xml file and, in the WhiteList element, add a Url element with the text https://lab1.xx.xx.
After the change, that part should look something like:
<WhiteList>
<Url>https://localhost:9443</Url>
<Url>https://lab1.xx.xx</Url>
</WhiteList>
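The answer above adds the reverse-proxy origin to the whitelist. The Python below is an added example, not WSO2's CSRFValve: it models a Referer/Origin allowlist check using whitelist values taken from this thread and shows why an entry has to be compared as an origin (scheme, host, effective port) rather than as a string prefix: a prefix check on https://localhost:9443 also admits a Referer of https://localhost:9443.evil.example/. The csrf_check function, its preference for the Origin header, and its policy of rejecting state-changing requests that carry no source header at all are assumptions of the example, not behaviour documented for the WSO2 valve.

```python
"""Referer/Origin allowlist check for CSRF protection.
Added example; it is a model, not WSO2's CSRFValve."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Allowlist modelled on the carbon.xml <WhiteList> discussed in the thread (constructed).
WHITELIST = ["https://localhost:9443", "https://lab1.xx.xx"]


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    Returns None for anything that is not a clean http(s) origin, including a
    netloc like 'localhost:9443.evil.example' whose port is not numeric."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme])


def prefix_match(referer, whitelist):
    """Naive string-prefix check; shown only to demonstrate what it lets through."""
    return any(referer.startswith(entry) for entry in whitelist)


def origin_match(referer, whitelist):
    """Exact origin comparison: scheme, host and effective port must all equal an entry.

    Any path on a whitelist entry (e.g. '/dashboard/*') is ignored, so
    'https://lab1.xx.xx/dashboard/' matches the entry 'https://lab1.xx.xx'."""
    ref = origin_of(referer)
    return ref is not None and any(origin_of(entry) == ref for entry in whitelist)


def csrf_check(headers, whitelist, state_changing=True):
    """Decide whether a request passes the source-origin check; returns (allowed, reason).

    Origin is preferred over Referer because browsers still send Origin on
    cross-site POSTs when a referrer policy strips the Referer."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # No source header: tolerable for idempotent reads, not for state changes.
        return (not state_changing, "no Origin/Referer header")
    if origin_match(source, whitelist):
        return (True, "source origin is allowlisted")
    return (False, "Possible CSRF attack. Source header: %s" % source)


if __name__ == "__main__":
    referer = "https://lab1.xx.xx/dashboard/"
    print("only localhost whitelisted:", csrf_check({"Referer": referer}, ["https://localhost:9443"]))
    print("proxy host added:        ", csrf_check({"Referer": referer}, WHITELIST))
    spoof = "https://localhost:9443.evil.example/"
    print("prefix vs origin on spoof:", prefix_match(spoof, WHITELIST), origin_match(spoof, WHITELIST))
```

Run it and the first line reproduces the situation in the question (the proxy's Referer rejected because only https://localhost:9443 is listed), the second shows the fix from the answer, and the third shows the bypass a prefix comparison would allow.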
I added it to the whitelist, but it does not work; I still see the same error log.
Might it need to be added somewhere else?
my /repository/conf/carbon.xml file:
<CSRFPreventionConfig>
<Enabled>false</Enabled>
<Rule>allow</Rule>
<Patterns>
<Pattern>carbon</Pattern>
<Pattern>commonauth</Pattern>
<Pattern>samlsso</Pattern>
<Pattern>authenticationendpoint</Pattern>
<Pattern>wso2</Pattern>
<Pattern>oauth2</Pattern>
<Pattern>openid</Pattern>
<Pattern>openidserver</Pattern>
<Pattern>passivests</Pattern>
<Pattern>services</Pattern>
<Pattern>dashboard</Pattern>
</Patterns>
<WhiteList>
<Url>https://localhost:9443</Url>
<Url>https://ssohalab2.xx.xx:9443</Url>
<Url>https://lab1.xx.xx/dashboard/*</Url>
</WhiteList>
</CSRFPreventionConfig>
https://ssohalab2.xx.xx:9443 ---> SSO Server
https://lab1.xx.xx/dashboard/* ---> Reverse Proxy
Regards, Raybar

How should I set up logging in an sbt project?

[error] s.c.p.TwitterProvider - [securesocial] error retrieving request token
oauth.signpost.exception.OAuthNotAuthorizedException: Authorization failed (server replied with a 401). This can happen if the consumer key was not correct or the signatures did not match.
at oauth.signpost.AbstractOAuthProvider.handleUnexpectedResponse(AbstractOAuthProvider.java:243) ~[signpost-core-1.2.1.2.jar:na]
at oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.java:193) ~[signpost-core-1.2.1.2.jar:na]
at oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProvider.java:74) ~[signpost-core-1.2.1.2.jar:na]
at play.api.libs.oauth.OAuth.retrieveRequestToken(OAuth.scala:38) ~[play-ws_2.11-2.3.7.jar:2.3.7]
at securesocial.core.OAuth1Client$Default$$anonfun$retrieveRequestToken$1.apply(OAuth1Provider.scala:69) ~[securesocial_2.11-3.0-M3.jar:3.0-M3]
[error] s.c.ProviderController - Unable to log user in. An exception was thrown
securesocial.core.AuthenticationException: null
at securesocial.core.OAuth1Provider$$anonfun$authenticate$1.applyOrElse(OAuth1Provider.scala:141) ~[securesocial_2.11-3.0-M3.jar:3.0-M3]
at securesocial.core.OAuth1Provider$$anonfun$authenticate$1.applyOrElse(OAuth1Provider.scala:138) ~[securesocial_2.11-3.0-M3.jar:3.0-M3]
at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36) [scala-library-2.11.6.jar:na]
at scala.util.Failure$$anonfun$recover$1.apply(Try.scala:215) [scala-library-2.11.6.jar:na]
at scala.util.Try$.apply(Try.scala:191) [scala-library-2.11.6.jar:na]
I want to check the requests. How do I set up the logger in an sbt subproject (jar files)?

WSO2 SSO and Multitenancy Problems

I am evaluating SSO with WSO2 Identity Server. I ran into the following problem/scenario. I have one or several SSO ServiceProviders (aka websites). I have one WSO2 Identity Server. I want commercial customers to be able to manage their users themselves, and those users to be able to log in to the same ServiceProviders.
I set up a Service Provider, and I can log in to it with users defined in wso2 itself. I set up a tenant. I added the same issuer in the tenant and globally. I can generally log in to the SSO-protected site with a global user. I can log in with a tenant user, but:
When the request gets back, after the login, I see following error on screen (and in logs):
org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Signature validation failed for SAML Response
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.validateSignature(SAML2SSOManager.java:467)
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:215)
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:142)
org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:87)
I see also a lot in the logs, ending with
16:45:39.399 [http-bio-8080-exec-1] WARN o.a.x.s.signature.XMLSignature - Signature verification failed.
16:45:39.399 [http-bio-8080-exec-1] DEBUG o.o.xml.signature.SignatureValidator - Signature did not validate against the credential's key
directly prior to the exception. If I simply hit F5, I am logged in and can use the site (meaning that my SSOAgentSessionBean returns a valid subject).
If I try to log out from this session, I now receive an error on the opposite side, in the WSO2 IS:
TID: [0] [IS] [2014-05-05 16:38:54,589] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : SAMLRequest=nZLBbsIwDIZfJcqdtkCRRkTLkBASEgNpbDvsFlpDA6nNEjNtb79Ax0AcOEzKIYp%2F%2B7c%2FZzD8qq34BOcNYSbbUSIFYEGlwU0mX18mrQc5zAde17azVzPa0IGf4eMAnkXIRK%2BaUCYPDhVpb7xCXYNXXKjl6GmmOlGi9o6YCrJSjEOiQc0nt4p571Uc056NBe8pKiKNxBU4oyMEVv007cZHhxCUYjrO5BZ3ZGlH5Yq2dqc3Vbmt1xZwbUjbra1WdVWVWhdB7f0BpuhZI2eyk7TTVtIL56Wdqm5fJZ2o3UvepZgTL3DhRmsGd6tL04vuGbQ%2Fdr0MaCyIhoUUb2d2YVD5S0qdvN01ofuAtPfgjlBkHsa%2BQBjE1%2FXO1echfzr%2BT3UxIVdrvi8%2FvpiytT5JFSAb%2FpZ5syRd1gYfm3tUwrm%2FpqO%2Ff7IMywx2UyzhK85%2FRTffJ%2F8B&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=A9nB2Mt6aK%2Be8jlOau4ERjw6C1FX3ZiO%2FOzZ77oWhkNalypG7OSTYk6dndt8j4BpAeSfYEfQAh8VBhygL%2BBmcY8RFb93HpB6UnYEdoO0sQy3dhg1iZYoLEMnwScv8odbA54nXdPFT%2B%2FbTBK4rFJ6GcCphKHP9wJcwIPF0KVjKHU%3D {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
TID: [0] [IS] [2014-05-05 16:38:54,590] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://xxx.c.anotheria.net:9443/samlsso" ID="jnkolokodbojlkaghdjmflenfioaljlhbmhhdaac" IssueInstant="2014-05-05T14:39:02.150Z" NotOnOrAfter="2014-05-05T14:44:02.150Z" Reason="Single Logout" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">net.anotheria</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">xxxadmin#xxx.de</saml2:NameID><saml2p:SessionIndex/></saml2p:LogoutRequest> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
TID: [0] [IS] [2014-05-05 16:38:54,595] ERROR {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor} - Error Processing the Logout Request {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor}
java.lang.NullPointerException
at org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor.process(LogoutRequestProcessor.java:116)
at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:115)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
TID: [0] [IS] [2014-05-05 16:38:54,596] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Error when processing the authentication request! {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
org.wso2.carbon.identity.base.IdentityException: Error Processing the Logout Request
at org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor.process(LogoutRequestProcessor.java:206)
at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:115)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor.process(LogoutRequestProcessor.java:116)
... 38 more
I can log in and log out with global users without any problems.
I assume that the error is on the first-login-return side, but I can't imagine which.
First check whether you can log in to WSO2 IS with the tenant user you created.
If you created a tenant and registered the SPs in the tenant, then you should be able to log in to web sites with WSO2 Identity Server as IDP using the tenant users.
With the message you have seen, this seems to be an error in authentication. Not specific to SSO.
Thanks,
Pushpalanka