Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.2.0.CD13
Affects Version/s: 7.2.0.GA
Component/s: Documentation
Labels:
- Doc_prio_2
- docs-bulk-56

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.2.0.CD13
Git Pull Request:
https://gitlab.cee.redhat.com/red-hat-jboss-enterprise-application-platform-documentation/eap-documentation/merge_requests/4266
Steps to Reproduce:
Hide

1) Server configuration
Add following security domains:

/subsystem=security/security-domain=picketlink-sts:add(cache-type=default) /subsystem=security/security-domain=picketlink-sts/authentication=classic:add /subsystem=security/security-domain=picketlink-sts/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")]) /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external:add(cache-type=default) /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic:add /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule, flag=required, module=org.picketlink, module-options=[("configFile"=>"${jboss.server.config.dir}/sts-config.properties")])

Add following security-realm:

/core-service=management/security-realm=SAMLRealm:add /core-service=management/security-realm=SAMLRealm/authentication=jaas:add(name=simple-SAML2STSLoginModule-config-external)

Use that realm for remoting:

/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=SAMLRealm)

2) Copy attachted sts-config.properties to WILDFLY_HOME/standalone/configuration

3) PicketLinkSTS deployment + EJB deployment
Deploy both attached deployment picketlink-sts.war and ejb-test.jar

4) Prepare client application
Unzip attached project ejb-security-picketlink.zip and build it with mvn clean package.

5) Execute client application
Run mvn exec:exec - expcetion is thrown

6) Optional - use org.apache.santuario.xmlsec from WildFly 11
Put module WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar to WildFly 12 (and change it in module.xml), restart server and execute client application again - it will work correctly
Show
1) Server configuration Add following security domains: /subsystem=security/security-domain=picketlink-sts:add(cache-type= default ) /subsystem=security/security-domain=picketlink-sts/authentication=classic:add /subsystem=security/security-domain=picketlink-sts/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[( "usersProperties" => "users.properties" ), ( "rolesProperties" => "roles.properties" )]) /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external:add(cache-type= default ) /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic:add /subsystem=security/security-domain=simple-SAML2STSLoginModule-config-external/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule, flag=required, module=org.picketlink, module-options=[( "configFile" => "${jboss.server.config.dir}/sts-config.properties" )]) Add following security-realm: /core-service=management/security-realm=SAMLRealm:add /core-service=management/security-realm=SAMLRealm/authentication=jaas:add(name=simple-SAML2STSLoginModule-config-external) Use that realm for remoting: /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=SAMLRealm) 2) Copy attachted sts-config.properties to WILDFLY_HOME/standalone/configuration 3) PicketLinkSTS deployment + EJB deployment Deploy both attached deployment picketlink-sts.war and ejb-test.jar 4) Prepare client application Unzip attached project ejb-security-picketlink.zip and build it with mvn clean package . 5) Execute client application Run mvn exec:exec - expcetion is thrown 6) Optional - use org.apache.santuario.xmlsec from WildFly 11 Put module WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar to WildFly 12 (and change it in module.xml), restart server and execute client application again - it will work correctly

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When token from PicketLink STS is issued and signed then it is not able to be used for authentication through Remoting in WildFly 12 (i.e. it cannot be set as remote.connection.main.password property which can be used in PicketLink org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule). It seems it is caused by upgrade of org.apache.santuario.xmlsec to version 2.1.1. [1]. When WILDFLY11_HOME/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.0.8.jar is placed to WildFly 12 modules then it works correctly.

We report it as a blocker since it is regression - application which works correctly on WildFly 11 stops to work on WildFly 12 - users are not able to authenticate through Remoting with signed tokens from PicketLink STS correctly.

Remoting fails due to following exception:

java.lang.IllegalArgumentException: ELY05131: Invalid ASCII control "0xA"
        at org.wildfly.security.sasl.util.StringPrep.forbidAsciiControl(StringPrep.java:117)
        at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:295)
        at org.wildfly.security.sasl.util.StringPrep.encode(StringPrep.java:196)
        at org.wildfly.security.sasl.plain.PlainSaslClient.evaluateChallenge(PlainSaslClient.java:95)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
        at org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:460)
        at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
        at java.lang.Thread.run(Thread.java:748)

It is caused by different formating value of SignatureValue in assertion. In WildFly 11 SignatureValue looks like:

<dsig:SignatureValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">nFVkKrXTyYEQ9cwc9OOgySYebEtwzw4alVYP0viXzvqZAUAKtAXEBAfDB8xIOms78twlDdq79MiSvk8OrOdf126Kw/IR8JRn1fYyZ5tsIRcNoTXMgGaTqhrn/HKlLqqqHhVHrJURunqkSzTTxylA2AEPhEDD5Y7hS0W2ZZCeSvuri+PRDSTrRnuedz0yQuHQu1mZ0gjoEFbHh4Wkkn5Ac1R4gmewmmzPud+ZE6Ux4YpeHzQ8rAvZ4bDk6j+eQIRsSxFTLo5RSA3FWN8+lUNV/CSRqBPXsK7QxOaTdBgF+4NXWeExrNJ9SeVFcf9yelvReAtR2JNZ6DUY8u45KtXmLw==</dsig:SignatureValue>

In WildFly 12 it looks like (there are end of lines):

<dsig:SignatureValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">cUNpFJIZlLYrBDZtQSTDrq2K6PbnAHyg2qbx/D5FuB4XMjdQ5oxQjkMejLyelnA7s4GFusoLhahl&#13;
qlTOT8UrOyxrR4yYAmJ/e5s+f4gys926+tbiraT/3/wG8wM/Lvcjvk5Ap69zODuRYpypsWfA4jrI&#13;
7TTBXVPGy8g4KUdnFviUiTuFTc2Ghgxp53AmUuLis/THyP28jE7+28//q8bi/bQrFwHC6tWX67+N&#13;
K1duFCOcQ6IPIKeVrePZz55Ivgl+WWdkF6uYCz5IdMzurhzmeQ3K8DAMIxz/MG67VWJIOnuGNWF7&#13;
nmdye5zd9AFcRsr1XadvZJCbGNfuc89AL5inCg==</dsig:SignatureValue>

[1] https://github.com/wildfly/wildfly/commit/536de514829f2187abf1126c8916a04b5dd856f4

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

ejb-security-picketlink.zip
8 kB
2018/05/29 10:18 AM
ejb-test.jar
3 kB
2018/05/29 10:18 AM
picketlink-sts.war
9 kB
2018/05/29 10:18 AM
sts-config.properties
0.3 kB
2018/05/29 10:18 AM

clones

WFLY-9892 Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS

Closed

is related to

WINDUPRULE-367 EAP 7.2 Migration: Rule warning EJB Clients about Picketlink STS token format change

Dev Complete

Assignee:: Sande Gilda (Inactive)

Reporter:: Sande Gilda (Inactive)

Tester:: Ondrej Kotek

QA Contact:: Ondrej Kotek

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2018/05/29 10:18 AM

Updated:: 2022/09/09 7:10 AM

Resolved:: 2018/06/19 4:18 PM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates