Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-766

Implicit namespace declaration of <Signature/> causes XPathStylesheetDOM3Exception

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • PLINK_2.5.2.FInal
    • BASE
    • None
    • Hide

      1. untar reproducer_xmlns.tar.gz
      2. cd reproducer_xmlns
      3. copy dist/reproducer_xmlns.war to $JBOSS_HOME/standalone/deployments
      4. copy idp.truststore to to $JBOSS_HOME/standalone/configuration
      5. add the following lines into standalone.xml

                      <security-domain name="saml-token-local-validation" cache-type="default">
                    <authentication>
                        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule" flag="required">
                            <module-option name="roleKey" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
                            <module-option name="localValidationSecurityDomain" value="saml-token-local-validation"/>
                        </login-module>
                    </authentication>
                    <jsse keystore-password="123456" keystore-url="${jboss.server.config.dir}/idp.truststore"/>
                </security-domain>

      6. run `ant test`

      Show
      1. untar reproducer_xmlns.tar.gz 2. cd reproducer_xmlns 3. copy dist/reproducer_xmlns.war to $JBOSS_HOME/standalone/deployments 4. copy idp.truststore to to $JBOSS_HOME/standalone/configuration 5. add the following lines into standalone.xml <security-domain name= "saml-token-local-validation" cache-type= " default " > <authentication> <login-module code= "org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule" flag= "required" > <module-option name= "roleKey" value= "http: //schemas.microsoft.com/ws/2008/06/identity/claims/role" /> <module-option name= "localValidationSecurityDomain" value= "saml-token-local-validation" /> </login-module> </authentication> <jsse keystore-password= "123456" keystore-url= "${jboss.server.config.dir}/idp.truststore" /> </security-domain> 6. run `ant test`

    Description

      A web service secured by WS-trust/SAML STS is deployed on EAP6.4.x. If the namespace of `<Signature/>` in an assersion in a webservice request is declared implicitly like:

      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <CanonicalizationMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
        <SignatureMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" URI="#ID_57501112-83ce-41fe-828c-d538b13432e6">

      it throws XPathStylesheetDOM3Exception as follows:

      20:13:15,332 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-2) Unexpected error: javax.xml.xpath.XPathExpressionException: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null
        at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:295)
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.getX509Certificate(SAMLTokenCertValidatingCommonLoginModule.java:465) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.validateSAMLCredential(SAMLTokenCertValidatingCommonLoginModule.java:421) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.login(SAMLTokenCertValidatingCommonLoginModule.java:276) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_102]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_102]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_102]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_102]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:424) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:363) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:351) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:156) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.picketlink.trust.jbossws.handler.AbstractWSAuthenticationHandler.handleInbound(AbstractWSAuthenticationHandler.java:83) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.trust.jbossws.handler.AbstractPicketLinkTrustHandler.handleMessage(AbstractPicketLinkTrustHandler.java:259) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:359) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:255) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:132) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.jboss.wsf.stack.cxf.interceptor.HandlerAuthInterceptor$JBossWSHandlerChainInvoker.invokeProtocolHandlers(HandlerAuthInterceptor.java:114)
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:169) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:124) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:71) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:97)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:131)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.3.1.Final-redhat-1.jar:2.3.1.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
Caused by: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null
        at org.apache.xpath.compiler.XPathParser.errorForDOM3(XPathParser.java:655)
        at org.apache.xpath.compiler.Lexer.mapNSTokens(Lexer.java:647)
        at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:274)
        at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:98)
        at org.apache.xpath.compiler.XPathParser.initXPath(XPathParser.java:112)
        at org.apache.xpath.XPath.<init>(XPath.java:178)
        at org.apache.xpath.XPath.<init>(XPath.java:266)
        at org.apache.xpath.jaxp.XPathImpl.eval(XPathImpl.java:195)
        at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:281)
        ... 52 more

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. PLINK-768 [GSS] (7.x) Implicit namespace declaration of <Signature/> causes XPathStylesheetDOM3Exception

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              rhn-support-hokuda Hisanobu Okuda
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated: