Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-768

[GSS] (7.x) Implicit namespace declaration of <Signature/> causes XPathStylesheetDOM3Exception

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Major Major
    • None
    • PLINK_2.5.2.FInal
    • BASE
    • None
    • Hide

      1. untar reproducer_xmlns.tar.gz
      2. cd reproducer_xmlns
      3. copy dist/reproducer_xmlns.war to $JBOSS_HOME/standalone/deployments
      4. copy idp.truststore to to $JBOSS_HOME/standalone/configuration
      5. add the following lines into standalone.xml

                      <security-domain name="saml-token-local-validation" cache-type="default">
                    <authentication>
                        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule" flag="required">
                            <module-option name="roleKey" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
                            <module-option name="localValidationSecurityDomain" value="saml-token-local-validation"/>
                        </login-module>
                    </authentication>
                    <jsse keystore-password="123456" keystore-url="${jboss.server.config.dir}/idp.truststore"/>
                </security-domain>

      6. run `ant test`

      Show
      1. untar reproducer_xmlns.tar.gz 2. cd reproducer_xmlns 3. copy dist/reproducer_xmlns.war to $JBOSS_HOME/standalone/deployments 4. copy idp.truststore to to $JBOSS_HOME/standalone/configuration 5. add the following lines into standalone.xml <security-domain name= "saml-token-local-validation" cache-type= " default " > <authentication> <login-module code= "org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule" flag= "required" > <module-option name= "roleKey" value= "http: //schemas.microsoft.com/ws/2008/06/identity/claims/role" /> <module-option name= "localValidationSecurityDomain" value= "saml-token-local-validation" /> </login-module> </authentication> <jsse keystore-password= "123456" keystore-url= "${jboss.server.config.dir}/idp.truststore" /> </security-domain> 6. run `ant test`

      A web service secured by WS-trust/SAML STS is deployed on EAP6.4.x. If the namespace of `<Signature/>` in an assersion in a webservice request is declared implicitly like:

      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <CanonicalizationMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
        <SignatureMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" URI="#ID_57501112-83ce-41fe-828c-d538b13432e6">

      it throws XPathStylesheetDOM3Exception as follows:

      20:13:15,332 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-2) Unexpected error: javax.xml.xpath.XPathExpressionException: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null
        at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:295)
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.getX509Certificate(SAMLTokenCertValidatingCommonLoginModule.java:465) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.validateSAMLCredential(SAMLTokenCertValidatingCommonLoginModule.java:421) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.login(SAMLTokenCertValidatingCommonLoginModule.java:276) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_102]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_102]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_102]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_102]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:424) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:363) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:351) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:156) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.picketlink.trust.jbossws.handler.AbstractWSAuthenticationHandler.handleInbound(AbstractWSAuthenticationHandler.java:83) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.trust.jbossws.handler.AbstractPicketLinkTrustHandler.handleMessage(AbstractPicketLinkTrustHandler.java:259) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:359) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:255) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:132) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.jboss.wsf.stack.cxf.interceptor.HandlerAuthInterceptor$JBossWSHandlerChainInvoker.invokeProtocolHandlers(HandlerAuthInterceptor.java:114)
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:169) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:124) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:71) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:97)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:131)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.3.1.Final-redhat-1.jar:2.3.1.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
Caused by: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null
        at org.apache.xpath.compiler.XPathParser.errorForDOM3(XPathParser.java:655)
        at org.apache.xpath.compiler.Lexer.mapNSTokens(Lexer.java:647)
        at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:274)
        at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:98)
        at org.apache.xpath.compiler.XPathParser.initXPath(XPathParser.java:112)
        at org.apache.xpath.XPath.<init>(XPath.java:178)
        at org.apache.xpath.XPath.<init>(XPath.java:266)
        at org.apache.xpath.jaxp.XPathImpl.eval(XPathImpl.java:195)
        at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:281)
        ... 52 more

              psilva@redhat.com Pedro Igor Craveiro
              rhn-support-dehort Derek Horton
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: