2 Replies Latest reply on Apr 11, 2007 11:30 AM by ajls

    Problem with SAML in cookies

    ajls

      I am having problems retrieving the SAML from the cookie. My SAML token is truncated to '<Response xmlns=\'. A little bit of adventure through Tomcat's src led me to:

      org/apache/tomcat/util/http/Cookies.java

      By changing dbg to "1", recompiling and adding the created tomcat-util.jar to $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/ ... I get this output:

      15:26:16,489 INFO [Server] JBoss (MX MicroKernel) [4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)] Started in 36s:640ms
      15:27:14,692 INFO [STDOUT] ************ Cookies: Parsing b[]: JSESSIONID=v6lOu62iJ2ex2+nX9TlZMg**; JSESSIONIDSSO=7D1F4DAA170B31403D3994E56293C03A; token="<Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"2007-04-11T14:27:11.207Z\" MajorVersion=\"1\" MinorVersion=\"1\" ResponseID=\"_7922e48bab03a7ed1fbb56da51a0e188\"><Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_e4d7d1360f820ceaf6ca4327e639b822\" IssueInstant=\"2007-04-11T14:27:11.426Z\" Issuer=\"HarpoonWebUI\" MajorVersion=\"1\" MinorVersion=\"1\"><AuthenticationStatement AuthenticationInstant=\"2007-04-11T14:27:11.207Z\" AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\"><Subject><NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</NameIdentifier></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</NameIdentifier></Subject><Attribute AttributeName=\"secret\" AttributeNamespace=\"jbosssso:secret\"><AttributeValue>[...]</AttributeValue></Attribute></AttributeStatement></Assertion></Response>"
      15:27:14,692 INFO [STDOUT] ************ Cookies: Start: 450 2836
      15:27:14,692 INFO [STDOUT] ************ Cookies: SN: 450
      15:27:14,692 INFO [STDOUT] ************ Cookies: DELIM: 460 =
      15:27:14,692 INFO [STDOUT] ************ Cookies: New: JSESSIONIDX=Xv6lOu62iJ2ex2+nX9TlZMg**
      15:27:14,692 INFO [STDOUT] ************ Cookies: Start: 486 2836
      15:27:14,692 INFO [STDOUT] ************ Cookies: SN: 487
      15:27:14,692 INFO [STDOUT] ************ Cookies: DELIM: 500 =
      15:27:14,692 INFO [STDOUT] ************ Cookies: New: JSESSIONIDSSOX=X7D1F4DAA170B31403D3994E56293C03A
      15:27:14,692 INFO [STDOUT] ************ Cookies: Start: 534 2836
      15:27:14,692 INFO [STDOUT] ************ Cookies: SN: 535
      15:27:14,692 INFO [STDOUT] ************ Cookies: DELIM: 540 =
      15:27:14,692 INFO [STDOUT] ************ Cookies: New: tokenX=X<Response xmlns=\
      15:27:14,692 INFO [STDOUT] ************ Cookies: Start: 560 2836
      15:27:14,692 INFO [STDOUT] ************ Cookies: SN: 560
      15:27:14,692 INFO [STDOUT] ************ Cookies: DELIM: 598 x
      15:27:14,692 INFO [STDOUT] ************ Cookies: New: urn:oasis:names:tc:SAML:1.0:protocol\"X=Xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"2007-04-11T14:27:11.207Z\" MajorVersion=\"1\" MinorVersion=\"1\" ResponseID=\"_7922e48bab03a7ed1fbb56da51a0e188\"><Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_e4d7d1360f820ceaf6ca4327e639b822\" IssueInstant=\"2007-04-11T14:27:11.426Z\" Issuer=\"HarpoonWebUI\" MajorVersion=\"1\" MinorVersion=\"1\"><AuthenticationStatement AuthenticationInstant=\"2007-04-11T14:27:11.207Z\" AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\"><Subject><NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</NameIdentifier></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</NameIdentifier></Subject><Attribute AttributeName=\"secret\" AttributeNamespace=\"jbosssso:secret\"><AttributeValue>[...]</AttributeValue></Attribute></AttributeStatement></Assertion></Response>"
      
      


      One can quite easily see why I am only getting '<Response xmlns=\'

      If I tap the wire with tcpmon, I get:

      GET /sso-war-0.0.1/foo.do HTTP/1.1
      Host: d1m60q2j.my.domain:6060
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-gb,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Cookie: JSESSIONID=v6lOu62iJ2ex2+nX9TlZMg**; JSESSIONIDSSO=7D1F4DAA170B31403D3994E56293C03A; token="<Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"2007-04-11T14:27:11.207Z\" MajorVersion=\"1\" MinorVersion=\"1\" ResponseID=\"_7922e48bab03a7ed1fbb56da51a0e188\"><Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_e4d7d1360f820ceaf6ca4327e639b822\" IssueInstant=\"2007-04-11T14:27:11.426Z\" Issuer=\"HarpoonWebUI\" MajorVersion=\"1\" MinorVersion=\"1\"><AuthenticationStatement AuthenticationInstant=\"2007-04-11T14:27:11.207Z\" AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\"><Subject><NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</NameIdentifier></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</NameIdentifier></Subject><Attribute AttributeName=\"secret\" AttributeNamespace=\"jbosssso:secret\"><AttributeValue>99ce561dbb1f3c11a6bfbf5910800d844439d7ae02fbceec1c21e80d823009b7a1655f93384e7b7a148f7735e1135e843da328ff7f32aebec6c24373344e462b805abda1309587efef553a29dd2cf470166a5dd8c2bddb384edbfa49f6b1037a48432b5b46f57a18035f09a2ff4c7b4df95d4aba62fb17d5b808f541a665899cd50274c773c8a0e03ab661170c3a40710b4c8b3e318a89694a661581b4f61fca38ba166bf8de0d69a133fa3a7e81ade47847df7fad75268beab3b7259ffdbc6b0332b2d59053613ff099496b1c8f6ee99cbb333f1505903d9cfdd451effa28dce13aa2d03b5387c7d7c1a7580202e8161e8b9ad6c7881f655e4105f95dca0160aefce6400dd0c35aa38311c1c41b6635c00c30487782537be4d91b60a4724229a3e29f4deb1c66ca03ac4a1d3aa61efba5da366e0c36d7b5ef48966043e909754931fbf78583f4e679f04a29561b87c30ebee0a46d966fc5edf9fdcad73ce7081317d872abb6bbd749c2ea540c47838a4ebe51e36a5b9339e58822189ca22340c6b8749541235bb666ef4975729f1249a2e0403d9bc653a96777dc9f737bb65bcf03ccc2a63f24206f016f2a32f6e9cf4822d2a68ccf6227af89052c98becf2e0e05117d61f92ef41f74fd723e0e50dbb40bbab4fec9792c3a928e8f50031113e9556ac6dccfb770135250e3f9bdc5ebdeb2e943569a10b396ce88834becbcac</AttributeValue></Attribute></AttributeStatement></Assertion></Response>"
      Authorization: Basic YWRtaW46YWRtaW4=
      



      Everything looks legit, bar the weird cookie truncation. My installation is pretty regular:

      Jboss-4.0.5.GA/
      Jboss-SSO-1.0.CR1/
      jdk-1.5.0_08

      win32
      firefox 2.0.0.3

      Has anyone had this problem? Has my SAML token absorbed weird formatting (i.e. CRLFs), or does Tomcat need to be tweaked?
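      The debug trace above shows a cookie parser that opens a quoted value at the first `"` and closes it at the very next `"`, ignoring the backslash in front of it, which is why `token` comes back as `<Response xmlns=\` and the rest of the header is re-read as further cookies. The Python below is an added example, not code from this thread, from Tomcat or from JBoss SSO. It builds a constructed, shortened Cookie header modelled on the one in the post (the SAML body is cut down to a few elements; `HarpoonWebUI`, `admin` and the session IDs are copied from the post), reproduces the truncation with a parser that models only that failure (not Tomcat's actual code), parses the same header with RFC 2109 quoted-string rules so that the whole token survives, and then shows the alternative of encoding the token so that no parser has to handle quoting at all. Every helper name is mine.

```python
import base64

# Constructed sample: a cut-down version of the SAML 1.1 Response in the post.
SAML_TOKEN = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">'
    '<Status><StatusCode Value="samlp:Success"></StatusCode></Status>'
    '<Assertion Issuer="HarpoonWebUI"><AuthenticationStatement><Subject>'
    '<NameIdentifier>admin</NameIdentifier></Subject></AuthenticationStatement>'
    '</Assertion></Response>'
)


def quote_cookie_value(value: str) -> str:
    """RFC 2109 quoted-string: wrap in DQUOTEs and backslash-escape '\\' and '"'.
    This is the form seen on the wire in the post: token="<Response xmlns=\\"..."."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


# Constructed Cookie header with the same three cookies as the capture in the post.
COOKIE_HEADER = (
    "JSESSIONID=v6lOu62iJ2ex2+nX9TlZMg**; "
    "JSESSIONIDSSO=7D1F4DAA170B31403D3994E56293C03A; "
    "token=" + quote_cookie_value(SAML_TOKEN)
)


def parse_cookies_naive(header: str) -> dict:
    """Models the broken behaviour only: a value that starts with '"' is read up to
    the next '"' with no escape handling, so the backslash before the first embedded
    quote is the last character kept and the remainder is consumed as garbage cookies."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;':
            i += 1
        eq = header.find('=', i)
        if eq == -1:
            break
        name = header[i:eq]
        i = eq + 1
        if i < n and header[i] == '"':
            end = header.find('"', i + 1)          # no escape handling: the bug
            end = n if end == -1 else end
            value, i = header[i + 1:end], end + 1
        else:
            end = header.find(';', i)
            end = n if end == -1 else end
            value, i = header[i:end], end
        cookies.setdefault(name, value)            # first occurrence wins
    return cookies


def parse_cookies(header: str) -> dict:
    """Quoted-string-aware parse: inside '"..."' a backslash escapes the next
    character, so embedded \\" sequences are part of the value, not its end."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;':
            i += 1
        eq = header.find('=', i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            i += 1
            buf = []
            while i < n and header[i] != '"':
                if header[i] == '\\' and i + 1 < n:
                    i += 1                         # keep the escaped char, drop the backslash
                buf.append(header[i])
                i += 1
            i += 1                                 # step over the closing quote
            value = ''.join(buf)
        else:
            end = header.find(';', i)
            end = n if end == -1 else end
            value, i = header[i:end].strip(), end
        cookies[name] = value
    return cookies


def encode_for_cookie(value: str) -> str:
    """Safer option: URL-safe base64 without padding uses only characters that any
    cookie parser accepts (no '"', ';', ',', '\\', '=' or whitespace), so the token
    no longer depends on the server's quoted-string handling."""
    return base64.urlsafe_b64encode(value.encode('utf-8')).decode('ascii').rstrip('=')


def decode_from_cookie(value: str) -> str:
    pad = '=' * (-len(value) % 4)
    return base64.urlsafe_b64decode(value + pad).decode('utf-8')


if __name__ == '__main__':
    print('naive  :', repr(parse_cookies_naive(COOKIE_HEADER)['token']))
    print('correct:', parse_cookies(COOKIE_HEADER)['token'][:40], '...')
    enc = 'token=' + encode_for_cookie(SAML_TOKEN)
    print('encoded round-trips through the naive parser:',
          decode_from_cookie(parse_cookies_naive(enc)['token']) == SAML_TOKEN)
```

      Two practical points follow from this. First, the raw XML contains `"`, `=`, spaces and `:`, so even a parser that handles quoted-strings correctly is being asked to do something later cookie specifications (RFC 6265) do not permit at all; base64-encoding the token, at the cost of about a third more bytes on a value that is already a couple of kilobytes, removes the dependency on how any particular container parses quotes. Second, the capture in the post shows the whole assertion, including the attribute named `secret`, travelling on every request next to the session identifiers, so wherever the token is carried it belongs on TLS with the cookie scoped as tightly as the deployment allows.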


        • 1. Re: Problem with SAML in cookies
          soshah

          ajls-

          You need to patch your tomcat in jboss-4.0.5

          See here for details:

          For JBoss-4.0.5:

          Copy {JBOSS_SSO_INSTALL_DIR}/bin/patches/jboss-4.0.5/tomcat-util.jar to the tomcat sar file in your application server

          Also, more details are available in the README.txt file of the distribution.


          Thanks

          • 2. Re: Problem with SAML in cookies
            ajls

            Doh! Missed the README - thanks for the prompt response.

            Just as an aside, the SSO integration is quite closely coupled with J2EE HTTP, and we have a requirement to have single sign-on between non-HTML/HTTP and HTML/HTTP JBoss-bound applications, i.e. non-HTTP WS where session management is being handled by WS-Addressing (cookies are ruled out due to our WS architecture) and an AMF (Adobe's Active/Action Media Format) interface where session management is buried in proprietary binary.

            I am most likely going to have to build an adaptor to JBossSSO for AMF (we already have a cluster-friendly non-SAML SSO between WS and AMF), but find that it will be quite hard to decouple the HTTP and SSO concerns in the current implementation of JBossSSO (i.e. references to javax.servlet.* classes in token management and federation server integration).

            Are there any plans on the roadmap for de-contextualising the SSO integration (i.e. SSO 2.0)? I had a quick scan of JIRA but saw nothing similar, except for the Oracle SAML integration, which we may also need.

            JBossSSO is looking good for us now, and we like the SAML integration as it fits nicely into our SOA roadmap.