-
1. Re: SAML V2 and XACMLV2 Integration Sample
anil.saldhana Apr 6, 2010 11:39 AM (in response to kirkm)
* You need to endorse Xerces. "-Djava.endorsed.dirs"
* The schema files are all present in the jars.
-
2. Re: SAML V2 and XACMLV2 Integration Sample
kirkm Apr 7, 2010 9:20 AM (in response to anil.saldhana)
Looking at the JBossPDP constructor, XML validation is forced on if the org.jboss.security.xacml.schema.validation system property is not set. I set the property and got past the parse problem. I ran into a minor issue with the example policyConfig.xml namespace using urn:picketlink:xacml:2.0 vs urn:jboss:xacml:2.0 but got the example working. I am attempting to modify the policy and request to a more simple example. Not being an XACML expert, I am finding it difficult to get a request to satisfy the policy. Are there any debug features in the XACML engine to see how the request is being evaluated?
-
3. Re: SAML V2 and XACMLV2 Integration Sample
anil.saldhana Apr 7, 2010 10:31 AM (in response to kirkm)
The JBossXACML project has many XACML policies that you can take a look at, mostly in the test cases/resources.
My blog post should have information on debugging etc. for the XACML engine.
-
4. Re: SAML V2 and XACMLV2 Integration Sample
bkrisler Apr 8, 2010 11:10 AM (in response to anil.saldhana)
Hi,
Can you elaborate on this topic a bit? I too am trying to wrap my head around XACML, SAML and
JBoss. In doing so, I am running into the same problem as the original poster.
I am running JBoss 5.1.0, which has jbossxacml.jar in the common/lib directory.
I have all the PicketLink jars installed in $JBOSS_HOME/server/default/deploy/picketlink
Including the pdp-1.0.3.CR2.war example.
My run startup script includes -Djava.endorsed.dir and the jboss endorsed dir contains XercesImpl
(I have not modified the standard JBoss install)
When I start my AS, everything starts up just fine. Then when I attempt to access:
http://localhost:8080/pdp-1.0.3.CR2/SOAPServlet
I get the following in my jboss logs:
java.lang.RuntimeException: javax.xml.bind.UnmarshalException
- with linked exception:
[org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'ns:jbosspdp'.]
at org.jboss.security.xacml.core.JBossPDP.<init>(JBossPDP.java:102)
at org.picketlink.identity.federation.web.servlets.saml.SOAPSAMLXACMLServlet.getPDP(SOAPSAMLXACMLServlet.java:269)
at org.picketlink.identity.federation.web.servlets.saml.SOAPSAMLXACMLServlet.init(SOAPSAMLXACMLServlet.java:133)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1048)
at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:777)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:129)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.xml.bind.UnmarshalException
- with linked exception:
[org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'ns:jbosspdp'.]
at javax.xml.bind.helpers.AbstractUnmarshallerImpl.createUnmarshalException(AbstractUnmarshallerImpl.java:315)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.createUnmarshalException(UnmarshallerImpl.java:514)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:215)
at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:184)
at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:137)
at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:184)
at org.jboss.security.xacml.core.JBossPDP.<init>(JBossPDP.java:97)
... 19 more
Am I doing something wrong? Is there a more basic example that I can run that demonstrates the most simple case of using XACML?
Thanks for any help.
Brian
-
5. Re: SAML V2 and XACMLV2 Integration Sample
kirkm Apr 8, 2010 1:32 PM (in response to bkrisler)
Brian,
Looking at my notes, I replaced the jboss-xacml with the 2.0.4 version because I was not sure which version was provided in the app server distribution. I used the -Dorg.jboss.security.xacml.schema.validation=false as a JBoss startup property. As far as making XACML understanding easier, take a look at Anil's Users Guide for JBoss XACML and put together a simple app using JBOSS XACML using the doc and sample PDP client code. It took me many iterations of client and policy changes to get a reasonable XACML understanding and get something working the way I wanted it. I got tired of redeploying the PDP service with new policies. It is easier to debug policies and requests within a Java application and deploy the policy once it is working.
-
6. Re: SAML V2 and XACMLV2 Integration Sample
anil.saldhana Apr 8, 2010 1:55 PM (in response to kirkm)
Best is to just reuse the policies and requests in the JBossXACML source project.
-
7. Re: SAML V2 and XACMLV2 Integration Sample
bkrisler Apr 12, 2010 12:34 PM (in response to kirkm)
Thanks for the info. I am making some headway with the provided examples and your suggestions, however I am now encountering an issue with the Servlet: Caused by: java.lang.ClassNotFoundException: org.jboss.security.xacml.sunxacml.finder.PolicyFinder.
I unpacked the jar and discovered that indeed, the sunxacml package does not exist. I thought I was missing a dependency,
however Chapter 7 of the Users Guide does not list any sunxacml requirement. Have you encountered this issue?
Thanks again.
Brian
-
8. Re: SAML V2 and XACMLV2 Integration Sample
bkrisler Apr 13, 2010 3:50 PM (in response to bkrisler)
For reference.
I have overcome all the issues encountered by myself and the original poster.
I discovered that the issue was actually in relation to the policyConfig.xml file. A simple change of the namespace from:
<ns:jbosspdp xmlns:ns="urn:picketlink:xacml:2.0">
to
<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
resulted in the examples working without the need for the system property or the latest jboss-xacml jar.
Brian
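A pre-deployment check for the two root causes discussed in this thread, added here as an example and not code from PicketLink or the posters: it parses a policyConfig.xml, confirms the root element is jbosspdp in the urn:jboss:xacml:2.0 namespace (the stale urn:picketlink:xacml:2.0 namespace is what produced the cvc-elt.1 error), and flags the -Dorg.jboss.security.xacml.schema.validation=false workaround so it is not left in a production startup script. The sample configs are constructed, modelled on the root elements quoted above.

```python
import xml.etree.ElementTree as ET

# Namespace that made the examples work (Brian's fix above).
EXPECTED_NS = "urn:jboss:xacml:2.0"
# Namespace shipped in the sample config that triggers cvc-elt.1.
STALE_NS = "urn:picketlink:xacml:2.0"

# Constructed sample configs: the broken root element from the thread,
# with a minimal body, and the same file after the namespace fix.
BROKEN_CONFIG = """<ns:jbosspdp xmlns:ns="urn:picketlink:xacml:2.0">
  <ns:Policies><ns:Policy><ns:Location>policy.xml</ns:Location></ns:Policy></ns:Policies>
</ns:jbosspdp>"""
FIXED_CONFIG = BROKEN_CONFIG.replace(STALE_NS, EXPECTED_NS)


def root_namespace(xml_text):
    """Return (namespace, local name) of the document's root element."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        ns, local = root.tag[1:].split("}", 1)
        return ns, local
    return "", root.tag


def check_pdp_config(xml_text):
    """Return findings for policyConfig.xml; an empty list means the root
    element is what the jboss-xacml schema expects."""
    findings = []
    ns, local = root_namespace(xml_text)
    if local != "jbosspdp":
        findings.append("root element is '%s', expected 'jbosspdp'" % local)
    if ns != EXPECTED_NS:
        findings.append("root namespace '%s' is not '%s'; JBossPDP will fail "
                        "with cvc-elt.1 under schema validation" % (ns, EXPECTED_NS))
    return findings


def check_jvm_opts(opts):
    """Return any startup option that switches schema validation off.
    Fix the namespace instead of shipping this kill switch."""
    flag = "-Dorg.jboss.security.xacml.schema.validation=false"
    return [o for o in opts if o.strip() == flag]


if __name__ == "__main__":
    print("broken:", check_pdp_config(BROKEN_CONFIG))
    print("fixed:", check_pdp_config(FIXED_CONFIG))
    print("jvm:", check_jvm_opts(["-Djava.endorsed.dirs=lib/endorsed",
                                  "-Dorg.jboss.security.xacml.schema.validation=false"]))
```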