8 Replies Latest reply on Apr 13, 2010 3:50 PM by bkrisler

SAML V2 and XACMLV2 Integration Sample

kirkm Apr 5, 2010 2:10 PM

I have been working through an examples using the SAML/XACML PDP and have run into a configuration issue with the PDP engine. Looks like the SAX parser has validation checking turned on and wants policyConfig.xml to have a valid schema. The error I am getting is SAXParseException cvc-elt.1 - Cannot find declaration of element ns:jbosspdp. Where can checking be disabled? Is there a schema available for the configuration file?

1. Re: SAML V2 and XACMLV2 Integration Sample

anil.saldhana Apr 6, 2010 11:39 AM (in response to kirkm)

* You need to endorse Xerces. "-Djava.endorsed.dirs"
* The schema files are all present in the jars.
Actions
2. Re: SAML V2 and XACMLV2 Integration Sample

kirkm Apr 7, 2010 9:20 AM (in response to anil.saldhana)

Looking at the JBossPDP contructor, XML validation is forced on if org.jboss.security.xacml.schema.validation system property is not set. I set the property and got passed the parse problem. I ran into a minor issue with the example policyConfig.xml namespace using urn:picketlink:xacml:2.0 vs urn:jboss:xacml:2.0 but got the example working. I am attempting to modify the policy and request to a more simple example. Not being a XACML expert I am finding it difficult to get a request to satisfy the policy. Are there any debug features in the XACML engine to see how the request is being evaluated?
Actions
3. Re: SAML V2 and XACMLV2 Integration Sample

anil.saldhana Apr 7, 2010 10:31 AM (in response to kirkm)

The JBossXACMl project has many xacml policies that you can take a look. mostly in the test cases/resources.

My blog post sshould have information on debugging etc for xacml engine.
Actions

4. Re: SAML V2 and XACMLV2 Integration Sample

bkrisler Apr 8, 2010 11:10 AM (in response to anil.saldhana)

Hi,

Can you elaborate on this topc a bit. I too am trying to wrap my head around XACML, SAML and

JBoss. In doing so, I am running into the same problem as the original poster.

I am running JBoss 5.1.0, which has jbossxacml.jar in the common/lib directory.

I have all the PicketLink jars installed in $JBOSS_HOME/server/default/deploy/picketlink

Including the pdp-1.0.3.CR2.war example.

My run startup script includes -Djava.endorsed.dir and the jboss endorsed dir contains XercesImpl

(I have not modified the standard JBoss install)

When I start my AS, everything starts up just fine. Then when I attempt to access:

http://localhost:8080/pdp-1.0.3.CR2/SOAPServlet

I get the following in my jboss logs:

java.lang.RuntimeException: javax.xml.bind.UnmarshalException
 - with linked exception:
[org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'ns:jbosspdp'.]
    at org.jboss.security.xacml.core.JBossPDP.<init>(JBossPDP.java:102)
    at org.picketlink.identity.federation.web.servlets.saml.SOAPSAMLXACMLServlet.getPDP(SOAPSAMLXACMLServlet.java:269)
    at org.picketlink.identity.federation.web.servlets.saml.SOAPSAMLXACMLServlet.init(SOAPSAMLXACMLServlet.java:133)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1048)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:777)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:129)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.xml.bind.UnmarshalException
 - with linked exception:
[org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'ns:jbosspdp'.]
    at javax.xml.bind.helpers.AbstractUnmarshallerImpl.createUnmarshalException(AbstractUnmarshallerImpl.java:315)
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.createUnmarshalException(UnmarshallerImpl.java:514)
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:215)
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:184)
    at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:137)
    at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:184)
    at org.jboss.security.xacml.core.JBossPDP.<init>(JBossPDP.java:97)
    ... 19 more

Am I doing something wrong? Is there are more basic example that I can run that demonstrates to most simple case of using XACML?

Thanks for any help.

Brian

5. Re: SAML V2 and XACMLV2 Integration Sample

kirkm Apr 8, 2010 1:32 PM (in response to bkrisler)

Brian,

Looking at my notes, I replaced the jboss-xacml with the 2.0.4 version because I was not sure which version was provided in the app server distribution. I used the -Dorg.jboss.security.xacml.schema.validation=false as a jboss startup property. As far as making XACML understanding easier, take a look at Anils's Users Guide for JBoss XACML and put together a simple app using JBOSS XACML using the doc and sample PDP client code. It took me many iterations of client and policy changes to get a reasonable XACML understanding and get something working the way I wanted it. I got tired of redeploying the PDP service with new policies. Easier to debug policies and requests within a java application and deploy the policy once it is working.
Actions
6. Re: SAML V2 and XACMLV2 Integration Sample

anil.saldhana Apr 8, 2010 1:55 PM (in response to kirkm)

Best is to just reuse the policies and requests in the JBossXACML source project.
Actions
7. Re: SAML V2 and XACMLV2 Integration Sample

bkrisler Apr 12, 2010 12:34 PM (in response to kirkm)

Thanks for the info. I am making some headway with the provided examples and your suggestions, however I am now encountering an issue with the Servlet: Caused by: java.lang.ClassNotFoundException: org.jboss.security.xacml.sunxacml.finder.PolicyFinder.

I unpacked the jar and discovered that indeed, the sunxacml package does not exist. I thought I was missing a dependency,
however Chapter 7 of the Users Guide does not list any sunxacml requirement. Have you encountered this issue?

Thanks again.

Brian
Actions
8. Re: SAML V2 and XACMLV2 Integration Sample

bkrisler Apr 13, 2010 3:50 PM (in response to bkrisler)

For reference.

I have overcome all the issues encountered by myself and the original poster.

I discovered that the issue was actually in relation to the policyConfig.xml file. A simple change of the namespace from:

<ns:jbosspdp xmlns:ns="urn:picketlink:xacml:2.0">

to

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">

resulted in the examples working without the need for the system property or the latest jboss-xacml jar.

Brian
Actions

Go to original post