-
15. Re: Major security leak PicketLink and testing on ADFSv2
pipo1000 Aug 9, 2010 4:01 AM (in response to anil.saldhana)I have tested the trunk and.... it works!
Thanks a lot for your effort and I will try to write a wiki article on how to configure ADFSv2 with Tomcat PicketLink.
-
16. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Sep 17, 2010 4:05 PM (in response to pipo1000)Edwin.
PL 1.0.4.final is released. http://anil-identity.blogspot.com/2010/09/picketlink-104final-released.html
Now you can finish your article here with the 1.0.4 code.
-
17. Re: Major security leak PicketLink and testing on ADFSv2
pipo1000 Sep 28, 2010 9:26 AM (in response to anil.saldhana)I have tested the final on ADFSv2 and it works ok. I have made a lot of screenshots how to configure ADFS and made a first draft for my company (in Dutch) so I am working on the documentation.
I keep you posted.
-
18. Re: Major security leak PicketLink and testing on ADFSv2
girishkrsharma Oct 26, 2010 10:15 AM (in response to pipo1000)Guys,
Any update when this article is going to be available?
Thanks!
-
19. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Oct 26, 2010 10:40 AM (in response to girishkrsharma)Girish, Edwin has highlighted the steps above. Please try it out in your setup and report back.
-
20. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Nov 1, 2010 11:10 AM (in response to pipo1000)Edwin, come on. Finish the article. The wait is killing.
-
21. Re: Major security leak PicketLink and testing on ADFSv2
pipo1000 Nov 2, 2010 4:09 AM (in response to anil.saldhana)I have just added the latest parts to my document. I have uploaded a PDF document with all the steps; however, the document still needs some serious editing, as part of it is still in the Dutch language and the order of things is not 100% correct. But I think all the steps are there:
http://community.jboss.org/wiki/HowtoconfigurePicketlinkonTomcatwithMicrosoftADFSv2
-
22. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Nov 2, 2010 12:32 PM (in response to pipo1000)Edwin, thanks a lot. This PDF should be useful to people who want to configure PicketLink with ADFS2 on JBoss/Tomcat.
-
23. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 10:24 AM (in response to pipo1000)Has anyone else gotten this to work?
Trunk (2010-12-15) gives me:
org.w3c.dom.DOMException: NAMESPACE_ERR: An attempt is made to create or change an object in a way which is incorrect with regard to namespaces.
	at org.apache.xerces.dom.AttrNSImpl.setName(Unknown Source)
	at org.apache.xerces.dom.AttrNSImpl.<init>(Unknown Source)
	at org.apache.xerces.dom.CoreDocumentImpl.createAttributeNS(Unknown Source)
	at org.apache.xerces.dom.ElementImpl.setAttributeNS(Unknown Source)
	at org.picketlink.identity.federation.core.util.TransformerUtil$PicketLinkStaxToDOMTransformer.handleStartElement(TransformerUtil.java:309)
	at org.picketlink.identity.federation.core.util.TransformerUtil$PicketLinkStaxToDOMTransformer.transform(TransformerUtil.java:169)
	at org.picketlink.identity.federation.core.util.TransformerUtil.transform(TransformerUtil.java:111)
	at org.picketlink.identity.federation.core.parsers.util.StaxParserUtil.getDOMElement(StaxParserUtil.java:113)
	at org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser.parse(SAMLAssertionParser.java:124)
	at org.picketlink.identity.federation.core.parsers.saml.SAMLResponseParser.parse(SAMLResponseParser.java:81)
	at org.picketlink.identity.federation.core.parsers.saml.SAMLParser.parse(SAMLParser.java:86)
where 1.0.4 gives me:
java.lang.ClassCastException: org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationType cannot be cast to org.picketlink.identity.federation.saml.v2.assertion.NameIDType
	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:364)
	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:303)
	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:109)
	at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:74)
	at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:164)
	at org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator.authenticate(SPPostFormAuthenticator.java:198)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
	at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:151)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.proce
Also why are all picketlink errors TRACE level?
-
24. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 10:54 AM (in response to acoliver)Andy, the trunk is in a f$cked state, courtesy us as we transition away from JAXB.
The PL stuff that is 1.x which is in EAP etc is http://anonsvn.jboss.org/repos/picketlink/federation/branches/Branch_1_x/
-
25. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 10:59 AM (in response to anil.saldhana)Has the branch changed since 1.0.4? I showed the error of 1.0.4 in the second part of my message. Good move away from JAXB. JAXB code is yucky.
-
26. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 11:05 AM (in response to acoliver)I don't think anything really changed in the branch since 1.0.4. The exception that you are showing may be the result of some modifications you have done in your environment. If not, then there may be a bug.
I did put in a red note yesterday about potentially delaying 1.0.5 in http://community.jboss.org/wiki/PicketLinkRoadMap
We are currently neck deep in PL2 rewrite/refactor.
-
27. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 11:22 AM (in response to anil.saldhana)Stock 1.0.4 used with stock EAP 5.1 exhibits these errors with the sales app. I notice that the trunk code changes this:
    SubjectType subject = assertion.getSubject();
    JAXBElement<NameIDType> jnameID = (JAXBElement<NameIDType>) subject.getContent().get(0); // throws ClassCast
    NameIDType nameID = jnameID.getValue();
    final String userName = nameID.getValue();
    List<String> roles = new ArrayList<String>();
Was there a period in the trunk where both the XML transform errors did not exist and this assumption which causes a CCE did not exist? Or is there a way through configuration I could be off that would cause this CCE (even though I do get a response from ADFS)?
-Andy
-
28. Re: Major security leak PicketLink and testing on ADFSv2
anil.saldhana Dec 15, 2010 11:20 AM (in response to acoliver)Andy, it may be a bug. Any chance you can post the XML response here or in a JIRA? Mask out any confidential stuff from the response.
Hate the JAXB crap wherein it gives out a List<Object>
Try writing a simple test case invoking the code that is displaying the error. Get the XML from ADFS2 and write a simple test if possible.
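The cast in Andy's snippet above assumes that the first child of the assertion's Subject is a NameID. The SAML 2.0 assertion schema does not guarantee that: a Subject carries either an identifier (NameID, BaseID or EncryptedID) followed by zero or more SubjectConfirmation elements, or SubjectConfirmation elements alone, so index 0 can legitimately be a SubjectConfirmation. The following is an added example in the spirit of the test case Anil asks for, written here for this page and not PicketLink's own code. It parses two constructed SAML responses (not captured ADFS traffic; the issuer, recipient and subject values are made up) and contrasts the index-0 assumption with a lookup by element name. It does no XML signature verification, so in a real SP the NameID must only be trusted after the Response or Assertion signature has been validated.

```python
"""Locate the NameID in a SAML 2.0 <Subject> without assuming its position.

Added example, not PicketLink code. Both responses below are constructed
samples with made-up issuer, recipient and subject values.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAME_ID_TAG = "{%s}NameID" % NS["saml"]

# Constructed sample 1: NameID first, then a bearer SubjectConfirmation.
RESPONSE_WITH_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2010-12-15T10:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-12-15T10:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">edwin@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-12-15T10:05:00Z"
            Recipient="https://sp.example.test/sales/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 2: schema-valid Subject with SubjectConfirmation only.
RESPONSE_WITHOUT_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r2" Version="2.0" IssueInstant="2010-12-15T10:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2010-12-15T10:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-12-15T10:05:00Z"
            Recipient="https://sp.example.test/sales/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _subject(response_xml: str) -> ET.Element:
    """Return the <saml:Subject> of the first Assertion in the Response."""
    root = ET.fromstring(response_xml)
    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        raise ValueError("no saml:Subject in the first saml:Assertion")
    return subject


def subject_children(response_xml: str) -> List[str]:
    """Local names of the Subject's children, in document order."""
    return [child.tag.split("}", 1)[1] for child in _subject(response_xml)]


def naive_first_child_name_id(response_xml: str) -> str:
    """Mirror the index-0 assumption: treat child 0 as the NameID.

    Raises TypeError when child 0 is not a NameID, which is the Python
    analogue of the ClassCastException shown in the thread.
    """
    first = list(_subject(response_xml))[0]
    if first.tag != NAME_ID_TAG:
        raise TypeError("%s is not a NameID" % first.tag)
    return (first.text or "").strip()


def extract_name_id(response_xml: str) -> Optional[str]:
    """Look the NameID up by element name; None when the Subject has none.

    Signature verification is out of scope here and must happen before the
    returned value is used as a principal name.
    """
    name_id = _subject(response_xml).find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


if __name__ == "__main__":
    for label, xml in (("with NameID", RESPONSE_WITH_NAMEID),
                       ("without NameID", RESPONSE_WITHOUT_NAMEID)):
        print(label, subject_children(xml), extract_name_id(xml))
```

Running the module shows the second sample producing an empty result from the name-based lookup while the index-0 version raises; a service provider should fail the login cleanly in that case (or fall back to an attribute the identity provider does emit) rather than crash inside the handler chain. The same lookup-by-name discipline applies to AttributeStatement and Conditions, since their child order is also not fixed by the schema.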
-
29. Re: Major security leak PicketLink and testing on ADFSv2
acoliver Dec 15, 2010 11:24 AM (in response to anil.saldhana)I can give you what is in the log. Since ADFS requires SSL and generates its own key, I can't sniff its side with Wireshark.
How would such a test case work? I've no idea how to write it given that both sides are using signed keys.... I've attempted to understand your test cases but I've never located how they are configured.