2 Replies Latest reply on Feb 28, 2013 12:58 PM by tim.kutz

    SAML Attributes with Multiple Values

    tim.kutz

      We have discovered a problem with the JBossAppServerAttributeManager.  This AttributeManager is written with the assumption that all attributes are single valued.  When an attribute - in our case, an LDAP attribute - has multiple values, only the last value in the list is published into the SAML.  In investigating this, I saw the following lines in the JBossAppServerAttributeManager:

       

                  if (attList != null) {
                      for (Attribute<Object> attribute : attList) {
                          // put() overwrites any earlier value stored under the same name
                          attributeMap.put(attribute.getName(), attribute.getValue());
                      }
                  }

       

      As you can see, this will replace a prior attribute, rather than add to it.

       

      I wrote a custom attribute manager, which builds lists by attribute name instead, thus preserving the full attribute list, but I am having trouble getting that AttributeManager to work.  I am getting an NPE on a responseType value.  I found a reference to the same error in the following thread, also apparently connected to a custom AttributeManager.

       

      https://community.jboss.org/message/716648

       

      We can go ahead with a custom AttributeManager, assuming we can get it to work, but it seems to me that the default AttributeManager should really handle this.  In order to plug in our custom Manager, do I need to pull down the latest code, and build a SNAPSHOT version of the project?  We are somewhat less than enthusiastic about going live with a non-release version.  If the latest version is indeed what we need, is there any way to get a timeline on when it will be released?

        • 1. Re: SAML Attributes with Multiple Values
          tim.kutz

          I attempted to update to the snapshot version in the message above, but it appears to be an older snapshot - versioned as 2.1.0-SNAPSHOT - while the codebase in git is 2.1.6.  This fix should then already be in my deployed version, but I'm still getting an error, and its source is unclear.

           

          My deployment is JBoss 7.1.1.Final, with PicketLink 2.1.6.

           

          When running using the JBossAppServerAttributeManager, the login works, but only single values are published for multi-valued attributes within the LDAP store.  I cribbed from that class, and modified it to handle multiple values, but even on a user with no multiple values present, I get the following error:

           

          15:56:32,018 ERROR [org.apache.catalina.connector.CoyoteAdapter] (http--0.0.0.0-8080-1) An exception or error occurred in the container during the request processing: java.lang.RuntimeException: PLFED000092: Null Value: responseType

                  at org.picketlink.identity.federation.PicketLinkLoggerImpl.nullValueError(PicketLinkLoggerImpl.java:106) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

                  at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:194) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                  at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:645) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

                  at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:383) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

                  at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:57) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

                  at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]

                  at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0]

           

          Using the debugger, I've successfully stepped through the replacement AttributeManager, and it appears to be working correctly.  The error happens later, and from the error message, appears unrelated to the AttributeManager directly.  Can anyone shed some light on this?

          • 2. Re: SAML Attributes with Multiple Values
            tim.kutz

            The error above results from a swallowed exception.  I've opened a Jira case for it, https://issues.jboss.org/browse/PLFED-385, in hopes that at least the error messages can be sorted out better.  More details are in the issue tracker, but the short version is that when an exception occurs in marshalling the SAML Assertions, which in my case resulted from passing one or more attribute values downstream from the AttributeManager that are not supported, the swallowed exception results in a null being returned instead of a Document.  Further downstream, that Document is inspected for type, and when null, produces the exception shown above.
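The two points raised in this thread, the overwriting put() loop in the first post and the unsupported value types that the last reply says get swallowed during assertion marshalling, as one added stand-alone Java illustration that is neither PicketLink's code nor the poster's custom manager. The Attr class is a constructed stand-in for the Attribute<Object> pairs the original loop iterates over; that String values are accepted downstream, and that a List of Strings is handled for multi-valued attributes, are assumptions to check against your PicketLink version.

```java
import java.util.*;

public class MultiValuedAttributeMapper {
    // Constructed stand-in for the Attribute<Object> name/value pairs the original
    // loop iterates over (not the JBoss security identity class itself).
    static final class Attr {
        final String name; final Object value;
        Attr(String name, Object value) { this.name = name; this.value = value; }
    }

    // Replacement for the put()-per-attribute loop: values sharing a name are
    // collected into a List, so a later value no longer overwrites an earlier one.
    static Map<String, Object> groupByName(List<Attr> attList) {
        Map<String, List<String>> grouped = new LinkedHashMap<String, List<String>>();
        if (attList != null) {
            for (Attr a : attList) {
                if (a.value == null) continue; // nothing to publish for an empty value
                // Assumption: only String values survive assertion marshalling; reject
                // anything else here instead of passing it downstream, where the
                // last reply reports the resulting exception is swallowed.
                if (!(a.value instanceof String)) {
                    throw new IllegalArgumentException("Unsupported value type for "
                        + a.name + ": " + a.value.getClass().getName());
                }
                List<String> vals = grouped.get(a.name);
                if (vals == null) {
                    vals = new ArrayList<String>();
                    grouped.put(a.name, vals);
                }
                vals.add((String) a.value);
            }
        }
        // Single-valued attributes stay bare; multi-valued ones become a List.
        Map<String, Object> attributeMap = new LinkedHashMap<String, Object>();
        for (Map.Entry<String, List<String>> e : grouped.entrySet()) {
            List<String> vals = e.getValue();
            attributeMap.put(e.getKey(), vals.size() == 1 ? vals.get(0) : vals);
        }
        return attributeMap;
    }

    public static void main(String[] args) {
        // Constructed sample: one mail value, two memberOf values for the same user.
        List<Attr> ldap = Arrays.asList(new Attr("mail", "alice@example.org"),
            new Attr("memberOf", "cn=admins,ou=groups,dc=example,dc=org"),
            new Attr("memberOf", "cn=devs,ou=groups,dc=example,dc=org"));
        System.out.println(groupByName(ldap)); // memberOf keeps both values
    }
}
```

Failing fast on an unexpected value type makes the real cause visible in the server log instead of the later "Null Value: responseType" error the thread shows.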