1 Reply Latest reply on Jan 13, 2014 4:28 PM by gthieme

    Signature validate Error

    gthieme

      Validating signatures from ADFS STS is failing. My picketlink.xml has <PicketLinkSP SupportsSignatures="true". I previously had it working when using JBoss6 with picketlink 2.1.7.

       

      I'm using Picketlink 2.5.2.Final with JBoss EAP 6.1.0.Alpha1 (AS 7.2.0.Alpha1-redhat-4); the upgrade was completed using picketlink-installer-1.1.2.Final. I also had this same issue with the version of picketlink included in the base JBossAS install (picketlink 2.1.6).

       

      The error is:

      11:51:47,759 ERROR [org.apache.catalina.connector] (http-/0.0.0.0:8443-1) JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.LinkageError: loader constraint violation in interface itable initialization: when resolving method "org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Ljavax/xml/crypto/dsig/XMLSignContext;)V" the class loader (instance of org/jboss/modules/ModuleClassLoader) of the current class, org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignature, and the class loader (instance of <bootloader>) for interface javax/xml/crypto/dsig/XMLSignature have different Class objects for the type ture.sign(Ljavax/xml/crypto/dsig/XMLSignContext;)V used in the signature
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:186)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:146)
        at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:492) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:308) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:117) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:57) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:66) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:102) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.2.Final.jar:]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:455) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:333) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:261) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Alpha1-redhat-4.jar:7.2.0.Alpha1-redhat-4]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

       

      I'm assuming javax/xml/crypto/dsig/XMLSignContext is coming from org.apache.santuario.xmlsec. I noticed that picketlink is using org.apache.santuario.xmlsec version=1.5.1 and JBoss is using org.apache.santuario.xmlsec version=1.5.3. Would updating the xmlsec version in https://github.com/picketlink/picketlink/blob/master/modules/federation/pom.xml to 1.5.3 resolve this issue?

       

      ADFS is returning the SAML2 token as a URL arg. If ADFS can be changed to return the token as a POST, would that also resolve the issue?

       

      I also created bug [PLINK-317] Signature validate Error - JBoss Issue Tracker, however that may have been premature.

       

      Thanks,
      Geoff

        • 1. Re: Signature validate Error
          gthieme

          This issue stops anyone using SAML SSO with JBoss EAP 6.1.0.Alpha1 (AS 7.2.0.Alpha1-redhat-4) from using signatures.

           

          I got a solution to this issue from the [PLINK-317] Signature validate Error - JBoss Issue Tracker bug report I created. Below is a summary of the solution:

           

          If you are using the default install of picketlink (2.1.6):

           

          1) Modify

          modules\system\layers\base\org\picketlink\main\module.xml

           

          2) Change

              <module name="org.apache.santuario.xmlsec"/>

          to

              <module name="org.apache.santuario.xmlsec">
                  <imports>
                      <exclude path="javax/*"/>
                  </imports>
              </module>

           

          If you used picketlink-installer-1.1.3.Final to upgrade to Picketlink 2.5.2.Final:

           

          1) Modify both

          modules\system\layers\base\org\picketlink\federation\main\module.xml

          and

          modules\system\layers\base\org\picketlink\federation\bindings\main\module.xml

           

          2) Apply the same change in step #2 above.

           

          -Geoff
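The module.xml change described in the reply above, as an added example that is not part of the original post or of PicketLink's own code: a Python script that applies the <imports><exclude path="javax/*"/></imports> edit to the org.apache.santuario.xmlsec dependency of a module.xml idempotently and reports whether each file actually changed, so it can be run over both module.xml paths listed above (or the single one for the 2.1.6 layout) and re-run safely without duplicating the exclude. The sample module.xml embedded below is constructed for the example; its resource name and the other dependencies are illustrative, and the module namespace urn:jboss:module:1.1 is an assumption about the files on disk. The has_javax_exclude check is useful on its own to confirm a file is patched before restarting the server.

```python
"""
Add <imports><exclude path="javax/*"/></imports> to the org.apache.santuario.xmlsec
dependency in a JBoss module.xml (the fix from the thread above), idempotently.
Example code for this thread; not PicketLink's or JBoss's own tooling.
Requires Python 3.9+ for xml.etree.ElementTree.indent.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

XMLSEC_MODULE = "org.apache.santuario.xmlsec"
EXCLUDE_PATH = "javax/*"

# Constructed sample resembling modules/system/layers/base/org/picketlink/main/module.xml.
# The resource-root and the dependencies other than xmlsec are illustrative only;
# the urn:jboss:module:1.1 namespace is assumed.
SAMPLE_MODULE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.picketlink">
    <resources>
        <resource-root path="picketlink-core-2.1.6.Final.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="org.apache.santuario.xmlsec"/>
        <module name="org.jboss.logging"/>
    </dependencies>
</module>
"""


def _ns(root):
    """Return the '{uri}' prefix of the root tag, or '' for a non-namespaced file."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _xmlsec_deps(root, ns):
    """Yield every <module name="org.apache.santuario.xmlsec"> dependency element."""
    for el in list(root.iter(f"{ns}module")):
        if el is not root and el.get("name") == XMLSEC_MODULE:
            yield el


def has_javax_exclude(xml_text):
    """True if every xmlsec dependency in the document already excludes javax/*."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    deps = list(_xmlsec_deps(root, ns))
    if not deps:
        return False
    for dep in deps:
        imports = dep.find(f"{ns}imports")
        if imports is None or not any(
            ex.get("path") == EXCLUDE_PATH for ex in imports.findall(f"{ns}exclude")
        ):
            return False
    return True


def exclude_javax_from_xmlsec(xml_text):
    """Return (new_xml, changed). changed is False when the exclude was already present
    or when the file has no xmlsec dependency at all (nothing to patch)."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:
        # Keep the default namespace on output instead of an ns0: prefix.
        ET.register_namespace("", ns.strip("{}"))
    changed = False
    for dep in _xmlsec_deps(root, ns):
        imports = dep.find(f"{ns}imports")
        if imports is None:
            imports = ET.SubElement(dep, f"{ns}imports")
        if not any(ex.get("path") == EXCLUDE_PATH for ex in imports.findall(f"{ns}exclude")):
            ET.SubElement(imports, f"{ns}exclude", path=EXCLUDE_PATH)
            changed = True
    ET.indent(root, space="    ")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", changed


def patch_module_files(paths):
    """Patch each module.xml in place; return {path: changed}. Missing files are skipped."""
    results = {}
    for p in map(Path, paths):
        if not p.is_file():
            continue
        new_xml, changed = exclude_javax_from_xmlsec(p.read_text(encoding="utf-8"))
        if changed:
            p.write_text(new_xml, encoding="utf-8")
        results[str(p)] = changed
    return results


if __name__ == "__main__":
    # Paths from the thread: one file for the bundled 2.1.6 module, two after the
    # 2.5.2.Final installer; relative to the JBoss EAP installation directory.
    targets = [
        "modules/system/layers/base/org/picketlink/main/module.xml",
        "modules/system/layers/base/org/picketlink/federation/main/module.xml",
        "modules/system/layers/base/org/picketlink/federation/bindings/main/module.xml",
    ]
    for path, changed in patch_module_files(targets).items():
        print(f"{path}: {'patched' if changed else 'already excluded / no xmlsec dependency'}")
```

Run it from the JBoss EAP installation directory and restart the server afterwards; a second run reports every file as already excluded, which is the check that the edit landed on the xmlsec dependency rather than somewhere else in the file.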