[OpenSAML] Unable to unmarshall message; unsupported attribute?


Bailo, John

Sep 18, 2008, 7:59:43 PM
to 'mace-open...@internet2.edu'

From the SAML1 HTTPPostDecoder decode method, I receive this exception:

16:56:28,936 ERROR [BaseMessageDecoder] Unable to unmarshall message, no unmarshaller registered for message element {urn:oasis:names:tc:SAML:1.0:protocol}Response

In my SAML object I think the offending attribute is:

xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"


Scott Cantor

Sep 18, 2008, 8:30:22 PM
to mace-open...@internet2.edu
Bailo, John wrote:
> From the SAML1 HTTPPostDecoder decode method, I receive this exception:
>
> 16:56:28,936 ERROR [BaseMessageDecoder] Unable to unmarshall message, no
> unmarshaller registered for message element
> {urn:oasis:names:tc:SAML:1.0:protocol}Response

I would imagine you failed to initialize the libraries properly, however
that's done these days. That's a very basic element.

> In my SAML object I think the offending attribute is:
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"

There is no offending attribute, you just don't have any of the standard
classes registered with the XML runtime that's underneath all this.

-- Scott

Brent Putman

Sep 18, 2008, 10:36:27 PM
to mace-open...@internet2.edu


Scott Cantor wrote:
> Bailo, John wrote:
>> From the SAML1 HTTPPostDecoder decode method, I receive this exception:
>>
>> 16:56:28,936 ERROR [BaseMessageDecoder] Unable to unmarshall message,
>> no unmarshaller registered for message element
>> {urn:oasis:names:tc:SAML:1.0:protocol}Response
>
> I would imagine you failed to initialize the libraries properly,
> however that's done these days. That's a very basic element.

Yes, exactly. Please make sure to take a look at the User's Manual here:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManual


Library initialization is covered here:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManJavaLibIntro#OSTwoUsrManJavaLibIntro-ConfiguringtheLibrary

--Brent

Bailo, John

Sep 19, 2008, 12:08:28 PM
to mace-open...@internet2.edu

Thanks for your help. I'm basing my code on
\org\opensaml\saml1\binding\decoding\HTTPPostDecoderTest.java.

The difference is that they simulate the http request in code, where I
set up a .jsp with a FORM and SAMLRequest and target INPUT fields and I
POST to a servlet.

From the sample code, I culled what I think are the necessary steps to
get me to decode a SAML 1.1 object that is base64-encoded in a FORM.
According to the documentation link you sent me, "When fetching an
unmarshaller based on an element the factory first checks to see if the
element has a schema type specified by an xsi:type attribute. If it
does, the factory attempts to lookup an unmarshaller for that schema
type", so I assume that the BasicSAMLMessageContext object unmarshalls
and attempts to use the matching schema in the same way.

I am using:

import org.opensaml.saml1.binding.decoding.HTTPPostDecoder;

My method is below. I believe it's the necessary and sufficient number
of steps to get me to being able to decode the SAMLResponse.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml1.binding.decoding.HTTPPostDecoder;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.SecurityException;

// Message context held by the servlet (a field in the original code)
private BasicSAMLMessageContext messageContext;

// Note: a FORM POST is dispatched to doPost(); doGet() only sees GET requests.
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {

    SAMLMessageDecoder decoder;

    try {
        messageContext = new BasicSAMLMessageContext();
        // Wrap the servlet request so the decoder can read the POSTed form fields
        messageContext.setInboundMessageTransport(
                new HttpServletRequestAdapter(request));

        decoder = new HTTPPostDecoder(null);
        decoder.decode(messageContext);
    } catch (MessageDecodingException e) {
        // Swallowed here; the failure only shows up in the BaseMessageDecoder ERROR log
    } catch (SecurityException e) {
    }
}

Yet, decode(messageContext) throws an exception.

Bailo, John

Sep 19, 2008, 2:16:45 PM
to mace-open...@internet2.edu
To try and verify that my SAML object is not the problem, I tried using
the sample SAML 1.1 object in the Wikipedia article:

http://en.wikipedia.org/wiki/SAML_1.1#Browser.2FPOST_Profile

in Step 3.

I got the same exception.

Looking at the sample code I see that a marshallerFactory is instantiated
in the encodeMessage() method. But, I start with an existing
httpRequest that contains an encoded SAML 1.1 object in the POST, so I
am trying to strip away all the setup code down to just that needed to
decode the SAML object and let me get to its attributes.

Do I still need to set up a marshaller for decoding?


Brent Putman

Sep 19, 2008, 2:28:19 PM
to mace-open...@internet2.edu

Bailo, John wrote:
> Thanks for your help. I'm basing my code on
> \org\opensaml\saml1\binding\decoding\HTTPPostDecoderTest.java.
>

That's functionally correct, of course, but perhaps a little convoluted
to use as a template based on the way the tests are written. Such is
the nature of unit tests...

> The difference is that they simulate the http request in code, where I
> set up a .jsp with a FORM and SAMLRequest and target INPUT fields and I
> POST to a servlet.
>

That's fine, it should work either way. What you're trying to implement
here is apparently the binding behavior defined by the SAML 1.1
Browser/POST profile. If there are any details about what that means
that are unclear, consulting the spec doc would be helpful:


http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf

See section 4.1.2

("They", btw, includes Chad and me, the primary developers of Java
OpenSAML 2.)

Actually, I just noticed you said SAMLRequest. That isn't a part of
SAML 1.1 Browser/POST. Either you meant to say SAMLResponse (you're
implementing an SP, right?), or else you intend to do SAML 2. The
code is the same for the latter, but the decoder class (amongst many
other things....) is of course different.


> From the sample code, I culled what I think are the necessary steps to
> get me to decode a SAML 1.1 object that is base64-encoded in a FORM.
> According to the documentation link you sent me, "When fetching an
> unmarshaller based on an element the factory first checks to see if the
> element has a schema type specified by an xsi:type attribute. If it
> does, the factory attempts to lookup an unmarshaller for that schema
> type", so I assume that the BasicSAMLMessageContext object unmarshalls
> and attempts to use the matching schema in the same way.
>

Yes, mostly correctly, but it's not the message context itself that does
the unmarshalling. It uses factories exposed by the global
org.opensaml.Configuration to resolve builders, unmarshallers and
marshallers. On unmarshalling, resolution is first attempted based on
the xsi:type QName, if present; if not, or not registered, then uses the
Element QName.

> I am using:
>
> import org.opensaml.saml1.binding.decoding.HTTPPostDecoder;
>
> My method is below. I believe it's the necessary and sufficient number
> of steps to get me to being able to decode the SAMLResponse.
>
> protected void doGet(HttpServletRequest request, HttpServletResponse
> response) throws ServletException, IOException {
>
> SAMLMessageDecoder decoder;
>
> try {
>
> messageContext = new BasicSAMLMessageContext();
> messageContext.setInboundMessageTransport(
> new HttpServletRequestAdapter(request));
>
> decoder = new HTTPPostDecoder(null);
> decoder.decode(messageContext);
> } catch (MessageDecodingException e) {
> } catch (SecurityException e) {}
>
>
> }
>
>

That code looks functionally correct for the decoder. You do however
need to call DefaultBootstrap.bootstrap() to initialize the library
before you do any of this, as I've already noted. Amongst other things,
that loads up the Configuration factories with the implementation
classes. Note that the unit test does in fact call the bootstrap, it
just does it in a superclass setUp() method. You only need and want to
do it once, in your apps init/startup code, wherever that is.


> Yet, decode(messageContext) throws an exception.
>

The same error that you previously posted? Then you need to init the
library as we've already noted. If a different error, then please post it.

--Brent
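The fix Brent describes, written out as a complete servlet. This is an added example, not code from the thread or from the OpenSAML project: the library is bootstrapped once in init(), the form is handled in doPost(), and decoding failures are reported instead of swallowed. The OpenSAML 2 class names are the real ones (DefaultBootstrap, BasicSAMLMessageContext, HTTPPostDecoder, HttpServletRequestAdapter); the servlet name and the plain-text listing of assertions are assumptions made for the example.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.saml1.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Response;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.security.SecurityException;

/** Receives a SAML 1.1 Browser/POST form and lists the assertions it carries (example, hypothetical servlet). */
public class Saml1PostServlet extends HttpServlet {

    /**
     * Library initialization happens exactly once, when the container loads the
     * servlet. DefaultBootstrap.bootstrap() registers the builders, marshallers
     * and unmarshallers for the standard SAML and XML Signature/Encryption
     * elements; without it the decoder has no unmarshaller for
     * {urn:oasis:names:tc:SAML:1.0:protocol}Response, which is the error in the thread.
     */
    @Override
    public void init() throws ServletException {
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            // Fail deployment rather than run with a half-configured library.
            throw new ServletException("OpenSAML bootstrap failed", e);
        }
    }

    /** A browser form is POSTed, so the handler is doPost(), not doGet(). */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        BasicSAMLMessageContext<Response, SAMLObject, SAMLObject> messageContext =
                new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
        // The adapter lets the decoder read the SAMLResponse/TARGET form fields.
        messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));

        HTTPPostDecoder decoder = new HTTPPostDecoder(); // default parser pool
        try {
            decoder.decode(messageContext);
        } catch (MessageDecodingException e) {
            // Missing or malformed SAMLResponse field: reject the request
            // instead of continuing with an empty context as the original code did.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "cannot decode SAML message");
            return;
        } catch (SecurityException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML message rejected");
            return;
        }

        // Decoding only turns the POSTed XML into objects. Verifying the
        // ds:Signature and the profile's conditions (Recipient, audience,
        // validity window) is a separate step that must run before any
        // assertion is trusted; it is not part of this example.
        Response samlResponse = messageContext.getInboundSAMLMessage();
        List<Assertion> assertions = samlResponse.getAssertions();

        response.setContentType("text/plain");
        response.getWriter().println("assertions received: " + assertions.size());
        for (Assertion a : assertions) {
            response.getWriter().println("  id=" + a.getID() + " issuer=" + a.getIssuer());
        }
    }
}
```

Calling bootstrap() from init() is the servlet equivalent of the setUp() call in the unit test's superclass: it runs once per servlet instance, before any request is decoded, and a bootstrap failure stops deployment instead of surfacing later as a confusing "no unmarshaller registered" error.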

Brent Putman

Sep 19, 2008, 2:30:17 PM
to mace-open...@internet2.edu
See the response I just sent, you need to init the library before
you use it. Trust me, I know what I'm talking about. ;-)

Bailo, John

Sep 19, 2008, 2:36:18 PM
to mace-open...@internet2.edu

No, thanks I see what you mean on this page here:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManJavaLibIntro#OSTwoUsrManJavaLibIntro-ConfiguringtheLibrary

I think I was bamboozled by the sample code (which doesn't use a
Bootstrap initializer).

Brent Putman

Sep 19, 2008, 2:38:48 PM
to mace-open...@internet2.edu

Bailo, John wrote:
> No, thanks I see what you mean on this page here:
>
> https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManJavaLibIntro#OSTwoUsrManJavaLibIntro-ConfiguringtheLibrary
>
> I think I was bamboozled by the sample code (which doesn't use a
> Bootstrap initializer).
>
>

It does, it's in the test case's superclass setUp().

Bailo, John

Sep 19, 2008, 5:31:56 PM
to mace-open...@internet2.edu
Ok, thanks to your help, I now have moved forward.

I added the Bootstrap method to my servlet class.

I also had to put the endorsed jars in my jboss \lib\endorsed folder.

Note to jboss users: just putting the endorsed classes in $JAVA_HOME is
not sufficient.

Now my decode method throws

14:29:44,975 ERROR [BaseMessageDecoder] Encountered error unmarshalling
message from its DOM representation
org.opensaml.xml.io.UnmarshallingException: Unable to unmarshall
XMLSecSignatureImpl



Brent Putman

Sep 19, 2008, 5:50:33 PM
to mace-open...@internet2.edu

Bailo, John wrote:
> I also had to put the endorsed jars in my jboss \lib\endorsed folder.
>
> Note to jboss users: just putting the endorsed classes in $JAVA_HOME is
> not sufficient.
>

Yes, most Java runtimes are going to default the java.endorsed.dirs
system property to jre/lib/endorsed, but servlet and application
containers usually have their own special location for that, often
implemented by setting that system property in their startup script.

> Now my decode method throws
>
> 14:29:44,975 ERROR [BaseMessageDecoder] Encountered error unmarshalling
> message from its DOM representation
> org.opensaml.xml.io.UnmarshallingException: Unable to unmarshall
> XMLSecSignatureImpl
>
>

You're trying to unmarshall something that contains a ds:Signature and
the Apache XML-Security xmlsec lib doesn't like it. The ds:Signature
XML is probably syntactically invalid or incomplete (missing required
data). If you want to post that, we can diagnose, but it will probably
be a pretty obvious issue with the XML, you can probably figure it out
if you look at it closely.

Bailo, John

Sep 19, 2008, 7:04:41 PM
to mace-open...@internet2.edu

Yes, there were some flaws in the SAML object I was using.

I got a rectified version to work from and now it's running perfectly.

I am at the point of listing Assertions from the SAML Response object!

Thanks for all your help this week...it really made the difference.

Bailo, John

Oct 2, 2008, 12:28:03 PM
to mace-open...@internet2.edu

I have an application that requires:

RSA key pair generation
Decryption of a form field using private key
No SAML involved


I'm wondering if I can use the openSAML package to do this easily?

It seems like there is a package called com.opensaml.xml that has some
security methods (for some reason, I'm having a hard time locating its
api docs).

You also seem to use the Bouncy Castle libraries which I've been told
are a bootstrap to JCE.

Any suggestions?

Chad La Joie

Oct 2, 2008, 12:35:22 PM
to mace-open...@internet2.edu
You should just use the JDK APIs for that. I certainly wouldn't
recommend using a library for doing heavy XML and SAML stuff when you
don't need either.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Brent Putman

Oct 2, 2008, 4:31:42 PM
to mace-open...@internet2.edu

Bailo, John wrote:
> I have an application that requires:
>
> RSA key pair generation
> Decryption of a form field using private key
> No SAML involved
>
>
> I'm wondering if I can use the openSAML package to do this easily?
>

Not really. We have some security helper methods and such, but actually
not really anything that's directly applicable to what you need to do.
We have a signing utility for working with raw signatures, but nothing
for working with raw encryption/decryption ops directly.

Like Chad said, just use the Java security providers from the Java
Cryptography Architecture directly. It's not that hard, and you can
google plenty of simple example code.

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html


> It seems like there is a package called com.opensaml.xml that has some
> security methods (for some reason, I'm having a hard time locating its
> api docs).
>

The docs for the 3 libraries in the OpenSAML stack (opensaml2, openws,
xmltooling) are published separately.

http://www.opensaml.org/docs/

That package corresponds to the xmltooling project.


> You also seem to use the Bouncy Castle libraries which I've been told
> are a bootstrap to JCE.
>

Well, yes, we use some functionality of classes that are in the BC
provider jar, mostly some stuff for parsing ASN.1 structures in X.509
certs. But we don't necessarily require you to configure the BC
provider in your security provider set
(jre/lib/security/java.security). So we don't necessarily use it as a
JCA provider per se. Deployers can if they want, just depends on what
algorithms, max key lengths, etc that they want to support, taking
advantage of the pluggable and extensible nature of the Java security
provider architecture.
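What Chad and Brent recommend for the key-pair and form-field question, done with nothing but the JDK's Java Cryptography Architecture. This is an added example, not code from the thread or from OpenSAML; it assumes Java 8 or later (for java.util.Base64) and the standard SunJCE provider, and the form-field value it encrypts and decrypts is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;

import javax.crypto.Cipher;

/** RSA key pair generation and decryption of a base64 form field using only JCA (example code). */
public class FormFieldRsa {

    // OAEP with SHA-256 rather than PKCS#1 v1.5 padding: v1.5 RSA decryption is
    // exposed to padding-oracle attacks, OAEP is not. SunJCE ships this
    // transformation, so no extra provider (Bouncy Castle or other) is needed.
    static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Generates the server-side key pair; the private key never leaves the server. */
    public static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // 2048 bits is the floor for new deployments
        return kpg.generateKeyPair();
    }

    /** Decrypts the base64 text taken from a POSTed form parameter. */
    public static String decryptFormField(String base64Ciphertext, PrivateKey privateKey)
            throws GeneralSecurityException {
        byte[] ciphertext = Base64.getDecoder().decode(base64Ciphertext);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    /** What the sender does with the public key; included only to exercise the round trip. */
    public static String encryptForForm(String plaintext, PublicKey publicKey)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair keyPair = generateKeyPair();

        // Constructed sample value standing in for the form field's plaintext.
        String secret = "sample-field-value-123";
        String formField = encryptForForm(secret, keyPair.getPublic());
        String recovered = decryptFormField(formField, keyPair.getPrivate());
        if (!secret.equals(recovered)) {
            throw new AssertionError("round trip failed");
        }
        System.out.println("decrypted form field: " + recovered);

        // Limit worth knowing: RSA-OAEP with SHA-256 and a 2048-bit key encrypts at
        // most 190 bytes per operation. Larger fields need a hybrid scheme (a fresh
        // AES key encrypting the data, the AES key wrapped with RSA).
        System.out.println("ciphertext length (bytes): "
                + Base64.getDecoder().decode(formField).length); // 256 for a 2048-bit key
    }
}
```

On the server side, treat any GeneralSecurityException from decryptFormField() as one uniform "invalid field" error: distinguishing padding failures from other failures in responses or timing is exactly what the OAEP choice is meant to protect against, and the BadPaddingException subclass should not be reported to the client separately.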
