CAS 5.2.1 - Error loading ShibbolethAttributeResolverConfiguration


Oscar del Pozo
Jan 26, 2018, 8:14:47 AM
to CAS Community
Hi!

I'm trying to configure CAS to act as an identity provider. I have configured my service, metadata, etc., but I'm having trouble with my attribute-resolver.xml, and it seems to be a problem with the bean initialization order.

The problem is creating the bean attributeRepository in ShibbolethAttributeResolverConfiguration (cas-server-support-shibboleth-attributes dependency, following the https://apereo.github.io/cas/5.2.x/integration/Attribute-Resolution.html#shibboleth doc).

When the bean is being created, an exception is thrown because the XMLObjectProviderRegistry has not been initialized yet (it is initialized by OpenSamlConfigBean). Here is the exception:

2018-01-26 14:05:01,616 WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]: Constructor threw exception; nested exception is java.lang.NullPointerException>
2018-01-26 14:05:05,615 WARN [org.apereo.cas.config.ShibbolethAttributeResolverConfiguration] - <Error creating bean with name 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]: Constructor threw exception; nested exception is java.lang.NullPointerException>
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]: Constructor threw exception; nested exception is java.lang.NullPointerException
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1155) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        [...]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]: Constructor threw exception; nested exception is java.lang.NullPointerException
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:89) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1147) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
... 108 more
Caused by: java.lang.NullPointerException
at org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getBuilderFactory(XMLObjectProviderRegistrySupport.java:107) ~[opensaml-core-3.3.0.jar:?]
at net.shibboleth.idp.saml.attribute.encoding.AbstractSAML2AttributeEncoder.<init>(AbstractSAML2AttributeEncoder.java:61) ~[idp-saml-api-3.3.1.jar:?]

The NPE point:
    public static XMLObjectBuilderFactory getBuilderFactory() {
        return ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();
    }
My configuration:

cas.properties
cas.authn.samlIdp.entityId=entityId
cas.authn.samlIdp.hostName=HOST
cas.authn.samlIdp.scope=HOST
cas.authn.samlIdp.metadata.cacheExpirationMinutes=60
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
cas.authn.samlIdp.metadata.requireValidMetadata=true
cas.authn.samlIdp.response.signError=false
cas.authn.samlIdp.response.useAttributeFriendlyName=true
#cas.authn.samlIdp.metadata.failFast=true
#cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
#cas.authn.samlIdp.response.skewAllowance=0
cas.shibAttributeResolver.resources=file:/etc/cas/saml/attribute-resolver.xml

attribute-resolver.xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->
    <!-- Schema: Core schema attributes -->
    <AttributeDefinition id="FirstName" xsi:type="Simple" sourceAttributeID="firstname">
        <Dependency ref="vdp" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="FirstName"
            encodeType="false" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
    </AttributeDefinition>

    <AttributeDefinition id="LastName" xsi:type="Simple" sourceAttributeID="lastname">
        <Dependency ref="vdp" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="LastName"
            encodeType="false" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
    </AttributeDefinition>

    <AttributeDefinition id="Email" xsi:type="Simple" sourceAttributeID="email">
        <Dependency ref="vdp" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="Email"
            encodeType="false" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
    </AttributeDefinition>

    <!-- Name Identifier related attributes -->
    <AttributeDefinition id="NameID" xsi:type="PrincipalName">
        <AttributeEncoder xsi:type="SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            nameQualifier="NameID" encodeType="false" name="urn:oid:0.9.2342.19200300.100.1.1" />
    </AttributeDefinition>

    <!-- JNDI JDBC Connector -->
    <DataConnector id="vdp" xsi:type="RelationalDatabase" readOnlyConnection="true" queryTimeout="10000">
        <ContainerManagedConnection resourceName="java:comp/env/jdbc/mydatabase" />
        <QueryTemplate>
            <![CDATA[
                select * from user_table where login_input = '$requestContext.principalName' limit 1
            ]]>
        </QueryTemplate>
        <Column columnName="login_input" attributeID="NameID" />
        <Column columnName="firstname" attributeID="firstname" />
        <Column columnName="lastname" attributeID="lastname" />
        <Column columnName="email" attributeID="email" />
    </DataConnector>
</AttributeResolver>

When I access CAS through a service provider request, the redirections work fine and I'm able to log in, but when it tries to retrieve the attributes for the principal, there's nothing, because the created attribute repository is not the one configured in my attribute-resolver.xml.

Can anyone suggest where the problem is?

Oscar del Pozo
Jan 26, 2018, 8:31:26 AM
to CAS Community
OK,

I think I have a workaround.

I excluded the ShibbolethAttributeResolverConfiguration by adding the following to my application.yml:
spring:
    autoconfigure:
        exclude: org.apereo.cas.config.ShibbolethAttributeResolverConfiguration

Then I made my own AttributeResolverConfiguration class (a copy of ShibbolethAttributeResolverConfiguration) where I set a dependency on OpenSamlConfigBean to ensure that that bean is loaded before my config bean, and finally I added my new bean to the spring.factories file.

Anyway, I think the ShibbolethAttributeResolverConfiguration should include the dependency on the samlConfigBean, shouldn't it?
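To make the ordering problem and the @DependsOn workaround concrete, here is an added, self-contained Spring example (not CAS or Shibboleth code): StaticRegistry stands in for OpenSAML's static ConfigurationService, RegistryInitializer for OpenSamlConfigBean, and Encoder for SAML2StringAttributeEncoder, whose constructor reads the registry just as in the trace above. The bean name shibboleth.OpenSAMLConfig is what CAS uses for OpenSamlConfigBean to my knowledge, but treat it as an assumption.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

/** Stand-in for OpenSAML's static ConfigurationService / XMLObjectProviderRegistry. */
final class StaticRegistry {
    private static String builderFactory;                       // null until initialised
    static void init() { builderFactory = "builderFactory"; }
    // Throws NullPointerException when nothing has initialised the registry yet
    static String getBuilderFactory() { return builderFactory.toUpperCase(); }
}

/** Stand-in for OpenSamlConfigBean: constructing it populates the static registry. */
final class RegistryInitializer {
    RegistryInitializer() { StaticRegistry.init(); }
}

/** Stand-in for SAML2StringAttributeEncoder: reads the registry in its constructor. */
final class Encoder {
    final String factory = StaticRegistry.getBuilderFactory();
}

@Configuration
class SamlConfig {
    @Bean(name = "shibboleth.OpenSAMLConfig")                   // assumed CAS bean name
    RegistryInitializer openSamlConfigBean() { return new RegistryInitializer(); }
}

@Configuration
@DependsOn("shibboleth.OpenSAMLConfig")                         // the fix: initialise the registry first
class AttributeResolverConfig {
    @Bean
    Encoder attributeRepository() { return new Encoder(); }
}

public class OrderingDemo {
    public static void main(String[] args) {
        // Registering the resolver config before the SAML config mimics the order that produced
        // the NPE; with @DependsOn in place Spring still creates the initializer bean first.
        // Remove the @DependsOn line to reproduce the NullPointerException from the trace.
        try (AnnotationConfigApplicationContext ctx =
                 new AnnotationConfigApplicationContext(AttributeResolverConfig.class, SamlConfig.class)) {
            System.out.println(ctx.getBean(Encoder.class).factory);   // BUILDERFACTORY
        }
    }
}
```

In a CAS overlay the replacement configuration class is registered under the org.springframework.boot.autoconfigure.EnableAutoConfiguration key in META-INF/spring.factories, as the post describes. Note that in the original failure CAS only logged a WARN and kept issuing assertions with a different attribute repository, so a resolver that fails to initialise is worth treating as a startup-blocking error in monitoring rather than a warning.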