SAML2 support


kaphael

Oct 18, 2016, 10:57:07 AM
to CAS Community

Hi,

I'm using CAS 5.0.0.RC3-SNAPSHOT with SAML2 support.

Since this version I get an issue with authentication (authentication works with RC1).

I think the issue comes from these lines (cas/support/cas-server-support-saml-idp/src/main/java/org/apereo/cas/support/saml/web/idp/profile/builders/enc/SamlObjectSigner.java):

l.409 : if (!overrideBlackListedSignatureAlgorithms.isEmpty()) {

and

l.414 : if (!overrideWhiteListedAlgorithms.isEmpty()) {

Should it be:

l.409 : if (this.overrideBlackListedSignatureAlgorithms != null && !this.overrideBlackListedSignatureAlgorithms.isEmpty()) {

and

l.414 : if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {

Or is there a property to set these 2 lists to empty ones?

I got the following stack trace (full stack trace in attachment):

2016-10-18 16:02:24,943 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.ChainingMetadataResolverCacheLoader] - <Initialized metadata resolver from [http://cas.sp.test.fr/metadata]>
2016-10-18 16:02:25,053 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/idp/profile/SAML2/Redirect/SSO] due to exception [null]>
java.lang.NullPointerException
       at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSigner.verifySamlProfileRequestIfNeeded(SamlObjectSigner.java:409) ~[cas-server-support-saml-idp-5.0.0.RC3-SNAPSHOT.jar:5.0.0.RC3-SNAPSHOT]
       at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSigner$$FastClassBySpringCGLIB$$84e9b1fd.invoke(<generated>) ~[cas-server-support-saml-idp-5.0.0.RC3-SNAPSHOT.jar:5.0.0.RC3-SNAPSHOT]
       at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720) ~[spring-aop-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) ~[spring-aop-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) ~[spring-aop-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655) ~[spring-aop-4.3.3.RELEASE.jar:4.3.3.RELEASE]
       at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSigner$$EnhancerBySpringCGLIB$$cc188ec1.verifySamlProfileRequestIfNeeded(<generated>) ~[cas-server-support-saml-idp-5.0.0.RC3-SNAPSHOT.jar:5.0.0.RC3-SNAPSHOT]
       at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController.initiateAuthenticationRequest(AbstractSamlProfileHandlerController.java:408) ~[cas-server-support-saml-idp-5.0.0.RC3-SNAPSHOT.jar:5.0.0.RC3-SNAPSHOT]
       at org.apereo.cas.support.saml.web.idp.profile.SSOPostProfileHandlerController.handleSsoPostProfileRequest(SSOPostProfileHandlerController.java:71) ~[cas-server-support-saml-idp-5.0.0.RC3-SNAPSHOT.jar:5.0.0.RC3-SNAPSHOT]
       at org.apereo.cas.support.saml.web.idp.profile.SSOPostProfileHandlerController.handleSaml2ProfileSsoRedirectRequest(SSOPostProfileHandlerController.java:43) ~[cas-server-support-saml-idp-5.0.0.RC3-SNAPSHOT.jar:5.0.0.RC3-SNAPSHOT]
[...]


My cas.properties:

server.contextPath=/cas
server.port=8443
server.ssl.keyStore=file:C:\\workspace\\cas-server\\etc\\cas\\thekeystore
server.ssl.keyStorePassword=changeit
server.ssl.keyPassword=changeit

server.tomcat.basedir=build/tomcat
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.maxHttpHeaderSize=20971520
server.tomcat.maxThreads=5
server.tomcat.portHeader=X-Forwarded-Port
server.tomcat.protocolHeader=X-Forwarded-Proto
server.tomcat.protocolHeaderHttpsValue=https
server.tomcat.remoteIpHeader=X-FORWARDED-FOR
server.tomcat.uriEncoding=UTF-8

server.useForwardHeaders=true

server.name=http://cas.idp.test.fr:8080
server.prefix=${server.name}/cas
host.name=cas.idp.test.fr

cas.server.name=http://cas.idp.test.fr:8080
cas.server.prefix=${server.name}/cas
cas.host.name=cas.idp.test.fr

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config:file:C:\\workspace\\cas-server\\etc\\cas\\config\\log4j2.xml

## SERVICES

cas.serviceRegistry.config.location=classpath:/services
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.repeatInterval=10000
cas.serviceRegistry.startDelay=15000
cas.serviceRegistry.initFromJson=true

## AUTHENTICATION

cas.authn.shiro.config.location=file:C:\\workspace\\cas-server\\etc\\cas\\config\\shiro.ini
cas.authn.accept.users=

## SAML IDP

cas.authn.samlIdp.entityId=http://cas.idp.test.fr:8080/cas/idp
cas.authn.samlIdp.hostName=cas.idp.test.fr
cas.authn.samlIdp.scope=cas.idp.test.fr

cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
cas.authn.samlIdp.metadata.failFast=true
cas.authn.samlIdp.metadata.location=C:/workspace/cas-server/etc/cas/config/saml

cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.requireValidMetadata=true

cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false

cas.authn.samlIdp.response.skewAllowance=0
cas.authn.samlIdp.response.signError=false
cas.authn.samlIdp.response.overrideSignatureCanonicalizationAlgorithm=
cas.authn.samlIdp.response.useAttributeFriendlyName=true

## CAS components mappings

primaryAuthenticationHandler=shiroAuthenticationHandler

## CAS SSO Cookie Generation & Security

tgc.cipherEnabled=true
tgc.encryption.key=cTuglkjtEwRkpHuF
tgc.signing.key=I5k4Ydbnv4y14c_c8VwAkMCjOCQez-txtRXOUjnRIYeOq7zpiNb8rokfT12-IH5QJvXldhtaIH_InGahR5dUtQ

# Indicates whether SAML ticket id generation should be saml2-compliant.
cas.saml.ticketid.saml2=true


My pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd ">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-overlay</artifactId>
    <packaging>war</packaging>
    <version>1.0</version>

    <build>
        <plugins>
            <plugin>
                <groupId>com.rimerosolutions.maven.plugins</groupId>
                <artifactId>wrapper-maven-plugin</artifactId>
                <version>0.0.4</version>
                <configuration>
                    <verifyDownload>true</verifyDownload>
                    <checksumAlgorithm>MD5</checksumAlgorithm>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>2.6</version>
                <configuration>
                    <warName>cas</warName>
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                    <recompressZippedFiles>false</recompressZippedFiles>
                    <archive>
                        <compress>false</compress>
                        <manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF</manifestFile>
                    </archive>
                    <overlays>
                        <overlay>
                            <groupId>org.apereo.cas</groupId>
                            <artifactId>cas-server-webapp</artifactId>
                        </overlay>
                    </overlays>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.3</version>
            </plugin>
            <plugin>
                <groupId>org.eclipse.jetty</groupId>
                <artifactId>jetty-maven-plugin</artifactId>
                <version>${maven-jetty-plugin.version}</version>
                <configuration>
                    <jettyXml>${basedir}/etc/jetty/jetty.xml,${basedir}/etc/jetty/jetty-ssl.xml,${basedir}/etc/jetty/jetty-https.xml</jettyXml>
                    <systemProperties>
                        <systemProperty>
                            <name>org.eclipse.jetty.annotations.maxWait</name>
                            <value>240</value>
                        </systemProperty>
                    </systemProperties>
                    <webApp>
                        <contextPath>/cas</contextPath>
                        <overrideDescriptor>${basedir}/etc/jetty/web.xml</overrideDescriptor>
                    </webApp>
                    <webAppConfig>
                        <allowDuplicateFragmentNames>true</allowDuplicateFragmentNames>
                    </webAppConfig>
                    <jvmArgs>-Dlogging.config=/etc/cas/log4j2.xml -Xdebug -Xrunjdwp:transport=dt_socket,address=5000,server=y,suspend=n</jvmArgs>
                </configuration>
            </plugin>
        </plugins>
        <finalName>cas</finalName>
    </build>

    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml-idp</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-generic</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-jdbc</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.inspektr</groupId>
            <artifactId>inspektr-aspects</artifactId>
            <version>1.5.GA</version>
        </dependency>
    </dependencies>

    <properties>
        <cas.version>5.0.0.RC3-SNAPSHOT</cas.version>
        <maven-jetty-plugin.version>9.3.6.v20151106</maven-jetty-plugin.version>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <repositories>
        <repository>
            <id>sonatype-releases</id>
            <url>http://oss.sonatype.org/content/repositories/releases/</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
            <releases>
                <enabled>true</enabled>
            </releases>
        </repository>
        <repository>
            <id>sonatype-snapshots</id>
            <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
            <releases>
                <enabled>false</enabled>
            </releases>
        </repository>
        <repository>
            <id>shibboleth-releases</id>
            <url>https://build.shibboleth.net/nexus/content/repositories/releases</url>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <url>https://repo.spring.io/milestone</url>
        </repository>
    </repositories>

    <profiles>
        <profile>
            <activation>
                <activeByDefault>false</activeByDefault>
            </activation>
            <id>pgp</id>
            <build>
                <plugins>
                    <plugin>
                        <groupId>com.github.s4u.plugins</groupId>
                        <artifactId>pgpverify-maven-plugin</artifactId>
                        <version>1.1.0</version>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                            </execution>
                        </executions>
                        <configuration>
                            <pgpKeyServer>hkp://pool.sks-keyservers.net</pgpKeyServer>
                            <pgpKeysCachePath>${settings.localRepository}/pgpkeys-cache</pgpKeysCachePath>
                            <scope>test</scope>
                            <verifyPomFiles>true</verifyPomFiles>
                            <failNoSignature>false</failNoSignature>
                        </configuration>
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
</project>


Regards.

stackTrace.txt
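As an added illustration of the null-safe override the post proposes (this is not CAS or OpenSAML code): an unset property binds to null, and the effective signature-algorithm lists should only be replaced when an override is actually configured, so that a default deny-list stays in force. The class name, the default deny-list and the use of the standard XML Signature algorithm URIs as sample data are assumptions made for this example.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical policy class written for this example, not a CAS component.
public class SignatureAlgorithmPolicy {
    // Standard XML Signature algorithm identifiers, used here as sample data.
    static final String RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    private final Set<String> blackListed;
    private final Set<String> whiteListed;

    SignatureAlgorithmPolicy(Set<String> blackListed, Set<String> whiteListed) {
        this.blackListed = blackListed;
        this.whiteListed = whiteListed;
    }

    // The override replaces the default only when it is non-null AND non-empty;
    // calling isEmpty() on a null (unset) override is exactly the NPE in the post.
    static Set<String> effective(Set<String> defaults, Collection<String> override) {
        if (override != null && !override.isEmpty()) {
            return new LinkedHashSet<>(override);
        }
        return defaults;
    }

    static SignatureAlgorithmPolicy fromConfig(Collection<String> overrideBlackList,
                                               Collection<String> overrideWhiteList) {
        // Assumed defaults for this illustration: deny RSA-SHA1 unless overridden,
        // and apply no allow-list restriction when none is configured.
        Set<String> defaultBlack = new LinkedHashSet<>(Collections.singleton(RSA_SHA1));
        Set<String> defaultWhite = Collections.emptySet();
        return new SignatureAlgorithmPolicy(effective(defaultBlack, overrideBlackList),
                                            effective(defaultWhite, overrideWhiteList));
    }

    // Deny-list is checked first; a non-empty allow-list then restricts further.
    boolean isAllowed(String algorithmUri) {
        if (blackListed.contains(algorithmUri)) {
            return false;
        }
        return whiteListed.isEmpty() || whiteListed.contains(algorithmUri);
    }

    public static void main(String[] args) {
        // Both overrides unset (null), as when the properties are absent from cas.properties.
        SignatureAlgorithmPolicy unset = fromConfig(null, null);
        System.out.println("rsa-sha1 with defaults: " + unset.isAllowed(RSA_SHA1));
        System.out.println("rsa-sha256 with defaults: " + unset.isAllowed(RSA_SHA256));
        // Allow-list override configured: only RSA-SHA256 is accepted.
        SignatureAlgorithmPolicy strict = fromConfig(null, Collections.singleton(RSA_SHA256));
        System.out.println("rsa-sha256 with allow-list: " + strict.isAllowed(RSA_SHA256));
    }
}
```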

Misagh Moayyed

Oct 18, 2016, 11:08:43 AM
to CAS Community
File an issue please; include all details.


From: "kaphael" <kaph...@gmail.com>
To: "CAS Community" <cas-...@apereo.org>
Sent: Tuesday, October 18, 2016 6:27:01 PM
Subject: [cas-user] SAML2 support
