CAS 6.1.7 - SAML2 Attribute Query


Sven Specker

Aug 26, 2020, 3:20:14 AM
to CAS Community
Hi!

I have got a shib3 SP registered at my CAS and it tries to do an
AttributeQuery.

While the SP-initiated login with a browser works fine and tickets are
generated, as soon as I try to do an Attribute Query using the SP
itself, I run into a null pointer exception.

CAS basically receives and validates the SOAP request of the SP, finds
the appropriate service definition, validates the signatures
successfully and then throws up without being very helpful about the reason:

2020-08-25 15:27:15,730 ERROR
[org.apereo.cas.support.saml.web.idp.profile.query.Saml2AttributeQueryProfileHandlerController]
- <null>
java.lang.NullPointerException: null
at
org.apereo.cas.support.saml.web.idp.profile.query.Saml2AttributeQueryProfileHandlerController.handlePostRequest(Saml2AttributeQueryProfileHandlerController.java:61)
~[cas-server-support-saml-idp-web-6.1.7.1.jar:6.1.7.1]
at jdk.internal.reflect.GeneratedMethodAccessor356.invoke(Unknown
Source) ~[?:?]
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]


<snip>


2020-08-25 15:27:15,731 DEBUG
[org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the
received exception [java.lang.NullPointerException] due to a type
mismatch with handler
[org.apereo.cas.support.saml.web.idp.profile.query.Saml2AttributeQueryProfileHandlerController#handlePostRequest(HttpServletResponse,
HttpServletRequest)]>
2020-08-25 15:27:15,731 DEBUG
[org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the
received exception [java.lang.NullPointerException] due to a type
mismatch with handler
[org.apereo.cas.support.saml.web.idp.profile.query.Saml2AttributeQueryProfileHandlerController#handlePostRequest(HttpServletResponse,
HttpServletRequest)]>
2020-08-25 15:27:15,731 ERROR
[org.springframework.boot.web.servlet.support.ErrorPageFilter] -
<Forwarding to error page from request
[/idp/profile/SAML2/SOAP/AttributeQuery] due to exception [null]>

The only option I found to control SAML2 AQs was activating the endpoints.

The error messages did not enable me to track the problem down. Null
pointers are nasty and maybe I overlooked an option...

Can anyone point me in the right direction?

Thanks!

--
__________________________________________________________________
*** Sven Specker -- University of Frankfurt Computing Center ***
*********** UNIX System Administration (Auth/IDM) ****************
***** spe...@rz.uni-frankfurt.de [Phone (+49)-69-798-15188] *****
******************************************************************
__________________________________________________________________
Johann Wolfgang Goethe Universitaet
- Hochschulrechenzentrum -
Theodor W. Adorno-Platz 1 (PA-1P16)

D-60323 Frankfurt/Main
__________________________________________________________________
______________ TeX-users do it in {groups}________________________

Sven Specker

Sep 1, 2020, 10:26:15 AM
to CAS Community
Hi!

Does really no one have an idea why there is an NPE being thrown?

I would not mind a "proper" error message or at least an exception I can
work with, but seeing a null pointer does not clear stuff up, and since
apparently there is a handler missing something, I would love to know what.

Especially since the actual Query SOAP request comes through just fine.

Robert

Sep 27, 2021, 10:20:06 AM
to CAS Community, specker, cas-...@apereo.org

Can you tell me how you tried to run the attribute query? Did you use "resolvertest" from Shibboleth Utilities?

Robert

Sep 28, 2021, 2:19:03 AM
to CAS Community, Robert, specker, cas-...@apereo.org
Just tested it on 6.4.1-SNAPSHOT with resolvertest from Shibboleth SP. Seems like CAS does not like <xenc:EncryptedData/> in <saml:EncryptedID/> inside <saml:Subject/>. That's why `assertion.getSubject()` is null and therefore `assertion.getSubject().getNameID()` throws an NPE.
Tested a SOAP request directly to idp/profile/SAML2/SOAP/AttributeQuery without encryption and everything works.
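
An added triage sketch, not code from the thread or from CAS: it classifies how the Subject of a captured SOAP AttributeQuery is identified, so the encrypted form described in the last reply can be told apart from a plain NameID when reproducing the error. The function names, issuer URL and sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def subject_form(soap_xml):
    """Classify the Subject identifier of a SOAP-bound SAML2 AttributeQuery."""
    # SAML messages never need a DTD; refuse one instead of parsing it.
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD found in SAML message")
    query = ET.fromstring(soap_xml).find("soap:Body/samlp:AttributeQuery", NS)
    if query is None:
        return "no-attribute-query"
    subject = query.find("saml:Subject", NS)
    if subject is None:
        return "no-subject"
    if subject.find("saml:NameID", NS) is not None:
        return "plain-nameid"
    enc = subject.find("saml:EncryptedID", NS)
    if enc is not None:
        # This is the form the last reply reports as triggering the NPE.
        ok = enc.find("xenc:EncryptedData", NS) is not None
        return "encrypted-id" if ok else "malformed-encrypted-id"
    return "no-identifier"

def sample(subject_inner):
    # Constructed message skeleton; only the Subject content varies.
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (
        f"<soap:Envelope {xmlns}><soap:Body>"
        '<samlp:AttributeQuery ID="_constructed1" Version="2.0" '
        'IssueInstant="2020-08-25T13:27:15Z">'
        "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"
        f"<saml:Subject>{subject_inner}</saml:Subject>"
        "</samlp:AttributeQuery></soap:Body></soap:Envelope>"
    )

PLAIN = sample("<saml:NameID>constructed-user</saml:NameID>")
ENCRYPTED = sample("<saml:EncryptedID><xenc:EncryptedData/></saml:EncryptedID>")

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(label, "->", subject_form(msg))
```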
 
