[OpenSAML] Signature Validation Logging


Swapna Gupta

May 26, 2011, 11:44:31 AM5/26/11
to mace-open...@internet2.edu
I am encountering following exception during signature validation:

org.opensaml.xml.validation.ValidationException: Signature did not validate
against the credential's key

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManSigErrors
mentions turning on Debug level logging for
org.apache.xml.security.utils.DigesterOutputStream

I fiddled with my logging.properties file to get the logging turned on for
this class, but without luck. Can anyone please tell me what the
logging.properties should look like to get the debug output from this class?

Thanks.

Brent Putman

May 26, 2011, 11:49:23 AM5/26/11
to mace-open...@internet2.edu

On 5/26/11 11:44 AM, Swapna Gupta wrote:
>
> I fiddled with my logging.properties file to get the logging turned on for
> this class, but without luck. Can anyone please tell me what the
> logging.properties should look like to get the debug output from this class?

OpenSAML uses the slf4j logging facade. You need to install and
configure an appropriate binding impl and/or bridge for slf4j.


https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaBB

Swapna Gupta

May 26, 2011, 12:50:55 PM5/26/11
to mace-open...@internet2.edu
Thanks! I have added logback-core and logback-classic jars to the classpath. What else should I do to get the Debug messages from DigesterOutputStream? Reading the Logback documentation, it appears it is by default set to log at debug level to the console. But I don't see any messages on the console.

I apologize for my ignorance about logging frameworks. Thanks.

Brent Putman

May 26, 2011, 1:50:11 PM5/26/11
to mace-open...@internet2.edu
Actually

On 5/26/11 12:50 PM, Swapna Gupta wrote:
> Thanks! I have added logback-core and logback-classic jars to the classpath. What else should I do to get the Debug messages from DigesterOutputStream? Reading the Logback documentation, it appears it is by default set to log at debug level to the console. But I don't see any messages on the console.
>

Ah, sorry, I spoke a little too quickly. To get logging from our
OpenSAML classes themselves, you do need to install an slf4j binding,
such as Logback.

To get logging from other libraries which don't use slf4j natively, you
need to address that logging framework's requirements. That
DigesterOutputStream is from Apache XML Security (Santuario) and uses
Apache Jakarta Commons Logging (JCL). So you need to get the actual log
output from JCL.

If you still want to use an SLF4J-based library like Logback as the
actual logging impl in your OpenSAML-based application (which is fine,
it's pretty good), then you need to install the SLF4J JCL to SLF4J
bridge jar. See:

http://slf4j.org/legacy.html

It's the one listed there as jcl-over-slf4j.

Logback does log to the console by default. If you want it to go to a
file, etc. you just need a logback config file. The easiest is to just
put it in your classpath. See the logback user manual for details.


Swapna Gupta

May 26, 2011, 3:58:24 PM5/26/11
to mace-open...@internet2.edu
Thanks. So I added jcl-over-slf4j.jar to the classpath, still no messages. Do I need to do anything more?

Thanks.


Brent Putman

May 26, 2011, 4:09:14 PM5/26/11
to mace-open...@internet2.edu
No, not really. In fact, before, you should have at least been seeing
things on the console from OpenSAML itself logging to logback. If you
aren't, you'd have to ask the logback people or search around their
support stuff.

Also, to be clear, in this context of logback's internal default config,
"console" means stdout. So if you have stdout redirected somewhere,
that's where it would be going.

Swapna Gupta

May 26, 2011, 4:21:04 PM5/26/11
to mace-open...@internet2.edu
Thanks. I am continuing to research. When I do the following in my code, what I find is that the Log contains a Logger which is an instance of org.slf4j.helpers.NOPLogger.

org.apache.commons.logging.Log log = LogFactory.getLog(org.apache.xml.security.utils.DigesterOutputStream.class);

And there is an slf4j-nop jar in the classpath.

Could this be the reason nothing is getting logged?

Brent Putman

May 26, 2011, 4:36:09 PM5/26/11
to mace-open...@internet2.edu
Oh, yeah, absolutely remove the nop one. That is a no-op impl of the
API that silently discards all logging. You only want 1 binding jar on
the classpath. Since you are using logback, that's your binding jar.
So you want to not include any of the other binding jars that come with
slf4j itself. Those are for example listed about halfway down the page
here:

http://www.slf4j.org/manual.html

You just want the slf4j-api jar and any bridge jars for other logging
frameworks that are used by components in your environment (e.g. the
jcl-over-slf4j).
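An added sanity check, not code from the thread or from OpenSAML/Santuario, that tests the three points raised above at runtime: whether the slf4j binding that won is the no-op one, whether jcl-over-slf4j is actually routing Commons Logging calls from DigesterOutputStream into slf4j, and whether that logger is effectively at DEBUG. The class and method names are my own, and the logback.xml in the comment is an assumed configuration to drop on the classpath.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.slf4j.ILoggerFactory;
import org.slf4j.LoggerFactory;
import org.slf4j.helpers.NOPLoggerFactory;

/*
 * Assumed logback.xml on the classpath (Logback picks it up automatically):
 *
 * <configuration>
 *   <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 *     <encoder><pattern>%d %-5level %logger{36} - %msg%n</pattern></encoder>
 *   </appender>
 *   <logger name="org.apache.xml.security.utils.DigesterOutputStream" level="DEBUG"/>
 *   <root level="INFO"><appender-ref ref="STDOUT"/></root>
 * </configuration>
 */
public class LoggingWiringCheck {

    // Logger name Santuario's DigesterOutputStream uses for its digest dumps
    static final String DIGESTER_LOGGER =
        "org.apache.xml.security.utils.DigesterOutputStream";

    // False when slf4j-nop is the binding that won: every message is silently dropped
    static boolean slf4jBindingIsReal() {
        ILoggerFactory factory = LoggerFactory.getILoggerFactory();
        return !(factory instanceof NOPLoggerFactory);
    }

    // True when jcl-over-slf4j is routing Commons Logging calls into slf4j
    static boolean jclIsBridgedToSlf4j() {
        Log log = LogFactory.getLog(DIGESTER_LOGGER);
        // jcl-over-slf4j's Log classes are SLF4JLog / SLF4JLocationAwareLog
        return log.getClass().getName()
                  .startsWith("org.apache.commons.logging.impl.SLF4J");
    }

    // True once the effective level for the digest logger is DEBUG
    static boolean digesterDebugEnabled() {
        return LoggerFactory.getLogger(DIGESTER_LOGGER).isDebugEnabled();
    }

    public static void main(String[] args) {
        System.out.println("slf4j binding is real        : " + slf4jBindingIsReal());
        System.out.println("JCL bridged to slf4j         : " + jclIsBridgedToSlf4j());
        System.out.println("DigesterOutputStream DEBUG on: " + digesterDebugEnabled());
    }
}
```

If the first check prints false, slf4j-nop (or a second binding) is still on the classpath; if the second prints false, commons-logging.jar is being picked up instead of jcl-over-slf4j.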

Gina Choi

May 27, 2011, 2:56:08 PM5/27/11
to mace-open...@internet2.edu, Gina Choi
When I try to single logout from ADFS, I am getting the following error
message. I am wondering if this is my application problem or configuration
problem of the ADFS. If an application wants to support Single Logout, what
does the application need to do?


There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide
the reference number to identify the problem.
Reference number: bcdf60c2-ad00-40b3-942c-2cb2df597f83

Thanks.

Gina

Brent Putman

May 27, 2011, 3:42:51 PM5/27/11
to mace-open...@internet2.edu
I'm not familiar with ADFS, but I doubt there's enough technical detail
there for anyone to diagnose. You probably need some logs from both
sides and probably traces of the protocol messages being exchanged.

And this is probably the wrong list to ask anyway, unless and until you
have some reason to believe it's related to your usage of OpenSAML.

Gina Choi

May 27, 2011, 3:57:22 PM5/27/11
to mace-open...@internet2.edu, Gina Choi
Thanks for your response. I just want to make sure that I implemented
something that I have to. All I did for logout is session:invalidate(). I
don't know if it is enough for my application. The following is the ADFS log. I
already posted the following log in the ADFS blog, but haven't got an answer to
fix my issue.

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7055: Not all SAML
session participants logged out properly. It is recommended to close your
browser.
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SingleLogout(Uri returnUrl, Boolean wsFedInitiated)


Cantor, Scott E.

May 27, 2011, 4:22:40 PM5/27/11
to mace-open...@internet2.edu, Gina Choi
On 5/27/11 3:57 PM, "Gina Choi" <gc...@sdl.com> wrote:
>Thanks for your response. I just want to make sure that I implemented
>something that I have to. All I did for logout is session:invalidate(). I
>don't know if it is enough for my application. The following is the ADFS log.
>I
>already posted the following log in the ADFS blog, but haven't got an answer
>to
>fix my issue.

Your application is irrelevant to ADFS. Logout protocols are defined by
messages on the wire, not the actual fact that a logout happened
internally. Your obligation is whatever the logout protocol says it is,
nothing more or less.

-- Scott
