Unidentified component on SAML client with Artifact bindings
10 views
Skip to first unread message
Nicolas Crittin
Oct 8, 2025, 4:23:15 AMOct 8
to Pac4j development mailing list
Hi,
I'm working with pac4j 6.2.2. and I encountered some issues with pac4j-saml client when using artifact bindings response. The SAML Artifact decoding fails due to some missing initializations. The stacktrace say this:
org.pac4j.saml.exceptions.SAMLException: Error decoding Artifact SAML message
at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.getDecoder(SAML2CredentialsExtractor.java:123)
at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:84)
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:81)
at org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:63)
at org.pac4j.jee.config.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:92)
...
Caused by: org.opensaml.messaging.decoder.MessageDecodingException: org.opensaml.messaging.decoder.MessageDecodingException: Fatal error decoding or resolving inbound artifact
at org.pac4j.saml.sso.artifact.SAML2ArtifactBindingDecoder.doDecode(SAML2ArtifactBindingDecoder.java:100)
at org.opensaml.messaging.decoder.AbstractMessageDecoder.decode(AbstractMessageDecoder.java:66)
at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.getDecoder(SAML2CredentialsExtractor.java:121)
... 23 more
Caused by: org.opensaml.messaging.decoder.MessageDecodingException: Fatal error decoding or resolving inbound artifact
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.processArtifact(Pac4jHTTPArtifactDecoder.java:300)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.doDecode(Pac4jHTTPArtifactDecoder.java:199)
at org.opensaml.messaging.decoder.AbstractMessageDecoder.decode(AbstractMessageDecoder.java:66)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.decode(Pac4jHTTPArtifactDecoder.java:169)
at org.pac4j.saml.sso.artifact.SAML2ArtifactBindingDecoder.doDecode(SAML2ArtifactBindingDecoder.java:93)
... 25 more
Caused by: net.shibboleth.shared.component.UninitializedComponentException: Unidentified Component has not yet been initialized and cannot be used.
at net.shibboleth.shared.component.AbstractInitializableComponent.ifNotInitializedThrowUninitializedComponentException(AbstractInitializableComponent.java:81)
at net.shibboleth.shared.component.AbstractInitializableComponent.checkComponentActive(AbstractInitializableComponent.java:110)
at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:82)
at org.opensaml.soap.client.http.AbstractPipelineHttpSOAPClient.send(AbstractPipelineHttpSOAPClient.java:178)
at org.pac4j.saml.sso.artifact.SAML2ArtifactBindingDecoder$1.send(SAML2ArtifactBindingDecoder.java:77)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.dereferenceArtifact(Pac4jHTTPArtifactDecoder.java:333)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.processArtifact(Pac4jHTTPArtifactDecoder.java:294)
... 29 more
After some debug, I could confirm that some components are not initialized in DefaultSOAPPipelineFactory (all other components are initialized). I tried initialize them and it fixes above issue. Here is how to fix it:
In org.pac4j.saml.sso.artifact.DefaultSOAPPipelineFactory, just replace the methods below with following code:
protected BasicMessageHandlerChain toHandlerChain(final List<MessageHandler> handlers) throws ComponentInitializationException {
var ret = new BasicMessageHandlerChain();
ret.setHandlers(handlers);
ret.initialize();
return ret;
}
protected MessageHandler buildCheckMandatoryAuthentication() throws ComponentInitializationException {
val mandatoryAuthentication = new CheckMandatoryAuthentication();
mandatoryAuthentication.setAuthenticationLookupStrategy(
context -> context.getSubcontext(SAMLPeerEntityContext.class).isAuthenticated());
mandatoryAuthentication.initialize();
return mandatoryAuthentication;
}
Best Regards
Nicolas
I'm working with pac4j 6.2.2. and I encountered some issues with pac4j-saml client when using artifact bindings response. The SAML Artifact decoding fails due to some missing initializations. The stacktrace say this:
org.pac4j.saml.exceptions.SAMLException: Error decoding Artifact SAML message
at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.getDecoder(SAML2CredentialsExtractor.java:123)
at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:84)
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:81)
at org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:63)
at org.pac4j.jee.config.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:92)
...
Caused by: org.opensaml.messaging.decoder.MessageDecodingException: org.opensaml.messaging.decoder.MessageDecodingException: Fatal error decoding or resolving inbound artifact
at org.pac4j.saml.sso.artifact.SAML2ArtifactBindingDecoder.doDecode(SAML2ArtifactBindingDecoder.java:100)
at org.opensaml.messaging.decoder.AbstractMessageDecoder.decode(AbstractMessageDecoder.java:66)
at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.getDecoder(SAML2CredentialsExtractor.java:121)
... 23 more
Caused by: org.opensaml.messaging.decoder.MessageDecodingException: Fatal error decoding or resolving inbound artifact
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.processArtifact(Pac4jHTTPArtifactDecoder.java:300)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.doDecode(Pac4jHTTPArtifactDecoder.java:199)
at org.opensaml.messaging.decoder.AbstractMessageDecoder.decode(AbstractMessageDecoder.java:66)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.decode(Pac4jHTTPArtifactDecoder.java:169)
at org.pac4j.saml.sso.artifact.SAML2ArtifactBindingDecoder.doDecode(SAML2ArtifactBindingDecoder.java:93)
... 25 more
Caused by: net.shibboleth.shared.component.UninitializedComponentException: Unidentified Component has not yet been initialized and cannot be used.
at net.shibboleth.shared.component.AbstractInitializableComponent.ifNotInitializedThrowUninitializedComponentException(AbstractInitializableComponent.java:81)
at net.shibboleth.shared.component.AbstractInitializableComponent.checkComponentActive(AbstractInitializableComponent.java:110)
at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:82)
at org.opensaml.soap.client.http.AbstractPipelineHttpSOAPClient.send(AbstractPipelineHttpSOAPClient.java:178)
at org.pac4j.saml.sso.artifact.SAML2ArtifactBindingDecoder$1.send(SAML2ArtifactBindingDecoder.java:77)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.dereferenceArtifact(Pac4jHTTPArtifactDecoder.java:333)
at org.pac4j.saml.transport.Pac4jHTTPArtifactDecoder.processArtifact(Pac4jHTTPArtifactDecoder.java:294)
... 29 more
After some debug, I could confirm that some components are not initialized in DefaultSOAPPipelineFactory (all other components are initialized). I tried initialize them and it fixes above issue. Here is how to fix it:
In org.pac4j.saml.sso.artifact.DefaultSOAPPipelineFactory, just replace the methods below with following code:
protected BasicMessageHandlerChain toHandlerChain(final List<MessageHandler> handlers) throws ComponentInitializationException {
var ret = new BasicMessageHandlerChain();
ret.setHandlers(handlers);
ret.initialize();
return ret;
}
protected MessageHandler buildCheckMandatoryAuthentication() throws ComponentInitializationException {
val mandatoryAuthentication = new CheckMandatoryAuthentication();
mandatoryAuthentication.setAuthenticationLookupStrategy(
context -> context.getSubcontext(SAMLPeerEntityContext.class).isAuthenticated());
mandatoryAuthentication.initialize();
return mandatoryAuthentication;
}
Best Regards
Nicolas
Nicolas Crittin
Oct 8, 2025, 5:02:49 AMOct 8
to Pac4j development mailing list
Oops, one little mistake :
In my fix of toHandlerChain() method I accidentally changed "val ret = new BasicMessageHandlerChain();" into "var ret = new BasicMessageHandlerChain();"
The original "val" keyword is correct and can be maintained (I just changed it because it made my IDE unable to resolve type)
In my fix of toHandlerChain() method I accidentally changed "val ret = new BasicMessageHandlerChain();" into "var ret = new BasicMessageHandlerChain();"
The original "val" keyword is correct and can be maintained (I just changed it because it made my IDE unable to resolve type)
Jérôme LELEU
Oct 8, 2025, 5:12:25 AMOct 8
to Nicolas Crittin, Pac4j development mailing list
Hi,
It makes sense. Please open a PR.
Thanks.
Best regards,
Jérôme
--
You received this message because you are subscribed to the Google Groups "Pac4j development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/9a691b56-83a3-42a0-a744-272dd31de3f4n%40googlegroups.com.
Nicolas Crittin
Oct 8, 2025, 5:34:56 AMOct 8
to Pac4j development mailing list
Done
cf. PR
#3613
Best Regards
Nicolas
Reply all
Reply to author
Forward
0 new messages