OpenSAML 4.1 and BC-FIPS


scott.c...@hrworx.com

Apr 27, 2021, 2:58:19 PM
to Pac4j development mailing list
We have been using pac4j 4.x successfully with Bouncy Castle's FIPS provider only (no other BC providers on the classpath). We recently tried to update pac4j to version 5, and OpenSAML 4.1 doesn't seem to work with bc-fips anymore. We get class not found exceptions on startup. Any idea how we can make it work?

Jérôme LELEU

Apr 28, 2021, 2:51:36 AM
to scott.c...@hrworx.com, Pac4j development mailing list
Hi,

Can you post the full stack trace?
Thanks.
Best regards,
Jérôme


Scott Coldwell

Apr 30, 2021, 1:47:48 PM
to Jérôme LELEU, Pac4j development mailing list
The target class of the ClassNotFoundException sometimes changes (I believe due to load order), but here's the stack trace:

java.lang.NoClassDefFoundError: org/bouncycastle/crypto/DerivationParameters
	at org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration(DefaultSecurityConfigurationBootstrap.java:121)
	at org.opensaml.xmlsec.config.impl.GlobalSecurityConfigurationInitializer.init(GlobalSecurityConfigurationInitializer.java:36)
	at org.opensaml.core.config.InitializationService.initialize(InitializationService.java:56)
	at org.pac4j.saml.util.DefaultConfigurationManager.configure(DefaultConfigurationManager.java:27)
	at org.pac4j.saml.util.Configuration.bootstrap(Configuration.java:76)
	at org.pac4j.saml.util.Configuration.<clinit>(Configuration.java:47)
	at org.pac4j.saml.client.SAML2Client.<clinit>(SAML2Client.java:89)
	at com.hrworx.formworx.pac4j.client.DynamicSAML2Clients.createClient(DynamicSAML2Clients.java:98)
	at com.hrworx.formworx.pac4j.client.DynamicSAML2Clients.createClient(DynamicSAML2Clients.java:30)
	at com.hrworx.formworx.pac4j.client.DynamicClients.loadClientsInternal(DynamicClients.java:106)
	at com.hrworx.formworx.pac4j.client.DynamicClients.internalInit(DynamicClients.java:75)
	at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:27)
	at com.hrworx.formworx.webapp.pac4j.SpringSAMLUtils.getIDPs(SpringSAMLUtils.java:37)
	at com.hrworx.formworx.webapp.controller.SAMLController.getIdps(SAMLController.java:64)
	at com.hrworx.formworx.webapp.controller.SAMLController.displayIdpSelection(SAMLController.java:91)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:894)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1060)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:962)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.hrworx.util.servlet.NoCacheFilter.doFilter(NoCacheFilter.java:58)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:186)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.hrworx.util.servlet.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:49)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at ch.qos.logback.classic.selector.servlet.LoggerContextFilter.doFilter(LoggerContextFilter.java:69)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at com.hrworx.formworx.webapp.spring.security.AbstractRequestMatchingFilter.doFilter(AbstractRequestMatchingFilter.java:136)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at com.hrworx.formworx.webapp.pac4j.FormworxSecurityFilter.doFilter(FormworxSecurityFilter.java:122)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at com.hrworx.formworx.webapp.pac4j.FormworxSecurityFilter.doFilter(FormworxSecurityFilter.java:122)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.pac4j.springframework.security.web.CallbackFilter.doFilter(CallbackFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.pac4j.springframework.security.web.CallbackFilter.doFilter(CallbackFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at com.hrworx.formworx.webapp.spring.security.AbstractRequestMatchingFilter.doFilter(AbstractRequestMatchingFilter.java:136)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at com.hrworx.formworx.webapp.spring.security.AbstractRequestMatchingFilter.doFilter(AbstractRequestMatchingFilter.java:136)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at com.hrworx.formworx.webapp.pac4j.FormworxSecurityFilter.doFilter(FormworxSecurityFilter.java:122)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:147)
	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.crypto.DerivationParameters
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1358)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1180)
	... 124 more

Jérôme LELEU

May 4, 2021, 5:57:11 AM
to Scott Coldwell, Pac4j development mailing list
Hi,

Do you have some bcprov-* JAR in your classpath?
Thanks.
Best regards,
Jérôme

Scott Coldwell

May 5, 2021, 12:41:02 PM
to Jérôme LELEU, Pac4j development mailing list
No, we purposely removed them to make sure only the FIPS versions were used.

Jérôme LELEU

May 6, 2021, 3:08:42 AM
to Scott Coldwell, Pac4j development mailing list
Hi,

OK. I get it now.
I think the problem comes from OpenSAML, which relies on bcprov and is not compliant with FIPS.
The dependency tree:

[INFO] org.pac4j:pac4j-saml:jar:5.1.0-SNAPSHOT
[INFO] +- org.pac4j:pac4j-core:jar:5.1.0-SNAPSHOT:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.opensaml:opensaml-core:jar:4.1.0:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- io.dropwizard.metrics:metrics-core:jar:4.1.18:compile
[INFO] |  \- net.shibboleth.utilities:java-support:jar:8.2.0:compile
[INFO] +- org.opensaml:opensaml-saml-api:jar:4.1.0:compile
[INFO] |  \- org.apache.santuario:xmlsec:jar:2.2.2:compile
[INFO] |     +- com.fasterxml.woodstox:woodstox-core:jar:5.2.1:runtime
[INFO] |     |  \- org.codehaus.woodstox:stax2-api:jar:4.2:runtime
[INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
[INFO] |        \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] +- org.opensaml:opensaml-saml-impl:jar:4.1.0:compile
[INFO] |  +- org.opensaml:opensaml-soap-impl:jar:4.1.0:compile
[INFO] |  +- org.opensaml:opensaml-storage-api:jar:4.1.0:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] +- org.opensaml:opensaml-soap-api:jar:4.1.0:compile
[INFO] +- org.opensaml:opensaml-xmlsec-api:jar:4.1.0:compile
[INFO] +- org.opensaml:opensaml-security-api:jar:4.1.0:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.68:compile
[INFO] |  \- org.bouncycastle:bcpkix-jdk15on:jar:1.68:compile

...


Thanks.
Best regards,
Jérôme
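A way to answer the "is there a bcprov JAR on the classpath?" question from inside the same classloader the webapp uses, as an added diagnostic that is not code from this thread, from pac4j or from OpenSAML: it lists the JCA providers actually registered and, for each class name, reports which JAR it was loaded from or why it could not be loaded. The three class names are the one named in Scott's stack trace plus the standard provider entry points of bcprov-jdk15on and bc-fips; the class name `BcClasspathProbe` and the run command in the note below are this example's own assumptions.

```java
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.Provider;
import java.security.Security;

/**
 * Added diagnostic (not part of pac4j or OpenSAML). Run it with the same
 * classpath as the webapp, before org.pac4j.saml.util.Configuration is
 * touched, to see which Bouncy Castle artefacts are really visible.
 */
public class BcClasspathProbe {

    // The class OpenSAML 4.1 failed to load in the posted trace, plus the
    // provider classes shipped by bcprov-jdk15on and bc-fips respectively.
    static final String[] PROBE_CLASSES = {
        "org.bouncycastle.crypto.DerivationParameters",
        "org.bouncycastle.jce.provider.BouncyCastleProvider",        // bcprov-jdk15on
        "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"  // bc-fips
    };

    /**
     * Returns where a class was loaded from (its CodeSource, normally a JAR
     * path), or the error that prevented loading it. LinkageError covers the
     * NoClassDefFoundError seen in the thread, which is not a
     * ClassNotFoundException.
     */
    static String locate(String className) {
        try {
            Class<?> c = Class.forName(className);
            ProtectionDomain pd = c.getProtectionDomain();
            CodeSource cs = (pd == null) ? null : pd.getCodeSource();
            if (cs == null || cs.getLocation() == null) {
                return "loaded (no CodeSource, e.g. a JDK module)";
            }
            return "loaded from " + cs.getLocation();
        } catch (ClassNotFoundException | LinkageError e) {
            return "NOT loadable: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("Registered JCA providers, in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-12s %s%n", p.getName(), p.getInfo());
        }
        System.out.println();
        for (String name : PROBE_CLASSES) {
            System.out.println(name + " -> " + locate(name));
        }
    }
}
```

Assumed invocation from the exploded webapp: `javac BcClasspathProbe.java && java -cp "WEB-INF/lib/*:." BcClasspathProbe`. With only the bc-fips JAR present, the first two names report "NOT loadable" and the third reports the bc-fips JAR path, which is the state the posted trace shows `DefaultSecurityConfigurationBootstrap` does not tolerate; if `DerivationParameters` loads from an unexpected JAR, that JAR is the stray BC provider Jérôme asked about. On the build side, the same question is answered by `mvn dependency:tree -Dincludes=org.bouncycastle`, which filters the tree above down to the two bouncycastle artefacts.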
