Not able to redirect to the same URL on which SAML authentication is configured.


Jaideep Singh

Apr 20, 2017, 8:36:57 AM
to pac4j-users
Hello Jerome,

I want to apply security on the URL http://localhost:8080. When I try to access this URL I am redirected to the IdP; after authenticating with username and password I want to be redirected back to localhost:8080 with no further authentication. But I am facing a problem, please look at the attached video. I am also attaching the log file and shiro.ini.

Please help me, I am stuck on it.

Thanks and Regards,
Jaideep Singh
IssueFacing 2.mp4
logfile.txt
metadata-okta.xml
shiro.ini
sp-metadata.xml

Jérôme LELEU

Apr 21, 2017, 2:25:01 AM
to Jaideep Singh, pac4j-users
Hi,

It's very strange. I just made the test both for the master and 2.1.x branches of the demo and it works for me (as the callback is defined before the /** = saml2SecurityFilter).

For the first redirection, the session is created and should be reused after that. I have exactly the same logs as you have, except that I get a profile from the session:

BUJI PAC4J DEMO 08:16:15.988 [qtp41810270-19] DEBUG o.p.core.engine.DefaultSecurityLogic - loadProfilesFromSession: true
BUJI PAC4J DEMO 08:16:15.988 [qtp41810270-19] DEBUG o.p.core.engine.DefaultSecurityLogic - profiles: [#SAML2Profile# | id: test...@gmail.com | attributes: {firstName=[Test], lastName=[pac4j], notOnOrAfter=2017-04-21T06:21:15.550Z, sessionindex=_erez8hcrzfpndvzkhhjzylsif9b2vxsozijqhuh, notBefore=2017-04-21T06:11:15.550Z} | roles: [] | permissions: [] | isRemembered: false |]
BUJI PAC4J DEMO 08:16:15.988 [qtp41810270-19] DEBUG o.p.core.engine.DefaultSecurityLogic - authorizers: null

Can you check the value of the JSESSIONID cookie (along the /, /callback and / URLs flow)?

Thanks.
Best regards,
Jérôme




--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jaideep Singh

Apr 21, 2017, 10:37:12 PM
to pac4j-users
Hello Jerome,

Thanks for the logs, I was able to figure out where the problem actually is. It's with the filters, since I am using samlSecurityFilter at / and the filters were configured for the /saml directory. Now my question is how can I configure the filters to execute on the / request?

Thanks,
Jaideep Singh

Jérôme LELEU

Apr 22, 2017, 4:04:41 AM
to Jaideep Singh, pac4j-users
Hi,

Which filters are you talking about? samlSecurityFilter is on / and callbackFilter is on /callback.

Thanks.
Best regards,
Jérôme


Jaideep Singh

Apr 22, 2017, 4:28:32 AM
to Jérôme LELEU, pac4j-users
Hello Jerome,

I am talking about the index.jsp file. When I used the index.jsp file as /saml2/.. = /samlSecurityFilter I was able to get the profile; I think its code is written in the JSP file. Now I want / = samlSecurityFilter, so how do I configure the code written in index.jsp to populate the profile for the above condition?

Thanks,
Jaideep Singh

Jérôme LELEU

Apr 22, 2017, 4:44:26 AM
to Jaideep Singh, pac4j-users
Hi,

If / is protected, the profile will be available in the session. So you should use the same code.

Thanks.
Best regards,
Jérôme

Jaideep Singh

Apr 22, 2017, 7:14:32 AM
to Jérôme LELEU, pac4j-users
So my question is how to get that code to execute when I hit /, since I am using it with /=samlSecurityFilter and it won't execute the code inside index.jsp?

Jaideep Singh

Apr 24, 2017, 3:59:35 AM
to pac4j-users, lel...@gmail.com
Hello Jérôme,

In the shiro.ini file, if I use the URL mapping /saml2/** = saml2SecurityFilter I am able to get the profile.

See the logs:
BUJI PAC4J DEMO 13:19:56.200 [qtp1788582153-18] DEBUG o.o.x.s.s.i.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
BUJI PAC4J DEMO 13:19:56.200 [qtp1788582153-18] DEBUG o.o.x.s.s.i.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
BUJI PAC4J DEMO 13:19:56.200 [qtp1788582153-18] DEBUG o.o.s.t.i.ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
BUJI PAC4J DEMO 13:19:56.200 [qtp1788582153-18] DEBUG o.o.x.s.s.i.BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
BUJI PAC4J DEMO 13:19:56.201 [qtp1788582153-18] DEBUG o.p.core.engine.DefaultCallbackLogic - credentials: SAMLCredential [nameId=org.opensaml.saml.saml2.core.impl.NameIDImpl@2c3032e4, attributes=[], sessionIndex=null]
BUJI PAC4J DEMO 13:19:56.201 [qtp1788582153-18] DEBUG org.pac4j.saml.client.SAML2Client - credentials : SAMLCredential [nameId=org.opensaml.saml.saml2.core.impl.NameIDImpl@2c3032e4, attributes=[], sessionIndex=null]
BUJI PAC4J DEMO 13:19:56.202 [qtp1788582153-18] DEBUG org.pac4j.saml.profile.SAML2Profile - identifier: admin
BUJI PAC4J DEMO 13:19:56.202 [qtp1788582153-18] DEBUG org.pac4j.saml.profile.SAML2Profile - no conversion => key: notBefore / value: 2017-04-24T07:49:54.968Z / class org.joda.time.DateTime
BUJI PAC4J DEMO 13:19:56.202 [qtp1788582153-18] DEBUG org.pac4j.saml.profile.SAML2Profile - no conversion => key: notOnOrAfter / value: 2017-04-24T07:54:54.967Z / class org.joda.time.DateTime
BUJI PAC4J DEMO 13:19:56.202 [qtp1788582153-18] DEBUG o.p.core.engine.DefaultCallbackLogic - profile: #SAML2Profile# | id: admin | attributes: {notOnOrAfter=2017-04-24T07:54:54.967Z, notBefore=2017-04-24T07:49:54.968Z} | roles: [] | permissions: [] | isRemembered: false |
BUJI PAC4J DEMO 13:19:56.208 [qtp1788582153-18] DEBUG o.a.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [#Pac4jPrincipal# | profiles: [#SAML2Profile# | id: admin | attributes: {notOnOrAfter=2017-04-24T07:54:54.967Z, notBefore=2017-04-24T07:49:54.968Z} | roles: [] | permissions: [] | isRemembered: false |] |] from doGetAuthenticationInfo
BUJI PAC4J DEMO 13:19:56.208 [qtp1788582153-18] DEBUG o.a.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [#Pac4jPrincipal# | profiles: [#SAML2Profile# | id: admin | attributes: {notOnOrAfter=2017-04-24T07:54:54.967Z, notBefore=2017-04-24T07:49:54.968Z} | roles: [] | permissions: [] | isRemembered: false |] |].  Submitted token: [io.buji.pac4j.token.Pac4jToken@13854ccf].
BUJI PAC4J DEMO 13:19:56.208 [qtp1788582153-18] DEBUG o.a.s.a.c.SimpleCredentialsMatcher - Performing credentials equality check for tokenCredentials of type [java.lang.Integer and accountCredentials of type [java.lang.Integer]
BUJI PAC4J DEMO 13:19:56.208 [qtp1788582153-18] DEBUG o.a.s.authc.AbstractAuthenticator - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@13854ccf].  Returned account [#Pac4jPrincipal# | profiles: [#SAML2Profile# | id: admin | attributes: {notOnOrAfter=2017-04-24T07:54:54.967Z, notBefore=2017-04-24T07:49:54.968Z} | roles: [] | permissions: [] | isRemembered: false |] |]
BUJI PAC4J DEMO 13:19:56.209 [qtp1788582153-18] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
BUJI PAC4J DEMO 13:19:56.209 [qtp1788582153-18] DEBUG o.a.shiro.mgt.DefaultSecurityManager - Context already contains a session.  Returning.
BUJI PAC4J DEMO 13:19:56.209 [qtp1788582153-18] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
BUJI PAC4J DEMO 13:19:56.215 [qtp1788582153-18] DEBUG o.a.shiro.web.servlet.SimpleCookie - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Sun, 23-Apr-2017 07:49:56 GMT]
BUJI PAC4J DEMO 13:19:56.215 [qtp1788582153-18] DEBUG o.a.s.mgt.AbstractRememberMeManager - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
BUJI PAC4J DEMO 13:19:56.215 [qtp1788582153-18] DEBUG o.p.core.engine.DefaultCallbackLogic - redirectUrl: /

Now, in the case where I use /** = saml2SecurityFilter, I am not getting the profile. Please see the logs:
BUJI PAC4J DEMO 13:24:52.373 [qtp1788582153-17] DEBUG o.p.s.transport.Pac4jHTTPPostEncoder - Setting RelayState parameter to: 'http://localhost:8080/callback?client_name=SAML2Client', encoded as 'http://localhost:8080/callback?client_name=SAML2Client'
BUJI PAC4J DEMO 13:24:52.392 [qtp1788582153-17] DEBUG org.apache.velocity - ResourceManager : found /templates/saml2-post-binding.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
BUJI PAC4J DEMO 13:24:52.395 [qtp1788582153-17] DEBUG org.apache.velocity - ResourceManager : found /templates/add-html-head-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
BUJI PAC4J DEMO 13:24:52.396 [qtp1788582153-17] DEBUG org.apache.velocity - ResourceManager : found /templates/add-html-body-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
BUJI PAC4J DEMO 13:24:55.037 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - === SECURITY ===
BUJI PAC4J DEMO 13:24:55.037 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - url: http://localhost:8080/callback?client_name=SAML2Client
BUJI PAC4J DEMO 13:24:55.037 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - matchers: null
BUJI PAC4J DEMO 13:24:55.037 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - clients: SAML2Client
BUJI PAC4J DEMO 13:24:55.048 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - currentClients: [#SAML2Client# | name: SAML2Client | callbackUrl: http://localhost:8080/callback?client_name=SAML2Client | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@550d9210 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@53319b37 |]
BUJI PAC4J DEMO 13:24:55.048 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - loadProfilesFromSession: true
BUJI PAC4J DEMO 13:24:55.048 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - profiles: []
BUJI PAC4J DEMO 13:24:55.048 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - Starting authentication
BUJI PAC4J DEMO 13:24:55.048 [qtp1788582153-13] DEBUG o.p.core.engine.DefaultSecurityLogic - requestedUrl: http://localhost:8080/callback?client_name=SAML2Client
BUJI PAC4J DEMO 13:24:55.050 [qtp1788582153-13] DEBUG o.p.s.context.SAML2ContextProvider - Creating message storage by org.pac4j.saml.storage.EmptyStorageFactory
BUJI PAC4J DEMO 13:24:55.050 [qtp1788582153-13] DEBUG o.o.s.m.r.i.AbstractMetadataResolver - Metadata backing store does not contain any EntityDescriptors with the ID: zeppelin
BUJI PAC4J DEMO 13:24:55.050 [qtp1788582153-13] DEBUG o.o.s.m.support.SAML2MetadataSupport - Selecting default IndexedEndpoint
BUJI PAC4J DEMO 13:24:55.050 [qtp1788582153-13] DEBUG o.o.s.m.support.SAML2MetadataSupport - Selected first IndexedEndpoint with no explicit isDefault
BUJI PAC4J DEMO 13:24:55.050 [qtp1788582153-13] DEBUG o.o.s.m.support.SAML2MetadataSupport - Selecting default IndexedEndpoint

What is the problem here?

Thanks,
Jaideep Singh
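Jérôme's remark earlier in the thread that the demo works because the callback mapping is defined before /** = saml2SecurityFilter, and the second log extract in the post above (DefaultSecurityLogic running on http://localhost:8080/callback?client_name=SAML2Client, finding profiles: [] and printing "Starting authentication"), come down to the same mechanism: Shiro resolves the [urls] section of shiro.ini top to bottom and the first matching Ant-style pattern wins, so a catch-all placed first swallows the callback. The script below is an added example, not pac4j or Shiro code; it reproduces that resolution over two constructed [urls] sections (the shiro.ini attached to the thread is not shown on the page). The filter names saml2SecurityFilter and callbackFilter are the ones used in the thread, and the three-hop sequence / then /callback then / is assumed to be the plain round trip the original post describes.

```python
# Added example for this thread (not pac4j or Shiro code): reproduces how
# Shiro's [urls] section is resolved, first match wins, with Ant-style
# patterns, to show why "/** = saml2SecurityFilter" must come AFTER
# "/callback = callbackFilter". The two [urls] sections below are constructed
# for the demonstration and are not the shiro.ini attached to the thread.
import re
from typing import Optional
from urllib.parse import urlsplit


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    "/**" matches zero or more further path segments, "*" matches within one
    segment, "?" matches a single character within a segment. This is the
    subset of Shiro's AntPathMatcher that shiro.ini [urls] lines normally use.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_urls_section(ini_text: str) -> list[tuple[str, str]]:
    """Return the (pattern, filter chain) pairs of [urls] in definition order."""
    pairs: list[tuple[str, str]] = []
    in_urls = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_urls = line == "[urls]"
            continue
        if in_urls and "=" in line:
            pattern, chain = (part.strip() for part in line.split("=", 1))
            pairs.append((pattern, chain))
    return pairs


def resolve_chain(pairs: list[tuple[str, str]], request_url: str) -> Optional[str]:
    """First matching pattern wins, as Shiro's PathMatchingFilterChainResolver
    does; the query string is not part of the path that gets matched."""
    path = urlsplit(request_url).path or "/"
    for pattern, chain in pairs:
        if ant_to_regex(pattern).match(path):
            return chain
    return None


def trace_login_flow(ini_text: str, base: str = "http://localhost:8080") -> list[tuple[str, Optional[str]]]:
    """Which chain handles each hop of the SAML round trip: the protected page,
    the IdP's POST back to the callback, and the protected page again."""
    hops = ["/", "/callback?client_name=SAML2Client", "/"]
    pairs = parse_urls_section(ini_text)
    return [(hop, resolve_chain(pairs, base + hop)) for hop in hops]


# Constructed: catch-all listed first, so /callback never reaches callbackFilter.
URLS_CATCH_ALL_FIRST = """
[urls]
/** = saml2SecurityFilter
/callback = callbackFilter
"""

# Constructed: callback listed before the catch-all, the order the demo uses.
URLS_CALLBACK_FIRST = """
[urls]
/callback = callbackFilter
/** = saml2SecurityFilter
"""

if __name__ == "__main__":
    for name, ini in (("catch-all first", URLS_CATCH_ALL_FIRST), ("callback first", URLS_CALLBACK_FIRST)):
        print(name)
        for hop, chain in trace_login_flow(ini):
            print(f"  {hop:40} -> {chain}")
```

With the catch-all first, the IdP's POST to /callback is handled by saml2SecurityFilter: it loads no profile from the session and starts a new authentication, which is exactly what the second log extract shows, and the browser is sent back to the IdP instead of having the SAMLResponse consumed. Shiro matches on the path without the query string, so the ?client_name=SAML2Client suffix does not change which chain is chosen; only the order of the lines does.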

Jaideep Singh

Apr 24, 2017, 7:37:03 AM
to pac4j-users, lel...@gmail.com
Attaching the shiro.ini file and web.xml file.
shiro.ini
web.xml

Jérôme LELEU

Apr 25, 2017, 4:03:42 AM
to Jaideep Singh, pac4j-users
Hi,

Very strange. I just made the test with the demo (master branch) and it works: I get the SAML2Profile.

Does the demo work for you?

Thanks.
Best regards,
Jérôme

Jaideep Singh

Apr 26, 2017, 3:46:28 AM
to pac4j-users, jaide...@gmail.com
Hello Jerome,

I have tried using different versions, and the version buji-pac4j-demo-1.4.x is working for me with the same configuration on the WSO2 IdP and in the demo. I am able to redirect to the application URL with the JSESSIONID appended to the URL as http://localhost:8080/;jsessionid=x3e6rffheht0lu7d2vk3tdpa. But I am getting this exception and my page doesn't load completely after redirecting to this URL.

12:46:49.900 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.x.security.transforms.Transform - The NodeList is null
12:46:49.900 [qtp1663619914-19 - /assets/styles/printMode.css] DEBUG o.o.s.c.SAMLObjectContentReference - Adding list of inclusive namespaces for signature exclusive canonicalization transform
12:46:49.901 [qtp1663619914-58 - /scripts/vendor.c0c873f3ef52eecc.js] WARN  o.e.jetty.servlet.ServletHandler - 
javax.servlet.ServletException: org.pac4j.saml.exceptions.SAMLException: java.lang.NullPointerException
at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:148) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) ~[shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) ~[shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) ~[shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) ~[shiro-web-1.2.3.jar:1.2.3]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) ~[jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72) ~[classes/:na]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) ~[jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) [jetty-security-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.Server.handle(Server.java:499) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) [jetty-io-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.15.v20160210.jar:9.2.15.v20160210]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.15.v20160210.jar:9.2.15.v20160210]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]
Caused by: org.pac4j.saml.exceptions.SAMLException: java.lang.NullPointerException
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.invokeOutboundMessageHandlers(SAML2WebSSOMessageSender.java:144) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.sendMessage(SAML2WebSSOMessageSender.java:98) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.sendMessage(SAML2WebSSOMessageSender.java:46) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.send(SAML2WebSSOProfileHandler.java:50) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.send(SAML2WebSSOProfileHandler.java:34) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.client.SAML2Client.retrieveRedirectAction(SAML2Client.java:232) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:124) ~[pac4j-core-1.8.7.jar:na]
at org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:85) ~[pac4j-core-1.8.7.jar:na]
at io.buji.pac4j.filter.ClientRolesAuthorizationFilter.redirectToLogin(ClientRolesAuthorizationFilter.java:54) ~[buji-pac4j-servlet-1.4.2.jar:na]
at org.apache.shiro.web.filter.AccessControlFilter.saveRequestAndRedirectToLogin(AccessControlFilter.java:192) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.authz.AuthorizationFilter.onAccessDenied(AuthorizationFilter.java:111) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131) ~[shiro-web-1.2.3.jar:1.2.3]
... 30 common frames omitted
Caused by: java.lang.NullPointerException: null
at org.apache.commons.codec.binary.Base64.encode(Base64.java:377) ~[commons-codec-1.5.jar:1.5]
at org.apache.commons.codec.binary.BaseNCodec.encode(BaseNCodec.java:340) ~[commons-codec-1.5.jar:1.5]
at org.apache.commons.codec.binary.BaseNCodec.encodeToString(BaseNCodec.java:275) ~[commons-codec-1.5.jar:1.5]
at net.shibboleth.utilities.java.support.codec.Base64Support.encode(Base64Support.java:68) ~[java-support-7.1.1.jar:na]
at org.opensaml.xmlsec.keyinfo.KeyInfoSupport.buildX509Certificate(KeyInfoSupport.java:359) ~[opensaml-xmlsec-api-3.2.0.jar:na]
at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.processEntityCertificateChain(X509KeyInfoGeneratorFactory.java:703) ~[opensaml-xmlsec-impl-3.2.0.jar:na]
at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.generate(X509KeyInfoGeneratorFactory.java:440) ~[opensaml-xmlsec-impl-3.2.0.jar:na]
at org.opensaml.xmlsec.signature.support.SignatureSupport.prepareSignatureParams(SignatureSupport.java:153) ~[opensaml-xmlsec-api-3.2.0.jar:na]
at org.opensaml.xmlsec.signature.support.SignatureSupport.signObject(SignatureSupport.java:191) ~[opensaml-xmlsec-api-3.2.0.jar:na]
at org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport.signMessage(SAMLMessageSecuritySupport.java:65) ~[opensaml-saml-api-3.2.0.jar:na]
at org.opensaml.saml.common.binding.security.impl.SAMLOutboundProtocolMessageSigningHandler.doInvoke(SAMLOutboundProtocolMessageSigningHandler.java:79) ~[opensaml-saml-impl-3.2.0.jar:na]
at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95) ~[opensaml-messaging-api-3.2.0.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.invokeOutboundMessageHandlers(SAML2WebSSOMessageSender.java:138) ~[pac4j-saml-1.8.7.jar:na]
... 45 common frames omitted
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.x.security.transforms.Transforms - Transforms.addTransform(http://www.w3.org/2000/09/xmldsig#enveloped-signature)
12:46:49.902 [qtp1663619914-19 - /assets/styles/printMode.css] DEBUG o.o.x.s.impl.SignatureMarshaller - Creating Signature DOM element
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.x.security.transforms.Transforms - Transforms.addTransform(http://www.w3.org/2001/10/xml-exc-c14n#)
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.x.security.transforms.Transform - Create URI "http://www.w3.org/2001/10/xml-exc-c14n#" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive"
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.x.security.transforms.Transform - The NodeList is null
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.x.security.transforms.Transforms - Transforms.addTransform(http://www.w3.org/2001/10/xml-exc-c14n#)
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.o.s.c.SAMLObjectContentReference - Adding list of inclusive namespaces for signature exclusive canonicalization transform
12:46:49.902 [qtp1663619914-60 - /app.4ece19b57e6fb1511450.js] DEBUG o.o.x.s.impl.SignatureMarshaller - Creating Signature DOM element

Thanks and Regards,
Jaideep Singh

Jaideep Singh

Apr 26, 2017, 7:04:36 AM
to pac4j-users, jaide...@gmail.com
When I try to authenticate the Zeppelin server URL, i.e. localhost:8083/, after authentication at the IdP and post-redirection I am getting this error:
The server responded with a status of 500 (Server Error). But when I disable the Shiro configuration (i.e. without authentication to the IdP) I am able to load the page successfully; see the attached screenshots for the same.
error post authentication.jpg
error post authentication2.jpg

Jérôme LELEU

Apr 26, 2017, 7:16:15 AM
to Jaideep Singh, pac4j-users
Hi,

There must be something wrong with your SAML metadata:

at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.processEntityCertificateChain(X509KeyInfoGeneratorFactory.java:703)

How do you get them? Do they work in another environment?

Thanks.
Best regards,
Jérôme
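The cause chain in the trace quoted earlier ends in Base64.encode(null) under KeyInfoSupport.buildX509Certificate, reached while SAMLOutboundProtocolMessageSigningHandler signs the outbound AuthnRequest and the X509 KeyInfo generator embeds the SP's certificate chain; read that way, the certificate that failed to encode is the SP's own signing certificate from its keystore, the same one pac4j embeds in the SP metadata it generates. A first check a practitioner can run on the attached metadata files (sp-metadata.xml and metadata-okta.xml) is whether every ds:X509Certificate element actually holds base64 of a DER certificate. The script below is an added example, not pac4j or OpenSAML code, using only the Python standard library; the metadata document in it is constructed for the demo, and the "certificate" it contains is a DER skeleton with the outer shape of an X.509 Certificate rather than a real certificate.

```python
# Added example for this thread (not pac4j or OpenSAML code): pull every
# ds:X509Certificate out of a SAML metadata document and check that it is valid
# base64 and that the bytes are a DER Certificate, i.e. SEQUENCE { SEQUENCE
# tbsCertificate, SEQUENCE signatureAlgorithm, BIT STRING signatureValue }.
# Structural check only: no signature, chain or expiry validation.
# The metadata below is constructed for the demo; the "certificate" in it is a
# DER skeleton with the right shape, not a real X.509 certificate.
import base64
import binascii
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def der_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds data")
    return tag, pos, pos + length


def check_certificate_der(der: bytes) -> str:
    """Return 'ok' when der has the outer shape of an X.509 Certificate, else a reason."""
    try:
        tag, pos, end = der_tlv(der, 0)
        if tag != 0x30:
            return "outer element is not a SEQUENCE"
        if end != len(der):
            return "trailing bytes after certificate"
        for want, name in ((0x30, "tbsCertificate"), (0x30, "signatureAlgorithm"), (0x03, "signatureValue")):
            if pos >= end:
                return f"missing {name}"
            tag, _, pos = der_tlv(der, pos)
            if tag != want:
                return f"{name} has tag 0x{tag:02x}"
        if pos != end:
            return "unexpected extra fields"
    except ValueError as exc:
        return f"not DER: {exc}"
    return "ok"


def check_metadata_certificates(metadata_xml: str) -> list[tuple[str, str]]:
    """(label, verdict) for each ds:X509Certificate in the document, in order."""
    root = ET.fromstring(metadata_xml)
    results = []
    for i, el in enumerate(root.iter(f"{{{DS_NS}}}X509Certificate")):
        text = "".join((el.text or "").split())  # PEM-style line breaks are fine
        if not text:
            results.append((f"cert[{i}]", "empty X509Certificate element"))
            continue
        try:
            der = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            results.append((f"cert[{i}]", "not valid base64"))
            continue
        results.append((f"cert[{i}]", check_certificate_der(der)))
    return results


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed DER skeleton: tbsCertificate, signatureAlgorithm, signatureValue.
FAKE_CERT = der_encode(0x30, der_encode(0x30, b"\x02\x01\x01") + der_encode(0x30, b"\x06\x01\x00") + der_encode(0x03, b"\x00\xaa"))

# Constructed SP metadata: one well-formed entry, one empty, one garbage.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS_NS}" entityID="zeppelin">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_CERT).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate></ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>not-base64!</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for label, verdict in check_metadata_certificates(SAMPLE_METADATA):
        print(f"{label}: {verdict}")
```

A verdict of ok only means the bytes parse as a Certificate structure; expiry, key usage and whether the keystore alias and password configured for pac4j actually load that certificate still have to be checked on the SP side (keytool -list -v against the SP keystore, for instance). Run the same function over the real sp-metadata.xml and the IdP metadata by reading the files and passing their contents in place of SAMPLE_METADATA.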

Jaideep Singh

Apr 27, 2017, 3:25:57 AM
to pac4j-users, jaide...@gmail.com
Hello Jerome,

I am configuring SSO for the Zeppelin server, which runs on port 8083. Zeppelin has Shiro support in its configuration, so I have configured it the same as in buji-pac4j-demo-1.4.x, which is connecting to the WSO2 IdP and working successfully. In the demo the Apache server was running on port 8080, though Zeppelin also runs on an Apache server. What area do I need to look at to make the page load successfully and to resolve the above error? Attaching the metadata for the IdP, the SP metadata and shiro.ini.

Also I am attaching the directory structure for the Zeppelin environment.

Thanks,
Jaideep Singh
metadata-okta.xml
shiro.ini
sp-metadata.xml
zep1.JPG
zep2.JPG
zep3.JPG

Jaideep Singh

Apr 27, 2017, 6:09:09 AM
to pac4j-users, jaide...@gmail.com
Hello Jerome,

I have also found this in the Zeppelin documentation:

Securing the HTTP endpoints is not enough, since Zeppelin also communicates with the browser through websockets. To secure this channel, we take the following approach:

  1. The browser on startup requests a ticket through HTTP
  2. The Apache Shiro Servlet filter handles the user auth
  3. Once the user is authenticated, a ticket is assigned to this user and the ticket is returned to the browser

All websockets communications require the username and ticket to be submitted by the browser. Upon receiving a websocket message, the server checks that the ticket received is the one assigned to the username through the HTTP request (step 3 above).

https://github.com/apache/zeppelin/blob/master/SECURITY-README.md


Thanks,

Jaideep Singh

Jaideep Singh

May 1, 2017, 4:24:59 AM
to pac4j-users, jaide...@gmail.com
Any help on this?

Jaideep Singh

May 3, 2017, 3:44:45 AM
to pac4j-users, jaide...@gmail.com
Apart from the above problem I am getting this error as well:

13:04:35.554 [qtp1663619914-14-selector-ServerConnectorManager@258e2e41/2] DEBUG org.eclipse.jetty.io.SelectorManager - Selector loop waiting on select
13:04:35.557 [qtp1663619914-18 - /app.4ece19b57e6fb1511450.js] DEBUG o.a.shiro.web.servlet.AdviceFilter - Filter execution resulted in an unexpected Exception (not IOException or ServletException as the Filter API recommends).  Wrapping in ServletException and propagating.
13:04:35.558 [qtp1663619914-18 - /app.4ece19b57e6fb1511450.js] WARN  o.e.jetty.servlet.ServletHandler - 
javax.servlet.ServletException: org.pac4j.saml.exceptions.SAMLException: Error encoding saml message
Caused by: org.pac4j.saml.exceptions.SAMLException: Error encoding saml message
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.sendMessage(SAML2WebSSOMessageSender.java:112) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.sendMessage(SAML2WebSSOMessageSender.java:46) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.send(SAML2WebSSOProfileHandler.java:50) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.send(SAML2WebSSOProfileHandler.java:34) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.client.SAML2Client.retrieveRedirectAction(SAML2Client.java:232) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:124) ~[pac4j-core-1.8.7.jar:na]
at org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:85) ~[pac4j-core-1.8.7.jar:na]
at io.buji.pac4j.filter.ClientRolesAuthorizationFilter.redirectToLogin(ClientRolesAuthorizationFilter.java:54) ~[buji-pac4j-servlet-1.4.2.jar:na]
at org.apache.shiro.web.filter.AccessControlFilter.saveRequestAndRedirectToLogin(AccessControlFilter.java:192) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.authz.AuthorizationFilter.onAccessDenied(AuthorizationFilter.java:111) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178) ~[shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131) ~[shiro-web-1.2.3.jar:1.2.3]
... 30 common frames omitted
Caused by: org.opensaml.messaging.encoder.MessageEncodingException: Error creating output document
at org.pac4j.saml.transport.Pac4jHTTPPostEncoder.postEncode(Pac4jHTTPPostEncoder.java:152) ~[pac4j-saml-1.8.7.jar:na]
at org.pac4j.saml.transport.Pac4jHTTPPostEncoder.doEncode(Pac4jHTTPPostEncoder.java:118) ~[pac4j-saml-1.8.7.jar:na]
at org.opensaml.messaging.encoder.AbstractMessageEncoder.encode(AbstractMessageEncoder.java:53) ~[opensaml-messaging-api-3.2.0.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender.sendMessage(SAML2WebSSOMessageSender.java:104) ~[pac4j-saml-1.8.7.jar:na]
... 44 common frames omitted
Caused by: org.w3c.dom.ls.LSException:The character '

Attaching the complete log file.

Thanks,
Jaideep
zeppelin-hduser-LSG-PARTNER-DEV.out

nicolamacchi...@gmail.com

Mar 19, 2019, 7:34:48 AM
to Pac4j users mailing list
Dear Jaideep Singh,
Sorry to reopen this old question, but did you solve this problem?
I need to integrate Apache Zeppelin and WSO2 too, but I can't understand how to do it.