Bug 1193861 - SAML2AuthenticationHandler fails when NotBefore or NotOnOrAfter Conditions are not set
Summary: SAML2AuthenticationHandler fails when NotBefore or NotOnOrAfter Conditions are not set
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Pedro Igor
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-02-18 12:45 UTC by Ondrej Lukas
Modified: 2020-01-29 14:43 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:43:58 UTC
Type: Bug
Embargoed:
pskopek: needinfo-




Links:
Red Hat Issue Tracker PLINK-677 (Priority: Major, Status: Resolved): SAML2AuthenticationHandler fails when NotBefore or NotOnOrAfter Conditions are not set (Last Updated: 2020-01-29 14:41:53 UTC)

Description Ondrej Lukas 2015-02-18 12:45:26 UTC
When the PicketLink Service Provider is accessed with an assertion whose Conditions element lacks the NotBefore or the NotOnOrAfter attribute, an exception is thrown. However, according to the SAML2 specification [1], the use of either of these attributes in the assertion Conditions is optional.

When the NotOnOrAfter attribute is missing, the following exception is thrown:
ERROR [org.picketlink.common] (http-localhost/127.0.0.1:8080-1) Service Provider could not handle the request.: java.lang.IllegalArgumentException: PL00078: Null Parameter:notOnOrAfter argument is null
        at org.picketlink.common.DefaultPicketLinkLogger.nullArgumentError(DefaultPicketLinkLogger.java:144)
        at org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil.isValid(XMLTimeUtil.java:158) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil.hasExpired(AssertionUtil.java:301) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:579) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:484) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:142) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:101) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:494) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:473) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:344) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:272) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-18.jar:7.5.0.Final-redhat-18]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]

When the NotBefore attribute is missing, the following NPE is written to the server log:
ERROR [org.picketlink.common] (http-localhost/127.0.0.1:8080-1) Service Provider could not handle the request.: java.lang.NullPointerException
        at org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil.hasExpired(AssertionUtil.java:299) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:579) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:484) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:142) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:101) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:494) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:473) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:344) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:272) [picketlink-jbas7-2.5.4.SP1-redhat-1.jar:2.5.4.SP1-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-18.jar:7.5.0.Final-redhat-18]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.5.Final-redhat-1.jar:7.5.5.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]
        
[1] section 2.5.1 Element <Conditions> in https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
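As an added example (not PicketLink code and not part of the bug report above), the following Python check shows how an SP-side validity test can treat NotBefore and NotOnOrAfter as optional, as section 2.5.1 of SAML 2.0 Core allows, instead of failing on a null attribute. The clock-skew allowance, the IssueInstant-based maximum age, the `sample_assertion()`/`example_now()`/`evaluate_examples()` helpers and the constructed assertion fragments are assumptions of this example, not behaviour documented for PicketLink.

```python
"""Time-window check for a SAML 2.0 <saml:Conditions> element.

Added example, not PicketLink's own code. It follows SAML 2.0 Core section
2.5.1: NotBefore and NotOnOrAfter are both optional, NotBefore is inclusive
and NotOnOrAfter is exclusive. A missing attribute places no bound on that
side instead of being treated as an error. The clock-skew allowance and the
IssueInstant-based maximum age are local policy choices, not spec rules.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML (UTC, trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() before Python 3.11 rejects 'Z'
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML time values must carry a time zone")
    return instant.astimezone(timezone.utc)


def conditions_valid(assertion_xml: str, now: datetime,
                     skew: timedelta = timedelta(seconds=60),
                     max_age: timedelta = timedelta(minutes=5)) -> bool:
    """Return True if the assertion is usable at time `now`.

    Missing NotBefore / NotOnOrAfter are accepted (optional per spec). Because
    an assertion with no NotOnOrAfter would otherwise never expire, a local
    cap of `max_age` after IssueInstant is enforced as well (example policy).
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")

    # IssueInstant is REQUIRED on <saml:Assertion>; KeyError here is deliberate.
    issue_instant = parse_saml_instant(root.attrib["IssueInstant"])
    if now - skew >= issue_instant + max_age:
        return False  # too old regardless of Conditions (local policy)

    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return True  # no <Conditions> element: no further time restriction

    not_before = conditions.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False  # not yet valid (NotBefore is inclusive)

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False  # expired (NotOnOrAfter is exclusive)

    return True


def sample_assertion(not_before: Optional[str] = None,
                     not_on_or_after: Optional[str] = None,
                     with_conditions: bool = True) -> str:
    """Constructed minimal assertion for this example (no Subject, Signature, ...)."""
    attrs = ""
    if not_before:
        attrs += f' NotBefore="{not_before}"'
    if not_on_or_after:
        attrs += f' NotOnOrAfter="{not_on_or_after}"'
    conditions = f"<saml:Conditions{attrs}/>" if with_conditions else ""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="2015-02-18T12:45:00Z">'
        f"<saml:Issuer>https://idp.example.test</saml:Issuer>{conditions}"
        f"</saml:Assertion>"
    )


def example_now(offset_seconds: int = 0) -> datetime:
    """Fixed 'current time' for the constructed inputs (26 s after IssueInstant)."""
    return datetime(2015, 2, 18, 12, 45, 26, tzinfo=timezone.utc) + timedelta(seconds=offset_seconds)


def evaluate_examples() -> Dict[str, bool]:
    """Run the check over the cases from the bug report plus two negative ones."""
    cases = {
        "both bounds": sample_assertion("2015-02-18T12:44:00Z", "2015-02-18T12:50:00Z"),
        "NotBefore missing (was NPE)": sample_assertion(None, "2015-02-18T12:50:00Z"),
        "NotOnOrAfter missing (was PL00078)": sample_assertion("2015-02-18T12:44:00Z", None),
        "no Conditions at all": sample_assertion(with_conditions=False),
        "expired": sample_assertion(None, "2015-02-18T12:40:00Z"),
        "not yet valid": sample_assertion("2015-02-18T12:50:00Z", None),
    }
    return {name: conditions_valid(xml, example_now()) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, ok in evaluate_examples().items():
        print(f"{name:38s} -> {ok}")
```

The two inputs that crash the PicketLink version in the traces above (one attribute present, the other absent) evaluate as valid here, while an assertion that is past its NotOnOrAfter or not yet at its NotBefore is rejected. The `max_age` cap is the caveat worth keeping when accepting the optional attributes: without it, an assertion that carries no NotOnOrAfter has no upper bound at all from the Conditions element. A real SP still has to verify the signature, Audience restriction, InResponseTo and replay of the assertion ID before any of this matters.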

