Bug 1466604 - [GSS] (6.4.z) Implicit namespace declaration of <Signature/> causes XPathStylesheetDOM3Exception
Status: POST
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Services, PicketLink
Version: 6.4.8
Assigned To: Jiri Ondrusek
QA Contact: Peter Mackay
Blocks: 1471199
Reported: 2017-06-29 23:53 EDT by Hisanobu Okuda
Modified: 2017-07-14 12:27 EDT
Clones: 1471199
Type: Bug


Attachments: None
Description Hisanobu Okuda 2017-06-29 23:53:15 EDT
Description of problem:
A web service secured by WS-Trust/SAML STS is deployed on EAP 6.4.x. If the namespace of `<Signature/>` in an assertion in a web service request is declared implicitly, like:


<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <CanonicalizationMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
        <SignatureMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" URI="#ID_57501112-83ce-41fe-828c-d538b13432e6">


it throws XPathStylesheetDOM3Exception as follows:


20:13:15,332 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-2) Unexpected error: javax.xml.xpath.XPathExpressionException: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null
        at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:295)
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.getX509Certificate(SAMLTokenCertValidatingCommonLoginModule.java:465) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.validateSAMLCredential(SAMLTokenCertValidatingCommonLoginModule.java:421) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.login(SAMLTokenCertValidatingCommonLoginModule.java:276) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_102]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_102]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_102]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_102]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_102]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:424) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:363) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:351) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:156) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
        at org.picketlink.trust.jbossws.handler.AbstractWSAuthenticationHandler.handleInbound(AbstractWSAuthenticationHandler.java:83) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.picketlink.trust.jbossws.handler.AbstractPicketLinkTrustHandler.handleMessage(AbstractPicketLinkTrustHandler.java:259) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:359) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:255) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:132) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.jboss.wsf.stack.cxf.interceptor.HandlerAuthInterceptor$JBossWSHandlerChainInvoker.invokeProtocolHandlers(HandlerAuthInterceptor.java:114)
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:169) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:124) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:71) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:97)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:131)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.3.1.Final-redhat-1.jar:2.3.1.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
Caused by: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null
        at org.apache.xpath.compiler.XPathParser.errorForDOM3(XPathParser.java:655)
        at org.apache.xpath.compiler.Lexer.mapNSTokens(Lexer.java:647)
        at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:274)
        at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:98)
        at org.apache.xpath.compiler.XPathParser.initXPath(XPathParser.java:112)
        at org.apache.xpath.XPath.<init>(XPath.java:178)
        at org.apache.xpath.XPath.<init>(XPath.java:266)
        at org.apache.xpath.jaxp.XPathImpl.eval(XPathImpl.java:195)
        at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:281)
        ... 52 more

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. untar https://issues.jboss.org/secure/attachment/12421389/reproducer_xmlns.tar.gz
2. cd reproducer_xmlns
3. copy dist/reproducer_xmlns.war to $JBOSS_HOME/standalone/deployments
4. copy idp.truststore to $JBOSS_HOME/standalone/configuration
5. add the following lines into standalone.xml

                <security-domain name="saml-token-local-validation" cache-type="default">
                    <authentication>
                        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule" flag="required">
                            <module-option name="roleKey" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
                            <module-option name="localValidationSecurityDomain" value="saml-token-local-validation"/>
                        </login-module>
                    </authentication>
                    <jsse keystore-password="123456" keystore-url="${jboss.server.config.dir}/idp.truststore"/>
                </security-domain>

6. run `ant test`

Actual results:

Expected results:

Additional info:

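The failure in the trace above is the generic JAXP behaviour when an XPath expression uses a prefix that the supplied NamespaceContext cannot resolve: Xalan's XPathParser raises XPathStylesheetDOM3Exception, and XPathImpl.evaluate wraps it in XPathExpressionException. The following is an added example, not PicketLink's code and not a claim about how SAMLTokenCertValidatingCommonLoginModule resolves prefixes internally. It contrasts two ways of binding the `dsig` prefix used in an XPath (the prefix and expression are this example's own choice) when selecting the signer's X509Certificate from a Signature: one derived from whatever prefixes the sender declared on the document (fragile, and fails exactly on the default-namespace form from the report), and one bound to the XML-DSig URI by the verifier itself. The two Signature documents and the certificate text are constructed placeholders, not real assertions.

```java
import java.io.StringReader;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class SignatureNamespaceDemo {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample 1: default namespace on <Signature>, the form that triggered the report.
    static final String IMPLICIT = "<Signature xmlns=\"" + DSIG + "\">"
        + "<KeyInfo><X509Data><X509Certificate>MIIB...placeholder...</X509Certificate></X509Data></KeyInfo>"
        + "</Signature>";

    // Constructed sample 2: the same element with an explicit dsig: prefix.
    static final String PREFIXED = "<dsig:Signature xmlns:dsig=\"" + DSIG + "\">"
        + "<dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIB...placeholder...</dsig:X509Certificate>"
        + "</dsig:X509Data></dsig:KeyInfo></dsig:Signature>";

    // Prefix and path are this example's own; the prefix only has to match what the context binds.
    static final String CERT_XPATH = "/dsig:Signature/dsig:KeyInfo/dsig:X509Data/dsig:X509Certificate";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // without this, every element lands in no namespace and the XPath never matches
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE on inbound tokens
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Fragile pattern: the expression's prefix is looked up among the prefixes the SENDER declared. */
    static NamespaceContext senderDeclaredContext(final Document doc) {
        return new NamespaceContext() {
            public String getNamespaceURI(String prefix) {
                // Returns null for "dsig" on IMPLICIT: only the default namespace is declared there.
                return doc.getDocumentElement().lookupNamespaceURI(prefix);
            }
            public String getPrefix(String uri) { return null; }
            public Iterator<String> getPrefixes(String uri) { return Collections.emptyIterator(); }
        };
    }

    /** Robust pattern: the verifier binds its own prefix to the URI it requires, whatever the input used. */
    static NamespaceContext fixedContext() {
        return new NamespaceContext() {
            public String getNamespaceURI(String prefix) {
                return "dsig".equals(prefix) ? DSIG : XMLConstants.NULL_NS_URI;
            }
            public String getPrefix(String uri) { return DSIG.equals(uri) ? "dsig" : null; }
            public Iterator<String> getPrefixes(String uri) { return Collections.singletonList("dsig").iterator(); }
        };
    }

    /** Selects the certificate text, or null if the path matches nothing. */
    static String certText(Document doc, NamespaceContext ctx) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(ctx);
        Node n = (Node) xp.evaluate(CERT_XPATH, doc, XPathConstants.NODE);
        return n == null ? null : n.getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String[][] samples = { { "prefixed", PREFIXED }, { "implicit", IMPLICIT } };
        for (String[] s : samples) {
            Document doc = parse(s[1]);
            try {
                System.out.println(s[0] + " / sender-declared context: " + certText(doc, senderDeclaredContext(doc)));
            } catch (XPathExpressionException e) {
                // On the implicit form this is the XPathStylesheetDOM3Exception path from the report.
                System.out.println(s[0] + " / sender-declared context failed: " + e.getCause());
            }
            System.out.println(s[0] + " / fixed context: " + certText(doc, fixedContext()));
        }
    }
}
```

Compile and run with `javac SignatureNamespaceDemo.java && java SignatureNamespaceDemo`. On the prefixed sample both contexts return the certificate; on the implicit sample the sender-declared context throws (the prefix cannot be resolved) while the fixed context still returns it. Two practitioner notes follow from this. First, the fix must keep the XPath namespace-aware: working around the exception with a `local-name()`-only path would let any element that merely happens to be called Signature or X509Certificate, in any namespace, be selected as the signing certificate. Second, the bug as reported fails closed (the login module throws, so the request is rejected), which is an interoperability problem rather than a validation bypass; that is the right failure direction for a token-validating login module, and a fix should preserve it while accepting both serializations.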