Bug 779750 (SOA-2112) - security_saml QS fails during RequestedSecurityToken extraction.
Summary: security_saml QS fails during RequestedSecurityToken extraction.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: SOA-2112
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: Examples, PicketLink
Version: 5.0.2
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 5.0.2
Assignee: Kevin Conner
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks:
Reported: 2010-06-04 10:33 UTC by Marek Baluch
Modified: 2010-06-18 07:56 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-18 07:56:47 UTC
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 779749 0 high CLOSED SOAPElementImpl.getElementsByTagName does not return correct results. 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker SOA-2112 0 Major Closed security_saml QS fails during RequestedSecurityToken extraction. 2015-09-09 10:22:10 UTC

Internal Links: 779749

Description Marek Baluch 2010-06-04 10:33:45 UTC
Affects: Interactive Demo/Tutorial
Date of First Response: 2010-06-15 10:35:54
project_key: SOA

When running the QS we get the following exception:

12:14:00,857 ERROR [ActionProcessingPipeline] SecurityService exception : 
org.jboss.soa.esb.services.security.SecurityServiceException: Exception while trying to login:
       at org.jboss.internal.soa.esb.services.security.JaasSecurityService.authenticate(JaasSecurityService.java:102)
       at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:534)
       at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:419)
       at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:540)
       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
       at java.lang.Thread.run(Thread.java:619)
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
       at org.picketlink.identity.federation.core.wstrust.STSClient.issueToken(STSClient.java:188)
       at org.picketlink.identity.federation.core.wstrust.STSClient.issueToken(STSClient.java:122)
       at org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule.invokeSTS(STSIssuingLoginModule.java:85)
       at org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule.login(AbstractSTSLoginModule.java:243)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.internal.soa.esb.services.security.JaasSecurityService.authenticate(JaasSecurityService.java:94)
       at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:534)
       at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:419)
       at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:540)
       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
       at java.lang.Thread.run(Thread.java:619)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.internal.soa.esb.services.security.JaasSecurityService.authenticate(JaasSecurityService.java:94)
       ... 6 more

Comment 1 Marek Baluch 2010-06-04 10:34:25 UTC
For more information see related issue.

Comment 2 Marek Baluch 2010-06-04 10:34:25 UTC
Link: Added: This issue is related to SOA-2111


Comment 3 Kevin Conner 2010-06-10 10:08:18 UTC
Link: Added: This issue depends JBESB-3343


Comment 4 Kevin Conner 2010-06-15 14:35:54 UTC
This is not an ESB issue, rather it is an issue within picketlink.

The bug relates to SOA-2111 but this was incorrectly created against jbossws rather than against picketlink.

The issue lies within org.picketlink.identity.federation.core.wstrust.STSClient, specifically the following code

    private Element issueToken(RequestSecurityToken request) throws WSTrustException
    {
        request.setRequestType(URI.create(WSTrustConstants.ISSUE_REQUEST));
        request.setContext("context");
        WSTrustJAXBFactory jaxbFactory = WSTrustJAXBFactory.getInstance();
        DOMSource requestSource = (DOMSource) jaxbFactory.marshallRequestSecurityToken(request);
        Source response = dispatchLocal.get().invoke(requestSource);

        Node documentNode = ((DOMSource) response).getNode();
        Document responseDoc = documentNode instanceof Document ? (Document) documentNode : documentNode.getOwnerDocument();

        NodeList nodes;
        try
        {
            Document myDocument = DocumentUtil.createDocument();
            Node importedNode = myDocument.importNode(responseDoc.getDocumentElement(), true);
            myDocument.appendChild(importedNode);

            nodes = null;
            if (responseDoc instanceof SOAPPart)
            {
                SOAPPart soapPart = (SOAPPart) responseDoc;
                SOAPEnvelope env = soapPart.getEnvelope();
                SOAPBody body = env.getBody();
                Node data = body.getFirstChild();
                nodes = ((Element) data).getElementsByTagName("RequestedSecurityToken");
            }
            else
                nodes = responseDoc.getElementsByTagNameNS(WSTrustConstants.BASE_NAMESPACE, "RequestedSecurityToken");
        }
        catch (Exception e)
        {
            throw new WSTrustException("Exception in issuing token:", e);
        }

        if (nodes == null)
            throw new WSTrustException("NodeList is null");

        Node rstr = nodes.item(0);

        return (Element) rstr.getFirstChild();
    }


The invocation of getElementsByTagName is incorrect.

Comment 5 Kevin Conner 2010-06-15 14:58:14 UTC
picketlink 1.0.2 seems to have a fix for this.  The line in error has been replaced with the following

            nodes = ((Element) data).getElementsByTagNameNS(WSTrustConstants.BASE_NAMESPACE, "RequestedSecurityToken");
            if (nodes == null || nodes.getLength() == 0)
               nodes = ((Element) data).getElementsByTagName("RequestedSecurityToken");

Will try the QS using 1.0.2 classes and follow up.
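
Why the lookup quoted in Comment 4 ends in a NullPointerException, as an added example (not PicketLink or ESB code): on a namespace-aware DOM, getElementsByTagName compares against the qualified name, so a prefixed wst:RequestedSecurityToken is not matched, item(0) returns null and getFirstChild() is then called on null. The sample response, the class name RstrLookupDemo, the wst prefix, the namespace value standing in for WSTrustConstants.BASE_NAMESPACE and the strict exactly-one check are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class RstrLookupDemo {
    // WS-Trust 1.3 namespace; assumed to be the value behind WSTrustConstants.BASE_NAMESPACE.
    static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    // Constructed sample response (not captured from a real STS); the assertion is a stub.
    static final String SAMPLE =
        "<wst:RequestSecurityTokenResponse xmlns:wst='" + WST_NS + "'>"
      + "<wst:RequestedSecurityToken>"
      + "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='constructed-1'/>"
      + "</wst:RequestedSecurityToken>"
      + "</wst:RequestSecurityTokenResponse>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for getElementsByTagNameNS to match
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Namespace-aware extraction that fails with a clear error instead of an NPE.
    static Element extractToken(Element data) {
        NodeList nodes = data.getElementsByTagNameNS(WST_NS, "RequestedSecurityToken");
        if (nodes.getLength() != 1)
            throw new IllegalStateException(
                "expected one RequestedSecurityToken, found " + nodes.getLength());
        for (Node n = nodes.item(0).getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element) return (Element) n; // skip whitespace text nodes
        throw new IllegalStateException("RequestedSecurityToken has no element child");
    }

    public static void main(String[] args) throws Exception {
        Element data = parse(SAMPLE).getDocumentElement();
        // Qualified-name lookup: the tag name is "wst:RequestedSecurityToken", not the local name.
        NodeList byName = data.getElementsByTagName("RequestedSecurityToken");
        System.out.println("getElementsByTagName matches: " + byName.getLength());
        System.out.println("item(0) on that list: " + byName.item(0));
        Element token = extractToken(data);
        System.out.println("token: {" + token.getNamespaceURI() + "}" + token.getLocalName());
    }
}
```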

Comment 6 Kevin Conner 2010-06-15 15:24:37 UTC
Running the quickstart using the 1.0.2 picketlink binaries seems to address this issue.  I'm not sure what differences exist between 1.0.1 and 1.0.2 so we need input from Anil.

Comment 7 Kevin Conner 2010-06-15 15:56:06 UTC
As picketlink is still technical preview we should look to move to the latest version (1.0.3.final)

I'll download that version and run the QS again.

Comment 8 Kevin Conner 2010-06-15 16:04:42 UTC
1.0.3.final works with this quickstart

Comment 9 Stefan Guilhen 2010-06-15 16:15:22 UTC
Kevin, you are right. This has been fixed for PL 1.0.2. We are releasing 1.0.3.SP1 today and I think it is a good idea to upgrade PL to this version in SOA-P.

Comment 10 Kevin Conner 2010-06-16 13:12:21 UTC
Link: Added: This issue depends JBESB-3352


Comment 11 Kevin Conner 2010-06-16 13:18:06 UTC
Updated in ESB codebase, will be in next tag for platform.

Comment 12 Marek Baluch 2010-06-18 07:56:47 UTC
Verified on 5.0.2 CR2

