JAX-RS SAML Web SSO - Validating SAML Response in OSGi

JAX-RS SAML Web SSO - Validating SAML Response in OSGi

DrBrain
Versions:
- CXF 3.1.8
- Karaf 4.0.9
- JDK 1.8.x

I'm following the example on http://cxf.apache.org/docs/saml-web-sso.html and everything's working fine up to the point where I need to validate the SAML response I get back from the IdP. The problem seems to lie in the fact that RequestAssertionConsumerService ends up using a SignatureValidator (provided by org.opensaml.xmlsec.signature.support) which in turn tries to find a signature validation provider using ServiceLoader.load(SignatureValidationProvider.class) - which AFAIK will never work in OSGi with no additional 'tricks'.

Here's the calling sequence:
RequestAssertionConsumerService.processSamlResponse()
AbstractRequestAssertionConsumerHandler.doProcessSamlResponse()
AbstractRequestAssertionConsumerHandler.createSecurityContext()
AbstractRequestAssertionConsumerHandler.validateSamlResponseProtocol()
SAMLProtocolResponseValidator.validateResponseSignature()
SAMLProtocolResponseValidator.validateSignatureAgainstProfile()
SignatureValidator.validate()
SignatureValidator.getSignatureValidationProvider()
And here's the problematic code (last call above):
import java.util.Iterator;
import java.util.ServiceLoader;

// OpenSAML's SignatureValidator: the provider is looked up lazily through ServiceLoader,
// which consults the thread context class loader - the step that breaks under OSGi.
private static SignatureValidationProvider getSignatureValidationProvider() throws SignatureException {
    if (validatorInstance == null) {
        ServiceLoader<SignatureValidationProvider> loader = ServiceLoader.load(SignatureValidationProvider.class);
        Iterator<SignatureValidationProvider> iterator = loader.iterator();
        if (!iterator.hasNext()) {
            throw new SignatureException("Could not load a signature validation provider implementation via service API");
        }
        validatorInstance = iterator.next();
    }

    return validatorInstance;
}

Now, I'm pretty much aware of the problems of SPI + OSGi as well as possible remedies using something like Aries SPI Fly *on your own code*. However, since I - obviously - don't control the above code, trying to "SPIfy" it myself means I end up with custom JARs, custom Karaf features to include those JARs, etc. - not a nice place to be :)

So, I'm wondering whether I'm missing some obvious thing/workaround here... Any ideas welcome :)


Thanks
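Two OSGi-safe ways around the ServiceLoader lookup described above, as an added example that is not code from this thread, from CXF or from OpenSAML: the first keeps SignatureValidator but temporarily points the thread context class loader at the bundle that carries the META-INF/services entry (assumes the OpenSAML API and implementation ship in one bundle, as in the ServiceMix repackaging); the second instantiates OpenSAML's Santuario-backed provider directly and never touches ServiceLoader. Both only check the cryptographic signature against the credential you pass in; deciding that the credential is the trusted IdP's, and the signature-profile check, remain the RP's job.

```java
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.SignatureValidationProvider;
import org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl;

/**
 * Validating the IdP signature on a SAML Response without depending on
 * ServiceLoader discovery working under OSGi. Added example, not CXF/OpenSAML code.
 */
public final class OsgiSafeSignatureValidation {

    private OsgiSafeSignatureValidation() {}

    /**
     * Option 1: keep OpenSAML's SignatureValidator, but make ServiceLoader.load(Class)
     * (which uses the thread context class loader) search the class loader of the bundle
     * that contains META-INF/services/...SignatureValidationProvider.
     * Assumption: API and impl are in the same bundle, so SignatureValidator's loader
     * can see that file. The provider is cached statically, so this only has to work once.
     */
    public static void validateWithBundleClassLoader(Signature signature, Credential idpCredential)
            throws SignatureException {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(SignatureValidator.class.getClassLoader());
        try {
            SignatureValidator.validate(signature, idpCredential); // throws if invalid
        } finally {
            current.setContextClassLoader(previous); // always restore, even on failure
        }
    }

    /**
     * Option 2: bypass ServiceLoader by constructing the provider explicitly.
     * Assumption: the Santuario-backed provider (opensaml-xmlsec-impl) is on the bundle's
     * classpath, i.e. the package is imported or the impl is embedded.
     */
    public static void validateWithExplicitProvider(Signature signature, Credential idpCredential)
            throws SignatureException {
        SignatureValidationProvider provider = new ApacheSantuarioSignatureValidationProviderImpl();
        // Throws SignatureException when the signature does not verify against idpCredential
        provider.validate(signature, idpCredential);
    }
}
```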
Re: JAX-RS SAML Web SSO - Validating SAML Response in OSGi

Sergey Beryozkin
I have tested this feature in a demo a while back, but I see now it was never tried on OSGi:
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/sso-saml

Only the simpler version of the demo was:
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/war-bundle

Well, this RP code has been stressed by the users AFAIK but looks like
it was never tried in OSGi, unless I'm missing something. Colm, can that
validator provider optionally be injected and, if it is, the call to the
static function be skipped?

Sergey


On 04/07/17 15:41, DrBrain wrote:

> Versions:
> - CXF 3.1.8
> - Karaf 4.0.9
> - JDK 1.8.x
>
> I'm following the example on http://cxf.apache.org/docs/saml-web-sso.html
> and everything's working fine up to the point where I need to validate the
> SAML response I get back from the IdP. The problem seems to lie to the fact
> that RequestAssertionConsumerService ends up using a SignatureValidator
> (provided by org.opensaml.xmlsec.signature.support) which in turn tries to
> find a signature validation provider using
> ServiceLoader.load(SignatureValidationProvider.class) - which AFAIK will
> never work in OSGi with no additional 'tricks'.
>
> Here's the calling sequence:
>
> And here's the problematic code (last call above):
>
>
> Now, I'm pretty much aware of the problems of SPI + OSGi as well as possible
> remedies using something like Aries SPI Fly *on your own code*. However,
> since I - obviously - don't control the above code, trying to "SPIfy" it
> myself means I end up with custom JARs, custom Karaf features to include
> those JARs, etc. - not a nice place to be :)
>
> So, I'm wondering whether I'm missing some obvious thing/workaround here...
> Any ideas welcome :)
>
>
> Thanks
>


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
Re: JAX-RS SAML Web SSO - Validating SAML Response in OSGi

coheigea
I've changed the code in CXF to avoid calling the OpenSAML code that calls
ServiceLoader.load. Could you try grabbing the latest sources and see if it
works now?

Colm.

On Wed, Jul 5, 2017 at 10:49 AM, Sergey Beryozkin <[hidden email]>
wrote:

> I have tested this feature in a demo awhile back,
>
> but I see now it was never tried on OSGI,
>
> https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/sso-saml
>
> only the simpler version of the demo was:
> https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/war-bundle
>
> Well, this RP code has been stressed by the users AFAIK but looks like it
> was never tried in OSGI, unless I'm missing something, Colm, can that
> validator provider optionally injected and if it is then the call to the
> static function be skipped ?
>
> Sergey
>
>
>
> On 04/07/17 15:41, DrBrain wrote:
>
>> Versions:
>> - CXF 3.1.8
>> - Karaf 4.0.9
>> - JDK 1.8.x
>>
>> I'm following the example on http://cxf.apache.org/docs/saml-web-sso.html
>> and everything's working fine up to the point where I need to validate the
>> SAML response I get back from the IdP. The problem seems to lie to the
>> fact
>> that RequestAssertionConsumerService ends up using a SignatureValidator
>> (provided by org.opensaml.xmlsec.signature.support) which in turn tries
>> to
>> find a signature validation provider using
>> ServiceLoader.load(SignatureValidationProvider.class) - which AFAIK will
>> never work in OSGi with no additional 'tricks'.
>>
>> Here's the calling sequence:
>>
>> And here's the problematic code (last call above):
>>
>>
>> Now, I'm pretty much aware of the problems of SPI + OSGi as well as
>> possible
>> remedies using something like Aries SPI Fly *on your own code*. However,
>> since I - obviously - don't control the above code, trying to "SPIfy" it
>> myself means I end up with custom JARs, custom Karaf features to include
>> those JARs, etc. - not a nice place to be :)
>>
>> So, I'm wondering whether I'm missing some obvious thing/workaround
>> here...
>> Any ideas welcome :)
>>
>>
>> Thanks
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Re: JAX-RS SAML Web SSO - Validating SAML Response in OSGi

DrBrain
Hi,

I backported this change to 3.1.8, which is the version we're using in Karaf 4.0.9, and it works fine.


-n-