Closed dlakatos847 closed 10 months ago
This is really weird. A few things fix my X.509 authentication problem temporarily:
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 to http://www.w3.org/2000/09/xmldsig#rsa-sha1 in SoapUI
- http://www.w3.org/2001/04/xmlenc#sha256 to http://www.w3.org/2000/09/xmldsig#sha1
- RST XML tags were embedded like this:
<wst:RequestSecurityToken Context="?">
<wst:RequestSecurityToken Context="?">
...
</wst:RequestSecurityToken>
</wst:RequestSecurityToken>
Altered to this:
<wst:RequestSecurityToken Context="?">
...
</wst:RequestSecurityToken>
Authentication works this way for a while. After some time (around 2 minutes) the error message "Illegal state" reappears. No username/password or X.509 authentication works anymore. If I clear the user's sessions, everything works again. The problem seems to almost disappear when I turn on "Stateless Sessions" in OpenAM.
My request looks like this after the fix:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-7ADB9798BB4C536A751570693321809123">BINARY_SECURITY_TOKEN</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-7ADB9798BB4C536A751570693321810126" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-7ADB9798BB4C536A751570693321807122">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>aMuH0LpSKz1Bhq01BsrT5JyGGdI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-7ADB9798BB4C536A75157069224316350">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>CG6om2Y+bQGtvmzbRHf2d92tEBE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gfA7SkXmO2Ia8ukV7PCPNDW6ogmKG81+PYGLjFpHaVO0FjBcA7pxq7rwfBlU9HgmsjSXYaRLZNc6...=</ds:SignatureValue>
<ds:KeyInfo Id="KI-7ADB9798BB4C536A751570693321809124">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-7ADB9798BB4C536A751570693321809125" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-7ADB9798BB4C536A751570693321809123" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-7ADB9798BB4C536A751570693321807122">
<wsu:Created>2019-10-10T07:42:01Z</wsu:Created>
<wsu:Expires>2019-10-10T07:52:01Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-7ADB9798BB4C536A75157069224316350" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wst:RequestSecurityToken Context="?">
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
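The two workarounds in the comment above (switching the signature and digest URIs to SHA-1, and flattening the doubled RequestSecurityToken) are exactly the things a policy check in front of an STS should flag: the SHA-1 XML signature algorithms are deprecated, so that change is a downgrade rather than a fix, and a second wst:RequestSecurityToken nested inside the first is a malformed RST. The following stdlib-only Python lint is an added example; it is not code from the issue or from OpenAM. It does not verify the signature itself (that needs exclusive C14N and the signer's certificate). The wsu:Id values, the placeholder DigestValue/SignatureValue contents, the `Decoy` element and the `build_rst` helper are assumptions made for this example.

```python
# Policy lint for a WS-Security signed WS-Trust RequestSecurityToken (RST).
# Added example, not code from the issue or from OpenAM. It does NOT verify the
# XML signature (that needs exclusive C14N and the signer's certificate); it
# checks what the thread touches: advertised algorithms, whether wsu:Timestamp
# and soapenv:Body are each covered by exactly one unambiguous ds:Reference,
# the Timestamp validity window, and nesting of RequestSecurityToken elements.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
WSU_ID = "{%s}Id" % NS["wsu"]
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
WEAK = {RSA_SHA1: "rsa-sha1", SHA1: "sha1"}  # the thread's workaround; reject


def parse_wsu_time(text):
    # wsu:Created / wsu:Expires are UTC xsd:dateTime values ending in "Z"
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lint_rst(xml_text, now_text):
    """Return policy findings for a signed RST; an empty list means it passes."""
    findings = []
    root = ET.fromstring(xml_text)
    body = root.find("soapenv:Body", NS)
    security = root.find("soapenv:Header/wsse:Security", NS)
    sig = security.find("ds:Signature", NS) if security is not None else None
    if body is None or sig is None:
        return ["missing soapenv:Body, wsse:Security or ds:Signature"]
    # 1. Advertised algorithms (one finding per kind is enough).
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is not None and method.get("Algorithm") in WEAK:
        findings.append("weak SignatureMethod " + WEAK[method.get("Algorithm")])
    for dm in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
        if dm.get("Algorithm") in WEAK:
            findings.append("weak DigestMethod " + WEAK[dm.get("Algorithm")])
            break
    # 2. Reference coverage. Index every wsu:Id in the whole envelope so a
    #    duplicated Id (the signature-wrapping trick) shows up as ambiguous.
    ids = {}
    for elem in root.iter():
        if elem.get(WSU_ID) is not None:
            ids.setdefault(elem.get(WSU_ID), []).append(elem)
    covered = []
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        targets = ids.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) == 1:
            covered.append(targets[0])
        else:
            findings.append("reference %s resolves to %d elements" % (uri, len(targets)))
    timestamp = security.find("wsu:Timestamp", NS)
    if body not in covered:
        findings.append("soapenv:Body is not signed")
    if timestamp is None or timestamp not in covered:
        findings.append("wsu:Timestamp is missing or not signed")
    # 3. Timestamp validity window (clock-skew allowance omitted here).
    if timestamp is not None:
        created = parse_wsu_time(timestamp.findtext("wsu:Created", namespaces=NS))
        expires = parse_wsu_time(timestamp.findtext("wsu:Expires", namespaces=NS))
        if not created <= parse_wsu_time(now_text) <= expires:
            findings.append("timestamp outside validity window")
    # 4. Exactly one RST in the Body and nothing nested inside it.
    rsts = body.findall("wst:RequestSecurityToken", NS)
    if len(rsts) != 1:
        findings.append("expected one RequestSecurityToken, found %d" % len(rsts))
    elif rsts[0].find(".//wst:RequestSecurityToken", NS) is not None:
        findings.append("nested RequestSecurityToken")
    return findings


def build_rst(sig_alg, digest_alg, nested=False, wrapped=False):
    """Constructed sample shaped like the thread's request; digest and signature
    values are placeholders, not real cryptographic output."""
    rst = '<wst:RequestSecurityToken Context="?">%s</wst:RequestSecurityToken>'
    inner = ("<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>"
             "<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>")
    ref = '<ds:Reference URI="#%s"><ds:DigestMethod Algorithm="%s"/><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>'
    # wrapped=True plants a decoy element in the Header that reuses the Body's wsu:Id
    decoy = f'<x:Decoy xmlns:x="urn:example" xmlns:wsu="{NS["wsu"]}" wsu:Id="id-body"/>' if wrapped else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wst="{NS['wst']}">
<soapenv:Header>{decoy}<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="{sig_alg}"/>{ref % ('ts-1', digest_alg)}{ref % ('id-body', digest_alg)}
</ds:SignedInfo><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
<wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2019-10-10T07:42:01Z</wsu:Created><wsu:Expires>2019-10-10T07:52:01Z</wsu:Expires></wsu:Timestamp>
</wsse:Security></soapenv:Header>
<soapenv:Body xmlns:wsu="{NS['wsu']}" wsu:Id="id-body">{rst % (rst % inner if nested else inner)}</soapenv:Body>
</soapenv:Envelope>"""
```

Run against `build_rst(RSA_SHA1, SHA1)` with a clock inside the 07:42 to 07:52 window it reports the two weak-algorithm findings from the workaround; `build_rst(RSA_SHA256, SHA256, nested=True)` reports only the nested RST; `wrapped=True` shows why every wsu:Id in the envelope (not just the Header) must be indexed before trusting a ds:Reference. The check deliberately runs on the raw message rather than on the token-cache state the issue describes, so it says nothing about the "Illegal state" error itself.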
Describe the bug
I use the openidentityplatform/openam:14.4.1 Docker image for piloting (non-production) a SOAP STS based SOA infrastructure. Signed, bearer subject confirmation method SAMLv2 tokens are issued after a successful WS-Security Username Token Profile or WS-Security X.509 Token Profile based authentication. Username/password is stored via the embedded OpenDJ server, while X.509 certificates should be trusted via a CA trust store and verified according to the X.509 Public Key Infrastructure. While the username/password based authentication successfully returns the signed and valid SAMLv2 token, X.509 based authentication fails with an exotic exception:

As I understand, org.forgerock.openam.sts.token.ThreadLocalAMTokenCacheImpl.AMSessionCache.sessionEntry is already initialized when org.forgerock.openam.sts.token.ThreadLocalAMTokenCacheImpl.AMSessionCache.setSessionEntry(String, boolean) is invoked, which triggers the exception due to this unwanted state.

To Reproduce
Steps to reproduce the behavior:
- openidentityplatform/openam:14.4.1 Docker container
- .war
- WS-Trust defined Request Security Token request via e.g. SoapUI

Example request:

Example response:

Expected behavior
The SAMLv2 token is issued without an exception.

Screenshots
Not applicable.

Additional context
The full stacktrace found in the Tomcat log: catalina.2019-10-09.log.