Hi Dimuthu,
Please find a patch that I was working on some time ago to make APIM SSO work
in tenant mode. It is not completed, but you can get some clues from it and go forward.
thank you.
On Mon, Jul 15, 2013 at 10:15 PM, Dimuthu Leelarathne <[email protected]> wrote:
> Hi,
>
> This is the error now.
>
>
> [2013-07-16 10:26:50,880] WARN
> {org.apache.xml.security.signature.XMLSignature} - Signature verification
> failed.
> org.opensaml.xml.validation.ValidationException: Signature did not
> validate against the credential's key
> at
> org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
> at
> org.wso2.carbon.hostobjects.sso.internal.util.Util.validateSignature(Util.java:255)
> at
> org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject.jsFunction_validateSignature(SAMLSSORelyingPartyObject.java:120)
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
> at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
> at
> org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
> at
> org.jaggeryjs.rhino.appmgt.jagg.c3._c_anonymous_1(/appmgt/jagg/jaggery_acs.jag:33)
> at
> org.jaggeryjs.rhino.appmgt.jagg.c3.call(/appmgt/jagg/jaggery_acs.jag)
> at
> org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
> at
> org.jaggeryjs.rhino.appmgt.jagg.c3._c_script_0(/appmgt/jagg/jaggery_acs.jag:5)
> at
> org.jaggeryjs.rhino.appmgt.jagg.c3.call(/appmgt/jagg/jaggery_acs.jag)
> at
> org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
> at
> org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
> at
> org.jaggeryjs.rhino.appmgt.jagg.c3.call(/appmgt/jagg/jaggery_acs.jag)
> at
> org.jaggeryjs.rhino.appmgt.jagg.c3.exec(/appmgt/jagg/jaggery_acs.jag)
> at
> org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:577)
> at
> org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:280)
> at
> org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:377)
> at
> org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
> at
> org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
> at
> org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
> at
> org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
> at
> org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at
> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:177)
> at
> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:161)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
> at
> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
> at java.lang.Thread.run(Thread.java:662)
> [2013-07-16 10:26:50,881] ERROR {JAGGERY.jagg.jaggery_acs:jag} - SAML
> response signature is verification failed.
> ^C[2013-07-16 10:36:11,316] INFO
> {org.wso2.carbon.core.init.CarbonServerManager} - Shutdown hook tri
>
> thanks,
> dimuthu
>
>
>
> On Sat, Jul 13, 2013 at 10:11 AM, Dimuthu Leelarathne
> <[email protected]> wrote:
>
>>
>>
>>
>> On Sat, Jul 13, 2013 at 12:29 AM, Manjula Rathnayake
>> <[email protected]> wrote:
>>
>>> Hi Dimuthu,
>>>
>>> Just to understand the scenario,
>>> 1. Is it the normal AF deployment and you are trying to login to AF
>>> appmgt app?
>>>
>>
>> yes to both. My tenant can successfully login to the carbon console of AF
>> now. :) But that is not SSO.
>>
>>
>>> 2. Have we updated Identity features recently?
>>>
>>
>> No
>>
>>
>>> 3. Have we configured other carbon servers as service providers in the AF
>>> setup? Currently, only the appmgt, publisher and store are the service
>>> providers.
>>>
>>
>> Nothing is changed. Same setup.
>>
>> thanks,
>> dimuthu
>>
>>
>>>
>>> Regarding the above issue, domain2 is the tenant (or application name),
>>> and the Identity Server looks for the default JKS of the tenant (AFAIR this
>>> is created at tenant creation time), not the super tenant one. I cannot
>>> figure out a scenario in which we use the tenant JKS.
>>>
>>> thank you.
>>>
>>>
>>> On Fri, Jul 12, 2013 at 7:00 AM, Dimuthu Leelarathne
>>> <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to log in to appmgt of AF with SSO as a tenant, and I am
>>>> getting the following exception. Any pointers on where I should look?
>>>>
>>>> [2013-07-12 19:27:39,534] ERROR
>>>> {org.wso2.carbon.identity.sso.saml.processors.AuthnRequestProcessor} -
>>>> Error processing the authentication request
>>>> org.wso2.carbon.identity.base.IdentityException: Key Store with a name
>>>> : domain2.jks does not exist.
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder.<init>(SignKeyDataHolder.java:135)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.builders.ResponseBuilder.buildResponse(ResponseBuilder.java:96)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.processors.AuthnRequestProcessor.process(AuthnRequestProcessor.java:154)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.SAMLSSOService.authenticate(SAMLSSOService.java:113)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>> at
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>> at
>>>> org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
>>>> at
>>>> org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
>>>> at
>>>> org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
>>>> at
>>>> org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
>>>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>>>> at
>>>> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
>>>> at
>>>> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
>>>> at
>>>> org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:45)
>>>> at
>>>> org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
>>>> at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>> at
>>>> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:398)
>>>> at
>>>> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
>>>> at
>>>> org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.stub.IdentitySAMLSSOServiceStub.authenticate(IdentitySAMLSSOServiceStub.java:783)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.ui.client.SAMLSSOServiceClient.authenticate(SAMLSSOServiceClient.java:81)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.ui.SAMLSSOProvider.handleRequestFromLoginPage(SAMLSSOProvider.java:323)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.ui.SAMLSSOProvider.doPost(SAMLSSOProvider.java:131)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>>>> at
>>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>>> at
>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>>> at
>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>> at
>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>>>> at
>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>>>> at
>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>> at
>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>>> at
>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:177)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:161)
>>>> at
>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>> at
>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>>> at
>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>>> at
>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>>>> at
>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>>>> at
>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
>>>> at java.lang.Thread.run(Thread.java:662)
>>>> Caused by: java.lang.SecurityException: Key Store with a name :
>>>> domain2.jks does not exist.
>>>> at
>>>> org.wso2.carbon.core.util.KeyStoreManager.getKeyStore(KeyStoreManager.java:156)
>>>> at
>>>> org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder.<init>(SignKeyDataHolder.java:90)
>>>> ... 53 more
>>>>
>>>> thanks in advance,
>>>> dimuthu
>>>>
>>>> --
>>>> Dimuthu Leelarathne
>>>> Architect & Product Lead of App Factory
>>>>
>>>> WSO2, Inc. (http://wso2.com)
>>>> email: [email protected]
>>>> Mobile : 0773661935
>>>>
>>>> Lean . Enterprise . Middleware
>>>>
>>>
>>>
>>>
>>> --
>>> Manjula Rathnayaka
>>> Software Engineer
>>> WSO2, Inc.
>>> Mobile:+94 77 743 1987
>>>
>>
--
Manjula Rathnayaka
Software Engineer
WSO2, Inc.
Mobile:+94 77 743 1987
Index: src/main/java/org/wso2/carbon/hostobjects/sso/internal/util/Util.java
===================================================================
--- src/main/java/org/wso2/carbon/hostobjects/sso/internal/util/Util.java
(revision 174729)
+++ src/main/java/org/wso2/carbon/hostobjects/sso/internal/util/Util.java
(working copy)
@@ -39,6 +39,8 @@
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;
+import org.wso2.carbon.base.MultitenantConstants;
+import org.wso2.carbon.core.util.KeyStoreManager;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
@@ -49,6 +51,7 @@
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
+import java.security.cert.X509Certificate;
import java.util.Random;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
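Review bot: the added `import java.security.cert.X509Certificate;` is unused by this patch, which keeps writing the fully qualified `java.security.cert.X509Certificate` inside validateSignature; either drop the import or use the short name consistently in the method body.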
@@ -251,17 +254,29 @@
* @param resp SAML Response
* @return true, if signature is valid.
*/
- public static boolean validateSignature(Response resp, String
keyStoreName, String keyStorePassword, String alias) {
+ public static boolean validateSignature(Response resp, String
keyStoreName, String keyStorePassword, String alias, int tenantId, String
tenantDomain) {
boolean isSigValid = false;
try {
- if(log.isDebugEnabled()){
- log.info("keystore path:"+keyStoreName);
+ if (log.isDebugEnabled()) {
+ log.info("keystore path:" + keyStoreName);
}
- KeyStore keyStore = KeyStore.getInstance("JKS");
- keyStore.load(new FileInputStream(new File(keyStoreName)),
- keyStorePassword.toCharArray());
- java.security.cert.X509Certificate cert =
(java.security.cert.X509Certificate)
- keyStore.getCertificate(alias);
+ KeyStore keyStore = null;
+ java.security.cert.X509Certificate cert = null;
+
+ if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {
+ // get an instance of the corresponding Key Store Manager
instance
+ KeyStoreManager keyStoreManager =
KeyStoreManager.getInstance(tenantId);
+ keyStore =
keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain));
+ log.info(keyStore.getCertificate(tenantDomain));
+ cert = (java.security.cert.X509Certificate)
keyStore.getCertificate(tenantDomain);
+ log.info(cert.getSubjectDN().getName());
+
+ } else {
+ keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(new FileInputStream(new File(keyStoreName)),
+ keyStorePassword.toCharArray());
+ cert = (java.security.cert.X509Certificate)
keyStore.getCertificate(alias);
+ }
X509CredentialImpl credentialImpl = new X509CredentialImpl(cert);
SignatureValidator signatureValidator = new
SignatureValidator(credentialImpl);
Signature signature = resp.getSignature();
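Review bot: in the tenant branch, `keyStore.getCertificate(tenantDomain)` returns null when no entry has that alias, and the next line `log.info(cert.getSubjectDN().getName())` then throws a NullPointerException that the generic `catch (Exception e)` reports as "Signature verification failed..."; add an explicit null check that logs the missing alias and tenant domain and returns false, so a misconfigured tenant keystore is distinguishable from a bad signature. On the same path the `alias` parameter is silently ignored in favour of `tenantDomain`, which should be documented in the Javadoc or reconsidered. The two `log.info(...)` calls that dump the certificate and its subject DN are debug output at INFO level and belong inside an `if (log.isDebugEnabled())` guard using `log.debug` (the existing guard at the top of the method also calls `log.info` and has the same problem).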
@@ -271,11 +286,20 @@
signatureValidator.validate(resp.getSignature());
isSigValid = true;
return isSigValid;
+
} catch (Exception e) {
- log.error("Signature verification failed...",e);
+ log.error("Signature verification failed...", e);
return isSigValid;
}
}
+ /**
+ * Generate the key store name from the domain name
+ * @param tenantDomain tenant domain name
+ * @return key store file name
+ */
+ private static String generateKSNameFromDomainName(String tenantDomain) {
+ String ksName = tenantDomain.trim().replace(".", "-");
+ return (ksName + ".jks");
+ }
-
}
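Review bot: generateKSNameFromDomainName dereferences tenantDomain without a null check, so a missing domain argument surfaces only as a NullPointerException swallowed by the caller's `catch (Exception e)` and reported as a signature failure; reject a null or empty domain up front with a clear message. The added blank line after `return isSigValid;` and the removed blank line before the closing brace are whitespace-only changes that add noise to the patch and should be dropped.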
Index:
src/main/java/org/wso2/carbon/hostobjects/sso/SAMLSSORelyingPartyObject.java
===================================================================
---
src/main/java/org/wso2/carbon/hostobjects/sso/SAMLSSORelyingPartyObject.java
(revision 174729)
+++
src/main/java/org/wso2/carbon/hostobjects/sso/SAMLSSORelyingPartyObject.java
(working copy)
@@ -111,20 +111,26 @@
Function funObj)
throws Exception {
int argLength = args.length;
- if (argLength != 1 || !(args[0] instanceof String)) {
+ log.info("arg lenth "+argLength);
+ log.info(args[1]+" "+ args[2]);
+ if (argLength != 3 || !(args[0] instanceof String)) {
String errorMsg = "Invalid argument. SAML response is missing.";
log.error(errorMsg);
throw new ScriptException(errorMsg);
}
String decodedString = Util.decode((String) args[0]);
XMLObject samlObject = Util.unmarshall(decodedString);
+ Double tenantId = (Double)args[1];
+ int tenantID = tenantId.intValue();
+ log.info(tenantID);
if (samlObject instanceof Response) {
Response samlResponse = (Response) samlObject;
SAMLSSORelyingPartyObject relyingPartyObject =
(SAMLSSORelyingPartyObject) thisObj;
return Util.validateSignature(samlResponse,
relyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_NAME),
relyingPartyObject.getSSOProperty(SSOConstants.KEY_STORE_PASSWORD),
-
relyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS));
+
relyingPartyObject.getSSOProperty(SSOConstants.IDP_ALIAS),
+ tenantID, (String)args[2]);
}
if (log.isWarnEnabled()) {
log.warn("SAML response in signature validation is not a SAML
Response.");
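Review bot: `log.info(args[1]+" "+ args[2])` executes before the argument-count check, so a call with fewer than three arguments now fails with an ArrayIndexOutOfBoundsException instead of the intended ScriptException; move that logging below the check and either drop it or make it debug-level, since it prints raw script arguments at INFO. The casts `(Double)args[1]` and `(String)args[2]` are likewise unchecked and should be validated the way args[0] is, and the error message "Invalid argument. SAML response is missing." should be updated to describe the new three-argument contract (SAML response, tenant id, tenant domain). Note also that `argLength != 3` rejects existing one-argument callers of this function, which needs to be called out for the Jaggery apps that use it.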
Index: pom.xml
===================================================================
--- pom.xml (revision 174729)
+++ pom.xml (working copy)
@@ -51,6 +51,11 @@
<artifactId>commons-codec</artifactId>
<version>${commons-codec.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.wso2.carbon</groupId>
+ <artifactId>org.wso2.carbon.core</artifactId>
+ <version>4.1.0</version>
+ </dependency>
</dependencies>
<build>
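Review bot: the new org.wso2.carbon.core dependency hard-codes version 4.1.0 while the neighbouring commons-codec entry uses a `${...}` version property; manage this version through the same property mechanism (whichever property the parent pom uses for carbon core) so the two cannot drift apart on the next kernel upgrade.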
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev