Adding to Dev group. On Tue, Feb 10, 2015 at 3:04 PM, Nirmani Meegahathenna <[email protected]> wrote:
> Hi, > > I'm trying to integrate Jira and IS for SSO provisioning. Using LastPass > Jira SAML Plugin for this. > https://github.com/lastpass/jira-saml > > When a user tries to log in, the request is sent to IS and an > authentication response is sent back to Jira. And then I'm getting a server > 500 error due to a NullPointerException. Below is the error log. > >> Referer URL: *Unknown* >> >> java.lang.NullPointerException >> >> java.lang.NullPointerException >> at com.lastpass.saml.SAMLClient.validate(SAMLClient.java:219) >> at com.lastpass.saml.SAMLClient.validateResponse(SAMLClient.java:429) >> at >> com.lastpass.jira.SAMLAuthenticator.getUser(SAMLAuthenticator.java:165) >> at >> com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:136) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:100) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:172) >> at >> com.atlassian.jira.web.filters.JiraLoginFilter.doFilter(JiraLoginFilter.java:70) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) >> at >> 
com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:79) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) >> at >> com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) >> at >> com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) >> at >> com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) >> at >> com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) >> at >> com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:99) >> at >> com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:19) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:71) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> 
org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) >> at >> org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) >> at >> org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) >> at >> org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:82) >> at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:59) >> at >> com.atlassian.jira.web.filters.gzip.JiraGzipFilter.doFilter(JiraGzipFilter.java:55) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) >> at >> com.atlassian.analytics.client.filter.JiraAnalyticsFilter.doFilter(JiraAnalyticsFilter.java:40) >> at >> com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) >> at >> com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) >> at >> com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) >> at >> com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61) >> at >> 
com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) >> at >> com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) >> at >> com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) >> at >> com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:87) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.core.filters.cache.AbstractCachingFilter.doFilter(AbstractCachingFilter.java:33) >> at >> com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.core.filters.encoding.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:41) >> at >> com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) >> at >> com.atlassian.jira.web.filters.PathMatchingEncodingFilter.doFilter(PathMatchingEncodingFilter.java:49) >> at >> com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.jira.startup.JiraStartupChecklistFilter.doFilter(JiraStartupChecklistFilter.java:79) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.jira.web.filters.MultipartBoundaryCheckFilter.doFilter(MultipartBoundaryCheckFilter.java:41) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:87) >> at >> com.atlassian.jira.web.filters.JiraFirstFilter.doFilter(JiraFirstFilter.java:60) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >> at >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) >> at >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) >> at >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) >> at >> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) >> at >> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) >> at >> 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) >> at >> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >> at >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >> at java.lang.Thread.run(Thread.java:724) >> >> This is the code snippet where the Exception occurs. > >> for (AuthnStatement as: assertion.getAuthnStatements()) { >> >> DateTime exp = >>> as.getSessionNotOnOrAfter().plusSeconds(slack); >> >> if (exp != null && >> >> (now.isEqual(exp) || now.isAfter(exp))) >> >> throw new ValidationException( >> >> "AuthnStatement has expired"); >> >> } >> >> The full code is here. > > https://github.com/lastpass/saml-sdk-java/blob/master/src/com/lastpass/saml/SAMLClient.java#L219 > > This happens because the snippet calls as.getSessionNotOnOrAfter().plusSeconds(slack) before the "exp != null" check, so it throws the NullPointerException when the "AuthnStatement" has no "SessionNotOnOrAfter" attribute, which SAML 2.0 makes optional. > In the SAML Response sent from IS, "NotOnOrAfter" appears only on "SubjectConfirmationData" and "Conditions", outside the "AuthnStatement". > > Here is the SAML Response sent from IS. 
> >> <saml2p:Response Destination="http://localhost:8085/saml_acs.jsp" >>> >> ID="ikomjgjecbhlnfkjfjdanfkfeiikllpoehfpbglp" >> >> >>> >>> InResponseTo="470a8e67051a1cf2c9878e183e98530385c052ae42863df46c431043ed9ba7e7" >> >> IssueInstant="2015-02-10T06:11:48.139Z" >> >> Version="2.0" >> >> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >> >> > >> >> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >> >> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >> >> >localhost</saml2:Issuer> >> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> >> >> <ds:SignedInfo> >> >> <ds:CanonicalizationMethod Algorithm=" >>> http://www.w3.org/2001/10/xml-exc-c14n#" /> >> >> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" >>> /> >> >> <ds:Reference URI="#ikomjgjecbhlnfkjfjdanfkfeiikllpoehfpbglp"> >> >> <ds:Transforms> >> >> <ds:Transform Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> >> >> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> >> >> </ds:Transforms> >> >> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> >> >> <ds:DigestValue>pp7QlMArRO18k3QRZPWBcYXb/zg=</ds:DigestValue> >> >> </ds:Reference> >> >> </ds:SignedInfo> >> >> >>> <ds:SignatureValue>YeEsHiFI97brhZl4are0bBmFdp43t7i1ZI5vygUpQdXe/xOxJ50TheZU4e9NDtGzmRUMFPPwOq2/3hMzlNEnhyIA71yOq3DzQXV0qoYmxnWJ3Wzr0Zffm89VzuTpJ/Sg7puW1Jnc6jSAe6pprz/UVXwwqZNgizSVKwJ4a/uP6lo=</ds:SignatureValue> >> >> <ds:KeyInfo> >> >> <ds:X509Data> >> >> >>> <ds:X509Certificate>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</ds:X509Certificate> >> >> </ds:X509Data> >> >> </ds:KeyInfo> >> >> </ds:Signature> >> >> <saml2p:Status> >> >> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> >> >> </saml2p:Status> >> >> <saml2:Assertion ID="bgjkdehpojbjkllkmgpegofieacjnjfgbenlnhkb" >> >> IssueInstant="2015-02-10T06:11:48.141Z" >> >> Version="2.0" >> >> 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >> >> > >> >> <saml2:Issuer >>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer> >> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> >> >> <ds:SignedInfo> >> >> <ds:CanonicalizationMethod Algorithm=" >>> http://www.w3.org/2001/10/xml-exc-c14n#" /> >> >> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" >>> /> >> >> <ds:Reference URI="#bgjkdehpojbjkllkmgpegofieacjnjfgbenlnhkb"> >> >> <ds:Transforms> >> >> <ds:Transform Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> >> >> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> >> >> </ds:Transforms> >> >> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> >> >> <ds:DigestValue>3vMPs2Ks1e2C3mHLAYWmzsHMyfc=</ds:DigestValue> >> >> </ds:Reference> >> >> </ds:SignedInfo> >> >> >>> <ds:SignatureValue>A2FMg9XlfTmngFQLMWBvOZcvwWPZUrK68aZPJLFSD5GHl9ZMN2cNbebj1XW7frocnbaYO48VUzdXG+Wl3rVzHAtIYQ5VlDC+5DNyTBYvqps8LmRV5OzVcevBgeqr/miOkixuCrcOeTvYVHh3RNuHMAM/IE35/xa8/wMuklNrwl8=</ds:SignatureValue> >> >> <ds:KeyInfo> >> >> <ds:X509Data> >> >> >>> <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate> >> >> 
</ds:X509Data> >> >> </ds:KeyInfo> >> >> </ds:Signature> >> >> <saml2:Subject> >> >> <saml2:NameID >>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">admina</saml2:NameID> >> >> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> >> >> <saml2:SubjectConfirmationData >>> InResponseTo="470a8e67051a1cf2c9878e183e98530385c052ae42863df46c431043ed9ba7e7" >> >> NotOnOrAfter="2015-02-10T06:16:48.139Z" >> >> Recipient=" >>> http://localhost:8085/saml_acs.jsp" >> >> /> >> >> </saml2:SubjectConfirmation> >> >> </saml2:Subject> >> >> <saml2:Conditions NotBefore="2015-02-10T06:11:48.141Z" >> >> NotOnOrAfter="2015-02-10T06:16:48.139Z" >> >> > >> >> <saml2:AudienceRestriction> >> >> <saml2:Audience>http://localhost:8085/secure/Dashboard.jspa >>> </saml2:Audience> >> >> </saml2:AudienceRestriction> >> >> </saml2:Conditions> >> >> <saml2:AuthnStatement AuthnInstant="2015-02-10T06:11:48.146Z" >> >> SessionIndex="2a5faf12-9d84-476c-94c3-e493a04960ae" >> >> > >> >> <saml2:AuthnContext> >> >> >>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> >> >> </saml2:AuthnContext> >> >> </saml2:AuthnStatement> >> >> </saml2:Assertion> >> >> </saml2p:Response> >> >> > Is there any way to get IS to put the session's "NotOnOrAfter" attribute ("SessionNotOnOrAfter") inside the > "AuthnStatement" of the SAML Response? > > Thanks and Regards. > > -- > Nirmani Meegahathenna > *Software Engineer Intern* > Mobile : +94 (0) 775 507684 > [email protected] <[email protected]> > -- Nirmani Meegahathenna *Software Engineer Intern* Mobile : +94 (0) 775 507684 [email protected] <[email protected]>
