Thanks for following up with them. Their hints helped me figure out where to look. I THINK I see what may be happening here on our side and I've just committed a fix. If you could test tomorrow's snapshots (or check out the source and build it) to see if that helps, that would be great.
Dan

On Mon March 1 2010 11:20:28 pm PrSd wrote:
> Dan,
>
> I approached the folks at OpenSAML. As per Scott Cantor (one of the people
> heading that project), the issue is not at the SAML end, it is where DOM is
> first being created. The XML Parser is creating the DOM without namespace
> awareness which causes the SAML code to fail when it tries creating a
> QName(localpart). The localName of the DOM attribute is null.
>
> Following link is a detailed exchange I had with them
> https://mail.internet2.edu/wws/arc/mace-opensaml-users/2010-03/msg00025.html
>
> He clearly mentioned that I need to use a DOM2 or DOM3 Level specification.
> It is also possible that the CXF client or server side SOAP/SAAJ
> Interceptors are altering the DOM in a certain way that is causing the
> unmarshalling process using the SAML to fail.
>
> I managed to catch hold of the stack trace on the client side.
>
>     at org.apache.cxf.binding.soap.saaj.SAAJInInterceptor.handleMessage(SAAJInInterceptor.java:154)
>     at org.apache.cxf.jaxws.handler.soap.SOAPMessageContextImpl.getMessage(SOAPMessageContextImpl.java:78)
>     at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.createProtocolMessageContext(SOAPHandlerInterceptor.java:236)
>     at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:144)
>     at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:119)
>     at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:69)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:672)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2210)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2087)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1985)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:640)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:484)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:310)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:262)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
>     at $Proxy47.findTaskListUsingLoginCreds(Unknown Source)
>     at com.hsc.security.saml.soap.SpringWSClient.main(SpringWSClient.java:77)
>
> Q1. Does CXF use its own DOM Parser when building the SOAPMessages? Is
> there a way to turn on the namespace awareness at DOM parsing time.
> Q2. If not, can we turn off the CXF interceptors on both the client and
> server side and if we do are there any ripple effects. As you are already
> aware I am using a JAX WS Handler to intercept the SOAP request - Will that
> be sufficient or I would still need the SOAP and SAAJ interceptors?
>
> Eagerly waiting to hear from you
>
> thanks
> Sid
>
> dkulp wrote:
> > This is being thrown from down in Opensaml. I really don't know what
> > would cause it. You would probably need to ask on their lists and give
> > them the stack trace and the XML of the SAML assertion.
> >
> > Dan
> >
> > On Fri February 26 2010 7:19:15 pm PrSd wrote:
> >> Daniel,
> >>
> >> Here is the stack trace you had requested regarding this issue. I just
> >> cannot figure out a solution to this
> >>
> >> [2/26/10 17:16:11:596 EST] 0000001c SystemErr R java.lang.IllegalArgumentException: local part cannot be "null" when creating a QName
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at javax.xml.namespace.QName.<init>(Unknown Source)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at javax.xml.namespace.QName.<init>(Unknown Source)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.opensaml.xml.util.XMLHelper.constructQName(XMLHelper.java:433)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.opensaml.xml.util.XMLHelper.getNodeQName(XMLHelper.java:171)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.opensaml.xml.io.AbstractXMLObjectUnmarshaller.unmarshallAttribute(AbstractXMLObjectUnmarshaller.java:215)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.opensaml.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:107)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.syscom.hsc.web.soap.ServiceSAMLHandler.handleMessage(ServiceSAMLHandler.java:222)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.syscom.hsc.web.soap.ServiceSAMLHandler.handleMessage(ServiceSAMLHandler.java:1)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:335)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:253)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:131)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:152)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:119)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:69)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:109)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:406)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:178)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1096)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:570)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:748)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1466)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:119)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
> >> [2/26/10 17:16:11:612 EST] 0000001c SystemErr R at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1473)
> >
> > -----------
> >
> >> > Here is the SAML Assertion that is being sent into the SOAP Header
> >> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> >> > <soap:Header>
> >> > <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >> > <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="123" IssueInstant="2010-02-24T19:10:32.724Z" Version="2.0">
> >> > <saml2:Issuer>http://localhost:9088</saml2:Issuer>
> >> > <saml2:Subject>
> >> > <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">p8admin</saml2:NameID> </saml2:Subject>
> >> > <saml2:AuthnStatement AuthnInstant="2010-02-24T19:10:32.787Z">
> >> > <saml2:AuthnContext>
> >> > <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
> >> > </saml2:AuthnContext>
> >> > </saml2:AuthnStatement>
> >> > <saml2:AuthzDecisionStatement Decision="Permit" Resource="DoubleIt">
> >> > <saml2:Action Namespace="urn:doubleit:doubleitactions">DoubleEvenNumbers</saml2:Action>
> >> > </saml2:AuthzDecisionStatement>
> >> > <saml2:AttributeStatement>
> >> > <saml2:Attribute Name="degree" NameFormat="http://www.example.org/DoubleIt/Security">
> >> > <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mathematics</saml2:AttributeValue>
> >> > </saml2:Attribute></saml2:AttributeStatement>
> >> > </saml2:Assertion></wsse:Security></soap:Header>
> >> > <soap:Body><findTaskListUsingLoginCreds xmlns="http://web.hsc.syscom.com/"><username xmlns="http://web.hsc.syscom.com/">kpham</username><password xmlns="http://web.hsc.syscom.com/">hdfuhgdg</password><category xmlns="http://web.hsc.syscom.com/">GETFULLEOPINWRK</category><maxResults xmlns="http://web.hsc.syscom.com/">-1</maxResults></findTaskListUsingLoginCreds></soap:Body></soap:Envelope>

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
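
Added example, not part of the original thread and not CXF or OpenSAML code: a small Java reproduction of the cause reported in the thread, where a DOM built without namespace awareness returns a null localName for attributes and QName construction then fails. The class name NamespaceAwareDemo, the helper attributeQName and the trimmed assertion string are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class NamespaceAwareDemo {
    // Constructed sample: a trimmed assertion in the shape of the one quoted in the thread.
    static final String XML =
        "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\""
        + " ID=\"123\" Version=\"2.0\">"
        + "<saml2:Issuer>http://localhost:9088</saml2:Issuer>"
        + "</saml2:Assertion>";

    // Parse the sample with namespace awareness switched on or off.
    static Document parse(boolean namespaceAware) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(namespaceAware); // the JAXP default is false
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
    }

    // Hypothetical helper: builds a QName from an attribute node the way a
    // QName-based unmarshaller would, and reports the failure instead of throwing.
    static String attributeQName(Attr attr) {
        try {
            String ns = attr.getNamespaceURI() == null ? "" : attr.getNamespaceURI();
            return new QName(ns, attr.getLocalName()).toString();
        } catch (IllegalArgumentException e) {
            // Raised when getLocalName() is null (DOM Level 1 style node).
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        for (boolean aware : new boolean[] {false, true}) {
            Element root = parse(aware).getDocumentElement();
            Attr id = root.getAttributeNode("ID");
            System.out.println("namespaceAware=" + aware
                + " element localName=" + root.getLocalName()
                + " ID localName=" + id.getLocalName()
                + " -> " + attributeQName(id));
        }
    }
}
```

A handler that receives a DOM it did not build can apply the same check (a null getLocalName() on the assertion element or its attributes) before handing the node to the SAML unmarshaller.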
