mace-opensaml-users - Bug?
Subject: OpenSAML user discussion
- From: Grover Manuel Campos Ancajima
- Subject: Bug?
- Date: Fri, 25 Jun 2004 19:53:44 -0300
- Organization: Universidade Federal de Santa Catarina
Hi everybody: I'm making a system; I need to send an Authorization Decision Query with an Attribute Assertion as Evidence. The servlet 'QueryWSE' sends a SAMLRequest to another servlet, 'Autoridad'. I got a SAMLException from Autoridad; that exception is logical, but it is not logical why that exception occurs. This is part of my code:

    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import org.opensaml.*;

    private SAMLRequest getRequestAutorizacion(String user, SAMLSubject subject) throws Exception {
        String recurso = "http://localhost:8080/biblioteca2/paper";
        SAMLAuthorizationDecisionQuery query = new SAMLAuthorizationDecisionQuery();
        SAMLAction action = new SAMLAction();
        // aut: a class that gives me assertions
        SAMLAssertion assertion = aut.getAttributeAssertion(user, subject);
        // set up the action
        action.setData("Read");
        action.setNamespace(SAMLAction.SAML_ACTION_NAMESPACE_RWEDC);
        // set up the query
        query.setSubject(subject);
        query.addAction(action);
        query.setResource(recurso);
        query.addEvidence(assertion);
        // build the request
        SAMLRequest request = new SAMLRequest(null, query, null, null);
        // Authority: a class that signs my assertions
        Authority.firmar(request);
        Util.logger("QueryWSE:243", "comprobamos el request: " + request);
        Util.logger("", Boolean.toString(comprobar(request)));
        return request;
    }

    private boolean comprobar(SAMLObject asercion) throws IOException {
        try {
            // serialize the object and parse the bytes back as a SAMLAssertion
            ByteArrayOutputStream os = new ByteArrayOutputStream();
            asercion.toStream(os);
            ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
            SAMLAssertion other = new SAMLAssertion(is);
            return true;
        } catch (SAMLException se) {
            Util.logger("comprobar", se.toString());
            return false;
        }
    }

My logs:

19:26- [QueryWSE:243] comprobamos el request: <Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2004-06-25T22:26:45.527Z" MajorVersion="1" MinorVersion="1" RequestID="f4f09bf83ea6f285585b9896a9910456"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> <ds:Reference URI="#f4f09bf83ea6f285585b9896a9910456"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default code ds kind rw saml samlp typens"></ec:InclusiveNamespaces></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> <ds:DigestValue>fpwdTXvWOCZJXk1KcpOir7vFixY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> H2NkxI9yNUDqXM5oG8sK+f84QPVoDtfxT6oAZeZ0Ex8U7ZDsg0APfCHJ8MOAykaQSibkhZ+k7c1V M1fpQR0d+JJlSH90fz73p+OWkoagS5bWJ885B56Jljzbk9osjkETXUO5Fo9jiyGpyDKTEjlMCSUQ LYvgPQaTW38SKkKbN2E= </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIICgjCCAesCBEDHqGAwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJT QzEWMBQGA1UEBxMNRmxvcmlhbm9wb2xpczEvMC0GA1UEChMmVW5pdmVyc2lkYWRlIEZlZGVyYWwg ZGUgU2FudGEgQ2F0YXJpbmExDTALBgNVBAsTBExDTUkxEzARBgNVBAMTCkJpYmxpb3RlY2EwHhcN MDQwNjEwMDAxNjMyWhcNMDQxMjA3MDAxNjMyWjCBhzELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlND MRYwFAYDVQQHEw1GbG9yaWFub3BvbGlzMS8wLQYDVQQKEyZVbml2ZXJzaWRhZGUgRmVkZXJhbCBk ZSBTYW50YSBDYXRhcmluYTENMAsGA1UECxMETENNSTETMBEGA1UEAxMKQmlibGlvdGVjYTCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7/76y8HsCCQQXY8xxHIyKgwFRz0X9f6Sa5D+2pAQcYSb zbhIBB5QPakwmMYx8MyzF7+fafxnZWup4K4nzQltlrLKcJ4rs6uYX39Ie5zOdirdUzufnUqbWy6s Ov9+vbrmydO65m1+v2qJJ6sfK1aUdgJOY1XU/asabZd6/nJMdj8CAwEAATANBgkqhkiG9w0BAQQF AAOBgQAni/clmcORgkk3juwWeHkc17WUxNrZoUXgPPDpkoduGIn2l9jvW8C344zIVuqAluCnyz43 G2QrB8yIy9jQDDG7VBulPC7zC9A+775n2y+mvX5OEkXXnD0OWZ2wXRJpGSD5wS5Jnfo9oycZvlSl N/Hc73d6rMwbx+5FoC6T1XPZUw== </ds:X509Certificate> 
</ds:X509Data> </ds:KeyInfo></ds:Signature><AuthorizationDecisionQuery Resource="http://lampson.das.ufsc.br:8080/biblioteca2/paper"><Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="http://lampson.das.ufsc.br:8080/biblioteca1">CN=, OU=, O=Universidade Federal de Santa Catarina, L=Florianopolis, ST=SC, C=br</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyValue> <ds:RSAKeyValue> <ds:Modulus> p4AoDrZrkC0APrU6OCVdgETYu3XluSHsQscL111AAUjTNv3MOZHqurPCGydHRdhFqcplmO4XV4KS BngYbAFVjiMq5XCh14t6pwnvk2R5QUQoTdvHGZbAqKyROHtN9erhnJ5ga4qkcRI8qMEoH0JJtO5q bSt51y+pn/hLe8DScMk= </ds:Modulus> <ds:Exponent>AQAB</ds:Exponent> </ds:RSAKeyValue> </ds:KeyValue> </ds:KeyInfo></SubjectConfirmation></Subject><Action xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</Action><Evidence xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><AssertionIDReference>f239755bd61fbbad560e484e8924d117</AssertionIDReference><Assertion AssertionID="f239755bd61fbbad560e484e8924d117" IssueInstant="2004-06-25T22:26:45.447Z" Issuer="biblioteca1" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2004-06-25T22:26:45.447Z" NotOnOrAfter="2004-06-25T22:56:45.447Z"></Conditions><AttributeStatement><Attribute AttributeName="username" AttributeNamespace="http://lampson.das.ufsc.br:8080/biblioteca1"><AttributeValue>lector1</AttributeValue></Attribute><Attribute AttributeName="full-name" AttributeNamespace="http://lampson.das.ufsc.br:8080/biblioteca1"><AttributeValue>Fulano Perez</AttributeValue></Attribute><Attribute AttributeName="isAutor" AttributeNamespace="http://lampson.das.ufsc.br:8080/biblioteca1"><AttributeValue>false</AttributeValue></Attribute><Attribute AttributeName="isLector" 
AttributeNamespace="http://lampson.das.ufsc.br:8080/biblioteca1"><AttributeValue>true</AttributeValue></Attribute><Attribute AttributeName="isMember" AttributeNamespace="http://lampson.das.ufsc.br:8080/biblioteca1"><AttributeValue>false</AttributeValue></Attribute></AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> <ds:Reference URI="#f239755bd61fbbad560e484e8924d117"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default code ds kind rw saml samlp typens"></ec:InclusiveNamespaces></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> <ds:DigestValue>rW7/U0k+PjdLBFQFVSepHRKiGU4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> C7212J1OEz76Pb28Eg/9Ahg3DKBccflsm8t9/fFp1VxDBGVCRS0uV1C3CvZb8EoqMruYXcCi5Ste HtHYFCZJLu7IW+/x7lvNr4QJW+z+U20qzCMIWtRv3CAIqiA8w8rZmBgxQyhpEwEdHU9/ai3kIOKu ywChKmYBlRpECYx8izI= </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIICgjCCAesCBEDHqGAwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJT QzEWMBQGA1UEBxMNRmxvcmlhbm9wb2xpczEvMC0GA1UEChMmVW5pdmVyc2lkYWRlIEZlZGVyYWwg ZGUgU2FudGEgQ2F0YXJpbmExDTALBgNVBAsTBExDTUkxEzARBgNVBAMTCkJpYmxpb3RlY2EwHhcN MDQwNjEwMDAxNjMyWhcNMDQxMjA3MDAxNjMyWjCBhzELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlND MRYwFAYDVQQHEw1GbG9yaWFub3BvbGlzMS8wLQYDVQQKEyZVbml2ZXJzaWRhZGUgRmVkZXJhbCBk ZSBTYW50YSBDYXRhcmluYTENMAsGA1UECxMETENNSTETMBEGA1UEAxMKQmlibGlvdGVjYTCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7/76y8HsCCQQXY8xxHIyKgwFRz0X9f6Sa5D+2pAQcYSb 
zbhIBB5QPakwmMYx8MyzF7+fafxnZWup4K4nzQltlrLKcJ4rs6uYX39Ie5zOdirdUzufnUqbWy6s Ov9+vbrmydO65m1+v2qJJ6sfK1aUdgJOY1XU/asabZd6/nJMdj8CAwEAATANBgkqhkiG9w0BAQQF AAOBgQAni/clmcORgkk3juwWeHkc17WUxNrZoUXgPPDpkoduGIn2l9jvW8C344zIVuqAluCnyz43 G2QrB8yIy9jQDDG7VBulPC7zC9A+775n2y+mvX5OEkXXnD0OWZ2wXRJpGSD5wS5Jnfo9oycZvlSl N/Hc73d6rMwbx+5FoC6T1XPZUw== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo></ds:Signature></Assertion></Evidence></AuthorizationDecisionQuery></Request>

19:26- [comprobar] org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'Attribute'. One of '{"urn:oasis:names:tc:SAML:1.0:assertion":Subject}' is expected.

19:26- [] false

That exception is logical, because if we analyze the request we see that the AttributeStatement does not contain the Subject element. But if we analyze the code, I never touch the subject. The class Authority only signs that request, using the sign method inherited from SAMLSignedObject. Would somebody please help me analyze this code? Thanks

----------------------------------------------------------------------
Grover Campos Ancajima
Universidade Federal de Santa Catarina - Brasil
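The following is an added example, not code from the post above or from OpenSAML. It is in Python with the standard-library DOM rather than Java because the point it shows is DOM behaviour, not the OpenSAML API. It reproduces the shape of the logged Request: a Subject under the AuthorizationDecisionQuery but none under the evidence AttributeStatement, which is exactly the condition the cvc-complex-type.2.4.a error reports (SAML 1.x AttributeStatement must start with a Subject). The mechanism shown is that appendChild() on a node that already has a parent detaches it from that parent first, so one node appended under two parents survives only under the last one. That the single SAMLSubject object reused in getRequestAutorizacion is rendered to one DOM node in this way is an assumption about OpenSAML 1.0 internals, not something the post establishes. The names and values (lector1, isLector) are constructed samples.

```python
# Added example (not from the original post or from OpenSAML): a plain-DOM
# reproduction of the symptom in the logged Request. ASSUMPTION: that OpenSAML
# renders a SAMLSubject shared by two parents to a single DOM node; the
# element names and attribute values below are constructed samples.
import xml.dom.minidom as minidom

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"


def make_subject(doc, name):
    """saml:Subject with a NameIdentifier child (constructed sample)."""
    subject = doc.createElementNS(SAML, "Subject")
    name_id = doc.createElementNS(SAML, "NameIdentifier")
    name_id.appendChild(doc.createTextNode(name))
    subject.appendChild(name_id)
    return subject


def build_request(share_subject_node):
    """Build Request/AuthorizationDecisionQuery with an evidence Assertion.

    share_subject_node=True appends the very same Subject node under the
    AttributeStatement and then under the query (the suspected mistake);
    False gives the second parent a deep clone instead.
    """
    doc = minidom.Document()
    request = doc.createElementNS(SAMLP, "Request")
    doc.appendChild(request)
    query = doc.createElementNS(SAMLP, "AuthorizationDecisionQuery")
    request.appendChild(query)
    subject = make_subject(doc, "lector1")

    # Evidence assertion first, mirroring aut.getAttributeAssertion(user, subject).
    evidence = doc.createElementNS(SAML, "Evidence")
    assertion = doc.createElementNS(SAML, "Assertion")
    statement = doc.createElementNS(SAML, "AttributeStatement")
    statement.appendChild(subject)  # the schema requires Subject first here
    attribute = doc.createElementNS(SAML, "Attribute")
    attribute.setAttribute("AttributeName", "isLector")
    statement.appendChild(attribute)
    assertion.appendChild(statement)
    evidence.appendChild(assertion)

    # Then the query itself, mirroring query.setSubject(subject) / addEvidence().
    # With the shared node, this appendChild detaches Subject from the statement.
    query.appendChild(subject if share_subject_node else subject.cloneNode(True))
    query.appendChild(evidence)
    return doc


def subject_parents(doc):
    """Local names of the parent of every saml:Subject, in document order."""
    return [s.parentNode.localName for s in doc.getElementsByTagNameNS(SAML, "Subject")]


def attribute_statements_without_subject(doc):
    """Count saml:AttributeStatement elements whose first child element is not
    saml:Subject, the condition the validator reported as cvc-complex-type.2.4.a."""
    missing = 0
    for statement in doc.getElementsByTagNameNS(SAML, "AttributeStatement"):
        children = [c for c in statement.childNodes if c.nodeType == c.ELEMENT_NODE]
        first = children[0] if children else None
        if first is None or first.namespaceURI != SAML or first.localName != "Subject":
            missing += 1
    return missing


if __name__ == "__main__":
    broken = build_request(share_subject_node=True)
    print(broken.documentElement.toprettyxml(indent="  "))
    print("Subject parents:", subject_parents(broken))
    print("AttributeStatements without Subject:", attribute_statements_without_subject(broken))
```

Run with the shared node and the only Subject in the tree sits under the query; with a clone, both parents keep one. One caveat worth keeping in mind when chasing this kind of bug in signed messages: the evidence Assertion in the log carries its own ds:Signature whose Reference covers the whole Assertion, so if the Subject was detached after that signature was computed, the receiving side would reject the assertion on digest mismatch even once the schema error is gone. Building the evidence from a separate subject object, and signing it only after the full request is assembled, avoids both problems.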