shibboleth-dev - TransientIdEntry ClassCastException error in IdP 2.1

TransientIdEntry ClassCastException error in IdP 2.1

  • From: "Mahabalagiri, Datta" <>
  • To: <>
  • Subject: TransientIdEntry ClassCastException error in IdP 2.1
  • Date: Thu, 13 Aug 2009 11:33:13 -0700

Hi,

I hope somebody can explain this. I plan to move to production in 2
weeks and I am a bit nervous about this error. I am sure I was not
messing with Terracotta or Tomcat at the time. Both had been running for
a couple of days when it happened.

A couple of users got a ClassCastException after authentication. For most
users it was just fine. I had to restart Tomcat and Terracotta and the
exception went away.

2009-08-11-11:23:31.657 - [TP-Processor12] - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.ClassCastException: edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry cannot be cast to edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition.doResolve(TransientIdAttributeDefinition.java:85) [shibboleth-common-1.1.2.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.BaseAttributeDefinition.resolve(BaseAttributeDefinition.java:107) [shibboleth-common-1.1.2.jar:na]
    at

This is the IdP environment. At the time I was running Terracotta and
Tomcat on the same VM.
IdP 2.1.2
Terracotta 3.0.1
Sun Jre-1.6.0
Tomcat 6.0.18
RHEL 5
Apache 2.2

The exception origin points to this code in
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition.
I can't find fault with the code.

SAMLProfileRequestContext requestContext = resolutionContext.getAttributeRequestContext();
StringBuilder principalTokenIdBuilder = new StringBuilder();
principalTokenIdBuilder.append(requestContext.getOutboundMessageIssuer()).append("!")
        .append(requestContext.getInboundMessageIssuer()).append("!")
        .append(requestContext.getPrincipalName());
String principalTokenId = principalTokenIdBuilder.toString();   // line 85

IdEntry tokenEntry = idStore.get(partition, principalTokenId);
if (tokenEntry == null || tokenEntry.isExpired()) {
    String token = idGenerator.generateIdentifier(idSize);
    tokenEntry = new IdEntry(idLifetime, requestContext.getInboundMessageIssuer(),
            requestContext.getPrincipalName(), token);
    idStore.put(partition, token, tokenEntry);
    idStore.put(partition, principalTokenId, tokenEntry);
}


It was SP 2.2 making an SSO request using SAML 1.1.
A snippet from the SP metadata is below (I didn't include the whole metadata
due to the size limit). IdP logs indicate it picked the right binding
(index="6"). It resolved every other attribute from LDAP, but failed
when resolving transientId.


<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML2/POST" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
    Location="https://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML2/Artifact" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
    Location="http://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML2/Artifact" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
    Location="https://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML/POST" index="6"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.1:profiles:browser-post"
    Location="http://fsdev09.dev.ais.ucla.edu/Shibboleth.sso/SAML/POST" index="7"/>
</md:SPSSODescriptor>


Attribute Filter configuration for TransientId
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Resolver configuration for TransientId
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

TransientIdEntry is instrumented. From tc-config.xml
<include>
    <class-expression>edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry</class-expression>
    <honor-transient>true</honor-transient>
</include>


Thanks in advance.
Datta Mahabalagiri
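An added Java example, not code from this post, from Shibboleth or from Terracotta: it reproduces the shape of the reported error, a ClassCastException whose source and target type names are identical, by defining the same class in two ClassLoaders. The JVM identifies a type by its defining loader as well as its name, so an instance of a class defined by one loader cannot be cast to the same-named class defined by another; a loader that rewrites or re-defines classes instead of delegating to its parent produces exactly that situation. The class names here (DuplicateLoaderDemo, IdEntry, IsolatingLoader) are the example's own. The post does not say which loaders were involved in its deployment; the example only shows the mechanism that yields this message. Compile with javac and run with java (Java 9 or newer, for InputStream.readAllBytes).

```java
import java.io.IOException;
import java.io.InputStream;

public class DuplicateLoaderDemo {

    /** Hypothetical stand-in for the TransientIdEntry named in the post; defined here for the demo only. */
    public static class IdEntry {
        public final String token;
        public IdEntry(String token) { this.token = token; }
    }

    /**
     * A loader that defines IdEntry from the same .class bytes instead of delegating to its
     * parent. Every other class is delegated normally. This is the minimal version of what an
     * instrumenting or bytecode-rewriting loader does when it serves its own copy of a class.
     */
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader() { super(DuplicateLoaderDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(IdEntry.class.getName())) {
                return super.loadClass(name, resolve);          // normal parent-first delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) {
                            throw new ClassNotFoundException(name);
                        }
                        byte[] bytes = in.readAllBytes();
                        c = defineClass(name, bytes, 0, bytes.length);  // second Class object, same name
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }
    }

    /** True when the two loaders yield distinct Class objects that nevertheless share a name. */
    public static boolean classesDiffer() throws Exception {
        Class<?> original = IdEntry.class;
        Class<?> duplicate = new IsolatingLoader().loadClass(IdEntry.class.getName());
        return original != duplicate && original.getName().equals(duplicate.getName());
    }

    public static void main(String[] args) throws Exception {
        Class<?> duplicate = new IsolatingLoader().loadClass(IdEntry.class.getName());
        Object entry = duplicate.getConstructor(String.class).newInstance("abc123");

        System.out.println("same class name:   " + duplicate.getName().equals(IdEntry.class.getName()));
        System.out.println("same Class object: " + (duplicate == IdEntry.class));
        try {
            // checkcast resolves IdEntry through this class's own loader, not the IsolatingLoader
            IdEntry cast = (IdEntry) entry;
            System.out.println("cast succeeded unexpectedly: " + cast.token);
        } catch (ClassCastException e) {
            // Java 6 prints only "X cannot be cast to X"; newer JDKs append the loader of each side
            System.out.println(e.getMessage());
        }
    }
}
```

On a recent JDK the exception message names the loader of each side, which is the quickest way to confirm this class of problem in a real trace; on the Java 6 runtime listed in the post the message carries no loader information, so the duplicate can only be found by checking which loaders have defined the class.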

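An added Java example, not Shibboleth code and not from this post, modelling the two-key scheme visible in the quoted doResolve() fragment: one entry is stored under "outboundIssuer!inboundIssuer!principal" so the same SP sees a stable transient ID while the entry lives, and the same entry is stored again under the token so a later request carrying only the NameID can be mapped back to the principal. The class and method names (TransientIdStore, IdEntry, resolve, principalFor) are the example's own, token generation uses SecureRandom in place of the post's idGenerator, and the check that a token is only redeemable by the SP it was issued to is an addition the quoted fragment does not show.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class TransientIdStore {

    /** Hypothetical stand-in for the IdEntry/TransientIdEntry the post refers to. */
    public static final class IdEntry {
        public final String relyingParty;
        public final String principal;
        public final String token;
        public final Instant expiration;

        IdEntry(Duration lifetime, String relyingParty, String principal, String token, Instant now) {
            this.relyingParty = relyingParty;
            this.principal = principal;
            this.token = token;
            this.expiration = now.plus(lifetime);
        }

        public boolean isExpired(Instant now) {
            return !now.isBefore(expiration);
        }
    }

    private final Map<String, IdEntry> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration lifetime;
    private final int tokenBytes;

    public TransientIdStore(Duration lifetime, int tokenBytes) {
        this.lifetime = lifetime;
        this.tokenBytes = tokenBytes;
    }

    /** Same key shape as the top of the quoted doResolve(): outbound issuer, inbound issuer, principal. */
    static String principalTokenId(String idpEntityId, String spEntityId, String principal) {
        return idpEntityId + "!" + spEntityId + "!" + principal;
    }

    /** Return the live transient ID for this principal/SP pair, minting a new one if none is live. */
    public String resolve(String idpEntityId, String spEntityId, String principal, Instant now) {
        String key = principalTokenId(idpEntityId, spEntityId, principal);
        IdEntry entry = store.get(key);
        if (entry == null || entry.isExpired(now)) {
            byte[] raw = new byte[tokenBytes];
            rng.nextBytes(raw);                 // the token is a bearer handle to the principal: make it unguessable
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            entry = new IdEntry(lifetime, spEntityId, principal, token, now);
            store.put(token, entry);            // reverse lookup: NameID -> whose it is
            store.put(key, entry);              // forward lookup: stable token per SP during the lifetime
        }
        return entry.token;
    }

    /**
     * Reverse lookup for a later request that carries only the NameID. Returns the principal
     * only if the token is live and was issued to the SP that is asking, so one SP cannot
     * redeem a transient ID that was issued to another.
     */
    public String principalFor(String token, String askingSp, Instant now) {
        IdEntry entry = store.get(token);
        if (entry == null || entry.isExpired(now) || !entry.relyingParty.equals(askingSp)) {
            return null;
        }
        return entry.principal;
    }

    public static void main(String[] args) {
        // Constructed sample values; entity IDs are placeholders, not real deployments.
        TransientIdStore ids = new TransientIdStore(Duration.ofHours(4), 32);
        Instant t0 = Instant.parse("2009-08-11T18:23:31Z");
        String idp = "https://idp.example.edu/idp/shibboleth";
        String sp = "https://sp.example.edu/shibboleth";

        String first = ids.resolve(idp, sp, "jdoe", t0);
        String again = ids.resolve(idp, sp, "jdoe", t0.plus(Duration.ofMinutes(30)));
        String later = ids.resolve(idp, sp, "jdoe", t0.plus(Duration.ofHours(5)));

        System.out.println("stable within lifetime: " + first.equals(again));
        System.out.println("rotated after expiry:   " + !first.equals(later));
        System.out.println("reverse lookup by SP:   " + ids.principalFor(first, sp, t0));
        System.out.println("other SP redeeming it:  " + ids.principalFor(first, "https://other.example/shibboleth", t0));
    }
}
```

The point of the second put in the quoted fragment is the reverse mapping: without it the IdP could issue transient NameIDs but never recognise one that comes back. Anything that breaks reads from that store, such as a class identity mismatch on the stored entry type, therefore fails exactly at resolution time for some users and not others, which matches the intermittent pattern the post describes.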