Spring SAML redirects to failureRedirectHandler even on successful authentication


After a successful authentication at the IdP, the user is redirected to the defaultFailureUrl configured in the bean with id="failureRedirectHandler", even though the SAML response does not contain any error (its StatusCode is urn:oasis:names:tc:saml:2.0:status:Success). The SAML response:

<?xml version="1.0" encoding="utf-8"?>     <saml2p:response xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol" destination="https://vogon.srv.media.net:8080/saml2/acs" id="_82e963af7e01be8c6b22762ef15b0af4" inresponseto="a40fdeb955aahd123d63ejegi5feh0f" issueinstant="2016-08-08t12:49:33.806z" version="2.0">        <saml2:issuer xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion">https://accounts.google.com/o/saml2?idpid=c03r9b88d</saml2:issuer>        <saml2p:status>           <saml2p:statuscode value="urn:oasis:names:tc:saml:2.0:status:success" />        </saml2p:status>        <saml2:assertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" id="_09e40853eaac6e2dcceecd6da54fc927" issueinstant="2016-08-08t12:49:33.806z" version="2.0">           <saml2:issuer>https://accounts.google.com/o/saml2?idpid=c03r9b88d</saml2:issuer>           <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">              <ds:signedinfo>                 <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />                 <ds:signaturemethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />                 <ds:reference uri="#_09e40853eaac6e2dcceecd6da54fc927">                    <ds:transforms>                       <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />                       <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />                    </ds:transforms>                    <ds:digestmethod algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />                    <ds:digestvalue>2ofxb/5ad7ajy9ab5o0lmfvcixommrxsdgoaajevyla=</ds:digestvalue>                 </ds:reference>              </ds:signedinfo>              <ds:signaturevalue>owp2pgigzezp+cdkky2bwowc7hi5ivs/dltqdacpwlrcuewjoueafc12rsazjzjr/1vuwe6zoouk     fmnyx6zproemlgmjhet51f1uf0ariqrs3dwau1ylvurm6ltswcigactnqbddnqzbrhxtjo7b+zld     xfyxitngvhgvzgk8ivi/dj+uq7gclaobvfa54icojy1qgwkwmzfdg5ayadkm6u/a/ftrvxizlt3a 
    pzr/6/o8i1jgppvvlujmnazpr/pvb2tbby+lufqeuvcst3p+uq2g/csmfz02ji/yr2isyrgvofwa     gm+w4chmhah/mtzsmotgtmibhpgcsfrl5uzaia==</ds:signaturevalue>              <ds:keyinfo>                 <ds:x509data>                    <ds:x509subjectname>st=california,c=us,ou=google work,cn=google,l=mountain view,o=google inc.</ds:x509subjectname>                    <ds:x509certificate>miidddccalygawibagigavzlktcama0gcsqgsib3dqebcwuamhsxfdasbgnvbaotc0dvb2dszsbj     bmmumrywfaydvqqhew1nb3vudgfpbibwawv3mq8wdqydvqqdewzhb29nbguxgdawbgnvbastd0dv     b2dszsbgb3igv29yazelmakga1uebhmcvvmxezarbgnvbagtcknhbglmb3juawewhhcnmtywoday     mtixmda1whcnmjewodaxmtixmda1wjb7mrqwegydvqqkewthb29nbgugsw5jljewmbqga1uebxmn     tw91bnrhaw4gvmlldzepma0ga1ueaxmgr29vz2xlmrgwfgydvqqlew9hb29nbgugrm9yifdvcmsx     czajbgnvbaytalvtmrmweqydvqqiewpdywxpzm9ybmlhmiibijanbgkqhkig9w0baqefaaocaq8a     miibcgkcaqeakp+4zl/f7firgknia0wbdkkyt7s0ecv5keuwwoxna3v7fsaanelzm+yavdchkwvz     f4wj26ifzvy/mf48zhoyvfcvxkaz8iwnikphju07j8y8ujrdmttogpmrj+p9hdj+pkglfkmgpuuz     ndhp6jwjtgtpgmsonaruv/hhyh9nteftt9e+xsa2x2gpy0bugaqg1efd4bqdhwqxd6whrg49vkw6     7pdh2lpon+5ssslgnfugla5jfkc6do3mgko9z+ljbg6yt+zhjvmwucivf2moennbr8zizlsr9v7a     53cfwbv/upvrpr8tglbw5wzi5egr8zqhsznyqumrmn7twoq4pwidaqabma0gcsqgsib3dqebcwua     a4ibaqayfxyhd9i3+/ddbxo9bygrbzdfe/1edwz0s0sc64zi2irlj/1qby2qrqhaxi1z60/j7qyl     vamwtw0zv+vy1uwyprpum6f5zlmdjbx1xzjxxjczxpm68arxwt1vdu0rtad7h1akrtwkzzj7rcak     mdc5/d3pqfvdgaq0nbfruyemztdxxlxbuvnkx0fobwpy8ntvrzuhwhmh9wblhg7ivcnkms59cd4a     gk/rrh0ml/u2ujrheo2fnk2apfsapx6l7plsrswydisb+ga7amgfxq0ni74qghy1sqegdrdnvb3l     e41ewiilsm5gdtmvcg1mmfxnucgxolrjxfoufawgk5av</ds:x509certificate>                 </ds:x509data>              </ds:keyinfo>           </ds:signature>           <saml2:subject>              <saml2:nameid format="urn:oasis:names:tc:saml:1.1:nameid-format:unspecified">rishi.mi@media.net</saml2:nameid>              <saml2:subjectconfirmation method="urn:oasis:names:tc:saml:2.0:cm:bearer">                 
<saml2:subjectconfirmationdata inresponseto="a40fdeb955aahd123d63ejegi5feh0f" notonorafter="2016-08-08t12:54:33.806z" recipient="https://vogon.srv.media.net:8080/saml2/acs" />              </saml2:subjectconfirmation>           </saml2:subject>           <saml2:conditions notbefore="2016-08-08t12:44:33.806z" notonorafter="2016-08-08t12:54:33.806z">              <saml2:audiencerestriction>                 <saml2:audience>http://vogon.srv.media.net</saml2:audience>              </saml2:audiencerestriction>           </saml2:conditions>           <saml2:authnstatement authninstant="2016-07-27t11:42:05.000z" sessionindex="_09e40853eaac6e2dcceecd6da54fc927">              <saml2:authncontext>                 <saml2:authncontextclassref>urn:oasis:names:tc:saml:2.0:ac:classes:unspecified</saml2:authncontextclassref>              </saml2:authncontext>           </saml2:authnstatement>        </saml2:assertion>     </saml2p:response> 

This is the securityContext.xml:

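<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security SAML 2.0 service-provider (SP) configuration.

    Deployment properties, resolved from system properties or environment
    variables via context:property-placeholder (start-up fails if one is
    missing, which is the intended fail-closed behaviour):
      saml.keystore.password       password of security/samlKeystore.jks
      saml.key.password            password of the "apollo" signing/encryption key
      saml.admin.password          password of the /saml/web administration UI
      saml.max.authentication.age  freshness window, in seconds, for the IdP's AuthnInstant

    NOTE(review): the keystore path, key alias and the literal password that
    used to be here appear to be the credentials of the keystore shipped with
    the Spring SAML sample application. That keystore is distributed publicly,
    so signing or decrypting with it gives no assurance; generate your own key
    pair before exposing this SP.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- Resolve ${...} placeholders; with no location given only system properties and environment variables are consulted. -->
    <context:property-placeholder/>

    <!-- Enable auto-wiring -->
    <context:annotation-config/>

    <!-- Scan for auto-wiring classes in the Spring SAML packages -->
    <context:component-scan base-package="org.springframework.security.saml"/>

    <!-- Unsecured pages. The ACS endpoint deliberately stays inside the secured
         chain: security="none" on /saml2/acs would bypass samlFilter and the
         SAML response would never be processed. -->
    <security:http security="none" pattern="/favicon.ico"/>
    <security:http security="none" pattern="/images/**"/>
    <security:http security="none" pattern="/css/**"/>
    <security:http security="none" pattern="/logout.jsp"/>
    <!--<security:http security="none" pattern="/saml2/acs"/>-->

    <!-- Security administration UI: form login against the in-memory admin user declared below -->
    <security:http pattern="/saml/web/**" use-expressions="false">
        <security:access-denied-handler error-page="/saml/web/metadata/login"/>
        <security:form-login login-processing-url="/saml/web/login"
                             login-page="/saml/web/metadata/login"
                             default-target-url="/saml/web/metadata"/>
        <security:intercept-url pattern="/saml/web/metadata/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
        <!--change-->
        <!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->
    </security:http>

    <!-- Secured pages with SAML as the entry point -->
    <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <!--change-->
        <!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    <!-- Filters for processing of SAML messages -->
    <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
            <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
            <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
            <!--<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>-->
            <!-- Must agree with the SAMLProcessingFilter constructor argument and with the
                 AssertionConsumerService URL published in the SP metadata (Destination/Recipient
                 in the incoming response are checked against it). -->
            <security:filter-chain pattern="/saml2/acs/**" filters="samlWebSSOProcessingFilter"/>
            <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
            <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
            <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
        </security:filter-chain-map>
    </bean>

    <!-- Handler deciding where to redirect the user after successful login -->
    <bean id="successRedirectHandler"
          class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/"/>
    </bean>

    <!-- Use the following for interpreting RelayState coming from an unsolicited response as a redirect URL.
         NOTE(review): a RelayState that is redirected to without validation is an open-redirect
         vector; restrict it to known targets if this handler is enabled. -->
    <!--<bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">-->
    <!--<property name="defaultTargetUrl" value="/" />-->
    <!--</bean>-->

    <!-- Handler deciding where to redirect the user after failed login.
         This handler also runs when the IdP returns Status=Success but the SP
         rejects the assertion itself (signature, Audience, Recipient, InResponseTo,
         NotBefore/NotOnOrAfter or maxAuthenticationAge checks); the SP-side
         AuthenticationException carries the actual reason. -->
    <bean id="failureRedirectHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="useForward" value="true"/>
        <property name="defaultFailureUrl" value="/login.jsp"/>
    </bean>

    <!-- Handler for successful logout -->
    <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
        <property name="defaultTargetUrl" value="/logout.jsp"/>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <!-- Register authentication manager for the SAML provider -->
        <security:authentication-provider ref="samlAuthenticationProvider"/>
        <!-- Register authentication manager for the administration UI.
             No password-encoder is configured here, so the value is compared as
             given; keep it out of source control and never ship a default. -->
        <security:authentication-provider>
            <security:user-service id="adminInterfaceService">
                <security:user name="admin" password="${saml.admin.password}" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Logger for SAML messages and events -->
    <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>

    <!-- Central storage of cryptographic keys -->
    <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <constructor-arg value="classpath:security/samlKeystore.jks"/>
        <constructor-arg type="java.lang.String" value="${saml.keystore.password}"/>
        <constructor-arg>
            <map>
                <entry key="apollo" value="${saml.key.password}"/>
            </map>
        </constructor-arg>
        <constructor-arg type="java.lang.String" value="apollo"/>
    </bean>

    <!-- Entry point to initialize authentication, default values taken from properties file -->
    <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <property name="defaultProfileOptions">
            <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <!--<property name="binding" value="urn:oasis:names:tc:saml:2.0:bindings:HTTP-Redirect"/>-->
                <property name="includeScoping" value="false"/>
                <!-- Alternative to widening maxAuthenticationAge on the assertion consumer:
                     forceAuthN=true sends ForceAuthn in the AuthnRequest so the IdP
                     re-authenticates the user and a stale IdP session never yields an
                     old AuthnInstant. Only effective if the IdP honours ForceAuthn. -->
            </bean>
        </property>
    </bean>

    <!-- IDP Discovery Service -->
    <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
        <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/>
    </bean>

    <!-- Filter waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
    <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

    <!-- Configure HTTP Client to accept certificates from the keystore for HTTPS verification -->
    <!--
    <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
        <property name="sslHostnameVerification" value="default"/>
    </bean>
    -->

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <!-- SP metadata uses this as the entity ID; it must equal the Audience the IdP puts into its assertions -->
        <property name="hostedSPName" value="http://vogon.srv.media.net"/>
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <constructor-arg>
                                <bean class="java.util.Timer"/>
                            </constructor-arg>
                            <constructor-arg>
                                <bean class="org.opensaml.util.resource.ClasspathResource">
                                    <constructor-arg value="/metadata/mnet_sp.xml"/>
                                </bean>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="local" value="true"/>
                            <property name="securityProfile" value="metaiop"/>
                            <property name="sslSecurityProfile" value="pkix"/>
                            <property name="signMetadata" value="true"/>
                            <property name="signingKey" value="apollo"/>
                            <property name="encryptionKey" value="apollo"/>
                            <property name="requireArtifactResolveSigned" value="false"/>
                            <!-- With these set to false, unsigned logout messages are accepted, so a
                                 party that knows a NameID/SessionIndex could terminate the SP session.
                                 Set them to true when the IdP signs its logout messages. -->
                            <property name="requireLogoutRequestSigned" value="false"/>
                            <property name="requireLogoutResponseSigned" value="false"/>
                            <!--<property name="idpDiscoveryEnabled" value="false"/>-->
                            <!--<property name="idpDiscoveryURL"-->
                            <!--value="https://vogon.reports.mn:8080/context/saml/discovery"/>-->
                            <!--<property name="idpDiscoveryResponseURL"-->
                            <!--value="https://vogon.reports.mn:8080/context/saml/login?disco=true"/>-->
                        </bean>
                    </constructor-arg>
                </bean>
                <!-- Example of classpath metadata with Extended Metadata -->
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <constructor-arg>
                                <bean class="java.util.Timer"/>
                            </constructor-arg>
                            <constructor-arg>
                                <bean class="org.opensaml.util.resource.ClasspathResource">
                                    <constructor-arg value="/metadata/GoogleIDPMetadata-media.net.xml"/>
                                </bean>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        </bean>
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
        <!-- OPTIONAL used when one of the metadata files contains information about this service provider -->
        <!-- <property name="hostedSPName" value=""/> -->
        <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
        <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> -->
    </bean>

    <!-- SAML Authentication Provider responsible for validating of received SAML messages -->
    <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
        <!-- OPTIONAL property: can be used to store/load user data after login -->
        <!--
        <property name="userDetails" ref="bean" />
        -->
    </bean>

    <!-- Provider of default SAML Context -->
    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>

    <!-- Processing filter for WebSSO profile messages -->
    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <constructor-arg>
            <value type="java.lang.String">/saml2/acs</value>
        </constructor-arg>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
    </bean>

    <!-- Processing filter for WebSSO Holder-of-Key profile -->
    <bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
    </bean>

    <!-- Logout handler terminating local session.
         invalidateHttpSession=false leaves the servlet session alive after logout;
         consider true unless something in the application relies on it surviving. -->
    <bean id="logoutHandler"
          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <property name="invalidateHttpSession" value="false"/>
    </bean>

    <!-- Override default logout processing filter with the one processing SAML messages -->
    <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
        <constructor-arg index="0" ref="successLogoutHandler"/>
        <constructor-arg index="1" ref="logoutHandler"/>
        <constructor-arg index="2" ref="logoutHandler"/>
    </bean>

    <!-- Filter processing incoming logout messages -->
    <!-- First argument determines URL user will be redirected to after successful global logout -->
    <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
        <constructor-arg index="0" ref="successLogoutHandler"/>
        <constructor-arg index="1" ref="logoutHandler"/>
    </bean>

    <!-- Class loading incoming SAML messages from httpRequest stream -->
    <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
        <constructor-arg>
            <list>
                <ref bean="redirectBinding"/>
                <ref bean="postBinding"/>
                <ref bean="artifactBinding"/>
                <ref bean="soapBinding"/>
                <ref bean="paosBinding"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- SAML 2.0 WebSSO Assertion Consumer.
         maxAuthenticationAge is the maximum distance, in seconds, between the
         assertion's AuthnInstant and the current time. The response in the
         report carried an AuthnInstant twelve days older than its IssueInstant,
         which exceeded the default and made the failure handler run. This is a
         security control on how stale an IdP login the SP accepts: set it to
         the IdP session lifetime you are willing to trust, no higher. -->
    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
        <property name="maxAuthenticationAge" value="${saml.max.authentication.age}"/>
    </bean>

    <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
    <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 Web SSO profile -->
    <bean id="webSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

    <!-- SAML 2.0 Holder-of-Key Web SSO profile -->
    <bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 ECP profile -->
    <bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

    <!-- SAML 2.0 Logout Profile -->
    <bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

    <!-- Bindings, encoders and decoders used for creating and parsing messages -->
    <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
        <constructor-arg ref="parserPool"/>
        <constructor-arg ref="velocityEngine"/>
    </bean>

    <bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
        <constructor-arg ref="parserPool"/>
        <constructor-arg ref="velocityEngine"/>
        <constructor-arg>
            <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
                <constructor-arg>
                    <bean class="org.apache.commons.httpclient.HttpClient">
                        <constructor-arg>
                            <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
                <property name="processor">
                    <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                        <constructor-arg ref="soapBinding"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>

    <bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <!-- Initialization of OpenSAML library -->
    <bean class="org.springframework.security.saml.SAMLBootstrap"/>

    <!-- Initialization of the velocity engine -->
    <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

    <!-- XML parser pool needed for OpenSAML parsing. Incoming SAML is untrusted XML;
         NOTE(review): confirm that this pool keeps DTD / external-entity processing
         disabled (the pool's defaults, nothing here re-enables it). -->
    <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
        <property name="builderFeatures">
            <map>
                <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
            </map>
        </property>
    </bean>

    <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>

</beans>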

I figured out the cause: in org.springframework.security.saml.websso.WebSSOProfileConsumerImpl the maxAuthenticationAge value (two hours by default) was too low. The IdP's Success status only means the IdP is satisfied; the SP then validates the assertion itself, and this particular check compares the assertion's AuthnInstant (2016-07-27 in the response above) with the current time (the response's IssueInstant is 2016-08-08, twelve days later). Because I had authenticated at the IdP long ago, the age exceeded the limit, the SP threw an authentication exception, and the failureRedirectHandler ran. The fix is to raise maxAuthenticationAge by setting that property on the webSSOprofileConsumer bean. Keep in mind that this window is a security control on how stale an IdP login the SP will accept, so raise it only as far as your policy permits; where the IdP honours ForceAuthn, setting forceAuthN to true on WebSSOProfileOptions makes the IdP re-authenticate the user instead of widening the window.

