Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x


DD K
Hi All,

As soon as the Authentication Request is sent I'm getting the Exception,

[2019-08-06 09:15:28,233]  INFO {org.opensaml.core.config.InitializationService} -  Initializing OpenSAML using the Java Services API
[2019-08-06 09:15:28,830] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Error in constructing AuthRequest from the encoded String
java.lang.NullPointerException
    at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.unmarshall(SAMLSSOUtil.java:394)
    at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:95)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:706)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:264)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:143)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:100)
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:74)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:112)
    at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1137)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1780)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1739)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

The exception is thrown from the code snippet at the commented line:

public static XMLObject unmarshall(String authReqStr) throws IdentityException {
    InputStream inputStream = null;
    try {
        doBootstrap();
        DocumentBuilderFactory documentBuilderFactory = IdentityUtil.getSecuredDocumentBuilderFactory();
        DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
        inputStream = new ByteArrayInputStream(authReqStr.trim().getBytes(StandardCharsets.UTF_8));
        Document document = docBuilder.parse(inputStream);
        Element element = document.getDocumentElement();
        UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory();
        Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
        return unmarshaller.unmarshall(element); // Exception thrown here
    } catch (Exception e) {
        log.error("Error in constructing AuthRequest from the encoded String", e);
        throw IdentityException.error(
                "Error in constructing AuthRequest from the encoded String ",
                e);
    } finally {
        if (inputStream != null) {
            try {
                inputStream.close();
            } catch (IOException e) {
                log.error("Error while closing the stream", e);
            }
        }
    }
}

doBootstrap() method:

public static void doBootstrap() {
    if (!isBootStrapped) {
        try {
            InitializationService.initialize();
            isBootStrapped = true;
        } catch (InitializationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
        }
    }
}

Dependencies in pom file:

<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-core</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-soap-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-soap-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-profile-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-profile-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-saml-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-saml-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-messaging-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-messaging-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-security-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-storage-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-storage-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-xacml-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-xacml-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-xacml-saml-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-xacml-saml-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-xmlsec-api</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-xmlsec-impl</artifactId>
    <version>${opensaml3.version}</version>
</dependency>
<dependency>
    <groupId>net.shibboleth.utilities</groupId>
    <artifactId>java-support</artifactId>
    <version>${java-support.version}</version>
</dependency>

What I came across while searching was that the unmarshallers and marshallers have not been initialized. But I have added the required dependencies and also initialized using InitializationService.initialize().

Any answers for this would be appreciated,
Thanks,
Deshan Koswatte





--
To unsubscribe from this list send an email to [hidden email]

Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

Brent Putman


On 8/6/19 1:30 AM, DD K wrote:

The exception is thrown from the code snippet at the commented line:

public static XMLObject unmarshall(String authReqStr) throws IdentityException {
    InputStream inputStream = null;
    try {
        doBootstrap();
        DocumentBuilderFactory documentBuilderFactory = IdentityUtil.getSecuredDocumentBuilderFactory();
        DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
        inputStream = new ByteArrayInputStream(authReqStr.trim().getBytes(StandardCharsets.UTF_8));
        Document document = docBuilder.parse(inputStream);
        Element element = document.getDocumentElement();
        UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory();
        Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
        return unmarshaller.unmarshall(element); // Exception thrown here
    } catch (Exception e) {
        log.error("Error in constructing AuthRequest from the encoded String", e);
        throw IdentityException.error(
                "Error in constructing AuthRequest from the encoded String ",
                e);
    } finally {
        if (inputStream != null) {
            try {
                inputStream.close();
            } catch (IOException e) {
                log.error("Error while closing the stream", e);
            }
        }
    }
}



I don't see anything obviously wrong there.  If it's throwing on that line, it's likely that the unmarshaller is null, which means you didn't get anything back from the unmarshallerFactory.  That means something is likely not working with your initialization of the library.  I can't say anything more than that.  I'd suggest turning up logging to DEBUG or even TRACE on some or all of the OpenSAML packages to see what is actually happening, for example whether you are actually successfully reading and registering the XMLObject builders, marshallers and unmarshallers.



Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

Brent Putman


I doubt it's related to your NPE issue, but I meant to also say that we'd in general strongly recommend using our ParserPool imp to parse the InputStream into a Document.  It's safer and easier, and there's also some mandatory things that you must now do when parsing with your own JAXP or other XML components, or else unmarshalling will fail, period.

https://wiki.shibboleth.net/confluence/display/OS30/Secure+XML+Processing+Requirements
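
The recommendation above, as an added example (not code from this thread or from the OpenSAML project): parse with the globally registered ParserPool instead of a hand-built JAXP factory, and turn a missing ParserPool or unmarshaller into an explicit error instead of an NPE. The class name `SafeUnmarshall`, its method names and the sample request are hypothetical; OpenSAML 3 and java-support are assumed to be on the class path.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import net.shibboleth.utilities.java.support.xml.ParserPool;
import net.shibboleth.utilities.java.support.xml.XMLParserException;

import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical helper class; not part of OpenSAML or of the poster's project.
public final class SafeUnmarshall {

    private static boolean initialized;

    /** Initializes OpenSAML once and lets a failure propagate instead of only logging it. */
    static synchronized void ensureInitialized() throws InitializationException {
        if (!initialized) {
            InitializationService.initialize();
            initialized = true;
        }
    }

    /** Parses and unmarshalls a SAML message, failing with a descriptive error if init was incomplete. */
    public static XMLObject unmarshall(String xml)
            throws InitializationException, XMLParserException, UnmarshallingException, IOException {
        ensureInitialized();

        // The global ParserPool is registered during library initialization.
        ParserPool pool = XMLObjectProviderRegistrySupport.getParserPool();
        if (pool == null) {
            throw new IllegalStateException(
                    "No global ParserPool registered: OpenSAML initialization did not complete");
        }

        try (InputStream in = new ByteArrayInputStream(xml.trim().getBytes(StandardCharsets.UTF_8))) {
            Document document = pool.parse(in);
            Element root = document.getDocumentElement();

            Unmarshaller unmarshaller =
                    XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root);
            if (unmarshaller == null) {
                // The condition behind the NPE in this thread: nothing registered for the element.
                throw new UnmarshallingException("No unmarshaller registered for {"
                        + root.getNamespaceURI() + "}" + root.getLocalName()
                        + "; check which Initializer implementations actually ran");
            }
            return unmarshaller.unmarshall(root);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not the request from the thread.
        String request = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_constructed-example\" Version=\"2.0\""
                + " IssueInstant=\"2019-08-08T04:40:07.949Z\"/>";
        XMLObject object = unmarshall(request);
        System.out.println("Unmarshalled " + object.getElementQName());
    }
}
```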



Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

DD K
In reply to this post by Brent Putman
Hi Brent,

I've been able to debug the process and found out that I have got null from unmarshallerFactory.getUnmarshaller(element) because there has been no unmarshaller registered to unmarshall the element. Can you suggest a way to manually register an unmarshaller for the element (any resource that I can refer to)? So my request is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost.com:8080/saml2-web-app-pickup-dispatch.com/home.jsp" Destination="https://localhost:9443/samlsso" ForceAuthn="false" ID="fnhigdbcehpepkchcpbacfooiadpciniicamhckg" IsPassive="true" IssueInstant="2019-08-08T04:40:07.949Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">saml2-web-app-pickup-dispatch.com</samlp:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/><saml2p:RequestedAuthnContext Comparison="exact" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml2p:RequestedAuthnContext></samlp:AuthnRequest>

Any answers would be appreciated,
Thanks,
Deshan Koswatte


Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

DD K
In reply to this post by Brent Putman
Hi Brent,

As you've said, I've tried this before too, and your doubt is true because the NPE is still thrown.

Thanks,
Deshan Koswatte


Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

DD K
In reply to this post by DD K
Hi All,

Since I was using OpenSAML3 on a project which is based on OSGi, it seems there was a problem during initialization, so what I had to do was initialize them myself. Hope this helps someone in the future.


Code Implementation:

public static void doBootstrap() {
    if (!isBootStrapped) {
        try {
            InitializationService.initialize();
            SAMLConfigurationInitializer initializer_1 = new SAMLConfigurationInitializer();
            initializer_1.init();

            org.opensaml.saml.config.XMLObjectProviderInitializer initializer_2 = new org.opensaml.saml.config.XMLObjectProviderInitializer();
            initializer_2.init();

            org.opensaml.core.xml.config.XMLObjectProviderInitializer initializer_3 = new org.opensaml.core.xml.config.XMLObjectProviderInitializer();
            initializer_3.init();

            org.opensaml.core.xml.config.GlobalParserPoolInitializer initializer_4 = new org.opensaml.core.xml.config.GlobalParserPoolInitializer();
            initializer_4.init();

            isBootStrapped = true;
        } catch (InitializationException e) {
            log.error("Error in bootstrapping the OpenSAML2 library", e);
        }
    }
}

Thanks all for the answers,
Best Regards,
Deshan Koswatte 


Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

Brent Putman
In reply to this post by DD K


On 8/8/19 12:41 AM, DD K wrote:
Hi Brent,

I've been able to debug the process and found out that I have got null from unmarshallerFactory.getUnmarshaller(element) because there has been no unmarshaller registered to unmarshall the element. Can you suggest a way to manually register an unmarshaller for the element (any resource that I can refer to)? So my request is as follows:


Manually registering an unmarshaller programmatically is possible, but I would not recommend that for the standard types.  First of all, there's dozens that you would need to handle all the possible inbound SAML elements, not just one. Second, you presumably need to respond to the inbound message, so you'd also need to register all the builders and marshallers too.

So that's just a non-starter idea.  Need to understand and fix the issue with library init.



Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

Brent Putman
In reply to this post by DD K


On 8/8/19 11:07 AM, DD K wrote:
Hi All,

Since I was using OpenSAML3 on a project which is based on OSGi, it seems there was a problem during initialization, so what I had to do was initialize them myself. Hope this helps someone in the future.



If the library init problem is related to use with OSGi, then that at least sheds more light on the problem.   It would have been nice if the people who discovered this 3+ years ago had actually brought this up with us, rather than just cooking up and promoting those "solutions" in a StackOverflow thread.  Our team doesn't generally use or know much about OSGi, but we would have at least researched and determined if there is a supportable solution.

Manually invoking the Initializer impls like that is not supported.  With the exception of the ones that are in the opensaml-core module, those are all implementation classes, for which we provide absolutely no guarantee of stability, such as the package/class names, what inits what and provides what, etc.  Your calling of those classes could literally break at any time, even in a patch release.  The API for calling the Initializers is InitializationService, nothing else.

I don't personally know or use OSGi.  Skimming the SO article, I gather that the issue within OSGi is use of the thread context classloader failing vis-a-vis where the config resources are located in the jars.  The proper solution here would be to figure out precisely what assumptions are wrong and address those directly.  Perhaps allowing an optional ClassLoader to be passed to the InitializationService could be part of that solution (the swapping out of the TCCL looks like a decent workaround til then).

If someone who knows OSGi can provide suggestions and/or a patch, we'd consider it.  If it requires API changes however, that would be a 4.0 thing, as we currently don't plan on releasing any new minor releases of 3.x.



Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

DD K
Hi Brent,

First of all, sorry for the late reply. Since, as you've said, the way I'm doing it is not recommended, I had to think a bit about how to get the initialization process working correctly. In the initialization process the file org.opensaml.core.config.Initializer is called to initialize the required, but since I'm getting the dependencies using an orbit, it seems the file gets overridden, and in the end only the final dependency's initializers remain. So to fix this I'm making an orbit for each dependency so that they won't get bundled together, which will keep the file from being overridden. I've currently done it for only one dependency and I'm planning on doing it for all.

Regards,
Deshan Koswatte


Re: Null Pointer Exception from UnmarshallerFactory while migrating from OpenSAML2.x to OpenSAML3.x

Brent Putman


On 8/14/19 4:05 AM, DD K wrote:
Hi Brent,

First of all, sorry for the late reply. Since, as you've said, the way I'm doing it is not recommended, I had to think a bit about how to get the initialization process working correctly. In the initialization process the file org.opensaml.core.config.Initializer is called to initialize the required, but since I'm getting the dependencies using an orbit, it seems the file gets overridden, and in the end only the final dependency's initializers remain. So to fix this I'm making an orbit for each dependency so that they won't get bundled together, which will keep the file from being overridden. I've currently done it for only one dependency and I'm planning on doing it for all.


Since I don't know OSGi, I don't really understand what any of that means, what an 'orbit' is, etc.

The InitializationService uses the Java ServiceLoader to find and execute all the org.opensaml.core.config.Initializer impls that are declared in the /META-INF/services of the jars present on the runtime classpath.  Figuring out why that is failing in an OSGi environment and addressing that would be the appropriate next step.  Maybe for those familiar with OSGi, the answer is obvious.  I personally just have no experience with it.
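
A diagnostic for the ServiceLoader lookup described above, as an added example (not code from this thread or from the OpenSAML project): it lists every `META-INF/services/org.opensaml.core.config.Initializer` descriptor a class loader can see and the implementations each declares, and wraps a call in the thread-context-class-loader swap mentioned earlier in the thread. The class name `InitializerDescriptorCheck` and its methods are hypothetical; only JDK APIs are used, so it also runs (reporting zero descriptors) without OpenSAML present.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;

// Hypothetical diagnostic class; not part of OpenSAML.
public final class InitializerDescriptorCheck {

    // Descriptor that java.util.ServiceLoader reads for OpenSAML's Initializer interface.
    static final String DESCRIPTOR = "META-INF/services/org.opensaml.core.config.Initializer";

    /** Maps every descriptor visible to the loader to the implementation names it declares. */
    static Map<String, List<String>> declaredInitializers(ClassLoader loader) throws IOException {
        Map<String, List<String>> found = new LinkedHashMap<>();
        for (URL url : Collections.list(loader.getResources(DESCRIPTOR))) {
            List<String> names = new ArrayList<>();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(url.openStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = in.readLine()) != null) {
                    int hash = line.indexOf('#'); // '#' starts a comment in a service file
                    String name = (hash >= 0 ? line.substring(0, hash) : line).trim();
                    if (!name.isEmpty()) {
                        names.add(name);
                    }
                }
            }
            found.put(url.toString(), names);
        }
        return found;
    }

    /** Runs the task with the given loader as thread context class loader, then restores the old one. */
    static <T> T withContextClassLoader(ClassLoader loader, Callable<T> task) throws Exception {
        Thread thread = Thread.currentThread();
        ClassLoader previous = thread.getContextClassLoader();
        thread.setContextClassLoader(loader);
        try {
            return task.call();
        } finally {
            thread.setContextClassLoader(previous);
        }
    }

    /** Prints what the loader can see and returns the number of declared implementations. */
    static int report(String label, ClassLoader loader) throws IOException {
        if (loader == null) {
            System.out.println(label + ": no class loader set");
            return 0;
        }
        Map<String, List<String>> found = declaredInitializers(loader);
        int total = 0;
        System.out.println(label + ": " + found.size() + " descriptor file(s)");
        for (Map.Entry<String, List<String>> entry : found.entrySet()) {
            System.out.println("  " + entry.getKey());
            for (String name : entry.getValue()) {
                System.out.println("    " + name);
                total++;
            }
        }
        // One descriptor where several OpenSAML modules were expected suggests the jars were
        // merged and later copies of the file replaced earlier ones.
        return total;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader own = InitializerDescriptorCheck.class.getClassLoader();
        int viaTccl = report("thread context class loader",
                Thread.currentThread().getContextClassLoader());
        int viaOwn = report("class loader of this class", own);

        // The same wrapper could surround InitializationService.initialize() when OpenSAML
        // is present; here it only repeats the report under the swapped loader.
        int afterSwap = withContextClassLoader(own,
                () -> report("thread context class loader after swap",
                        Thread.currentThread().getContextClassLoader()));

        System.out.println("implementations visible: TCCL=" + viaTccl
                + ", own loader=" + viaOwn + ", after swap=" + afterSwap);
    }
}
```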


