I am getting this exception while trying to invoke PingFederae StartSSO.ping endpoint.
12:49:54,153 DEBUG [IntegrationControllerServlet] GET: https://localhost:9031/idp/startSSO.ping
12:49:54,157 DEBUG [IdpAdapterSupportBase] IdP Adapter Selection disabled, performing legacy adapter selection.
12:49:54,157 DEBUG [HttpServletRespProxy] adding lazy cookie Cookie{PF=F1OpbNzE8iYqMJq6UcG5waLotsmXsBxdLFrhrm8OVFYE; path=/; maxAge=-1; domain=null} replacing Cookie{PF=F1OpbNzE8iYqMJq6UcG5wa; path=/; maxAge=-1; domain=null}
12:49:54,157 DEBUG [InterReqStateMgmtMapImpl] setAttr(oldKey: null, newKey: LotsmXsBxdLFrhrm8OVFYE, name: NUMBER_OF_ATTEMPTS, value: 1)
12:49:54,157 DEBUG [HttpServletRespProxy] flush cookies: adding Cookie{PF=F1OpbNzE8iYqMJq6UcG5waLotsmXsBxdLFrhrm8OVFYE; path=/; maxAge=-1; domain=null}
12:49:54,160 DEBUG [BindingServiceImpl] Not transporting protocol response message because the HTTP response has been committed (this is a normal condition usually due to an adapter or other component redirecting the user or writing its own content to the response).
12:49:54,232 DEBUG [IntegrationControllerServlet] GET: https://localhost:9031/idp/ENvrS/resumeSAML20/idp/startSSO.ping
12:49:54,233 DEBUG [IdpAdapterSupportBase] IdP Adapter Selection disabled, performing legacy adapter selection.
12:49:54,233 DEBUG [InterReqStateMgmtMapImpl] getAttr(key: LotsmXsBxdLFrhrm8OVFYE, name: NUMBER_OF_ATTEMPTS): 1
12:49:54,233 DEBUG [HttpServletRespProxy] adding lazy cookie Cookie{PF=F1OpbNzE8iYqMJq6UcG5waTbQaafveigalePVvdwcdta; path=/; maxAge=-1; domain=null} replacing null
12:49:54,233 DEBUG [InterReqStateMgmtMapImpl] setAttr(oldKey: LotsmXsBxdLFrhrm8OVFYE, newKey: TbQaafveigalePVvdwcdta, name: NUMBER_OF_ATTEMPTS, value: 2)
12:49:54,233 DEBUG [InterReqStateMgmtMapImpl] Object removeAttr(key: TbQaafveigalePVvdwcdta, name: NUMBER_OF_ATTEMPTS): 2
12:49:54,233 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:sbwb-ppc-idp subject:null
12:49:54,233 ERROR [HandleAuthnRequest] Exception occurred during request processing
org.sourceid.websso.profiles.RequestProcessingException: Unexpected Runtime Authn Adapter Integration Problem.
at org.sourceid.websso.profiles.ResumableRequestHandlerBase.resume(ResumableRequestHandlerBase.java:54)
at org.sourceid.websso.profiles.ResumableRequestHandlerBase.resume(ResumableRequestHandlerBase.java:78)
at org.sourceid.saml20.profiles.ProfileProcessManager.resumeHandleRequest(ProfileProcessManager.java:73)
at $ProfileProcessMgmtService_1461cd08008.resumeHandleRequest($ProfileProcessMgmtService_1461cd08008.java)
at org.sourceid.websso.servlet.IntegrationControllerServlet.process(IntegrationControllerServlet.java:63)
at org.sourceid.websso.servlet.EnforcerServletBase.checkProcess(EnforcerServletBase.java:89)
at org.sourceid.websso.servlet.EnforcerServletBase.doGet(EnforcerServletBase.java:138)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:669)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1448)
at org.sourceid.servlet.filter.NoCacheFilter.doFilter(NoCacheFilter.java:55)
at org.sourceid.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:53)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1419)
at org.sourceid.websso.servlet.ProxyFilter.doFilter(ProxyFilter.java:34)
at org.sourceid.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:53)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1419)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:455)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1075)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:384)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1009)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:126)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:368)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:488)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:932)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:994)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:640)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.sourceid.saml20.adapter.AuthnAdapterException: org.sourceid.saml20.adapter.AuthnAdapterException: Could not obtain attributes from the IdP Authentication Service.
at org.sourceid.saml20.profiles.idp.IdpAdapterSupportBase.lookupAuthN(IdpAdapterSupportBase.java:141)
at org.sourceid.saml20.profiles.idp.HandleAuthnRequest.doResume(HandleAuthnRequest.java:245)
at org.sourceid.saml20.profiles.ResumableRequestHandlerBase.exeResume(ResumableRequestHandlerBase.java:66)
at org.sourceid.websso.profiles.ResumableRequestHandlerBase.resume(ResumableRequestHandlerBase.java:50)
... 43 more
Caused by: org.sourceid.saml20.adapter.AuthnAdapterException: Could not obtain attributes from the IdP Authentication Service.
at com.pingidentity.adapters.opentoken.IdpAuthnAdapter.lookupAuthNHelper(IdpAuthnAdapter.java:159)
at com.pingidentity.adapters.opentoken.IdpAuthnAdapter.lookupAuthN(IdpAuthnAdapter.java:78)
at org.sourceid.websso.authn.AdapterAuthnProcessor.lookupAuthN(AdapterAuthnProcessor.java:96)
at org.sourceid.saml20.profiles.idp.IdpAdapterSupportBase.lookupAuthN(IdpAdapterSupportBase.java:132)
... 46 more
12:49:54,238 DEBUG [HttpServletRespProxy] flush cookies: adding Cookie{PF=F1OpbNzE8iYqMJq6UcG5waTbQaafveigalePVvdwcdta; path=/; maxAge=-1; domain=null}
12:49:54,239 DEBUG [BindingServiceImpl] Not transporting protocol response message because the HTTP response has been committed (this is a normal condition usually due to an adapter or other component redirecting the user or writing its own content to the response).
And i think this exception is invoked when the PingFederate cannot find the OpenToken generated by application. But the cookie is present in the browser.
And the Ping Federate Application shows the error page :
And my Idp Adapter setting looks like :
cookie-path=/
use-verbose-error-messages=false
cipher-suite=2
obfuscate-password=true
session-cookie=false
password=Kyx+ElfeRRDkPRYZoVF3BQ==
token-name=opentoken
cookie-domain=.banka.liferay.com
token-notbefore-tolerance=0
token-renewuntil=43200
use-sunjce=false
secure-cookie=false
token-lifetime=300
use-cookie=true
I am struggling to find out the cause of this problem. But with no success.
What could be the cause of this problem? Is it related to Ping Federate or am i missing something in my configuration ?
And here is the Screen-shot of IdP Adapter :
And here is the summary of SP Connection :
Could it be that you're redirected to the resume URL with the hostname being localhost? In that case your browser won't send a cookie issued to .banka.liferay.com to the server, hence the error.
Related
I'm trying to make work window authentication in Linux/Debian server with Kerberos. I'm using .net core 3.1 and IdentityServer4. For now I had joined Linux to the Windows AD like docs say:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio#kestrel-1
I have managet to work kerberos from bash with -kinit command. I also made work Apache2 with kerberos.
But in .net core it's always returns in logs
[17:39:53 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler AuthenticationScheme: Negotiate was challenged.
[17:39:54 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler None
if I set in krb5.conf wrong encript type I have error like:
Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information(Request ticket server **** kvno 4 enctype aes256-cts found in keytab but cannot decrypt ticket).
at System.Net.Security.NegotiateStreamPal.GssAcceptSecurityContext(SafeGssContextHandle& context, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags)
at System.Net.Security.NegotiateStreamPal.AcceptSecurityContext(SafeFreeCredentials credentialsHandle, SafeDeleteContext& securityContext, ContextFlagsPal requestedContextFlags, Byte[] incomingBlob, ChannelBinding channelBinding, Byte[]& resultBlob, ContextFlagsPal& contextFlags)
So the token is passing GSSAPI in normal mode and trying to validate user, but there is alwayse None in anwser. Can somebody help me get what I'm doing wrong?
I got it by using [Authorize] attribute instead of HttpContext.ChallengeAsync().
I'm trying to build a webapi service in aspnet core, on Linux Mint (which is an Ubuntu variant.)
When I try to access an endpoint, whether from the Swagger UI in Chrome, from Postman, or from Chrome directly, I get exceptions:
AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(bool async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
Chrome is displaying the "Not secure" button, clicking on which displays:
Your connection to this site is not secure
I can click on "Certificate(invalid)" which brings up "Certificate Viewer: localhost", where I can see the details of the certificate, but I see nothing in the Chrome Certificate Viewer, or in the exceptions, that indicates exactly why the certificate is invalid.
Where can I find this certificate?
How do I determine why it's failing validation?
How do I get it to not fail validation?
I am working on integrating Knox with Keycloak with OIDC, for the SSO and security functionalities in Hadoop Cluster.
I have congigured everthing, and now while accessing the Knox URL, it is redirecting to the Keycloak URL. After authenticating the user successfully in Keycloak, it redirects it to the Knox URL(which is configured).
But once it is redirecting, Getting the below error:
2020-11-11 08:13:48,098 ERROR knox.gateway (CommonIdentityAssertionFilter.java:doFilter(79)) - Required subject/identity not available. Check authentication/federation provider for proper configuration.
2020-11-11 08:13:48,100 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.lang.IllegalStateException: Required Subject Missing
2020-11-11 08:13:48,100 ERROR knox.gateway (GatewayFilter.java:doFilter(169)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:64)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:167)
at org.apache.knox.gateway.GatewayServlet.doFilter(GatewayServlet.java:158)
..........
Caused by: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:80)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
... 48 more
Any suggestions will be very much helpful.
Thanks
Jithesh
I am using the Flash in my application and when I restart my tomcat I get the following Error resulting in disabled flash.
Jul 23, 2013 11:20:29 AM com.sun.faces.context.flash.ELFlash$PreviousNextFlashInfoManager decode
SEVERE: JSF1094: Could not decode flash data from incoming cookie value ??o?/tv?
. Processing will continue, but the flash is unavailable for this request.
The workaround to this is to clear my cookies or wait until the cookie expires with the session. Is there a way that I can invalidate this? Should I invalidate the session altogether?
This has been raised as a bug:
https://java.net/jira/browse/JAVASERVERFACES-2862
I am getting this exception in WebSphere Commerce. No idea why. This may or may not be related to Commerce. I could not find much info on the internet for this exception. Any insight/help would be much appreciated.
[8/31/11 9:40:39:545 EDT] 00000025 CommerceSrvr E com.ibm.commerce.command.ECCommandTarget executeCommand CMN0420E: The following command exception has occurred during processing: "
javax.xml.ws.WebServiceException: org.apache.axis2.AxisFault: Out request Policy Set for SSL is set to true for protocol: http
javax.xml.ws.WebServiceException: org.apache.axis2.AxisFault: Out request Policy Set for SSL is set to true for protocol: http
at org.apache.axis2.jaxws.ExceptionFactory.createWebServiceException(ExceptionFactory.java:175)
at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:70)
at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:128)
at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.execute(AxisInvocationController.java:572)
...
Caused by: org.apache.axis2.AxisFault: Out request Policy Set for SSL is set to true for protocol: http
at com.ibm.ws.websvcs.transport.http.SOAPOverHTTPSender.setupTransportClientProperties(SOAPOverHTTPSender.java:1916)
at com.ibm.ws.websvcs.transport.http.SOAPOverHTTPSender.<init>(SOAPOverHTTPSender.java:404)
at com.ibm.ws.websvcs.transport.http.HTTPTransportSender.invoke(HTTPTransportSender.java:350)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:531)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.execute(AxisInvocationController.java:567)
We have a set of JAX-WS services. One of them needs WS-Security enabled. Others are just plain HTTP calls.
WS-Security was enabled using policy sets and client bindings on RAD. This was applied to in the environment configuration. Hence the exception.
Solution: Detach the policy set and client bindings from and attach it to the specific service that needs it.