This repository has been archived by the owner on Jan 30, 2019. It is now read-only.

SAML insertion fails periodically during high contention #1686

Open
glassfishrobot opened this issue Apr 1, 2014 · 4 comments

@glassfishrobot

There is a race condition in the SAML security policy handling. This causes the attachment of the SAML assertion to fail periodically in high contention situations.

Affected Versions

[2.1.1]

@glassfishrobot

Reported by mleese

@glassfishrobot

Was assigned to symonchang

@glassfishrobot

mleese said:
This patch should correct the following problem (if there's a better way to attach a patch, let me know):
diff --git a/metro/com/sun/xml/wss/impl/filter/SignatureFilter.java b/metro/com/sun/xml/wss/impl/filter/SignatureFilter.java
index 1657f02..70def0f 100644
— a/metro/com/sun/xml/wss/impl/filter/SignatureFilter.java
+++ b/metro/com/sun/xml/wss/impl/filter/SignatureFilter.java
@@ -350,8 +350,8 @@ public class SignatureFilter

{ context.setKerberosTokenBinding(binding); }

else if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {

  • resolvedPolicy = (SignaturePolicy)policy.clone();
  • keyBinding =(WSSPolicy) resolvedPolicy.getKeyBinding();
  • //resolvedPolicy = (SignaturePolicy)policy.clone();
  • keyBinding =(WSSPolicy) ((SignaturePolicy)policy).getKeyBinding();
    AuthenticationTokenPolicy.SAMLAssertionBinding binding =
    (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
    if(binding.getAssertion() != null || binding.getAssertionReader() != null
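
Review bot: In the `samlTokenPolicy` branch, `keyBinding =(WSSPolicy) ((SignaturePolicy)policy).getKeyBinding();` reads the binding from `policy` itself while the `policy.clone()` line is only commented out, so this branch no longer works on a private copy. For a fix aimed at a race under contention, please state in a code comment why operating on `policy` directly is safe here (or what guards it), and delete the dead `//resolvedPolicy = (SignaturePolicy)policy.clone();` line rather than leaving it commented out. The +/- markers were lost when the patch was pasted, so this comment reads the commented-out line and the direct `getKeyBinding()` call as the new side of the hunk.
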
    @@ -386,7 +386,9 @@ public class SignatureFilter { " the Policy by the CallbackHandler"); }
  • policy.setKeyBinding(resolvedSAMLBinding);
  • policy.setKeyBinding(resolvedSAMLBinding);
  • resolvedPolicy = (SignaturePolicy)policy;

    }else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
    try {
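
Review bot: After `policy.setKeyBinding(resolvedSAMLBinding);`, the line `resolvedPolicy = (SignaturePolicy)policy;` makes `resolvedPolicy` the same object as `policy`, so the resolved SAML binding is written into that object rather than into a copy. If this policy instance can be reached by more than one request thread, the write needs synchronization or a per-request copy; please document which of the two applies. The two `policy.setKeyBinding(resolvedSAMLBinding);` lines are textually identical, so that pair looks like a whitespace-only change and could be dropped from the patch.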

diff --git a/metro/com/sun/xml/wss/impl/policy/mls/SignaturePolicy.java b/metro/com/sun/xml/wss/impl/policy/mls/SignaturePolicy.java
index d2df007..9584288 100644
— a/metro/com/sun/xml/wss/impl/policy/mls/SignaturePolicy.java
+++ b/metro/com/sun/xml/wss/impl/policy/mls/SignaturePolicy.java
@@ -405,8 +405,6 @@ public class SignaturePolicy extends WSSKeyBindingExtension

{ SignatureTarget target = (SignatureTarget) i.next(); binding.addTargetBinding((SignatureTarget)target.clone()); }

  • binding.setDisbaleInclusivePrefix(disableInclusivePrefix);
    } catch (Exception e) {}

return binding;
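
Review bot: The changed `binding.setDisbaleInclusivePrefix(disableInclusivePrefix);` line sits directly above `} catch (Exception e) {}`, which swallows every failure in this block and still falls through to `return binding;`. A copy that failed partway would then be used as if it were complete, so log or rethrow there. The header `@@ -405,8 +405,6 @@` says this hunk removes two lines; if the prefix setting is what is being removed from the copy, the description should say why it no longer needs to be carried over.
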
diff --git a/metro/com/sun/xml/wss/impl/policy/mls/SignatureTarget.java b/metro/com/sun/xml/wss/impl/policy/mls/SignatureTarget.java
index 548fcc2..3ebbab8 100644
— a/metro/com/sun/xml/wss/impl/policy/mls/SignatureTarget.java
+++ b/metro/com/sun/xml/wss/impl/policy/mls/SignatureTarget.java
@@ -297,8 +297,6 @@ public class SignatureTarget extends Target implements Cloneable

{ //TODO: should change this since we support DynamicPolicy //TODO: Need to handle clone; transform.setAlgorithmParameters(_algorithmParameters); + transform.setDisbaleInclusivePrefix(disableInclusivePrefix); return transform; }

}
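
Review bot: The header `@@ -297,8 +297,6 @@` declares two fewer lines on the new side, but the only marked line is `+ transform.setDisbaleInclusivePrefix(disableInclusivePrefix);`, an addition, so the hunk is inconsistent as posted and is unlikely to apply cleanly. Please re-attach the patch as a file so the markers and line breaks survive, and resolve or reference the `//TODO: Need to handle clone;` note next to the changed line, since the fix concerns cloned policy state.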

@glassfishrobot

This issue was imported from java.net JIRA WSIT-1686
