  • A really weird bug.

    If a user is logged in and is inactive for more than 1 hour (inactive means they don't use the website, don't click on links, etc.) and then tries to log in again, they get 401 Authentication Failed: Error validating SAML message. (See attachment).

    In this case, the user should be redirected back to the IdP login page.

    My server's clock is also synchronized once per hour. I'm not sure about this issue because sometimes it occurs and sometimes it doesn't. Please help me identify this problem.

    Here are the logs:

    Code:
    WebSSOProfileConsumerImpl:204 - Validation of received assertion failed, assertion will be skipped
     Validation of received assertion failed, assertion will be skipped
    org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:522)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:300)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:202)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
    
    WebSSOProfileConsumerImpl:243 - Response doesn't have any valid assertion which would pass subject validation
    Code:
    org.apache.catalina.session.StandardManager doLoad
    SEVERE: IOException while loading persisted sessions: java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
    java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1964)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1888)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1347)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1964)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1888)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1347)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369)
    at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
    at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
    at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:284)
    at org.apache.catalina.session.StandardManager.load(StandardManager.java:204)
    at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:491)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5300)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:977)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1655)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
    Caused by: java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
    at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1671)
    at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1077)
    at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:432)
    at org.apache.catalina.session.StandardManager.unload(StandardManager.java:353)
    at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:518)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
    at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5480)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
    at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1575)
    at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1564)
    ... 5 more
    
    org.apache.catalina.session.StandardManager startInternal
    Last edited by duybinh0208; May 19th, 2013, 11:31 PM.

  • #2
    Hi,

    After the timeout your user is likely redirected back to the IDP, which immediately responds with an assertion and states that the user had been authenticated earlier and tells the time of the authentication in the authnInstant field of the assertion. By default, the authnInstant has to be at most 2 hours old. You can increase this interval by setting property maxAuthenticationAge on bean WebSSOProfileConsumerImpl to a higher value (e.g. 604800 for a one-week period).

    The other exception you posted is caused by the fact that NameID is not serializable. You can disable inclusion of NameID in the authenticated token by setting forcePrincipalAsString to true on bean SAMLAuthenticationProvider.

    Cheers, Vladi



    • #3
      Hi Vladi,

      Our SP communicates with an ADFS IDP. You say above that the IDP responds "with an assertion and states that the user had been authenticated earlier." I assume that if maxAuthenticationAge is set high enough, the SAML Extension will accept the assertion and the user won't receive a 401.

      In our environment, it is up to ADFS to authenticate the user. There is no situation where the SP should reject authentication by the IDP. If I understand this issue correctly, by setting the value to one week users will rarely if ever receive a 401.

      Is the above correct?

      Thanks,
      Mark



      • #4
        Hi Mark,

        Yes, setting the maxAuthenticationAge high enough will make the SAML Extension accept the assertion. The value should be set to the maximum allowed session/remember-me time of the IDP server (e.g. in case cookie-based remember-me authentication may be used, it makes sense to set the value to the maximum validity time of the IDP cookies). You can of course practically disable the feature by setting a high enough value, e.g. 31536000 for a year.

        When talking about federations it is always up to the IDP server to authenticate users, but the SP is responsible for defining its own criteria on how the authentication should be done (using e.g. required authentication context, passive/active authentication, allowed dynamic user creation, required nameIDs, bindings, ...) and whether the result is acceptable to it (based on e.g. used authentication context, age of authentication, age of assertion, used subject confirmation, provided attributes, certificate validity, ...). The fact is, though, that many of these settings are not necessary in the most common scenarios, such as the authentication age which we are facing here.

        Brs,
        Vladimir Schafer

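As an added configuration example (not from the thread and not the project's own sample config), the two settings discussed in #2 and #4 expressed as Spring XML bean definitions; the bean ids are assumptions, so use the ids your own security context already declares:

```xml
<!-- Added example, not from the thread. Spring Security SAML bean definitions
     (securityContext.xml style) applying the settings discussed in #2 and #4.
     Bean ids are assumptions; reuse the ids your own context defines. -->

<!-- Consumer of the IdP's SSO response. The default maxAuthenticationAge is
     7200 seconds (2 hours): an assertion whose authnInstant is older than that
     is rejected with "Authentication statement is too old to be used", which
     is exactly the CredentialsExpiredException in the first post. -->
<bean id="webSSOprofileConsumer"
      class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
    <!-- 604800 = one week. Match this to the IdP's maximum session /
         remember-me lifetime (as advised in #4) rather than picking an
         arbitrarily large number: the SP accepts any IdP authentication
         younger than this value without re-prompting the user. -->
    <property name="maxAuthenticationAge" value="604800"/>
</bean>

<!-- Provider that builds the Authentication token stored in the HTTP session.
     With forcePrincipalAsString=true the principal is the NameID value as a
     plain String, so Tomcat's session persistence no longer fails with
     NotSerializableException on org.opensaml.saml2.core.impl.NameIDImpl. -->
<bean id="samlAuthenticationProvider"
      class="org.springframework.security.saml.SAMLAuthenticationProvider">
    <property name="forcePrincipalAsString" value="true"/>
</bean>
```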


        • #5
          Once a user opens a page after session expiration the usual mechanisms of Spring Security will kick-in and will decide what to do:

          - in case the page is secured it will invoke the configured entry point (in this case SAMLEntryPoint) and SAMLEntryPoint will either start IDP discovery or begin SP-initialized SSO with the default IDP (depends on the configuration)
          - in case the page is not secured it will be simply displayed

          The problem reported in the first post was random not because user would get redirected to different pages, but because the maximum authentication time was sometimes exceeded and sometimes not once the user was sent back from IDP.

          Cheers, Vladi



          • #6
            I just set the value 604800 for a one-week period and this error seems to be fixed.

            Thanks, Vladi
