I am using spring web services framework to call some SOAP apis.
My configuration is like this:
<bean name="wsTemplate" class="org.springframework.ws.client.core.WebServiceTemplate" scope="prototype" >
<constructor-arg ref="messageFactory" />
<property name="marshaller" ref="marshaller"/>
<property name="unmarshaller" ref="unmarshaller"/>
</bean>
<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory">
<property name="soapVersion">
<util:constant static-field="org.springframework.ws.soap.SoapVersion.SOAP_11"/>
</property>
</bean>
<bean id="marshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller" >
<property name="contextPaths">
<list>
some configured classes here
</list>
</property>
</bean>
<bean id="unmarshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller" >
<property name="contextPaths">
<list>
some configured classes here
</list>
</property>
</bean>
Note I am using a prototype scope. I am not sure if that could be causing issues.
In my java code I use WebServiceTemplate like this:
#PostConstruct
private void init() {
try {
String uri = "https://web/file.svc?wsdl"
webServiceTemplate.setDefaultUri(uri);
} catch (Exception exception) {
logger.error("Error creating URL for the wsdl location.", exception);
}
}
I call the webservice like this:
Response response = (Response) webServiceTemplate.marshalSendAndReceive(request, new SoapActionCallback(SOAP_ACTION_URL));
I am getting the following read time out exception which I am not sure what it is, I have read it is because the response it is too big, but it really is not. It is not bigger than 100K
org.springframework.ws.client.WebServiceIOException: I/O error: Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out
15:27:49,028 INFO [stdout] (default task-22) at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:561) ~[spring-ws-core-2.2.4.RELEASE.jar:2.2.4.RELEASE]
15:27:49,028 INFO [stdout] (default task-22) at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390) ~[spring-ws-core-2.2.4.RELEASE.jar:2.2.4.RELEASE]
15:27:49,028 INFO [stdout] (default task-22) at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383) ~[spring-ws-core-2.2.4.RELEASE.jar:2.2.4.RELEASE]
What could be the issue ? I am clueless
At the end, I am not sure what was the issue, but I solved it by setting the message sender to a diferent provider . I set it to some apache library
<bean name="wsTemplate" class="org.springframework.ws.client.core.WebServiceTemplate" scope="prototype" >
<constructor-arg ref="messageFactory" />
<property name="marshaller" ref="marshaller"/>
<property name="unmarshaller" ref="unmarshaller"/>
<property name="messageSender">
<bean class="org.springframework.ws.transport.http.HttpComponentsMessageSender" />
</property>
</bean>
Related
I've configured the included sample application and am able successfully perform both IdP and SP initiated SSO, and SP initiated SLO (using POST)
However, when sending an IdP initiated logout using Ping Federate, it fails saying that the logout response must be signed (however it succeeds in OpenAM). Looking through the SAML messages, the logout response isn't signed (it seems that Ping Federate is more strict than OpenAM), from what I understand, the response should always be signed.
4.4.3.4 Session Participant/Authority Issues to Identity
Provider
...
It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or
TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The
message MUST be signed if the HTTP POST or Redirect binding is used. The HTTP Artifact binding,
if used, also provides for an alternate means of authenticating the response issuer when the artifact is
dereferenced.
The relevant part of my securityContext.xml is here..
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/moocow.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="sslHostnameVerification" value="default"/>
<property name="signMetadata" value="false"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="requireArtifactResolveSigned" value="false"/>
<property name="requireLogoutRequestSigned" value="true"/>
<property name="requireLogoutResponseSigned" value="true"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</constructor-arg>
</bean>
However, I don't believe any of this applies to the signing of the response to the IdP.
Associated metadata file...
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___localhost_8080_spring-security-saml2-sample" entityID="http://localhost:8080/spring-security-saml2-sample">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>Stripped out for legibility
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Am I missing something blindingly obvious here? Thanks.
John
I am attempting to go through the Spring Security SAML Quick Start at:
http://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/chapter-quick-start.html
I've gone through the four steps listed, done the two simple edits to sample/src/main/webapp/WEB-INF/securityContext.xml, and attempt to start the app as described in step 5.
I receive this error:
Bean property 'signMetadata' is not writable or has an invalid setter method.
Does the parameter type of the setter match the return type of the getter?
I have only changed the few lines of XML as described in the QuickStart.
That section of the relevant file looks like this:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="urn:test:chazlarson:waconia" />
<property name="signMetadata" value="false" />
</bean>
</constructor-arg>
</bean>
compared to the QuickStart's suggestion of:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="replaceWithUniqueIdentifier"/>
<property name="signMetadata" value="false"/>
</bean>
</constructor-arg>
</bean>
What have I missed? I am sure this is simple, but I've gone through this simple process on two different machines with the same result.
Did you try this example?
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="replaceWithUniqueIdentifier"/>
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="signMetadata" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
</bean>
</constructor-arg></bean>
I looked into MetadataGenerator class and there is no property signMetadata.
I would recommend you to follow this doc
This documentation explains how to configure Spring-Security LDAP:
http://docs.spring.io/spring-security/site/docs/3.2.4.CI-SNAPSHOT/reference/htmlsingle/#ldap
3.4.5. Spring Bean Configuration
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
<property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
<property name="password" value="password"/>
</bean>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userDnPatterns">
<list><value>uid={0},ou=people</value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=groups"/>
<property name="groupRoleAttribute" value="ou"/>
</bean>
</constructor-arg>
</bean>
how can we achieve this without xml?
Here we have a sample which uses a local ldif file:
https://github.com/spring-projects/spring-security/blob/master/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
I've modified SecurityConfig.java as follows:
public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldap_url);
contextSource.setUrl(ldap_user);
contextSource.setPassword(ldap_password);
DefaultLdapAuthoritiesPopulator ldapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
ldapAuthoritiesPopulator.setGroupRoleAttribute("ou");
LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthenticationProviderConfigurer = auth.ldapAuthentication();
ldapAuthenticationProviderConfigurer
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource(contextSource)
.ldapAuthoritiesPopulator(ldapAuthoritiesPopulator);
}
}
but when I login using the web form, I get this error:
java.lang.NullPointerException
at java.util.Hashtable.<init>(Hashtable.java:296)
at org.springframework.ldap.core.support.AbstractContextSource.getAuthenticatedEnv(AbstractContextSource.java:499)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:114)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:110)
at org.springframework.security.ldap.authentication.BindAuthenticator.bindWithDn(BindAuthenticator.java:112)
Is there a similar documentation to http://docs.spring.io/spring-security/site/docs/3.2.4.CI-SNAPSHOT/reference/htmlsingle/#ldap explaining how to achieve this without spring xml?
You need to call
contextSource.afterPropertiesSet()
if you are using the class outside an application context (see the source and Javadoc for Spring LDAP's AbstractContextSource for more information). Either that or you can just make it an #Bean and Spring will call the method and initialize it for you.
Also
contextSource.setUrl(ldap_user);
doesn't look right. Shouldn't that be setUserDn ?
I am trying to connect Ldap from spring security, getting connection errors. Could some one suggest what is wrong with this configuration,
UsernamePasswordAuthenticationFilter - An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Users,dc=aaa,dc=bbb,dc=ccc,dc=dddd'
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:191)
config file has,
<sec:authentication-manager alias="myAuthenticationManager">
<sec:authentication-provider ref="myAuthenticationProvider"/>
</sec:authentication-manager>
<bean id="myAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg ref="ldapBindAuthenticator"/>
<constructor-arg ref="ldapAuthoritiesPopulator"/>
</bean>
<bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch" ref="userSearch"/>
</bean>
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="ou=Users,dc=aaa,dc=bbb,dc=ccc,dc=dddd"/>
<constructor-arg index="1" value="(sAMAccountName={0})"/>
<constructor-arg index="2" ref="contextSource"/>
<property name="searchSubtree" value="true"/>
</bean>
<bean id="ldapAuthoritiesPopulator" class="com.xxxx.MyLdapAuthoritiesPopulator">
<property name="userDao" ref="userDao"/>
</bean>
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldaps://aaa.com:123/DC=aa,DC=bb,DC=cc,DC=dd"/>
<property name="base" value="DC=aa,DC=bb,DC=cc,DC=dd" />
<!-- <property name="anonymousReadOnly" value="true"/> -->
</bean>
Lets assume user is trying to login with username XXX and password YYY. Usually LDAP authentication works like this:
Bind to the LDAP with technical account
Search for the user with the username XXX => get his DN
Try to bind to the LDAP using found DN and password YYY
Your error is suggesting that you didnt't do the first step (technical account binding) correctly.
Try adding userDn and password to your context source (this is from the official JavaDoc):
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
<property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
<property name="password" value="password"/>
</bean>
Can you please give me some links or solutions to manage my problem?
The problem is the follows. I have an LDAP server. How can I make http basic authorization through this LDAP server?
Thanks in advance.
You need to set up two different fetures of Spring Security:
LDAP Authentication. Actual config described here.
HTTP Basic Authentication. This feature is described here.
Thanks. I made such a config:
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/index.jsp" access="isAuthenticated()"/>
<security:http-basic/>
</security:http>
Then, BasicAuthenticationFilter
<bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationEntryPoint" ref="BauthenticationEntryPoint"/>
<property name="authenticationManager" ref="BauthenticationManager"/>
</bean>
Entry point and manager were descrbed like that:
<bean id="BauthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="Name Of Your Realm"/>
</bean>
<bean id="BauthenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="ldapAuthProvider"/>
</list>
</property>
</bean>
And finally
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userDnPatterns">
<list>
<value>sAMAccountName={0}</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value=""/>
</bean>
</constructor-arg>
</bean>
When I try to access /index.jsp I shown an stadart http auth window that requesting me my username and password. When I type it into form and press Enter nothing goes on - an auth window just reloads and nothing more.
Where I made a mistake?
Thanks.