So authentication response in Spring Security Saml Sample application looks like the following (the attribute value is question marks):
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_670fb4839b61c1398a1acb39e56ee5e6" ..>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="userName" Name="urn:com.example:userName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>???????</saml2:AttributeValue>
</saml2:Attribute>
</saml2:Assertion>
I am using Shibboleth as IdP, and in the logs of IdP I see that authentication response xml (before encryption) holds actual values, not question marks.
Any idea how to read them properly? Or to check where they get scrambled.
UPDATE #1 (2016-03-03)
I disabled encryption of saml assertions temporarily, analyzed HTTP traffic between IdP and SP, and I see that Japanese characters arrive normally to browser in the authentication response. This proves that Spring Security Saml Sample fails to decode / display them properly. I will keep looking into ways to resolve this.
All I had to do is to add
<%# page contentType="text/html; charset=UTF-8" %>
To index.jsp of Spring Security Saml Sample application to make page Japanese characters display properly. :)
Related
We have an requirement to test Keycloak Login/Registration using Keycloak application. When I open portal and click on continue to Login/Registration, it is redirecting to the following URL and taking Query Parameter.
I am not aware how and from which section we can get the value of Query parameter to pass
https://keycloak..com/realms//protocol/openid-connect/auth?client_id=&redirect_uri=http***personal-information
state= f707ae75-4543-46a8-8204-538492251966
nonce= 03d80815-c174-4453-83d4-0324726b87df
code challenge= OpSGM55wKbL4suTi_-FJcyWIdD63UryMV8fX4Mu-dc4
code challenge method= S256
tab id= ub4Sj_h_Cho
Please help here, if possible
Thanks
You've mentioned you're redirected which means that one of the previous request responds with i.e. 302 HTTP Status Code and its Location header contains the keycloak URL and all these query parameters.
If you need to extract them for future use - go for Regular Expression Extractor or Boundary Extractor, just make sure to choose the relevant "Field to check"
Your app uses Authorization Code Flow with Proof Key for Code Exchange (PKCE), so you need to understand:
1.) OIDC auth request (client_id,redirect_uri,state parameters - they configured in your IDP/Keyclok usually): https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
2.) PKCE part (code_challenge,code_challenge parameters - they are generated usually): https://datatracker.ietf.org/doc/html/rfc7636
I am trying to use the CURL Command to POST the response receive from the IDP, i.e. the SAML Response to the SP on one of the alias which I have.
I am using Spring-SAML Framework.
Can someone help me with the exact command which needs to be used if I want to post the SAML Response to the SP using CURL Command ?
SAML Response is fairly complicated and contains a range of values which expire over time, need to correspond to the originally send SAML Authentication Request and depend on configuration of the particular SAML federation. For these reasons there's no way to craft a generic CURL Command.
curl --data #path/to/file https://host
where file contains SAMLResponse= followed by the Base64 encoded and then URL-encoded SAML Response XML, e.g.
SAMLResponse=PHNhbWxwOlJlc3B...snip...R0cmlidXRlU3RhdGVtZW50PgogIDwvc2FtbDpBc3NlcnRpb24%2BCjwvc2FtbHA6UmVzcG9uc2U%2B
If you don't URL-encode the Base64 encoded string, any + characters will cause the XML to be truncated and parsing to fail. The errors I saw in the Keycloak logs were along the lines of Element type "Response" must be followed by either attribute specifications, ">" or "/>".
My Restful service application developed with Spring 3 is deployed on Tomcat7. I use a chrome app called Postman to request REST services.
I have a custom-filter placed before all the services (except the non-secured service login) for checking Session and application specific cookies.
This filter returns HTTP status:403 if cookies are not present or invalid in the incoming HttpServletRequest. The filter (myCustomSecurityFilter) is Singleton scoped.
<security:intercept-url pattern="/services/v1/login" access="permitAll()" /> <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myCustomSecurityFilter" />
I observed that in a speicific case old HttpServletRequest is used. Please see the following scenario
Case #1: All requests are over HTTPS.
All cookies are removed and browser is restarted.
Call HTTPS serveice: ..\services\v1\account. As this service has to be called after ..\services\v1\login, 403 response is expected. Actual response :403.
A new session is created and a JSESSIONID is returned by Tomcat. Say, JSESSIONID_1.
Request ..\services\v1\login . Expected and Actual respose 200-OK.
A new session is created and a JSESSIONID is returned by Tomcat. Say, JSESSIONID_2.
Also application specific cookies are returned to client/browser. Say, App_cookie_1.
Call any other service other than ..\services\v1\account. All are successful(200).
Cookies JSESSIONID_2, App_cookie_1 are sent by request and the same can be observed after receiveing response.
Note: This step is not important. Step 5 can be reproduced with or without this step.
Request ..\services\v1\account. Expected: 200. Actual: 403.
When I debugged the HttpServletRequest received by the doFilter method in my SecurityFilter mentioned above, I see that the HttpServletRequest contains old cookies of the previous request to the same service ..\services\v1\account.
i.e JSESSIONID_1. No app cookie.
I checked cookies with the help of httpServletRequest.getCookies()
Browser shows Cookies JSESSIONID_2, App_cookie_1. I am sure that Tomcat receieves Cookies JSESSIONID_2, App_cookie_1 becasue I have access logging enabled.
So, it is Spring (my code or config on top of the the Spring framework) passing old HttpServletRequest to filter. But how? why?
Request ..\services\v1\account. Expected: 200. Actual: 200.
Cookies JSESSIONID_2, App_cookie_1 are sent by request and the same can be observed after receiveing response.
So, old cookies are used only once and that too only for the same service in this case (..\services\v1\account).
Webapp works as expected in the following cases (above steps are denoted by numbers):
Case2: 1,2,3,4,5,6. All are HTTPS requests except #2 (login request). #5 returns 200 if #2 is a HTTP request!! This is also a surprise.
Case3: 2,3,4,5,6.
Case4: 2,3,5,6.
Step 4 is not important. Step 5 can be reproduced with or without this step. I placed this to explain that previous request of the same service is loaded and no effect on other services.
Problem is definitely not with ..\services\v1\account. Because I just used this service for example. Case 1 can be repeated with any secured service in the application.
I tried managing my session with newSessio, migrateSession options.
<security:session-management session-fixation-protection="newSession">
<security:concurrency-control max-sessions="1" />
</security:session-management>
Thanks for reading my question. It would be great if you could give some pointers.
Please let me know if I am not clear.
(answering as I faced a similar problem recently. Even though the question is too old)
..\services\v1\login
A new session is created and a JSESSIONID is returned by Tomcat.
How is the session created here?
Assuming its typically created like below
HttpServletRequest.getSession(true);
there is a high chance server gets an old session here.
Can you try a
session.Invalidate()
or
request.logout()
So that any open session is invalidated.after that you try creating the session again
HttpServletRequest.getSession(true);
Im using Spring MVC: Spring security.
There is one GET request which downloads a form. I want to know whether the request was made using an hyperlink or from the address bar.
Is there any attribute in the HttpRequest object that can differentiate between the two?
You could use the Referer header to see if the request is coming from a link in another page. See explanations on Wikipedia and the entry in the HTTP spec. Directly entering the URL in the address bar will not have the header in the request.
Since you ask your question in a security context do note that you cannot count on this check because any request can be faked (i.e. I could use a basic command line app to make your application think I'm requesting from a browser). Also, there are plugins that deactivate this feature in browsers for privacy considerations.
Most of my Spring application uses regular spring security. However, there is a (non-negotiable) requirement for certain pages to be accessed by an embedded system that communicates exclusively via XML inside a POST body. That is to say, it's not capable of passing 'JSESSIONID=xxx' or receiving cookies, but instead it expects to receive a sessionid via xml on login, which it then repeats back in future requests.
So, on login (I've simplified here), it sends
<username>user</username><password>password</password>
in a post body to http://example.com/xml_login and expects
<sessionid>xxxxxx</sessionid>
in reponse. Then all subsequent requests will repeat back the <sessionid> tag's contents as part of its body.
Any ideas how to go about getting spring security to use this?
My first attempt was to try writing a filter to extract the sessionid and crowbar a JSESSION= into the body, but it turned out to be too late (by the time I had a request object to get the body from, spring security had already established the session, and I can't see any way of doing anything like 'request.setSession(id)'). The only other thing I can think of is to write my own session handling outside of spring security, but it'd be nice if I didn't have to do that.
thanks