We're trying setup Keycloak (version 20.0.1) with an EHerkenning/EIDAS (Dutch/European identity system for businesses) Identity provider using SAML.
We can connect with the EHerkenning/EIDAS broker (their login page is shown). The response posted to the Keycloak endpoint however causes an exception. Keycloak displays "Invalid response from identity provider."
In the Keycloak logs we found the following error;
2022-11-09 14:01:30,735 ERROR [org.keycloak.saml.common] (executor-thread-0) Error in base64 decoding saml message.: java.lang.RuntimeException: PL00062: Parser : Unknown tag:EncryptedAttribute::location=Line number = 159
Column number = 252
System Id = null
Public Id = null
Location Uri= null
CharacterOffset = 35248
at org.keycloak.saml.common.DefaultPicketLinkLogger.parserUnknownTag(DefaultPicketLinkLogger.java:359)
at org.keycloak.saml.processing.core.parsers.saml.assertion.SAMLAttributeStatementParser.processSubElement(SAMLAttributeStatementParser.java:56)
at org.keycloak.saml.processing.core.parsers.saml.assertion.SAMLAttributeStatementParser.processSubElement(SAMLAttributeStatementParser.java:31)
at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
at org.keycloak.saml.processing.core.parsers.saml.assertion.SAMLAssertionParser.processSubElement(SAMLAssertionParser.java:96)
at org.keycloak.saml.processing.core.parsers.saml.assertion.SAMLAssertionParser.processSubElement(SAMLAssertionParser.java:34)
at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
at org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLResponseParser.processSubElement(SAMLResponseParser.java:77)
at org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLResponseParser.processSubElement(SAMLResponseParser.java:38)
at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
at org.keycloak.saml.processing.core.parsers.saml.SAMLParser.parse(SAMLParser.java:123)
at org.keycloak.saml.common.parsers.AbstractParser.parse(AbstractParser.java:98)
at org.keycloak.saml.common.parsers.AbstractParser.parse(AbstractParser.java:102)
at org.keycloak.saml.processing.api.saml.v2.response.SAML2Response.getSAML2ObjectFromStream(SAML2Response.java:389)
at org.keycloak.saml.SAMLRequestParser.parseResponseDocument(SAMLRequestParser.java:104)
at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.extractResponseDocument(SAMLEndpoint.java:726)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:624)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:276)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:187)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:564)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
We're running out of ideas what causes this issue. It's also hard to debug, because of the lack of details in the logging of Keycloak, even with verbose logging enabled.
Does anyone have any clue what is going wrong with the base64 decoding of the SAML response?
We've tried to decode the response using saml tool, however SAML tool is also unable to decode the message.
We've tried removing the newlines from the entire SAML response (both in the encrypted, base64 hashed attributes and the response as a whole). Every change made results in Keycloak not accepting the new base64 encoded SAML response or crashes Keycloak without any logging at all.
Related
I created Reactive SQL client on Quarkus using this official guide, but while making GET request on http://localhost:8080/hello trying to query data from database, I get such an error:
2022-03-06 13:18:53,051 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (vert.x-eventloop-thread-5) HTTP Request to /hello failed, error id: 2796a874-61d9-43ee-bd87-6f098cffa484-2: java.lang.NullPointerException: Cannot invoke "org.jboss.resteasy.reactive.common.util.ServerMediaType.getSortedMediaTypes()" because the return value of "org.jboss.resteasy.reactive.server.mapping.RuntimeResource.getProduces()" is null
at org.jboss.resteasy.reactive.server.handlers.PublisherResponseHandler.handle(PublisherResponseHandler.java:203)
at org.jboss.resteasy.reactive.server.handlers.PublisherResponseHandler.handle(PublisherResponseHandler.java:30)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:141)
at org.jboss.resteasy.reactive.server.handlers.RestInitialHandler.beginProcessing(RestInitialHandler.java:49)
at org.jboss.resteasy.reactive.server.vertx.ResteasyReactiveVertxHandler.handle(ResteasyReactiveVertxHandler.java:17)
at org.jboss.resteasy.reactive.server.vertx.ResteasyReactiveVertxHandler.handle(ResteasyReactiveVertxHandler.java:7)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:126)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at io.vertx.ext.web.handler.impl.StaticHandlerImpl.lambda$sendStatic$1(StaticHandlerImpl.java:274)
at io.vertx.core.impl.future.FutureImpl$3.onSuccess(FutureImpl.java:141)
at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:54)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:503)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:833)
You need to add something like:
#Produces(MediaType.APPLICATION_JSON)
// Each element will be sent as JSON
#RestSseElementType(MediaType.APPLICATION_JSON)
to your JAX-RS method.
However, you most likely also need to include quarkus-resteasy-reactive-jackson.
Furthermore, you might want to revisit the use of Multi as a return type as you are likely looking for something like Uni<List<Address>>.
I am running a keycloak (version 11.01) and have added an SAML 2.0 identity provider. It seems that all handshakes and logins are working, but after that step I get a NullPointerException (if I've interpreted the error logs correctly)
00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
.
.
.
Caused by: java.lang.NullPointerException
at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
at java.util.regex.Matcher.reset(Matcher.java:309)
at java.util.regex.Matcher.<init>(Matcher.java:229)
at java.util.regex.Pattern.matcher(Pattern.java:1093)
at java.util.regex.Pattern.split(Pattern.java:1206)
at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
... 63 more
Unfortunately it seems the stacktrace is cut after this and I don't see much more details (currently running with TRACE logging)
I've not set up any mappers as I hoped to get the attributes transparantly (with the name they have in the saml-xml)
Has anyone experienced this before or know of a way to get more details? Is there any unit-test I could do towards the source code of keycloak to verify this?
Thanks!
Same here Keycloak 11.0.2 NullPointerException when SAML response processing
at org.keycloak.keycloak-services#12.0.3//org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:512)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:559)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:259)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:174)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:395)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:364)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
at org.jboss.resteasy.resteasy-jaxrs#3.13.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at javax.servlet.api#2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.keycloak-wildfly-extensions#12.0.3//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
at org.keycloak.keycloak-wildfly-extensions#12.0.3//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandle
at io.undertow.core#2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.core#2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.core#2.2.2.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.
at io.undertow.core#2.2.2.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.core#2.2.2.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.core#2.2.2.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43
at io.undertow.core#2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.core#2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.ja
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at io.undertow.core#2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupActio
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(Undert
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(Undert
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(Undert
at org.wildfly.extension.undertow#21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(Undert
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at io.undertow.servlet#2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at io.undertow.core#2.2.2.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
at io.undertow.core#2.2.2.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
at org.jboss.threads#2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads#2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at org.jboss.threads#2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads#2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at org.jboss.xnio#3.8.2.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
at java.base/java.lang.Thread.run(Thread.java:834)
Caus ed by: java.lang.NullPointerException
at java.base/java.util.regex.Matcher.getTextLength(Matcher.java:1770)
at java.base/java.util.regex.Matcher.reset(Matcher.java:416)
at java.base/java.util.regex.Matcher.<init>(Matcher.java:253)
at java.base/java.util.regex.Pattern.matcher(Pattern.java:1133)
at java.base/java.util.regex.Pattern.split(Pattern.java:1261)
at org.keycloak.keycloak-server-spi-private#12.0.3//org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:1066)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:517)
at org.keycloak.keycloak-services#12.0.3//org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:508)
... 79 more```
I am trying to upload a file to S3 and urlencode the filename with Amazon SDK's ObjectMetadata.setContentDisposition(). The filename can contain any UTF-8 character and spaces. Right now the filename breaks on spaces and I get an error when using special case characters.
The code snippet where I use it is as follows:
ObjectMetadata fileMetadata = new ObjectMetadata();
fileMetadata.setContentLength(file.length());
fileMetadata.setContentType(metaContentType);
fileMetadata.addUserMetadata("Filename", metaFileName);
fileMetadata.setContentDisposition("attachment; filename*=UTF-8 " + URLEncoder.encode(metaFileName,"UTF-8"));
Unfortunately this does not work as excpected as I am getting the exception: "AmazonS3Exception: Status Code: 403, AWS Service: Amazon S3, AWS Request ID: 3F2C3AE3420561BA, AWS Error Code: SignatureDoesNotMatch, AWS Error Message: The request signature we calculated does not match the signature you provided. Check your key and signing method.".
The full stacktrace:
at services.AWS_S3_Uploader.AWS_S3_Upload.service(AWS_S3_Upload.java:281)
at com.sonicsw.xqimpl.service.ServiceMessageHandler.callService(ServiceMessageHandler.java:461)
at com.sonicsw.xqimpl.service.ServiceMessageHandler.handleMessageCommon(ServiceMessageHandler.java:273)
at com.sonicsw.xqimpl.service.ServiceMessageHandler.handleMessage(ServiceMessageHandler.java:136)
at com.sonicsw.xqimpl.service.XQDispatcher.onMessage(XQDispatcher.java:460)
at com.sonicsw.esb.itinerary.model.EsbStepNode.doExecute(EsbStepNode.java:296)
at com.sonicsw.esb.itinerary.model.EsbStepNode.execute(EsbStepNode.java:180)
at com.sonicsw.esb.process.model.impl.DefaultActivityNode.offerIncoming(DefaultActivityNode.java:140)
at com.sonicsw.esb.itinerary.engine.ItineraryEngine.executeProcess(ItineraryEngine.java:338)
at com.sonicsw.esb.itinerary.engine.ItineraryEngine.handleToken(ItineraryEngine.java:181)
at com.sonicsw.esb.itinerary.engine.ItineraryEngine.handleMessage(ItineraryEngine.java:171)
at com.sonicsw.xqimpl.endpoint.container.EndpointContextContainer.onMessage(EndpointContextContainer.java:116)
at com.sonicsw.xq.connector.jms.JMSEndpointMessageListener.onMessage(JMSEndpointMessageListener.java:259)
at progress.message.jimpl.Session.deliver(Session.java:3086)
at progress.message.jimpl.Session.run(Session.java:2489)
at progress.message.jimpl.Session$SessionThread.run(Session.java:2881)
Caused by: java.lang.Exception: AmazonServiceException
at services.AWS_S3_Uploader.AWS_S3.logAmazonServiceException(AWS_S3.java:340)
at services.AWS_S3_Uploader.AWS_S3.uploadObject(AWS_S3.java:280)
at services.AWS_S3_Uploader.AWS_S3_Upload.service(AWS_S3_Upload.java:263)
... 15 more
Caused by: AmazonS3Exception: Status Code: 403, AWS Service: Amazon S3, AWS Request ID: 3F2C3AE3420561BA, AWS Error Code: SignatureDoesNotMatch, AWS Error Message: The request signature we calculated does not match the signature you provided. Check your key and signing method., S3 Extended Request ID: 0AlM9giKI8hRMWG0Xc84lxXSJ8ZwUPB2DjHKddwa1oVZ4AWUzlyko7jEko9MEtwkd5Tc7xocFJw=
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:644)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:338)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:190)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:2979)
at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1159)
at com.amazonaws.services.s3.transfer.internal.UploadCallable.uploadInOneChunk(UploadCallable.java:97)
at com.amazonaws.services.s3.transfer.internal.UploadCallable.call(UploadCallable.java:89)
at com.amazonaws.services.s3.transfer.internal.UploadMonitor.upload(UploadMonitor.java:179)
at com.amazonaws.services.s3.transfer.internal.UploadMonitor.call(UploadMonitor.java:137)
at com.amazonaws.services.s3.transfer.internal.UploadMonitor.call(UploadMonitor.java:48)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
I am using:
Java 1.6
aws-java-sdk-1.10.2.jar
All help and suggestions are welcome.
If more information is needed, then just ask.
Br.
I don't know whether that's the reason, but the encoding used for filename* is incorrect. See http://greenbytes.de/tech/webdav/rfc6266.html#disposition.parameter.filename for the specification.
I am trying to use Java APNS - an open source project - to send push notifications to iPhones.
I am getting an error, though.
I have used a .pem file as certificate. Should this have been a .p12 file? I am not sure what the difference is, but I read somewhere online that there is a difference between these file formats.
Here is the code:
ApnsService service =
APNS.newService()
.withCert("gpk.pem", "XXXX")
.withSandboxDestination()
.build();
String payload = APNS.newPayload().alertBody("Can't be simpler than this!").build();
String token = "theTokenIsRemoveHere";
service.push(token, payload);
And here is the error:
Exception in thread "main" com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: toDerInputStream rejects tag type 45
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:102)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:161)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:124)
at com.geomobsters.cli.ApnsClient.main(ApnsClient.java:12)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.io.IOException: toDerInputStream rejects tag type 45
at sun.security.util.DerValue.toDerInputStream(DerValue.java:806)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1201)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:87)
... 8 more
Java APNS is expecting the cert as .p12 file.
You have to check both privatekey and certificate in your keychain.
then right click-> "export 2 files"
and export them
you have to give it a password, this password you have to type here
.withCert("gpk.pem", "XXXX")
as your XXXX
good luck
EDIT:
.P12 – PKCS#12, contains certificates an private keys saved with a password
.PEM – is Base64-encoded certificate, lockedby „-----BEGIN CERTIFICATE-----“ and „-----END CERTIFICATE-----“
I'm running the following tutorial:
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
I'm getting the following prompts:
Connected to server localhost/127.0.0.1
Kerberos username [login]: {I enter my username here}
Kerberos password for login: {I enter my password here}
I get the following error:
Can you ascertain the root cause of this?
Exception in thread "main" GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at demo.SampleClient.main(SampleClient.java:145)
Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
... 7 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:410)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:378)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 23 more
I got exceptions “Message stream modified (41)”, when the Kerberos realm didn’t match. The realm (in system property java.security.krb5.realm) has to match exactly, including upper/lower case.
I'm wondering if this is a possibility (ie even if registry key is set, locked out for local administrators):
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
Known Issues
If an AD account is also added into local administrator group on the
client PC, Microsoft restricts such client from getting the session key
for tickets (even if you set the allowtgtsessionkey registry key to 1).
The workaround is: Just forget you're a logged in user, call kinit.exe.
Do not depends on LSA credential cache.
I cannot confirm that issue. I do have admin rights on my machine and still are able to obtain the session key from the LSA. You should enable full debug ouput on JGSS and the Krb5LoginModule. Share your krb5.ini and login.conf too. I hope your are aware that the above example cannot work because your client cannot obtain a ticket for a local host. It has to be a FQDN with an appropriate SPN set in the Active Directory.