  1. OpenAM
  2. OPENAM-3841

Export metadata produces XML Parsing Error after upgrade to AM11.0.1


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 11.0.1
    • 11.0.2
    • SAML, upgrade
    • Centos 6 64-bit / JDK 1.6.0_45 / tomcat 6.0.39 / OpenAM 11.0.1 (2014-March-28 19:43)

    Description

      Metadata is exported incorrectly after upgrade to 11.0.1 and produces an XML Parsing Error. The XML declaration moved to the 10th row, and it is allowed only at the start of the document.

      Steps to reproduce:
      1.) Configure OpenAM 955 as default configuration
      2.) Log in to the AM console and go to Access Control
      3.) Create a new realm = sp
      4.) Go to Federation > Entity Providers > New = SAMLv2
      realm = / > sp
      Entity Identifier = sp
      Service Provider > Meta Alias = sp
      5.) Federation > Circle of Trust > New
      name = sp-cot
      Realm = />sp
      OK
      6.) Federation > Circle of Trust > sp-cot
      Entity Providers - Move sp SAMLv2 from "Available" to "Selected" and save
      7.) Export metadata: http://centos6-64.example.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=sp&realm=sp
      Result: you see metadata in your browser
      Check the page source; it should look like the following example:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://centos6-64.example.com:8080/openam/SPSloRedirect/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPSloRedirect/metaAlias/sp/sp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://centos6-64.example.com:8080/openam/SPSloPOST/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPSloPOST/metaAlias/sp/sp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://centos6-64.example.com:8080/openam/SPSloSoap/metaAlias/sp/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://centos6-64.example.com:8080/openam/SPMniRedirect/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPMniRedirect/metaAlias/sp/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://centos6-64.example.com:8080/openam/SPMniPOST/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPMniPOST/metaAlias/sp/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://centos6-64.example.com:8080/openam/SPMniSoap/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPMniSoap/metaAlias/sp/sp"/>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
              <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://centos6-64.example.com:8080/openam/Consumer/metaAlias/sp/sp"/>
              <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://centos6-64.example.com:8080/openam/Consumer/metaAlias/sp/sp"/>
              <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://centos6-64.example.com:8080/openam/Consumer/ECP/metaAlias/sp/sp"/>
          </SPSSODescriptor>
      </EntityDescriptor>
      

      8.) Do an upgrade to AM 11.0.1
      Upgrade Complete! and restart container
      9.) Export metadata again:
      http://centos6-64.example.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=sp&realm=sp
      Observed result:

      XML Parsing Error: XML or text declaration not at start of entity
      Location: http://centos6-64.example.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=sp&realm=sp
      Line Number 10, Column 1:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      ^
      

      Note: the error message could be different, depending on the browser. I used Firefox.
      Check the page source (see the picture in the attachment; I put dots on the empty rows because JIRA skipped empty rows):

      .
      .
      .
      .
      .
      .
      .
      .
      .
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://centos6-64.example.com:8080/openam/SPSloRedirect/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPSloRedirect/metaAlias/sp/sp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://centos6-64.example.com:8080/openam/SPSloPOST/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPSloPOST/metaAlias/sp/sp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://centos6-64.example.com:8080/openam/SPSloSoap/metaAlias/sp/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://centos6-64.example.com:8080/openam/SPMniRedirect/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPMniRedirect/metaAlias/sp/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://centos6-64.example.com:8080/openam/SPMniPOST/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPMniPOST/metaAlias/sp/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://centos6-64.example.com:8080/openam/SPMniSoap/metaAlias/sp/sp" ResponseLocation="http://centos6-64.example.com:8080/openam/SPMniSoap/metaAlias/sp/sp"/>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
              <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://centos6-64.example.com:8080/openam/Consumer/metaAlias/sp/sp"/>
              <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://centos6-64.example.com:8080/openam/Consumer/metaAlias/sp/sp"/>
              <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://centos6-64.example.com:8080/openam/Consumer/ECP/metaAlias/sp/sp"/>
          </SPSSODescriptor>
      </EntityDescriptor>
      

      There are 9 free rows and the code starts on the 10th row.

      This bug does not exist for AM 11.0.0. I am able to reproduce it if I did an upgrade from AM 11.0.0 to 11.0.1.
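
A regression check for the failure described in this report, as an added example that is not part of the original issue or of OpenAM's code: it tells apart a metadata body that is rejected only because whitespace precedes the XML declaration from one that is malformed in some other way. The function name `check_metadata` and the trimmed sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed version of the SP metadata shown in the report.
GOOD = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<EntityDescriptor entityID="sp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">\n'
    b'    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>\n'
    b'</EntityDescriptor>\n'
)
# Constructed sample: the same document preceded by nine empty rows,
# matching the page source observed after the upgrade.
BAD = b"\n" * 9 + GOOD

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def check_metadata(body: bytes) -> dict:
    """Classify an exported SAML metadata response body (hypothetical helper)."""
    stripped = body.lstrip(b" \t\r\n")
    lead = body[: len(body) - len(stripped)]
    has_decl = stripped.startswith(b"<?xml")
    result = {
        "leading_bytes": len(lead),
        # 1-based row on which the XML declaration sits, if there is one.
        "declaration_line": lead.count(b"\n") + 1 if has_decl else None,
        "well_formed": False,
        "recoverable_by_trim": False,
        "entity_id": None,
        "error": None,
    }
    try:
        # A strict parser, like a federation partner importing the metadata.
        # For metadata from an untrusted source, parse with a hardened
        # library such as defusedxml instead.
        root = ET.fromstring(body)
        result["well_formed"] = True
    except ET.ParseError as exc:
        result["error"] = str(exc)
        try:
            # Second attempt without the leading whitespace: success here
            # means the document itself is intact and only the prolog is off.
            root = ET.fromstring(stripped)
            result["recoverable_by_trim"] = True
        except ET.ParseError:
            return result
    if root.tag == MD_NS + "EntityDescriptor":
        result["entity_id"] = root.get("entityID")
    return result
```

Running the check against the export URL before and after an upgrade flags this regression without relying on a browser's error page.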

            People

              peter.major Peter Major [X] (Inactive)
              richard.hruza Richard Hruza