Unable to find flow 'authn/conditions' on Windows IdP 3.2.0

Domingues, Michael D michael-domingues at uiowa.edu
Fri Dec 18 10:23:56 EST 2015 

Greetings all -

I seem to have stumbled across the issue described in this developer's list exchange [1] in upgrading from IdP 3.1.2 to 3.2.0 on Windows. After upgrading, as soon as the auth/Password flow is triggered, I encounter the following Uncaught Exception:

2015-12-17 17:05:20,271 ERROR {http-bio-443-exec-1} [,X.X.X.X,F414789D4604C5764A99C6850F04BBE7] net.shibboleth.idp.authn:-2 Uncaught runtime exception
org.springframework.webflow.definition.registry.FlowDefinitionConstructionException: An exception occurred constructing the flow 'authn/Password'
                at org.springframework.webflow.engine.builder.DefaultFlowHolder.assembleFlow(DefaultFlowHolder.java:111)
Caused by: org.springframework.webflow.engine.builder.FlowBuilderException: Unable to get the model for this flow
                at org.springframework.webflow.engine.builder.model.FlowModelFlowBuilder.doInit(FlowModelFlowBuilder.java:154)
Caused by: org.springframework.webflow.engine.model.builder.FlowModelBuilderException: Unable to find flow 'authn/conditions' to inherit from
                at org.springframework.webflow.engine.model.builder.xml.XmlFlowModelBuilder.mergeFlows(XmlFlowModelBuilder.java:646)
Caused by: org.springframework.webflow.engine.model.registry.NoSuchFlowModelException: No flow model 'authn/conditions' found
                at org.springframework.webflow.engine.model.registry.FlowModelRegistryImpl.getLocalFlowModelHolder(FlowModelRegistryImpl.java:94)

Digging into the log files at log-level debug, I see the same behavior that Rod has described in the developer's list exchange: the authentication condition flows get initialized, but their IDs are set to include the full Windows path to the files, as opposed to just their names:

2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:631 Looking for matching resources in directory tree [C:\opt\shibboleth-idp\flows]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\authn] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\authn\conditions] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\authn\conditions\account-locked] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\authn\conditions\expired-password] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\authn\conditions\expiring-password] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\user] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:693 Searching directory [C:\opt\shibboleth-idp\flows\user\prefs] for files matching pattern [C:/opt/shibboleth-idp/flows/**/*-flow.xml]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.core.io.support.PathMatchingResourcePatternResolver:424 Resolved location pattern [C:\opt\shibboleth-idp/flows/**/*-flow.xml] to resources [file [C:\opt\shibboleth-idp\flows\authn\conditions\account-locked\account-locked-flow.xml], file [C:\opt\shibboleth-idp\flows\authn\conditions\conditions-flow.xml], file [C:\opt\shibboleth-idp\flows\authn\conditions\expired-password\expired-password-flow.xml], file [C:\opt\shibboleth-idp\flows\authn\conditions\expiring-password\expiring-password-flow.xml], file [C:\opt\shibboleth-idp\flows\user\prefs\prefs-flow.xml]]
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\authn\conditions\account-locked\account-locked-flow.xml]' under id 'C:/opt/shibboleth-idp/flows/authn/conditions/account-locked'
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\authn\conditions\conditions-flow.xml]' under id 'C:/opt/shibboleth-idp/flows/authn/conditions'
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\authn\conditions\expired-password\expired-password-flow.xml]' under id 'C:/opt/shibboleth-idp/flows/authn/conditions/expired-password'
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\authn\conditions\expiring-password\expiring-password-flow.xml]' under id 'C:/opt/shibboleth-idp/flows/authn/conditions/expiring-password'
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\user\prefs\prefs-flow.xml]' under id 'C:/opt/shibboleth-idp/flows/user/prefs'

By comparison, prior flows are registered using proper naming:

...
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\..\system\flows\cas\login\login-flow.xml]' under id 'cas/login'
2015-12-17 16:59:32,785 DEBUG {localhost-startStop-1} [,,] org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:99 Registering flow definition 'file [C:\opt\shibboleth-idp\flows\..\system\flows\cas\proxy\proxy-flow.xml]' under id 'cas/proxy'
...

Environment-wise, my setup is as follows:

-          Windows Server 2012 R2

-          Apache Tomcat 8.0.28 (Daemonized)

-          Oracle Java 1.8.0_66

I encounter the same behavior regardless of whether I've used the Windows MSI installer or the .zip distributable and install.bat script, either as an upgrade from 3.1.2 or a fresh install. In all cases, I've taken the default install location.

Explicitly setting idp.home to "C:/opt/shibboleth-idp" as a system property during Tomcat daemonization solves the problem.

My gut feeling says this seems like a regression, because the installer with default options didn't lead to this situation prior to 3.2.0, and documentation indicates that setting idp.home is only necessary if installing to a non-default location. That said, if I've missed something or the installation documentation just needs to be updated, please let me know.

Thoughts?

Michael Domingues
University of Iowa

[1] http://marc.info/?l=shibboleth-dev&m=141267389230106&w=2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20151218/899e4644/attachment-0001.html>

More information about the users mailing list