Shibcas and Shibboleth IdP 3.4.6

Jones, Brian brian.jones at ua.edu
Thu Oct 3 12:14:15 EDT 2019 

Hi All,

This may or may not be an issue anybody here would be able to address, as it appears to be a Shibcas issue, but we wanted to post here just in case.

Based on the release notes for Shibboleth Identity Provider V3.4.6, we believe we fell into the category of the third bullet point mentioned here (as we are using Shibcas):

https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes#ReleaseNotes-3.4.6(Oct2,2019)


-          Anybody directly instantiating/adding an instance of the ExternalAuthenticationContext<http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.context.ExternalAuthenticationContext> class to the profile request context tree. This is also not something we would expect anybody to have done.

In a test upgrade to Shibboleth IdP V3.4.6, we received the following error message:

2019-10-03 09:20:17,080 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).addSubcontext(new net.shibboleth.idp.authn.context.ExternalAuthenticationContext(), true).setFlowExecutionUrl(flowExecutionUrl + '&_eventId_proceed=1')' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
                at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:94)
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1002E: Constructor call: No suitable constructor found on type net.shibboleth.idp.authn.context.ExternalAuthenticationContext for arguments ()
                at org.springframework.expression.spel.ast.ConstructorReference.findExecutorForConstructor(ConstructorReference.java:203)


In trying to fix that, we made changes to the following file from Shibcas:

https://github.com/Unicon/shib-cas-authn3/blob/master/IDP_HOME/flows/authn/Shibcas/shibcas-authn-flow.xml

The changes we made are as follows (commented out code was replaced by the uncommented expression below each commented segment):

        <on-render>
            <!--<evaluate expression="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).addSubcontext(new net.shibboleth.idp.authn.context.ExternalAuthenticationContext(), true).setFlowExecutionUrl(flowExecutionUrl + '&_eventId_proceed=1')" />-->
            <evaluate expression="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).addSubcontext(new net.shibboleth.idp.authn.context.ExternalAuthenticationContext(new net.shibboleth.idp.authn.impl.ExternalAuthenticationImpl()), true).setFlowExecutionUrl(flowExecutionUrl + '&_eventId_proceed=1')" />
            <!--<evaluate expression="externalContext.getNativeRequest().getSession().setAttribute('conversation' + flowExecutionContext.getKey().toString(), new net.shibboleth.idp.authn.impl.ExternalAuthenticationImpl(opensamlProfileRequestContext, calledAsExtendedFlow?:false))" />-->
            <evaluate expression="externalContext.getNativeRequest().getSession().setAttribute('conversation' + flowExecutionContext.getKey().toString(), new net.shibboleth.idp.authn.impl.ExternalAuthenticationImpl(calledAsExtendedFlow?:false))" />
        </on-render>

With this change, the error was no longer thrown and we were able to access our CAS login screen via browser.  However, we are concerned that this change still leaves us open to the DOS attack described in the Shibboleth IdP 3.4.6 release notes.

Does anyone have any feedback on whether we would still be vulnerable to such an attack?  Or, any suggestions for updating to Shibboleth IdP 3.4.6 while using Shibcas?  Finally, if anybody has any word on whether/when Shibcas might be updated based on the changes in Shibboleth IdP 3.4.6 that would be helpful as well.

Thanks in advance for any assistance.


Brian


Brian Jones
Programmer Analyst IV
Enterprise Development and Application Support, OIT
The University of Alabama
brian.jones at ua.edu


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20191003/9bdaa320/attachment.html>

More information about the users mailing list