previous X509 auth result contains subject with no public credentials
robertl at jlab.org
Fri Nov 20 22:12:21 UTC 2020
Well - it appears I may have found my problem, but I don't know how to solve it.
Per the Javadoc for javax.security.auth.Subject (https://docs.oracle.com/javase/8/docs/api/javax/security/auth/Subject.html):
"While the Principals associated with the Subject are serialized, the credentials associated with the Subject are not"
So it seems that when the AuthenticationResult is serialized to the session, all the credentials are lost.
From what I know about how Java app servers and the IdP work, I have a couple solutions - none of which are very ideal.
I can create my own version of "net.shibboleth.idp.authn.impl.ValidateX509Certificate" which changes the implementation of the "populateSubject" method and adds a net.shibboleth.idp.authn.principal.UsernamePrincipal for each of the certificate subject alternative names. Maybe in a similar manner as the "net.shibboleth.idp.authn.impl.X500SubjectCanonicalization" class does and basically performing the subject canonicalization before the c14n process is even performed. I could even use a Predicate to determine if/when this should happen or even for determining if a SubjectAltName should be used instead of the X500Principal. While all of this seems doable, there is no easy way to make the IdP use my custom class without either overriding the impl class with my own version (adding to the Tomcat system classpath so it takes precedence), or changing system/flows/authn/x509-internal-authn-beans.xml and/or system/flows/authn/x509-internal-authn-flow.xml file to use a custom class. Both of these are 'system' config files and not meant to be changed.
Obviously both of these solutions are a hack to solve my problem and neither sit well with me.
Does anyone have any ideas?
From: Bobby Lawrence
Sent: Friday, November 20, 2020 4:35 PM
To: Shib Users <users at shibboleth.net>
Subject: previous X509 auth result contains subject with no public credentials
Hello all - I have a strange issue here that I'm hoping someone can help with. I'm running IdP 3.4.7 on Tomcat 8.0.53 and trying to get X509 authentication working so that our users can authenticate with their smart cards.
It seems that everything works fine on the first authentication attempt...the IdP trusts my cert, extracts the X500Principal which is added to the principals of the subject and adds the certificate itself to the public credentials of the subject. The DN on the certificate doesn't contain my LDAP username, but it does have a SubjectAltName that does. No problem for the IdP tho because the c14n/x500 flow extracts the subject alternative name from the certificate and constructs a c14n principal name which is used to fetch attributes from LDAP. All very well documented and working as expected. Yay.
However when I attempt to log into another SP and the IdP re-uses my previous X509 authentication result, the subject from the previous X509 authentication result has no public credentials...the set returned from the 'getPublicCredentials' method is empty. The set of principals (returned from the 'getPrincipals' method) seems fine tho because it is populated with all the principals from the previous authentication. The missing public credentials means that the c14n/x500 canonicalization process cannot fetch the username from the subject alternative name and because of that, the IdP cannot lookup my attributes from LDAP.
Has anyone encountered this before?
Thanks in advance.
Jefferson Lab MIS
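The behaviour described in this thread (the Subject's principals survive Java serialization, its credentials do not) can be reproduced with the JDK alone. The following is an added example, not code from the poster or from the Shibboleth IdP. It serializes a Subject that carries an X500Principal and a public credential, restores it, and shows the credential set coming back empty; it also sketches the proposed workaround of deriving a serializable principal from each SubjectAltName. The UsernamePrincipal class below is a JDK-only stand-in for net.shibboleth.idp.authn.principal.UsernamePrincipal (an assumption, to keep the example free of IdP dependencies); the certificate is read from a PEM path given on the command line, if any, and the credential value in main() is a constructed placeholder string.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectSerializationDemo {

    /** Stand-in for the IdP's UsernamePrincipal (assumption: a plain serializable Principal). */
    static final class UsernamePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        UsernamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UsernamePrincipal[" + name + "]"; }
    }

    // GeneralName type codes as returned by X509Certificate.getSubjectAlternativeNames()
    static final int RFC822_NAME = 1;  // e-mail address
    static final int URI_NAME = 6;     // uniformResourceIdentifier

    /** Workaround sketch: one serializable principal per string-valued SubjectAltName. */
    static List<UsernamePrincipal> principalsFromSans(X509Certificate cert)
            throws CertificateParsingException {
        List<UsernamePrincipal> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return out; // certificate has no SAN extension
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            Object value = san.get(1);
            if (value instanceof String && (type == RFC822_NAME || type == URI_NAME)) {
                out.add(new UsernamePrincipal((String) value));
            }
        }
        return out;
    }

    /** Serialize and deserialize a Subject, as a servlet container does with session state. */
    static Subject roundTrip(Subject subject) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(subject);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Subject) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=Jane Doe, O=Example"));
        // Constructed placeholder for the certificate the IdP keeps as a public credential.
        subject.getPublicCredentials().add("<certificate would be stored here>");

        if (args.length > 0) {
            // Optional: derive principals from a real certificate's SANs (PEM path as first argument).
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (FileInputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                subject.getPrincipals().addAll(principalsFromSans(cert));
            }
        }

        Subject restored = roundTrip(subject);
        System.out.println("principals before : " + subject.getPrincipals());
        System.out.println("credentials before: " + subject.getPublicCredentials());
        System.out.println("principals after  : " + restored.getPrincipals());
        System.out.println("credentials after : " + restored.getPublicCredentials()); // empty set
    }
}
```

Run it without arguments to see the credential set emptied by the round trip while the X500Principal is retained; run it with a PEM certificate path to see SAN-derived principals carried across the same round trip, which is why moving the username into a principal before the session is serialized avoids the empty-credentials problem on the second SP login.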