Internet2

[SIDP-493] can not create /profile/Status Created: 19/Sep/11 Updated: 19/Sep/11

Status:            Open
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:              Bug                         Priority:              Minor
Reporter:          xing chun yan               Assignee:              Tom Barton
Resolution:        Unresolved                  Votes:                 0
Labels:            None

Java Version:      Sun 1.6
Servlet Container: Jetty 7

 Description
idp-process.log
16:24:37.850 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionPa
rser:45] - Parsing configuration for JSP error handler.
16:24:37.852 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfil
eHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: Status
16:24:37.853 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfil
eHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: SAMLMetadata
16:24:37.859 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfil
eHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: ShibbolethSSO
16:24:37.878 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfil
eHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler:
SAML1AttributeQuery
16:24:37.880 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfil
eHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler:
SAML1ArtifactResolution
16:24:37.885 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfil
eHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: SAML2SSO
[SIDP-492] bin/version causes exception Created: 22/May/11   Updated: 22/May/11

Status:            Open
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.3.0
Fix Version/s:     None

Type:              Bug                          Priority:           Trivial
Reporter:          Peter Schober                Assignee:           Chad La Joie
Resolution:        Unresolved                   Votes:              0
Labels:            None

Java Version:      Sun 1.6
Servlet Container: Apache Tomcat 6.0

 Description
{noformat}
[shibboleth-idp]# bin/version.sh
Exception in thread "main" java.lang.ExceptionInInitializerError
Caused by: java.lang.ArrayIndexOutOfBoundsException: 0
      at edu.internet2.middleware.shibboleth.idp.Version.<clinit>(Version.java:101)
Could not find the main class: edu.internet2.middleware.shibboleth.idp.Version. Program will
exit.
{noformat}
[SIDP-491] Stylesheet link in login.jsp is not inside the head tag Created: 20/May/11 Updated: 20/May/11

Status:            Open
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:               Bug                            Priority:              Trivial
Reporter:           Daniel J. Lauk                 Assignee:              Chad La Joie
Resolution:         Unresolved                     Votes:                 0
Labels:             None

Attachments:          shib-idp-2.3-login.jsp.patch
Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 6.0

 Description
The HTML element '<link rel="stylesheet" ... />' belongs inside the '<head>' section of an
(X)HTML document.

Comments
Comment by Daniel J. Lauk [ 20/May/11 ]
The attached patch file 'shib-idp-2.3-login.jsp.patch' fixes the issue.
[SIDP-489] Typos in the idpui.tld Created: 07/May/11   Updated: 12/May/11 Resolved: 12/May/11

Status:            Resolved
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:              Improvement                   Priority:               Minor
Reporter:          Rod Widdowson                 Assignee:               Chad La Joie
Resolution:        Fixed                         Votes:                  0
Labels:            None


 Description
This file appears to have had a bad case of "search and replace gone bad". I fixed one in idp-485,
but there are some more.

Comments
Comment by Rod Widdowson [ 12/May/11 ]
Fixed likewise in Version 3027
[SIDP-488] PeerEntityId property not set on SAML queries Created: 06/May/11 Updated: 17/May/11 Resolved: 06/May/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.2.0, 2.2.1
Fix Version/s:     2.3.0

Type:                    Bug                     Priority:          Major
Reporter:                Scott Cantor            Assignee:          Scott Cantor
Resolution:              Fixed                   Votes:             0
Labels:                  None

Java Version:            Sun 1.6
Servlet Container:       Jetty 7

 Description
For SAML attribute queries, the requestContext object is missing a value for getPeerEntityId. It
does have a value for getInboundMessageIssuer, which is why the filtering engine works.

Comments
Comment by Scott Cantor [ 06/May/11 ]
Fixed in svn.
[SIDP-487] More login.jsp changes Created: 05/May/11   Updated: 17/May/11 Resolved: 12/May/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.3.0
Fix Version/s:     2.3.0

Type:               Improvement                Priority:              Minor
Reporter:           Rod Widdowson              Assignee:              Chad La Joie
Resolution:         Fixed                      Votes:                 0
Labels:             None


 Description
From Ian:
> A couple of quick observations about the example user/password login page, which I had to
customise from scratch:
>
> 1) It seems to have DOS line endings now; I don't think that used to be the case.
>
> 2) It has a documentation link to a page on spaces.internet2.edu which no longer exists.
>
> 3) The sentence starting "The web site described to the right" should end with a '.'

(2) is SIDP-486
(1) also applies to login.css



Comments
Comment by Rod Widdowson [ 12/May/11 ]
Why did I not close this off when I checked in Version 3024? Never mind...
[SIDP-486] login.jsp page contains this helper text "This login page is an example and should be customized. Refer to the documentation." The link on the word documentation takes the user to the spaces wiki. Created: 04/May/11 Updated: 04/May/11 Resolved: 04/May/11

Status:            Resolved
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.3.0
Fix Version/s:     None

Type:                 Bug                          Priority:           Trivial
Reporter:             Steven Carmody               Assignee:           Scott Cantor
Resolution:           Fixed                        Votes:              0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Apache Tomcat 6.0

Comments
Comment by Scott Cantor [ 04/May/11 ]
Fixed in rev 3022. I'll resolve once I sweep the projects for any other links.
Comment by Scott Cantor [ 04/May/11 ]
Found remaining links in major spots.
[SIDP-485] idpui tags for images do not create the "alt" attribute. Created: 04/May/11 Updated: 17/May/11 Resolved: 05/May/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.3.0
Fix Version/s:     2.3.0

Type:                    Bug                     Priority:          Minor
Reporter:                Rod Widdowson           Assignee:          Rod Widdowson
Resolution:              Fixed                   Votes:             0
Labels:                  None

Java Version:            Sun 1.6
Servlet Container:       Jetty 7

 Description
Three options to fix:
1) add a required alt text parameter
2) or supply it from the same code that creates the entityName.
3) or supply it, but have it overridable.

Do we need this for 2.3?

Comments
Comment by Chad La Joie [ 04/May/11 ]
Do option #3. And yeah, it would probably be nice to have this for v2.3 if you have a few
minutes to do it.
Comment by Rod Widdowson [ 05/May/11 ]
Checkin 3023
[SIDP-484] Login stops at AuthnEngine with an empty page Created: 28/Apr/11 Updated: 12/May/11 Resolved: 11/May/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.1
Fix Version/s:     2.3.0

Type:                    Bug                     Priority:           Major
Reporter:                Thomas Lenggenhager     Assignee:           Chad La Joie
Resolution:              Fixed                   Votes:              0
Labels:                  None

Java Version:            Sun 1.6
Servlet Container:       Apache Tomcat 6.0

 Description
We observed repeatedly that a login at our IdP stops at AuthnEngine with an empty page in the
browser, the redirect to the Login Handler does not take place. The first retry is mostly
successful. However, yesterday it happened to me three times in a row when trying to access
wiki.shibboleth.net.

Up to now, we cannot reproduce it yet, but by chance we captured such an incident yesterday
evening while DEBUG was turned on for another reason.

Here are the relevant logfile entries.
The user confirmed that he made this access with no old session cookies, since he restarted the
browser just before it happened and no cookies were blocked. A retry thereafter using the same
browser config was successful.

2011-04-27 19:23:22,564 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:198] - Creating login
context and transferring control to authentication engine
2011-04-27 19:23:22,572 - DEBUG
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:166] - Storing LoginContext to
StorageService partition loginContexts, key df3694a5-7acf-4416-82dc-018f57bc3cd6
2011-04-27 19:23:22,573 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:210] - Redirecting
user to authentication engine at https://aai-logon.switch.ch:443/idp/AuthnEngine
2011-04-27 19:23:22,599 - DEBUG
[edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:156] - No session associated
with session ID
OWZhMGRlODJkZDI1NzNkYzZjYTRlYmIyNzhiMDZiMDFlMGVmMDhmMzQwYTdiMjQ
4ZjQwOTYxNmMyODQ0NmNlMw== - session must have timed out
2011-04-27 19:23:22,600 - DEBUG
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:316] - LoginContext key cookie
was not present in request
2011-04-27 19:23:22,600 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:201] - Processing
incoming request
2011-04-27 19:23:22,600 - DEBUG
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:316] - LoginContext key cookie
was not present in request
2011-04-27 19:23:22,600 - ERROR
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Incoming request
does not have attached login context
2011-04-27 19:23:22,601 - ERROR [ch.SWITCH.aai.uApprove.idpplugin.Plugin:124] -
uApprove error: Error dispatching to IdP: Incoming request does not have attached login context


 Comments
Comment by Chad La Joie [ 28/Apr/11 ]
Well, the error is what it says then. The IdP did not get the login context key cookie. I'm not sure
why it would work after the initial attempt but the IdP has no control over whether and how
cookies are received, it's either present or it's not. You'll need to look at your deployment
environment for other causes of such a problem.
Comment by Scott Cantor [ 28/Apr/11 ]
Usually blank pages are from a null pointer exception, though it doesn't seem to be logging that.

You might want to turn on cookie logging at the web server end, you might spot something
useful and it's not that invasive to other traffic.
Comment by Kaspar Brand [ 04/May/11 ]
Ok, I'm now able to reproduce (cookie logging was indeed helpful, though it took me some time
to realize *why* the cookies didn't come back from the client).

One method to trigger this behavior is to disable cookies (or deny them from the IdP,
specifically)... the IdP login then just stops with a blank /idp/AuthnEngine page.

I would suggest to improve the error handling, though. Currently, we have this code in
AuthenticationEngine.java (in the "service" method):

  207 LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, getServletContext(), httpRequest);
  208 if (loginContext == null) {
  209     LOG.error("Incoming request does not have attached login context");
  210     throw new ServletException("Incoming request does not have attached login context");
  211 }

At other places (returnToAuthenticationEngine and returnToProfileHandler), the error is handled
like this:

  144 LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, context, httpRequest);
  145 if (loginContext == null) {
  146     LOG.warn("No login context available, unable to return to authentication engine");
  147     forwardRequest("/error.jsp", httpRequest, httpResponse);
  148 } else {

  161 LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, context, httpRequest);
  162 if (loginContext == null) {
  163     LOG.warn("No login context available, unable to return to profile handler");
  164     forwardRequest("/error.jsp", httpRequest, httpResponse);
  165 }

Can the "does not have attached login context" error be handled in the same way? IMO,
displaying error.jsp is the proper thing to do in such a case - it will tell the user that Shib requires
cookies.
Comment by Chad La Joie [ 11/May/11 ]
Re-opening since there is now a way to reproduce the issue.
Comment by Chad La Joie [ 11/May/11 ]
fixed in rev 3028
Comment by Kaspar Brand [ 12/May/11 ]
Disclaimer: IANAJP, but as the "service" method is defined like this

   protected void service(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
           throws ServletException, IOException {

shouldn't it still throw an exception if it fails to retrieve the login context? Otherwise, I'm seeing
uApprove log entries such as

ERROR [ch.SWITCH.aai.uApprove.idpplugin.Plugin:124] - uApprove error: Error dispatching
to IdP: null

(Re-adding a "throw new ServletException(..." line after the forwardRequest line works fine for
me, as I just confirmed with a local build.)
Comment by Chad La Joie [ 12/May/11 ]
Actually, the correct behavior should be to have a return statement after the forward, not an
exception. Can you please try that out in your test environment. I don't have anything running
uApprove.
Comment by Chad La Joie [ 12/May/11 ]
So, testing on my side, without uApprove, shows having the return statement in there does the
right thing (display the error page and stop processing).
Comment by Kaspar Brand [ 12/May/11 ]
Yes, I can confirm. With uApprove, it's fine as well, with the benefit that there's no longer an
ERROR log entry.
Comment by Chad La Joie [ 12/May/11 ]
Yeah, I dropped the log message down to a warning.
Comment by Kaspar Brand [ 12/May/11 ]
I was referring to the log entry from uApprove, to be precise ("Error dispatching to IdP..."). That
one goes away when the return statement is added.
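
Added example (not part of the original ticket or of the IdP code base): a Python sketch that searches idp-process.log for the failure signature discussed in this issue, joining wrapped lines and pairing each AuthenticationEngine "does not have attached login context" entry with the most recently stored LoginContext key. The sample log is constructed, the function names are hypothetical, and two things are assumptions: pairing by a 5-second window (reliable only on a lightly loaded IdP, since the entries carry no request ID) and the message text staying the same after the level was lowered to a warning.

```python
import re
from datetime import datetime, timedelta

PKG = "edu.internet2.middleware.shibboleth.idp"

# Constructed sample in the layout of the SIDP-484 excerpt (keys are made up).
# Three entries are wrapped across lines, as they are in the ticket.
SAMPLE_LOG = f"""\
2011-04-27 19:20:01,100 - DEBUG [{PKG}.util.HttpServletHelper:166] - Storing LoginContext to StorageService partition loginContexts, key 00000000-0000-0000-0000-00000000000a
2011-04-27 19:20:01,140 - DEBUG [{PKG}.authn.AuthenticationEngine:201] - Processing incoming request
2011-04-27 19:23:22,572 - DEBUG [{PKG}.util.HttpServletHelper:166] - Storing LoginContext to
StorageService partition loginContexts, key 00000000-0000-0000-0000-00000000000b
2011-04-27 19:23:22,600 - DEBUG [{PKG}.util.HttpServletHelper:316] - LoginContext key cookie was not present in request
2011-04-27 19:23:22,600 - DEBUG [{PKG}.authn.AuthenticationEngine:201] - Processing incoming request
2011-04-27 19:23:22,600 - ERROR [{PKG}.authn.AuthenticationEngine:209] - Incoming request
does not have attached login context
2011-04-27 19:23:22,601 - ERROR [ch.SWITCH.aai.uApprove.idpplugin.Plugin:124] -
uApprove error: Error dispatching to IdP: Incoming request does not have attached login context
2011-04-27 19:40:10,010 - DEBUG [{PKG}.util.HttpServletHelper:166] - Storing LoginContext to StorageService partition loginContexts, key 00000000-0000-0000-0000-00000000000c
2011-04-27 19:40:10,050 - WARN [{PKG}.authn.AuthenticationEngine:209] - Incoming request does not have attached login context
"""

# "<date> <time>,<ms> - <LEVEL> [<logger>:<line>] - <message>"
HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (\w+)\s+"
    r"\[([^\]:]+):(\d+)\] -\s?(.*)$"
)
STORED = re.compile(
    r"Storing LoginContext to StorageService partition (\S+), key (\S+)"
)
COOKIE_ABSENT = "LoginContext key cookie was not present in request"
NO_CONTEXT = "does not have attached login context"


def parse_entries(text):
    """Split a log into entries, folding continuation lines into the
    entry they belong to (wrapped messages, stack traces)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, logger, lineno, msg = m.groups()
            entries.append({
                "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"),
                "level": level,
                "logger": logger,
                "line": int(lineno),
                "message": msg.strip(),
            })
        elif entries and line.strip():
            last = entries[-1]
            last["message"] = (last["message"] + " " + line.strip()).strip()
    return entries


def find_lost_login_contexts(entries, window=timedelta(seconds=5)):
    """Report each AuthenticationEngine 'no login context' entry together
    with the LoginContext key stored just before it (heuristic pairing)."""
    incidents = []
    last_store = None        # (time, key) of the latest stored LoginContext
    cookie_missing = False   # cookie-absent line seen since that store?
    for e in entries:
        m = STORED.search(e["message"])
        if m:
            last_store = (e["time"], m.group(2))
            cookie_missing = False
        elif COOKIE_ABSENT in e["message"]:
            cookie_missing = True
        elif (NO_CONTEXT in e["message"]
              and e["logger"].endswith(".AuthenticationEngine")):
            # Match on the message, not the level: the ticket says the
            # entry was lowered from ERROR to a warning by the fix.
            key = delay_ms = None
            if last_store is not None:
                delta = e["time"] - last_store[0]
                if timedelta(0) <= delta <= window:
                    key = last_store[1]
                    delay_ms = delta // timedelta(milliseconds=1)
            incidents.append({
                "time": e["time"],
                "level": e["level"],
                "key": key,
                "delay_ms": delay_ms,
                "cookie_missing": cookie_missing,
            })
    return incidents


if __name__ == "__main__":
    for inc in find_lost_login_contexts(parse_entries(SAMPLE_LOG)):
        print(inc)
```

The uApprove plugin entry repeats the same message text but is skipped because its logger is not AuthenticationEngine, so each failed login is counted once.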
[SIDP-483] Log Completed, Unencrypted SAML Assertion Created: 13/Apr/11 Updated: 14/Apr/11 Resolved: 14/Apr/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.1
Fix Version/s:     2.3.0

Type:                     New Feature            Priority:           Minor
Reporter:                 Nate Klingenstein      Assignee:           Brent Putman
Resolution:               Fixed                  Votes:              0
Labels:                   None


 Description
Currently, if a deployer wants to see the complete SAML assertion that is being sent to an SP, it
is difficult to do so. The PROTOCOL_MESSAGE logger will log only an encrypted
assertion (assuming encryption for transport), and the fully serialized assertion is not AFAIK
logged at any point prior to encryption.

This would be useful for debugging transactions, especially with non-Shibboleth SP's.

Comments
Comment by Brent Putman [ 14/Apr/11 ]
Added in r3016.
[SIDP-482] JSP pages should HTML-encode any strings they handle Created: 12/Apr/11 Updated: 17/May/11 Resolved: 12/Apr/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.3.0

Type:                    Improvement                 Priority:         Minor
Reporter:                Scott Cantor                Assignee:         Chad La Joie
Resolution:              Fixed                       Votes:            0
Labels:                  None

Issue Links:             Related
                         is related to SC-150 HTML-ize unsafe characters rather tha...    Closed

Description
The error templates currently assume the IdP has made any strings they get safe for insertion, but
we want to ensure that gets done directly by the templates.

Comments
Comment by Scott Cantor [ 12/Apr/11 ]
Fixed in rev 3013.
[SIDP-480] Update POM to add plugin versions, use / publish to Shib.net Repo, and attach generated source and Javadocs Created: 06/Apr/11 Updated: 07/Apr/11 Resolved: 07/Apr/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: None
Fix Version/s:     2.3.0

Type:               Task                          Priority:           Major
Reporter:           Chad La Joie                  Assignee:           Chad La Joie
Resolution:         Fixed                         Votes:              0
Labels:             None


 Description
Update POM to add plugin versions, use / publish to Shib.net Repo, and attach generated source
and Javadocs

 Comments
Comment by Chad La Joie [ 07/Apr/11 ]
done in rev 3010
[SIDP-478] ECP profile support Created: 05/Apr/11   Updated: 26/Apr/11 Resolved: 26/Apr/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: None
Fix Version/s:     2.3.0

Type:              New Feature                   Priority:               Major
Reporter:          Scott Cantor                  Assignee:               Chad La Joie
Resolution:        Fixed                         Votes:                  0
Labels:            None


 Description
Merge in a modified version of Jim Fox' ECP profile support. This version will rely on new
handler-aware SOAP binding classes in OpenSAML, and inherit more effectively from the
SAML 2 SSO handler.

Authentication via REMOTE_USER is implemented using a decoder handler rather than inside
the profile handler.

Comments
Comment by Scott Cantor [ 05/Apr/11 ]
Lightly tested version checked in with rev. 3006. Need to test further and examine error handling
more closely.
[SIDP-477] Need to move references to the i2 spaces wiki to be to the shibboleth.net one Created: 05/Apr/11 Updated: 17/May/11 Resolved: 06/Apr/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.3.0

Type:              Bug                       Priority:         Major
Reporter:          Rod Widdowson             Assignee:         Rod Widdowson
Resolution:        Fixed                     Votes:            0
Labels:            None

Java Version:      Sun 1.6
Servlet Container: Apache Tomcat 7.0

 Description
A quick grep shows that login.jsp (which I was aware of) and login.config and README.TXT
need changed.

Comments
Comment by Rod Widdowson [ 06/Apr/11 ]
Checkin 3008
[SIDP-476] NullPointerException when mapping null values returned from RDBMS query Created: 30/Mar/11 Updated: 11/Apr/11 Resolved: 11/Apr/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:              Bug                           Priority:           Minor
Reporter:          Russell Beall                 Assignee:           Chad La Joie
Resolution:        Duplicate                     Votes:              0
Labels:            None

Java Version:      Sun 1.6
Servlet Container: Apache Tomcat 6.0

 Description
Multiple rows returned by RDBMS query on non-normalized database. Some values are returned
as null. When mapping these values, the Null values are considered to be actual values for the
column by the mapper and it tries to run a regex match on the null value. This error is printed in
the logs:

17:21:57.358 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Val
ueMap:98] - Performing regular expression based comparison
17:21:57.384 ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88] -
Error occured while processing request
java.lang.NullPointerException: null
     at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Map
pedAttributeDefinition.doResolve(MappedAttributeDefinition.java:68)
     at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Base
AttributeDefinition.resolve(BaseAttributeDefinition.java:107)


 Comments
Comment by Russell Beall [ 30/Mar/11 ]
I should perhaps comment that this occurred with the Oracle connector:
oracle.jdbc.OracleDriver
It is possible that Null values may be handled differently when returned from the MySQL driver.

---

Upon further investigation I am having a heck of a time reproducing this error on a subset of the
table I used originally. The mapper appears to be working fine on a similarly constructed table
with only a few data elements involved, even though the supposedly problematic null value is
still present.
Comment by Russell Beall [ 30/Mar/11 ]
Ahh... And the issue reveals itself further.

The errant attribute definition was of type "ad:Mapped". When I change it to "ad:Simple" and
remove the value mappings, the data is resolved no problem.

So the problem is narrowed to simply this type of definition:
     <AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Mapped">
Comment by Chad La Joie [ 11/Apr/11 ]
Duplicate of SC-132
[SIDP-475] Better login page for IdP Created: 29/Mar/11      Updated: 17/May/11 Resolved: 29/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.3.0

Type:               Task                           Priority:              Minor
Reporter:           Rod Widdowson                  Assignee:              Chad La Joie
Resolution:         Fixed                          Votes:                 0
Labels:             None


Description
Despite lots of help, people still deploy the default login page.

Now that we have taglib assists we can make this look more like the standard page we are aiming
for (login left, SP right).


Comments
Comment by Rod Widdowson [ 29/Mar/11 ]
Checkin 3004.

- New CSS file.
- login.jsp has the two pane login
- error.jsp references the SP's support contact (if possible).
Comment by kevin foote [ 05/Apr/11 ]
Rod can you add one quick jpg of the stock login.jsp / error.jsp w/out any branding etc..
Might be good to have here for reference.
Comment by Rod Widdowson [ 05/Apr/11 ]
Kevin. Not sure I get you. Do you mean in this case, or added to
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPassLoginPage?
[SIDP-474] NPE in taglib processing Created: 29/Mar/11   Updated: 17/May/11 Resolved: 29/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.3.0
Fix Version/s:     2.3.0

Type:               Bug                          Priority:            Minor
Reporter:           Rod Widdowson                Assignee:            Rod Widdowson
Resolution:         Fixed                        Votes:               0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Jetty 7

 Description
Caused by: java.lang.NullPointerException: null
at
edu.internet2.middleware.shibboleth.idp.ui.ServiceTagSupport.getSPEntityDescriptor(ServiceTa
gSupport.java:133)

 Comments
Comment by Rod Widdowson [ 29/Mar/11 ]
(I had to corrupt the cookie to get that one!)
Comment by Rod Widdowson [ 29/Mar/11 ]
Checkin 3003
[SIDP-473] Sample login page should exploit the MDUI tags Created: 24/Mar/11 Updated: 17/May/11 Resolved: 12/Apr/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.3.0

Type:                    Task                    Priority:           Minor
Reporter:                Rod Widdowson           Assignee:           Chad La Joie
Resolution:              Fixed                   Votes:              0
Labels:                  None


Description
What it says.

We will probably go for the "two box" approach, with login on the LHS and SP details (if any)
on the RHS.

This does present a few issues for layout since I don't see a way to have two same sized boxes
without ending up with absolute sizes. Fortunately you can cascade the taglibs which means you
can say "If there is a (logo > size) then use that but clip it, otherwise just use the logo" which
means that big logos get scaled down but small ones do not get bloated.

Comments
Comment by Rod Widdowson [ 12/Apr/11 ]
Checkins 3011, 3007, 3004. See this all done
[SIDP-471] Taglibs appear to be caching SP information... Created: 18/Mar/11 Updated: 18/Mar/11 Resolved: 18/Mar/11

Status:            Resolved
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:                    Bug                        Priority:            Blocker
Reporter:                Rod Widdowson              Assignee:            Rod Widdowson
Resolution:              Fixed                      Votes:               0
Labels:                  None

Java Version:            Sun 1.6
Servlet Container:       Apache Tomcat 6.0

 Description
(I view this as a blocker to 2.3 delivery - we can fix it by removing the tag support but I'd rather
not).

As part of final test of this code I deployed this into a live IdP. It appears that I only ever see one
SP's logo - no matter which SP I approach this from.

More diagnosis needed, but I wanted to get this in ASAP


 Comments
Comment by Rod Widdowson [ 18/Mar/11 ]
<expletive deleted> There is but one bean for request. It makes it inadvisable therefore to use
bean-local storage. I guess that was obvious had I thought about how it was built rather than how
it would be used...
Comment by Rod Widdowson [ 18/Mar/11 ]
Checkin 2997.
No documentation (or in fact release notes) needed.
Comment by Rod Widdowson [ 18/Mar/11 ]
Also 2999 (flushed by further testing)
[SIDP-470] Uptime in ms is demoralizing Created: 14/Mar/11       Updated: 14/Mar/11 Resolved: 14/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.1
Fix Version/s:     None

Type:               Improvement                   Priority:            Trivial
Reporter:           Nate Klingenstein             Assignee:            Chad La Joie
Resolution:         Won't Fix                     Votes:               0
Labels:             None


 Description
The uptime on https://server.name/idp/status is displayed in ms. This may cause demoralization
and trepidation in new deployers.

 Comments
Comment by Nate Klingenstein [ 14/Mar/11 ]
This actually came up at the Amherst, MA installfest, and I just had to file it.
Comment by Chad La Joie [ 14/Mar/11 ]
Currently, I believe, everything in the logs is given in ms. I plan on keeping it that way. The only
other format I'd even remotely consider at this point is the ISO8601 duration notation. I don't like
that option, however, because it's hard for scripts to parse (and there are a lot of people who
parse the status page within scripts).
Comment by Nate Klingenstein [ 14/Mar/11 ]
This is acknowledgment that we are real people, with real problems. It's good enough. For now.
[SIDP-469] eduPersonTargetedID Could Be Separately Commented Created: 14/Mar/11 Updated: 15/Mar/11 Resolved: 15/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.1
Fix Version/s:     2.3.0

Type:                    Improvement            Priority:          Trivial
Reporter:                Nate Klingenstein      Assignee:          Chad La Joie
Resolution:              Fixed                  Votes:             0
Labels:                  None


 Description
A lot of early deployers like to uncomment large piles of attributes. In the process, they often
uncomment eduPersonTargetedID, which is dependent on the computedID data connector, which
isn't generally uncommented. Installfests would be marginally smoother if these were
commented independently.

<!--
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonTargetedID.old"
scope="$IDP_SCOPE$" sourceAttributeID="computedID">
     <resolver:Dependency ref="computedID" />
     <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
                     nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sourceAttributeID="computedID">
     <resolver:Dependency ref="computedID" />
     <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
     <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
  </resolver:AttributeDefinition>
  -->


Comments
Comment by Chad La Joie [ 15/Mar/11 ]
Fixed in rev 2996
[SIDP-468] Supply taglibs with IdP 2.3 to allow easier access to display information gleaned from the metadata Created: 28/Feb/11 Updated: 17/May/11 Resolved: 14/Apr/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.3.0

Type:               New Feature                   Priority:            Minor
Reporter:           Rod Widdowson                 Assignee:            Rod Widdowson
Resolution:         Fixed                         Votes:               0
Labels:             None


 Description
This can all be found by traversing the metadata, but it seems best to keep this complexity from
the GUI.

The kinds of information we want to supply are
- ServiceName (taken from <mdui:UIInfo> or <AssertionConsumerService> of the host name
from the entityID)
- ServiceDescription
- ServiceLogo (with some sort of size "parameterization")
- ServiceContact
- ServicePrivacyURL
- ServiceInformationURL
- IdPContact


 Comments
Comment by Rod Widdowson [ 13/Mar/11 ]
Checkin 2992/2993
Also documentation updated at
https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPassLoginPage
Comment by Rod Widdowson [ 13/Apr/11 ]
I'm going to reopen this pending sorting out all the ESAPI issues...
Comment by Rod Widdowson [ 14/Apr/11 ]
Closing (again 3015)
[SIDP-466] IdP22Upgrade documentation is unclear regarding "Changes in Principal Name Returned from Authentication" Created: 21/Feb/11 Updated: 20/Mar/11 Resolved: 20/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:               Documentation                Priority:           Minor
Reporter:           Olivier Salaün               Assignee:           Chad La Joie
Resolution:         Fixed                        Votes:              0
Labels:             None


 Description
The Upgrade instructions from
https://spaces.internet2.edu/display/SHIB2/IdP22Upgrade#IdP22Upgrade-ChangesinPrincipalNameReturnedfromAuthentication
state that "If you were properly pulling in the value from the principal name set by class name
then you should see no change in behavior."

I'm afraid I don't understand what "pulling in the value from the principal name set by class
name" means.

Could you please complete this (very useful documentation) with more precise instructions?

Thanks.

Comments
Comment by Chad La Joie [ 20/Mar/11 ]
Added to documentation
[SIDP-465] A FailoverDataConnector for the Stored ID Data Connector Created:
15/Feb/11 Updated: 15/Feb/11 Resolved: 15/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:                     Improvement              Priority:          Minor
Reporter:                 naveed                   Assignee:          Chad La Joie
Resolution:               Invalid                  Votes:             0
Labels:                   None


 Description
Unlike the Relational Database Data Connector, there is no FailoverDataConnector for the
Stored ID Data Connector. I'm sure this could prove a useful feature.

 Comments
Comment by Chad La Joie [ 15/Feb/11 ]
All data connectors have support for failover on errors.
Comment by naveed [ 15/Feb/11 ]
I tried adding a FailoverDataConnector, the idp failed to start ...

ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration
was not loaded for shibboleth.AttributeResolver service, error creating components. The root
cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.d: Invalid
content was found starting with element 'resolver:FailoverDataConnector'. No child element is
expected at this point.

No child element is expected at this point?

attribute-resolver.xml :-

  <resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      id="myStoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="uid"
      salt="ThisIsRandomText">

    <resolver:Dependency ref="directory" />
    <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
        jdbcURL="jdbc:oracle:thin:@...."
        jdbcUserName="???"
        jdbcPassword="????" />

    <resolver:FailoverDataConnector ref="myStoredId2" />

  </resolver:DataConnector>

  <!-- Fail over -->
  <resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      id="myStoredId2"
      generatedAttributeID="persistentID"
      sourceAttributeID="uid"
      salt="ThisIsRandomText">

    <resolver:Dependency ref="directory" />
    <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
        jdbcURL="jdbc:oracle:thin:@???"
        jdbcUserName="shib"
        jdbcPassword="" />

  </resolver:DataConnector>

Could be a mis-config? Any help appreciated.

Naveed
[SIDP-464] An SPNameQualifier in NameIDPolicy always treated as an
affiliation Created: 11/Feb/11 Updated: 14/Mar/11 Resolved: 11/Feb/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.0, 2.2.1
Fix Version/s:     2.3.0

Type:               Bug                           Priority:           Minor
Reporter:           Scott Cantor                  Assignee:           Scott Cantor
Resolution:         Fixed                         Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet             Jetty 7
Container:

 Description
If you set SPNameQualifier to the SP's entityID, it should be a no-op/default result, but instead
the code treats it as an affiliation and checks the metadata, resulting in an Invalid
SPNameQualifier error.

Comments
Comment by Scott Cantor [ 11/Feb/11 ]
Fixed in rev. 2990.
Comment by Scott Cantor [ 11/Feb/11 ]
Added an outbound check for a mismatch in rev. 2991.

As of 2.3.0, you can set SPNameQualifier in an AttributeValue-bound NameID (which doesn't
get checked against NameIDPolicy), but not in a Subject-bound NameID. If that ever changes,
this check will ensure we never send out a NameID in the Subject that conflicts with a requested
SPNameQualifier.
[SIDP-463] Adjustments to the default format for idp-process.log entries Created:
08/Feb/11 Updated: 14/Feb/11 Resolved: 10/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.1
Fix Version/s:     None

Type:                     Improvement              Priority:           Minor
Reporter:                 Kaspar Brand             Assignee:           Chad La Joie
Resolution:               Won't Fix                Votes:              0
Labels:                   None


 Description
I'd like to suggest the changes appended below to the default format for the idp-process.log:

1) add the full date to each message - while it's true that the YYYY-MM-DD is also "encoded" in
the file name (after rotation), this information can sometimes get lost (when extracts are copied
etc). Having it "inline" as well seems preferable to me.

2) only output exceptions in the short format, by default. (%ex{short} "prints the first line of the
stack trace", otherwise the Logback default applies - the "PatternLayout will automatically add it
as the last conversion word" if it's not explicitly specified -
http://logback.qos.ch/manual/layouts.html)

Thanks for considering these for 2.3.


Index: REL_2/src/installer/resources/conf-tmpl/logging.xml
===================================================================
--- REL_2/src/installer/resources/conf-tmpl/logging.xml (revision 2988)
+++ REL_2/src/installer/resources/conf-tmpl/logging.xml (working copy)
@@ -63,7 +63,7 @@

     <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
        <charset>UTF-8</charset>
- <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
     </encoder>
   </appender>
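Review bot: the replaced <Pattern> line carries two unrelated behaviour changes in one edit: the timestamp moves from %date{HH:mm:ss.SSS} to %date{ISO8601}, which alters the leading field of every idp-process.log line, and %ex{short} cuts each logged exception down to the first line of its stack trace. Suggest splitting them so each can be accepted or reverted on its own, and adding an XML comment beside the Pattern in this template that says how to get full traces back (drop %ex{short}), since the truncated default removes the frames an administrator needs when reconstructing a fault from the log after the fact.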
 Comments
Comment by Chad La Joie [ 10/Feb/11 ]
People can make this change to their logging format if they want, but changing things like the
date/time representation would likely break any of the existing log parsers that people have that
work with the process log.
Comment by Kaspar Brand [ 14/Feb/11 ]
Well, this is about setting sensible defaults which best suit the needs of the majority of the IdP
admins. The only argument for not adapting the format seems to be the backward-compatibility
for the - probably very small number of - people who are apparently considering idp-process.log
a machine parsable log (I thought that's what idp-access.log and idp-audit.log are for, at least
https://spaces.internet2.edu/display/SHIB2/IdPLogging seems to indicate so).

Even if someone is parsing idp-process.log, I can't follow the reasoning for not ever adapting the
default format - consequently, the format would have to be considered as cast into stone from
now on. For the very few people who are indeed machine-parsing this log, I consider it
acceptable that *they* tune their logging.xml, actually.

Changing to %date{ISO8601} and adding %ex{short} is of benefit to the large majority of the
user base - it gives them (date-)complete and more manageable log entries. [Having an 8-line
stack in idp-process.log, starting at java.util.TimerThread.run, only to tell me that the
FilesystemMetadataProvider can't find a metadata file seems pretty useless to me. One line is
completely sufficient for normal operations.]
[SIDP-462] Add a separate (non install) "Keygen" capability to IdP Created: 04/Feb/11
Updated: 04/Feb/11 Resolved: 04/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.2.1
Fix Version/s:     None

Type:                     New Feature              Priority:            Minor
Reporter:                 Rod Widdowson            Assignee:            Chad La Joie
Resolution:               Duplicate                Votes:               0
Labels:                   None


 Description
I got a strong steer for the UK Fed support guys that it would be nice to be able to generate the
self-signed .key/.cert/.jks which the IdP installation does as a separate beast from the installation.
I'm not sure why it is important to them. I suspect that it's (a) to allow easier documentation (since
the SP and (b) because in the UK more IdPs have to have non self signed certs because of legacy
software considerations.

Either way it feels like a good idea to align the IdP's capabilities with the SP and I can see good
reasons to want to be able to do this easily.

I just took a look at build.xml and it looks as though this might be possible with very little effort.
If it's less than a day (and it's hard to see how it could be more) I'll happily do the work for this
as part of 2.3, otherwise can we move this to 3.x?

Comments
Comment by Chad La Joie [ 04/Feb/11 ]
Duplicate of SIDP-272
[SIDP-461] Add legacy Shib SSO protocol as binding for IdP-initiated SSO for
SAML 2.0 Created: 02/Feb/11 Updated: 14/Mar/11 Resolved: 09/Feb/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: None
Fix Version/s:     2.3.0

Type:               New Feature                   Priority:           Major
Reporter:           Scott Cantor                  Assignee:           Scott Cantor
Resolution:         Fixed                         Votes:              0
Labels:             None

Attachments:           unsolicited.patch

 Description
After much gnashing of teeth, we've agreed to support IdP-initiated SSO by using the legacy
Shibboleth protocol (a simple query string) to signal this on the SAML 2.0 SSO endpoint.

We need to reuse or adapt the MessageDecoder from the original protocol support for SAML 1
and bind it to the SAML 2.0 endpoint. We may even be able to reuse the binding URN, because
there's no reason to add this to metadata (it's intended to be internal to the IdP deployment, not
public).

We will not try and support both SAML versions on one endpoint, so if the shire parameter
matches a SAML 1 ACS, it will be treated as an error when the SAML 2 endpoint is used.

Finally, the whole point of this exercise is to signal that the IdP should omit InResponseTo. We
can't do this by the absence of a messageID, because the replay support we added to 2.2.1 mocks
up a messageID for legacy protocol requests. Chad suggested using a profile handler option, but
I would rather that deployers didn't have to turn this off for all responses from the profile
handler, mainly because the SP at some point might start enforcing the InResponseTo check.

So I think we have a couple of options:

- create a second version of the profile handler to represent IdP-initiated SSO, and add that to the
relying-party set, and to handler.xml bound to only the legacy MessageDecoder (they would
obviously share 99.9% code)

- implement a brute force check of the inbound binding to suppress InResponseTo automatically
when the legacy binding is used (reusing the existing profile handler)
 Comments
Comment by Scott Cantor [ 02/Feb/11 ]
I started working on this by examining the profile handler and SAML2LoginContext classes and
cleaning up any code where the AuthnRequest was assumed to exist (as opposed to being null).
It seems likely we could use that as a signal for the InResponseTo suppression as well.

However, the code that selects the response endpoint uses the AuthnResponseEndpointSelector
helper class inside of opensaml that is SAML 2-specific, and assumes a non-null AuthnRequest
as input to the selector. The helper class doesn't know how to deal with an explicit ACS URL to
match against, so we'd probably have to inline some special logic copied from the SAML 1
handler, or go with a "mock up" approach and create a dummy AuthnRequest to stand-in for the
lack of one. That would probably be cleaner and avoid the need to scour for more null checks.
Comment by Brent Putman [ 02/Feb/11 ]
Before you get too far into this, recall that I did something along these lines for Georgetown for a
couple of vendor IdP-initiated cases. See:

https://svn.middleware.georgetown.edu/putmanb/java-idp-saml2-idp-initiated-sso/

It's primarily:

1) an unsolicited SAML 2 SSO profile handler, which does 2 main things: a) omits the
InResponseTo b) ensures that errors don't result in an unsolicited error to the SP. This can be
used with a JSP or CGI script that generates an AuthnRequest, or can be combined with the
decoder below.

2) a decoder which takes query params and constructs an AuthnRequest for the inbound message
context. The current params supported allow for a significant subset of what can go into a SAML
2 AuthnRequest. That's probably more than what we wanted here, but could of course be pared
down. The param names don't align exactly with the Shib SSO protocol, but could be adapted,
etc. It's even unit tested.

Like I think you are seeing, I think the "mock up" approach is probably the easiest and fastest
way to implement this, otherwise we really have to adjust a lot of other code.

Comment by Scott Cantor [ 02/Feb/11 ]
I don't think we should support anything new here protocol-wise, because that means
standardizing it, and I'm not interested in doing that kind of work, I just want to reuse what's
defined already.

If mocking up a request is necessary, I was thinking of doing that inside the profile handler
where the decoder is run, just to avoid duplicating the decoder, but I'll take a look at it.

I wasn't that keen on creating a second profile handler, but as long as it's mostly just inheriting
from the original, I guess it's not too bad.
Comment by Brent Putman [ 03/Feb/11 ]
That's fine, I wasn't suggesting a new protocol, I know you were opposed to that. Only
suggesting to reuse the code. On the params, do:

entityID -> providerId
acsURL -> shire
relayState -> target

and remove the others, I think that does it. Oh, I guess there's the optional 'time' param, but that's
easily added.

I think doing anything significant to the profile handler along the lines of mocking up the request
is probably a pita, and introduces all kinds of special case logic in that part of the handler. I
thought it was better and cleaner to just isolate it all in the decoder. And I think it's technically
more correct design-wise: the decoder should decode the inbound request and produce the
structure that will be processed by the profile handler. At least that's how we've generally viewed
it.

Actually, I only created a separate profile handler b/c this was an extension. If we collapse this
into the IdP, it makes sense to put that part in the SAML 2 SSO profile handler. I had envisioned,
and I think Chad and I discussed briefly back then, that we might carry a new boolean
'isUnsolicited' or something on the profile request context. That would then trigger the logic that
is currently in the profile handler subclass to omit the InResponseTo and change the error
handling. That code is actually pretty simple and could be moved to the existing profile handler
pretty easily. As far as what sets the boolean: I suppose it could either be the message decoder
(although I suppose that tightly couples the decoder to the profile handler impl, since it will have
to cast it), or perhaps the profile handler would set it early on, possibly based on the request URI or
something like that. Or perhaps a better way will present itself, haven't thought it all the way
through.
Comment by Scott Cantor [ 03/Feb/11 ]
Mocking up the request seemed likely to be confined to the existing function calling decode(),
and by putting it there, I figured we'd avoid the need for a duplicate MessageDecoder that would
have to be maintained in sync with the other one (not that we change it much, but I did in fact
just enhance it in 2.2.1). In terms of design, the mocking up alone bothers me, and I didn't really
see it as something the decoder should have to do. It's really a code hack to make the profile
handler keep working, so I thought it made sense to put the hack there so that if it were fixed, the
hack would be removed.

As far as how to combine the handlers, I don't like the idea of a boolean config option, but if it's
a request context option, that's not too ugly. That's another reason I prefer to mock the request in
the handler, since I could set that option at the same time, I think. Good point about combining
them though. I wasn't sure the error handling change would be that clean to merge back in, but I
didn't look at it closely yet.
Comment by Scott Cantor [ 03/Feb/11 ]
Never mind, I see that the decoders are tied to SAML 1 and SAML 2 specific request context
classes for capturing e.g. the ACS URL from the shire parameter and so forth. I thought those
were abstracted more, but reusing the decoder isn't going to work anyway, so I'll just copy what
you did.

We should clean all this up in v3.
Comment by Brent Putman [ 03/Feb/11 ]
Yeah, right, as I was walking to the office just now I realized that you were thinking of reusing
the Shib 1 protocol decoder, and I was pretty sure that wasn't going to work, for exactly the
reason you mention. That's why you have to have a different decoder anyway, so may as well do
the mock up there, and avoid making lots of invasive changes to the profile handler, at least
IMHO.
Comment by Scott Cantor [ 03/Feb/11 ]
It also means we can go ahead and put the unsolicited flag on SSORequestContext, because the
decoder is tied to the context class type anyway.
Comment by Scott Cantor [ 06/Feb/11 ]
A working patch is attached. Before I check it in, I wanted to make sure my changes were
acceptable. To make this work, I had to extend the Saml2LoginContext class with a flag to track
the unsolicited option so that it would be recreated in the request context on the
"completeAuthentication" end of the profile run.

The decoder is responsible here for initially setting the flag on the SSORequestContext, which
means other decoders could be plugged in (so Brent could continue to support the protocol he
created in his extension, and drop out the rest of his profile changes).

The protocol I implemented is:
providerId (required)
shire, target, time (optional)
Comment by Brent Putman [ 07/Feb/11 ]
Looks good to me. It's pretty much what I had imagined it would look like. I hadn't thought
about the wrinkle of needing to carry the flag across the 2 legs of the request. Replicating it into
the login context seems like the best solution.
Comment by Scott Cantor [ 09/Feb/11 ]
Checked in rev 2989.

This is enabled by default in the config, since we don't require signed requests in general
anyway, but we can revisit before release.

Brent, if you have time to try using your custom decoder with the changed core classes, that
might be a good test.
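
The decoder-side approach settled on in this thread, as an added Java 17 example that is not the attached unsolicited.patch or any IdP code: the query string becomes a stand-in request, shire is accepted only if it is a SAML 2 ACS in the SP's metadata, and an explicit unsolicited flag (not the absence of a message ID) suppresses InResponseTo. All class, record and method names, the '!' ID separator and the example.org metadata are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Map;

/** Added illustration; every name here is hypothetical and none is the IdP's API. */
public class UnsolicitedSsoDemo {

    /** Constructed stand-in for one SP's metadata: ACS URLs per protocol, default first. */
    record SpEndpoints(List<String> saml2Acs, List<String> saml1Acs) {}

    /** What the decoder hands to the profile handler in place of a real AuthnRequest. */
    record SsoRequest(String providerId, String acsUrl, String relayState,
                      String messageId, boolean unsolicited) {}

    private final Map<String, SpEndpoints> metadata;

    UnsolicitedSsoDemo(Map<String, SpEndpoints> metadata) {
        this.metadata = metadata;
    }

    /** Decodes the legacy parameters: providerId is required; shire, target, time are optional. */
    SsoRequest decode(Map<String, String> query, String containerSessionId) {
        String providerId = query.get("providerId");
        if (providerId == null || providerId.isBlank()) {
            throw new IllegalArgumentException("providerId is required");
        }
        SpEndpoints sp = metadata.get(providerId);
        if (sp == null || sp.saml2Acs().isEmpty()) {
            throw new IllegalArgumentException("no SAML 2 ACS in metadata for " + providerId);
        }
        String acsUrl = selectAcs(providerId, sp, query.get("shire"));

        // A message ID is still mocked up for replay tracking, so its presence cannot
        // tell a solicited request from an unsolicited one; the explicit flag does that.
        String time = query.get("time");
        String messageId = (time != null && containerSessionId != null)
                ? containerSessionId + "!" + time : null;
        return new SsoRequest(providerId, acsUrl, query.get("target"), messageId, true);
    }

    /** Metadata is the trusted source: shire only picks among endpoints already listed there. */
    private static String selectAcs(String providerId, SpEndpoints sp, String shire) {
        if (shire == null) {
            return sp.saml2Acs().get(0);
        }
        if (sp.saml2Acs().contains(shire)) {
            return shire;
        }
        String reason = sp.saml1Acs().contains(shire)
                ? "is a SAML 1 ACS and cannot be used on the SAML 2 endpoint"
                : "is not an ACS listed in metadata";
        // The rejected value is named for the operator; control characters are replaced
        // because shire is untrusted input that will end up in a log line.
        String shown = shire.replaceAll("\\p{Cntrl}", "?");
        throw new IllegalArgumentException(
                "shire '" + shown + "' for relying party " + providerId + " " + reason);
    }

    /** Attributes for the Response start tag; InResponseTo is left out when unsolicited. */
    static String responseAttributes(SsoRequest request, String responseId) {
        StringBuilder attrs = new StringBuilder("ID=\"" + responseId + "\"")
                .append(" Destination=\"").append(request.acsUrl()).append('"');
        if (!request.unsolicited() && request.messageId() != null) {
            attrs.append(" InResponseTo=\"").append(request.messageId()).append('"');
        }
        return attrs.toString();
    }

    public static void main(String[] args) {
        // Constructed metadata for a fictional SP.
        String sp = "https://sp.example.org/shibboleth";
        UnsolicitedSsoDemo decoder = new UnsolicitedSsoDemo(Map.of(sp, new SpEndpoints(
                List.of("https://sp.example.org/Shibboleth.sso/SAML2/POST"),
                List.of("https://sp.example.org/Shibboleth.sso/SAML/POST"))));

        // Constructed requests: default ACS, SAML 1 shire, unlisted shire, missing providerId.
        List<Map<String, String>> queries = List.of(
                Map.of("providerId", sp, "target", "https://sp.example.org/app", "time", "1296950400"),
                Map.of("providerId", sp, "shire", "https://sp.example.org/Shibboleth.sso/SAML/POST"),
                Map.of("providerId", sp, "shire", "https://other.example.net/acs"),
                Map.of("target", "https://sp.example.org/app"));

        for (Map<String, String> query : queries) {
            try {
                SsoRequest request = decoder.decode(query, "constructed-session-id");
                System.out.println("accepted: " + responseAttributes(request, "_constructed-response-id"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```
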
[SIDP-460] Add AuthenticatingAuthority support to login context API Created:
31/Jan/11 Updated: 10/Feb/11 Resolved: 10/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: None
Fix Version/s:     None

Type:                     Improvement              Priority:         Minor
Reporter:                 Scott Cantor             Assignee:         Scott Cantor
Resolution:               Won't Fix                Votes:            0
Labels:                   None


 Description
Some people are building IdP proxies that populate the AuthenticatingAuthority element. We
should add support for setting that via custom login handlers and honor that in the SAML 2 SSO
profile handler.

 Comments
Comment by Scott Cantor [ 02/Feb/11 ]
To implement this, we'd have to extend the AuthenticationMethodInformation interface and impl
that gets stored within the session. I'm not sure this is possible without breaking compatibility,
need to check with Chad. I suppose we could add an AuthenticationMethodInformationEx
interface as an extension, but that's a bit far to go, could just wait for 3.0.
Comment by Chad La Joie [ 10/Feb/11 ]
This issue will not be addressed in the IdP v2 series.
[SIDP-457] would be nice to include displayName in default attribute resolver
Created: 04/Jan/11 Updated: 04/Jan/11 Resolved: 04/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                      Improvement                      Priority:   Minor
Reporter:                  Ian Young                        Assignee:   Chad La Joie
Resolution:                Fixed                            Votes:      0
Labels:                    None


 Description
The default attribute-resolver.xml does not include the displayName attribute from
inetOrgPerson (RFC 2798 section 2.3) although this attribute is in use in some popular SP
deployments including the shibboleth.net wiki.

Something like this could be added to the default file:

  <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
     <resolver:Dependency ref="myLDAP" />
     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" />
     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
  </resolver:AttributeDefinition>


 Comments
Comment by Chad La Joie [ 04/Jan/11 ]
add in rev 2975
[SIDP-456] Specifying the metadata refresh interval Created: 03/Jan/11 Updated: 03/Jan/11   Resolved:
03/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:               Documentation                  Priority:         Minor
Reporter:           Tom Scavo                      Assignee:         Chad La Joie
Resolution:         Invalid                        Votes:            0
Labels:             None


 Description
In versions prior to v2.2, how do you explicitly configure the IdP to refresh metadata, say, every
8 hrs?

Comments
Comment by Chad La Joie [ 03/Jan/11 ]
Support questions need to be sent to the user's list.
[SIDP-455] Better error message in case of ACS mismatch (metadata vs shire
parameter) Created: 03/Jan/11 Updated: 05/Jan/11 Resolved: 03/Jan/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:               Improvement                   Priority:           Minor
Reporter:           Olivier Salaün                Assignee:           Chad La Joie
Resolution:         Invalid                       Votes:              0
Labels:             None


 Description
That's a very common mistake and it always takes me some time to fix it, mainly because of the
error messages. Therefore I thought it was worth submitting a suggestion.

This happens whenever an SP admin publishes an ACS URL that differs from the one configured
in his shibboleth2.xml.

The end user gets an error message that makes him think it's a web client configuration issue
because the error message refers to cookies: "An error occurred while processing your request.
Please contact your helpdesk or user ID office for assistance. This service requires cookies.
Please ensure that they are enabled and try your going back to your desired resource and trying
to login again. Use of your browser's back button may cause specific errors that can be resolved
by going back to your desired resource and trying to login again." Since it's not a web client
configuration issue, this error message should be changed.

I had a look at the idp-process log and here is the corresponding error message: "ERROR
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return
endpoint available for relying party https://conf-ng.jres.org"

This error message does not help that much to find out that there is a mismatch between the
published ACS URL and the one provided via the shire parameter, along with the SAML
request. I'd suggest fixing the error message and providing the value of the shire parameter in the
error message.

BTW: why does the SP request include a shire parameter if, in the end, the reliable information
about the ACS is in the metadata?

Thanks.
 Comments
Comment by Chad La Joie [ 03/Jan/11 ]
You're using the example error page. If you want different wording on it then change it. It's just
an example (and should be changed anyways so that it looks like your site not a shibboleth page).

As to why the SP sends the ACS URL, in the spec it was meant to allow the SP to specifically
say which endpoint it wanted the response sent to. For example, maybe the SP is aware that it is
being load balanced and wants the response sent to the same SP instance that created the request.
The IdP simply checks to make sure that the URL given by the SP is in the metadata (since that's
the trusted source of information).
Comment by Olivier Salaün [ 03/Jan/11 ]
Thank you for detailing the rationale for passing the ACS URL to the IdP.

Regarding my suggestions:
 - it seems that you missed my second suggestion that is to improve the error message in the IdP
log file
 - I know that I can customize error pages however, as a national federation operator, I hope to
have this fixed upstream to prevent similar issues for IdP admins


Thank you
Comment by Olivier Salaün [ 05/Jan/11 ]
Given my last comment, could you please reopen this improvement ticket?

Thank you Chad.
Comment by Chad La Joie [ 05/Jan/11 ]
No. The error message says the right thing. If you want more details about why that's the case
then you need to turn on debug logging. There are a number of reasons why you might get that
error message, not just ACS URL mismatches.
Comment by Olivier Salaün [ 05/Jan/11 ]
It seems to me that you overestimate the skills of the IdP administrators: given this error message
("No return endpoint available for relying party"), it's hard to understand that the SP admin
declared the wrong ACS URL.

Please consider adding another error message, whenever there is a mismatch between the ACS
URL submitted and the one published in the metadata.
Comment by Scott Cantor [ 05/Jan/11 ]
The most critical issue is whether the specific cause is clear from the log (and not on DEBUG,
that shouldn't be required for production use).

Users are not meant to be diagnosing errors, so what's on the actual page is immaterial. IdPs can
easily catch that error message and tailor the response, since it always indicates a configuration
or metadata condition that will require intervention to deal with.
Comment by Olivier Salaün [ 05/Jan/11 ]
I don't mean to make Shibboleth IdP understandable by end users, but this error message insists
on web browser configuration prerequisites (compared to other more technical error message). In
the end, the end user may think that the issue is on her site, I mean some sort of cookies
configuration.

In the circumstances I refer to, I'd suggest either removing the "This service requires cookies..."
part of the message or make it more clear that the end user needs to contact someone at his
university.

Thank you.
[SIDP-453] Session inactivity timeout being treated as a hard expiration time
Created: 21/Dec/10 Updated: 21/Dec/10 Resolved: 21/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Bug                               Priority:   Minor
Reporter:                 Chad La Joie                      Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Jetty 7
Container:

 Description
The IdP SessionManager and sweeper thread are improperly identifying when a session is
expired. Currently the expiration time is being determined via the formula creationDate +
inactivityTimeout when it should be lastActivity + inactivityTimeout.

Comments
Comment by Chad La Joie [ 21/Dec/10 ]
Fixed in rev 2972
[SIDP-452] Facilitate replay detection to Shibboleth SSO Created: 20/Dec/10           Updated: 11/Jan/11
Resolved: 11/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                 Improvement                  Priority:           Minor
Reporter:             Scott Cantor                 Assignee:           Chad La Joie
Resolution:           Completed                    Votes:              0
Labels:               None

Attachments:            decoder.patch

 Description
I have an improved ShibbolethSSODecoder that supports replay detection by "mocking" up a
message ID by combining the time parameter with the Java container session ID (if any). If
there's no session ID, it just behaves as before. The session isn't actually used as a session, but
it's usually (always?) there, and it's a simple way to make the timestamp tracking unique by
client without adding cookies. That would probably work, but this is simpler and avoids cookie
hassles.

In conjunction with this, you also add:
   <security:Rule xsi:type="samlsec:Replay" required="false"/>
to the ShibbolethSSOSecurityPolicy rule set in relying-party.xml


Comments
Comment by Scott Cantor [ 20/Dec/10 ]
Updated patch, corrected comment.
Comment by Chad La Joie [ 11/Jan/11 ]
Added in rev 2979
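
The replay check described in this issue, as an added Java example that is not the attached decoder.patch or the IdP's own code: a mock message ID is built from the time parameter and the container session ID and remembered for a freshness window. The class and method names, the '!' separator, the 300-second window and the reading of time as seconds since the epoch are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration of replay detection for the legacy SSO request; names are hypothetical. */
public class LegacyReplayCheck {

    enum Verdict { ACCEPTED, NOT_CHECKED, STALE, REPLAYED }

    /** Mock message ID -> second after which the entry may be forgotten. */
    private final Map<String, Long> expiryByMessageId = new ConcurrentHashMap<>();
    private final long windowSeconds;

    LegacyReplayCheck(long windowSeconds) {
        this.windowSeconds = windowSeconds;
    }

    /** Builds the mock message ID from the time parameter and the container session ID. */
    static String mockMessageId(String time, String containerSessionId) {
        if (time == null || containerSessionId == null) {
            return null; // nothing to key on: the request is handled as before
        }
        return containerSessionId + '!' + time;
    }

    Verdict check(String time, String containerSessionId, long nowSeconds) {
        String messageId = mockMessageId(time, containerSessionId);
        if (messageId == null) {
            return Verdict.NOT_CHECKED;
        }
        long issued;
        try {
            issued = Long.parseLong(time); // assumption: seconds since the epoch
        } catch (NumberFormatException e) {
            return Verdict.STALE;
        }
        // The cache only has to remember IDs for as long as their timestamp is still
        // acceptable, so the freshness window and the entry lifetime must be the same.
        // Bounds are compared directly; subtracting an attacker-chosen long can overflow.
        if (issued < nowSeconds - windowSeconds || issued > nowSeconds + windowSeconds) {
            return Verdict.STALE;
        }
        // Forget entries whose window has passed so the cache stays bounded.
        expiryByMessageId.values().removeIf(expiry -> expiry < nowSeconds);
        Long previous = expiryByMessageId.putIfAbsent(messageId, issued + windowSeconds);
        return previous == null ? Verdict.ACCEPTED : Verdict.REPLAYED;
    }

    public static void main(String[] args) {
        long now = 1292803200L; // constructed "current time"
        String time = Long.toString(now - 5);
        LegacyReplayCheck replay = new LegacyReplayCheck(300);

        System.out.println("first request:        " + replay.check(time, "SESSION-A", now));
        System.out.println("same request again:   " + replay.check(time, "SESSION-A", now + 1));
        System.out.println("other client, same t: " + replay.check(time, "SESSION-B", now + 1));
        System.out.println("no container session: " + replay.check(time, null, now + 1));
        System.out.println("hour-old timestamp:   "
                + replay.check(Long.toString(now - 3600), "SESSION-A", now));
    }
}
```
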
[SIDP-450] NPE with AttributeQueryProfile when there are errors resolving
attributes Created: 16/Dec/10 Updated: 21/Dec/10 Resolved: 21/Dec/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:               Bug                            Priority:           Minor
Reporter:           Bradley Schwoerer              Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None

Attachments:          AttributeQueryHandler.patch.txt
Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
When doing a /profile/SAMLX/SOAP/AttributeQuery for a user which results in an
attributeresolver error it causes an NPE. It is an easy fix using the same logic flow as the
SSOProfileHandler.


22:14:50.905 - [144.92.104.210|51ABCF58EC84F6684103D3E7FA6668DD] - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:350] - Received the following error from data connector udsLDAPfailover, no failover data connector available
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No LDAP entry found for buckybadger
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:319) ~[shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:49) ~[shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ContextualDataConnector.resolve(ContextualDataConnector.java:76) ~[shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ContextualDataConnector.resolve(ContextualDataConnector.java:30) ~[shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDataConnector(ShibbolethAttributeResolver.java:345) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDataConnector(ShibbolethAttributeResolver.java:358) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDependencies(ShibbolethAttributeResolver.java:381) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttribute(ShibbolethAttributeResolver.java:303) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:257) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:130) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority.getAttributes(ShibbolethSAML2AttributeAuthority.java:173) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority.getAttributes(ShibbolethSAML2AttributeAuthority.java:57) [shibboleth-common-1.2.1-WISC.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.resolveAttributes(AbstractSAML2ProfileHandler.java:460) [shibboleth-identityprovider-2.2.1-SNAPSHOT.jar:na]
      at
edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processReq
uest(AttributeQueryProfileHandler.java:115) [shibboleth-identityprovider-2.2.1-SNAPSHOT.j
ar:na]
      at
edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processReq
uest(AttributeQueryProfileHandler.java:51) [shibboleth-identityprovider-2.2.1-SNAPSHOT.ja
r:na]
      at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:83) [shibboleth-common-1.2.1-WISC.jar:na]
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
      at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:29
0) [catalina.jar:6.0.29]
      at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.29]
      at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:
81) [shibboleth-identityprovider-2.2.1-SNAPSHOT.jar:na]
      at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:23
5) [catalina.jar:6.0.29]
      at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.29]
      at
edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMD
CCleanupFilter.java:51) [shibboleth-common-1.2.1-WISC.jar:na]
      at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:23
5) [catalina.jar:6.0.29]
      at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.29]
      at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
[catalina.jar:6.0.29]
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:6.0.29]
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
[catalina.jar:6.0.29]
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:6.0.29]
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:6.0.29]
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
[catalina.jar:6.0.29]
      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-
coyote.jar:6.0.29]
      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-
coyote.jar:6.0.29]
      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-
coyote.jar:6.0.29]
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote.jar:6.0.29]
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote.jar:6.0.29]
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.29]
     at java.lang.Thread.run(Thread.java:662) [na:1.6.0_22]
22:14:50.939 - [144.92.104.210|51ABCF58EC84F6684103D3E7FA6668DD] - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:464] - Error resolving attributes for principal 'buckybadger'. No name identifier or attribute statement will be included in response
22:14:50.941 - [144.92.104.210|51ABCF58EC84F6684103D3E7FA6668DD] - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88] - Error occurred while processing request
java.lang.NullPointerException: null
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:116) ~[shibboleth-identityprovider-2.2.1-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:51) ~[shibboleth-identityprovider-2.2.1-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) ~[shibboleth-common-1.2.1-WISC.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.29]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.2.1-SNAPSHOT.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
     at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.2.1-WISC.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.29]
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29]
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29]
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29]
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29]
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29]
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.29]
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.29]
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote.jar:6.0.29]
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote.jar:6.0.29]
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote.jar:6.0.29]
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.29]
     at java.lang.Thread.run(Thread.java:662) [na:1.6.0_22]
Comments
Comment by Chad La Joie [ 21/Dec/10 ]
Fix in rev 2971
[SIDP-449] AttributeFilterPolicy AttributeRule for scoped Attribute not working
Created: 15/Dec/10 Updated: 31/Jan/11 Resolved: 15/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Bug                               Priority:   Major
Reporter:                 Robert Schlacher                  Assignee:   Chad La Joie
Resolution:               Duplicate                         Votes:      0
Labels:                   None

Issue Links:              Duplicate
Java Version:             IBM 1.6
Servlet                   Apache Tomcat 6.0
Container:

 Description
After upgrading my test environment from IdP version 2.1.5 to 2.2.0, the following filter rule
isn't working anymore.
No value for eduPersonScopedAffiliation is included in the Assertion.
The rule which is working in my production environment (2.1.5) and not in 2.2.0 is:

    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
      </PermitValueRule>
    </AttributeRule>

If I replace the PermitValueRule with
    <PermitValueRule xsi:type="basic:ANY" />
the attribute is in the Assertion.

The resolver definition for eduPersonScopedAffiliation is:

    <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        scope="tugraz.at" sourceAttributeID="eduPersonAffiliation">
      <resolver:Dependency ref="eduPersonAffiliation" />

      <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
          xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
          name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />

      <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
          xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
          name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
    </resolver:AttributeDefinition>


Comments
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-448] Create a login handler that provides authn "state" data to an
external authentication system and has that system authenticate the user. Created:
14/Dec/10 Updated: 01/May/11 Resolved: 01/May/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.1
Fix Version/s:     2.3.0

Type:                    Improvement               Priority:         Minor
Reporter:                Bradley Schwoerer         Assignee:         Chad La Joie
Resolution:              Fixed                     Votes:            0
Labels:                  None

Attachments:                 SIDP-448.patch

 Description
The use case is to be able to support two additional things with RemoteUser authentication. The
first is to allow for Relying Party specific extensions and the second is to support force
authentication. IMHO, both can be supported by appending information onto the end of the
request string. To support force authentication it would be to append something like
/ForceAuthN at the end of the url, to look like
https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN. Likewise for Relying Party specific
support it would be to append the Base64 url encoded string to the end like
https://login.wisc.edu/idp/Authn/RemoteUser/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo. In
the situation that the relying party asked for force re-auth in the SAML token it would then result
in
https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.

 Comments
Comment by Bradley Schwoerer [ 14/Dec/10 ]
Configuration is something like ...
  <LoginHandler xsi:type="RemoteUser" protectedServletPath="/Authn/RemoteUser"
           forceAuthenticationPath="/ForceAuthN" appendRelyingPartyId="true"
           authenticationDuration="PT1M">
     <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
     <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
  </LoginHandler>
Comment by Chad La Joie [ 15/Mar/11 ]
I think the approach I'm going to take here is to actually create a new login handler specifically
meant to work with an external authentication system. The login handler will redirect to a different
URL.

The URL may be either absolute (so starting with 'http') or relative to the IdP context and will
append the following items as query params:
 - isPassive - no value, presence indicates this is a passive authentication request
 - forceAuthn - no value, presence indicates forced authentication is required
 - relyingParty - entity ID of the relying party
 - authnMethod - URI identifying the selected authentication method
 - return - URL to which the external authentication system needs to return the user

The authentication system will then need to return the user principal's name and the
authentication method used to authenticate the user.
Comment by Chad La Joie [ 20/Mar/11 ]
Added in rev 3002
Comment by Chad La Joie [ 26/Apr/11 ]
forgot to open Spring config elements for this
Comment by Chad La Joie [ 01/May/11 ]
finished in rev 3020

Changed the login handler slightly to use HTTP request attributes instead of query params so that
users can't maliciously change them.
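
The two hand-off designs discussed in this issue, modelled as an added example (not code from the IdP or from the attached patch). Parameter names are the ones listed in the 15/Mar/11 comment; the function names, the `ForwardedRequest` class and the URLs in the demo are hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameter names come from the issue comment. Every function and class name
# below is hypothetical and exists only for this example.
STATE_NAMES = ("relyingParty", "authnMethod", "isPassive", "forceAuthn")


def build_redirect_url(base, relying_party, authn_method, return_url,
                       is_passive=False, force_authn=False):
    """IdP side, first design: authentication state rides in the redirect URL."""
    params = [("relyingParty", relying_party), ("authnMethod", authn_method),
              ("return", return_url)]
    if is_passive:
        params.append(("isPassive", ""))    # presence-only flag
    if force_authn:
        params.append(("forceAuthn", ""))   # presence-only flag
    return base + "?" + urlencode(params)


def state_from_query(url):
    """External system, first design: it can only trust the URL it is handed."""
    # keep_blank_values=True is required, or the valueless flags vanish here.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        "relyingParty": query.get("relyingParty", [None])[0],
        "authnMethod": query.get("authnMethod", [None])[0],
        "isPassive": "isPassive" in query,
        "forceAuthn": "forceAuthn" in query,
    }


def without_param(url, name):
    """Constructed test input: the same URL after a client removed one parameter."""
    parts = urlsplit(url)
    pairs = parse_qs(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, values in pairs.items() for v in values if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class ForwardedRequest:
    """Stand-in for a request forwarded inside the servlet container."""

    def __init__(self, query_string, attributes):
        self.query_string = query_string       # supplied by the client
        self._attributes = dict(attributes)    # set by IdP code only

    def get_attribute(self, name):
        return self._attributes.get(name)


def state_from_attributes(request):
    """External system, final design: read server-set attributes, ignore the query."""
    return {name: request.get_attribute(name) for name in STATE_NAMES}


if __name__ == "__main__":
    url = build_redirect_url(
        "https://authn.example.org/login",            # constructed URLs
        "https://sp.example.org/shibboleth",
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "https://idp.example.org/idp/return",
        force_authn=True,
    )
    print(state_from_query(url)["forceAuthn"])                               # True
    print(state_from_query(without_param(url, "forceAuthn"))["forceAuthn"])  # False
```

Because `forceAuthn` and `isPassive` are presence-only, a missing flag is indistinguishable from a request that never set it, which is why the query-parameter form cannot detect the change and the request-attribute form does not need to.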
[SIDP-447] Fix for SIDP-417 missed RemoteUserLoginHandler Created: 14/Dec/10   Updated:
21/Dec/10 Resolved: 21/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Bug                      Priority:   Minor
Reporter:                 Bradley Schwoerer        Assignee:   Chad La Joie
Resolution:               Fixed                    Votes:      0
Labels:                   None

Attachments:                RemoteUserLoginHandler.patch
Java Version:             Sun 1.6
Servlet                   Apache Tomcat 6.0
Container:

Description
The fix for SIDP-417 (rev 2966) missed the RemoteUserLoginHandler.

Comments
Comment by Chad La Joie [ 21/Dec/10 ]
Fixed in rev 2967
[SIDP-446] concurrent multi tab login Created: 13/Dec/10     Updated: 10/Feb/11 Resolved: 10/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:              Improvement                   Priority:              Minor
Reporter:          Petra Berg                    Assignee:              Chad La Joie
Resolution:        Won't Fix                     Votes:                 0
Labels:            None

Attachments:          alt-SIDP-446.patch        alt-SIDP-446.v2.patch             idp-2.2.0-multi_tab-patch.diff

Description
Logging in from multiple browser tabs at the same time fails.

Since the passing from one IdP module to the other is done by HTTP
redirect and the loginContextKey is stored in a cookie, for all requests
in the same session the cookie will be overwritten. One solution for
this problem could be passing the loginContextKey as a parameter through
the modules including the login jsp page.
If done this way every login page, displayed in its own browser tab, has
its own loginContextKey.

Next thing is refreshing a login page, where the authentication finished
already in another browser tab. In this case the loginContext needs to
be reset and the 'PreviousSession' handler needs to be used instead.

 Comments
Comment by Petra Berg [ 13/Dec/10 ]
a patch resolving this problem in IdP 2.2.0 (java-idp tags/2.2.0) for
UsernamePasswordLoginHandler
Comment by Bradley Schwoerer [ 14/Dec/10 ]
An alternate to the proposed fix that has been adjusted for 2.2.1-SNAPSHOT, but it does NOT
include the new functionality proposed for resetting the flow.

So it just addresses moving the loginContextKey to a query parameter. UW-Madison is currently
using this patch in production and it is working well.
Comment by Bradley Schwoerer [ 09/Jan/11 ]
fixed one line.

Fixed the issue that the loginContextKey is not always an attribute, like after a failed
authentication attempt. It should always be a parameter though.
Comment by Chad La Joie [ 10/Feb/11 ]
This will not be addressed in the 2.x series. v3's method for handling per-"conversation" state
will address this issue.
[SIDP-444] default attribute definitions for some attributes are missing the
namespace qualifier in their xsi:type Created: 06/Dec/10 Updated: 21/Dec/10 Resolved: 21/Dec/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:               Bug                             Priority:            Trivial
Reporter:           Vladimir Mencl                  Assignee:            Chad La Joie
Resolution:         Duplicate                       Votes:               0
Labels:             None

Attachments:           attribute-resolver-xsi-types.diff        attribute-resolver-xsi-types-eptid.diff

Java Version:       Sun 1.6
Servlet             Apache Tomcat 5.5
Container:

Description
Hi,

This is just a trivial thing - I started installing a Shibboleth 2.2.0 IdP and as I was uncommenting
the attribute definitions in attribute-resolver.xml, I got some XML parse errors for attributes that
have not yet been converted to the new naming syntax: eduPersonScopedAffiliation,
eduPersonAssurance and eduPersonTargetedId (plus the encoders for eduPersonAssurance).
Looks like someone overlooked a block of text when manually converting the attribute
definitions.

The following patch fixes the issue in the attribute resolver configuration file template:
{noformat}
--- ./shibboleth-identityprovider-2.2.0/src/installer/resources/conf-tmpl/attribute-
resolver.xml.orig 2010-12-07 12:24:00.000000000 +1300
+++ ./shibboleth-identityprovider-2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml
2010-12-07 12:25:54.000000000 +1300
@@ -232,19 +232,19 @@
       <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
    </resolver:AttributeDefinition>

- <resolver:AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation"
scope="$IDP_SCOPE$" sourceAttributeID="eduPersonAffiliation">
+ <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation"
scope="$IDP_SCOPE$" sourceAttributeID="eduPersonAffiliation">
     <resolver:Dependency ref="myLDAP" />
     <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
     <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
   </resolver:AttributeDefinition>

- <resolver:AttributeDefinition xsi:type="Simple" id="eduPersonAssurance"
sourceAttributeID="eduPersonAssurance">
+ <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance"
sourceAttributeID="eduPersonAssurance">
      <resolver:Dependency ref="myLDAP" />
- <resolver:AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-
def:eduPersonAssurance" />
- <resolver:AttributeEncoder xsi:type="SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" />
+ <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-
def:eduPersonAssurance" />
+ <resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" />
   </resolver:AttributeDefinition>

- <resolver:AttributeDefinition xsi:type="Scoped" id="eduPersonTargetedID.old"
scope="$IDP_SCOPE$" sourceAttributeID="computedID">
+ <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonTargetedID.old"
scope="$IDP_SCOPE$" sourceAttributeID="computedID">
      <resolver:Dependency ref="computedID" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
   </resolver:AttributeDefinition>
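Review bot: the changed lines in this hunk fix three definitions and two encoders that were found by reading the file, and the hunk ends at eduPersonTargetedID.old with no check on the definitions that follow it in the template. Add a schema-validating parse of the fully uncommented template to the build, so that any `xsi:type` that does not resolve to a known type fails there instead of at a deployer's first startup.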
{noformat}

This can also be easily found by searching for the following regexp: xsi:type="[A-Z]
.... unqualified types start with an uppercase letter, qualified types start with a lowercase letter.


Hope this helps - and can be fixed in next release.

Cheers,
Vladimir

--
Vladimir Mencl, Ph.D.
E-Research Services and Systems Consultant
BlueFern Computing Services
University of Canterbury
Private Bag 4800
Christchurch 8140
New Zealand

http://www.bluefern.canterbury.ac.nz
mailto:vladimir.mencl@canterbury.ac.nz
Phone: +64 3 364 3012
Mobile: +64 21 997 352



Comments
Comment by Vladimir Mencl [ 06/Dec/10 ]
The patch as an attachment - in case Confluence munches up the syntax.
Comment by Vladimir Mencl [ 06/Dec/10 ]
Hi,

Found one more copy-editing error in the default attribute-resolver template: the xsi:type for
eduPersonTargetedId AttributeDefinition was: "enc:SAML2NameID" but should have been
"ad:SAML2NameID"

Cheers,
Vladimir

{noformat}
--- ./shibboleth-identityprovider-2.2.0/src/installer/resources/conf-tmpl/attribute-
resolver.xml.orig2 2010-12-07 13:02:09.000000000 +1300
+++ ./shibboleth-identityprovider-2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml
2010-12-07 13:02:19.000000000 +1300
@@ -249,7 +249,7 @@
       <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
    </resolver:AttributeDefinition>

- <resolver:AttributeDefinition xsi:type="enc:SAML2NameID" id="eduPersonTargetedID"
+ <resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
                      nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sourceAttributeID="computedID">
      <resolver:Dependency ref="computedID" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
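Review bot: the leading context of this hunk (the enc:SAML1ScopedString encoder for eduPersonTargetedID and the closing AttributeDefinition tag) is the tail of the previous hunk against the same file, so the two patches overlap and this one applies cleanly only on top of the first. Fold both into a single patch against attribute-resolver.xml. The corrected line also swaps one declared prefix for another, so a search for unqualified types would not have found it; the check used before merging needs to confirm that the prefix resolves to the attribute definition namespace.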
{noformat}
Comment by Chad La Joie [ 21/Dec/10 ]
Thanks for submitting this but Nate beat you to it. :)
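
A namespace-aware version of the check suggested in this issue, as an added example (not part of the report or of the IdP distribution). It goes beyond the `xsi:type="[A-Z]` search: it resolves each type's prefix against the in-scope declarations, so it also reports the `enc:SAML2NameID` case from the follow-up comment and accepts the per-element default-namespace style quoted in SIDP-449. The sample document is constructed, and its root declarations are assumed to match the default template.

```python
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
AD_NS = "urn:mace:shibboleth:2.0:resolver:ad"
ENC_NS = "urn:mace:shibboleth:2.0:attribute:encoder"

# Namespace that each element's xsi:type has to resolve to. Keying on the
# element's local name is a simplification made for this example.
EXPECTED_TYPE_NS = {"AttributeDefinition": AD_NS, "AttributeEncoder": ENC_NS}

# Constructed sample, not the shipped template. The root declarations are
# assumed to match what the default attribute-resolver.xml declares.
SAMPLE_RESOLVER_XML = """\
<resolver:AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation">
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="esa-saml1"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="enc:SAML2NameID" id="eduPersonTargetedID"/>
  <resolver:AttributeDefinition xsi:type="Scoped" id="legacyScoped"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString" name="legacy-saml2"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance">
    <resolver:AttributeEncoder xsi:type="SAML1String" name="epa-saml1"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""


def lint_xsi_types(xml_text):
    """Return (label, xsi:type value, namespace it resolved to) per mismatch."""
    findings = []
    scopes = [{}]   # one prefix -> URI map per open element
    pending = {}    # xmlns declarations that belong to the next start tag
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = item
            pending[prefix or ""] = uri
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            expected = EXPECTED_TYPE_NS.get(item.tag.rpartition("}")[2])
            value = item.get(XSI_TYPE)
            if expected is None or value is None:
                continue
            prefix = value.rpartition(":")[0]   # "" means the default namespace
            resolved = scope.get(prefix)        # None when the prefix is undeclared
            if resolved != expected:
                label = item.get("id") or item.get("name")
                findings.append((label, value, resolved))
        else:
            scopes.pop()
    return findings


if __name__ == "__main__":
    for label, value, resolved in lint_xsi_types(SAMPLE_RESOLVER_XML):
        print(f"{label}: xsi:type={value!r} resolves to {resolved}")
```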
[SIDP-443] Profile handlers override encoder nameQualifier setting Created: 06/Dec/10
Updated: 31/Jan/11 Resolved: 22/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Bug                     Priority:           Minor
Reporter:                 Scott Cantor            Assignee:           Scott Cantor
Resolution:               Fixed                   Votes:              0
Labels:                   None

Java Version:             Sun 1.6
Servlet                   Jetty 7
Container:

 Description
The string-based NameID encoders have a nameQualifier setting to override/control the
NameQualifier attribute, but the abstract profile handler bases explicitly set that to the IdP name
regardless of whether it's set by the encoder already. We could check for null in the profile
handler bases to fix it.


Comments
Comment by Scott Cantor [ 22/Dec/10 ]
Fixed in rev 2974.
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-442] IdPSession expiration during requests Created: 06/Dec/10 Updated: 21/Dec/10       Resolved:
21/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:               Bug                            Priority:            Major
Reporter:           Bradley Schwoerer              Assignee:            Chad La Joie
Resolution:         Won't Fix                      Votes:               0
Labels:             None

Attachments:          IdPSessionBug.txt
Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
We are getting errors for users when their IdP sessions expire in the middle of processing requests.
Our IdP session timeout is set to 60 seconds. When they start an incoming request before the
expiration and don't finish before the expiration we are getting errors in the attribute resolution or
other places, mainly in the attribute resolution. It reports the principal as 'null'. Attached you will
find an example of this where the session was created around 22:07:02.221, and they
returned for a new request at 22:08:01.540. At 22:08:02.533 when they are redirected to the
profile handler their IdP session is expired and they no longer have a principal associated with
this session.


 Comments
Comment by Bradley Schwoerer [ 06/Dec/10 ]
We are using a modified version of 2.2.1-SNAPSHOT so the line numbers don't match. If you
need me to reproduce with a vanilla version of 2.2.1-SNAPSHOT, I can do so.
Comment by Chad La Joie [ 21/Dec/10 ]
There isn't really anything that can be done if you set your session timeout lower than the length
of time it takes to complete a transaction.
[SIDP-441] Add JSESSIONID and ClientIP to MDC Created: 06/Dec/10           Updated: 14/Mar/11
Resolved: 14/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.3.0

Type:                 Improvement              Priority:          Trivial
Reporter:             Bradley Schwoerer        Assignee:          Chad La Joie
Resolution:           Fixed                    Votes:             0
Labels:               None

Attachments:            sidp-441.patch.txt

 Description
Please add JSESSIONID and ClientIP to MDC to make it easier to correlate log lines.

 Comments
Comment by Chad La Joie [ 14/Mar/11 ]
fixed in rev 2995
[SIDP-440] servlet-api-2.4.jar not installed when upgrading to 2.2.0 / aacli testing
errors. Created: 28/Nov/10 Updated: 29/Nov/10 Resolved: 29/Nov/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                Bug                             Priority:       Minor
Reporter:            Benji Wakely                    Assignee:       Chad La Joie
Resolution:          Duplicate                       Votes:          0
Labels:              None

Java Version:        Sun 1.5
Servlet              Apache Tomcat 6.0
Container:

 Description
I have run across a bug, the same as detailed at:
http://comments.gmane.org/gmane.comp.web.shibboleth.user/14878

...There didn't seem to be a bug filed yet, so I've filed this.

I had an installed version of the shibboleth IdP, version 2.1.5.
Upgraded to 2.2.0 using the source at
http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.2.0/shibboleth-identityprovider-2.2.0-bin.zip

Testing retrieval of attributes using aacli.sh failed with error:
Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'shibboleth.HandlerManager': Initialization of bean failed; nested
exception is java.lang.NoClassDefFoundError: javax/servlet/ServletRequest

As per Chad La Joie's suggestion, the workaround to this is to simply place servlet-api.2.4.jar
into the /opt/shibboleth-idp/lib directory

--Benji Wakely
Unix Systems Administrator,
La Trobe University, Melbourne, Australia

Comments
Comment by Chad La Joie [ 29/Nov/10 ]
Duplicate of SIDP-422
[SIDP-438] Improve user experience when switching versions of SAML Created:
23/Nov/10 Updated: 11/Jan/11 Resolved: 11/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Improvement              Priority:          Minor
Reporter:                 Karsten Huneycutt        Assignee:          Chad La Joie
Resolution:               Fixed                    Votes:             0
Labels:                   None

Attachments:                  classcast.diff

 Description
When a user begins an authentication transaction but abandons it without completing it and starts
another authentication transaction using the same version of SAML, the second authentication
transaction can be completed successfully. However, when the second transaction is using a
different version of SAML, the user gets an error page and is not allowed to log in. The logs
show a ClassCastException, because the profile handlers are assuming that the LoginContext
returned will always be of the type appropriate for that version of SAML and are not checking
before casting. This is a regression in user experience from previous versions of the IdP (at least
from version 2.1.2).

We have users who set Shibboleth-protected sites (the actual end site) as their browser's
homepage, and they experience this when they attempt to start a new window/tab and log into a
site that uses a different version of SAML.

I've attached a patch to revert the behavior of the IdP by checking (using instanceof) the
LoginContext returned.

 Comments
Comment by Chad La Joie [ 11/Jan/11 ]
fixed in rev 2980
[SIDP-437] NPE when loading metadata via HTTPS Created: 19/Nov/10               Updated: 19/Nov/10
Resolved: 19/Nov/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                 Bug                          Priority:           Minor
Reporter:             Paul Engle                   Assignee:           Chad La Joie
Resolution:           Duplicate                    Votes:              0
Labels:               None

Attachments:            idp-process.log
Java Version:         Sun 1.6
Servlet               Apache Tomcat 6.0
Container:

Description

I have the following metadata provider defined in relying-party.xml

<metadata:MetadataProvider id="LearnFedMD"
xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="https://eco.tx-learn.net/downloads/LEARNfed-metadata.xml"
backingFile="/usr/site/shibboleth_idp/metadata/LEARNfed-metadata.xml" />

As is, the configuration generates a null pointer exception. I'll attach the full, trace-level
idp-process.log.
I have a relatively easy workaround by just putting disregardSslCertificate="true" in the
definition, but I thought you'd want a report of the NPE nonetheless. The certificate provided is
perfectly kosher, and the same definition caused no problems under 2.1.5 using the same
container & JRE.

Comments
Comment by Paul Engle [ 19/Nov/10 ]
Here's the full log with stack trace.
Comment by Chad La Joie [ 19/Nov/10 ]
Duplicate of SC-120
[SIDP-436] Null AuthnContextClassRef causes NPE Created: 17/Nov/10          Updated: 21/Dec/10
Resolved: 21/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                 Bug                       Priority:          Minor
Reporter:             James Bardin              Assignee:          Chad La Joie
Resolution:           Fixed                     Votes:             0
Labels:               None

Java Version:         Sun 1.5
Servlet Container:    Apache Tomcat 5.0

 Description
A NullPointerException is thrown after receiving a message with a RequestedAuthnContext
containing an empty AuthnContextClassRef (from a misconfigured SAML2 SP).

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://example.com/navpage.do" ForceAuthn="false"
    ID="5B428E390A0A3CAA013029B7E66B58D4" IsPassive="false"
    IssueInstant="2010-11-17T19:14:37.263Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="undefined" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"/>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>


This may have contributed to tomcat crashing from an out of memory error (only time that
happened was after many of these requests).

Comments
Comment by Scott Cantor [ 17/Nov/10 ]
You should also report the bug to whoever's SP that is, since that's invalid SAML (which is why
it's crashing the IdP).
Comment by Chad La Joie [ 21/Dec/10 ]
Fix in rev 2970
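
The request in SIDP-436 carries an AuthnContextClassRef element with no value. As an added example (not the IdP's code and not the change made in rev 2970), this stand-alone Java check parses a request and rejects it before any class reference is used; the class and method names and the trimmed sample requests are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example: the names below are illustrative, not Shibboleth or OpenSAML APIs.
public class AuthnContextClassRefCheck {
    static final String SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Raised instead of letting an empty class reference reach later processing. */
    static class InvalidRequestException extends Exception {
        InvalidRequestException(String message) { super(message); }
    }

    /** Returns the requested class references, or throws if any of them is empty. */
    static List<String> requestedClassRefs(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Untrusted input: no DTDs, and the parser's secure-processing limits on.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> refs = new ArrayList<>();
        NodeList contexts = doc.getElementsByTagNameNS(SAML2P, "RequestedAuthnContext");
        for (int i = 0; i < contexts.getLength(); i++) {
            Element context = (Element) contexts.item(i);
            NodeList classRefs = context.getElementsByTagNameNS(SAML2, "AuthnContextClassRef");
            for (int j = 0; j < classRefs.getLength(); j++) {
                // An element with no children yields "", which is the case in the report.
                String value = classRefs.item(j).getTextContent();
                if (value == null || value.trim().isEmpty()) {
                    throw new InvalidRequestException(
                            "RequestedAuthnContext contains an empty AuthnContextClassRef");
                }
                refs.add(value.trim());
            }
        }
        return refs;
    }

    /** Constructed sample: a trimmed AuthnRequest around the given class reference element. */
    static String sampleRequest(String classRefElement) {
        return "<saml2p:AuthnRequest xmlns:saml2p='" + SAML2P + "' xmlns:saml2='" + SAML2 + "'"
                + " ID='_constructed1' Version='2.0'>"
                + "<saml2:Issuer>https://example.com</saml2:Issuer>"
                + "<saml2p:RequestedAuthnContext Comparison='exact'>"
                + classRefElement
                + "</saml2p:RequestedAuthnContext>"
                + "</saml2p:AuthnRequest>";
    }

    public static void main(String[] args) throws Exception {
        String valid = "<saml2:AuthnContextClassRef>"
                + "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
                + "</saml2:AuthnContextClassRef>";
        System.out.println("accepted: " + requestedClassRefs(sampleRequest(valid)));
        try {
            requestedClassRefs(sampleRequest("<saml2:AuthnContextClassRef/>"));
        } catch (InvalidRequestException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```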
[SIDP-435] Different principal used for index into session storage and transient
ID Created: 16/Nov/10 Updated: 08/Jan/11 Resolved: 08/Jan/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution, Authentication
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:               Bug                           Priority:        Minor
Reporter:           Karsten Huneycutt             Assignee:        Chad La Joie
Resolution:         Fixed                         Votes:           0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  JBoss 5.0 Tomcat

 Description
At authentication time, the IdP AuthnEngine inserts a second pointer from the user's principal
name to the user's session object. It does this based on:
authnMethodInfo.getAuthenticationPrincipal().getName(). Everywhere else in the IdP, however,
the Session's getPrincipalName() (or RequestContext's, which is set from the Session) method is
used, which can return a different name (and does in our environment).

This will cause any AttributeQuery profiles to fail.

A simple fix is to index using the Session getPrincipalName() method:


--- src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
(revision 2966)
+++ src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
(working copy)
@@ -698,7 +698,7 @@

      loginContext.setAuthenticationMethodInformation(authnMethodInfo);
      idpSession.getAuthenticationMethods().put(authnMethodInfo.getAuthenticationMethod(),
authnMethodInfo);
- sessionManager.indexSession(idpSession,
authnMethodInfo.getAuthenticationPrincipal().getName());
+ sessionManager.indexSession(idpSession, idpSession.getPrincipalName());
     ServiceInformation serviceInfo = new
ServiceInformationImpl(loginContext.getRelyingPartyId(), new DateTime(),
          authnMethodInfo);
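
Review bot: On the added line `sessionManager.indexSession(idpSession, idpSession.getPrincipalName());` the index key now depends on the session's principal name already being set when this call runs, and nothing in the hunk shows that or guards against a null return. I'd confirm the session's principal name is assigned before this call (or add an explicit check with a log message), and add a short comment saying the index must use the same name the rest of the IdP uses to look sessions up, so the two values do not drift apart again.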


Comments
Comment by Chad La Joie [ 08/Jan/11 ]
Fixed in rev 2976
[SIDP-434] More Typos in Default attribute-resolver.xml Created: 09/Nov/10           Updated: 10/Nov/10
Resolved: 10/Nov/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                 Bug                         Priority:           Minor
Reporter:             Nate Klingenstein           Assignee:           Chad La Joie
Resolution:           Fixed                       Votes:              0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Apache Tomcat 6.0

Description
More errors in default java-idp/tags/2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml:

eduPersonScopedAffiliation, eduPersonAssurance, and eduPersonTargetedID.old's xsi:type have
no namespace declared; should be ad:.
eduPersonAssurance's AttributeEncoders' xsi:type have no namespace defined; should be enc:.

  <resolver:AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation"
      scope="$IDP_SCOPE$" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition xsi:type="Simple" id="eduPersonAssurance"
      sourceAttributeID="eduPersonAssurance">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        name="urn:mace:dir:attribute-def:eduPersonAssurance" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition xsi:type="Scoped" id="eduPersonTargetedID.old"
      scope="$IDP_SCOPE$" sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
        name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
  </resolver:AttributeDefinition>

20:14:08.856 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187]
- Configuration was not loaded for shibboleth.AttributeResolver service, error creating
components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-elt.4.2:
Cannot resolve 'enc:SAML2NameID' to a type definition for element
'resolver:AttributeDefinition'.

enc:SAML2NameID should be ad:SAML2NameID

  <resolver:AttributeDefinition xsi:type="enc:SAML2NameID" id="eduPersonTargetedID"
      nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
  </resolver:AttributeDefinition>

 Comments
Comment by Chad La Joie [ 10/Nov/10 ]
fixed in rev 2964
[SIDP-433] Update libs for 2.2.1 Created: 09/Nov/10   Updated: 08/Jan/11 Resolved: 08/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:              Task                        Priority:                   Minor
Reporter:          Chad La Joie                Assignee:                   Chad La Joie
Resolution:        Completed                   Votes:                      0
Labels:            None


 Description
shib-common 1.2.0 -> 1.2.1
[SIDP-432] Set explicit caching headers on redirects Created: 09/Nov/10          Updated: 21/Dec/10
Resolved: 21/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.3
Fix Version/s:     2.2.1

Type:                 Improvement                  Priority:            Minor
Reporter:             Christopher Bongaarts        Assignee:            Chad La Joie
Resolution:           Completed                    Votes:               0
Labels:               None


 Description
We have had a user complain that he got "Shibboleth Error - An error has occurred while
processing your request. - Please login through the original link if you are attempting to use a
bookmark." when using Opera 10.

IdP logs showed this error:
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:148] - No login context
available, unable to return to authentication engine

We are using the RemoteUser LoginHandler. My suspicion is that this is running afoul of Opera
10's aggressive redirect caching (see http://stevesouders.com/tests/redirects/results.php for a
table) causing the user's login session to get dropped (perhaps by not getting the
_idp_authn_lc_key cookie set during the redirect from the SSO endpoint).

If my understanding of the problem is correct, the IdP could work around the problem by setting
Expires: or Cache-Control: headers on the HTTP response containing the redirect to
/idp/Authn/RemoteUser.


 Comments
Comment by Christopher Bongaarts [ 09/Nov/10 ]
Forgot to mention that the user said it was "working fine yesterday", hence the idea that the
redirect caching is the culprit - the first login works fine; it is only later on when Opera begins
relying on the cached redirect instead of actually requesting the SSO endpoint from the IdP.
Comment by Chad La Joie [ 21/Dec/10 ]
Add in rev 2968
[SIDP-431] Typo in default attribute-resolver.xml Created: 09/Nov/10 Updated: 09/Nov/10 Resolved:
09/Nov/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:               Bug                          Priority:           Major
Reporter:           Nate Klingenstein            Assignee:           Chad La Joie
Resolution:         Fixed                        Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 6.0

 Description
http://svn.middleware.georgetown.edu/view/java-idp/tags/2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml?view=markup

      <resolver:AttributeEncoder
xsi:type="enc:SAML2String"name="urn:oid:0.9.2342.19200300.100.1.20"
friendlyName="homePhone" />


Comments
Comment by Chad La Joie [ 09/Nov/10 ]
Fixed in rev 2961

Next time, please actually state the typo.
[SIDP-429] Limit metadata SP credential resolution for encryption to RSA keys
only Created: 02/Nov/10 Updated: 17/May/11 Resolved: 14/Apr/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.3.0

Type:               Bug                           Priority:           Minor
Reporter:           Brent Putman                  Assignee:           Brent Putman
Resolution:         Completed                     Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Jetty 7

 Description
An SP's entity descriptor may for example have an EC key or (erroneously) a DSA key flagged
for effective use = "encryption". Currently the IdP picks the "first" encryption key and doesn't
filter these out. Should add an additional credential criteria to require only RSA keys to be
resolved, since that is realistically the only algorithm supported. (This will be replaced by the
more general algorithm whitelist/blacklist mechanism in 3.x).

 Comments
Comment by Brent Putman [ 03/Feb/11 ]
Fixed in r2985. I'll leave open pending testing confirmation that it doesn't break something.
Comment by Brent Putman [ 14/Apr/11 ]
I've tested against an IdP snapshot and confirmed that this doesn't seem to break anything.
Resolving.
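
The filtering described in SIDP-429, as an added Java example (not the IdP's credential resolver and not the change in r2985): it compares "first key flagged for encryption" with "first RSA key flagged for encryption" and shows that a non-RSA key cannot be used for RSA key transport. MetadataKey is a hypothetical stand-in for a metadata key descriptor, the keys are generated on the fly, and RSA-OAEP key transport is an assumption chosen for the demonstration.

```java
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example: the names below are illustrative, not Shibboleth or OpenSAML APIs.
public class RsaOnlyEncryptionKey {
    /** Hypothetical stand-in for a metadata key descriptor: declared use plus the key. */
    static class MetadataKey {
        final String use;
        final PublicKey key;
        MetadataKey(String use, PublicKey key) { this.use = use; this.key = key; }
    }

    /** Behaviour described in the report: first key flagged for encryption, any algorithm. */
    static PublicKey firstEncryptionKey(List<MetadataKey> keys) {
        for (MetadataKey k : keys) {
            if ("encryption".equals(k.use)) {
                return k.key;
            }
        }
        return null;
    }

    /** Same walk with the additional criterion: the key algorithm must be RSA. */
    static PublicKey firstRsaEncryptionKey(List<MetadataKey> keys) {
        for (MetadataKey k : keys) {
            if ("encryption".equals(k.use) && "RSA".equals(k.key.getAlgorithm())) {
                return k.key;
            }
        }
        return null;
    }

    /** Tries to wrap a fresh AES data key under the given key; false if the key is unusable. */
    static boolean canWrapDataKey(PublicKey keyEncryptionKey) throws Exception {
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);
        SecretKey dataKey = aes.generateKey();
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        try {
            cipher.init(Cipher.WRAP_MODE, keyEncryptionKey);
            return cipher.wrap(dataKey).length > 0;
        } catch (InvalidKeyException e) {
            return false; // a DSA or EC key is rejected here
        }
    }

    static PublicKey generate(String algorithm, int bits) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
        generator.initialize(bits);
        return generator.generateKeyPair().getPublic();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an SP whose metadata lists a DSA key and an EC key for
        // encryption ahead of its RSA encryption key.
        List<MetadataKey> keys = new ArrayList<>();
        keys.add(new MetadataKey("signing", generate("RSA", 2048)));
        keys.add(new MetadataKey("encryption", generate("DSA", 2048)));
        keys.add(new MetadataKey("encryption", generate("EC", 256)));
        keys.add(new MetadataKey("encryption", generate("RSA", 2048)));

        PublicKey first = firstEncryptionKey(keys);
        PublicKey rsaOnly = firstRsaEncryptionKey(keys);
        System.out.println("first encryption key: " + first.getAlgorithm()
                + ", usable for key transport: " + canWrapDataKey(first));
        System.out.println("RSA-filtered key:     " + rsaOnly.getAlgorithm()
                + ", usable for key transport: " + canWrapDataKey(rsaOnly));
    }
}
```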
[SIDP-428] Address lifecycle issues around use of
MetadataCredentialResolverFactory Created: 21/Oct/10 Updated: 25/Oct/10 Resolved: 25/Oct/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:               Bug                            Priority:            Minor
Reporter:           Brent Putman                   Assignee:            Brent Putman
Resolution:         Fixed                          Votes:               0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Jetty 7

 Description
There are issues to consider around use of the factory and the lifecycle of the output instances of
the factory (MetadataCredentialResolver). These are related to the use of WeakReferences in the
factory impl to avoid memory leaks. These issues are documented in the superclass of the
factory:

http://svn.middleware.georgetown.edu/view/java-xmltooling/branches/REL_1/src/main/java/org/opensaml/xml/util/AbstractWrappedSingletonFactory.java?revision=564&view=markup

We should probably either:
1) cache a long-lived reference to the obtained resolver instance (i.e. a strong reference) inside
the profile handler (easiest)
2) implement the explicit release mechanism, perhaps by using a finalize() method in the profile
handlers

Comments
Comment by Brent Putman [ 25/Oct/10 ]
Fixed in r2960.
[SIDP-427] Incorrect handling of returned authn error in SSO profile handlers
Created: 19/Oct/10 Updated: 10/Nov/10 Resolved: 10/Nov/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Bug                               Priority:   Major
Reporter:                 Scott Cantor                      Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.6
Servlet Container:        Jetty 7

 Description
I think there's a bug in the conditionals that run in the processRequest method in the SAML 1
and 2 SSO profile handlers. They use the LoginContext.isPrincipalAuthenticated() method to
determine whether to treat the request as the "first" or "second" leg, but this breaks if the
LoginHandler returns to the profile handler with an error rather than authenticating the user.

The code in both the protocol versions looks like this:

     if (loginContext == null) {
        log.debug("Incoming request does not contain a login context, processing as first leg of request");
        performAuthentication(inTransport, outTransport);
     } else if (!loginContext.isPrincipalAuthenticated()) {
        log.debug("Incoming request contained a login context but principal was not authenticated, processing as first leg of request");
        performAuthentication(inTransport, outTransport);
     } else {
        log.debug("Incoming request contains a login context, processing as second leg of request");
        HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);
        completeAuthenticationRequest(loginContext, inTransport, outTransport);
     }

When there's a failure in the LoginHandler, it returns control to the profile handler, but with a
login context in place, and the middle branch runs instead of the last branch. That fails because
the request URL no longer has the SAML request content. It's supposed to fall into the last
branch where it would look for a login error inside completeAuthenticationRequest, but it never
gets a chance.

I'm not 100% certain what the fix is yet. Maybe the presence of a login context is sufficient to
send it to the second leg? Or it needs to check for the error case explicitly as well as using
isPrincipalAuthenticated().

Comments
Comment by Scott Cantor [ 19/Oct/10 ]
Likely fix: change the middle condition to:

} else if (!loginContext.isPrincipalAuthenticated() && loginContext.getAuthenticationFailure() == null) {

When I do that, it correctly propagates the SAML failure status back to the SP.
Comment by Chad La Joie [ 10/Nov/10 ]
Fixed in rev 2965
[SIDP-426] Forced authentication does not reset the AuthnInstant Created: 09/Oct/10
Updated: 31/Jan/11 Resolved: 22/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:                     Bug                     Priority:           Minor
Reporter:                 Scott Cantor            Assignee:           Scott Cantor
Resolution:               Fixed                   Votes:              0
Labels:                   None

Attachments:                 patch.txt
Java Version:             Sun 1.6
Servlet Container:        Jetty 7

 Description
The time of authentication is tracked by an Info structure that's only created when an existing
Info structure for a given method isn't already present in a user's session. So if forceAuthn is
used before the previous authentication has expired, the time won't get reset.


 Comments
Comment by Scott Cantor [ 09/Oct/10 ]
The patch fixes the issue by passing a new timestamp into the method that creates the Info
structure when forceAuthn is used, and ensures that a new structure gets created if the timestamp
is supplied.

It includes a separate trivial enhancement to let the LoginHandler override the AuthnInstant
along with the method.
Comment by Scott Cantor [ 22/Dec/10 ]
Fixed in rev 2973.
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-425] TCNonPortableObjectError when artifacts are used Created: 08/Oct/10                     Updated:
08/Jan/11 Resolved: 08/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:                      Bug                         Priority:            Major
Reporter:                  Adam Lantos                 Assignee:            Chad La Joie
Resolution:                Invalid                     Votes:               0
Labels:                    None

Attachments:               0001-Convert-logger-to-local-variable.patch
                           0001-Fix-NonPortableObjectError-in-artifact-maps.patch
Java Version:              Sun 1.6
Servlet Container:         Jetty 7

 Description
Latest released version causes TCNonPortableObjectError when artifacts are used. This issue
also affects the 2.2 IdP release.

Referring class : org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry
Referring field : org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry.log
Non-portable field name:
org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry.log
Thread : TP-Processor9
JVM ID : VM(9)
Non-included class : ch.qos.logback.classic.Logger

Terracotta tries to cluster the non-transient instance field "log", which is not included in the
bootstrap jar.

 Comments
Comment by Adam Lantos [ 08/Oct/10 ]
Working patch.
Comment by Brent Putman [ 08/Oct/10 ]
I looked into this in detail. There are trade-offs associated with declaring SLF4J Loggers as static
vs instance variables:
http://www.slf4j.org/faq.html#declared_static

and also the Apache Commons docs linked from there:

http://wiki.apache.org/jakarta-commons/Logging/StaticLog

The general consensus is that it is bad to use static loggers in library code (as opposed to
stand-alone application code) for classes that are instantiated (i.e. not helper classes with only
static methods, etc).

I double-checked the OpenSAML stack and with one minor exception (which should probably
be fixed), we have adhered to this convention. Only helper classes with static methods use static
loggers. So I think it would be unwise to fix this by modifying the map entry class.

Also, fixing it here in this one class doesn't really fix it for the "next time". There may be other
classes that will be used in Terracotta that have instance Loggers. That is in fact the norm for
instantiated classes, as stated above. So this is the fundamental problem to fix.

The fix for this really should be to instrument the class in Terracotta via an additional <include>
section for class ch.qos.logback.classic.Logger.

I'm going to move this to the IdP project to be tracked there. Once Adam or someone with a
Terracotta environment can test and confirm, we can update the wiki example tc-config.xml.
Comment by Adam Lantos [ 09/Oct/10 ]
The library problem would only occur, if the class in question would be loaded in a shared
classloader (eg. an http library in the application server code). As far as the library is only used
by web applications, each application will have "their own" class logger.

Secondly, I don't think it's a good idea to share logger instances between nodes. They are
referring to their parent logger and attached appenders, which will hold file handles, and so on.
Comment by Brent Putman [ 09/Oct/10 ]
As to your first point: we don't make any assumptions in OpenSAML as to how the library will
be used. It might be deployed in a shared classloader or whatever. So instance Loggers are the
way to go. As I said, all of our other classes are written that way, I believe consciously so, and
we're not going to change it now, especially if the sole reason is Terracotta. As a practical matter,
this is the last release of 2.x, and in the 3.x I believe it's pretty much decided that we will not be
using Terracotta, or at least advocating as the "primary" clustering solution.

As to your second point: yes, there might be a problem there with distributing the Logger
instance across nodes. Not sure, and I don't have any way to test, but makes sense that there
could be. (I note we *are* distributing
org.apache.commons.logging.impl.SLF4JLocationAwareLog, so I wonder if there is a similar
issue there. It's possible no one has gone down a code path where the logger gets used).

Since we're staying with instance Loggers, the solution there is the one that Terracotta provides just
for cases like this: in tc-config.xml you should 1) declare the field transient (in the Terracotta
sense, not the Java serialization sense) and 2) declare an on-load bean shell hook to re-populate
the field. There's even an example of #2 for the logger case in the TC wiki:

http://www.terracotta.org/confluence/display/docs/Concept+and+Architecture+Guide#ConceptandArchitectureGuide-onload

That's the solution for the general case. For this particular class logger, you don't need to actually
do that b/c the logger is only used in the readObject/writeObject methods and those check for
null and re-instantiate anyway. So if you just declare the field transient in tc-config.xml, that
should take care of it.

If you have an opportunity to test that, it would be greatly appreciated.
Comment by Adam Lantos [ 09/Oct/10 ]
and what about loggers in static helper classes?
Comment by Brent Putman [ 09/Oct/10 ]
Fair point, static helper classes in OpenSAML should probably be refactored to use local
Loggers in each method that logs, and not declare upfront a static Logger. There's not that many
of them.
Comment by Adam Lantos [ 09/Oct/10 ]
Just to be on the safe side, we could convert the ArtifactMapEntry logger local, too. I feel it's still
better handling it in the code than doing the on-load trick.

I'll test it out on Monday.
Comment by Adam Lantos [ 11/Oct/10 ]
Use local loggers instead of instance variable.
Comment by Brent Putman [ 14/Oct/10 ]
Well, note you don't need to do the on-load for this class. It already coincidentally uses lazy
instantiation. So it only needs to be marked transient in Terracotta.

I really don't like the idea of changing this one (library) class to meet the assumed needs of
Terracotta. It sets a bad precedent. It is only by sheer coincidence that none of the other classes
that are instrumented have Loggers or other instance data that is inappropriate to share across
nodes (and we're not even sure that Loggers are in fact un-shareable - it depends on the impl of
the Loggers. I note that slf4j Loggers are by design Serializable, and that implies that they may
in fact not hold references to things that are node specific. Maybe they look them up dynamically
each time).

Actually that's not quite true, since we are sharing
org.apache.commons.logging.impl.SLF4JLocationAwareLog, and that's very likely suspect, if
not wrong. That's used I am sure in a non-OpenSAML class that we can't change and the (only)
solution there would be the same - declare it transient and use the on-load to recreate on the other
nodes.
We're only having this discussion b/c it's a class in OpenSAML. If it were in a library we didn't
control, we wouldn't even have the option.

Terracotta provides mechanisms specifically to deal with these and other situations. IMHO they
are not hacks and we shouldn't be afraid to make use of them where needed.

Comment by Adam Lantos [ 15/Oct/10 ]
The following tc-config.xml snippet does the job:

 <transient-fields>
  <field-name>org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry.log</field-name>
 </transient-fields>

...still don't like it, but I can live with that :)
Comment by Chad La Joie [ 08/Jan/11 ]
Posted tc-config.xml updated with necessary information to address this issue
[SIDP-424] Artifact clustering is broken Created: 08/Oct/10    Updated: 10/Jan/11 Resolved: 10/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:              Bug                           Priority:             Major
Reporter:          Adam Lantos                   Assignee:             Chad La Joie
Resolution:        Completed                     Votes:                0
Labels:            None

Attachments:          0002-Change-SAMLObject-marshal-unmarshal-behavior.patch
Java Version:      Sun 1.6
Servlet Container: Jetty 7

 Description
With the changes introduced in the 2.4.0 version, BasicArtifactMapEntry no longer works in a
clustered environment.

When put() and get() happen on separate nodes, the transient message field is dropped by the
clustering code, so the getMessage() method will eventually end up returning null (since
Terracotta doesn't call the writeObject/readObject pair).


 Comments
Comment by Brent Putman [ 08/Oct/10 ]
We need to confirm what's actually happening. I'm not terribly familiar with Terracotta, but the
docs say that it shouldn't be dropping transient fields by default:

http://www.terracotta.org/confluence/display/docs/Concept+and+Architecture+Guide#ConceptandArchitectureGuide-transience

"Although Terracotta transience and Java transience are similar, by default, Terracotta does not
skip fields that are marked with the Java transient modifier when sharing an object. This is
because Java serialization and Terracotta sharing are significantly different, and just because a
field should not be serialized does not mean Terracotta should not share it."

There are options to override that and say "honor transient". Are we doing that in our TC config
for the IdP? If so, we should probably disable that override for this instrumented class.
I'll look into this some more.

In any event, the current transient and serialization behavior of the BasicArtifactMapEntry is
correct (given that XMLObject is currently not Serializable) and I doubt this issue should be
logged here against java-opensaml2. Sounds like we should probably move this to java-idp and
get the TC config example files fixed up.
Comment by Brent Putman [ 08/Oct/10 ]
To answer my own question: the example instrumentation from the wiki for this class is saying
to honor-transient.

https://spaces.internet2.edu/download/attachments/11926/tc-config.xml?version=6

<include>
<class-expression>
org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry
</class-expression>
<honor-transient>true</honor-transient>
</include>



In fact, all the instrumented classes say this. Is this just due to cut-and-paste of an initial
example? Or is there some reasoning behind all of this? I doubt we have a lot of transient fields,
but IMHO the TC default of not honoring transient is correct for the general case.

I think the solution is to remove the honor-transient flag for this class.

I'm going to move this issue to the IdP project.
Comment by Brent Putman [ 08/Oct/10 ]
Did a quick search. This field in BasicSAMLArtifactMapEntry is in fact the only transient field
we have in the entire OpenSAML and IdP Java codebase.

So IMHO declaring honor-transient=true on everything in the tc-config.xml seems a little
excessive - from a minimalism perspective. Esp. since that would seem to not be the default right
thing to do for the general case.
Comment by Adam Lantos [ 09/Oct/10 ]
From a minimalism perspective, I think it would be nicer to keep the old behavior and serialize
the artifact into String upon ArtifactMapEntry creation, and parse when needed (with the
addition of a transient SAMLObject "cache" reference, so parsing would only be occurring after
serialization / clustering).
Comment by Brent Putman [ 09/Oct/10 ]
Well, the reason the old code was changed was:
1) it was inefficiently and unnecessarily serializing the SAMLObject always, even when the
object wasn't going to be serialized (and in the IdP it's not, it's just stored in a Map-based
StorageService impl). Serializing the DOM is expensive (relatively). Unnecessarily doing it is
IMHO non-minimalist.
2) it was doing it outside the class as a pre- and post-processing step, violating the contract of the
Serializable interface, and thereby unnecessarily coupling the map entry impl to the map itself

I'm definitely not reverting back to #2, that was just wrong. I'd really prefer not to revert back to
#1. Automatic (and unnecessary) serialization could be done in the constructor, as you say. I'd
personally prefer to avoid that if possible. Your comment did make me realize that making the
SAMLObject field non-transient (in the Terracotta sense) would mean SAMLObject and other
classes in its object graph would have to be declared in tc-config.xml. I don't necessarily think
that's a problem, just more config declarations to make. Practically we'd need to see how that
would work.

I'll think about this one some more, and Chad may want to chime in.

In general, I'd say my philosophy is "don't adjust a library to fit Terracotta, adjust Terracotta to
fit the library", especially where TC gives you the tools to do so.
Comment by Adam Lantos [ 11/Oct/10 ]
SAMLObject has 340 subtypes in OpenSAML-J and Shibboleth-Common projects, and some of
them are also referring to the signature representations, so the class hierarchy to instrument is
huge :(
Comment by Adam Lantos [ 11/Oct/10 ]
This patch applies on 0001-Convert-logger-to-local-variable.patch attached to SIDP-425, and is
mildly load-tested in a clustered environment.
Comment by Brent Putman [ 14/Oct/10 ]
One wouldn't need to declare 340 subtypes of SAMLObject like that, just declare a common
superclass or interface. I'm not a TC expert, but either 1) that works, or else 2) much of the
existing TC config is also wrong, since that's how some of the other type hierarchies are being
handled.

Based on my read of the TC docs, another option is to use wildcards. We (and I mean probably
Chad, who I believe created the initial tc-config.xml, which has been amended by others) are
explicitly enumerating each individual class, but that's not the only way to do it.

There are other non-XMLObject classes used in the XMLObject object graphs that would also
have to be instrumented, notably Apache xmlsec classes, W3C DOM classes and some types like
DateTime and XSBooleanValue and such. The "correct" way IMHO to handle these in
Terracotta world would be to just instrument them. As I said in the other thread, the only reason
for this discussion is because we control this particular library. If this issue came up with respect
to another library, there wouldn't be any choice in the matter.

Like I said before, this is a library (not standalone app code) and I'm philosophically opposed to
adjusting it in a significant way to fit TC, esp. since we are almost certainly going to be moving
away from it as the primary, recommended clustering solution for the IdP.

I don't want to unconditionally serialize the map entry, as you do in your patch. That was one of
the things wrong in the old code. I would not be opposed however to having a "pre-serialization"
option for the SAMLObject message in the artifact map entry factory mechanism, either a flag or
a specialized factory subclass. That way, if someone wants to pre-serialize the SAMLObject and
avoid doing a lot of TC config, they can do so. I'll do a little work on that, should be pretty
simple.
Comment by Brent Putman [ 14/Oct/10 ]
I added this support in the factory, see JOST-137.

To enable in the IdP, in the internal.xml, you'd just inject the factory explicitly into the artifact
map (rather than relying on the default), setting the new serialize flag to true.

If you have an opportunity to test in Terracotta, it would certainly be appreciated.
Comment by Adam Lantos [ 15/Oct/10 ]
Thanks, it's working fine with the explicit BasicArtifactMapEntryFactory configuration
(serializeMessage=true).
Comment by Chad La Joie [ 10/Jan/11 ]
Necessary internal.xml changes have been documented in the wiki
https://spaces.internet2.edu/display/SHIB2/IdPCluster
[SIDP-422] aacli.sh Exception in thread "main" Created: 05/Oct/10   Updated: 21/Dec/10 Resolved:
21/Dec/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:                 Bug                        Priority:       Minor
Reporter:             kevin foote                Assignee:       Chad La Joie
Resolution:           Fixed                      Votes:          0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Apache Tomcat 6.0

 Description
running aacli to test filters etc.. results in

Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'shibboleth.HandlerManager': Initialization of bean failed; nested
exception is java.lang.NoClassDefFoundError: javax/servlet/ServletRequest....

Comments
Comment by kevin foote [ 05/Oct/10 ]
Full Stack dump..

Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'shibboleth.HandlerManager': Initialization of bean failed; nested
exception is java.lang.NoClassDefFoundError: javax/servlet/ServletRequest
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
     at java.security.AccessController.doPrivileged(Native Method)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
     at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
     at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728)
     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380)
     at edu.internet2.middleware.shibboleth.common.attribute.AttributeAuthorityCLI.loadConfigurations(AttributeAuthorityCLI.java:180)
     at edu.internet2.middleware.shibboleth.common.attribute.AttributeAuthorityCLI.main(AttributeAuthorityCLI.java:90)
Caused by: java.lang.NoClassDefFoundError: javax/servlet/ServletRequest
     at java.lang.Class.getDeclaredMethods0(Native Method)
     at java.lang.Class.privateGetDeclaredMethods(Class.java:2427)
     at java.lang.Class.getDeclaredMethods(Class.java:1791)
     at java.beans.Introspector$1.run(Introspector.java:1287)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.beans.Introspector.getPublicDeclaredMethods(Introspector.java:1285)
     at java.beans.Introspector.getTargetMethodInfo(Introspector.java:1151)
     at java.beans.Introspector.getBeanInfo(Introspector.java:402)
     at java.beans.Introspector.getBeanInfo(Introspector.java:168)
     at org.springframework.beans.CachedIntrospectionResults.<init>(CachedIntrospectionResults.java:220)
     at org.springframework.beans.CachedIntrospectionResults.forClass(CachedIntrospectionResults.java:144)
     at org.springframework.beans.BeanWrapperImpl.getCachedIntrospectionResults(BeanWrapperImpl.java:252)
     at org.springframework.beans.BeanWrapperImpl.getPropertyDescriptorInternal(BeanWrapperImpl.java:282)
     at org.springframework.beans.BeanWrapperImpl.isWritableProperty(BeanWrapperImpl.java:333)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1247)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
     ... 13 more
Caused by: java.lang.ClassNotFoundException: javax.servlet.ServletRequest
     at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
     at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
     ... 30 more
Comment by kevin foote [ 05/Oct/10 ]
gmane link to shibboleth-users thread

http://thread.gmane.org/gmane.comp.web.shibboleth.user/14878
Comment by Chad La Joie [ 21/Dec/10 ]
fixed in rev 2969
[SIDP-421] Error logging SOAP queries Created: 04/Oct/10       Updated: 04/Oct/10 Resolved: 04/Oct/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:               Bug                          Priority:             Minor
Reporter:           Scott Cantor                 Assignee:             Brent Putman
Resolution:         Fixed                        Votes:                0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Jetty 7

 Description
The SAML2 attribute query handler logs the reference to the SOAP envelope instead of the
actual message:

14:20:58.359 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:174] -
Decoded request from relying party
'org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@1be87a0'

May affect other profile handlers as well.

 Comments
Comment by Brent Putman [ 04/Oct/10 ]
From looking at the other handlers, I think the intention was to log the entity ID of the protocol
message issuer, not the actual SOAP message. There's already code for the latter in the decoders
themselves.

Fixed in r2958.
Comment by Scott Cantor [ 04/Oct/10 ]
I actually noted the problem when I turned up logging to DEBUG on the logging category
labeled for "dumping protocol messages". Not sure if that means you're right or wrong...
Comment by Brent Putman [ 04/Oct/10 ]
Hmm, OK, but are you sure that's what caused it to happen? The category name (or whatever
slf4j calls it) for the logger in question is just the class name:
private static Logger log = LoggerFactory.getLogger(AttributeQueryProfileHandler.class);

and that jibes with the logger name in the output
"edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler".

So I think you must have logging effectively on DEBUG for that category - either the root one or
perhaps "edu.internet2.middleware.shibboleth". Not seeing how the PROTOCOL_MESSAGE
logger would have any effect on that, it's special and not a part of the standard hierarchically-
named loggers.
Comment by Scott Cantor [ 04/Oct/10 ]
Can't say for sure, but when I turned the PROTOCOL_MESSAGE logger on, I didn't get the
XML, but did notice this. The buggy line might have been there initially, so maybe the bug is
that the encoders/decoders aren't logging in all cases?
Comment by Scott Cantor [ 04/Oct/10 ]
Ah, never mind, you're right. There was a third variable, the use of an EncryptedID in the query.
I think that was short circuiting the logging somehow, maybe failing at a different spot, but I'm
seeing the XML now as expected.
Comment by Brent Putman [ 04/Oct/10 ]
Yeah, the logging is done all the way up in the OpenWS base class like so:

  public void decode(MessageContext messageContext) throws MessageDecodingException, SecurityException {
      log.debug("Beginning to decode message from inbound transport of type: {}",
              messageContext.getInboundMessageTransport().getClass().getName());

      doDecode(messageContext);

      logDecodedMessage(messageContext);

      processSecurityPolicy(messageContext);

      log.debug("Successfully decoded message.");
  }


So if the actual decoding op throws in doDecode, then the logging would not be performed,
right. Not sure if just using an EncryptedID in the Subject would cause that. Don't think so, but
that step in the SAML decoders does include all the extraction of a bunch of information bits into
the message context, some of which might fail IIRC. It's a lot of work that probably shouldn't be
in the decoders at all, and probably should change in 3.x (should be factored into a handler that
runs after the decoder).
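
The logging gap discussed in this thread, as an added example that is not OpenWS or IdP code: a stand-in decoder with the same call order as the quoted decode(), next to a variant that still records the inbound message when decoding throws. The Context, DecodingException, forLog and LOG names and the missing-Issuer failure are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration (not OpenWS code): stand-in decoder with the call order quoted above. */
public class DecodeLoggingGap {

    /** Hypothetical stand-in for the message context: raw transport body plus parsed result. */
    static class Context {
        final String rawInbound;
        String decoded;
        Context(String rawInbound) { this.rawInbound = rawInbound; }
    }

    static class DecodingException extends Exception {
        DecodingException(String message) { super(message); }
    }

    /** Collected log lines, so the two variants can be compared side by side. */
    static final List<String> LOG = new ArrayList<String>();

    /**
     * Parses and extracts in one step, as the comment describes for the SAML decoders.
     * Constructed failure: a message with no Issuer element cannot be processed.
     */
    static void doDecode(Context ctx) throws DecodingException {
        if (!ctx.rawInbound.contains("<Issuer>")) {
            throw new DecodingException("no Issuer found in inbound message");
        }
        ctx.decoded = ctx.rawInbound.trim();
    }

    /** Same order as the quoted method: the message is logged only if doDecode returns. */
    static void decodeAsQuoted(Context ctx) throws DecodingException {
        LOG.add("DEBUG Beginning to decode message");
        doDecode(ctx);
        LOG.add("PROTOCOL_MESSAGE " + ctx.decoded);
        LOG.add("DEBUG Successfully decoded message.");
    }

    /** Variant: a failed decode still leaves a bounded, single-line record of the input. */
    static void decodeLoggingFailures(Context ctx) throws DecodingException {
        LOG.add("DEBUG Beginning to decode message");
        try {
            doDecode(ctx);
        } catch (DecodingException e) {
            LOG.add("PROTOCOL_MESSAGE (decode failed: " + e.getMessage() + ") "
                    + forLog(ctx.rawInbound, 200));
            throw e;
        }
        LOG.add("PROTOCOL_MESSAGE " + ctx.decoded);
        LOG.add("DEBUG Successfully decoded message.");
    }

    /** Undecoded input is untrusted: replace control characters and cap the length before logging. */
    static String forLog(String raw, int max) {
        String oneLine = raw.replaceAll("\\p{Cntrl}", " ");
        return oneLine.length() <= max ? oneLine : oneLine.substring(0, max) + "...[truncated]";
    }

    public static void main(String[] args) {
        // Constructed sample input: no Issuer, plus a newline that tries to forge a log entry.
        String bad = "<AttributeQuery><Subject/></AttributeQuery>\n12:00:00.000 - INFO forged entry";

        try {
            decodeAsQuoted(new Context(bad));
        } catch (DecodingException e) {
            LOG.add("ERROR " + e.getMessage());
        }
        System.out.println("-- call order as quoted --");
        for (String line : LOG) {
            System.out.println(line);
        }

        LOG.clear();
        try {
            decodeLoggingFailures(new Context(bad));
        } catch (DecodingException e) {
            LOG.add("ERROR " + e.getMessage());
        }
        System.out.println("-- logging on failure --");
        for (String line : LOG) {
            System.out.println(line);
        }
    }
}
```

With the quoted call order the failed request leaves only the "Beginning to decode" line and the error; the variant also keeps the message body, flattened to one line so the embedded newline cannot start a forged log entry.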
[SIDP-420] Status servlet should monitor for Terracotta availability via
SessionStore object Created: 27/Sep/10 Updated: 02/Mar/11 Resolved: 10/Feb/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.1.5, 2.2.0
Fix Version/s:     None

Type:               Improvement                   Priority:           Major
Reporter:           Russell Beall                 Assignee:           Chad La Joie
Resolution:         Won't Fix                     Votes:              0
Labels:             None


 Description
Here is a patch to edu/internet2/middleware/shibboleth/idp/StatusServlet.java which enables
session store monitoring. The page shows a line indicating that the store is accessible, but hangs
if Terracotta is disconnected. If terracotta is not implemented, the line always shows true.

$ diff StatusServlet.java.dist StatusServlet.java
47a48
> import org.opensaml.util.storage.StorageService;
69a71,73
> /** Storage service used by the IdP. */
> private StorageService<?,?> store;
>
89a94
> store = HttpServletHelper.getStorageService(config.getServletContext());
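Review bot: the value returned by HttpServletHelper.getStorageService(...) at line 94 is stored without a null check. If no storage service is registered in the servlet context, the only thing that catches it is the broad catch (Exception e) in the status output, which would print storage_accessible: false for what is really a configuration problem; check for null here and report that case distinctly.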
173a179,183
> try {
> out.println("storage_accessible: " + ((store.getPartitions() != null) ? Boolean.TRUE :
Boolean.FALSE));
> } catch (Exception e) {
> out.println("storage_accessible: " + Boolean.FALSE);
>}
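Review bot: the store.getPartitions() call at lines 179-183 has no time bound, and the description says the page hangs when Terracotta is disconnected, so a monitoring probe gets a stalled request instead of storage_accessible: false. Consider running the check under a timeout and printing false when it expires. The catch (Exception e) branch also discards the exception; log it before printing false so the cause is recoverable.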


 Comments
Comment by Russell Beall [ 27/Sep/10 ]
I should mention that this patch was run against the 2.1.5 version of StatusServlet.java
Comment by Chad La Joie [ 10/Feb/11 ]
This will not be fixed. Terracotta will not be used with the next major version of the IdP; however,
its replacement will be a monitored component like this that already report their status via the
status page.
Comment by kevin foote [ 02/Mar/11 ]
Russell

Wondering if you're running this patch on your production IdP.. I have it running in my test
environment for a while now.

If you are running this in production .. do you know what the cost of this check is against the
IdP..

I'm running a check from my loadbalancer to the StatusServlet every 30 sec or so .. Just curious
about the load that this will cost if any when I move this to production.. and perhaps if I should
scale back my monitoring.

Any hints on running this patch on a production IdP? :-)


kevin.foote
Comment by Russell Beall [ 02/Mar/11 ]
I have had no problems with this in production. It is a trivial call with no load on the server. Our
loadbalancer uses it every 5 seconds.

It is very convenient for the node to be auto-removed from the loadbalancer if the node
disconnects from Terracotta.
Comment by kevin foote [ 02/Mar/11 ]
Great. Thanks
[SIDP-419] Metadata parsing fails when version 2.1.5 succeeds for the same ones
Created: 24/Sep/10 Updated: 24/Sep/10 Resolved: 24/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                     Bug                               Priority:   Major
Reporter:                 Hached Mehdi                      Assignee:   Chad La Joie
Resolution:               Duplicate                         Votes:      0
Labels:                   None

Java Version:             Sun 1.6
Servlet Container:        JBoss 6.0 Tomcat

 Description
The IdP 2.2.0 fails at parsing French federation metadata when version 2.1.5 succeeds. It can be
a problem linked to that particular federation's metadata format.
These metadata are available here:
https://services-federation.renater.fr/metadata/renater-metadata.xml
signing certificate here:
https://services-federation.renater.fr/metadata/metadata-federation-renater.crt

The IdP 2.2.0 stops with the following messages (at debug level the stack trace is not any
clearer):

16:47:04.717 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:179] -
shibboleth.HandlerManager service loaded new configuration
16:49:37.263 - INFO [org.apache.velocity.app.VelocityEngine:49] - LogSystem has been
deprecated. Please use a LogChute implementation.
16:49:37.450 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:157] -
Loading new configuration for service shibboleth.AttributeResolver
16:49:37.584 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:54] -
Parsing configuration for PrincipalConnector plugin with ID: shibTransient
16:49:37.586 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:54] -
Parsing configuration for PrincipalConnector plugin with ID: saml1Unspec
16:49:37.587 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:54] -
Parsing configuration for PrincipalConnector plugin with ID: saml2Transient
16:49:37.613 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:54] -
Parsing configuration for AttributeDefinition plugin with ID: transientId
16:49:37.824 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:179] -
shibboleth.AttributeResolver service loaded new configuration
16:49:37.841 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:157] -
Loading new configuration for service shibboleth.AttributeFilterEngine
16:49:37.882 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyBeanDefinitionParser:71] -
Parsing configuration for attribute filter policy releaseTransientIdToAnyone
16:49:37.945 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:179] -
shibboleth.AttributeFilterEngine service loaded new configuration
16:49:37.957 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:157] -
Loading new configuration for service shibboleth.SAML1AttributeAuthority
16:49:37.969 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:157] -
Loading new configuration for service shibboleth.SAML2AttributeAuthority
16:49:37.995 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:157] -
Loading new configuration for service shibboleth.RelyingPartyConfigurationManager
16:49:38.439 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187]
- Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error
creating components. The root cause of this error was: java.lang.NullPointerException: null

Comments
Comment by Rod Widdowson [ 24/Sep/10 ]
Duplicate https://bugs.internet2.edu/jira/browse/SIDP-418, I feel...
[SIDP-417] Shib deployed to root web context, SSOProfileHandler forwards to
"/null/AuthnEngine" Created: 23/Sep/10 Updated: 10/Nov/10 Resolved: 10/Nov/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.1

Type:               Bug                             Priority:       Minor
Reporter:           Robert Egglestone               Assignee:       Chad La Joie
Resolution:         Fixed                           Votes:          0
Labels:             None

Attachments:           shib-root-context.patch
Java Version:       Sun 1.5
Servlet Container:  Jetty 6

 Description
I have Shibboleth deployed at the root of a site.

With Shibboleth 2.2.0, attempts to login redirect the user to
"https://iam.dev.auckland.ac.nz:443/null/AuthnEngine".

Previously this was being handled by dispatching internally, however the changes in SIDP-380
mean that there is now an extra redirect.

The redirect path is being built using org.opensaml.util.URLBuilder, but the problem is in
SSOProfileHandler, which is taking the existing path (which has been converted from "" to null
by URLBuilder), and is concatenating authenticationManagerPath to it.

{code}
URLBuilder urlBuilder = HttpServletHelper.getServletContextUrl(httpRequest);
urlBuilder.setPath(urlBuilder.getPath() + authenticationManagerPath);
{code}

 Comments
Comment by Robert Egglestone [ 23/Sep/10 ]
Patch attached, the same problem occurred in several different places. With the patch applied I
can now login again.
Comment by Chad La Joie [ 10/Nov/10 ]
fixed in rev 2966
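
The root-context failure reported in this issue, as an added example that is neither the attached patch nor IdP code: a stand-in builder that stores an empty path as null (as the report describes), the concatenation from the {code} snippet, and a null-safe join. The Builder class, joinPath helper and idp.example.org host are assumptions made for the illustration.

```java
/** Added illustration (not IdP code): why a root-context deployment ends up at /null/AuthnEngine. */
public class RootContextPath {

    /** Hypothetical stand-in for the URL builder: an empty path is stored as null. */
    static class Builder {
        private final String scheme;
        private final String host;
        private final int port;
        private String path;

        Builder(String scheme, String host, int port, String contextPath) {
            this.scheme = scheme;
            this.host = host;
            this.port = port;
            setPath(contextPath);
        }

        String getPath() { return path; }

        void setPath(String p) { path = (p == null || p.isEmpty()) ? null : p; }

        String build() {
            StringBuilder sb = new StringBuilder(scheme).append("://").append(host).append(':').append(port);
            if (path != null) {
                if (!path.startsWith("/")) {
                    sb.append('/');
                }
                sb.append(path);
            }
            return sb.toString();
        }
    }

    /** The concatenation from the report: null + "/AuthnEngine" becomes "null/AuthnEngine". */
    static String buggyRedirect(Builder b, String authnPath) {
        b.setPath(b.getPath() + authnPath);
        return b.build();
    }

    /** Null-safe join: treats a null base as the root and avoids doubled or missing slashes. */
    static String joinPath(String base, String suffix) {
        String left = base == null ? "" : base;
        while (left.endsWith("/")) {
            left = left.substring(0, left.length() - 1);
        }
        String right = suffix.startsWith("/") ? suffix : "/" + suffix;
        return left + right;
    }

    static String fixedRedirect(Builder b, String authnPath) {
        b.setPath(joinPath(b.getPath(), authnPath));
        return b.build();
    }

    public static void main(String[] args) {
        String authn = "/AuthnEngine";
        // Constructed deployments: one at the root context, one under /idp.
        String[] contexts = { "", "/idp" };
        for (String ctx : contexts) {
            String shown = ctx.isEmpty() ? "(root)" : ctx;
            System.out.println("context " + shown + " buggy: "
                    + buggyRedirect(new Builder("https", "idp.example.org", 443, ctx), authn));
            System.out.println("context " + shown + " fixed: "
                    + fixedRedirect(new Builder("https", "idp.example.org", 443, ctx), authn));
        }
    }
}
```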
[SIDP-416] MetadataProviderObserver leak, new one added on every login Created:
22/Sep/10 Updated: 23/Sep/10 Resolved: 23/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication, SAML 2
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:                     Bug                        Priority:          Minor
Reporter:                 Robert Egglestone          Assignee:          Chad La Joie
Resolution:               Fixed                      Votes:             0
Labels:                   None

Attachments:                 shib-use-MetadataCredentialResolverFactory.patch
Java Version:             Sun 1.6
Servlet Container:        Jetty 6

 Description
After running Shibboleth for a period of time, we've found thousands of metadata provider
observer instances are registered on the metadata provider. These are getting added every time a
user logs in.

MetadataCredentialResolverFactory ensures that only one instance of
MetadataCredentialResolver is created for each MetadataProvider.

Shibboleth is not using this factory, but instead directly creating instances of
MetadataCredentialResolver. Each resolver then registers its own observer, which causes the
observers to build up over time. This also means the caching done in
MetadataCredentialResolver is not effective as the cache is being recreated for each instance.

Please can Shibboleth use the factory instead of directly creating instances of
MetadataCredentialResolver?

The request trace for these observers being created is...
> SSOProfileHandler.completeAuthenticationRequest
> AbstractSAML2ProfileHandler.buildResponse
> AbstractSAML2ProfileHandler.getEncrypter
> AbstractSAML2ProfileHandler.getKeyEncryptionCredential
> new MetadataCredentialResolver
> new MetadataProviderObserver
Comments
Comment by Robert Egglestone [ 22/Sep/10 ]
Patch attached.
Comment by Robert Egglestone [ 22/Sep/10 ]
Note that this issue is the cause of a large number of repeated "Credential cache cleared"
messages, as seen in JOST-103
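
The observer build-up described in this issue, as an added example that is not OpenSAML or IdP code: stand-in classes where each resolver registers an observer on its provider, compared across direct construction per login and a factory that keeps one resolver per provider. Provider, Resolver, ResolverFactory and the sp.example.org entity ID are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added illustration (not OpenSAML code): observer growth with and without a resolver factory. */
public class ObserverLeakDemo {

    interface Observer { void onChange(); }

    /** Hypothetical stand-in for a metadata provider: it only keeps its observer list. */
    static class Provider {
        final List<Observer> observers = new ArrayList<Observer>();
    }

    /** Stand-in resolver: registers an observer on construction and caches lookups. */
    static class Resolver {
        private final Map<String, String> cache = new HashMap<String, String>();
        int cacheMisses = 0;

        Resolver(Provider provider) {
            // The provider now holds a reference to this resolver through the observer,
            // so the resolver and its cache stay reachable for as long as the provider lives.
            provider.observers.add(new Observer() {
                public void onChange() { cache.clear(); }
            });
        }

        String resolve(String entityId) {
            String credential = cache.get(entityId);
            if (credential == null) {
                cacheMisses++;
                credential = "credential-for-" + entityId; // placeholder for the expensive lookup
                cache.put(entityId, credential);
            }
            return credential;
        }
    }

    /** Stand-in factory: hands out one resolver per provider instance. */
    static class ResolverFactory {
        private final Map<Provider, Resolver> instances = new HashMap<Provider, Resolver>();

        synchronized Resolver getInstance(Provider provider) {
            Resolver resolver = instances.get(provider);
            if (resolver == null) {
                resolver = new Resolver(provider);
                instances.put(provider, resolver);
            }
            return resolver;
        }
    }

    /** Returns {observers registered on the provider, cache misses} after the given logins. */
    static int[] simulateLogins(int logins, boolean useFactory) {
        Provider provider = new Provider();
        ResolverFactory factory = new ResolverFactory();
        int misses = 0;
        for (int i = 0; i < logins; i++) {
            Resolver resolver = useFactory ? factory.getInstance(provider) : new Resolver(provider);
            int before = resolver.cacheMisses;
            resolver.resolve("https://sp.example.org/shibboleth"); // constructed entity ID
            misses += resolver.cacheMisses - before;
        }
        return new int[] { provider.observers.size(), misses };
    }

    public static void main(String[] args) {
        int[] direct = simulateLogins(1000, false);
        int[] viaFactory = simulateLogins(1000, true);
        System.out.println("direct construction: observers=" + direct[0] + " cacheMisses=" + direct[1]);
        System.out.println("via factory:         observers=" + viaFactory[0] + " cacheMisses=" + viaFactory[1]);
    }
}
```

Direct construction adds one observer and one cache miss per login; the factory path registers a single observer and only the first lookup misses.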
[SIDP-415] SAML name identifier value not logged in audit log Created: 20/Sep/10   Updated:
20/Sep/10 Resolved: 20/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5
Fix Version/s:     2.2.0

Type:                     Bug                      Priority:      Minor
Reporter:                 Chad La Joie             Assignee:      Chad La Joie
Resolution:               Fixed                    Votes:         0
Labels:                   None

Java Version:             Sun 1.5
Servlet Container:        Jetty 7

 Description
The SAML name identifier was not being properly logged in the audit log per
https://spaces.internet2.edu/display/SHIB2/IdPLogging

Comments
Comment by Chad La Joie [ 20/Sep/10 ]
Fixed in rev 2952
[SIDP-414] report number of active sessions in status Created: 16/Sep/10       Updated: 23/Sep/10
Resolved: 20/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                 New Feature                 Priority:           Trivial
Reporter:             Etienne Dysli               Assignee:           Chad La Joie
Resolution:           Won't Fix                   Votes:              0
Labels:               None


 Description
It'd be nice if the status page would report the number of active IdP sessions. This should give
deployers an idea of the usage level of their IdP.

 Comments
Comment by Chad La Joie [ 20/Sep/10 ]
The APIs available at the level of the status page don't allow this. That's something on the IdP v3
list of things to fix as it also causes issues with the Hungarian's logout plugin
[SIDP-413] Change link on example login page Created: 16/Sep/10   Updated: 20/Sep/10 Resolved:
20/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:               Improvement               Priority:          Minor
Reporter:           Patrik Schnellmann        Assignee:          Chad La Joie
Resolution:         Completed                 Votes:             0
Labels:             None


 Description
The link for the documentation in login.jsp should point to
https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPassLoginPage instead of
IdPAuthUserPass

Comments
Comment by Chad La Joie [ 20/Sep/10 ]
Done in rev 2953
[SIDP-412] Create new login context, discard old one(s) Created: 16/Sep/10          Updated: 23/Sep/10
Resolved: 20/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                 Bug                          Priority:           Minor
Reporter:             Halm Reusser                 Assignee:           Chad La Joie
Resolution:           Won't Fix                    Votes:              0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Jetty 7

Description
Let me explain the issue:

1. User accesses SP A
2. LoginContext is created, User authenticates
3. User might be redirected to an extension (e.g., uApprove), the LoginContext is persisted
(cookie, storage service)
4. The user does not complete authentication (e.g., within uApprove he clicks on some bookmark
to another SP B)
   --> LoginContext is still persisted and valid (refers to RP A), because he does not get unbound by
the IdP.
5. When the user accesses the IdP again (session initiation from SP B) the login context from A is
retrieved from the storage.

The behavior, which in my opinion will be the "right" one:
When a new SSO session is initiated, a new login context will be created and old ones are
discarded.

 Comments
Comment by Chad La Joie [ 20/Sep/10 ]
There isn't anything the IdP can do here. It has no way of detecting a user coming back to the
profile handler after a successful authentication vs a user that successfully authenticated but left
the IdP at some other non-IdP managed page provided by an extension then came back again
with a new request from an SP.
[SIDP-411] Check for loginContext != null at login.jsp Created: 31/Aug/10       Updated: 23/Sep/10
Resolved: 13/Sep/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:                 Improvement                Priority:           Trivial
Reporter:             Halm Reusser               Assignee:           Chad La Joie
Resolution:           Fixed                      Votes:              1
Labels:               None


 Description
Some users will bookmark the IdP login form. If they access it again later, they get an error after
authentication, because of the missing login context.

A suggestion would be to check for loginContext != null in login.jsp and print a warning
message. This would be a good example for the shipped login.jsp; deployers might adjust it
accordingly.


Comments
Comment by Peter Schober [ 09/Sep/10 ]
From http://groups.google.com/group/shibboleth-users/msg/09b3953b9cb9757e

<%@ page
import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext,
edu.internet2.middleware.shibboleth.idp.session.*,
edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %><%
 LoginContext loginContext =
  HttpServletHelper.getLoginContext(HttpServletHelper.getStorageService(application),
   application, request);
 Session userSession = HttpServletHelper.getUserSession(request);
%><?xml ...><!DOCTYPE ...><html ...>
<% if(loginContext != null){ %>
 <% if ("true".equals(request.getAttribute("loginFailed"))) { %>
  <h1>Authentication failed</h1>
 <% } else { %>
  <h1>Login</h1>
 <% } %>
<% } else { %>
 <h1>Error</h1>
<% } %>
Comment by Chad La Joie [ 13/Sep/10 ]
Added in rev 2949

Also made it more clear that the shipping login page is only an example
[SIDP-410] Subject Principal NullPointerException on restart (or change of
nodes) of Terracotta-instrumented tomcat nodes Created: 27/Aug/10 Updated: 23/Sep/10 Resolved:
27/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:              Bug                           Priority:           Critical
Reporter:          Russell Beall                 Assignee:           Chad La Joie
Resolution:        Invalid                       Votes:              0
Labels:            None

Java Version:      Sun 1.6
Servlet Container: Apache Tomcat 6.0

 Description
1. Existing session in browser
2. Restart tomcat node using TC or switch to a different node where the session is not present
3. Use browser to navigate to new SP
4. NullPointerException in resolving principal

It seems we still do not have the complete set of classes requiring instrumentation for TC.

Not sure why, but the browser ends up on this link:
https://shibboleth.usc.edu:443/idp/AuthnEngine

This is the error message; it bypasses the idp-process.log and is printed to catalina.out:
SEVERE: Servlet.service() for servlet AuthenticationEngine threw exception
java.lang.NullPointerException
      at javax.security.auth.Subject$ClassSet.<init>(Subject.java:1311)
      at javax.security.auth.Subject.getPrincipals(Subject.java:592)
      at edu.internet2.middleware.shibboleth.idp.session.impl.SessionImpl.__tc_wrapped_getPrincipalName(SessionImpl.java:98)
      at edu.internet2.middleware.shibboleth.idp.session.impl.SessionImpl.getPrincipalName(SessionImpl.java)
      at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.startUserAuthentication(AuthenticationEngine.java:237)
      at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:216)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.invoke(SessionValve55.java:57)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
      at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
      at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
      at java.lang.Thread.run(Thread.java:619)

Comments
Comment by Russell Beall [ 27/Aug/10 ]
Should have tried debugging this a bit before reporting it (maybe... but now you have record of
it).

This bug is resolved by adding:
           <include>javax.security.auth.Subject$ClassSet</include>
to the block:
        <additional-boot-jar-classes>

re-running make-boot-jar.sh and restarting the nodes
Comment by Russell Beall [ 27/Aug/10 ]
I see that the snapshot has no tc-config.xml at all.
I have added all the various configuration elements found to be required to support the snapshot
(both by myself and Kevin P. Foote) into the tc-config.xml published on the IdPCluster wiki
page.
[SIDP-408] NullPointerException when unable to construct NameID Created: 26/Aug/10
Updated: 23/Sep/10 Resolved: 27/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                    Bug                        Priority:            Critical
Reporter:                Russell Beall              Assignee:            Chad La Joie
Resolution:              Invalid                    Votes:               0
Labels:                  None

Java Version:            Sun 1.6
Servlet                  Apache Tomcat 6.0
Container:

 Description
At USC we don't release any attributes about a person where the person does not have an
entitlement to the application. This includes all identifiers including the usual transient-nameid
field which is constructed for all relying parties if the person is entitled. Here is the stack trace
from the exception:

11:34:34.794 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:825] - Attemping to build NameID for principal 'beall' in response to request from relying party 'https://grs.usc.edu/shibboleth-sp
11:34:34.794 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:434] - No attributes for principal 'beall', no name identifier will be created for relying party 'https://grs.usc.edu/shibboleth-sp'
11:34:34.798 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88] - Error occured while processing request
java.lang.NullPointerException: null
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildNameId(AbstractSAML2ProfileHandler.java:837) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.buildNameId(SSOProfileHandler.java:584) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildSubject(AbstractSAML2ProfileHandler.java:700) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:263) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:265) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:151) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:85) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.2.0.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302) [catalina.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.forwardRequest(AuthenticationEngine.java:185) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToProfileHandler(AuthenticationEngine.java:171) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.completeAuthentication(AuthenticationEngine.java:520) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:213) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302) [catalina.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.forwardRequest(AuthenticationEngine.java:185) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:149) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler.login(PreviousSessionLoginHandler.java:115) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.startUserAuthentication(AuthenticationEngine.java:257) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:211) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302) [catalina.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:192) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:148) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:85) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.2.0.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:na]
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
     at org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.invoke(SessionValve55.java:57) [na:na]
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) [catalina.jar:na]
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283) [tomcat-coyote.jar:na]
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767) [tomcat-coyote.jar:na]
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697) [tomcat-coyote.jar:na]
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889) [tomcat-coyote.jar:na]
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
     at java.lang.Thread.run(Thread.java:619) [na:1.6.0_20]

 Comments
Comment by Chad La Joie [ 26/Aug/10 ]
Russ, are you using the snapshot from just a few days ago? This sounds like a problem in the
previous snapshot that was fixed (or at least I thought it was).
Comment by Russell Beall [ 27/Aug/10 ]
After downloading and trying the latest snapshot, this error no longer exists.
[SIDP-407] Shibboleth SSO profile handler sets incorrect protocol string in
outbound message context Created: 25/Aug/10 Updated: 26/Sep/10 Resolved: 25/Aug/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:               Bug                       Priority:         Minor
Reporter:           Scott Cantor              Assignee:         Scott Cantor
Resolution:         Fixed                     Votes:            0
Labels:             None

Java Version:       Sun 1.5
Servlet             Jetty 7
Container:

 Description
The ShibbolethSSOProfileHandler buildRequestContext method is setting the outbound protocol
as SAML 2.0. Looks like it should be the SAML 1.1 constant? Assuming there's no SAML 1.0
support...

Comments
Comment by Scott Cantor [ 25/Aug/10 ]
Fixed in rev. 2947.
[SIDP-404] Add an install-time setting for the path to web.xml Created: 24/Aug/10       Updated:
14/Mar/11 Resolved: 08/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5
Fix Version/s:     2.3.0

Type:                     Improvement               Priority:        Minor
Reporter:                 Scott Cantor              Assignee:        Rod Widdowson
Resolution:               Fixed                     Votes:           0
Labels:                   None


 Description
If web.xml has to be customized (e.g. to add a container managed data source) it would be
convenient when tracking snapshots or upgrading to override the path to the web.xml to pull into
the war. I think this is fairly straightforward in the ant task that builds the war.

 Comments
Comment by Rod Widdowson [ 04/Feb/11 ]
I'm going to be all over the build.xml in 2.3 so I'll take a look at this.
Comment by Rod Widdowson [ 08/Feb/11 ]
The installer now looks for ${IDP_HOME}\conf\web.xml and uses that if this is a reinstall.

Revisions 2988.

Installation documentation amended as well.
[SIDP-403] Use text/xml as the media type for returned metadata unless user
agent request metadata media type Created: 24/Aug/10 Updated: 22/Oct/10 Resolved: 13/Sep/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:               Improvement                   Priority:           Minor
Reporter:           Chad La Joie                  Assignee:           Chad La Joie
Resolution:         Fixed                         Votes:              0
Labels:             None


 Description
Currently, when a user agent requests an IdP's metadata from the metadata profile handler it
responds with the SAML metadata media type. If you point a browser at this URL, since it
doesn't understand the SAML metadata media type, it will simply prompt to save the file instead
of displaying it.

In order to avoid this, check the incoming requests for supported media types. If SAML metadata
media type is not listed use text/xml or text as supported. If nothing is supported return an error.

Comments
Comment by Chad La Joie [ 13/Sep/10 ]
Added in rev 2950

Use the media type application/xml instead of text/xml because text/xml implies US-ASCII
character encoding which isn't what we want.
Comment by seylok [ 22/Oct/10 ]
According to SAML 2.0 Metadata Spec (saml-metadata-2.0-os), section 4.1.1 (rows 1229-1235),

"... the content type of the metadata instance MUST be application/samlmetadata+xml..."
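
The negotiation requested in SIDP-403, as an added example that is not part of the tracker export or the IdP code base. It falls back to application/xml as the 13/Sep/10 comment describes; treating a missing Accept header or a bare wildcard as a request for the SAML metadata type is an assumption of this example, and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

// Added illustration of the negotiation described in SIDP-403; not the IdP's handler code.
public class MetadataMediaTypeSelector {

    static final String SAML_METADATA = "application/samlmetadata+xml";
    static final String GENERIC_XML = "application/xml";

    /** One media range from an Accept header with its quality weight. */
    static final class Range {
        final String type;
        final double q;

        Range(String type, double q) {
            this.type = type;
            this.q = q;
        }
    }

    /** Splits an Accept header into media ranges; only the q parameter is interpreted. */
    static List<Range> parse(String accept) {
        List<Range> ranges = new ArrayList<>();
        for (String part : accept.split(",")) {
            String[] fields = part.trim().split(";");
            String type = fields[0].trim().toLowerCase(Locale.ROOT);
            if (type.isEmpty()) {
                continue;
            }
            double q = 1.0;
            for (int i = 1; i < fields.length; i++) {
                String param = fields[i].trim().toLowerCase(Locale.ROOT);
                if (param.startsWith("q=")) {
                    try {
                        q = Double.parseDouble(param.substring(2).trim());
                    } catch (NumberFormatException e) {
                        q = 0.0; // malformed weight: treat the range as not acceptable
                    }
                }
            }
            ranges.add(new Range(type, q));
        }
        return ranges;
    }

    /** Weight of the range naming mediaType exactly, or -1 when the header does not name it. */
    static double namedWeight(List<Range> ranges, String mediaType) {
        double best = -1;
        for (Range r : ranges) {
            if (r.type.equals(mediaType)) {
                best = Math.max(best, r.q);
            }
        }
        return best;
    }

    /** Highest weight among wildcard ranges that cover application types, or -1 if none. */
    static double wildcardWeight(List<Range> ranges) {
        double best = -1;
        for (Range r : ranges) {
            if (r.type.equals("*/*") || r.type.equals("application/*")) {
                best = Math.max(best, r.q);
            }
        }
        return best;
    }

    /** Returns the Content-Type to send, or empty when the caller should answer 406. */
    static Optional<String> select(String acceptHeader) {
        if (acceptHeader == null || acceptHeader.trim().isEmpty()) {
            return Optional.of(SAML_METADATA); // assumption: no preference stated
        }
        List<Range> ranges = parse(acceptHeader);
        double saml = namedWeight(ranges, SAML_METADATA);
        double xml = namedWeight(ranges, GENERIC_XML);
        double wildcard = wildcardWeight(ranges);
        if (saml > 0) return Optional.of(SAML_METADATA);   // client names the SAML type
        if (xml > 0) return Optional.of(GENERIC_XML);      // typical browser: render as XML
        if (wildcard > 0 && saml < 0) return Optional.of(SAML_METADATA); // assumption, see above
        if (wildcard > 0 && xml < 0) return Optional.of(GENERIC_XML);    // SAML type refused with q=0
        return Optional.empty();
    }

    public static void main(String[] args) {
        String[] constructed = { // constructed sample headers
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "application/samlmetadata+xml",
            "*/*",
            "application/samlmetadata+xml;q=0, */*",
            "text/html"
        };
        for (String header : constructed) {
            System.out.println(header + " -> " + select(header).orElse("406 Not Acceptable"));
        }
    }
}
```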
[SIDP-402] Update 3rd party libraries for 2.2 release Created: 23/Aug/10   Updated: 23/Aug/10
Resolved: 23/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:                 Task                   Priority:         Minor
Reporter:             Chad La Joie           Assignee:         Chad La Joie
Resolution:           Fixed                  Votes:            0
Labels:               None


Description
Update 3rd party libs:
 xerces 2.9.1 -> 2.10.0
 ant 1.7.0 -> 1.7.1

Comments
Comment by Chad La Joie [ 23/Aug/10 ]
Added in rev 2942
[SIDP-401] Quick Installer doesn't set up the Admin access rights correctly for
Tomcat Created: 23/Aug/10 Updated: 17/May/11 Resolved: 19/Mar/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.5
Fix Version/s:     2.3.0

Type:               Bug                           Priority:            Minor
Reporter:           Rod Widdowson                 Assignee:            Rod Widdowson
Resolution:         Fixed                         Votes:               0
Labels:             None

Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
The QS installer (should have) enough smarts to use the Shibboleth JAAS connector to allow the
"administrator" user (by name) to get access to the tomcat manager capability.

This seemed like a good idea at the time, particularly since I naively expected people to wire in
something more permanent if they had a need. However, it has proven to be constantly problematic
and I just don't like hardwiring this to an account name. Further, it is not widely used (people just
don't have a need) and adds marginal value, somewhere quite far from our core needs.

It has now rusted (https://lists.internet2.edu/sympa/arc/shibboleth-users/2010-08/msg00190.html).
I'll troubleshoot this, but unless there is a wail of complaint, I am going to
remove this function from a future version - probably 2.2, failing that 3.0 definitely.

 Comments
Comment by Rod Widdowson [ 23/Aug/10 ]
The issue is that the principal in the web.xml is "Administrator" (starting with caps). Specifying
a login as "Administrator" works (for me), "administrator" doesn't. I knew that using the
hardwired login name was a smelly idea.

I'm going to keep this case alive to track deleting this unfortunate function from the installer and
the documentation.
Comment by Rod Widdowson [ 19/Mar/11 ]
This has been checked in as part of the 2.3 work. Check-in 292 in the extensiona
[SIDP-399] SessionManagerImpl fails to destroy indexed sessions Created: 21/Jul/09
Updated: 26/Sep/10 Resolved: 06/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:                    Bug                  Priority:          Minor
Reporter:                Adam Lantos          Assignee:          Chad La Joie
Resolution:              Duplicate            Votes:             0
Labels:                  None

Java Version:            Sun 1.5
Servlet                  Apache Tomcat 5.5
Container:

 Description
SessionManagerImpl.destroySession() only removes the given sessionID from the session store
and keeps indexed references in place. This causes several code-paths to access the session
depending on the index they use.

 Comments
Comment by Adam Lantos [ 17/Aug/09 ]
I have a proposed patch here:

https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=commitdiff;h=98d404d241e946ed3745ce55d52d0c64b9fa1889
Comment by Chad La Joie [ 06/Aug/10 ]
Duplicate of SIDP-386
[SIDP-398] Add X-Frame-Options http header as a prevention for XSRF
(Clickjacking) attacks on IdP login page Created: 03/Aug/10 Updated: 13/Sep/10 Resolved: 13/Sep/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:                New Feature                    Priority:             Minor
Reporter:            Patrik Schnellmann             Assignee:             Chad La Joie
Resolution:          Completed                      Votes:                0
Labels:              None


 Description
The latest browser versions (IE8, Opera 10.50, Safari 4+ i.e. WebKit, forthcoming Firefox 3.6.9
or current FF with NoScript Add-On) support the header and for older browsers, the header
won't do any harm.

References:
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://www.owasp.org/index.php/Clickjacking

 Comments
Comment by Chad La Joie [ 13/Sep/10 ]
Instead of adding this to the login.jsp itself, where we know it will cause problems with some
sites (that do purposefully frame their login page) it will be added to a much expanded version of
the documentation page describing how to customize the login page.
[SIDP-397] Remove any unit test that won't be fixed in the 2.X branch, fix the
rest Created: 02/Aug/10 Updated: 31/Jan/11 Resolved: 03/Aug/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: None
Fix Version/s:     None

Type:               Task                          Priority:            Minor
Reporter:           Chad La Joie                  Assignee:            Chad La Joie
Resolution:         Completed                     Votes:               0
Labels:             None


 Description
Fix any failing unit test that can be fixed with minimal effort. Remove all the rest.

Comments
Comment by Chad La Joie [ 03/Aug/10 ]
Finished in rev 2934
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-396] Previous session LoginHandler used even if authentication method
has expired Created: 28/Jul/10 Updated: 16/Aug/10 Resolved: 16/Aug/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:                Bug                        Priority:           Minor
Reporter:            David Langenberg           Assignee:           Chad La Joie
Resolution:          Fixed                      Votes:              0
Labels:              None

Java Version:        Sun 1.6
Servlet              Apache Tomcat 6.0
Container:

 Description
From: handler.xml

<LoginHandler xsi:type="UsernamePassword" authenticationDuration="1"
          jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
     <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>

From: internal.xml

<bean id="shibboleth.SessionManager"
     class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
     depends-on="shibboleth.LogbackLogging">
    <constructor-arg ref="shibboleth.StorageService" />
    <constructor-arg value="28800000" type="long" />
  </bean>

1) Visit SP
2) Login to IdP
3) Wait 2 minutes
4) Cause SP to re-check with the IdP

SP will report back that the SAML from the IdP contains errors. If you leave
authenticationDuration off & wait the default time the same issue happens. Ideally the IdP would
notice that there is a mismatch in the SessionManager timeout & loginHandler timeout & either
log the issue or throw a fatal error and abort. When you reverse the settings (short session
management & long authenticationDuration) the expected behavior of having to re-enter your
credentials after the session times out happens.

Comments
Comment by Chad La Joie [ 16/Aug/10 ]
What is the actual error at the SP? What do the IdP logs say?
Comment by Chad La Joie [ 16/Aug/10 ]
Fixed in rev 2941
[SIDP-395] Slow Memory Leak Created: 23/Jul/10                Updated: 31/Jan/11 Resolved: 02/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:                  Bug                                 Priority:                 Minor
Reporter:              Russell Beall                       Assignee:                 Chad La Joie
Resolution:            Cannot Reproduce                    Votes:                    0
Labels:                None

Java Version:          Sun 1.6
Servlet                Apache Tomcat 6.0
Container:

 Description
It appears that not quite all memory leaks were plugged from last year's work on the memory
issues.

Instead of filling up the JVM in two weeks of heavy use, it takes two months of heavy use to fill
up a 2G JVM. The following is a heap trace showing the objects which were hanging around.
This is with Terracotta in use.

Object Histogram:

num #instances #bytes Class description
--------------------------------------------------------------------------
1: 3740573 364185984 char[]
2: 7121427 341828496 java.util.HashMap$Entry
3: 3498305 195905080 java.lang.ref.SoftReference
4: 61004 177727376 java.util.HashMap$Entry[]
5: 3756237 150249480 java.lang.String
6: 3517010 84408240 java.lang.Integer
7: 25603 32320384 byte[]
8: 108632 14826176 * ConstMethodKlass
9: 108632 13045840 * MethodKlass
10: 10602 11330072 * ConstantPoolKlass
11: 10602 9559192 * InstanceKlassKlass
12: 74289 8995264 java.lang.Object[]
13: 142345 7757336 * SymbolKlass
14: 9330 6933728 * ConstantPoolCacheKlass
15: 16801 6056696 int[]
16: 67160 5372800 com.tc.object.TCObjectPhysical
17: 8625 4454528 * MethodDataKlass
18: 2 4325424 org.apache.commons.collections.map.AbstractHashedMap$HashEntry[]
19: 128616 4115712 EDU.oswego.cs.dl.util.concurrent.LinkedNode
20: 68558 3839248 com.tc.object.WeakObjectReference
21: 42125 3707000 java.util.HashMap
22: 116109 2786616 com.tc.object.ObjectID
23: 44217 2476152 java.lang.ThreadLocal$ThreadLocalMap$Entry
24: 43945 2471088 java.lang.String[]
25: 218 2385648 java.lang.ThreadLocal$ThreadLocalMap$Entry[]
26: 26254 2290856 java.util.concurrent.ConcurrentHashMap$HashEntry[]
27: 47054 2258592 java.util.concurrent.ConcurrentHashMap$HashEntry
28: 35203 2252992 java.util.LinkedHashMap$Entry
29: 26240 2099200 java.util.concurrent.ConcurrentHashMap$Segment
30: 11267 2073128 java.lang.Class
31: 25792 2063360 java.util.concurrent.locks.ReentrantReadWriteLock$FairSync
32: 51543 2061720 java.util.concurrent.locks.ReentrantReadWriteLock$DsoLock
33: 18812 1956448 java.util.LinkedHashMap
34: 17108 1779232 com.tc.aspectwerkz.reflect.impl.asm.AsmMethodInfo
35: 34287 1645776 java.util.ArrayList
36: 18689 1526680 * System ObjArray
37: 30996 1487808 java.lang.ref.WeakReference
38: 42500 1360000 java.util.concurrent.locks.ReentrantReadWriteLock$Sync$HoldCounter
39: 41264 1320448 org.opensaml.xml.util.LazyList
40: 19740 1105440 com.tc.aspectwerkz.reflect.impl.asm.MethodStruct
41: 22158 1063584 javax.xml.namespace.QName
42: 25792 1031680 java.util.concurrent.locks.ReentrantReadWriteLock$WriteLock
43: 25751 1030040 java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock
44: 9802 1019408 com.tc.object.dna.impl.ObjectDNAImpl
45: 13595 1018280 short[]
46: 191 966888 java.util.WeakHashMap$Entry[]
47: 19491 935568 org.opensaml.xml.Namespace
48: 15779 883624 java.nio.HeapByteBuffer
49: 5465 830680 java.lang.reflect.Method
50: 6851 822120 java.lang.reflect.Constructor
51: 19846 793840 java.util.HashSet
52: 12967 726152 gnu.trove.THashMap
53: 15003 720144 com.tc.bytes.TCByteBufferImpl
54: 28598 686352 org.opensaml.xml.util.LazyMap
55: 4964 650192 java.util.Hashtable$Entry[]
56: 25792 619008 java.util.concurrent.locks.ReentrantReadWriteLock$Sync$ThreadLocalHoldCounter
57: 19178 613696 java.util.HashMap$EntrySet
58: 5935 569760 org.springframework.beans.PropertyValue
59: 13846 553840 org.opensaml.xml.util.XMLObjectChildrenList
60: 22809 547416 org.opensaml.xml.util.LazySet
61: 17063 546016 org.opensaml.xml.util.IDIndex
62: 15036 481152 java.util.Collections$SingletonSet
63: 9805 470640 com.tc.io.TCByteBufferInputStream
64: 5812 464960 org.apache.tomcat.util.buf.MessageBytes
65: 14248 455936 java.util.HashMap$KeySet
66: 9376 450048 edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerEntry
67: 9314 447072 java.util.Hashtable$Entry
68: 7687 430472 org.apache.commons.collections.map.AbstractReferenceMap$WeakRef
69: 7687 430472 org.apache.commons.collections.map.AbstractReferenceMap$ReferenceEntry
70: 7537 422072 edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry
71: 7519 421064 com.tc.util.ToggleableReferenceManager$SometimesStrongAlwaysWeakReference
72: 4308 413568 com.tc.jrexx.regex.Automaton_Pattern$PState
73: 1710 396720 org.springframework.beans.factory.support.RootBeanDefinition
74: 6183 395712 org.apache.tomcat.util.buf.ByteChunk
75: 636 366336 * ObjArrayKlassKlass
76: 4955 356760 java.util.WeakHashMap$Entry
77: 10645 351480 com.tc.bytes.TCByteBuffer[]
78: 6077 340312 org.apache.tomcat.util.buf.CharChunk
79: 2714 303968 org.apache.xerces.dom.ElementNSImpl
80: 4085 294120 org.apache.catalina.loader.ResourceEntry
81: 1728 290304 org.springframework.beans.factory.support.GenericBeanDefinition
82: 6011 288528 java.util.Vector
83: 3595 287600 java.util.Hashtable
84: 5050 282800 org.apache.xerces.dom.TextImpl
85: 5605 269040 org.opensaml.xml.util.IndexedXMLObjectChildrenList
86: 4197 268608 com.tc.jrexx.automaton.Automaton$State$Transition
87: 1316 263200 com.tc.aspectwerkz.reflect.impl.asm.AsmClassInfo
88: 6327 253080 java.util.Collections$SynchronizedSet
89: 3948 252672 com.tc.aspectwerkz.reflect.impl.asm.AsmFieldInfo
90: 5243 251664 java.util.LinkedHashSet
91: 1640 249280 java.util.concurrent.ConcurrentHashMap$Segment[]
92: 3425 246600 org.apache.xerces.dom.AttrNSImpl
93: 2942 235360 java.util.Collections$SingletonMap
94: 5711 228440 org.opensaml.xml.util.AttributeMap
95: 5567 222680 java.util.LinkedList$Entry
96: 3461 221504 java.lang.ref.Finalizer
97: 3948 221088 com.tc.aspectwerkz.reflect.impl.asm.FieldStruct
98: 1287 216216 org.opensaml.saml2.metadata.impl.ContactPersonImpl
99: 1351 216160 org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl
100: 4502 216096 java.util.LinkedList
101: 2632 210560 com.tc.aspectwerkz.reflect.impl.asm.AsmConstructorInfo
102: 4198 201520 com.tc.jrexx.set.CharSet$Wrapper[]
103: 6252 201456 java.lang.Class[]
104: 1680 188160 java.net.URL
105: 1408 168960 com.tc.aspectwerkz.definition.AspectDefinition
106: 1758 168768 java.beans.MethodDescriptor
107: 4198 167920 com.tc.jrexx.set.CharSet$LongMap
108: 1327 159240 org.mozilla.javascript.DefiningClassLoader
109: 3972 158880 java.util.Collections$SingletonList
110: 1640 157440 java.util.concurrent.ConcurrentHashMap
111: 1122 152592 org.apache.catalina.session.StandardSession
112: 1287 144144 org.opensaml.saml2.metadata.impl.EmailAddressImpl
113: 1279 143248 org.opensaml.saml2.metadata.impl.GivenNameImpl
114: 2207 141248 java.util.TreeMap$Entry
115: 4308 137856 com.tc.jrexx.automaton.Automaton$Wrapper_State
116: 3438 137520 org.springframework.beans.MutablePropertyValues
117: 4253 136096 com.tc.jrexx.set.CharSet$Wrapper
118: 1408 135168 com.tc.aspectwerkz.definition.AdviceDefinition
119: 3227 129080 sun.reflect.generics.tree.SimpleClassTypeSignature
120: 1343 128928 java.util.Properties
121: 643 128600 org.opensaml.saml2.metadata.impl.EntityDescriptorImpl
122: 495 126720 org.opensaml.saml2.metadata.impl.SPSSODescriptorImpl
123: 979 117480 org.opensaml.xml.signature.impl.KeyInfoImpl
124: 912 116736 org.opensaml.saml2.metadata.impl.KeyDescriptorImpl
125: 647 113872 org.springframework.beans.GenericTypeAwarePropertyDescriptor
126: 2833 113320 org.springframework.beans.BeanWrapperImpl$PropertyTokenHolder
127: 2810 112400 org.apache.xerces.dom.AttributeMap
128: 3438 110016 org.springframework.beans.factory.config.ConstructorArgumentValues
129: 980 109760 org.opensaml.xml.signature.impl.X509CertificateImpl
130: 979 109648 org.opensaml.xml.signature.impl.X509DataImpl
131: 1195 105160 javax.management.MBeanServerNotification
132: 1408 101376 com.tc.aspectwerkz.definition.SystemDefinition
133: 4198 100752 com.tc.jrexx.set.CharSet
134: 1398 100656 com.tc.object.TCObjectLogical
135: 1501 96064 gnu.trove.TIntObjectHashMap
136: 641 92304 org.opensaml.saml2.metadata.impl.OrganizationImpl
137: 688 88064 java.beans.PropertyDescriptor
138: 2632 84224 com.tc.aspectwerkz.reflect.NullClassInfo
139: 1503 84168 gnu.trove.TObjectIntHashMap
140: 3438 82512 org.springframework.beans.factory.support.MethodOverrides
141: 566 81504 com.tc.object.lockmanager.impl.ClientLock
142: 2536 81152 java.util.jar.Attributes$Name
143: 3227 80168 sun.reflect.generics.tree.TypeArgument[]
144: 1574 75552 com.tc.aspectwerkz.util.SequencedHashMap$Entry
145: 4529 72464 java.lang.Object
146: 105 72256 org.apache.xerces.util.SymbolHash$Entry[]
147: 641 71792 org.opensaml.saml2.metadata.impl.OrganizationURLImpl
148: 641 71792 org.opensaml.saml2.metadata.impl.OrganizationNameImpl
149: 641 71792 org.opensaml.saml2.metadata.impl.OrganizationDisplayNameImpl
150: 1275 71400 org.springframework.beans.factory.config.ConstructorArgumentValues$ValueHolder
151: 221 69064 long[]
152: 1689 67560 sun.reflect.NativeConstructorAccessorImpl
153: 1392 66208 javax.management.ObjectName$Property[]
154: 2045 65440 javax.management.ObjectName$Property
155: 1321 63744 com.tc.aspectwerkz.reflect.FieldInfo[]
156: 1574 62960 com.tc.aspectwerkz.util.SequencedHashMap
157: 1923 61536 org.opensaml.saml2.metadata.LocalizedString
158: 2493 59832 java.util.HashMap$Values
159: 322 59248 java.net.SocksSocketImpl
160: 585 56160 java.lang.Package
161: 501 56112 org.opensaml.saml2.common.impl.ExtensionsImpl
162: 1373 54920 edu.internet2.middleware.shibboleth.idp.authn.LoginContextEntry
163: 1142 54816 java.beans.PropertyChangeSupport
164: 521 54184 java.security.Provider$Service
165: 1691 54112 com.tc.stats.counter.sampled.TimeStampedCounterValue
166: 99 53856 org.apache.xmlbeans.impl.schema.SchemaTypeImpl
167: 1330 53296 java.lang.reflect.Constructor[]
168: 1318 52720 com.tc.aspectwerkz.reflect.impl.asm.AsmClassInfoRepository
169: 2150 51600 java.lang.Long
170: 644 51520 org.apache.tomcat.util.modeler.AttributeInfo
171: 805 51520 sun.security.pkcs11.SessionKeyRef
172: 1500 48000 com.tc.object.dna.impl.ObjectStringSerializer
173: 319 45936 org.opensaml.saml2.metadata.impl.SingleSignOnServiceImpl
174: 1068 42720 sun.security.util.MemoryCache$HardCacheEntry
175: 1060 42400 java.security.Provider$ServiceKey
176: 1759 42216 sun.reflect.DelegatingConstructorAccessorImpl
177: 1316 42112 com.tc.aspectwerkz.reflect.ClassInfo[]
178: 870 41760 org.apache.tomcat.util.http.MimeHeaderField
179: 225 41400 com.sun.jndi.ldap.LdapCtx
180: 427 40992 java.util.regex.Pattern
181: 188 40608 java.text.DecimalFormat
182: 1550 40496 java.security.cert.Certificate[]
183: 148 40256 org.opensaml.saml2.metadata.impl.IDPSSODescriptorImpl
184: 355 39760 org.opensaml.saml2.metadata.impl.SurNameImpl
185: 621 39744 java.util.Collections$SynchronizedMap
186: 987 39480 org.apache.xerces.util.SymbolTable$Entry
187: 696 38976 javax.management.ObjectName
188: 1195 38240 com.sun.jmx.remote.opt.internal.ArrayNotificationBuffer$NamedNotification
189: 296 37888
edu.internet2.middleware.shibboleth.common.xmlobject.impl.ShibbolethMetadataScopeImpl
190: 469 37520 ch.qos.logback.classic.Logger
191: 342 35568 javax.naming.NameImpl
192: 886 35440 sun.security.util.DerValue
193: 886 35440 sun.security.util.DerInputBuffer
194: 884 35360 sun.security.x509.RDN
195: 148 34336 org.opensaml.saml2.metadata.impl.AttributeAuthorityDescriptorImpl
196: 475 34200 org.apache.tomcat.util.http.ServerCookie
197: 1067 34144 javax.crypto.spec.SecretKeySpec
198: 836 33440
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.AttributeRule
199: 180 33120 javax.management.NotificationListener[][]
200: 458 32976 sun.security.pkcs11.P11Key$P11SecretKey
201: 1363 32712 com.tc.util.concurrent.SetOnceFlag
202: 574 32144 javax.management.MBeanAttributeInfo
203: 1306 31344 com.tc.object.lockmanager.api.LockID
204: 217 31248 org.opensaml.saml2.metadata.impl.AttributeServiceImpl
205: 188 30080 java.util.GregorianCalendar
206: 200 28800 com.tc.object.config.TransparencyClassSpecImpl
207: 900 28800 java.util.concurrent.atomic.AtomicReference
208: 115 28520 com.tc.object.msg.LockRequestMessage
209: 886 28352 sun.security.util.DerInputStream
210: 884 28288 sun.security.x509.AVA[]
211: 884 28288 sun.security.x509.AVA
212: 113 28024 com.sun.net.ssl.internal.ssl.SSLSocketImpl
213: 248 27776 org.opensaml.xml.schema.impl.XSStringImpl
214: 165 27720 org.apache.xmlbeans.impl.store.Xobj$ElementXobj
215: 572 27456 java.util.HashMap$UnwrappedEntriesIterator
216: 489 27384 java.util.HashMap$EntryIterator
217: 1122 26928 org.apache.catalina.session.StandardSessionFacade
218: 165 26400 org.opensaml.saml2.metadata.impl.ArtifactResolutionServiceImpl
219: 458 25648 java.util.Stack
220: 1068 25632 sun.security.pkcs11.KeyCache$IdentityWrapper
221: 199 25472 org.opensaml.saml1.core.impl.AttributeImpl
222: 226 25312 sun.security.pkcs11.P11Cipher
223: 350 25200 com.tc.runtime.Jdk15MemoryUsage
224: 519 24912 java.math.BigInteger
225: 205 24600 sun.util.calendar.Gregorian$Date
226: 613 24520 org.opensaml.util.storage.ReplayCacheEntry
227: 278 24464 org.springframework.core.MethodParameter
228: 191 24448 org.apache.jasper.compiler.Node$TemplateText
229: 217 24304 org.opensaml.saml2.metadata.impl.NameIDFormatImpl
230: 296 23680 org.apache.xerces.dom.DeferredAttrNSImpl
231: 590 23600
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.AttributeV
alueStringMatchFunctor
232: 226 23504 javax.crypto.Cipher
233: 586 23440 org.opensaml.xml.util.IndexingObjectStore$StoredObjectWrapper
234: 970 23280 java.util.jar.Attributes
235: 96 23040 org.apache.xerces.dom.DocumentImpl
236: 480 23040 javax.security.auth.Subject$SecureSet
237: 575 23000 java.util.HashMap$EntrySetWrapper
238: 260 22880 sun.security.provider.SHA
239: 566 22640 com.tc.util.LazyMap$LazyHashMap
240: 696 22272 java.util.regex.Pattern$Slice
241: 214 22256 org.mozilla.javascript.NativeJavaMethod
242: 390 21840 java.nio.HeapCharBuffer
243: 448 21504 org.apache.xerces.xni.QName
244: 103 21424 edu.vt.middleware.ldap.LdapConfig
245: 533 21320 java.util.Date
246: 63 21168 org.apache.xerces.impl.dv.xs.XSSimpleTypeDecl
247: 329 21056 org.springframework.beans.factory.support.ManagedList
248: 375 21000 java.security.MessageDigest$Delegate
249: 236 20768 org.apache.jasper.compiler.Mark
250: 370 20720 org.apache.xerces.impl.xs.XSParticleDecl
251: 336 20640 boolean[]
252: 416 19968 java.util.HashMap$KeysIterator
253: 8 19712 org.apache.xerces.util.SymbolTable$Entry[]
254: 492 19680 org.apache.velocity.runtime.parser.Parser$JJCalls
255: 153 19584 org.opensaml.xml.schema.impl.XSAnyImpl
256: 349 19544 java.nio.HeapByteBufferR
257: 812 19488 com.tc.management.stats.AggregateInteger$Sample
258: 186 19344 java.text.SimpleDateFormat
259: 150 19200 org.mozilla.javascript.IdFunctionObject
260: 199 19104 com.tc.net.protocol.transport.WireProtocolMessageImpl
261: 182 18928 org.apache.xerces.impl.xs.XSElementDecl
262: 169 18928 sun.reflect.DelegatingClassLoader
263: 236 18880 com.tc.aspectwerkz.reflect.impl.java.JavaMethodInfo
264: 292 18688 javax.management.MBeanOperationInfo
265: 564 18272 com.tc.aspectwerkz.expression.ast.Node[]
266: 163 18256 sun.net.www.protocol.jar.URLJarFile
267: 72 18216 java.beans.MethodDescriptor[]
268: 206 18128 sun.security.x509.X500Name
269: 566 18112 com.tc.object.lockmanager.impl.ClientLock$Greediness
270: 226 18080 sun.security.pkcs11.P11Mac
271: 188 18048 java.text.DecimalFormatSymbols
272: 186 17856 java.text.DateFormatSymbols
273: 197 17336 com.tc.net.protocol.delivery.OOOProtocolMessageImpl
274: 354 16992 org.mozilla.javascript.MemberBox
275: 162 16848 org.apache.xerces.impl.xs.XSComplexTypeDecl
276: 78 16848 org.apache.tomcat.util.threads.ThreadWithAttributes
277: 100 16800 org.apache.xmlbeans.impl.schema.SchemaLocalElementImpl
278: 346 16608 java.lang.management.MemoryUsage
279: 415 16600 java.util.HashMap$KeySetWrapper
280: 206 16480 com.tc.object.dna.impl.DNAWriterImpl
281: 114 16416 com.sun.net.ssl.internal.ssl.SSLSessionImpl
282: 502 16336 java.lang.reflect.Type[]
283: 255 16320 ch.qos.logback.core.status.InfoStatus
284: 408 16320 sun.security.util.ObjectIdentifier
285: 226 16272 javax.crypto.Mac
286: 406 16240 java.util.Collections$SynchronizedCollection
287: 169 16224 sun.nio.cs.StreamEncoder
288: 53 16112 org.apache.catalina.connector.Request
289: 402 16080 com.tc.util.SetIteratorWrapper
290: 125 16000 java.lang.reflect.Field
291: 663 15912 sun.reflect.generics.tree.ClassTypeSignature
292: 497 15904 java.util.concurrent.ConcurrentHashMap$KeySet
293: 497 15904 com.tcclient.util.ConcurrentHashMapKeySetWrapper
294: 218 15696 org.apache.tomcat.util.modeler.OperationInfo
295: 279 15624 org.springframework.beans.factory.support.DisposableBeanAdapter
296: 975 15600
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.AnyMatch
Functor
297: 390 15600 org.apache.xerces.util.SymbolHash$Entry
298: 484 15488 com.tc.util.LazyMap$LazyEntrySet
299: 128 15360 com.tc.object.lockmanager.impl.ClientLockManagerImpl
300: 316 15168 java.lang.StackTraceElement
301: 469 15008 ch.qos.logback.classic.spi.LoggerRemoteView
302: 186 14880 java.util.WeakHashMap
303: 181 14480 edu.internet2.middleware.shibboleth.idp.session.impl.SessionImpl
304: 53 14416 org.apache.coyote.Request
305: 111 14208 org.apache.xmlbeans.impl.schema.SchemaPropertyImpl
306: 192 13824 org.apache.xerces.impl.xs.XSAttributeDecl
307: 215 13760 sun.nio.cs.US_ASCII$Decoder
308: 156 13728 com.tc.jrexx.regex.Automaton_Pattern
309: 282 13536 java.util.zip.Inflater
310: 338 13520 com.tc.aspectwerkz.expression.regexp.TypePattern
311: 34 13392 java.lang.reflect.Method[]
312: 416 13312 java.lang.StringBuilder
313: 16 13184 com.tc.management.stats.AggregateInteger$Sample[]
314: 237 13128 java.nio.ByteBuffer[]
315: 164 13120 org.apache.xerces.impl.xs.XSAttributeGroupDecl
316: 272 13056 sun.reflect.generics.tree.MethodTypeSignature
317: 408 13056 org.joda.time.DateTime
318: 204 13056
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttribut
eEncoder
319: 199 12736 java.net.SocketInputStream
320: 156 12480 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat[]
321: 106 12464 org.apache.tomcat.util.http.MimeHeaderField[]
322: 111 12432 com.sun.jndi.ldap.LdapSearchEnumeration
323: 388 12416 java.util.concurrent.ConcurrentHashMap$EntrySet
324: 388 12416 com.tcclient.util.ConcurrentHashMapEntrySetWrapper
325: 188 12032 java.text.DigitList
326: 167 12024 java.net.SocketOutputStream
327: 206 12016 sun.security.x509.RDN[]
328: 100 12000 org.apache.xerces.dom.DeferredElementNSImpl
329: 93 11904 sun.security.x509.X509CertImpl
330: 99 11880
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.Simpl
eAttributeDefinitionFactoryBean
331: 245 11760 org.mozilla.javascript.ScriptableObject$Slot
332: 104 11648 java.util.logging.Logger
333: 164 11576 org.apache.xerces.impl.xs.XSAttributeUseImpl[]
334: 204 11424
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML1StringAttribut
eEncoder
335: 284 11360 sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl
336: 232 11136 org.apache.xml.serializer.EncodingInfo
337: 347 11104 EDU.oswego.cs.dl.util.concurrent.CopyOnWriteArrayList$COWIterator
338: 345 11040 org.apache.xerces.impl.xs.util.XSObjectListImpl
339: 227 10896 com.sun.net.ssl.internal.ssl.MAC
340: 339 10848 java.lang.StringBuffer
341: 224 10752 javax.management.MBeanParameterInfo
342: 111 10656 com.sun.jndi.ldap.LdapResult
343: 222 10656 java.util.regex.Pattern$BnM
344: 166 10624 com.tc.aspectwerkz.expression.ExpressionInfo
345: 164 10496 sun.reflect.generics.repository.MethodRepository
346: 72 10368 org.opensaml.saml2.core.impl.IssuerImpl
347: 161 10304 org.apache.xmlbeans.impl.store.Xobj$Bookmark
348: 143 10296 org.apache.log4j.Logger
349: 107 10272 javax.management.MBeanAttributeInfo[]
350: 80 10240 edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext
351: 255 10200 com.tc.io.TCByteBufferOutputStream$Mark
352: 115 10120 sun.security.provider.MD5
353: 115 10120 org.apache.tomcat.util.http.mapper.MappingData
354: 417 10008 com.tc.jrexx.regex.Pattern
355: 306 9792 sun.reflect.generics.factory.CoreReflectionFactory
356: 93 9672 sun.security.x509.X509CertInfo
357: 134 9648
edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl
358: 67 9648 org.opensaml.xml.signature.impl.SignatureImpl
359: 401 9624 com.tc.util.LazyMap$LazyCollection
360: 60 9600 org.opensaml.samlext.idpdisco.DiscoveryResponseImpl
361: 398 9552 java.util.concurrent.ConcurrentHashMap$Values
362: 119 9520 java.util.jar.JarFile
363: 148 9472 org.apache.velocity.runtime.parser.Token
364: 294 9408 org.opensaml.xml.schema.XSBooleanValue
365: 35 9336 org.apache.xerces.xni.QName[]
366: 194 9312 org.apache.xerces.impl.xs.XSAttributeUseImpl
367: 115 9200 com.sun.net.ssl.internal.ssl.InputRecord
368: 190 9120 sun.security.x509.AlgorithmId
369: 142 9088 java.util.concurrent.locks.ReentrantLock$FairSync
370: 227 9080 com.sun.net.ssl.internal.ssl.CipherBox
371: 162 9072 javax.security.auth.Subject
372: 113 9040 sun.security.pkcs11.P11Key$P11TlsMasterSecretKey
373: 70 8960 edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext
374: 372 8928 java.util.regex.Pattern$Dot
375: 222 8880 javax.naming.ldap.Rdn$RdnEntry
376: 111 8880 com.sun.jndi.toolkit.ctx.Continuation
377: 184 8832 org.apache.tomcat.util.modeler.ParameterInfo
378: 156 8736 com.tc.jrexx.automaton.Automaton$LinkedSet_State
379: 78 8736 sun.security.pkcs11.P11Signature
380: 273 8736
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.AttributeR
equesterStringMatchFunctor
381: 273 8736 * CompilerICHolderKlass
382: 107 8560 javax.management.MBeanInfo
383: 177 8496 java.security.AccessControlContext
384: 95 8360 sun.security.pkcs11.P11RSACipher
385: 208 8320 java.lang.ref.ReferenceQueue
386: 1 8216 org.joda.time.chrono.BasicChronology$YearInfo[]
387: 341 8184 javax.naming.CompositeName
388: 51 8160 org.apache.xmlbeans.impl.store.Xobj$AttrXobj
389: 102 8160 sun.nio.cs.ISO_8859_1$Encoder
390: 222 8112 org.mozilla.javascript.MemberBox[]
391: 202 8080 com.tc.net.protocol.transport.WireProtocolHeader
392: 202 8080 java.net.Socket
393: 53 8056 org.apache.tomcat.util.http.Parameters
394: 272 8024 sun.reflect.generics.tree.TypeSignature[]
395: 200 8000 org.apache.tomcat.util.buf.StringCache$ByteEntry
396: 166 7968 com.tc.aspectwerkz.expression.AdvisedClassFilterExpressionVisitor
397: 83 7968 org.apache.tomcat.util.modeler.ManagedBean
398: 166 7968 com.tc.aspectwerkz.expression.ast.ASTRoot
399: 166 7968 com.tc.aspectwerkz.expression.ast.ASTExpression
400: 166 7968 com.tc.aspectwerkz.expression.ExpressionVisitor
401: 62 7936 org.apache.jasper.runtime.PageContextImpl
402: 99 7920
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Sim
pleAttributeDefinition
403: 72 7912 java.beans.PropertyDescriptor[]
404: 197 7880 com.tc.net.protocol.delivery.OOOProtocolMessageHeader
405: 123 7872 org.apache.xerces.dom.DeferredTextImpl
406: 89 7832 sun.security.pkcs11.P11Key$P11RSAPublicKey
407: 312 7800 sun.reflect.generics.tree.FieldTypeSignature[]
408: 88 7744
edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyFact
oryBean
409: 160 7680 edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl
410: 160 7680 org.apache.xmlbeans.XmlLineNumber
411: 62 7664 org.apache.tomcat.util.http.ServerCookie[]
412: 191 7640 java.util.AbstractList$Itr
413: 159 7632 org.apache.xerces.impl.xs.util.SimpleLocator
414: 306 7560 sun.reflect.generics.tree.FormalTypeParameter[]
415: 189 7560 javax.management.ImmutableDescriptor
416: 187 7480 sun.reflect.NativeMethodAccessorImpl
417: 58 7424 org.opensaml.saml1.core.impl.SubjectConfirmationImpl
418: 58 7424 org.opensaml.saml1.core.impl.NameIdentifierImpl
419: 66 7392 org.apache.xml.security.signature.SignedInfo
420: 92 7360 org.apache.tomcat.util.digester.CallMethodRule
421: 40 7360 com.tc.object.TCClassImpl
422: 230 7360 com.tc.object.config.schema.IncludeOnLoad
423: 6 7312 java.util.TimerTask[]
424: 114 7296 com.sun.net.ssl.internal.ssl.OutputRecord
425: 182 7280 org.apache.xerces.impl.xs.identity.IdentityConstraint[]
426: 3 7272 java.util.concurrent.atomic.AtomicReference[]
427: 226 7232 sun.security.pkcs11.wrapper.CK_MECHANISM
428: 53 7208 org.apache.coyote.Response
429: 180 7200 org.apache.tomcat.util.modeler.BaseNotificationBroadcasterEntry
430: 225 7200 javax.naming.ldap.Control[]
431: 100 7200 org.apache.naming.resources.CacheEntry
432: 180 7200 org.apache.xmlbeans.SchemaType$Ref
433: 180 7200 org.apache.tomcat.util.modeler.BaseNotificationBroadcaster
434: 224 7168 javax.naming.ldap.LdapName
435: 64 7168 java.util.jar.JarFile$JarFileEntry
436: 128 7168 com.tc.object.lockmanager.impl.ClientLockManagerImpl$LockGCTask
437: 179 7160 org.apache.juli.ClassLoaderLogManager$LogNode
438: 37 7104 org.opensaml.saml2.core.impl.ResponseImpl
439: 126 7088 org.apache.xerces.xs.XSObject[]
440: 177 7080 org.springframework.beans.factory.config.RuntimeBeanReference
441: 49 7056 org.opensaml.saml2.core.impl.AttributeImpl
442: 40 7040 org.apache.velocity.runtime.parser.Parser
443: 175 7000 com.tc.object.field.GenericTCField
444: 87 6960 sun.nio.cs.UTF_8$Encoder
445: 58 6960 org.opensaml.saml1.core.impl.SubjectImpl
446: 79 6952 org.apache.velocity.runtime.parser.VelocityCharStream
447: 216 6912 java.lang.ThreadLocal$ThreadLocalMap
448: 86 6880 sun.nio.cs.US_ASCII$Encoder
449: 86 6880 sun.nio.cs.StreamDecoder
450: 85 6800 java.util.zip.ZipEntry
451: 53 6784 org.apache.catalina.connector.InputBuffer
452: 218 6704 org.apache.tomcat.util.modeler.ParameterInfo[]
453: 93 6696 javax.servlet.http.Cookie
454: 93 6696 sun.security.util.MemoryCache$SoftCacheEntry
455: 279 6696 org.bouncycastle.asn1.DERObjectIdentifier
456: 180 6688 javax.management.MBeanParameterInfo[]
457: 167 6680 com.tc.net.core.TCConnectionJDK14$WriteContext
458: 139 6672 EDU.oswego.cs.dl.util.concurrent.ConcurrentReaderHashMap$Entry
459: 208 6656 org.apache.log4j.CategoryKey
460: 166 6640 com.tc.aspectwerkz.cflow.CflowAspectExpressionVisitor
461: 58 6496 org.opensaml.saml1.core.impl.ConfirmationMethodImpl
462: 81 6480 java.util.ResourceBundle$CacheKey
463: 135 6480 org.apache.xmlbeans.QNameSet
464: 159 6360 org.apache.jk.common.MsgAjp
465: 53 6360 org.apache.jk.core.MsgContext
466: 53 6360 org.apache.coyote.RequestInfo
467: 66 6336 org.apache.xml.security.signature.XMLSignatureInput
468: 79 6320 com.tc.aspectwerkz.expression.ast.ASTMethodPattern
469: 156 6240 java.lang.StringCoding$StringDecoder
470: 54 6240 org.mozilla.javascript.ScriptableObject$Slot[]
471: 156 6240 com.tc.jrexx.regex.PScanner
472: 60 6240 sun.org.mozilla.javascript.internal.NativeJavaMethod
473: 194 6208 org.apache.xerces.impl.xs.XSAnnotationImpl
474: 35 6160 org.opensaml.saml2.core.impl.AssertionImpl
475: 157 6128 java.security.ProtectionDomain[]
476: 152 6080 org.apache.xmlbeans.impl.schema.XmlValueRef
477: 252 6048 sun.reflect.DelegatingMethodAccessorImpl
478: 126 6048 org.apache.xerces.impl.xs.XSModelGroupImpl
479: 108 6048 sun.reflect.generics.repository.ConstructorRepository
480: 188 6016 sun.nio.cs.Surrogate$Parser
481: 53 5936 org.apache.catalina.connector.OutputBuffer
482: 46 5936 int[][]
483: 53 5936 org.apache.catalina.connector.Response
484: 4 5776 sun.misc.CacheEntry[]
485: 100 5768 javax.management.MBeanOperationInfo[]
486: 80 5760 org.apache.xerces.util.XMLAttributesImpl$Attribute
487: 48 5760 sun.security.pkcs11.SunPKCS11$P11Service
488: 72 5760 java.beans.BeanDescriptor
489: 19 5728 java.lang.StackTraceElement[]
490: 58 5712 org.apache.catalina.core.ApplicationFilterConfig[]
491: 101 5656 org.apache.tomcat.util.buf.WriteConvertor
492: 47 5640 com.tc.aspectwerkz.reflect.impl.java.JavaClassInfo
493: 39 5616 java.net.URI
494: 35 5600 org.opensaml.saml2.core.impl.SubjectConfirmationDataImpl
495: 99 5544 java.net.SocketException
496: 99 5544 javax.net.ssl.SSLException
497: 53 5512 org.apache.jk.core.Msg[]
498: 86 5504 com.sun.net.ssl.internal.ssl.CipherSuite
499: 86 5504 org.apache.tomcat.util.modeler.BaseModelMBean
500: 137 5480 com.tc.object.tx.ServerTransactionID
501: 62 5456 javax.servlet.jsp.PageContext[]
502: 227 5448 java.io.FileDescriptor
503: 113 5424 com.sun.jndi.ldap.LdapClient
504: 134 5360 com.tc.net.protocol.tcm.TCMessageHeaderImpl
505: 126 5344 org.apache.xerces.impl.xs.XSParticleDecl[]
506: 111 5328 javax.naming.directory.SearchControls
507: 222 5328 javax.naming.ldap.Rdn
508: 111 5328 com.sun.jndi.ldap.LdapCtx$SearchArgs
509: 66 5280 org.apache.xml.security.signature.Reference
510: 73 5256 sun.misc.URLClassPath$JarLoader
511: 164 5248 sun.reflect.generics.scope.MethodScope
512: 41 5248 sun.org.mozilla.javascript.internal.IdFunctionObject
513: 93 5208 com.tc.aspectwerkz.expression.ast.ASTParameter
514: 53 5088 org.apache.catalina.util.ParameterMap
515: 53 5088 org.apache.catalina.connector.CoyoteWriter
516: 105 5040 com.sun.jmx.mbeanserver.ConvertingMethod
517: 63 5040 java.security.Signature$Delegate
518: 126 5040 java.net.Inet4Address
519: 35 5040 org.opensaml.saml2.core.impl.SubjectConfirmationImpl
520: 35 5040 org.opensaml.saml2.core.impl.NameIDImpl
521: 35 5040 org.opensaml.saml2.core.impl.AuthnStatementImpl
522: 125 5000 java.util.BitSet
523: 78 4992 java.util.ResourceBundle$BundleReference
524: 62 4960 org.apache.jasper.runtime.JspWriterImpl
525: 29 4872 org.opensaml.saml1.core.impl.AssertionImpl
526: 87 4872 java.util.concurrent.locks.AbstractQueuedSynchronizer$Node
527: 87 4872 org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy
528: 87 4872 com.tc.aspectwerkz.expression.ast.ASTClassPattern
529: 29 4872 org.opensaml.saml1.core.impl.ResponseImpl
530: 29 4872 java.lang.Thread
531: 101 4848 org.apache.tomcat.util.buf.C2BConverter
532: 40 4800 org.apache.velocity.runtime.parser.ParserTokenManager
533: 40 4800 org.apache.velocity.runtime.parser.Parser$JJCalls[]
534: 35 4760 org.opensaml.saml2.core.impl.AuthnContextImpl
535: 35 4760 org.opensaml.saml2.core.impl.SubjectImpl
536: 66 4752 org.apache.xml.security.signature.XMLSignature
537: 99 4752 com.tc.net.core.CoreNIOServices$InterestRequest
538: 37 4736 org.opensaml.saml2.core.impl.StatusImpl
539: 39 4680 org.opensaml.saml2.core.impl.StatusCodeImpl
540: 53 4664 org.apache.catalina.connector.CoyoteReader
541: 83 4648 java.util.LinkedHashMap$EntryIterator
542: 8 4608 * TypeArrayKlassKlass
543: 72 4608 java.beans.GenericBeanInfo
544: 192 4608 com.tc.util.ObjectIDSet$MyLong
545: 115 4600 java.security.cert.X509Certificate[]
546: 142 4544 java.util.concurrent.locks.ReentrantLock
547: 71 4544 java.security.cert.TrustAnchor
548: 81 4536 java.util.ResourceBundle$LoaderReference
549: 113 4520 com.sun.net.ssl.internal.ssl.AppInputStream
550: 113 4520 com.sun.net.ssl.internal.ssl.AppOutputStream
551: 80 4480 java.security.ProtectionDomain
552: 35 4480 org.opensaml.saml2.core.impl.ConditionsImpl
553: 79 4424 java.security.CodeSource
554: 29 4408 org.apache.xmlbeans.impl.store.Xobj$CommentXobj
555: 78 4368 org.apache.tomcat.util.threads.ThreadPool$ControlRunnable
556: 133 4256 edu.vt.middleware.ldap.jaas.LdapPrincipal
557: 106 4240 java.lang.StringCoding$StringEncoder
558: 176 4224 com.tc.object.tx.TransactionID
559: 75 4200 java.io.ObjectStreamField
560: 35 4200 org.opensaml.saml2.core.impl.SubjectLocalityImpl
561: 58 4176 com.tc.aspectwerkz.reflect.impl.java.JavaConstructorInfo
562: 174 4176
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.AndMatch
Functor
563: 29 4176 org.opensaml.saml1.core.impl.AuthenticationStatementImpl
564: 87 4176 com.tc.aspectwerkz.expression.ast.ASTWithin
565: 87 4176 org.apache.xerces.util.AugmentationsImpl$SmallContainer
566: 103 4120 com.sun.jmx.interceptor.DefaultMBeanServerInterceptor$ListenerWrapper
567: 1 4120 org.joda.time.tz.CachedDateTimeZone$Info[]
568: 128 4096 com.tc.logging.TextDecoratorTCLogger
569: 128 4096 org.apache.commons.collections.map.ListOrderedMap
570: 85 4080 org.apache.naming.resources.WARDirContext$Entry
571: 51 4080 edu.vt.middleware.ldap.Authenticator
572: 1 4024 org.apache.tomcat.util.threads.ThreadPool$ControlRunnable[]
573: 36 4016 org.apache.xmlbeans.impl.schema.XmlValueRef[]
574: 100 4000 java.io.File
575: 55 3960 java.io.BufferedWriter
576: 29 3944 org.apache.xmlbeans.impl.schema.SchemaParticleImpl
577: 35 3920 org.opensaml.saml2.core.impl.AudienceImpl
578: 35 3920 org.opensaml.saml2.core.impl.AttributeStatementImpl
579: 35 3920 org.opensaml.saml2.core.impl.AudienceRestrictionImpl
580: 35 3920 org.opensaml.saml2.core.impl.AuthnContextClassRefImpl
581: 81 3888 com.tc.object.ClientObjectManagerImpl$LocalLookupContext
582: 162 3888 com.tc.util.Counter
583: 97 3880 sun.org.mozilla.javascript.internal.ScriptableObject$Slot
584: 119 3808 java.util.regex.Pattern$Start
585: 79 3792 com.tc.aspectwerkz.expression.ast.ASTExecution
586: 118 3776 com.sun.jmx.mbeanserver.NamedObject
587: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_LABEL
588: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_LITERAL
589: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_GroupBegin
590: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_RegExp
591: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_LITERALSET
592: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_REPETITION
593: 156 3744 com.tc.jrexx.regex.Automaton_Pattern$TerminalFormat_GroupEnd
594: 29 3712 org.opensaml.saml1.core.impl.StatusImpl
595: 58 3712 com.tc.aspectwerkz.reflect.impl.java.JavaFieldInfo
596: 29 3712 org.opensaml.saml1.core.impl.ConditionsImpl
597: 66 3696 org.apache.xml.security.algorithms.SignatureAlgorithm
598: 46 3680 org.mozilla.javascript.NativeJavaPackage
599: 153 3672 com.tc.logging.TCLoggerImpl
600: 113 3616 com.sun.net.ssl.internal.ssl.HandshakeHash
601: 10 3616 java.lang.Object[][]
602: 32 3584 javax.management.openmbean.OpenMBeanAttributeInfoSupport
603: 64 3584 sun.security.pkcs11.SunPKCS11$Descriptor
604: 88 3520
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.AttributeFilterPolicy
605: 109 3488 org.apache.commons.logging.impl.SLF4JLocationAwareLog
606: 29 3480 org.opensaml.saml1.core.impl.StatusCodeImpl
607: 29 3480 org.opensaml.saml1.core.impl.SubjectLocalityImpl
608: 29 3480 org.opensaml.saml1.core.impl.AttributeStatementImpl
609: 108 3456 sun.reflect.generics.scope.ConstructorScope
610: 108 3456 org.apache.xerces.util.XMLStringBuffer
611: 54 3456 org.apache.jk.common.JkInputStream
612: 86 3440 java.io.InputStreamReader
613: 43 3440 java.util.IdentityHashMap
614: 71 3408 sun.security.x509.BasicConstraintsExtension
615: 106 3392
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.AttributeV
alueRegexMatchFunctor
616: 106 3392 org.apache.tomcat.util.http.MimeHeaders
617: 210 3360 java.lang.ref.ReferenceQueue$Lock
618: 105 3360 org.apache.xerces.util.SymbolHash
619: 42 3360 EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap$ValueIterator
620: 30 3360 org.apache.naming.resources.ResourceAttributes
621: 46 3312 sun.security.ec.NamedCurve
622: 205 3280 org.opensaml.xml.schema.impl.XSStringBuilder
623: 30 3272 org.apache.xerces.impl.xs.util.SimpleLocator[]
624: 68 3264 sun.security.x509.SubjectKeyIdentifierExtension
625: 136 3264 com.tc.net.ClientID
626: 29 3248 org.opensaml.saml1.core.impl.AudienceRestrictionConditionImpl
627: 29 3248 org.opensaml.saml1.core.impl.AudienceImpl
628: 112 3240 com.sun.jmx.mbeanserver.OpenConverter[]
629: 101 3232 org.apache.tomcat.util.buf.IntermediateOutputStream
630: 134 3216 com.tc.object.gtx.GlobalTransactionID
631: 67 3216 java.security.Permissions
632: 67 3216 org.opensaml.common.impl.SAMLObjectContentReference
633: 80 3200 sun.security.x509.CertificateExtensions
634: 80 3200 java.io.ByteArrayInputStream
635: 80 3200 com.sun.jmx.mbeanserver.PerInterface$MethodAndSig
636: 16 3200 com.tc.async.impl.StageImpl$WorkerThread
637: 66 3168 org.apache.xml.security.transforms.Transforms
638: 66 3168 org.apache.xml.security.algorithms.MessageDigestAlgorithm
639: 66 3168 java.util.regex.Pattern$Curly
640: 99 3168 org.apache.jk.common.ChannelSocket$SocketConnection
641: 65 3120 org.apache.log4j.ProvisionNode
642: 65 3120 java.util.HashMap$ValuesIterator
643: 97 3104 javax.security.auth.x500.X500Principal
644: 18 3088 java.lang.String[][]
645: 64 3072 java.io.FilePermission
646: 128 3072 java.lang.Character
647: 32 3072 java.util.TreeMap
648: 42 3024 org.apache.xmlbeans.impl.schema.SchemaAnnotationImpl
649: 63 3024 com.tc.object.config.LockDefinitionImpl
650: 8 3008 EDU.oswego.cs.dl.util.concurrent.ConcurrentReaderHashMap$Entry[]
651: 93 2976 sun.security.util.Cache$EqualByteArray
652: 93 2976 sun.security.x509.CertificateValidity
653: 93 2976 sun.security.x509.CertificateSubjectName
654: 93 2976 sun.security.x509.CertificateIssuerName
655: 62 2976 java.io.OutputStreamWriter
656: 53 2968 org.apache.tomcat.util.collections.MultiMap$Field[]
657: 8 2944 org.apache.catalina.core.StandardWrapper
658: 91 2912 sun.org.mozilla.javascript.internal.MemberBox
659: 7 2912 org.apache.xerces.impl.XMLNSDocumentScannerImpl
660: 50 2800 java.util.zip.Deflater
661: 15 2792 org.apache.xerces.impl.xs.XSComplexTypeDecl[]
662: 87 2784 com.tc.object.config.ClassExpressionMatcherImpl
663: 114 2736 com.sun.net.ssl.internal.ssl.SessionId
664: 57 2736 java.io.BufferedInputStream
665: 85 2712 org.apache.naming.resources.WARDirContext$Entry[]
666: 56 2688 org.apache.catalina.core.ApplicationFilterChain
667: 67 2680 com.tc.net.core.CoreNIOServices$3
668: 83 2656 java.util.regex.Pattern$Dollar
669: 48 2648 org.joda.time.format.DateTimeParser[]
670: 55 2640 java.text.SimpleDateFormat[]
671: 66 2640 org.w3c.dom.Element[]
672: 66 2640 org.apache.xml.security.utils.UnsyncBufferedOutputStream
673: 66 2640 org.apache.xml.security.utils.DigesterOutputStream
674: 110 2640 sun.security.x509.SerialNumber
675: 58 2632 com.tc.net.core.TCConnectionJDK14$WriteContext[]
676: 7 2632 org.apache.xerces.parsers.XIncludeAwareParserConfiguration
677: 41 2624 sun.security.x509.AuthorityKeyIdentifierExtension
678: 54 2616 char[][]
679: 12 2592 org.apache.xerces.impl.xs.SchemaGrammar
680: 54 2592 sun.security.x509.KeyUsageExtension
681: 26 2576 sun.org.mozilla.javascript.internal.ScriptableObject$Slot[]
682: 53 2544 org.apache.tomcat.util.buf.UEncoder
683: 79 2528 com.tc.aspectwerkz.expression.regexp.NamePattern
684: 35 2520 org.joda.time.format.DateTimeFormatter
685: 21 2520 org.apache.jasper.compiler.Node$Expression
686: 104 2496 sun.security.x509.KeyIdentifier
687: 78 2496 java.util.regex.Pattern$SliceI
688: 26 2496 com.tc.object.tx.ClientTransactionImpl
689: 104 2496 org.apache.juli.logging.DirectJDKLog
690: 62 2480 org.apache.jasper.runtime.JspFactoryImpl$PageContextPool
691: 4 2464 java.lang.Thread[]
692: 44 2464 java.io.PrintStream
693: 14 2464 java.io.ObjectStreamClass
694: 102 2448 java.util.zip.Adler32
695: 102 2448 sun.reflect.BootstrapConstructorAccessorImpl
696: 61 2440 edu.vt.middleware.ldap.Ldap
697: 12 2400 * KlassKlass
698: 100 2400 org.apache.xmlbeans.SchemaIdentityConstraint$Ref[]
699: 74 2368 java.security.Provider$UString
700: 74 2368 com.tc.object.lockmanager.api.ThreadID
701: 72 2368 org.apache.xerces.impl.xs.XSAnnotationImpl[]
702: 16 2304 org.apache.xerces.impl.xs.XSElementDecl[]
703: 96 2304 EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap$Segment
704: 72 2304 com.tc.object.config.StandardDSOClientConfigHelperImpl$Resource
705: 36 2304 com.tc.management.stats.AggregateInteger
706: 72 2304 org.apache.xerces.xni.XMLString
707: 4 2288 java.lang.Integer[]
708: 71 2272 sun.security.provider.JavaKeyStore$TrustedCertEntry
709: 7 2240 org.apache.xerces.impl.dtd.XMLNSDTDValidator
710: 28 2240 sun.util.calendar.ZoneInfo
711: 40 2240 org.apache.velocity.runtime.parser.Parser$LookaheadSuccess
712: 35 2240 EDU.oswego.cs.dl.util.concurrent.BoundedLinkedQueue
713: 93 2232 sun.security.x509.CertificateAlgorithmId
714: 93 2232 sun.security.x509.CertificateSerialNumber
715: 93 2232 sun.security.x509.CertificateX509Key
716: 93 2232 sun.security.x509.CertificateVersion
717: 46 2208 java.security.spec.EllipticCurve
718: 39 2184 java.io.ObjectStreamClass$WeakClassKey
719: 34 2176 org.mozilla.javascript.ScriptableObject$GetterSlot
720: 68 2176 com.tc.object.config.Lock
721: 34 2176 org.apache.xerces.impl.dtd.XMLSimpleType
722: 63 2168 sun.org.mozilla.javascript.internal.MemberBox[]
723: 53 2120 org.apache.catalina.util.StringParser
724: 53 2120 org.apache.tomcat.util.http.Cookies
725: 2 2096 org.apache.commons.collections.map.AbstractHashedMap$HashEntry[]
726: 2 2096 java.lang.Long[]
727: 87 2088 org.apache.xerces.util.AugmentationsImpl
728: 65 2080 sun.nio.ch.AllocatedNativeObject
729: 13 2080 org.apache.velocity.runtime.parser.node.ASTReference
730: 65 2080 com.tc.object.tx.ThreadTransactionContext
731: 1 2072 com.tc.object.TCObject[]
732: 1 2072 org.apache.xerces.impl.dv.DatatypeValidator[]
733: 1 2072 org.apache.xerces.impl.dtd.models.ContentModelValidator[]
734: 41 2064 org.apache.xerces.impl.xs.traversers.OneAttr[]
735: 86 2064 java.util.regex.Pattern$Begin
736: 64 2048 java.util.HashMap$ValuesCollectionWrapper
737: 64 2048 java.util.AbstractMap$SimpleImmutableEntry
738: 16 2048 com.sun.jndi.ldap.Connection
739: 64 2048 java.io.FilePermissionCollection
740: 11 2024 com.tc.object.msg.AcknowledgeTransactionMessageImpl
741: 18 2016 org.springframework.beans.BeanWrapperImpl
742: 21 2016 org.apache.velocity.runtime.parser.node.ASTText
743: 63 2016 org.apache.jasper.compiler.JspUtil$ValidAttribute
744: 50 2000 org.apache.xmlbeans.impl.values.XmlBooleanImpl
745: 83 1992 org.apache.tomcat.util.modeler.NotificationInfo[]
746: 62 1984 org.apache.catalina.core.ApplicationContext$DispatchData
747: 34 1960 org.joda.time.format.DateTimePrinter[]
748: 61 1952 org.springframework.beans.CachedIntrospectionResults
749: 81 1944 com.tc.util.concurrent.ResetableLatch
750: 10 1920 org.knopflerfish.framework.BundleImpl
751: 20 1920 org.opensaml.xml.security.x509.BasicX509Credential
752: 48 1920 org.apache.xerces.impl.xs.traversers.OneAttr
753: 80 1920 java.security.Principal[]
754: 40 1920 org.apache.velocity.runtime.parser.JJTParserState
755: 34 1904 org.apache.xmlbeans.impl.regex.RangeToken
756: 17 1904 org.apache.xerces.impl.xs.models.XSDFACM
757: 34 1904 sun.reflect.generics.repository.ClassRepository
758: 1 1880 org.apache.xml.serializer.EncodingInfo[]
759: 78 1872 com.tc.object.lockmanager.impl.ClientLock$Action
760: 18 1872 edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyFactoryBean
761: 39 1872 org.apache.tomcat.util.digester.ObjectCreateRule
762: 68 1864 javax.management.MBeanConstructorInfo[]
763: 58 1856 sun.reflect.generics.scope.ClassScope
764: 29 1856 com.tc.io.TCByteBufferOutputStream
765: 23 1840 sun.org.mozilla.javascript.internal.NativeJavaPackage
766: 25 1800 java.util.PropertyResourceBundle
767: 28 1792 org.mozilla.javascript.IdScriptableObject$PrototypeValues
768: 44 1760 java.util.regex.Pattern$8
769: 7 1736 org.apache.xerces.impl.XMLDTDScannerImpl
770: 54 1728 java.util.jar.Manifest
771: 43 1720 org.springframework.beans.factory.config.TypedStringValue
772: 42 1680 java.util.Collections$UnmodifiableRandomAccessList
773: 19 1672 java.util.zip.ZipFile$1
774: 9 1656 edu.internet2.middleware.shibboleth.common.config.relyingparty.saml.SAML2SSOProfileConfigurationFactoryBean
775: 23 1656 org.joda.time.chrono.ZonedChronology$ZonedDateTimeField
776: 41 1640 com.tc.object.NamedTraversedReference
777: 12 1632 edu.internet2.middleware.shibboleth.common.config.relyingparty.saml.SAML1AttributeQueryProfileConfigurationFactoryBean
778: 34 1632 sun.security.x509.URIName
779: 12 1632 edu.internet2.middleware.shibboleth.common.config.relyingparty.saml.SAML1ArtifactResolutionProfileConfigurationFactoryBean
780: 1 1624 org.apache.tomcat.util.buf.StringCache$ByteEntry[]
781: 67 1608 com.tc.util.UUID
782: 67 1608 com.tc.object.tx.ClientTransactionManagerImpl$ThreadTransactionLoggingStack
783: 5 1600 org.springframework.beans.factory.support.DefaultListableBeanFactory
784: 4 1600 org.apache.xerces.impl.XMLDocumentScannerImpl
785: 10 1600 org.knopflerfish.framework.BundleClassLoader
786: 40 1600 org.apache.xmlbeans.impl.schema.SchemaAttributeModelImpl
787: 33 1584 sun.security.pkcs11.Session
788: 28 1568 sun.security.x509.DistributionPoint
789: 49 1568 java.util.HashMap$EntryWrapper
790: 65 1560 com.tc.util.Stack
791: 65 1560 sun.security.x509.GeneralName
792: 32 1536 org.apache.xerces.impl.xs.XSWildcardDecl
793: 64 1536 sun.nio.ch.DevPollArrayWrapper$Updator
794: 63 1512 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1
795: 27 1512 sun.reflect.generics.reflectiveObjects.TypeVariableImpl
796: 47 1504 java.security.spec.ECPoint
797: 62 1488 org.apache.jasper.runtime.BodyContentImpl[]
798: 40 1480 com.tc.object.field.TCField[]
799: 23 1472 java.io.ObjectStreamClass$FieldReflectorKey
800: 30 1440 java.security.Provider$EngineDescription
801: 36 1440 org.apache.xmlbeans.impl.values.XmlIntegerImpl
802: 15 1440 org.apache.xerces.impl.xs.XSDDescription
803: 36 1440 org.apache.xerces.impl.xs.traversers.SmallContainer
804: 15 1440 org.apache.velocity.runtime.parser.node.ASTComment
805: 20 1440 org.mozilla.javascript.NativeError
806: 45 1440 java.io.ByteArrayOutputStream
807: 22 1408 com.sun.jmx.mbeanserver.PerInterface
808: 28 1408 org.apache.xmlbeans.SchemaParticle[]
809: 35 1400 org.joda.time.format.DateTimeFormatterBuilder$Composite
810: 25 1400 org.apache.tomcat.util.digester.SetNextRule
811: 25 1400 sun.security.x509.CRLDistributionPointsExtension
812: 25 1400 org.apache.xerces.util.XMLResourceIdentifierImpl
813: 19 1368 org.apache.xerces.impl.dtd.XMLEntityDecl
814: 34 1360 sun.reflect.generics.tree.ClassSignature
815: 42 1344 org.apache.tomcat.util.log.CaptureLog
816: 56 1344 sun.security.x509.GeneralNames
817: 7 1344 org.apache.xerces.impl.XMLEntityManager
818: 28 1344 java.io.DataOutputStream
819: 24 1344 com.tc.object.lockmanager.impl.ClientLock$LockHold
820: 55 1320 edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.OrMatchFunctor
821: 15 1320 javax.management.openmbean.ArrayType
822: 30 1320 java.io.ObjectStreamField[]
823: 41 1312 edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal
824: 54 1296 org.apache.catalina.connector.ResponseFacade
825: 53 1296 org.apache.xmlbeans.SchemaType$Ref[]
826: 27 1296 java.math.BigDecimal
827: 54 1296 org.apache.catalina.connector.RequestFacade
828: 10 1280 org.apache.jasper.compiler.Node$PageDirective
829: 32 1280 com.sun.jmx.mbeanserver.OpenConverter$IdentityConverter
830: 16 1280 com.tc.object.bytecode.LogicalMethodAdapter
831: 53 1272 org.apache.catalina.connector.CoyoteInputStream
832: 53 1272 com.tc.net.protocol.delivery.OOOProtocolEvent
833: 53 1272 org.apache.catalina.connector.CoyoteOutputStream
834: 26 1248 com.tc.object.tx.TransactionContextImpl
835: 39 1248 com.tc.net.protocol.tcm.TCMessageType
836: 43 1248 java.lang.reflect.TypeVariable[]
837: 4 1248 org.apache.xerces.impl.dtd.XMLDTDValidator
838: 31 1240 org.apache.xml.security.algorithms.JCEMapper$Algorithm
839: 31 1240 java.util.Collections$UnmodifiableCollection$1
840: 22 1232 javax.management.MBeanConstructorInfo
841: 7 1232 org.apache.xerces.impl.dtd.XMLDTDProcessor
842: 47 1224 javax.management.MBeanNotificationInfo[]
843: 51 1224 com.tc.util.State
844: 30 1200 org.mozilla.javascript.BeanProperty
845: 30 1200 com.tc.object.config.schema.IncludedInstrumentedClass
846: 10 1200 org.apache.jasper.compiler.Node$Scriptlet
847: 15 1200 java.io.PrintWriter
848: 50 1200 java.lang.Boolean
849: 30 1200 org.apache.xmlbeans.impl.values.XmlStringImpl
850: 25 1200 org.apache.tomcat.util.digester.ArrayStack
851: 29 1160 org.osgi.framework.Version
852: 8 1152 edu.internet2.middleware.shibboleth.common.config.relyingparty.saml.ShibbolethSSOProfileConfigurationFactoryBean
853: 16 1152 com.tc.async.impl.StageImpl
854: 18 1152 org.apache.xerces.impl.dv.xs.DecimalDV$XDecimal
855: 6 1152 com.tc.object.msg.CommitTransactionMessageImpl
856: 11 1144 org.knopflerfish.framework.BundlePackages
857: 20 1144 org.apache.velocity.runtime.parser.node.Node[]
858: 14 1120 edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyFactoryBean
859: 5 1120 org.apache.jasper.JspCompilationContext
860: 35 1120 com.tc.object.applicator.PhysicalApplicator
861: 23 1104 com.tc.util.ListIteratorWrapper
862: 6 1104 java.util.TimerThread
863: 23 1104 java.util.LinkedList$ListItr
864: 23 1104 org.joda.time.DateTimeFieldType$StandardDateTimeFieldType
865: 8 1088 edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration
866: 34 1088 java.util.concurrent.atomic.AtomicInteger
867: 17 1088 sun.nio.cs.ISO_8859_1$Decoder
868: 17 1088 org.apache.tomcat.util.digester.CallParamRule
869: 16 1080 javax.servlet.http.Cookie[]
870: 2 1072 java.lang.Character[]
871: 19 1064 java.util.zip.ZipFile$ZipFileInputStream
872: 22 1056 sun.security.x509.OIDMap$OIDInfo
873: 33 1056 com.tc.logging.ClientIDLogger
874: 1 1048 javax.xml.namespace.QName[]
875: 1 1048 com.tc.object.lockmanager.impl.ClientLockManagerImpl[]
876: 1 1048 java.util.Map[]
877: 34 1040 sun.reflect.generics.tree.ClassTypeSignature[]
878: 26 1040 java.security.spec.ECFieldF2m
879: 16 1024 com.sun.jmx.mbeanserver.MXBeanSupport
880: 16 1024 com.tc.async.impl.StageQueueImpl
881: 16 1024 com.tc.config.schema.dynamic.BooleanXPathBasedConfigItem
882: 42 1008 org.apache.xmlbeans.SchemaAnnotation$Attribute[]
883: 21 1008 com.tc.util.AATreeSet$AANode
884: 18 1008 org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
885: 18 1008 edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration
886: 14 1008 javax.management.openmbean.SimpleType
887: 18 1008 org.mozilla.javascript.LazilyLoadedCtor
888: 21 1008 org.apache.xerces.impl.dtd.XMLElementDecl
889: 18 1008 org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule
890: 21 1008 java.util.Locale
891: 18 1008 edu.internet2.middleware.shibboleth.common.binding.security.ShibbolethClientCertAuthRule
892: 20 1000 sun.security.pkcs11.wrapper.CK_ATTRIBUTE[]
893: 12 992 java.util.regex.Pattern$Node[]
894: 11 968 org.apache.xmlbeans.impl.schema.SchemaLocalAttributeImpl
895: 30 960 org.apache.catalina.util.LifecycleSupport
896: 30 960 com.tc.object.config.InstrumentationDescriptorImpl
897: 40 960 com.tc.object.TraversedReferencesImpl
898: 40 960 sun.security.x509.DNSName
899: 17 952 com.sun.jmx.mbeanserver.WeakIdentityHashMap$IdentityWeakReference
900: 39 936 java.util.regex.Pattern$CharPropertyNames$1
901: 13 936 sun.org.mozilla.javascript.internal.IdScriptableObject$PrototypeValues
902: 12 928 org.apache.xerces.util.XMLAttributesImpl$Attribute[]
903: 5 920 org.apache.jasper.servlet.JasperLoader
904: 38 912 sun.reflect.generics.tree.TypeVariableSignature
905: 19 912 org.apache.naming.resources.WARDirContext$WARResource
906: 3 912 edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
907: 28 896 java.util.regex.Pattern$GroupTail
908: 7 896 org.apache.commons.collections.ExtendedProperties
909: 4 896 org.apache.tomcat.util.digester.Digester
910: 28 896 java.util.regex.Pattern$GroupHead
911: 10 880 org.apache.xerces.impl.xs.AttributePSVImpl
912: 27 864 gnu.trove.TIntArrayList
913: 18 864 org.springframework.beans.propertyeditors.URLEditor
914: 9 864 javax.management.openmbean.CompositeType
915: 18 864 org.springframework.beans.propertyeditors.URIEditor
916: 18 864 com.terracottatech.config.impl.ClassExpressionImpl
917: 18 864 org.springframework.core.io.support.ResourceArrayPropertyEditor
918: 27 864 sun.reflect.generics.tree.FormalTypeParameter
919: 18 864 org.springframework.beans.propertyeditors.InputStreamEditor
920: 12 864 org.apache.xerces.impl.dtd.XMLDTDDescription
921: 18 864 org.springframework.beans.propertyeditors.ClassEditor
922: 18 864 org.springframework.beans.propertyeditors.FileEditor
923: 15 864 org.apache.jasper.compiler.JspUtil$ValidAttribute[]
924: 18 864 org.apache.tomcat.util.http.mapper.Mapper$Wrapper
925: 18 864 org.springframework.core.io.ResourceEditor
926: 18 864 org.apache.tomcat.util.digester.SetPropertiesRule
927: 53 848 org.apache.tomcat.util.buf.UDecoder
928: 21 840 org.opensaml.common.binding.security.IssueInstantRule
929: 3 840 EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap$Segment[]
930: 21 840 sun.security.x509.AVAKeyword
931: 21 840 org.apache.xmlbeans.impl.regex.Op$RangeOp
932: 15 840 org.opensaml.security.MetadataCredentialResolver$MetadataCacheKey
933: 15 840 com.terracottatech.config.impl.LockLevelImpl
934: 3 840 EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap$Entry[]
935: 8 832 EDU.oswego.cs.dl.util.concurrent.ConcurrentReaderHashMap
936: 8 832 com.tc.object.tx.TransactionBatchWriter
937: 26 832 java.util.regex.Pattern$2
938: 8 832 org.apache.catalina.core.StandardWrapperValve
939: 8 832 javax.management.openmbean.OpenMBeanParameterInfoSupport
940: 13 832 edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute
941: 13 832 org.apache.xerces.impl.dv.ValidatedInfo
942: 26 832 java.util.concurrent.CopyOnWriteArrayList
943: 6 816 org.apache.xmlbeans.impl.schema.SchemaContainer
944: 17 816 java.util.concurrent.locks.ReentrantReadWriteLock
945: 4 816 java.math.BigInteger[]
946: 30 800 org.apache.catalina.LifecycleListener[]
947: 20 800 com.tc.asm.Type
948: 2 800 edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler$ShibbolethSSORequestContext
949: 20 800 org.apache.xmlbeans.impl.regex.Token$ClosureToken
950: 10 800 org.knopflerfish.framework.bundlestorage.memory.BundleArchiveImpl
951: 20 800 org.opensaml.xml.security.credential.CredentialContextSet
952: 9 792 org.knopflerfish.framework.ImportPkg
953: 33 792 com.tc.config.schema.dynamic.CompoundConfigItemListener
954: 16 768 sun.security.x509.NetscapeCertTypeExtension
955: 16 768 java.security.cert.PolicyQualifierInfo
956: 16 768 org.opensaml.xml.signature.impl.CryptoBinaryUnmarshaller
957: 12 768 sun.nio.cs.UTF_8$Decoder
958: 8 768 org.knopflerfish.framework.ExportPkg
959: 6 768 org.mozilla.javascript.FunctionObject
960: 16 768 sun.misc.CacheEntry
961: 8 768 edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.ShibbolethSSOConfiguration
962: 5 760 org.joda.time.convert.ConverterSet$Entry[]
963: 3 744 org.apache.xerces.parsers.DOMParser
964: 4 736 org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser
965: 18 720 org.springframework.beans.factory.config.BeanDefinitionHolder
966: 18 720 com.tc.aspectwerkz.expression.ast.ExpressionParser$JJCalls
967: 15 720 com.sun.net.ssl.internal.ssl.CipherSuite$KeyExchange
968: 15 720 sun.security.x509.CertificatePoliciesExtension
969: 15 720 org.apache.xmlbeans.impl.regex.Op$ModifierOp
970: 15 720 com.terracottatech.config.impl.MethodExpressionImpl
971: 18 720 org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
972: 18 720 com.terracottatech.config.impl.IncludeImpl
973: 18 720 org.opensaml.common.binding.security.MessageReplayRule
974: 10 720 sun.org.mozilla.javascript.internal.NativeError
975: 1 712 org.apache.catalina.core.StandardContext
976: 11 704 org.knopflerfish.framework.RequireBundle
977: 8 704 edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.ArtifactResolutionConfiguration
978: 22 704 com.tc.object.config.DSOChangeApplicatorSpec
979: 11 704 byte[][]
980: 11 704 org.apache.xerces.impl.validation.ValidationState
981: 8 704 edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.AttributeQueryConfiguration
982: 4 704 sun.nio.ch.SocketChannelImpl
983: 19 680 org.apache.xmlbeans.impl.regex.RegularExpression[]
984: 17 680 sun.security.pkcs11.TemplateManager$TemplateKey
985: 28 672 java.lang.Float
986: 12 672 org.apache.xerces.util.XMLAttributesImpl
987: 21 672 org.apache.velocity.util.introspection.Info
988: 4 672 sun.org.mozilla.javascript.internal.InterpreterData
989: 6 672 com.tc.object.tx.TransactionBatchWriter$TransactionBufferImpl
990: 21 672 org.apache.xmlbeans.impl.regex.Token$CharToken
991: 14 672 org.apache.xerces.impl.XMLEntityManager$CharacterBuffer[]
992: 12 672 java.util.Collections$UnmodifiableMap
993: 14 672 org.apache.catalina.startup.SetNextNamingRule
994: 5 640 org.apache.catalina.core.ApplicationHttpRequest
995: 4 640 org.springframework.context.support.GenericApplicationContext
996: 5 640 org.apache.xmlbeans.impl.store.Cur
997: 16 640 org.joda.time.format.DateTimeFormatterBuilder$PaddedNumber
998: 16 640 org.opensaml.security.SAMLMDCredentialContext
999: 10 640 org.apache.catalina.core.StandardPipeline
1000: 2 640 org.joda.time.chrono.ISOChronology
1001: 20 640 ch.qos.logback.core.pattern.LiteralConverter
1002: 20 640 net.sourceforge.yamlbeans.tokenizer.TokenType
1003: 16 640 org.apache.xerces.impl.xpath.regex.Op$RangeOp
1004: 16 640 org.opensaml.xml.signature.impl.CryptoBinaryMarshaller
1005: 20 640 ch.qos.logback.classic.spi.LoggerContextAwareBase
1006: 6 624 java.security.SecureRandom
1007: 11 616 sun.misc.URLClassPath
1008: 19 608 com.tc.util.ObjectIDSet$Range
1009: 15 600 com.terracottatech.config.impl.AutolockImpl
1010: 15 600 javax.naming.ldap.InitialLdapContext
1011: 15 600 org.apache.xerces.impl.xs.XSGroupDecl[]
1012: 5 600 org.apache.jasper.servlet.JspServletWrapper
1013: 15 600 java.lang.ref.SoftReference[]
1014: 18 576 java.text.DateFormat$Field
1015: 18 576 java.util.Collections$UnmodifiableCollection
1016: 6 576 edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2ScopedStringAttributeEncoder
1017: 24 576 com.tc.object.lockmanager.impl.ClientLock$LevelCounter
1018: 12 576 java.util.regex.Pattern$Branch
1019: 8 576 org.mozilla.javascript.JavaMembers
1020: 18 576 java.util.regex.Pattern$Single
1021: 12 576 com.tc.net.core.ConnectionInfo
1022: 18 576 org.springframework.beans.TypeConverterDelegate
1023: 24 576 gnu.trove.TIntStack
1024: 10 560 com.sun.net.ssl.internal.ssl.CipherSuite$BulkCipher
1025: 7 560 com.tc.object.bytecode.DateMethodAdapter
1026: 14 560 org.apache.xerces.impl.xpath.regex.Op$ChildOp
1027: 5 560 org.apache.juli.FileHandler
1028: 23 552 org.apache.coyote.ActionCode
1029: 23 552 java.lang.ThreadLocal
1030: 17 544 java.util.concurrent.atomic.AtomicLong
1031: 17 544 com.tc.object.loaders.LoaderDescription
1032: 17 544 com.tc.net.protocol.tcm.TCMessageSinkToSedaSink
1033: 17 544 EDU.oswego.cs.dl.util.concurrent.SynchronizedLong
1034: 1 536 org.joda.time.chrono.ISOChronology[]
1035: 2 528 com.tc.object.msg.BroadcastTransactionMessageImpl
1036: 6 528 edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML1ScopedStringAttributeEncoder
1037: 11 528 org.joda.time.chrono.ZonedChronology$ZonedDurationField
1038: 5 528 java.io.File[]
1039: 6 528 java.util.jar.JarVerifier
1040: 11 528 sun.security.x509.ExtendedKeyUsageExtension
1041: 9 520 java.lang.Boolean[]
1042: 5 520 org.opensaml.util.resource.ResourceChangeWatcher
1043: 4 512 edu.internet2.middleware.shibboleth.common.config.security.X509CredentialFactoryBean
1044: 16 512 sun.security.pkcs11.wrapper.CK_ATTRIBUTE
1045: 16 512 com.tc.async.impl.StageImpl$WorkerThread[]
1046: 16 512 com.tc.async.impl.StageQueueImpl$NullStageQueueStatsCollector
1047: 8 512 java.io.ObjectStreamClass$FieldReflector
1048: 4 512 ch.qos.logback.classic.spi.LoggingEvent
1049: 7 504 com.sun.jmx.mbeanserver.OpenConverter$CompositeConverter
1050: 7 504 org.apache.xerces.impl.XMLErrorReporter
1051: 21 504 org.opensaml.ws.security.provider.MandatoryIssuerRule
1052: 3 504 ch.qos.logback.core.rolling.helper.RollingCalendar
1053: 3 504 edu.internet2.middleware.shibboleth.common.config.relyingparty.saml.SAML2AttributeQueryProfileConfigurationFactoryBean
1054: 21 504 EDU.oswego.cs.dl.util.concurrent.CopyOnWriteArrayList
1055: 3 504 edu.internet2.middleware.shibboleth.common.config.relyingparty.saml.SAML2ArtifactResolutionProfileConfigurationFactoryBean
1056: 21 504 edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.basic.NotMatchFunctor
1057: 15 488 java.lang.Byte[]
1058: 15 480 sun.security.x509.PolicyInformation
1059: 4 480 org.apache.xerces.impl.dv.xs.AbstractDateTimeDV$DateTimeData
1060: 12 480 org.apache.xerces.impl.dtd.XMLAttributeDecl
1061: 5 480 org.apache.xmlbeans.impl.regex.RegularExpression
1062: 10 480 org.eclipse.jdt.internal.compiler.lookup.BaseTypeBinding
1063: 15 480 java.util.regex.Pattern$BitClass
1064: 1 480 org.apache.xerces.impl.dtd.DTDGrammar
1065: 20 480 java.security.spec.ECFieldFp
1066: 15 480 org.apache.xmlbeans.impl.regex.Token$UnionToken
1067: 12 480 java.util.Arrays$ArrayList
1068: 3 480 org.opensaml.saml2.metadata.impl.EntitiesDescriptorImpl
1069: 15 480 javax.management.StandardMBean
1070: 10 480 org.opensaml.xml.schema.impl.XSBase64BinaryUnmarshaller
1071: 4 480 org.springframework.beans.factory.support.ManagedMap
1072: 10 480 sun.security.jca.ProviderConfig
1073: 10 480 sun.security.x509.SubjectAlternativeNameExtension
1074: 12 480 org.knopflerfish.framework.VersionRange
1075: 20 480 java.lang.Double
1076: 15 480 java.util.concurrent.CopyOnWriteArrayList$COWIterator
1077: 12 480 java.lang.RuntimePermission
1078: 10 480 org.apache.xmlbeans.impl.values.XmlTokenImpl
1079: 19 456 org.joda.time.format.DateTimeFormatterBuilder$CharacterLiteral
1080: 3 456 ch.qos.logback.core.rolling.RollingFileAppender
1081: 8 448 org.joda.time.field.PreciseDateTimeField
1082: 8 448 org.apache.xerces.impl.xpath.regex.RangeToken
1083: 7 448 com.tc.aspectwerkz.expression.ast.Token
1084: 8 448 sun.misc.ProxyGenerator$PrimitiveTypeInfo
1085: 14 448 edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy
1086: 8 448 java.lang.OutOfMemoryError
1087: 11 440 org.apache.xmlbeans.impl.regex.Op$CharOp
1088: 11 440 java.util.TreeSet
1089: 11 440 com.sun.jmx.mbeanserver.StandardMBeanSupport
1090: 5 440 org.apache.velocity.runtime.parser.node.ASTExpression
1091: 11 440 java.io.FileOutputStream
1092: 5 440 org.apache.velocity.runtime.parser.node.ASTBlock
1093: 5 440 org.apache.velocity.runtime.parser.node.ASTIfStatement
1094: 11 440 org.apache.xerces.impl.dtd.DTDGrammarBucket
1095: 3 432 edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.ScriptedAttributeDefinitionFactoryBean
1096: 18 432 org.opensaml.security.SAMLSignatureProfileValidator
1097: 2 432 org.apache.xmlbeans.impl.schema.SchemaTypeSystemImpl
1098: 2 432 org.apache.xerces.impl.xs.SchemaGrammar$BuiltinSchemaGrammar
1099: 1 416 java.net.URL[]
1100: 13 416 org.joda.time.format.DateTimeFormatterBuilder$MatchingParser
1101: 4 416 ch.qos.logback.classic.PatternLayout
1102: 17 408 sun.security.pkcs11.TemplateManager$Template
1103: 1 408 java.util.jar.JarFile[]
1104: 5 400 org.apache.jasper.compiler.JDTCompiler
1105: 10 400 sun.org.mozilla.javascript.internal.BeanProperty
1106: 10 400 javax.management.NotificationBroadcasterSupport
1107: 10 400 java.awt.AWTPermission
1108: 10 400 org.knopflerfish.framework.bundlestorage.memory.Archive
1109: 10 400 org.apache.xmlbeans.impl.schema.SchemaStringEnumEntryImpl
1110: 10 400 com.terracottatech.config.impl.PropertyImpl
1111: 1 400 org.apache.xmlbeans.impl.schema.SchemaTypeImpl[]
1112: 5 400 org.apache.naming.resources.WARDirContext
1113: 10 400 org.opensaml.xml.schema.impl.XSBase64BinaryMarshaller
1114: 7 392 org.apache.xerces.impl.XMLVersionDetector
1115: 7 392 org.apache.xerces.impl.XMLEntityScanner
1116: 7 392 org.apache.xerces.impl.XMLEntityManager$CharacterBufferPool
1117: 5 392 double[]
1118: 7 392 java.util.NoSuchElementException
1119: 8 384 org.opensaml.xacml.profile.saml.impl.ReferencedPoliciesTypeUnmarshaller
1120: 16 384 org.opensaml.xml.security.keyinfo.KeyInfoCredentialContext
1121: 8 384 org.opensaml.xml.schema.impl.XSStringUnmarshaller
1122: 16 384 java.lang.Byte
1123: 12 384 org.joda.time.DurationFieldType$StandardDurationFieldType
1124: 3 384 sun.org.mozilla.javascript.internal.FunctionObject
1125: 8 384 org.opensaml.xacml.policy.impl.AttributeDesignatorTypeUnmarshaller
1126: 8 384 org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionQueryTypeUnmarshaller
1127: 12 384 org.xml.sax.helpers.AttributesImpl
1128: 12 384 EDU.oswego.cs.dl.util.concurrent.SynchronizedBoolean
1129: 8 384 org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeUnmarshaller
1130: 12 384 org.apache.log4j.Level
1131: 8 384 org.knopflerfish.framework.Pkg
1132: 16 384 com.tc.util.concurrent.TCBoundedLinkedQueue
1133: 3 384 org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl
1134: 12 384 java.util.Collections$UnmodifiableSet
1135: 6 384 ch.qos.logback.core.rolling.helper.DateTokenConverter
1136: 16 384 com.tc.object.AnonymousTraversedReference
1137: 2 384 com.sun.jmx.remote.opt.util.JobExecutor
1138: 16 384 java.util.regex.Pattern$CharPropertyNames$4
1139: 8 384 org.apache.log4j.helpers.PatternParser$LiteralPatternConverter
1140: 4 384 java.lang.reflect.Field[]
1141: 8 384 org.opensaml.xacml.profile.saml.impl.XACMLPolicyQueryTypeUnmarshaller
1142: 3 384 ch.qos.logback.core.rolling.TimeBasedRollingPolicy
1143: 8 384 org.opensaml.xacml.profile.saml.impl.XACMLPolicyStatementTypeUnmarshaller
1144: 12 384 com.sun.jmx.remote.opt.util.ClassLogger
1145: 2 368 org.apache.xmlbeans.impl.store.Cur[]
1146: 5 360 sun.management.MemoryPoolImpl
1147: 9 360 java.util.logging.Level
1148: 3 360 org.apache.juli.ClassLoaderLogManager$RootLogger
1149: 15 360 net.sourceforge.yamlbeans.tokenizer.Token
1150: 15 360 sun.security.x509.CertificatePolicyId
1151: 9 360 org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver
1152: 3 360 edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ScriptedAttributeDefinition
1153: 15 360 org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule
1154: 9 360 javax.management.NotificationBroadcasterSupport$SendNotifJob
1155: 9 360 org.opensaml.util.resource.FilesystemResource
1156: 3 360 sun.org.mozilla.javascript.internal.InterpretedFunction
1157: 15 360 org.eclipse.jdt.internal.compiler.impl.IntConstant
1158: 9 360 java.net.InetSocketAddress
1159: 9 360 com.tc.management.AbstractTerracottaMBean$Listener
1160: 1 352 org.apache.xerces.dom.DeferredDocumentImpl
1161: 11 352 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$ElementStack
1162: 11 352 org.apache.xerces.impl.xpath.regex.Token$CharToken
1163: 11 352 sun.security.pkcs11.TemplateManager$KeyAndTemplate
1164: 11 352 java.util.regex.Pattern$Ctype
1165: 4 352 org.apache.xerces.jaxp.SAXParserImpl
1166: 11 352 org.knopflerfish.framework.BundleContextImpl
1167: 9 344 org.apache.tomcat.util.http.mapper.Mapper$Wrapper[]
1168: 7 336 sun.security.x509.AuthorityInfoAccessExtension
1169: 6 336 com.tc.object.tx.TransactionBatchWriter$FoldingKey
1170: 7 336 org.apache.xerces.util.NamespaceSupport
1171: 7 336 com.tc.net.TCSocketAddress
1172: 6 336 sun.reflect.generics.reflectiveObjects.WildcardTypeImpl
1173: 7 336 org.opensaml.xml.security.BasicSecurityConfiguration$KeyTransportEncryptionIndex
1174: 6 336 java.util.IdentityHashMap$KeyIterator
1175: 1 336 org.joda.time.chrono.GregorianChronology
1176: 2 336 sun.security.jgss.SunProvider
1177: 6 336 javax.management.MBeanNotificationInfo
1178: 2 336 java.text.DateFormat$Field[]
1179: 6 336 org.apache.catalina.LifecycleEvent
1180: 7 336 org.apache.catalina.util.ManifestResource
1181: 1 336 com.tc.net.protocol.tcm.TCMessageType[]
1182: 5 328 org.joda.time.convert.Converter[]
1183: 1 320 org.joda.time.chrono.ZonedChronology
1184: 10 320 java.io.ObjectStreamClass$ClassDataSlot
1185: 8 320 org.opensaml.xacml.profile.saml.impl.XACMLPolicyQueryTypeMarshaller
1186: 8 320 sun.security.x509.AccessDescription
1187: 8 320 org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeMarshaller
1188: 10 320 com.tc.object.config.DistributedMethodSpec
1189: 8 320 org.apache.xerces.util.SymbolTable
1190: 8 320 org.opensaml.xacml.profile.saml.impl.ReferencedPoliciesTypeMarshaller
1191: 10 320 org.knopflerfish.framework.bundlestorage.memory.Archive[]
1192: 4 320 ch.qos.logback.classic.pattern.ExtendedThrowableProxyConverter
1193: 10 320 com.tc.object.LiteralValues
1194: 10 320 sun.misc.MetaIndex
1195: 5 320 sun.management.MemoryPoolImpl$CollectionSensor
1196: 10 320 com.tc.util.LazyMap$LazyValueIterator
1197: 10 320 org.apache.xerces.impl.XMLEntityManager$CharacterBuffer
1198: 20 320 org.opensaml.xml.security.x509.InternalX500DNHandler
1199: 8 320 org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionQueryTypeMarshaller
1200: 10 320 net.sourceforge.yamlbeans.parser.EventType
1201: 2 320 com.tc.net.core.TCConnectionJDK14
1202: 8 320 org.opensaml.xacml.profile.saml.impl.XACMLPolicyStatementTypeMarshaller
1203: 8 320 org.opensaml.xml.schema.impl.XSStringMarshaller
1204: 10 320 com.tc.config.TcProperty
1205: 8 320 java.math.RoundingMode
1206: 5 320 sun.management.MemoryPoolImpl$PoolSensor
1207: 8 320 org.opensaml.xacml.policy.impl.AttributeDesignatorTypeMarshaller
1208: 1 312 org.apache.catalina.loader.WebappClassLoader
1209: 3 312 java.util.regex.Pattern$GroupHead[]
1210: 2 304 org.apache.jasper.compiler.Node$Root
1211: 1 296 com.tc.object.config.StandardDSOClientConfigHelperImpl
1212: 6 288 java.util.logging.SimpleFormatter
1213: 6 288 sun.util.LocaleServiceProviderPool
1214: 4 288 sun.nio.ch.SocketAdaptor
1215: 6 288 java.lang.ClassLoader$NativeLibrary
1216: 9 288 ch.qos.logback.core.rolling.helper.PeriodicityType
1217: 1 288 com.sun.net.ssl.internal.ssl.ClientHandshaker
1218: 4 288 org.apache.xerces.impl.xs.SchemaGrammar$BuiltinAttrDecl
1219: 6 288 org.opensaml.ws.security.provider.CertificateNameOptions
1220: 6 288 ch.qos.logback.core.rolling.helper.FileNamePattern
1221: 9 288 org.apache.xmlbeans.impl.schema.StscComplexTypeResolver$CodeForNameEntry
1222: 3 288 edu.internet2.middleware.shibboleth.common.config.attribute.resolver.principalConnector.TransientPrincipalConnectorFactoryBean
1223: 3 288 ch.qos.logback.core.rolling.DefaultTimeBasedFileNamingAndTriggeringPolicy
1224: 9 288 org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
1225: 2 288 org.apache.jasper.EmbeddedServletOptions
1226: 12 288 java.util.regex.Pattern$BranchConn
1227: 4 288 org.apache.xmlbeans.impl.regex.RegularExpression$Context
1228: 6 288 edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringNameIDEncoder
1229: 3 288 org.apache.tomcat.util.http.mapper.Mapper$Context
1230: 3 288 EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap
1231: 6 288 com.terracottatech.config.impl.QualifiedClassNameImpl
1232: 6 288 com.terracottatech.config.impl.NonBlankTokenImpl
1233: 7 280 java.net.NetPermission
1234: 1 280 org.apache.xmlbeans.impl.store.Xobj[]
1235: 5 280 com.tc.config.schema.repository.StandardBeanRepository
1236: 6 280 org.apache.xerces.xs.ShortList[]
1237: 7 280 java.util.regex.Pattern$6
1238: 7 280 org.apache.xerces.impl.XMLEntityManager$ByteBufferPool
1239: 5 280 javax.script.SimpleScriptContext
1240: 7 280 org.apache.xmlbeans.impl.regex.Token$ParenToken
1241: 7 280 org.apache.xerces.impl.XMLNSDocumentScannerImpl$NSContentDispatcher
1242: 7 280 com.tc.object.dna.impl.VersionizedDNAWrapper
1243: 2 272 sun.security.pkcs11.P11Key$P11RSAPrivateKey
1244: 1 272 edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution
1245: 11 264 java.text.NumberFormat$Field
1246: 11 264 org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher
1247: 11 264 org.apache.xerces.impl.xs.util.XInt
1248: 7 264 com.tc.net.core.ConnectionInfo[]
1249: 1 264 org.apache.catalina.core.StandardHost
1250: 3 264 java.util.regex.Matcher
1251: 2 264 java.math.BigDecimal[]
1252: 11 264 org.apache.xerces.impl.XMLDocumentScannerImpl$TrailingMiscDispatcher
1253: 1 264 org.apache.xerces.impl.dv.xs.TypeValidator[]
1254: 11 264 org.apache.xerces.impl.XMLDocumentScannerImpl$XMLDeclDispatcher
1255: 3 264 javax.management.openmbean.OpenMBeanOperationInfoSupport
1256: 11 264 org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher
1257: 8 256 com.tc.object.config.ConfigLockLevel
1258: 8 256 java.util.Hashtable$EntrySet
1259: 8 256 java.util.regex.Pattern$CharProperty$1
1260: 8 256 java.net.InetAddress[]
1261: 8 256 org.apache.catalina.util.InstanceSupport
1262: 2 256 edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.PrescopedAttributeDefinitionFactoryBean
1263: 1 256 edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler
1264: 8 256 com.tc.object.dna.api.LogicalAction
1265: 8 256 com.sun.net.ssl.internal.ssl.ExtensionType
1266: 8 256 sun.misc.URLClassPath$FileLoader
1267: 8 256 org.opensaml.xml.validation.ValidatorSuite
1268: 8 256 org.apache.catalina.core.StandardWrapperFacade
1269: 4 256 org.hyperic.sigar.Sigar
1270: 8 256 org.joda.time.chrono.BasicChronology$YearInfo
1271: 2 256 edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler$SAML2AuditLogEntry
1272: 4 256 org.bouncycastle.math.ec.ECPoint$Fp
1273: 8 256 org.bouncycastle.math.ec.ECFieldElement$Fp
1274: 1 256 org.apache.catalina.core.StandardEngine
1275: 7 248 java.beans.PropertyChangeListener[]
1276: 1 248 sun.security.pkcs11.SunPKCS11
1277: 7 248 java.io.ObjectStreamClass$ClassDataSlot[]
1278: 1 248 com.tc.net.core.CoreNIOServices
1279: 1 248 edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution
1280: 1 248 edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler
1281: 1 248 com.tc.object.ClientObjectManagerImpl
1282: 5 240 com.tc.config.schema.context.StandardConfigContext
1283: 2 240 edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.ArtifactResolutionConfiguration
1284: 3 240 org.apache.xerces.jaxp.DocumentBuilderImpl
1285: 5 240 org.apache.log4j.helpers.PatternParser$BasicPatternConverter
1286: 3 240 org.apache.catalina.util.Extension
1287: 3 240 org.knopflerfish.framework.ServiceRegistrationImpl
1288: 6 240 org.apache.catalina.startup.SetAllPropertiesRule
1289: 10 240 com.tc.net.groups.NodeIDSerializer
1290: 6 240 org.apache.velocity.app.event.ReferenceInsertionEventHandler$referenceInsertExecutor
1291: 5 240 java.io.FileWriter
1292: 6 240 com.tc.object.config.ConnectionInfoConfigItem
1293: 2 240 edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.AttributeQueryConfiguration
1294: 10 240 org.knopflerfish.framework.HeaderDictionary
1295: 5 240 org.springframework.context.support.DelegatingMessageSource
1296: 6 240 java.util.Timer
1297: 10 240 org.apache.catalina.util.StringManager
1298: 1 232 com.tc.object.DistributedObjectClient
1299: 1 232
edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler
1300: 7 224 java.net.InetAddress$CacheEntry
1301: 2 224 org.mozilla.javascript.gen.c7
1302: 4 224 ch.qos.logback.classic.pattern.LineSeparatorConverter
1303: 1 224 org.joda.time.format.DateTimeFormatter[]
1304: 4 224 org.opensaml.saml2.common.impl.ExtensionsUnmarshaller
1305: 7 224 org.apache.xml.security.keys.keyresolver.KeyResolver
1306: 2 224 org.apache.commons.collections.map.ReferenceIdentityMap
1307: 2 224 org.mozilla.javascript.gen.c2
1308: 2 224 java.io.ExpiringCache$1
1309: 4 224 sun.security.x509.PrivateKeyUsageExtension
1310: 4 224 ch.qos.logback.classic.pattern.MessageConverter
1311: 7 224 ch.qos.logback.classic.Level
1312: 4 224 short[][]
1313: 4 224 java.lang.Throwable
1314: 2 224 org.mozilla.javascript.gen.c5
1315: 2 224 org.apache.catalina.deploy.NamingResources
1316: 7 224 sun.security.x509.NetscapeCertTypeExtension$MapEntry
1317: 4 224 org.joda.time.tz.CachedDateTimeZone$Info
1318: 7 224 org.apache.xerces.impl.msg.XMLMessageFormatter
1319: 2 224 edu.vt.middleware.ldap.jaas.LdapLoginModule
1320: 2 224 org.apache.velocity.runtime.RuntimeInstance
1321: 1 224 org.apache.catalina.session.StandardManager
1322: 7 224
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDat
aConnector$AUTHENTICATION_TYPE
1323: 7 224 org.apache.xerces.impl.validation.ValidationManager
1324: 2 224 org.mozilla.javascript.gen.c8
1325: 1 216 org.apache.jk.common.ChannelSocket
1326: 3 216 java.io.BufferedReader
1327: 3 216 com.sun.jmx.remote.opt.util.ThreadService
1328: 1 216 org.springframework.web.context.support.XmlWebApplicationContext
1329: 1 216 com.tc.object.LiteralValues[]
1330: 9 216 org.opensaml.xml.signature.validator.CryptoBinarySchemaValidator
1331: 3 216 org.apache.log4j.varia.NullAppender
1332: 9 216 org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider
1333: 9 216 org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider
1334: 3 216 com.tc.object.change.TCChangeBufferImpl
1335: 1 216 org.apache.xerces.impl.xs.SchemaGrammar$Schema4Annotations
1336: 9 216 org.opensaml.xml.schema.validator.XSBase64BinarySchemaValidator
1337: 3 216 java.lang.ThreadGroup
1338: 9 216 com.tc.object.tx.TxnBatchID
1339: 2 208 java.text.Format[]
1340: 2 208 org.eclipse.jdt.internal.compiler.lookup.LocalVariableBinding[]
1341: 1 208
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.dataConnector.LdapData
ConnectorFactoryBean
1342: 2 208 com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl
1343: 2 208 org.apache.commons.collections.map.LRUMap
1344: 2 208 com.tc.object.dna.impl.DNAImpl
1345: 1 208 org.apache.xml.security.c14n.implementations.NameSpaceSymbEntry[]
1346: 2 208 org.opensaml.xml.parse.BasicParserPool
1347: 2 208 com.tc.util.properties.TCPropertyStore
1348: 1 208 org.apache.catalina.startup.Catalina
1349: 2 208 org.mozilla.javascript.NativeGenerator
1350: 1 208 org.apache.naming.resources.CacheEntry[]
1351: 5 200
org.springframework.context.support.AbstractApplicationContext$BeanPostProcessorChecker
1352: 5 200 sun.security.x509.Extension
1353: 5 200 org.apache.xerces.impl.xs.traversers.LargeContainer
1354: 5 200 org.apache.log4j.helpers.OnlyOnceErrorHandler
1355: 5 200 org.opensaml.xml.security.BasicSecurityConfiguration$DataEncryptionIndex
1356: 5 200 org.joda.time.format.DateTimeFormatterBuilder$FixedNumber
1357: 1 200 org.knopflerfish.framework.SystemBundle
1358: 4 192 org.apache.xmlbeans.impl.values.XmlNonNegativeIntegerImpl
1359: 8 192 org.apache.catalina.InstanceListener[]
1360: 3 192 sun.org.mozilla.javascript.internal.JavaMembers
1361: 1 192 com.tc.net.protocol.transport.ClientMessageTransport
1362: 4 192 java.nio.channels.SelectionKey[]
1363: 2 192
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Pres
copedAttributeDefinition
1364: 3 192 sun.org.mozilla.javascript.internal.ScriptableObject$GetterSlot
1365: 2 192 org.apache.jasper.compiler.JspRuntimeContext
1366: 4 192 org.opensaml.xacml.policy.impl.IdReferenceTypeUnmarshaller
1367: 6 192 com.tc.config.schema.dynamic.ConfigItem[]
1368: 2 192 org.mozilla.javascript.NativeArray
1369: 6 192 java.io.FileInputStream
1370: 8 192 java.util.regex.Pattern$CharPropertyNames$3
1371: 2 192 org.mozilla.javascript.NativeCall
1372: 4 192
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML1StringNameId
entifierEncoder
1373: 2 192 com.tc.util.concurrent.CopyOnWriteArrayMap
1374: 2 192 org.apache.jasper.compiler.JspConfig
1375: 3 192
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.Tra
nsientPrincipalConnector
1376: 4 192 com.sun.jmx.mbeanserver.OpenConverter$ArrayConverter
1377: 4 192 org.apache.tomcat.util.digester.RulesBase
1378: 6 192 java.util.TaskQueue
1379: 2 192 javax.security.auth.login.LoginContext
1380: 1 192 org.apache.catalina.realm.JAASRealm
1381: 4 192 org.apache.velocity.util.introspection.IntrospectorCacheImpl
1382: 6 192 java.security.CodeSigner[]
1383: 1 192 com.tc.util.ProductInfo
1384: 4 192 org.apache.naming.NamingContext
1385: 6 192 com.tc.asm.commons.Method
1386: 6 192 org.joda.time.field.PreciseDurationField
1387: 3 192 com.sun.jmx.remote.opt.internal.ListenerInfo
1388: 8 192 com.tc.net.protocol.transport.MessageTransportState
1389: 6 192 sun.reflect.generics.tree.Wildcard
1390: 3 192 com.tc.config.schema.dynamic.StringArrayXPathBasedConfigItem
1391: 4 192 org.apache.xerces.jaxp.SAXParserFactoryImpl
1392: 4 192 com.sun.phobos.script.javascript.ExternalScriptable
1393: 4 192 org.opensaml.xml.util.ListView
1394: 8 192 javax.script.SimpleBindings
1395: 4 192 com.tc.object.tx.TransactionBatchAccounting$BatchDescriptor
1396: 6 192 java.util.IdentityHashMap$KeySet
1397: 2 192 org.mozilla.javascript.NativeScript
1398: 4 192 org.joda.time.field.RemainderDateTimeField
1399: 3 192 java.util.concurrent.ConcurrentHashMap$KeyIterator
1400: 2 192 com.sun.jndi.ldap.ext.StartTlsResponseImpl
1401: 1 184 org.apache.xmlbeans.impl.store.Locale
1402: 1 184 org.apache.xerces.impl.xpath.regex.RegularExpression[]
1403: 1 184 net.sourceforge.yamlbeans.tokenizer.TokenType[]
1404: 1 184 com.tc.object.ClientObjectManagerImpl$2
1405: 1 184 org.apache.catalina.connector.Connector
1406: 1 184 org.apache.jk.core.JkHandler[]
1407: 1 176 javax.management.remote.generic.GenericConnectorServer$Receiver
1408: 2 176 sun.security.pkcs11.P11Key$P11DSAPublicKey
1409: 4 176 org.apache.xmlbeans.SchemaStringEnumEntry[]
1410: 2 176 org.apache.catalina.startup.CallMethodMultiRule
1411: 2 176 org.apache.velocity.runtime.parser.node.ASTprocess
1412: 2 176 javax.management.openmbean.TabularType
1413: 2 176 org.mozilla.javascript.ImporterTopLevel
1414: 11 176 org.apache.xerces.jaxp.datatype.DatatypeFactoryImpl
1415: 1 176 org.apache.catalina.startup.Catalina$CatalinaShutdownHook
1416: 2 176 org.apache.catalina.core.NamingContextListener
1417: 2 176 ch.qos.logback.core.rolling.helper.PeriodicityType[]
1418: 1 176 java.util.logging.LogManager$Cleaner
1419: 2 176 org.mozilla.javascript.BaseFunction
1420: 1 176 com.tc.object.RemoteObjectManagerImpl
1421: 1 168 sun.security.smartcardio.SunPCSC
1422: 1 168 sun.security.util.ObjectIdentifier[]
1423: 1 168 org.bouncycastle.jce.provider.BouncyCastleProvider
1424: 7 168 com.tc.config.schema.listen.ConfigurationChangeListenerSet
1425: 1 168 org.jcp.xml.dsig.internal.dom.XMLDSigRI
1426: 1 168 sun.security.provider.Sun
1427: 1 168 sun.security.rsa.SunRsaSign
1428: 1 168 java.lang.Byte[][]
1429: 1 168 com.tc.aspectwerkz.expression.ast.ExpressionParser$JJCalls[]
1430: 1 168 java.lang.ref.Finalizer$FinalizerThread
1431: 1 168 com.sun.net.ssl.internal.ssl.Provider
1432: 7 168 org.apache.xerces.util.ErrorHandlerWrapper
1433: 7 168 sun.awt.EventListenerAggregate
1434: 7 168
edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartySecurityPolicyResolver
1435: 1 168 com.tc.net.protocol.tcm.ClientMessageChannelImpl
1436: 1 168 sun.security.pkcs11.Token
1437: 3 168 java.lang.ThreadGroup[]
1438: 1 168 com.sun.security.sasl.Provider
1439: 3 168 java.util.IdentityHashMap$EntryIterator
1440: 1 168 com.sun.crypto.provider.SunJCE
1441: 1 168 java.lang.ref.Reference$ReferenceHandler
1442: 7 168 com.tc.util.SequenceID
1443: 3 168 org.apache.commons.ssl.TrustMaterial
1444: 3 168 com.tc.stats.counter.sampled.SampledCounterImpl$1
1445: 3 168 com.tc.util.AATreeSet
1446: 7 168 com.tc.object.config.TransparencyCodeSpecImpl
1447: 7 168 com.tc.aspectwerkz.DeploymentModel
1448: 1 168 sun.security.jca.ProviderList$1
1449: 7 168 com.tc.aspectwerkz.expression.PointcutType
1450: 2 160 org.mozilla.javascript.NativeBoolean
1451: 4 160 org.apache.xmlbeans.SchemaGlobalElement$Ref
1452: 2 160 org.apache.jasper.compiler.JspReader
1453: 5 160 org.springframework.context.event.SimpleApplicationEventMulticaster
1454: 2 160 org.mozilla.javascript.NativeDate
1455: 2 160 org.mozilla.javascript.NativeJavaTopPackage
1456: 2 160 com.sun.jmx.mbeanserver.MBeanIntrospector$PerInterfaceMap
1457: 4 160 com.tc.management.TerracottaManagement$MBeanDomain
1458: 1 160 org.eclipse.jdt.internal.compiler.CompilationResult
1459: 2 160 org.mozilla.javascript.NativeIterator
1460: 4 160 sun.misc.JarIndex
1461: 4 160 sun.misc.Cache
1462: 1 160 sun.security.pkcs11.wrapper.CK_TOKEN_INFO
1463: 4 160 com.tc.license.Capability
1464: 3 160 java.lang.management.MemoryPoolMXBean[]
1465: 1 160 org.apache.xmlbeans.impl.store.Xobj$DocumentXobj
1466: 6 160 org.apache.catalina.Container[]
1467: 1 160 javax.management.remote.generic.GenericConnectorServer
1468: 4 160 org.apache.naming.NamingEntry
1469: 1 160 com.tc.object.bytecode.ManagerImpl
1470: 1 160 sun.security.pkcs11.Config
1471: 5 160 sun.security.jca.ServiceId
1472: 4 160 org.apache.xerces.impl.XMLEntityManager$InternalEntity
1473: 4 160 org.opensaml.saml2.common.impl.ExtensionsMarshaller
1474: 2 160 org.springframework.beans.factory.config.MapFactoryBean
1475: 2 160 org.mozilla.javascript.NativeNumber
1476: 4 160 java.io.BufferedOutputStream
1477: 2 160 org.apache.catalina.core.ApplicationDispatcher$State
1478: 2 160 org.mozilla.javascript.NativeJavaClass
1479: 4 160 java.net.InetAddress
1480: 5 160 com.sun.net.ssl.internal.ssl.ProtocolVersion
1481: 2 160 com.tc.object.cache.CacheManager$CacheStatistics
1482: 4 160 org.apache.jasper.compiler.Node$Nodes
1483: 4 160 com.tc.util.concurrent.SetOnceRef
1484: 5 160 org.joda.time.convert.ConverterSet
1485: 2 160 ch.qos.logback.classic.pattern.DateConverter
1486: 5 160 org.springframework.core.NamedThreadLocal
1487: 4 160 com.sun.jndi.ldap.BerDecoder
1488: 2 160 org.apache.catalina.core.ApplicationDispatcher
1489: 5 160 ch.qos.logback.core.util.AggregationType
1490: 5 160 org.joda.time.format.DateTimeFormatterBuilder$Fraction
1491: 4 160 sun.security.util.MemoryCache
1492: 5 160 com.sun.jmx.remote.util.ClassLogger
1493: 2 160 org.apache.catalina.mbeans.NamingResourcesMBean
1494: 1 160 int[][][]
1495: 4 160 org.opensaml.xacml.policy.impl.IdReferenceTypeMarshaller
1496: 2 160 org.mozilla.javascript.NativeString
1497: 2 160 com.sun.jmx.mbeanserver.MBeanIntrospector$MBeanInfoMap
1498: 1 152 sun.misc.Launcher$ExtClassLoader
1499: 6 144 org.opensaml.xml.schema.validator.XSStringSchemaValidator
1500: 1 144 org.apache.catalina.loader.StandardClassLoader
1501: 6 144 java.util.logging.ErrorManager
1502: 3 144 java.util.AbstractList$ListItr
1503: 2 144
edu.internet2.middleware.shibboleth.common.config.security.ChainingTrustEngineFactoryBean
1504: 2 144 org.mozilla.javascript.NativeObject
1505: 3 144 org.apache.xmlbeans.impl.store.Cursor
1506: 2 144 org.apache.xmlbeans.impl.store.Locale$nthCache
1507: 3 144 org.opensaml.xacml.policy.impl.DefaultsTypeUnmarshaller
1508: 1 144 sun.nio.ch.ServerSocketChannelImpl
1509: 3 144 org.knopflerfish.framework.PropertiesDictionary
1510: 2 144 com.tc.stats.counter.sampled.derived.SampledRateCounterImpl
1511: 1 144 com.tc.object.tx.RemoteTransactionManagerImpl
1512: 2 144 com.tc.config.schema.dynamic.SubstitutedFileXPathBasedConfigItem
1513: 1 144 org.knopflerfish.framework.Framework
1514: 2 144 com.tc.object.bytecode.DelegateMethodAdapter
1515: 1 144 com.sun.net.ssl.internal.ssl.CipherSuite$KeyExchange[]
1516: 6 144 com.tc.handler.CallbackStartupExceptionLoggingAdapter
1517: 3 144 org.apache.xerces.impl.dv.xs.QNameDV$XQName
1518: 3 144 java.util.RegularEnumSet
1519: 3 144 ch.qos.logback.core.spi.AppenderAttachableImpl
1520: 6 144 com.tc.aspectwerkz.aspect.AdviceType
1521: 4 144 com.tc.config.schema.L2ConfigForL1$L2Data[]
1522: 2 144 org.mozilla.javascript.NativeIterator$StopIteration
1523: 3 144 java.util.RandomAccessSubList
1524: 1 144 java.net.URLClassLoader
1525: 1 144 org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider
1526: 2 144
edu.internet2.middleware.shibboleth.common.config.security.ChainingSignatureTrustEngineFac
toryBean
1527: 6 144 com.tc.management.TerracottaManagement$Type
1528: 3 144 com.tc.object.lockmanager.api.LockRequest
1529: 6 144 com.tc.management.TerracottaManagement$Subsystem
1530: 2 144 org.mozilla.javascript.NativeMath
1531: 1 144 com.tc.config.schema.setup.StandardL1TVSConfigurationSetupManager
1532: 3 144 org.opensaml.saml2.core.impl.SubjectConfirmationDataUnmarshaller
1533: 6 144 java.security.spec.ECGenParameterSpec
1534: 1 144
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.Mappe
dAttributeDefinitionFactoryBean
1535: 6 144 java.util.regex.Pattern$CharPropertyNames$2
1536: 1 144 javax.management.remote.generic.ServerIntermediary
1537: 3 144 com.tcclient.cluster.DsoNodeImpl
1538: 6 144 java.util.Timer$1
1539: 3 144 com.sun.jmx.mbeanserver.OpenConverter$EnumConverter
1540: 3 144 org.joda.time.field.OffsetDateTimeField
1541: 1 144 sun.misc.Launcher$AppClassLoader
1542: 3 144 ch.qos.logback.core.rolling.helper.DefaultArchiveRemover
1543: 3 144 org.apache.juli.ClassLoaderLogManager$ClassLoaderLogInfo
1544: 2 144 org.mozilla.javascript.ObjArray
1545: 3 144 org.opensaml.xml.schema.impl.XSQNameUnmarshaller
1546: 1 144 com.tc.management.L1Info
1547: 1 136 javax.management.openmbean.SimpleType[]
1548: 1 136
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRes
olver
1549: 1 136
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDat
aConnector
1550: 1 136 edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager
1551: 2 128
edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationRes
olver
1552: 1 128 org.apache.log4j.RollingFileAppender
1553: 4 128 javax.servlet.http.HttpSessionEvent
1554: 2 128 org.apache.catalina.startup.CallParamMultiRule
1555: 2 128 com.sun.jmx.mbeanserver.OpenConverter$TabularConverter
1556: 1 128
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.Transi
entIdAttributeDefinitionFactoryBean
1557: 1 128 com.tc.management.L1Management
1558: 8 128 org.opensaml.xacml.profile.saml.impl.ReferencedPoliciesTypeImplBuilder
1559: 1 128 com.tc.net.protocol.transport.TransportMessageImpl
1560: 4 128 ch.qos.logback.core.UnsynchronizedAppenderBase$1
1561: 1 128 com.sun.jmx.remote.opt.util.ClassLoaderWithRepository
1562: 1 128 org.apache.catalina.core.StandardService
1563: 1 128 com.tc.management.beans.tx.ClientTxMonitor
1564: 2 128 org.apache.velocity.runtime.VelocimacroFactory
1565: 2 128 org.apache.jasper.servlet.JspServlet
1566: 2 128
org.apache.velocity.app.event.InvalidReferenceEventHandler$InvalidGetMethodExecutor
1567: 2 128 org.apache.velocity.runtime.directive.Foreach
1568: 8 128
org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionQueryTypeImplBuilder
1569: 2 128 sun.security.jca.ProviderConfig[]
1570: 2 128 java.io.InvalidClassException
1571: 2 128 org.opensaml.security.MetadataCredentialResolver
1572: 4 128 sun.security.pkcs11.wrapper.Functions$Flags
1573: 1 128
edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCon
figurationManager
1574: 1 128 sun.reflect.misc.MethodUtil
1575: 2 128 sun.security.provider.DSAPublicKeyImpl
1576: 2 128 java.text.MessageFormat
1577: 4 128 com.tc.util.LazyMap$LazyEntryIterator
1578: 4 128 org.apache.tomcat.util.res.StringManager
1579: 2 128 sun.nio.ch.SelectionKeyImpl
1580: 2 128 org.apache.velocity.runtime.resource.ResourceManagerImpl
1581: 1 128 org.apache.catalina.core.StandardServer
1582: 1 128 org.apache.catalina.loader.WebappLoader
1583: 8 128
org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeImplBuilder
1584: 2 128 java.util.concurrent.ConcurrentHashMap$ValueIterator
1585: 4 128 org.apache.xerces.impl.XMLDocumentScannerImpl$ContentDispatcher
1586: 8 128 org.opensaml.xacml.policy.impl.AttributeDesignatorTypeImplBuilder
1587: 4 128 com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob
1588: 2 128 ch.qos.logback.classic.pattern.LoggerConverter
1589: 1 128 org.apache.jk.common.HandlerRequest
1590: 1 128
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.Scope
dAttributeDefinitionFactoryBean
1591: 4 128 org.apache.velocity.util.introspection.Introspector
1592: 1 128 com.tc.net.protocol.delivery.SendStateMachine
1593: 4 128 java.text.Normalizer$Form
1594: 8 128 org.opensaml.xacml.profile.saml.impl.XACMLPolicyStatementTypeImplBuilder
1595: 8 128 org.opensaml.xacml.profile.saml.impl.XACMLPolicyQueryTypeImplBuilder
1596: 4 128 ch.qos.logback.core.pattern.parser.Token
1597: 4 128 org.springframework.core.io.support.PathMatchingResourcePatternResolver
1598: 4 128 com.terracottatech.config.LockLevel$Enum
1599: 4 128 com.tc.util.sequence.SequenceBatch
1600: 2 128 org.apache.catalina.mbeans.MBeanFactory
1601: 2 128 org.apache.velocity.app.event.EventCartridge
1602: 2 128 org.apache.commons.collections.map.AbstractLinkedMap$LinkEntry
1603: 8 128 EDU.oswego.cs.dl.util.concurrent.ConcurrentReaderHashMap$BarrierLock
1604: 1 128 com.tc.net.protocol.transport.ConnectionHealthCheckerContextImpl
1605: 1 120 com.tc.net.protocol.delivery.OnceAndOnlyOnceProtocolNetworkLayerImpl
1606: 1 120 org.apache.commons.lang.builder.ToStringStyle$SimpleToStringStyle
1607: 5 120 sun.nio.ch.SocketOptsImpl$IP$TCP
1608: 5 120 java.util.Collections$EmptySet$1
1609: 1 120 org.apache.commons.lang.builder.ToStringStyle$MultiLineToStringStyle
1610: 3 120 ch.qos.logback.core.joran.action.AppenderRefAction
1611: 5 120 com.tc.object.dna.impl.ObjectStringSerializer$SerializeProcedure
1612: 3 120 java.security.CodeSigner
1613: 1 120
edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilt
eringEngine
1614: 3 120 com.tc.config.schema.L2ConfigForL1$L2Data
1615: 1 120 org.apache.jk.server.JkMain
1616: 1 120 sun.nio.ch.DevPollSelectorImpl
1617: 3 120 org.opensaml.xml.schema.impl.XSQNameMarshaller
1618: 5 120 org.opensaml.saml2.metadata.ContactPersonTypeEnumeration
1619: 3 120 java.security.SecurityPermission
1620: 3 120 org.opensaml.saml2.core.impl.SubjectConfirmationDataMarshaller
1621: 3 120 com.tc.util.concurrent.CircularLossyQueue
1622: 5 120 java.nio.channels.spi.AbstractInterruptibleChannel$1
1623: 5 120 org.springframework.context.support.ApplicationContextAwareProcessor
1624: 3 120 javax.security.auth.login.AppConfigurationEntry
1625: 3 120 javax.management.NotificationBroadcasterSupport$ListenerInfo
1626: 3 120 org.opensaml.xacml.policy.impl.DefaultsTypeMarshaller
1627: 3 120 org.apache.velocity.context.InternalContextAdapterImpl
1628: 1 120 com.tc.net.core.TCListenerJDK14
1629: 1 120 org.apache.commons.lang.builder.ToStringStyle$NoFieldNameToStringStyle
1630: 2 120
org.apache.xmlbeans.impl.schema.StscComplexTypeResolver$CodeForNameEntry[]
1631: 3 120 sun.org.mozilla.javascript.internal.LazilyLoadedCtor
1632: 1 120 com.tc.object.tx.ClientTransactionManagerImpl
1633: 5 120 sun.security.x509.RFC822Name
1634: 3 120 ch.qos.logback.classic.joran.action.LevelAction
1635: 5 120 org.apache.log4j.helpers.AppenderAttachableImpl
1636: 1 120 org.apache.commons.lang.builder.ToStringStyle$DefaultToStringStyle
1637: 5 120
org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver
1638: 5 120 sun.nio.ch.OptionAdaptor
1639: 3 120 java.util.SubList$1
1640: 1 120 java.util.logging.LogManager$RootLogger
1641: 3 120 org.apache.xerces.impl.xpath.regex.Token$ClosureToken
1642: 3 120 org.joda.time.field.ScaledDurationField
1643: 3 120 sun.security.pkcs11.Secmod$DbMode
1644: 1 120 com.tc.net.protocol.tcm.CommunicationsManagerImpl
1645: 5 120 org.apache.xml.serializer.CharInfo$CharKey
1646: 1 120 com.tc.object.tx.TransactionSequencer
1647: 3 120 ch.qos.logback.core.rolling.helper.Compressor
1648: 1 120 ch.qos.logback.classic.LoggerContext
1649: 1 120
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Tran
sientIdAttributeDefinition
1650: 5 120 org.springframework.util.AntPathMatcher
1651: 5 120 org.springframework.beans.support.ResourceEditorRegistrar
1652: 1 120 com.tc.net.protocol.transport.ServerStackProvider
1653: 1 120 com.tc.object.ClusterMetaDataManagerImpl
1654: 2 112 com.tc.object.lockmanager.api.LockContext
1655: 2 112 java.io.IOException
1656: 2 112 com.tc.license.Capability[]
1657: 1 112 org.apache.naming.resources.ProxyDirContext
1658: 1 112 org.eclipse.jdt.internal.compiler.lookup.ProblemReferenceBinding
1659: 2 112 org.joda.time.field.DividedDateTimeField
1660: 2 112 org.opensaml.saml1.core.impl.AuthorizationDecisionStatementUnmarshaller
1661: 1 112 org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider
1662: 1 112 com.tc.statistics.beans.impl.StatisticsEmitterMBeanImpl
1663: 1 112 com.tc.object.handshakemanager.ClientHandshakeManagerImpl
1664: 1 112 org.apache.commons.httpclient.HttpConnection
1665: 1 112 org.apache.jk.server.JkCoyoteHandler
1666: 2 112 com.sun.jmx.mbeanserver.OpenConverter$CollectionConverter
1667: 2 112 org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
1668: 2 112 org.bouncycastle.jce.provider.JCEECPublicKey
1669: 2 112 org.apache.xerces.xni.QName[][]
1670: 2 112
edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter
1671: 1 112 ch.qos.logback.core.ConsoleAppender
1672: 2 112 com.tc.net.core.event.TCConnectionEventCaller
1673: 2 112 org.apache.log4j.helpers.PatternParser$DatePatternConverter
1674: 2 112 sun.management.GarbageCollectorImpl
1675: 2 112 org.mozilla.javascript.ClassCache
1676: 2 112 org.apache.log4j.PatternLayout
1677: 1 112 org.springframework.beans.factory.support.ManagedProperties
1678: 1 112 java.util.ResourceBundle$RBClassLoader
1679: 2 112 com.sun.phobos.script.javascript.RhinoScriptEngine
1680: 1 112 com.tc.object.loaders.StandardClassProvider$RemovedClassLoader
1681: 1 112 org.mozilla.javascript.gen.c3
1682: 1 112
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.dataConnector.Computed
IDDataConnectorFactoryBean
1683: 2 112 org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
1684: 2 112 ch.qos.logback.classic.pattern.LevelConverter
1685: 2 112 org.apache.xmlbeans.impl.store.Locale$domNthCache
1686: 1 112 org.mozilla.javascript.gen.c6
1687: 7 112 org.apache.xerces.impl.dv.dtd.DTDDVFactoryImpl
1688: 1 104 org.apache.xerces.dom.CoreDOMImplementationImpl
1689: 1 104 java.util.logging.ConsoleHandler
1690: 1 104
edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML1AttributeAut
hority
1691: 1 104 org.apache.xerces.impl.xs.SchemaGrammar$XSAnyType
1692: 1 104 org.apache.xerces.dom.DOMImplementationImpl
1693: 1 104 java.lang.Runnable[]
1694: 1 104 org.apache.xerces.dom.DeferredDOMImplementationImpl
1695: 1 104 org.apache.xerces.impl.xs.util.XInt[]
1696: 1 104
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.Map
pedAttributeDefinition
1697: 1 104 org.apache.log4j.ConsoleAppender
1698: 1 104 com.tc.config.TcProperty[]
1699: 1 104 org.opensaml.xml.security.BasicSecurityConfiguration
1700: 4 104 org.eclipse.jdt.internal.compiler.lookup.ReferenceBinding[]
1701: 1 104
edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAut
hority
1702: 1 104 net.sourceforge.yamlbeans.parser.EventType[]
1703: 2 96 org.opensaml.saml2.core.impl.AuthzDecisionStatementUnmarshaller
1704: 1 96 org.apache.xmlbeans.impl.regex.SchemaRegularExpression$2
1705: 2 96 java.security.AlgorithmParameters
1706: 2 96 org.opensaml.saml2.core.impl.IDPEntryUnmarshaller
1707: 2 96 org.opensaml.saml2.core.impl.ProxyRestrictionUnmarshaller
1708: 2 96 org.opensaml.xacml.ctx.impl.MissingAttributeDetailTypeUnmarshaller
1709: 1 96 org.hyperic.sigar.SigarLoader
1710: 2 96 org.opensaml.xacml.ctx.impl.DecisionTypeUnmarshaller
1711: 3 96 sun.security.util.BitArray
1712: 2 96 org.opensaml.saml2.core.impl.AssertionIDRequestUnmarshaller
1713: 2 96 com.tc.net.protocol.delivery.StateMachineRunner
1714: 2 96 org.opensaml.xacml.policy.impl.CombinerParametersTypeUnmarshaller
1715: 4 96 javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag
1716: 2 96 org.apache.velocity.runtime.directive.Include
1717: 2 96 org.opensaml.saml2.metadata.impl.EntityDescriptorUnmarshaller
1718: 2 96 org.opensaml.saml1.core.impl.SubjectUnmarshaller
1719: 2 96 org.opensaml.saml2.metadata.impl.PDPDescriptorUnmarshaller
1720: 2 96 org.opensaml.xacml.policy.impl.ResourceTypeUnmarshaller
1721: 2 96 org.opensaml.xacml.policy.impl.ActionTypeUnmarshaller
1722: 2 96 org.opensaml.saml1.core.impl.AuthenticationStatementUnmarshaller
1723: 2 96 org.opensaml.saml1.core.impl.StatusUnmarshaller
1724: 2 96 org.opensaml.saml1.core.impl.AudienceRestrictionConditionUnmarshaller
1725: 2 96 org.opensaml.saml2.core.impl.TerminateUnmarshaller
1726: 2 96 org.opensaml.xacml.policy.impl.ApplyTypeUnmarshaller
1727: 1 96 org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder
1728: 2 96 org.opensaml.saml2.core.impl.AttributeQueryUnmarshaller
1729: 2 96 org.opensaml.xacml.policy.impl.AttributeSelectorTypeUnmarshaller
1730: 3 96 com.tc.object.change.event.PhysicalChangeEvent
1731: 2 96 org.opensaml.xacml.policy.impl.ObligationTypeUnmarshaller
1732: 3 96
edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequireme
ntLevel
1733: 1 96 sun.org.mozilla.javascript.internal.NativeScript
1734: 3 96 EDU.oswego.cs.dl.util.concurrent.CopyOnWriteArraySet
1735: 2 96 org.opensaml.saml2.metadata.impl.IDPSSODescriptorUnmarshaller
1736: 2 96 java.io.ExpiringCache
1737: 2 96 org.opensaml.xml.schema.impl.XSURIUnmarshaller
1738: 3 96 sun.security.provider.certpath.X509CertPath
1739: 2 96 org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator
1740: 2 96 org.opensaml.xacml.policy.impl.RuleTypeUnmarshaller
1741: 1 96 com.tc.statistics.beans.impl.StatisticsManagerMBeanImpl
1742: 2 96 org.opensaml.saml2.metadata.impl.AuthnAuthorityDescriptorUnmarshaller
1743: 2 96 org.opensaml.saml2.core.impl.ArtifactResolveUnmarshaller
1744: 2 96 EDU.oswego.cs.dl.util.concurrent.LinkedQueue
1745: 3 96 ch.qos.logback.core.spi.FilterReply
1746: 2 96 org.opensaml.saml1.core.impl.AuthorizationDecisionQueryUnmarshaller
1747: 3 96 com.tc.object.tx.TimerSpec$Signature
1748: 3 96 EDU.oswego.cs.dl.util.concurrent.SynchronizedRef
1749: 2 96 com.sun.net.ssl.internal.ssl.SSLSessionContextImpl
1750: 2 96
edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequireme
ntLevel[]
1751: 2 96 org.opensaml.xacml.policy.impl.SubjectTypeUnmarshaller
1752: 2 96 org.opensaml.xacml.ctx.impl.ResourceTypeUnmarshaller
1753: 1 96 org.apache.xerces.impl.xpath.regex.RegularExpression
1754: 1 96 com.sun.script.javascript.RhinoTopLevel
1755: 2 96 org.opensaml.saml2.metadata.impl.AdditionalMetadataLocationUnmarshaller
1756: 2 96 org.opensaml.saml2.metadata.impl.ContactPersonUnmarshaller
1757: 2 96 org.opensaml.xacml.policy.impl.FunctionTypeUnmarshaller
1758: 2 96 org.opensaml.saml2.core.impl.EvidenceUnmarshaller
1759: 2 96 org.opensaml.xacml.policy.impl.PolicySetCombinerParametersTypeUnmarshaller
1760: 2 96 org.opensaml.xacml.policy.impl.ConditionTypeUnmarshaller
1761: 2 96 org.opensaml.saml2.core.impl.ArtifactResponseUnmarshaller
1762: 4 96 net.sourceforge.yamlbeans.parser.Event
1763: 2 96 org.opensaml.saml1.core.impl.AssertionUnmarshaller
1764: 2 96 org.opensaml.saml2.metadata.impl.EntityDescriptorMarshaller
1765: 2 96 org.opensaml.saml2.metadata.impl.AffiliationDescriptorUnmarshaller
1766: 2 96 org.opensaml.saml2.core.impl.AttributeUnmarshaller
1767: 2 96 org.opensaml.saml1.core.impl.NameIdentifierUnmarshaller
1768: 2 96 org.opensaml.saml1.core.impl.AttributeQueryUnmarshaller
1769: 2 96 org.opensaml.xacml.ctx.impl.AttributeTypeUnmarshaller
1770: 6 96 org.apache.naming.NameParserImpl
1771: 2 96 org.opensaml.saml2.metadata.impl.KeyDescriptorUnmarshaller
1772: 2 96 org.opensaml.saml1.core.impl.AttributeUnmarshaller
1773: 2 96 org.opensaml.saml2.core.impl.RequestedAuthnContextUnmarshaller
1774: 3 96 org.opensaml.common.SAMLVersion
1775: 1 96
edu.internet2.middleware.shibboleth.common.config.attribute.resolver.dataConnector.StaticData
ConnectorFactoryBean
1776: 2 96 org.opensaml.saml2.core.impl.StatusUnmarshaller
1777: 1 96 com.tc.net.protocol.tcm.NetworkListenerImpl
1778: 2 96 org.opensaml.saml2.metadata.impl.OrganizationUnmarshaller
1779: 3 96 sun.misc.Signal
1780: 3 96 sun.util.resources.LocaleData$1
1781: 2 96 org.opensaml.saml2.core.impl.ManageNameIDResponseUnmarshaller
1782: 2 96 org.opensaml.saml1.core.impl.SubjectLocalityUnmarshaller
1783: 2 96 org.opensaml.xacml.ctx.impl.StatusCodeTypeUnmarshaller
1784: 2 96 org.opensaml.saml2.core.impl.OneTimeUseUnmarshaller
1785: 2 96 org.opensaml.saml1.core.impl.AuthorityBindingUnmarshaller
1786: 2 96 org.opensaml.xacml.policy.impl.VariableDefinitionTypeUnmarshaller
1787: 3 96 org.opensaml.util.resource.ResourceChangeListener$ResourceChange
1788: 2 96 org.apache.commons.httpclient.auth.AuthScope
2060: 2 80 org.opensaml.saml1.core.impl.AuthenticationStatementMarshaller
2061: 2 80 java.lang.management.ManagementPermission
2062: 2 80 org.opensaml.xml.schema.impl.XSURIMarshaller
2063: 2 80 org.opensaml.xacml.policy.impl.CombinerParameterTypeMarshaller
2064: 2 80 org.opensaml.saml2.core.impl.AttributeQueryMarshaller
2065: 2 80 org.opensaml.xacml.policy.impl.SubjectTypeMarshaller
2066: 2 80 org.opensaml.saml2.metadata.impl.AdditionalMetadataLocationMarshaller
2067: 1 80 com.tc.net.protocol.transport.ClientConnectionEstablisher
2068: 5 80 org.springframework.core.task.SyncTaskExecutor
2069: 2 80 org.opensaml.xacml.policy.impl.ActionsTypeMarshaller
2070: 2 80 org.opensaml.xacml.policy.impl.CombinerParametersTypeMarshaller
2071: 1 80
com.tc.net.protocol.transport.ConnectionHealthCheckerImpl$HealthCheckerMonitorThreadEngi
ne
2072: 2 80 org.opensaml.saml2.core.impl.ManageNameIDResponseMarshaller
2073: 5 80 sun.net.www.protocol.jar.Handler
2074: 2 80 com.tc.object.config.TimCapability[]
2075: 2 80 org.opensaml.saml2.core.impl.NameIDMappingResponseMarshaller
2076: 2 80 com.sun.jmx.remote.opt.security.AdminServer
2077: 2 80 org.opensaml.saml2.metadata.impl.OrganizationMarshaller
2078: 2 80 org.opensaml.xacml.policy.impl.AttributeSelectorTypeMarshaller
2079: 2 80 org.opensaml.saml2.core.impl.ConditionsMarshaller
2080: 2 80 org.opensaml.saml2.core.impl.OneTimeUseMarshaller
2081: 2 80 org.opensaml.saml1.core.impl.AdviceMarshaller
2082: 2 80 org.opensaml.saml1.core.impl.ConditionsMarshaller
2083: 2 80 org.opensaml.xacml.policy.impl.EnvironmentMatchTypeMarshaller
2084: 2 80 org.opensaml.xacml.policy.impl.ApplyTypeMarshaller
2085: 2 80 org.opensaml.xacml.policy.impl.ResourceTypeMarshaller
2086: 2 80 org.opensaml.saml2.core.impl.AuthnStatementMarshaller
2087: 2 80
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet$Simple
CallbackHandler
2088: 2 80 org.opensaml.xacml.policy.impl.ResourcesTypeMarshaller
2089: 1 80 com.tc.management.beans.logging.InstrumentationLogging
2090: 2 80 org.opensaml.saml2.core.impl.NameIDMarshaller
2091: 1 80 com.tc.config.schema.L2ConfigForL1Object$2
2092: 2 80 org.apache.velocity.runtime.directive.Literal
2093: 1 80 edu.internet2.middleware.shibboleth.idp.StatusServlet
2094: 2 80 javax.security.auth.AuthPermission
2095: 1 80 com.tc.object.config.schema.NewDSOApplicationConfigObject
2096: 2 80 org.opensaml.saml1.core.impl.AuthorizationDecisionQueryMarshaller
2097: 2 80 com.tc.net.protocol.tcm.TCMessageFactoryImpl
2098: 2 80 org.opensaml.saml1.core.impl.EvidenceMarshaller
2099: 2 80 org.opensaml.saml2.core.impl.AuthnQueryMarshaller
2100: 2 80 org.opensaml.xacml.policy.impl.ObligationsTypeMarshaller
2101: 1 80 com.tc.lang.TCThreadGroup
2102: 2 80 org.opensaml.saml1.core.impl.AttributeStatementMarshaller
2103: 2 80 org.opensaml.xacml.policy.impl.VariableDefinitionTypeMarshaller
2104: 2 80 org.opensaml.xacml.policy.impl.AttributeValueTypeMarshaller
2105: 2 80 sun.security.jca.ProviderList
2106: 2 80 org.opensaml.xml.schema.impl.XSAnyMarshaller
2107: 2 80 org.opensaml.saml2.core.impl.AuthnContextMarshaller
2108: 2 80 edu.internet2.middleware.shibboleth.idp.util.IPRange
2109: 2 80 org.opensaml.saml2.metadata.impl.KeyDescriptorMarshaller
2110: 2 80 org.opensaml.saml2.core.impl.ScopingMarshaller
2111: 2 80 org.opensaml.saml1.core.impl.StatusMarshaller
2112: 1 80 org.knopflerfish.framework.StartLevelImpl
2113: 2 80 org.opensaml.saml2.core.impl.SubjectConfirmationMarshaller
2114: 2 80 org.apache.catalina.deploy.ErrorPage
2115: 1 80 sun.org.mozilla.javascript.internal.NativeDate
2116: 2 80 org.opensaml.saml1.core.impl.AttributeQueryMarshaller
2117: 2 80 com.sun.net.ssl.internal.ssl.EphemeralKeyManager$EphemeralKeyPair
2118: 2 80 org.opensaml.saml2.core.impl.ManageNameIDRequestMarshaller
2119: 1 80 org.opensaml.saml2.binding.decoding.HTTPSOAP11Decoder
2120: 2 80 org.apache.tomcat.util.http.mapper.Mapper
2121: 2 80 org.opensaml.xacml.ctx.impl.ActionTypeMarshaller
2122: 2 80 org.opensaml.saml2.core.impl.RequestedAuthnContextMarshaller
2123: 1 80 org.knopflerfish.framework.Packages
2124: 1 80 sun.security.validator.PKIXValidator
2125: 2 80 javax.security.auth.callback.NameCallback
2126: 2 80 org.opensaml.saml2.core.impl.StatusDetailMarshaller
2127: 2 80 org.opensaml.xacml.ctx.impl.StatusCodeTypeMarshaller
2128: 2 80 com.tc.util.ObjectIDSet
2129: 2 80 org.opensaml.saml1.core.impl.AuthorizationDecisionStatementMarshaller
2130: 1 80 com.tc.management.beans.logging.RuntimeLogging
2131: 2 80 org.opensaml.saml1.core.impl.SubjectLocalityMarshaller
2132: 2 80 org.opensaml.saml1.core.impl.AssertionMarshaller
2133: 2 80 org.opensaml.saml1.core.impl.NameIdentifierMarshaller
2134: 2 80 org.opensaml.xacml.ctx.impl.StatusTypeMarshaller
2135: 2 80 org.opensaml.xacml.ctx.impl.MissingAttributeDetailTypeMarshaller
2136: 2 80 org.opensaml.saml1.core.impl.AttributeMarshaller
2137: 2 80 org.opensaml.xacml.policy.impl.SubjectMatchTypeMarshaller
2138: 2 80 org.opensaml.xacml.policy.impl.ObligationTypeMarshaller
2139: 1 80 java.net.SocketPermission
2140: 1 80 sun.org.mozilla.javascript.internal.NativeJavaTopPackage
2141: 2 80 org.opensaml.xacml.ctx.impl.AttributeTypeMarshaller
2142: 2 80 org.opensaml.xacml.policy.impl.SubjectsTypeMarshaller
2143: 2 80 org.opensaml.xacml.policy.impl.EnvironmentTypeMarshaller
2144: 2 80 java.security.cert.CertificateFactory
2145: 1 72 sun.util.logging.resources.logging
2146: 1 72 org.apache.log4j.spi.RootLogger
2147: 3 72 com.tc.handler.CallbackDumpAdapter
2148: 1 72 com.tc.management.beans.L1Dumper
2149: 3 72 org.apache.xerces.impl.dv.dtd.ListDatatypeValidator
2150: 3 72 com.tc.object.applicator.ListApplicator
2151: 1 72 org.apache.catalina.deploy.FilterDef
2152: 1 72 org.terracotta.modules.tomcat.tomcat_5_5.TerracottaPipeline
2153: 1 72
edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeySignatureTru
stEngineFactoryBean
2154: 1 72
edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService$AddEntry
Event
2155: 1 72 com.tc.object.config.schema.NewDSOApplicationConfigObject$1
2156: 3 72 org.apache.commons.httpclient.HttpVersion
2157: 1 72 org.apache.tomcat.util.modeler.Registry
2158: 3 72 org.apache.catalina.util.URLEncoder
2159: 1 72 edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyGroup
2160: 1 72
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.Comput
edIDDataConnector
2161: 1 72
edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeyTrustEngineF
actoryBean
2162: 1 72 org.apache.catalina.valves.ErrorReportValve
2163: 3 72 com.tc.object.config.Root$DsoFinal
2164: 1 72 org.opensaml.saml1.binding.encoding.HTTPPostEncoder
2165: 1 72 sun.org.mozilla.javascript.internal.NativeMath
2166: 1 72 org.apache.xerces.impl.xpath.regex.RegularExpression$Context
2167: 1 72 com.tc.util.ProductInfoBundle
2168: 1 72 sun.text.resources.FormatData_en
2169: 1 72 com.tc.net.protocol.transport.HealthCheckerSocketConnectImpl
2170: 1 72 org.opensaml.saml1.binding.encoding.HTTPArtifactEncoder
2171: 3 72 org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule
2172: 3 72 com.tc.runtime.cache.CacheMemoryEventType
2173: 1 72 org.opensaml.saml2.binding.encoding.HTTPPostEncoder
2174: 3 72 java.nio.charset.CodingErrorAction
2175: 1 72 sun.text.resources.FormatData_en_US
2176: 1 72 org.apache.velocity.VelocityContext
2177: 1 72 com.tc.config.schema.L2ConfigForL1Object
2178: 1 72 com.tc.net.protocol.transport.HealthCheckerConfigClientImpl
2179: 1 72 org.opensaml.util.storage.ExpiringObjectStorageServiceSweeper
2180: 3 72 com.tc.aspectwerkz.expression.SubtypePatternType
2181: 3 72 org.apache.catalina.realm.RealmBase$AllRolesMode
2182: 3 72 org.apache.commons.lang.builder.HashCodeBuilder
2183: 1 72 com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl
2184: 1 72 com.tc.runtime.TCMemoryManagerImpl
2185: 1 72 sun.text.resources.FormatData
2186: 1 72
edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXSignatureTrustEngi
neFactoryBean
2187: 3 72 com.tc.object.tx.TxnType
2188: 1 72
edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXX509CredentialTru
stEngineFactoryBean
2189: 1 72 edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl
2190: 1 72 org.apache.catalina.startup.ContextConfig
2191: 1 72 com.tc.statistics.buffer.memory.MemoryStatisticsBufferImpl
2192: 1 72 com.tc.management.remote.protocol.terracotta.TunnelingEventHandler
2193: 3 72 org.eclipse.jdt.internal.compiler.lookup.VariableBinding[]
2194: 1 72 com.tc.config.schema.L2ConfigForL1Object$1
2195: 3 72 org.knopflerfish.framework.ServiceReferenceImpl
2196: 1 72 sun.nio.ch.DevPollArrayWrapper
2197: 3 72 sun.org.mozilla.javascript.internal.UniqueTag
2198: 1 72 com.sun.script.javascript.JavaAdapter
2199: 3 72 org.apache.xerces.impl.dtd.DTDGrammar$QNameHashtable
2200: 1 72 com.tc.object.config.schema.NewDSOApplicationConfigObject$3
2201: 1 72 org.apache.catalina.core.StandardEngineValve
2202: 1 72 org.springframework.ui.velocity.VelocityEngineFactoryBean
2203: 1 72 com.tc.statistics.StatisticsAgentSubSystemImpl
2204: 3 72 java.lang.InheritableThreadLocal
2205: 3 72 com.tc.net.protocol.tcm.AbstractMessageChannel$ChannelState
2206: 1 72 org.apache.catalina.core.StandardHostValve
2207: 1 72 sun.org.mozilla.javascript.internal.NativeObject
2208: 2 72 com.sun.jmx.mbeanserver.ClassLoaderRepositorySupport$LoaderEntry[]
2209: 3 72 org.mozilla.javascript.UniqueTag
2210: 1 72 org.apache.catalina.core.ApplicationContext
2211: 3 72 java.text.AttributedCharacterIterator$Attribute
2212: 1 72 org.apache.log4j.helpers.PatternParser
2213: 1 72 sun.org.mozilla.javascript.internal.ObjArray
2214: 1 72 org.apache.log4j.Hierarchy
2215: 3 72 sun.text.normalizer.NormalizerBase$QuickCheckResult
2216: 1 72 sun.misc.Cleaner
2217: 1 72 sun.security.rsa.RSAPublicKeyImpl
2218: 1 72 org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
2219: 1 72 org.eclipse.jdt.internal.compiler.lookup.ProblemPackageBinding
2220: 1 72 com.tc.object.config.schema.NewDSOApplicationConfigObject$2
2221: 1 72 org.eclipse.jdt.internal.compiler.ast.IntLiteral
2222: 1 64 sun.nio.cs.StandardCharsets$Aliases
2223: 1 64 com.sun.jndi.toolkit.dir.HierMemDirCtx
2224: 1 64 com.tc.object.ClientConfigurationContext
2225: 2 64 com.tc.statistics.StatisticsSystemType
2226: 2 64 java.util.concurrent.atomic.AtomicBoolean
2227: 1 64 com.tc.object.config.schema.StandardDSOInstrumentationLoggingOptions
2228: 2 64 org.apache.velocity.runtime.directive.Parse
2229: 1 64 java.util.UUID
2230: 1 64 com.tc.management.lock.stats.ClientLockStatisticsManagerImpl
2231: 2 64 com.tc.object.bytecode.AQSSubclassStrongReferenceAdapter
2232: 2 64 com.tc.object.config.TimCapability
2233: 2 64 org.apache.xerces.impl.xpath.regex.Token$UnionToken
2234: 2 64 sun.security.pkcs11.SessionManager$Pool
2235: 2 64 sun.security.validator.EndEntityChecker
2236: 4 64 org.opensaml.saml2.common.impl.ExtensionsBuilder
2237: 1 64 org.apache.xmlbeans.impl.store.CharUtil$CharIterator
2238: 1 64 java.util.ResourceBundle$1
2239: 1 64 org.apache.catalina.mbeans.ConnectorMBean
2240: 2 64 org.apache.velocity.util.introspection.UberspectImpl
2241: 1 64 sun.nio.ch.ServerSocketAdaptor
2242: 1 64 com.sun.jmx.mbeanserver.JmxMBeanServer
2243: 2 64 org.mozilla.javascript.NativeWith
2244: 1 64 org.eclipse.jdt.internal.compiler.codegen.ExceptionLabel[]
2245: 1 64 edu.internet2.middleware.shibboleth.common.util.StringResourceLoader
2246: 2 64 org.joda.time.field.ZeroIsMaxDateTimeField
2247: 1 64 org.opensaml.saml2.binding.decoding.HTTPPostDecoder
2248: 1 64 sun.misc.SoftCache
2249: 2 64 com.tc.net.protocol.transport.ConnectionID
2250: 2 64 net.sourceforge.yamlbeans.parser.DocumentEndEvent
2251: 2 64 org.apache.velocity.runtime.resource.ResourceCacheImpl
2252: 1 64 com.tc.config.schema.dynamic.IntXPathBasedConfigItem
2253: 2 64 com.tc.net.protocol.tcm.TCMessageRouterImpl
2254: 1 64 sun.security.jca.ServiceId[]
2255: 1 64 com.tc.object.appevent.NonPortableEventContext
2256: 1 64 org.apache.tomcat.util.log.SystemLogHandler
2257: 2 64 javax.management.remote.TargetedNotification
2258: 2 64 org.opensaml.xml.security.trust.ChainingTrustEngine
2259: 2 64 javax.security.auth.login.LoginContext$ModuleInfo
2260: 1 64 com.tc.management.exposed.TerracottaCluster
2261: 2 64 org.opensaml.xml.signature.impl.ChainingSignatureTrustEngine
2262: 2 64 org.apache.commons.httpclient.params.HttpClientParams
2263: 2 64 com.sun.phobos.script.javascript.RhinoScriptEngine$1
2264: 1 64 org.eclipse.jdt.internal.compiler.lookup.FieldBinding
2265: 1 64 sun.nio.cs.StandardCharsets$Classes
2266: 1 64 com.tc.object.loaders.StandardClassProvider
2267: 2 64 javax.security.auth.login.LoginContext$ModuleInfo[]
2268: 2 64 com.sun.jmx.mbeanserver.WeakIdentityHashMap
2269: 2 64 javax.security.auth.login.LoginContext$4
2270: 4 64 ch.qos.logback.classic.pattern.EnsureExceptionHandling
2271: 1 64 com.tc.statistics.logging.impl.StatisticsLoggerImpl$LogActionDataTask
2272: 1 64 sun.security.pkcs11.SessionManager
2273: 2 64 java.net.InetAddress$Cache
2274: 2 64 org.opensaml.xml.security.x509.PKIXValidationOptions
2275: 2 64 java.util.concurrent.CopyOnWriteArraySet
2276: 1 64 com.tc.net.protocol.transport.WireProtocolAdaptorImpl
2277: 1 64 org.apache.xmlbeans.impl.schema.BuiltinSchemaTypeSystem
2278: 2 64 java.util.Hashtable$KeySet
2279: 2 64 com.sun.phobos.script.javascript.RhinoCompiledScript
2280: 2 64 org.apache.velocity.runtime.directive.Macro
2281: 1 64 org.apache.log4j.helpers.CountingQuietWriter
2282: 1 64 ch.qos.logback.core.BasicStatusManager
2283: 4 64 org.opensaml.xacml.policy.impl.IdReferenceTypeImplBuilder
2284: 1 64 org.apache.coyote.RequestGroupInfo
2285: 2 64 java.net.InetAddress$Cache$Type
2286: 1 64 sun.nio.cs.StandardCharsets$Cache
2287: 2 64 sun.awt.MostRecentKeyValue
2288: 2 64 sun.security.jca.ProviderList$3
2289: 2 64 org.apache.jasper.compiler.ErrorDispatcher
2290: 1 64 org.eclipse.jdt.internal.compiler.codegen.BranchLabel[]
2291: 2 64 java.util.Currency
2292: 1 64
com.tc.object.tx.RemoteTransactionManagerImpl$RemoteTransactionManagerTimerTask
2293: 1 64
edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler
2294: 2 64 com.tc.logging.ConnectionIdLogger
2295: 2 64 javax.security.auth.login.LoginContext$SecureCallbackHandler
2296: 1 64 org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine
2297: 2 64 java.security.AllPermissionCollection
2298: 1 64 org.opensaml.saml2.binding.decoding.HTTPPostSimpleSignDecoder
2299: 1 64 org.apache.xml.serializer.CharInfo
2300: 2 64 org.apache.commons.httpclient.params.HostParams
2884: 1 40 org.opensaml.ws.wssecurity.impl.SaltMarshaller
2885: 1 40 org.opensaml.xml.encryption.impl.EncryptedDataMarshaller
2886: 1 40 org.opensaml.saml2.core.impl.IssuerMarshaller
2887: 1 40 org.apache.velocity.runtime.resource.util.StringResource
2888: 1 40 edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService
2889: 1 40 org.apache.xml.security.c14n.implementations.SymbMap
2890: 1 40 com.tc.statistics.config.impl.StatisticsConfigImpl
2891: 1 40 com.tc.object.RemoteObjectManagerImpl$DNALRU
2892: 1 40 org.opensaml.saml2.metadata.impl.EncryptionMethodMarshaller
2893: 1 40 org.opensaml.ws.soap.soap11.impl.FaultMarshaller
2894: 1 40 org.opensaml.ws.wssecurity.impl.BinarySecurityTokenMarshaller
2895: 1 40 org.opensaml.xml.encryption.impl.AgreementMethodMarshaller
2896: 1 40
com.tc.statistics.retrieval.actions.SRAVmGarbageCollector$SRAVmGarbageCollectorType[]
2897: 1 40 org.opensaml.saml2.core.impl.AudienceMarshaller
2898: 1 40 org.opensaml.saml2.core.impl.AuthnContextDeclRefMarshaller
2899: 1 40 org.opensaml.saml2.metadata.impl.NameIDFormatMarshaller
2900: 1 40 org.opensaml.saml2.core.impl.SessionIndexMarshaller
2901: 1 40 org.opensaml.xml.security.trust.ExplicitKeyTrustEngine
2902: 1 40 com.tc.object.handler.LockStatisticsEnableDisableHandler
2903: 1 40 org.opensaml.saml2.metadata.impl.EmailAddressMarshaller
2904: 1 40 com.tc.object.lockmanager.impl.RemoteLockManagerImpl
2905: 1 40 org.opensaml.ws.wssecurity.impl.SecurityTokenReferenceMarshaller
2906: 1 40 org.opensaml.ws.wssecurity.impl.TransformationParametersMarshaller
2907: 1 40 org.opensaml.saml2.metadata.impl.ArtifactResolutionServiceMarshaller
2908: 1 40 org.opensaml.ws.wssecurity.impl.KeyIdentifierMarshaller
2909: 1 40 org.opensaml.ws.wsaddressing.impl.MetadataMarshaller
2910: 1 40 com.sun.net.ssl.internal.ssl.EphemeralKeyManager$EphemeralKeyPair[]
2911: 1 40 org.opensaml.saml1.core.impl.AssertionIDReferenceMarshaller
2912: 1 40 org.opensaml.saml2.core.impl.GetCompleteMarshaller
2913: 1 40 javax.net.ssl.SSLContext
2914: 1 40 org.opensaml.xml.encryption.impl.EncryptionMethodMarshaller
2915: 1 40 org.opensaml.xml.encryption.impl.CipherDataMarshaller
2916: 1 40 org.knopflerfish.framework.Services
2917: 1 40 org.opensaml.xml.encryption.impl.EncryptedKeyMarshaller
2918: 1 32 com.tc.stats.counter.CounterManagerImpl
2919: 1 32 com.tc.object.tx.ClientTransactionManagerImpl$3
2920: 2 32 org.opensaml.saml2.core.impl.NameIDMappingResponseBuilder
2921: 2 32 com.tc.object.config.Root$Type
2922: 1 32 com.tc.object.LiteralValues$5
2923: 1 32 EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap$KeySet
2924: 2 32 org.opensaml.saml2.core.impl.OneTimeUseBuilder
2925: 2 32 org.opensaml.xacml.policy.impl.PolicyTypeImplBuilder
2926: 1 32 com.tc.backport175.bytecode.AnnotationElement$Annotation
2927: 1 32 org.apache.catalina.startup.SecurityRoleRefCreateRule
2928: 1 32 com.tc.net.protocol.tcm.AbstractMessageChannel$ChannelStatus
2929: 2 32 org.opensaml.xacml.policy.impl.ResourceTypeImplBuilder
2930: 1 32 com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateRequest
2931: 2 32 org.opensaml.xacml.policy.impl.FunctionTypeImplBuilder
2932: 1 32 com.tcclient.util.DSOUnsafe
2933: 1 32 com.tc.net.protocol.transport.DefaultConnectionIdFactory
2934: 1 32 java.util.Collections$EmptyList
2935: 2 32 org.bouncycastle.asn1.x9.X9IntegerConverter
2936: 2 32 org.opensaml.xacml.ctx.impl.ResultTypeImplBuilder
2937: 1 32 com.sun.net.ssl.internal.ssl.SupportedEllipticCurvesExtension
2938: 1 32 sun.reflect.UnsafeObjectFieldAccessorImpl
2939: 2 32 org.opensaml.saml2.core.impl.ScopingBuilder
2940: 1 32 com.sun.net.ssl.internal.ssl.ECDHCrypt
2941: 1 32 com.tc.object.lockmanager.impl.ThreadLockManagerImpl
2942: 1 32 com.tc.management.remote.protocol.terracotta.TunnelingMessageConnectionServer
2943: 2 32 org.opensaml.saml1.core.impl.AdviceBuilder
2944: 1 32 org.knopflerfish.framework.BundleURLStreamHandler
2945: 1 32 org.apache.catalina.startup.SetContextPropertiesRule
2946: 1 32 org.bouncycastle.jce.provider.PKCS12BagAttributeCarrierImpl
2947: 2 32 org.opensaml.saml2.core.impl.AttributeBuilder
2948: 1 32 org.terracotta.modules.tomcat.common.adapters.JspWriterImplAdapter
2949: 1 32 com.tc.object.tx.LockAccounting
2950: 1 32 sun.security.action.GetPropertyAction
2951: 1 32
org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl$SchemaTypeLoaderCache
2952: 2 32 org.opensaml.xacml.policy.impl.SubjectTypeImplBuilder
2953: 1 32 javax.naming.directory.BasicAttributes
2954: 1 32 org.springframework.web.context.ContextLoader
2955: 2 32 org.opensaml.saml1.core.impl.StatusBuilder
2956: 1 32 org.joda.time.chrono.GJEraDateTimeField
2957: 2 32 org.opensaml.saml2.metadata.impl.AttributeAuthorityDescriptorBuilder
2958: 2 32 org.opensaml.saml2.core.impl.ManageNameIDResponseBuilder
2959: 2 32 org.opensaml.xacml.policy.impl.CombinerParametersTypeImplBuilder
2960: 2 32 org.opensaml.saml2.metadata.impl.AuthnAuthorityDescriptorBuilder
2961: 2 32 org.opensaml.saml2.core.impl.LogoutRequestBuilder
2962: 1 32 java.security.Policy$UnsupportedEmptyCollection
2963: 2 32 org.opensaml.saml1.core.impl.AttributeBuilder
2964: 1 32 org.apache.catalina.startup.SetAuthConstraintRule
2965: 1 32 org.apache.commons.httpclient.params.HttpConnectionParams
2966: 1 32 org.apache.commons.logging.impl.SLF4JLogFactory
2967: 1 32 org.apache.catalina.Service[]
2968: 2 32 org.opensaml.xacml.policy.impl.ResourceMatchTypeImplBuilder
2969: 1 32 com.tc.config.schema.repository.StandardApplicationsRepository
2970: 2 32 org.opensaml.xacml.ctx.impl.DecisionTypeImplBuilder
2971: 2 32 org.opensaml.saml2.core.impl.AuthnRequestBuilder
2972: 1 32 com.tc.net.protocol.transport.MessageTransportStatus
2973: 2 32 org.opensaml.xacml.ctx.impl.StatusCodeTypeImplBuilder
2974: 2 32 org.opensaml.saml2.core.impl.SubjectConfirmationBuilder
2975: 2 32 org.opensaml.saml2.core.impl.StatusDetailBuilder
2976: 1 32 com.tc.object.LiteralValues$11
2977: 1 32 org.apache.log4j.helpers.FormattingInfo
2978: 1 32 org.joda.time.format.DateTimeFormatterBuilder$UnpaddedNumber
2979: 1 32
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordCredential
2980: 2 32 org.opensaml.xacml.ctx.impl.ResourceTypeImplBuilder
2981: 1 32 sun.org.mozilla.javascript.internal.NativeWith
2982: 2 32 org.opensaml.saml2.core.impl.AudienceRestrictionBuilder
2983: 2 32 org.opensaml.xacml.policy.impl.RuleTypeImplBuilder
2984: 2 32 org.opensaml.saml2.core.impl.NameIDBuilder
2985: 2 32 org.opensaml.xacml.ctx.impl.ResourceContentTypeImplBuilder
2986: 2 32 org.opensaml.saml1.core.impl.ActionBuilder
2987: 1 32 org.apache.catalina.startup.IgnoreAnnotationsRule
2988: 1 32 com.sun.management.UnixOperatingSystem
2989: 1 32 com.tc.object.logging.InstrumentationLoggerImpl
2990: 2 32 org.opensaml.saml1.core.impl.AuthorizationDecisionQueryBuilder
2991: 1 32 sun.security.pkcs11.wrapper.PKCS11
2992: 1 32 com.tc.object.LiteralValues$7
2993: 2 32 org.opensaml.xacml.ctx.impl.ActionTypeImplBuilder
2994: 1 32 sun.net.www.protocol.http.Handler
2995: 1 32 javax.management.ObjectInstance
2996: 1 32 org.terracotta.modules.GUIModelsConfiguration
2997: 1 32 org.apache.catalina.security.SecurityConfig
2998: 2 32 org.opensaml.saml2.metadata.impl.AffiliationDescriptorBuilder
2999: 1 32 sun.nio.ch.NativeThreadSet
3000: 2 32 org.opensaml.xacml.policy.impl.ResourcesTypeImplBuilder
3001: 2 32 org.opensaml.xacml.ctx.impl.StatusTypeImplBuilder
3002: 2 32 org.opensaml.saml1.core.impl.SubjectLocalityBuilder
3003: 2 32 org.opensaml.saml1.core.impl.AssertionBuilder
3004: 1 32 com.tc.license.Capabilities
3005: 2 32 org.opensaml.saml2.metadata.impl.EntityDescriptorBuilder
3006: 1 32 com.sun.script.javascript.RhinoScriptEngine$2
3007: 1 32 org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory
3008: 1 32 org.terracotta.modules.test.TestModuleCommonConfigurator
3009: 2 32 org.apache.xerces.impl.dv.dtd.ENTITYDatatypeValidator
3010: 1 32 com.tc.aspectwerkz.reflect.impl.java.JavaClassInfoRepository
3011: 2 32 org.opensaml.saml2.metadata.impl.AdditionalMetadataLocationBuilder
3012: 2 32 org.opensaml.saml2.core.impl.AuthzDecisionStatementBuilder
3013: 1 32 $Proxy0
3014: 1 32 org.apache.xerces.impl.xs.util.ShortListImpl
3015: 1 32 edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean
3016: 1 32 javax.net.ssl.KeyManager[]
3017: 1 32 sun.security.provider.NativeSeedGenerator
3018: 2 32 org.opensaml.saml2.core.impl.ActionBuilder
3019: 1 32 org.apache.xerces.impl.Constants$ArrayEnumeration
3020: 1 32 org.springframework.web.context.support.ServletContextResourcePatternResolver
3021: 1 32 org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver
3022: 2 32 org.apache.el.ExpressionFactoryImpl
3023: 1 32 org.apache.velocity.runtime.resource.util.StringResourceRepositoryImpl
3024: 2 32 org.opensaml.xacml.policy.impl.ObligationsTypeImplBuilder
3025: 1 32 org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver
3026: 2 32 org.opensaml.xml.encryption.validator.ReferenceTypeSchemaValidator
3027: 2 32 org.opensaml.xacml.ctx.impl.EnvironmentTypeImplBuilder
3028: 1 32 org.apache.catalina.connector.CoyoteAdapter
3029: 1 32 com.tc.object.LiteralValues$2
3030: 1 32 com.tc.object.lockmanager.impl.TCLockTimerImpl
3031: 1 32 org.apache.catalina.startup.WrapperCreateRule
3032: 1 32 com.tc.object.handler.LockStatisticsResponseHandler
3033: 1 32 ch.qos.logback.core.pattern.FormatInfo
3034: 2 32 org.opensaml.xacml.policy.impl.VariableDefinitionTypeImplBuilder
3035: 2 32 org.mozilla.javascript.NativeGlobal
3036: 1 32 org.knopflerfish.framework.Bundles
3037: 2 32 org.opensaml.saml2.core.impl.NameIDPolicyBuilder
3038: 2 32 sun.security.provider.X509Factory
3039: 1 32 sun.nio.ch.FileChannelImpl$SharedFileLockTable
3040: 1 32 com.tc.object.idprovider.impl.ObjectIDClientHandshakeRequester
3041: 2 32 sun.nio.ch.SocketDispatcher
3042: 1 32 com.sun.jmx.remote.opt.security.SubjectDelegator
3043: 2 32 org.opensaml.saml2.core.impl.SubjectLocalityBuilder
3044: 1 32 org.apache.commons.httpclient.params.HttpConnectionManagerParams
3045: 2 32 org.opensaml.saml2.metadata.impl.AttributeConsumingServiceBuilder
3046: 1 32 com.tc.net.protocol.delivery.SendStateMachine$HandshakeWaitState
3047: 2 32 org.opensaml.xml.schema.impl.XSAnyBuilder
3048: 1 32 org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver
3049: 1 32 org.apache.tomcat.util.http.mapper.Mapper$ContextList
3050: 1 32 com.tc.object.ClientObjectManagerImpl$1
3051: 1 32 java.nio.DirectByteBuffer$Deallocator
3052: 2 32 org.opensaml.saml2.core.impl.AuthnContextBuilder
3053: 2 32 org.opensaml.saml1.core.impl.AttributeQueryBuilder
3054: 2 32 org.opensaml.xacml.policy.impl.RuleCombinerParametersTypeImplBuilder
3055: 2 32 org.opensaml.xacml.policy.impl.EnvironmentsTypeImplBuilder
3056: 2 32 org.opensaml.saml2.core.impl.AssertionBuilder
3057: 2 32 org.opensaml.saml2.core.impl.IDPEntryBuilder
3058: 1 32 com.tc.config.schema.dynamic.ObjectArrayConfigItem[]
3059: 2 32 org.opensaml.saml1.core.impl.AudienceRestrictionConditionBuilder
3060: 1 32 com.tc.exception.ExceptionHelperImpl
3061: 2 32 org.opensaml.xacml.policy.impl.ActionsTypeImplBuilder
3062: 1 32 com.tc.object.LiteralValues$10
3063: 2 32 org.opensaml.saml2.metadata.impl.PDPDescriptorBuilder
3064: 1 32 org.opensaml.xml.io.MarshallerFactory
3065: 2 32 org.opensaml.saml2.metadata.impl.RequestedAttributeBuilder
3066: 2 32 org.opensaml.saml1.core.impl.NameIdentifierBuilder
3067: 1 32 com.tc.net.protocol.tcm.HydrateHandler
3068: 2 32 org.opensaml.xacml.policy.impl.AttributeAssignmentTypeImplBuilder
3069: 1 32 sun.security.pkcs11.TemplateManager
3070: 2 32 org.opensaml.saml2.core.impl.AuthnQueryBuilder
3071: 2 32 org.opensaml.common.impl.SecureRandomIdentifierGenerator
3072: 1 32 org.apache.commons.logging.impl.WeakHashtable$Referenced
3073: 2 32 org.opensaml.saml1.core.impl.AuthenticationStatementBuilder
3074: 1 32 javax.crypto.SunJCE_d
3075: 1 32 edu.vt.middleware.ldap.PoolableLdapFactory
3076: 2 32 org.opensaml.saml1.core.impl.AttributeStatementBuilder
3077: 2 32 org.opensaml.saml1.core.impl.DoNotCacheConditionBuilder
3078: 2 32 org.opensaml.saml2.core.impl.AuthzDecisionQueryBuilder
3079: 2 32 org.opensaml.xacml.policy.impl.ApplyTypeImplBuilder
3080: 2 32 org.opensaml.saml2.core.impl.ConditionsBuilder
3081: 1 32 org.apache.tomcat.util.http.mapper.Mapper$Context[]
3082: 2 32 org.opensaml.xacml.ctx.impl.RequestTypeImplBuilder
3083: 1 32
com.tc.statistics.retrieval.actions.SRAVmGarbageCollector$SRAVmGarbageCollectorType$2
3084: 1 32 com.tc.net.protocol.delivery.SendStateMachine$MessageWaitState
3085: 2 32 org.opensaml.saml2.metadata.impl.EntitiesDescriptorBuilder
3086: 2 32 org.opensaml.saml1.core.impl.AuthorityBindingBuilder
3087: 2 32 org.opensaml.xacml.ctx.impl.AttributeTypeImplBuilder
3088: 1 32 org.knopflerfish.framework.bundlestorage.memory.BundleStorageImpl
3089: 1 32 org.terracotta.modules.Jdk15PreInstrumentedConfiguration
3090: 1 32 sun.management.CompilationImpl
3091: 2 32 org.opensaml.saml2.core.impl.ManageNameIDRequestBuilder
3092: 2 32 org.opensaml.saml2.core.impl.AuthnStatementBuilder
3093: 1 32 com.tc.net.protocol.tcm.HydrateContext
3094: 1 32 org.terracotta.modules.StandardConfiguration
3095: 2 32 org.opensaml.saml2.core.impl.ArtifactResolveBuilder
3096: 2 32 org.opensaml.saml2.core.impl.IDPListBuilder
3097: 2 32 org.opensaml.saml2.core.impl.SubjectBuilder
3098: 1 32 java.net.Proxy
3099: 1 32 com.tc.object.LiteralValues$14
3100: 1 32 com.tc.object.DistributedObjectClient$2
3101: 1 32 org.joda.time.convert.ConverterSet$Entry
3102: 2 32 com.tc.net.protocol.transport.TransportMessageFactoryImpl
3103: 2 32 org.apache.jasper.compiler.DefaultErrorHandler
3104: 2 32 org.opensaml.saml2.core.impl.AttributeQueryBuilder
3105: 1 32 sun.security.pkcs11.P11RSAKeyFactory
3106: 2 32 org.apache.xerces.impl.dv.xs.QNameDV
3107: 2 32 org.opensaml.saml1.core.impl.EvidenceBuilder
3108: 1 32 org.bouncycastle.util.encoders.HexEncoder
3109: 2 32 org.opensaml.saml1.core.impl.SubjectConfirmationBuilder
3110: 1 32 sun.org.mozilla.javascript.internal.DefaultErrorReporter
3111: 2 32 org.opensaml.saml2.metadata.impl.KeyDescriptorBuilder
3112: 1 32 org.apache.catalina.deploy.FilterMap[]
3113: 1 32 com.tc.object.LiteralValues$9
3114: 2 32 org.opensaml.saml2.core.impl.ArtifactResponseBuilder
3115: 2 32 org.opensaml.xacml.ctx.impl.ResponseTypeImplBuilder
3116: 2 32 org.opensaml.saml2.core.impl.StatusBuilder
3117: 2 32 org.opensaml.saml1.core.impl.StatusCodeBuilder
3118: 1 32 com.tc.object.session.SessionManagerImpl
3119: 1 32 org.opensaml.xml.util.IndexingObjectStore
3120: 2 32 org.opensaml.xacml.policy.impl.PolicyCombinerParametersTypeImplBuilder
3121: 2 32 org.opensaml.xacml.policy.impl.SubjectMatchTypeImplBuilder
3122: 2 32 org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder
3123: 2 32 org.opensaml.xacml.policy.impl.AttributeSelectorTypeImplBuilder
3124: 1 32 org.mozilla.javascript.DefaultErrorReporter
3125: 1 32
com.tc.statistics.retrieval.actions.SRAVmGarbageCollector$SRAVmGarbageCollectorType$1
3126: 2 32 java.lang.Shutdown$Lock
3127: 2 32 org.opensaml.xacml.policy.impl.SubjectsTypeImplBuilder
3128: 1 32 org.terracotta.modules.session.SessionsConfigurator
3129: 2 32 org.opensaml.xacml.policy.impl.PolicySetTypeImplBuilder
3130: 1 32 com.tc.license.util.LicenseDescriptor
3131: 1 32 java.math.MutableBigInteger
3132: 1 32
com.tc.object.bytecode.hook.impl.DefaultWeavingStrategy$AnnotationByteCodeProvider
3133: 2 32 org.opensaml.xacml.policy.impl.ConditionTypeImplBuilder
3134: 1 32 com.tc.object.tx.TransactionBatchWriter$FoldingConfig
3135: 2 32 org.opensaml.xacml.policy.impl.AttributeValueTypeImplBuilder
3136: 1 32 com.tc.net.protocol.delivery.ReceiveStateMachine$MessageWaitState
3137: 1 32 edu.internet2.middleware.shibboleth.idp.profile.StatusProfileHandler
3138: 1 32 org.springframework.core.Constants
3139: 1 32 com.tc.object.LiteralValues$4
3140: 1 32 com.tc.object.LiteralValues$13
3141: 1 32 org.apache.catalina.startup.SoapHeaderRule
3142: 1 32 sun.management.ThreadImpl
3143: 1 32 org.springframework.web.context.support.ServletContextAwareProcessor
3144: 2 32 org.opensaml.saml1.core.impl.AuthenticationQueryBuilder
3145: 1 32 com.tc.object.TCObjectFactoryImpl
3146: 1 32 edu.vt.middleware.ldap.jaas.LdapCredential
3147: 2 32 org.opensaml.xacml.policy.impl.TargetTypeImplBuilder
3148: 1 32 com.tc.object.LiteralValues$3
3149: 2 32 org.opensaml.saml2.core.impl.EvidenceBuilder
3150: 1 32 org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory$BasicOptions
3151: 1 32 org.apache.xmlbeans.StringEnumAbstractBase$Table
3152: 2 32 org.opensaml.xacml.policy.impl.DescriptionTypeImplBuilder
3153: 2 32 org.opensaml.saml2.core.impl.AttributeStatementBuilder
3154: 2 32 org.opensaml.saml2.core.impl.AdviceBuilder
3155: 1 32 com.tc.object.tx.ClientTransactionManagerImpl$1
3156: 1 32 org.terracotta.modules.ExcludesConfiguration
3157: 2 32 org.opensaml.saml2.core.impl.AssertionIDRequestBuilder
3158: 2 32 org.opensaml.xacml.policy.impl.ActionMatchTypeImplBuilder
3159: 1 32 org.opensaml.xml.XMLObjectBuilderFactory
3160: 2 32 org.opensaml.saml1.core.impl.ConditionsBuilder
3161: 2 32 org.opensaml.saml2.core.impl.ProxyRestrictionBuilder
3162: 2 32 org.opensaml.saml1.core.impl.AuthorizationDecisionStatementBuilder
3163: 2 32 sun.net.www.protocol.file.Handler
3164: 2 32 org.opensaml.xacml.ctx.impl.AttributeValueTypeImplBuilder
3165: 2 32 org.opensaml.xacml.ctx.impl.StatusDetailTypeImplBuilder
3166: 2 32 org.opensaml.xacml.policy.impl.PolicySetCombinerParametersTypeImplBuilder
3167: 1 32
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.Templat
eEngine
3168: 2 32 org.opensaml.saml1.core.impl.AttributeDesignatorBuilder
3169: 2 32 org.opensaml.xacml.policy.impl.ObligationTypeImplBuilder
3170: 2 32 org.opensaml.saml2.metadata.impl.SPSSODescriptorBuilder
3171: 1 32 org.apache.tomcat.util.IntrospectionUtils$PropertySource[]
3172: 1 32 com.tc.object.config.StandardDSOClientConfigHelperImpl$ModulesContext
3173: 2 32 org.opensaml.saml1.core.impl.SubjectBuilder
3174: 1 32 com.tc.object.LiteralValues$8
3175: 2 32 org.opensaml.xml.encryption.validator.EncryptedTypeSchemaValidator
3176: 1 32 com.tc.object.LiteralValues$6
3177: 1 32 org.apache.xml.security.keys.keyresolver.implementations.DSAKeyValueResolver
3178: 2 32 org.opensaml.saml2.metadata.impl.IDPSSODescriptorBuilder
3179: 2 32 org.opensaml.saml2.core.impl.TerminateBuilder
3180: 2 32 org.opensaml.xacml.ctx.impl.SubjectTypeImplBuilder
3181: 1 32 com.sun.script.javascript.RhinoCompiledScript
3182: 1 32 com.tc.net.core.SocketParams
3183: 2 32 org.opensaml.saml2.core.impl.SubjectConfirmationDataBuilder
3184: 1 32 org.opensaml.xml.io.UnmarshallerFactory
3185: 1 32 org.apache.xml.security.keys.keyresolver.implementations.RetrievalMethodResolver
3186: 1 32 org.terracotta.modules.tomcat.common.adapters.ContainerBaseAdapter
3187: 2 32 org.opensaml.xacml.policy.impl.EnvironmentMatchTypeImplBuilder
3188: 1 32 java.net.Inet4AddressImpl
3189: 1 32 java.util.IdentityHashMap$EntrySet
3190: 1 32 com.tc.properties.TCSubProperties
3191: 1 32 org.apache.xml.security.keys.keyresolver.implementations.X509IssuerSerialResolver
3192: 1 32 org.apache.jasper.runtime.JspFactoryImpl
3193: 1 32 ch.qos.logback.classic.spi.TurboFilterList
3194: 1 32 javax.crypto.SunJCE_l
3195: 2 32 org.opensaml.saml2.metadata.impl.OrganizationBuilder
3196: 1 32 EDU.oswego.cs.dl.util.concurrent.SynchronizedInt
3197: 1 32 sun.net.ProgressMonitor
3198: 1 32 org.apache.catalina.startup.ServiceQnameRule
3199: 1 32 com.sun.jmx.remote.opt.internal.ArrayNotificationBuffer$ShareBuffer
3200: 1 32
org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver
3201: 1 32 org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl$1
3202: 2 32 org.opensaml.xml.signature.impl.SignatureBuilder
3203: 1 32 org.joda.time.chrono.ISOYearOfEraDateTimeField
3204: 1 32 com.tc.object.LiteralValues$1
3205: 2 32 org.opensaml.saml2.core.impl.NameIDMappingRequestBuilder
3206: 2 32 com.tc.statistics.util.NullStatsRecorder
3207: 1 32 javax.net.ssl.TrustManager[]
3208: 1 32 sun.nio.ch.FileKey
3209: 1 32 com.tc.object.lockmanager.impl.ClientLockManagerConfigImpl
3210: 1 32 edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet
3211: 2 32 org.opensaml.saml2.core.impl.LogoutResponseBuilder
3212: 2 32 org.opensaml.xacml.policy.impl.EnvironmentTypeImplBuilder
3213: 2 32 org.opensaml.xacml.policy.impl.VariableReferenceTypeImplBuilder
3214: 1 32 com.tc.net.protocol.delivery.SendStateMachine$AckWaitState
3215: 2 32 org.opensaml.saml2.metadata.impl.ContactPersonBuilder
3216: 2 32 org.opensaml.xacml.policy.impl.ActionTypeImplBuilder
3217: 1 32 org.apache.catalina.startup.SetDistributableRule
3218: 2 32 org.opensaml.saml2.core.impl.StatusCodeBuilder
3219: 1 32 sun.security.pkcs11.P11DSAKeyFactory
3220: 1 32 sun.management.RuntimeImpl
3221: 2 32 org.opensaml.xacml.policy.impl.CombinerParameterTypeImplBuilder
3222: 1 32 com.tc.object.LiteralValues$12
3223: 1 32 com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl
3224: 1 32 com.tc.net.GroupID[]
3225: 2 32 org.opensaml.xacml.ctx.impl.MissingAttributeDetailTypeImplBuilder
3226: 2 32 org.opensaml.saml2.core.validator.AuthnContextClassRefSchemaValidator
3227: 1 32 edu.internet2.middleware.shibboleth.common.profile.provider.JSPErrorHandler
3228: 1 32 com.sun.net.ssl.internal.ssl.SupportedEllipticPointFormatsExtension
3229: 1 24 com.tc.injection.InjectionInstrumentationRegistry
3230: 1 24 org.joda.time.field.UnsupportedDurationField
3231: 1 24 org.apache.xerces.dom.DeferredDocumentImpl$RefCount
3232: 1 24 org.opensaml.saml2.binding.artifact.SAML2ArtifactBuilderFactory
3233: 1 24 com.tc.net.core.TCConnection[]
3234: 1 24 java.util.regex.Pattern$CharPropertyNames$11
3235: 1 24 org.apache.xerces.impl.dv.xs.DateDV
3236: 1 24 com.sun.jmx.mbeanserver.DescriptorCache
3237: 1 24 java.util.regex.Pattern$CharPropertyNames$19
3238: 1 24 org.apache.xmlbeans.impl.store.CharUtil$1
3239: 1 24 java.lang.Float[]
3240: 1 24 java.util.regex.Pattern$CharPropertyNames$7
3241: 1 24 java.util.regex.Pattern$CharPropertyNames$15
3242: 1 24 org.apache.xerces.impl.dv.xs.DayTimeDurationDV
3243: 1 24 java.util.regex.Pattern$LastNode
3244: 1 24 com.tc.net.core.ConnectionAddressProvider
3245: 1 24 com.tc.jam.transform.ReflectClassBuilderAdapter
3246: 1 24 com.tc.object.idprovider.impl.ObjectIDProviderImpl
3247: 1 24 ch.qos.logback.classic.pattern.TargetLengthBasedClassNameAbbreviator
3248: 1 24 org.apache.xmlbeans.impl.store.Locale$DocProps
3249: 1 24 sun.text.normalizer.NormalizerBase$NFKCMode
3250: 1 24 com.tc.object.applicator.ConcurrentHashMapApplicator
3251: 1 24 org.apache.commons.httpclient.params.DefaultHttpParamsFactory
3252: 1 24 sun.text.normalizer.NormalizerBase$NFKDMode
3253: 1 24 org.apache.xerces.impl.dv.xs.DateTimeDV
3254: 1 24 org.apache.xerces.impl.dv.xs.DurationDV
3255: 1 24 com.tc.object.session.SessionID
3256: 1 24 org.terracotta.modules.UnsafeAdapter
3257: 1 24 sun.misc.FloatingDecimal$1
3258: 1 24 sun.management.ClassLoadingImpl
3259: 1 24 org.opensaml.saml1.binding.artifact.SAML1ArtifactType0002Builder
3260: 1 24 org.opensaml.xml.encryption.validator.KeySizeSchemaValidator
3261: 1 24 com.tc.object.ClientIDProviderImpl
3262: 1 24 com.tc.object.DistributedObjectClient$1
3263: 1 24 org.apache.xerces.impl.dv.xs.DayDV
3264: 1 24 org.apache.xml.security.utils.resolver.implementations.ResolverXPointer
3265: 1 24 org.apache.log4j.spi.DefaultRepositorySelector
3266: 1 24 org.apache.xmlbeans.impl.piccolo.xml.UnicodeLittleXMLDecoder
3267: 1 24 com.tc.statistics.retrieval.actions.SRAL1TransactionCount
3268: 1 24 com.tc.net.protocol.tcm.MessageChannelInternal[]
3269: 1 24 sun.nio.ch.ServerSocketChannelImpl$1
3270: 1 24 com.tc.object.ClientObjectManagerImpl$NewObjectTraverseTest
3271: 1 24 com.sun.net.ssl.internal.ssl.HandshakeInStream
3272: 1 24 org.apache.xmlbeans.impl.store.Locale$1
3273: 1 24 org.apache.log4j.or.RendererMap
3274: 1 24 java.text.DontCareFieldPosition$1
3275: 1 24 com.tc.statistics.StatisticData[]
3276: 1 24 com.tc.util.InitialClassDumper
3277: 1 24 java.util.regex.Pattern$CharPropertyNames$20
3278: 1 24 com.tc.statistics.retrieval.actions.SRAMessages
3279: 1 24 com.tc.config.schema.ConfigTCPropertiesFromObject
3280: 1 24 com.sun.jmx.remote.opt.internal.ArrayNotificationBuffer$BufferListener
3281: 1 24 java.text.FieldPosition[]
3282: 1 24 org.apache.xmlbeans.PrePostExtension[]
3283: 1 24 com.tc.bytes.TCByteBufferFactory$1
3284: 1 24 org.apache.xml.security.algorithms.SignatureAlgorithm$1
3285: 1 24 com.tc.util.runtime.ThreadIDMapJdk15
3286: 1 24 org.apache.jk.common.ChannelSocket$SocketAcceptor
3287: 1 24 org.apache.xmlbeans.impl.piccolo.xml.ASCIIXMLDecoder
3288: 1 24 sun.nio.ch.Util$1
3289: 1 24 sun.org.mozilla.javascript.internal.jdk13.VMBridge_jdk13
3290: 1 24 com.tc.backport175.Annotation[]
3291: 1 24 org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder
3292: 1 24 org.apache.xml.security.algorithms.SignatureAlgorithm$2
3293: 1 24 org.eclipse.jdt.internal.compiler.lookup.AnnotationBinding[]
3294: 1 24 org.apache.xml.security.utils.resolver.implementations.ResolverFragment
3295: 1 24 org.opensaml.saml1.binding.artifact.SAML1ArtifactType0001Builder
3296: 1 24 org.eclipse.jdt.internal.compiler.lookup.MethodBinding[]
3297: 1 24 com.tc.object.DistributedObjectClient$3
3298: 1 24 com.tc.object.bytecode.hook.impl.ClassProcessorHelper$State
3299: 1 24 com.tc.license.OpenSourceLicense
3300: 1 24 com.tc.object.bytecode.hook.impl.PreparedComponentsFromL2Connection
3301: 1 24
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDat
aConnector$LDAPValueEscapingStrategy
3302: 1 24 org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
3303: 1 24 com.tc.statistics.retrieval.actions.SRAVmGarbageCollector
3304: 1 24 org.apache.xerces.impl.xs.SubstitutionGroupHandler$OneSubGroup[]
3305: 1 24 org.apache.xmlbeans.impl.piccolo.xml.ISO8859_1XMLDecoder
3306: 1 24 com.tc.statistics.retrieval.actions.SRAL1TransactionsPerBatch
3307: 1 24 com.tc.statistics.retrieval.actions.SRACpu
3308: 1 24 java.security.Provider[]
3309: 1 24 org.apache.xmlbeans.SchemaProperty[]
3310: 1 24 java.text.MessageFormat$Field
3311: 1 24 org.apache.xml.security.transforms.implementations.TransformC14NExclusive
3312: 1 24 sun.util.calendar.Gregorian
3313: 1 24 java.util.regex.Pattern$CharPropertyNames$8
3314: 1 24 org.apache.catalina.deploy.SecurityConstraint[]
3315: 1 24 com.tc.net.protocol.delivery.OOOProtocolMessageParser
3316: 1 24 com.tc.object.bytecode.ManagerImpl$MethodDisplayNames
3317: 1 24 com.tc.logging.ClientIDLoggerProvider
3318: 1 24 com.tc.net.protocol.NullProtocolAdaptor
3319: 1 24 com.tc.object.ObjectRequestID
3320: 1 24 java.util.Collections$EmptySet
3321: 1 24 java.util.regex.Pattern$CharPropertyNames$16
3322: 1 24 com.tc.object.applicator.ArrayApplicator
3323: 1 24 org.apache.catalina.util.CharsetMapper
3324: 1 24 org.slf4j.impl.LogbackMDCAdapter
3325: 1 24 sun.text.normalizer.NormalizerBase$Mode
3326: 1 24 org.eclipse.jdt.internal.compiler.lookup.TypeVariableBinding[]
3327: 1 24 com.tc.util.ToggleableReferenceManager
3328: 1 24 org.apache.xerces.impl.dv.xs.MonthDV
3329: 1 24 com.tc.object.dna.impl.StorageDNAEncodingImpl
3330: 1 24 org.terracotta.modules.tomcat.common.adapters.BootstrapAdapter
3331: 1 24 org.apache.catalina.mbeans.ServerLifecycleListener
3332: 1 24 com.sun.net.ssl.internal.ssl.EphemeralKeyManager
3333: 1 24 com.tc.util.sequence.SimpleSequence
3334: 1 24 org.slf4j.helpers.SubstituteLoggerFactory
3335: 1 24 ch.qos.logback.classic.selector.DefaultContextSelector
3336: 1 24 org.apache.catalina.Engine[]
3337: 1 24 org.springframework.web.context.ContextLoaderListener
3338: 1 24 org.apache.xmlbeans.impl.store.Locale$DefaultQNameFactory
3339: 1 24 java.nio.channels.spi.AbstractSelector$1
3340: 1 24 com.tc.statistics.retrieval.actions.SRADiskActivity
3341: 1 24 org.joda.time.tz.DefaultNameProvider
3925: 1 16 org.opensaml.saml1.core.validator.AudienceSpecValidator
3926: 1 16 sun.reflect.GeneratedMethodAccessor19
3927: 1 16 org.opensaml.saml2.metadata.impl.NameIDMappingServiceBuilder
3928: 1 16 sun.nio.ch.FileDispatcher
3929: 1 16 org.opensaml.saml2.core.validator.ArtifactResponseSchemaValidator
3930: 1 16 sun.reflect.GeneratedConstructorAccessor64
3931: 1 16 org.opensaml.xml.encryption.impl.EncryptedDataBuilder
3932: 1 16 org.opensaml.saml2.metadata.validator.RequestedAttributeSchemaValidator
3933: 1 16 sun.reflect.GeneratedMethodAccessor20
3934: 1 16 org.apache.xerces.impl.dv.xs.EntityDV
3935: 1 16 sun.reflect.GeneratedMethodAccessor7
3936: 1 16 sun.security.rsa.RSAKeyFactory
3937: 1 16 org.opensaml.saml2.metadata.validator.AssertionConsumerServiceSchemaValidator
3938: 1 16 org.knopflerfish.framework.BundlePackages$3
3939: 1 16 org.opensaml.saml2.metadata.impl.OrganizationURLBuilder
3940: 1 16 org.opensaml.ws.soap.soap11.impl.HeaderBuilder
3941: 1 16 sun.reflect.generics.tree.VoidDescriptor
3942: 1 16 org.opensaml.ws.soap.soap11.impl.BodyBuilder
3943: 1 16 sun.reflect.GeneratedConstructorAccessor49
3944: 1 16 com.tc.aspectwerkz.transform.inlining.AsmNullAdapter$NullMethodAdapter
3945: 1 16 java.lang.ApplicationShutdownHooks$1
3946: 1 16 sun.reflect.GeneratedMethodAccessor29
3947: 1 16 org.opensaml.saml2.metadata.validator.IDPSSODescriptorSpecValidator
3948: 1 16 org.opensaml.saml2.metadata.validator.ContactPersonSchemaValidator
3949: 1 16
edu.internet2.middleware.shibboleth.common.log.LogbackConfigurationChangeListener
3950: 1 16 org.opensaml.saml2.core.validator.RequesterIDSchemaValidator
3951: 1 16 org.joda.time.DateTimeUtils$SystemMillisProvider
3952: 1 16 org.apache.xml.serializer.SecuritySupport12
3953: 1 16 org.eclipse.jdt.internal.compiler.CompilationResult$1
3954: 1 16 org.opensaml.xml.encryption.validator.ReferenceListSchemaValidator
3955: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor69
3956: 1 16 org.opensaml.xml.encryption.impl.TransformsBuilder
3957: 1 16 sun.reflect.GeneratedMethodAccessor57
3958: 1 16 org.joda.time.convert.DateConverter
3959: 1 16 org.opensaml.ws.wssecurity.impl.CreatedBuilder
3960: 1 16 org.opensaml.ws.wssecurity.impl.ReferenceBuilder
3961: 1 16 org.opensaml.ws.soap.soap11.impl.FaultStringBuilder
3962: 1 16
org.opensaml.saml2.metadata.validator.AttributeAuthorityDescriptorSchemaValidator
3963: 1 16 org.opensaml.saml1.core.impl.RespondWithBuilder
3964: 1 16
edu.internet2.middleware.shibboleth.common.xmlobject.impl.ShibbolethMetadataScopeBuilder
3965: 1 16 org.opensaml.xml.signature.impl.DigestMethodBuilder
3966: 1 16 java.lang.ref.Reference$Lock
3967: 1 16 org.opensaml.saml2.metadata.validator.AttributeAuthorityDescriptorSpecValidator
3968: 1 16 org.opensaml.saml2.metadata.validator.AdditionalMetadataLocationSchemaValidator
3969: 1 16 org.apache.xerces.impl.dv.xs.BooleanDV
3970: 1 16 sun.reflect.GeneratedConstructorAccessor1226
3971: 1 16 org.opensaml.ws.wssecurity.impl.IterationBuilder
3972: 1 16 sun.reflect.GeneratedConstructorAccessor45
3973: 1 16 com.tc.net.protocol.delivery.OnceAndOnlyOnceProtocolNetworkLayerFactoryImpl
3974: 1 16 org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder
3975: 1 16 org.opensaml.xml.signature.validator.RetrievalMethodSchemaValidator
3976: 1 16 org.opensaml.ws.wssecurity.impl.ExpiresBuilder
3977: 1 16 org.opensaml.xml.encryption.impl.KeySizeBuilder
3978: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor44
3979: 1 16 sun.reflect.GeneratedConstructorAccessor40
3980: 1 16 org.opensaml.common.impl.RandomIdentifierGenerator
3981: 1 16 sun.security.util.ByteArrayTagOrder
3982: 1 16 sun.reflect.GeneratedMethodAccessor54
3983: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor34
3984: 1 16 org.opensaml.saml2.metadata.validator.IDPSSODescriptorSchemaValidator
3985: 1 16 sun.reflect.GeneratedConstructorAccessor1231
3986: 1 16 org.opensaml.saml2.core.validator.AttributeQuerySchemaValidator
3987: 1 16 org.opensaml.saml2.core.validator.AudienceSchemaValidator
3988: 1 16 org.opensaml.xml.encryption.impl.DataReferenceBuilder
3989: 1 16 com.tc.exception.ExceptionHelperImpl$NullExceptionHelper
3990: 1 16 org.springframework.web.context.support.WebApplicationContextUtils$1
3991: 1 16 sun.reflect.GeneratedMethodAccessor110
3992: 1 16 sun.reflect.GeneratedMethodAccessor42
3993: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$OBJECTS_NOT_FOUND_RESPONSE_MES
SAGEFactory
3994: 1 16 org.opensaml.saml2.core.impl.AuthnContextDeclBuilder
3995: 1 16 org.knopflerfish.framework.Util$1
3996: 1 16 org.opensaml.saml1.core.validator.AuthorizationDecisionStatementSchemaValidator
3997: 1 16 org.opensaml.ws.wssecurity.impl.NonceBuilder
3998: 1 16 sun.reflect.GeneratedConstructorAccessor44
3999: 1 16 sun.reflect.GeneratedConstructorAccessor29
4000: 1 16 org.opensaml.xml.signature.validator.X509IssuerSerialSchemaValidator
4001: 1 16 sun.reflect.GeneratedConstructorAccessor60
4002: 1 16 org.opensaml.ws.wssecurity.impl.UsernameBuilder
4003: 1 16 org.opensaml.saml2.metadata.validator.SingleSignOnServiceSpecValidator
4004: 1 16 org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder
4005: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor38
4006: 1 16 org.apache.xerces.jaxp.validation.DraconianErrorHandler
4007: 1 16 org.opensaml.xml.signature.impl.SPKISexpBuilder
4008: 1 16 org.opensaml.saml1.core.validator.AuthenticationQuerySchemaValidator
4009: 1 16 com.sun.jmx.mbeanserver.StandardMBeanIntrospector
4010: 1 16 org.opensaml.saml2.core.validator.AuthnContextDeclSchemaValidator
4011: 1 16 org.opensaml.saml2.metadata.impl.OrganizationDisplayNameBuilder
4012: 1 16 org.opensaml.saml2.metadata.validator.ServiceDescriptionSchemaValidator
4013: 1 16 sun.reflect.GeneratedConstructorAccessor18
4014: 1 16 org.opensaml.xml.encryption.impl.KeyReferenceBuilder
4015: 1 16 org.opensaml.saml2.metadata.validator.AffiliationDescriptorSchemaValidator
4016: 1 16 com.tc.jrexx.regex.Terminal_EOF
4017: 1 16 org.opensaml.saml2.metadata.validator.OrganizationDisplayNameSchemaValidator
4018: 1 16 sun.reflect.GeneratedConstructorAccessor1268
4019: 1 16 org.opensaml.saml1.core.validator.AssertionSpecValidator
4020: 1 16 org.opensaml.saml2.metadata.impl.AffiliateMemberBuilder
4021: 1 16 org.apache.xerces.impl.dv.xs.HexBinaryDV
4022: 1 16 org.opensaml.ws.wsaddressing.impl.ReferenceParametersBuilder
4023: 1 16 sun.reflect.GeneratedConstructorAccessor57
4024: 1 16 sun.reflect.GeneratedMethodAccessor30
4025: 1 16 org.opensaml.xml.encryption.impl.AgreementMethodBuilder
4026: 1 16 org.knopflerfish.framework.Pkg$2
4027: 1 16 org.opensaml.saml2.core.impl.AuthenticatingAuthorityBuilder
4028: 1 16 sun.reflect.GeneratedMethodAccessor55
4029: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$REQUEST_MANAGED_OBJECT_RESPON
SE_MESSAGEFactory
4030: 1 16 org.opensaml.saml2.core.validator.SubjectSchemaValidator
4031: 1 16 org.opensaml.saml2.core.validator.StatusSchemaValidator
4032: 1 16 org.opensaml.saml1.core.validator.AuthorityBindingSchemaValidator
4033: 1 16 org.opensaml.ws.soap.soap11.impl.FaultActorBuilder
4034: 1 16 com.sun.jndi.ldap.LdapNameParser
4035: 1 16
com.tc.config.schema.beanfactory.TerracottaDomainConfigurationDocumentBeanFactory
4036: 1 16 sun.util.resources.LocaleData$LocaleDataResourceBundleControl
4037: 1 16 org.opensaml.samlext.saml2delrestrict.impl.DelegateBuilder
4038: 1 16 org.opensaml.ws.wsaddressing.impl.ProblemHeaderQNameBuilder
4039: 1 16 sun.management.HotSpotDiagnostic
4040: 1 16 org.opensaml.saml2.core.impl.ArtifactBuilder
4041: 1 16 sun.reflect.GeneratedMethodAccessor14
4042: 1 16 org.opensaml.saml2.metadata.impl.ServiceNameBuilder
4043: 1 16 org.opensaml.saml2.metadata.impl.CompanyBuilder
4044: 1 16 org.opensaml.saml2.core.impl.RequesterIDBuilder
4045: 1 16 org.opensaml.xml.signature.impl.X509SubjectNameBuilder
4046: 1 16 com.sun.jmx.remote.opt.internal.ArrayNotificationBuffer$BroadcasterQuery
4047: 1 16 sun.reflect.GeneratedMethodAccessor33
4048: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$LOCK_RESPONSE_MESSAGEFactory
4049: 1 16 sun.reflect.GeneratedMethodAccessor49
4050: 1 16 org.opensaml.samlext.saml2mdquery.impl.ActionNamespaceBuilder
4051: 1 16 org.opensaml.saml2.metadata.validator.AttributeProfileSchemaValidator
4052: 1 16 org.opensaml.xml.signature.validator.PGPDataSchemaValidator
4053: 1 16 org.knopflerfish.framework.StartLevelImpl$2
4054: 1 16 sun.reflect.GeneratedMethodAccessor10
4055: 1 16 org.opensaml.xml.encryption.impl.ReferenceListBuilder
4056: 1 16 org.opensaml.saml1.core.impl.AssertionIDReferenceBuilder
4057: 1 16 org.opensaml.saml2.metadata.validator.AuthzServiceSchemaValidator
4058: 1 16 org.opensaml.ws.wsfed.impl.RequestedSecurityTokenBuilder
4059: 1 16 sun.reflect.GeneratedMethodAccessor46
4060: 1 16 org.opensaml.saml2.core.validator.LogoutResponseSchemaValidator
4061: 1 16 org.apache.catalina.util.MD5Encoder
4062: 1 16 edu.internet2.middleware.shibboleth.common.log.LogbackLoggingService
4063: 1 16 org.opensaml.saml2.core.validator.AttributeSchemaValidator
4064: 1 16 org.opensaml.saml2.core.validator.AuthzDecisionStatementSchemaValidator
4065: 1 16 org.opensaml.xml.signature.impl.QBuilder
4066: 1 16 org.opensaml.saml2.metadata.validator.TelephoneNumberSchemaValidator
4067: 1 16 sun.reflect.GeneratedMethodAccessor5
4068: 1 16 org.opensaml.xml.signature.impl.KeyNameBuilder
4069: 1 16 com.sun.jmx.remote.generic.ObjectWrappingImpl
4070: 1 16 org.opensaml.ws.soap.soap11.impl.DetailBuilder
4071: 1 16 org.apache.xerces.impl.dv.dtd.IDREFDatatypeValidator
4072: 1 16 org.opensaml.saml2.metadata.impl.AuthzServiceBuilder
4073: 1 16 org.apache.xerces.impl.dv.xs.AnySimpleDV
4074: 1 16 sun.reflect.GeneratedConstructorAccessor11
4075: 1 16 org.apache.commons.ssl.Certificates$1
4076: 1 16 org.opensaml.xml.signature.impl.MgmtDataBuilder
4077: 1 16 com.tc.async.impl.NullSink
4078: 1 16 org.opensaml.saml2.metadata.impl.ManageNameIDServiceBuilder
4079: 1 16 com.sun.jmx.mbeanserver.MBeanAnalyzer$MethodOrder
4080: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor30
4081: 1 16 org.opensaml.saml2.metadata.validator.EntitiesDescriptorSchemaValidator
4082: 1 16 org.joda.time.field.MillisDurationField
4083: 1 16 sun.org.mozilla.javascript.internal.NativeGlobal
4084: 1 16 org.opensaml.ws.wssecurity.impl.SecurityTokenReferenceBuilder
4085: 1 16 com.tc.statistics.retrieval.actions.SRAThreadDump
4086: 1 16 sun.reflect.GeneratedConstructorAccessor1233
4087: 1 16 org.apache.tomcat.util.buf.MessageBytes$MessageBytesFactory
4088: 1 16 com.tc.util.CommonShutDownHook
4089: 1 16 org.opensaml.saml2.core.validator.AssertionIDRequestSchemaValidator
4090: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$NODES_WITH_OBJECTS_RESPONSE_ME
SSAGEFactory
4091: 1 16 org.opensaml.samlext.saml1md.impl.SourceIDBuilder
4092: 1 16 sun.reflect.GeneratedMethodAccessor102
4093: 1 16 sun.reflect.GeneratedConstructorAccessor1229
4094: 1 16 org.apache.xerces.impl.XMLEntityManager$1
4095: 1 16 sun.reflect.GeneratedConstructorAccessor22
4096: 1 16 org.opensaml.saml2.metadata.validator.EntitiesDescriptorSpecValidator
4097: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$CLIENT_HANDSHAKE_MESSAGEFactory
4098: 1 16 org.opensaml.saml2.metadata.validator.ManageNameIDServiceSchemaValidator
4099: 1 16 org.opensaml.saml2.ecp.impl.RelayStateBuilder
4100: 1 16 sun.security.pkcs11.P11TlsPrfGenerator$1
4101: 1 16 sun.reflect.GeneratedConstructorAccessor2
4102: 1 16 org.opensaml.xml.signature.impl.PBuilder
4103: 1 16 org.opensaml.xml.encryption.validator.CipherReferenceSchemaValidator
4104: 1 16 org.apache.commons.ssl.asn1.ASN1InputStream$1
4105: 1 16 org.opensaml.saml2.core.validator.AuthnStatementSchemaValidator
4106: 1 16 org.apache.xerces.impl.dv.xs.FloatDV
4107: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor75
4108: 1 16 java.lang.Runtime
4109: 1 16 com.tc.object.dna.impl.StorageDNAEncodingImpl$FailureClassProvider
4110: 1 16 sun.reflect.GeneratedConstructorAccessor1271
4111: 1 16 com.tc.statistics.retrieval.actions.SRAHttpSessions
4112: 1 16 org.apache.jasper.xmlparser.MyEntityResolver
4113: 1 16 org.knopflerfish.framework.BundlePackages$4
4114: 1 16 org.apache.xerces.impl.dv.xs.IntegerDV
4115: 1 16 sun.reflect.GeneratedConstructorAccessor43
4116: 1 16 sun.reflect.GeneratedConstructorAccessor1308
4117: 1 16 sun.reflect.GeneratedConstructorAccessor12
4118: 1 16 java.util.ResourceBundle$Control
4119: 1 16 sun.reflect.GeneratedConstructorAccessor1307
4120: 1 16 org.opensaml.saml2.metadata.validator.ArtifactResolutionServiceSchemaValidator
4121: 1 16 com.sun.script.javascript.RhinoScriptEngineFactory
4122: 1 16 org.joda.time.convert.ReadableDurationConverter
4123: 1 16 org.opensaml.saml2.core.impl.AssertionURIRefBuilder
4124: 1 16 sun.reflect.GeneratedSerializationConstructorAccessor42
4125: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$BROADCAST_TRANSACTION_MESSAGE
Factory
4126: 1 16 org.opensaml.xml.signature.validator.TransformsSchemaValidator
4127: 1 16 sun.reflect.GeneratedConstructorAccessor20
4128: 1 16 com.tc.aspectwerkz.transform.inlining.AsmNullAdapter$NullAnnotationVisitor
4129: 1 16 com.tc.util.concurrent.CopyOnWriteArrayMap$1
4130: 1 16 sun.reflect.GeneratedMethodAccessor100
4131: 1 16 sun.reflect.GeneratedConstructorAccessor21
4132: 1 16 org.opensaml.saml1.core.impl.ConfirmationMethodBuilder
4133: 1 16 org.opensaml.xml.signature.impl.JBuilder
4134: 1 16 com.tc.config.schema.utils.StandardXmlObjectComparator
4135: 1 16 sun.reflect.GeneratedConstructorAccessor70
4136: 1 16 org.mozilla.javascript.Undefined
4137: 1 16 org.opensaml.saml2.core.impl.ResponseBuilder
4138: 1 16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$COMPLETED_TRANSACTION_LOWWAT
ERMARK_MESSAGEFactory
4139: 1 16 org.apache.xerces.impl.dv.xs.XSSimpleTypeDecl$1
4140: 1 16 org.opensaml.xml.signature.validator.SPKIDataSchemaValidator
4141: 1 16 org.opensaml.saml2.core.impl.SessionIndexBuilder
4142: 1 16 org.opensaml.ws.wssecurity.impl.UsernameTokenBuilder
4143: 1 16 org.opensaml.xml.schema.impl.XSQNameBuilder
4144: 1 16 org.opensaml.ws.wsaddressing.impl.ProblemIRIBuilder
4145: 1 16 org.apache.log4j.DefaultCategoryFactory
4146: 1 16 org.opensaml.xml.encryption.validator.EncryptionPropertySchemaValidator
4147: 1 16 org.apache.xerces.impl.dv.xs.StringDV
4148: 1 16 org.opensaml.saml2.core.impl.KeyInfoConfirmationDataTypeBuilder
4149: 1 16 sun.reflect.GeneratedMethodAccessor34
4150: 1 16 org.opensaml.saml2.core.impl.NewIDBuilder
4151: 1 16 sun.reflect.GeneratedConstructorAccessor17
4152: 1 16 org.opensaml.saml2.metadata.validator.AuthnAuthorityDescriptorSpecValidator
4153: 1 16 sun.reflect.GeneratedMethodAccessor36
4154: 1 16 org.opensaml.saml2.core.validator.ArtifactSchemaValidator
4155: 1 16 org.knopflerfish.framework.BundleClassLoader$2
4156: 1 16 org.eclipse.jdt.internal.compiler.lookup.ReferenceBinding$2
4157: 1 16 org.opensaml.saml2.metadata.impl.OrganizationNameBuilder
4158: 1 16 org.opensaml.ws.wsaddressing.impl.AddressBuilder
4159: 1 16 sun.reflect.GeneratedMethodAccessor39
4160: 1 16 org.apache.xerces.impl.dv.xs.IDDV
4161: 1 16 org.opensaml.saml2.metadata.validator.PDPDescriptorSpecValidator
Total : 23958014 1531276528


 Comments
Comment by Chad La Joie [ 23/Jul/10 ]
Russ, the only way I can really diagnose something like this is via a number of memory dumps
gotten from the command 'jmap -dump:format=b'. Note, however, that things like the passwords
in your config files show up in such a dump as well as possibly user passwords depending on
whether you have the IdP set to retain those. If you give me 3-4 dumps with a week or two
between them I should be able to determine what is leaking.
Comment by Russell Beall [ 23/Jul/10 ]
I can't imagine I would be able to send that file. Last time I looked at such a file, many user
passwords were there. If you could tell me what you are looking for and what tool you would use
to analyze the dumps, perhaps I can do the work for you.

Does that command freeze the JVM or can it be run while the node is active in production?
Comment by Chad La Joie [ 02/Aug/10 ]
It's not something I can really describe. It takes a lot of inspecting and correlating data and code
paths to determine which objects should rightly be growing over time, whether various objects
are growing just because memory has reached a steady state and is being garbage collected
less frequently, and various other aspects.

I can't reproduce the type of setup you're talking about and you (understandably) can't give me
access to the data I need to diagnose it, so nothing can really be done.
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
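The comments above ask for several dumps spaced over time so that growth can be tracked, while noting that full heap dumps expose passwords. As an added example (not part of the original thread or the Shibboleth project's code), this sketch does a first triage on `jmap -histo` class histograms instead, which carry only class names, instance counts and byte totals; the three snapshots and the class `example.idp.SessionEntry` are constructed for illustration.

```python
"""Find classes that grow across successive `jmap -histo` snapshots."""
import re
from typing import Dict, List, Optional, Tuple

Histo = Dict[str, Tuple[int, int]]  # class name -> (instances, bytes)

FULL_ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
BARE_ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s*$")  # class name wrapped below
NAME_PART = re.compile(r"^\s*(\S+)\s*$")


def parse_histo(text: str) -> Histo:
    """Parse histogram rows, rejoining class names that pasting wrapped
    onto the following line(s), as happens to long names in issue trackers."""
    histo: Histo = {}
    pending: Optional[list] = None  # [instances, bytes, name so far]

    def flush() -> None:
        nonlocal pending
        if pending is not None and pending[2]:
            histo[pending[2]] = (pending[0], pending[1])
        pending = None

    for line in text.splitlines():
        full, bare = FULL_ROW.match(line), BARE_ROW.match(line)
        part = NAME_PART.match(line)
        if full:
            flush()
            histo[full.group(3)] = (int(full.group(1)), int(full.group(2)))
        elif bare:
            flush()
            pending = [int(bare.group(1)), int(bare.group(2)), ""]
        elif pending is not None and part:
            pending[2] += part.group(1)  # continuation of a wrapped name
        else:
            flush()  # header, separator, blank line or the Total row
    flush()
    return histo


def steady_growers(snapshots: List[Histo], min_bytes: int = 0) -> List[Tuple[str, int]]:
    """Classes whose byte total rises in every interval, largest growth first.

    Classes that rise and then fall reflect garbage-collection timing; classes
    that rise in every snapshot are the ones worth inspecting further."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots in time order")
    found = []
    for name in snapshots[-1]:
        series = [snap.get(name, (0, 0))[1] for snap in snapshots]
        if all(later > earlier for earlier, later in zip(series, series[1:])):
            delta = series[-1] - series[0]
            if delta >= min_bytes:
                found.append((name, delta))
    return sorted(found, key=lambda item: (-item[1], item[0]))


# Constructed sample snapshots (not data from the issue).
SNAP_1 = """
 num     #instances         #bytes  class name
----------------------------------------------
   1:         50000        4000000  [B
   2:         10000         320000  example.idp.SessionEntry
   3:             1             16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$CLIENT_HANDSHA
KE_MESSAGEFactory
   4:             1             16  org.opensaml.xml.signature.impl.YBuilder
Total         60002        4320032
"""
SNAP_2 = """
   1:         90000        7200000  [B
   2:         20000         640000  example.idp.SessionEntry
   3:             1             16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$CLIENT_HANDSHA
KE_MESSAGEFactory
   4:             1             16  org.opensaml.xml.signature.impl.YBuilder
Total        110002        7840032
"""
SNAP_3 = """
   1:         40000        3200000  [B
   2:         30000         960000  example.idp.SessionEntry
   3:             1             16
com.tc.net.protocol.tcm.TCMessageFactoryImpl$CLIENT_HANDSHA
KE_MESSAGEFactory
   4:             1             16  org.opensaml.xml.signature.impl.YBuilder
Total         70002        4160032
"""

if __name__ == "__main__":
    history = [parse_histo(s) for s in (SNAP_1, SNAP_2, SNAP_3)]
    for cls, grown in steady_growers(history):
        print(f"{grown:>12}  {cls}")
```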
[SIDP-393] WAYF/shire url in IDP 2.1.5 losing attributes before sending response to SP Created: 02/Jul/10 Updated: 31/Jan/11 Resolved: 26/Jul/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:              Bug                           Priority:          Major
Reporter:          martin kelly                  Assignee:          Chad La Joie
Resolution:        Invalid                       Votes:             0
Labels:            None

Java Version:      Sun 1.5
Servlet Container: Apache Tomcat 5.5

Description

Original SP WAYF/Shire url is correctly obtained by the IDP as:

https://coleg.intralibrary.com/?command=open-athens-auth%26federation=ukfed

After 'Invoking velocity template to create POST body' and 'Encoding action url' the WAYF url
to respond to becomes:

https://coleg.intralibrary.com/?command=open-athens-auth%26federation

Only happens with Shibboleth IDP 2.1.5; other IDPs such as 2.1.4 are working successfully.
Upgrading to 2.1.5 has been proven to cause the issue and reverting back is currently our only
solution.


IDP Log below:


09:38:53.673 - INFO [Shibboleth-Access:73] -
20100701T093853Z|10.1.21.151|cardshibidp.cardonald.ac.uk:443|/profile/Shibboleth/SSO|
09:38:53.673 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] -
shibboleth.HandlerManager: Looking up profile handler for request path: /Shibboleth/SSO
09:38:53.673 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] -
shibboleth.HandlerManager: Located profile handler of the following type for the request path:
edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler
09:38:53.673 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:112] -
Processing incoming request
09:38:53.673 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:118] -
Incoming request does not contain a login context, processing as first leg of request
09:38:53.673 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:185] -
Decoding message with decoder binding urn:mace:shibboleth:1.0:profiles:AuthnRequest
09:38:53.673 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:72] -
Beginning to decode message from inbound transport of type:
org.opensaml.ws.transport.http.HttpServletRequestAdapter
09:38:53.689 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:38:53.689 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCo
nfigurationManager:126] - Looking up relying party configuration for
https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCo
nfigurationManager:132] - No custom relying party configuration found for
https://coleg.intralibrary.com/shibboleth, looking up configuration based on metadata groups.
09:38:54.845 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCo
nfigurationManager:155] - No custom or group-based relying party configuration found for
https://coleg.intralibrary.com/shibboleth. Using default relying party configuration.
09:38:54.845 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:108] -
Evaluating security policy of type
'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' for decoded
message
09:38:54.845 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:81] -
Successfully decoded message.
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:208] -
Decoded Shibboleth SSO request from relying party
'https://coleg.intralibrary.com/shibboleth'
09:38:54.845 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCo
nfigurationManager:126] - Looking up relying party configuration for
https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCo
nfigurationManager:132] - No custom relying party configuration found for
https://coleg.intralibrary.com/shibboleth, looking up configuration based on metadata groups.
09:38:54.845 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyCo
nfigurationManager:155] - No custom or group-based relying party configuration found for
https://coleg.intralibrary.com/shibboleth. Using default relying party configuration.
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:198] - Processing
incoming request
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:228] - Beginning user
authentication process.
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:334] - Filtering configured
login handlers by requested athentication methods.
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:335] - Configured
LoginHandlers:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth
.idp.authn.provider.PreviousSessionLoginHandler@156e0b4,
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.a
uthn.provider.RemoteUserLoginHandler@ba8180}
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:336] - Requested
authentication methods: []
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:236] - Possible
authentication handlers for this request:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth
.idp.authn.provider.PreviousSessionLoginHandler@156e0b4,
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.a
uthn.provider.RemoteUserLoginHandler@ba8180}
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:246] - Possible
authentication handlers after filtering:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth
.idp.authn.provider.PreviousSessionLoginHandler@156e0b4,
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.a
uthn.provider.RemoteUserLoginHandler@ba8180}
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:277] - Selecting
appropriate login handler for request
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:250] - Authenticating user
with login handler of type
edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
09:38:54.845 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:155] -
LoginContext parition: loginContexts
09:38:54.845 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:161] -
LoginContext key: 4c1c5ebb-a6ec-4487-aeac-c5c4e48441c6
09:38:54.845 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:75] -
Redirecting to https://cardshibidp.cardonald.ac.uk:443/idp/Authn/RemoteUser
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:48] - Remote
user identified as graeme maccormick returning control back to authentication engine
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:143] - Returning control
to authentication engine
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:296] -
LoginContext not bound to HTTP request, retrieving it from storage service
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:307] -
LoginContext key is '4c1c5ebb-a6ec-4487-aeac-c5c4e48441c6'
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:310] -
parition: loginContexts
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:198] - Processing
incoming request
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:296] -
LoginContext not bound to HTTP request, retrieving it from storage service
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:307] -
LoginContext key is '4c1c5ebb-a6ec-4487-aeac-c5c4e48441c6'
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:310] -
parition: loginContexts
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:477] - Completing user
authentication process
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:537] - Validating
authentication was performed successfully
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:640] - Updating session
information for principal graeme maccormick
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:644] - Creating shibboleth
session for principal graeme maccormick
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:745] - Adding IdP session
cookie to HTTP response
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:657] - Recording
authentication and service information in Shibboleth session for principal: ##### ######
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:512] - User graeme
maccormick authenticated with method urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:160] - Returning control
to profile handler
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:296] -
LoginContext not bound to HTTP request, retrieving it from storage service
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:307] -
LoginContext key is '4c1c5ebb-a6ec-4487-aeac-c5c4e48441c6'
09:39:09.846 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:310] -
parition: loginContexts
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:170] - Returning control
to profile handler at: /profile/Shibboleth/SSO
09:39:09.846 - INFO [Shibboleth-Access:73] -
20100701T093909Z|10.1.21.151|cardshibidp.cardonald.ac.uk:443|/profile/Shibboleth/SSO|
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] -
shibboleth.HandlerManager: Looking up profile handler for request path: /Shibboleth/SSO
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] -
shibboleth.HandlerManager: Located profile handler of the following type for the request path:
edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:112] -
Processing incoming request
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:121] -
Incoming request contains a login context, processing as second leg of request
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126]
- Looking up relying party configuration for https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132]
- No custom relying party configuration found for
https://coleg.intralibrary.com/shibboleth, looking up configuration based on metadata groups.
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of https://coleg.intralibrary.com/shibboleth
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155]
- No custom or group-based relying party configuration found for
https://coleg.intralibrary.com/shibboleth. Using default relying party configuration.
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193]
- Checking child metadata provider for entity descriptor with entity ID:
https://cardshibidp.cardonald.ac.uk/shibboleth
09:39:09.846 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237]
- Searching for entity descriptor with an entity ID of
https://cardshibidp.cardonald.ac.uk/shibboleth
09:39:09.846 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:78] -
Selecting endpoint from metadata corresponding to provided ACS URL:
'https://coleg.intralibrary.com/?command=open-athens-auth%26federation=ukfed'
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:82] -
Relying party role contains '1' endpoints
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:501] -
Resolving attributes for principal 'graeme maccormick' for SAML request from relying party
'https://coleg.intralibrary.com/shibboleth'
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:118]
- shibboleth.AttributeResolver resolving attributes for principal graeme maccormick
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:249]
- Specific attributes for principal graeme maccormick were not requested, resolving
all attributes.
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
- Resolving attribute eduPersonPrincipalName for principal graeme maccormick
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:325]
- Resolving data connector myLDAP for principal graeme maccormick
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:765]
- Search filter: (samaccountname=###### #######)
09:39:09.893 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:781]
- Retrieving attributes from LDAP
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:566] - Search with the following
parameters:
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:567] - dn =
DC=college,DC=cardonald,DC=ac,DC=uk
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:568] - filter = (samaccountname=graeme
maccormick)
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:569] - filterArgs =
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:571] - none
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:575] - retAttrs =
09:39:09.893 - DEBUG [edu.vt.middleware.ldap.Ldap:579] - [sAMAccountName, url,
distinguishedName, objectGUID, objectSid]
09:39:24.894 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:78] -
Selecting endpoint from metadata corresponding to provided ACS URL:
'https://coleg.intralibrary.com/?command=open-athens-auth%26federation=ukfed'
09:39:24.894 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:82] -
Relying party role contains '1' endpoints
09:39:24.894 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:599] -
Determining if SAML assertion to relying party 'https://coleg.intralibrary.com/shibboleth'
should be signed
09:39:24.894 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:673] -
IdP relying party configuration 'default' indicates to sign assertions: false
09:39:24.894 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:680] -
Entity metadata for relying party 'https://coleg.intralibrary.com/shibboleth' indicates to sign
assertions: false
09:39:24.894 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:524] - Encoding
response to SAML request null from relying party https://coleg.intralibrary.com/shibboleth
09:39:24.894 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:47] -
Beginning encode message to outbound transport of type:
org.opensaml.ws.transport.http.HttpServletResponseAdapter
09:39:25.362 - DEBUG [edu.internet2.middleware.shibboleth.idp.StatusServlet:119] -
Attempting to authenticate client '194.83.68.142'
09:39:26.331 - DEBUG
[org.opensaml.saml1.binding.encoding.BaseSAML1MessageEncoder:135] - Signing outbound
SAML message.
09:39:26.331 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:99] - Starting to
marshall {http://www.w3.org/2000/09/xmldsig#}Signature
09:39:26.331 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:102] - Creating
XMLSignature object
09:39:26.331 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:112] - Adding
content to XMLSignature.
09:39:26.331 - DEBUG [org.opensaml.common.impl.SAMLObjectContentReference:172] -
Adding list of inclusive namespaces for signature exclusive canonicalization transform
09:39:26.331 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:117] - Creating
Signature DOM element
09:39:26.331 - DEBUG [org.opensaml.xml.signature.Signer:77] - Computing signature over
XMLSignature object
09:39:26.331 - DEBUG [org.opensaml.saml1.binding.encoding.HTTPPostEncoder:121] -
Invoking velocity template to create POST body
09:39:26.331 - DEBUG [org.opensaml.saml1.binding.encoding.HTTPPostEncoder:126] -
Encoding action url of: https://coleg.intralibrary.com/?command=open-athens-auth%26federation
09:39:26.331 - DEBUG [org.opensaml.saml1.binding.encoding.HTTPPostEncoder:129] -
Marshalling and Base64 encoding SAML message
09:39:26.331 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:87] -
Marshalling message
09:39:26.331 - DEBUG [org.opensaml.saml1.binding.encoding.HTTPPostEncoder:135] -
Setting TARGET parameter to: /
09:39:26.347 - DEBUG [PROTOCOL_MESSAGE:64] -
<?xml version="1.0" encoding="UTF-8"?><saml1p:Response
xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2010-07-01T09:39:24.894Z"
MajorVersion="1" MinorVersion="1"
Recipient="https://coleg.intralibrary.com/?command=open-athens-auth%26federation"
ResponseID="_ede01938301c6200d0753a6b9f6d0573">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_ede01938301c6200d0753a6b9f6d0573">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml1 saml1p"/>
          </ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DcA4dRQts+WOuxBXMoh725FmYj4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
objW/JkCP4wzY8dLXY6ozyNI4zx3s/MIMtUQp8lfwOE9ERQVO8KtCBR4QXL42Ml3mxNW
9WT5ht2i
86YWKeTZOJ1Z265Lw9owmBS0WzvRcA/64DF7VP4UOYB2UyvnMw9YcTZJ5gP9trdpapcl
oLmdQR+4
mFaYLc4E5mKJj7J8h9k=
</ds:SignatureValue>
<ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml1p:Status>
    <saml1p:StatusCode Value="saml1p:Success"/>
  </saml1p:Status>
  <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_75d14569a2fc01643109d5d46ccbcca6" IssueInstant="2010-07-01T09:39:24.894Z"
Issuer="https://cardshibidp.cardonald.ac.uk/shibboleth" MajorVersion="1"
MinorVersion="1">
    <saml1:Conditions NotBefore="2010-07-01T09:39:24.894Z"
NotOnOrAfter="2010-07-01T09:44:24.894Z">
      <saml1:AudienceRestrictionCondition>
        <saml1:Audience>https://coleg.intralibrary.com/shibboleth</saml1:Audience>
      </saml1:AudienceRestrictionCondition>
    </saml1:Conditions>
    <saml1:AuthenticationStatement AuthenticationInstant="2010-07-01T09:39:09.846Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified">
      <saml1:Subject>
        <saml1:SubjectConfirmation>
          <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod>
        </saml1:SubjectConfirmation>
      </saml1:Subject>
      <saml1:SubjectLocality IPAddress="10.1.21.151"/>
    </saml1:AuthenticationStatement>
  </saml1:Assertion>
</saml1p:Response>

09:39:26.347 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:54] -
Successfully encoded message.
09:39:26.347 - INFO [Shibboleth-Audit:714] -
20100701T093926Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://coleg.intralibrary.com/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://cardshibidp.cardonald.ac.uk/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_ede01938301c6200d0753a6b9f6d0573|graeme maccormick|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|||_75d14569a2fc01643109d5d46ccbcca6,|


 Comments
Comment by martin kelly [ 07/Jul/10 ]
Hi, any response to this issue? It's basically stopping us from being able to support Shibboleth
IDP version 2.1.5 in our product. So far we've had to tell our customers to stop using 2.1.5 which
isn't ideal.
Comment by Jackie Graham [ 23/Jul/10 ]
Can you advise us what we can do to resolve this problem? I have 8 colleges who will lose
access to our service if they move up to version 2.1.5. Meanwhile we have them sitting on 2.1.4
or earlier, but they are keen to upgrade within the next two weeks if they can (before their users
return in mid August).
Comment by Chad La Joie [ 26/Jul/10 ]
The root of this problem is an improperly encoded URL in the metadata for your SP. Within
metadata you need to use XML encoding rules and not URL encoding rules, so the '%26' needs
to be '&amp;' instead. This worked prior to 2.1.5 because the URL string was used as is. In 2.1.5
we began doing some checks for javascript within the URL as this could result in cross-site
scripting attacks. As part of the checking process we have to parse the URL and since it was
improperly encoded the parsing ended up truncating the URL.

I've talked with Ian and he's talked with the UK support team. They tried contacting you July 8th
in order to fix this but received no response. They've just tried again today. The way to resolve
the issue will be to work with them.
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
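The encoding rule Chad La Joie describes in the comment above, as an added example that is not part of the original issue or of the Shibboleth code base: a Python check that reads endpoint Location values from SP metadata and flags a query string in which %26 was written where XML's &amp; was meant. The metadata is constructed (sp.example.org is a placeholder) and the function names are hypothetical; only the query string mirrors the one in the log.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata for illustration (sp.example.org is a placeholder).
# index 1 repeats the mistake from the issue: URL encoding (%26) inside XML.
# index 2 is the XML-encoded form the comment asks for (&amp;).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/?command=open-athens-auth%26federation=ukfed"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/?command=open-athens-auth&amp;federation=ukfed"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def query_params(location):
    """Query parameters as a URL parser sees them, values percent-decoded."""
    return parse_qsl(urlsplit(location).query, keep_blank_values=True)


def looks_url_encoded_separator(location):
    """Heuristic: a decoded value that still holds '&name=value' suggests the
    parameter separator was written as %26 instead of XML's &amp;."""
    if "%26" not in urlsplit(location).query:
        return False
    for _name, value in query_params(location):
        _head, sep, tail = value.partition("&")
        if sep and "=" in tail:
            return True
    return False


def lint_metadata(xml_text):
    """Return one finding per AssertionConsumerService endpoint."""
    root = ET.fromstring(xml_text)
    findings = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        # The XML parser has already turned &amp; into & at this point.
        location = acs.get("Location", "")
        findings.append({
            "index": acs.get("index"),
            "location": location,
            "params": query_params(location),
            "suspect": looks_url_encoded_separator(location),
        })
    return findings


if __name__ == "__main__":
    for finding in lint_metadata(SAMPLE_METADATA):
        status = "SUSPECT" if finding["suspect"] else "ok"
        print(f"[{status}] ACS index {finding['index']}: {finding['location']}")
        for name, value in finding["params"]:
            print(f"    {name} = {value}")
```

A legitimate parameter value can contain an encoded ampersand, so a flagged endpoint is a prompt to check with the SP operator rather than proof of an error.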
[SIDP-390] Add ability to over ride relay state Created: 07/May/10       Updated: 07/May/10 Resolved:
07/May/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:               New Feature                    Priority:           Minor
Reporter:           Paul Hethmon                   Assignee:           Chad La Joie
Resolution:         Invalid                        Votes:              0
Labels:             None


 Description
I have an SP partner that insists I add data to their Relay State during the authentication process.
I've added a Saml2LoginContext.setRelayState() to a custom build of Shibboleth, but would like
to not have to modify the main code body.

I realize that having the IdP do anything but send back the given Relay State is not spec, but I
still have a relying party that makes me do it.


Comments
Comment by Chad La Joie [ 07/May/10 ]
Sorry, the spec is perfectly clear with regards to this. I understand you can't control the SP, but
we also can't deviate from the spec simply because a particular SP implementation is broken.

If you choose to try and maintain this on your own, I'd recommend using a Servlet filter instead
of changing the IdP code itself, if you can. That way you won't have to patch the code for IdP
release, you just need to remember to install the filter.
[SIDP-388] Add eduPersonAssurance attribute to attribute-resolver.xml config
example Created: 04/May/10 Updated: 19/May/10 Resolved: 19/May/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:               Improvement                   Priority:        Minor
Reporter:           Patrik Schnellmann            Assignee:        Chad La Joie
Resolution:         Fixed                         Votes:           0
Labels:             None

Attachments:           eduPersonAssurance-resolver.xml

 Description
The attribute eduPersonAssurance defined in eduPerson 200806 is not in the
attribute-resolver.xml file delivered with the IdP.

Please add the attribute to the example config file.

Comments
Comment by Patrik Schnellmann [ 04/May/10 ]
AttributeDefinition
Comment by Chad La Joie [ 19/May/10 ]
Added in rev 2927
[SIDP-386] Session indexes not cleared when session is destroyed Created: 30/Apr/10
Updated: 23/Sep/10 Resolved: 03/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:                    Improvement          Priority:          Minor
Reporter:                Halm Reusser         Assignee:          Chad La Joie
Resolution:              Fixed                Votes:             0
Labels:                  None


 Description
In
edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl#destroySession(String)
session indexes are not cleared when the session is destroyed.

 Comments
Comment by Halm Reusser [ 19/May/10 ]
I adapted the method like this:

  public void destroySession(String sessionID) {
    if (sessionID == null) {
       return;
    }
    SessionManagerEntry sessionEntry = sessionStore.remove(partition, sessionID);
    if (sessionEntry != null) {
       for (String index : sessionEntry.getSessionIndexes() ) {
          sessionStore.remove(partition, index);
       }
       sessionEntry.getSessionIndexes().clear();
    }
  }
Comment by Chad La Joie [ 03/Aug/10 ]
Fixed in rev 2935
[SIDP-384] Incorrect error message set for expired request in Shibboleth SSO
Profile Handler Created: 29/Mar/10 Updated: 19/May/10 Resolved: 19/May/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:               Bug                            Priority:           Minor
Reporter:           Robert Basch                   Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
When an expired request (or other SecurityException) is detected by the Shibboleth SSO profile
handler, the error message is being set to the literal string "msg"; this string may be retrieved and
displayed to the user via error.jsp. The problem seems to be due to an obvious bug in
ShibbolethSSOProfileHandler's decodeRequest() method, which would be corrected with the
following patch:

Index:
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHand
ler.java
===================================================================
---
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHand
ler.java (revision 2924)
+++
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHand
ler.java (working copy)
@@ -214,7 +214,7 @@
      } catch (SecurityException e) {
         String msg = "Shibboleth SSO request does not meet security requirements: " +
e.getMessage();
         log.warn(msg);
- throw new ProfileException("msg", e);
+ throw new ProfileException(msg, e);
      }
     ShibbolethSSOLoginContext loginContext = new ShibbolethSSOLoginContext();
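Review bot: on the "+ throw new ProfileException(msg, e);" line, the string now handed on includes e.getMessage(), and the description above says this message may be retrieved and displayed to the user via error.jsp, so check that error.jsp escapes it on output and decide whether the SecurityException detail belongs in the user-facing text or only in the log.warn(msg) call. The submitter also states the patch was never built, so it needs a compile and a test with an expired request before it is merged.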

(I have not actually tried building with this patch).

Comments
Comment by Chad La Joie [ 19/May/10 ]
Fixed in rev 2926
[SIDP-383] servlet is not loaded when remote arp is not reachable Created: 23/Mar/10
Updated: 20/May/10 Resolved: 20/May/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:                    Bug                       Priority:            Major
Reporter:                Janusz Ulanowski          Assignee:            Chad La Joie
Resolution:              Won't Fix                 Votes:               0
Labels:                  None

Java Version:            Sun 1.6
Servlet                  Apache Tomcat 6.0
Container:

 Description
During Tomcat restart, the IdP servlet has not been loaded if the remote ARP is not available.
Example of config:
<Service id="shibboleth.AttributeFilterEngine"
   xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine"
   configurationResourcePollingFrequency="120000"
   configurationResourcePollingRetryAttempts="3">
 <ConfigurationResource
   file="/opt/shibboleth-idp/conf/attribute-filter.xml"
   xsi:type="resource:FilesystemResource" />
 <ConfigurationResource
   xsi:type="resource:FileBackedHttpResource"
   url="https://remote.example.com/path"
   file="/opt/shibboleth-idp/conf/attribute-filter-remote.xml" />
</Service>

 Comments
Comment by Chad La Joie [ 20/May/10 ]
Yes. By design the IdP will "fail-fast" if its configuration files are unusable. So, if a remote host
is down and there is no local copy of the file, then the IdP will fail to start up. It has no way of
knowing whether it would be okay to continue on without the file.
[SIDP-382] Less verbose logging for failed attribute queries due to missing name-id
Created: 19/Mar/10 Updated: 19/May/10 Resolved: 19/May/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:              Improvement                   Priority:          Minor
Reporter:          Patrik Schnellmann            Assignee:          Chad La Joie
Resolution:        Fixed                         Votes:             0
Labels:            None


Description
The error message blows up the log file when logged with the full stack trace:

14:50:36.450 - ERROR
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:539] -
Error resolving principal name for SAML request '_8cb93320f745386444dcfa4f7cd50651' from
relying party 'https://aai-demo.switch.ch/shibboleth'
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException:
No information associated with transient identifier: 26387e54-8a6d-4cdd-8e19-154992977116
      at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.TransientPrincipalConnector.resolve(TransientPrincipalConnector.java:79) [shibboleth-common-1.2.0.jar:na]
      at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.TransientPrincipalConnector.resolve(TransientPrincipalConnector.java:32) [shibboleth-common-1.2.0.jar:na]
      at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.ContextualPrincipalConnector.resolve(ContextualPrincipalConnector.java:69) [shibboleth-common-1.2.0.jar:na]
      at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.ContextualPrincipalConnector.resolve(ContextualPrincipalConnector.java:29) [shibboleth-common-1.2.0.jar:na]
[...]

Comments
Comment by Chad La Joie [ 19/May/10 ]
Fixed in rev 2928
[SIDP-381] Use duration notation for assertion lifetime in example config files
Created: 17/Mar/10 Updated: 23/Sep/10 Resolved: 19/May/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:                     Improvement                       Priority:   Trivial
Reporter:                 Halm Reusser                      Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None


 Description
Shipped configuration files should not throw those warnings:

11:38:33.650 - WARN
[edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] -
Numerical duration form is deprecated. The property 'assertionLifetime' on profile configuration
of type {urn:mace:shibboleth:2.0:relying-party:saml}ShibbolethSSOProfile should use the
duration notation: PT5M0.000S
11:38:33.659 - WARN
[edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] -
Numerical duration form is deprecated. The property 'assertionLifetime' on profile configuration
of type {urn:mace:shibboleth:2.0:relying-party:saml}SAML1AttributeQueryProfile should use
the duration notation: PT5M0.000S
11:38:33.661 - WARN
[edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] -
Numerical duration form is deprecated. The property 'assertionLifetime' on profile configuration
of type {urn:mace:shibboleth:2.0:relying-party:saml}SAML2SSOProfile should use the duration
notation: PT5M0.000S
11:38:33.663 - WARN
[edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] -
Numerical duration form is deprecated. The property 'assertionLifetime' on profile configuration
of type {urn:mace:shibboleth:2.0:relying-party:saml}SAML2AttributeQueryProfile should use
the duration notation: PT5M0.000S


Comments
Comment by Chad La Joie [ 19/May/10 ]
Fixed in 2930
[SIDP-380] Use of forwards between profile handlers and authentication engine
causes problems for uApprove Created: 15/Mar/10 Updated: 16/Aug/10 Resolved: 16/Aug/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:               Bug                           Priority:            Major
Reporter:           Halm Reusser                  Assignee:            Chad La Joie
Resolution:         Fixed                         Votes:               0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 6.0
Container:

Description
Currently, requests are sent to the authentication engine, and returned to the profile handler, by
means of request forwards. This means that cookies, in particular the cookie that contains the
LoginContext key, are not available to filters, like uApprove, intercepting these transitions.

 Comments
Comment by Janusz Ulanowski [ 23/Mar/10 ]
I have the same issue.
Comment by Chad La Joie [ 16/Aug/10 ]
Fixed in IdP rev 2940 and shib-common rev 908
[SIDP-379] Usage of general AuthenticationException in
UsernamePasswordLoginHandler Created: 15/Mar/10 Updated: 16/Mar/10 Resolved: 16/Mar/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:               Bug                           Priority:           Minor
Reporter:           Halm Reusser                  Assignee:           Chad La Joie
Resolution:         Fixed                         Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 6.0
Container:

 Description
In the UsernameLoginHandler Servlet it gets checked if a JAAS LoginException is thrown.
Instead of putting that directly to the request as AUTHENTICATION_EXCEPTION_KEY, bundle
it in an AuthenticationException.

Comments
Comment by Chad La Joie [ 16/Mar/10 ]
Fixed in rev 2923
[SIDP-377] SPName Qualifier missing in NameID when persistentID is used in
combination with AffiliationDescriptor Created: 02/Mar/10 Updated: 23/Sep/10 Resolved: 02/Mar/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     2.2.0

Type:              Bug                            Priority:          Minor
Reporter:          Lukas Hämmerle                 Assignee:          Chad La Joie
Resolution:        Fixed                          Votes:             0
Labels:            None

Java Version:      Sun 1.5
Servlet            Jetty 7
Container:

Description
The IdP sends the following SAML subject:

  <saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
g4489WICx4m/zeiOD0nCwxGPYeU=
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="130.59.6.143"
InResponseTo="_ccb44b0734183e5d2190bc73cedddc24" NotOnOrAfter="2010-02-25T13:20:06.596Z"
Recipient="https://kelimutu.switch.ch/Shibboleth.sso/SAML2/POST" />
</saml2:SubjectConfirmation>
</saml2:Subject>

The SP then provides as persistentID value in the web server environment
"!!g4489WICx4m/zeiOD0nCwxGPYeU=", presumably because the SPNameQualifier is
missing.

 Comments
Comment by Scott Cantor [ 02/Mar/10 ]
I seem to recall Chad saying he fixed this just recently, but in terms of the SP, there's a
defaultQualifiers property on the decoder that determines whether it will be defaulted in. It's
false by default in order to prevent mistakes like in this case, where the qualifier would NOT be
the SP name but the affiliation name.
Comment by Lukas Hämmerle [ 02/Mar/10 ]
Ok, haven't heard of the fix yet :-) So, I guess this is in SVN then?

Regarding defaultQualifiers:
I find the definition given on
https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeDecoder for defaultQualifiers a bit
confusing.
("If true, the values of NameQualifier and SPNameQualifier will be defaulted, if not set by the
source, based on the identity provider and service provider identities.") The sentence is a bit long
and a bit too nested for my taste :-)

However, if I understand this correctly, defaultQualifiers *has* to be false in the scenario with
the AffiliationDescriptor. If defaultQualifiers was set to true, the SP entityID would be
overwritten with the one configured in shibboleth2.xml and not the one defined in metadata.
Right? Or would this only happen if defaultQualifiers was true and the IdP ("source") didn't
provide an SPNameQualifier?
Comment by Scott Cantor [ 02/Mar/10 ]
If I'm right, the fix should be in svn, but I may not be. I imagine this case is why he noticed it
was missing.

It doesn't have to be false, it would only be defaulted if the IdP doesn't provide a value, which is a
bug in the case of affiliated IDs.
Comment by Chad La Joie [ 02/Mar/10 ]
Yes, the fix has already been committed.
Comment by Lukas Hämmerle [ 03/Mar/10 ]
Ok, just to confirm. This issue is indeed fixed. On the SP it requires defaultQualifiers="true".

NameID with defaultQualifiers="false"
kelimutu: !https://testvo.dieng.switch.ch/vo!g4489WICx4m/zeiOD0nCwxGPYeU=
dieng: !https://testvo.dieng.switch.ch/vo!g4489WICx4m/zeiOD0nCwxGPYeU=

NameID with defaultQualifiers="true"
kelimutu: https://aai-demo-idp.switch.ch/idp/shibboleth!https://testvo.dieng.switch.ch/vo!g4489WICx4m/zeiOD0nCwxGPYeU=
dieng: https://aai-demo-idp.switch.ch/idp/shibboleth!https://testvo.dieng.switch.ch/vo!g4489WICx4m/zeiOD0nCwxGPYeU=

As for the eduPersonTargetedID the situation looks like this (which is expected according to
Chad):
kelimutu: https://aai-demo-idp.switch.ch/idp/shibboleth!https://kelimutu.switch.ch/shibboleth!g4489WICx4m/zeiOD0nCwxGPYeU=
dieng: https://aai-demo-idp.switch.ch/idp/shibboleth!https://dieng.switch.ch/shibboleth!g4489WICx4m/zeiOD0nCwxGPYeU=
Comment by Scott Cantor [ 03/Mar/10 ]
The SP setting should have no effect at all if the IdP is specifying the qualifiers. If you're saying
something different, there's still a bug on one end or the other.

Also, ePTID should be identical to using the NameID, but I don't know what you're testing with,
so I can't follow that part.
Comment by Lukas Hämmerle [ 03/Mar/10 ]
Well, then this seems to be a bug on the SP (2.3.0) because the SP receives from the IdP this
Subject:
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="https://testvo.dieng.switch.ch/vo">
g4489WICx4m/zeiOD0nCwxGPYeU=
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Address="2001:620:0:4:21e:c2ff:fe1b:b680"
InResponseTo="_65b2abbf3af07501cd5e507dd5cf110c" NotOnOrAfter="2010-03-03T15:11:18.276Z"
Recipient="https://kelimutu.switch.ch/Shibboleth.sso/SAML2/POST" />
</saml:SubjectConfirmation>
</saml:Subject>

The NameID contains the SPNameQualifier. However, if defaultQualifiers="false" in the
attribute-map.xml, the
persistent-id header will contain:
"!https://testvo.dieng.switch.ch/vo!g4489WICx4m/zeiOD0nCwxGPYeU="

If it is true:
persistent-id header will contain:
"https://aai-demo-idp.switch.ch/idp/shibboleth!https://testvo.dieng.switch.ch/vo!g4489WICx4m/zeiOD0nCwxGPYeU="

The ePTID received by the IdP looks like this:
<saml:Attribute FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://aai-demo-idp.switch.ch/idp/shibboleth"
SPNameQualifier="https://kelimutu.switch.ch/shibboleth">
g4489WICx4m/zeiOD0nCwxGPYeU=
</saml:NameID>
</saml:AttributeValue>
</saml:Attribute>


In all the above scenarios I used a Service Provider SessionInitiator on the SP that looks like this:
<SessionInitiator type="SAML2" acsByIndex="false" acsIndex="1"
template="bindingTemplate.html"
 SPNameQualifier="https://testvo.dieng.switch.ch/vo"
 NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />

Comment by Chad La Joie [ 03/Mar/10 ]
As I already told Lukas, the IdP does NOT support SPNameQualifier in attributes, only in
Subject/NameID. So the current behavior is as expected.
Comment by Scott Cantor [ 03/Mar/10 ]
Thanks for clarifying. I think the problem with the NameID cases is that the IdP is not including
its own NameQualifier. That's why the SP setting changes the result (this time it defaults in the
IdP name rather than the SP name).
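The qualifier behaviour worked out in this thread, as an added Python model (not the Shibboleth SP's code): it composes the NameQualifier!SPNameQualifier!value string the comments show in the persistent-id header and defaults only the qualifiers the IdP left out. The function names are hypothetical; the entity IDs and identifier value are the ones quoted above, and the Subject is abridged (no SubjectConfirmation).

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Entity IDs and identifier value as quoted in the thread.
IDP = "https://aai-demo-idp.switch.ch/idp/shibboleth"
VO = "https://testvo.dieng.switch.ch/vo"  # the affiliation
SPS = ["https://kelimutu.switch.ch/shibboleth", "https://dieng.switch.ch/shibboleth"]
VALUE = "g4489WICx4m/zeiOD0nCwxGPYeU="


def subject(sp_name_qualifier=None):
    """Build an abridged Subject; pass the affiliation to model the fixed IdP."""
    root = ET.Element(f"{{{SAML2_NS}}}Subject")
    name_id = ET.SubElement(root, f"{{{SAML2_NS}}}NameID", Format=PERSISTENT)
    if sp_name_qualifier:
        name_id.set("SPNameQualifier", sp_name_qualifier)
    name_id.text = VALUE
    return ET.tostring(root, encoding="unicode")


def persistent_id(subject_xml, idp_entity_id, sp_entity_id, default_qualifiers):
    """Compose NameQualifier!SPNameQualifier!value as seen in the thread.

    Assumption of this model: defaulting fills in only a qualifier the
    source omitted, from the IdP and SP entity IDs respectively.
    """
    name_id = ET.fromstring(subject_xml).find(f"{{{SAML2_NS}}}NameID")
    name_q = name_id.get("NameQualifier")
    sp_name_q = name_id.get("SPNameQualifier")
    if default_qualifiers:
        name_q = name_q or idp_entity_id
        sp_name_q = sp_name_q or sp_entity_id
    return "!".join([name_q or "", sp_name_q or "", (name_id.text or "").strip()])


def ids_per_sp(subject_xml, default_qualifiers):
    """The composed identifier as each member SP of the affiliation would see it."""
    return {sp: persistent_id(subject_xml, IDP, sp, default_qualifiers) for sp in SPS}


def shared_across_affiliation(subject_xml, default_qualifiers):
    """True when every member SP ends up with the same composed identifier."""
    return len(set(ids_per_sp(subject_xml, default_qualifiers).values())) == 1


if __name__ == "__main__":
    for label, xml_text in (("before fix", subject()), ("after fix", subject(VO))):
        for flag in (False, True):
            print(f"{label}, defaultQualifiers={flag}:")
            for sp, pid in ids_per_sp(xml_text, flag).items():
                print(f"  {sp}: {pid}")
```

With the qualifier missing and defaulting on, each SP fills in its own entity ID, so the affiliation-wide identifier splits into one value per SP, which is the mistake Scott Cantor says the false default prevents.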
[SIDP-376] Attribute Query with RDBM connector resolving issue Created: 24/Feb/10
Updated: 23/Sep/10 Resolved: 26/Feb/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.2.0
Fix Version/s:     None

Type:                     Bug                  Priority:          Minor
Reporter:                 Lukas Hämmerle       Assignee:          Chad La Joie
Resolution:               Invalid              Votes:             0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Jetty 7
Container:

Description
After upgrading a 2.1 IdP to 2.2 preview, the mySQL connector seems not to work anymore.

During startup everything is fine:
[...]
INFO - Parsing configuration for DataConnector plugin with ID: myDB
DEBUG - Setting the following attribute definition dependencies for plugin myDB: null
DEBUG - Created application managed data source for data connector myDB
DEBUG - Data connector myDB query template:

            SELECT CONCAT_WS(":", "vo-attribute", `group`, `role` )
            AS eduPersonEntitlement
            FROM GroupMembers
            WHERE uniqueID = '$requestContext.principalName'

DEBUG - Data connector myDB database query template: SELECT CONCAT_WS(":", "vo-attribute", `group`, `role` )
           AS eduPersonEntitlement
           FROM GroupMembers
           WHERE uniqueID = '$requestContext.principalName'
DEBUG - Data connector myDB no results is error: false
DEBUG - Data connector myDB query uses stored procedures: false
DEBUG - Data connector myDB connections are read only: true
[...]
DEBUG - RDBMS data connector myDB - Validating configuration.
DEBUG - RDBMS data connector myDB - Connector configuration is valid.
But then when an attribute query request (for VO tests) is processed (without prior authN by the
user), the log says:

DEBUG - Using principal connector saml2swissEduPersonUniqueID to resolve principal name.
DEBUG - Resolving attributes for principal '3141592@aaidemo.example.org' for SAML request from relying party 'https://kelimutu.switch.ch/shibboleth'
DEBUG - query message contains the following attributes: []
DEBUG - shibboleth.AttributeResolver resolving attributes for principal 3141592@aaidemo.example.org
DEBUG - Specific attributes for principal 3141592@aaidemo.example.org were not requested, resolving all attributes.
DEBUG - Resolving attribute uid for principal 3141592@aaidemo.example.org
DEBUG - Resolving data connector myLDAP for principal 3141592@aaidemo.example.org
DEBUG - Search filter: (uid=3141592@aaidemo.example.org)
DEBUG - LDAP data connector myLDAP - Retrieving attributes from LDAP
DEBUG - Resolved attribute uid containing 0 values
DEBUG - Resolving attribute eduPersonAffiliation for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute eduPersonAffiliation containing 0 values
DEBUG - Resolving attribute swissEduPersonStudyLevel for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute swissEduPersonStudyLevel containing 0 values
DEBUG - Resolving attribute surname for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute surname containing 0 values
DEBUG - Resolving attribute givenName for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute givenName containing 0 values
DEBUG - Resolving attribute homePhone for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute homePhone containing 0 values
DEBUG - Resolving attribute password for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute password containing 0 values
DEBUG - Resolving attribute preferredLanguage for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute preferredLanguage containing 0 values
DEBUG - Resolving attribute eduPersonOrgDN for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute eduPersonOrgDN containing 0 values
DEBUG - Resolving attribute swissEduPersonHomeOrganization for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute swissEduPersonHomeOrganization containing 0 values
DEBUG - Resolving attribute swissEduPersonUniqueID for principal 3141592@aaidemo.example.org
DEBUG - Resolved attribute swissEduPersonUniqueID containing 0 values
DEBUG - Resolving attribute eduPersonEntitlement for principal 3141592@aaidemo.example.org
DEBUG - Resolving data connector myDB for principal 3141592@aaidemo.example.org
DEBUG - RDBMS data connector myDB - Search Query: (uid=3141592@aaidemo.example.org)
DEBUG - RDBMS data connector myDB - Querying database for attributes with query (uid=3141592@aaidemo.example.org)
ERROR - RDBMS data connector [myDB, (uid=3141592@aaidemo.example.org), 42000, 1064] - Unable to execute SQL query com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'uid=3141592@aaidemo.example.org)' at line 1; SQL State: {}, SQL Code: {}
WARN - Error resolving attributes for principal '3141592@aaidemo.example.org'. No name identifier or attribute statement will be included in response
ERROR - Error occured while processing request
java.lang.NullPointerException: null
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:118) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:52) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]

The strange thing however is that "uid" is only used in the LDAP context and never is used in the
mySQL query (see above). Any idea what's wrong here?
Switching back to the old version with the same config solves the problem.


 Comments
Comment by Lukas Hämmerle [ 25/Feb/10 ]
I now also did a clean install on our idp and there I found this in the log:

11:02:53.827 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute principal containing 1 values
11:02:53.827 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.RegexSplitAttributeDefinition:72] - Value cn=SWITCHaai Demouser2,ou=aaidemo,dc=example,dc=org did not result in any values when split by regular expression ^.*CN=(.*?),.*$
11:02:53.827 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute cnFromX509 containing 0 values
11:02:53.857 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:294] - Search filter: (|(uid=cn=SWITCHaai Demouser2,ou=aaidemo,dc=example,dc=org) (swissEduPersonUniqueID=cn=SWITCHaai Demouser2,ou=aaidemo,dc=example,dc=org))

but the search filter is:

   #if ((${requestContext.principalAuthenticationMethod}) && (${requestContext.principalAuthenticationMethod} == "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"))
     #if (!${emailFromX509.isEmpty()})
       (mail=${emailFromX509.get(0)})
     #else
       (cn=${cnFromX509.get(0)})
     #end
   #else
     (|(uid=${requestContext.principalName}) (swissEduPersonUniqueID=${requestContext.principalName}))
   #end
Comment by Lukas Hämmerle [ 25/Feb/10 ]
Hmm, it seems like requestContext.principalName doesn't contain anymore the loginname that
the user entered but the DN of that user's record.
Comment by Chad La Joie [ 26/Feb/10 ]
This is an issue with the way principal names within the system are handled. In most cases
anyone who logs in gets a few of them; their login name, their DN (if logging in via LDAP),
their Kerb5 name (if logging in via Kerberos), etc. The getPrincipal method only returns the first
of an unordered list of these.

I've updated the code to prefer the login name where possible, but the issue remains the same.
[SIDP-375] Documentation indicates we populate an SLF4J MDC variable
'principalName', but code doesn't reflect this Created: 18/Feb/10 Updated: 26/Sep/10 Resolved: 03/Aug/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:                Bug                            Priority:            Minor
Reporter:            Brent Putman                   Assignee:            Chad La Joie
Resolution:          Fixed                          Votes:               0
Labels:              None

Java Version:        Sun 1.5
Servlet              Apache Tomcat 5.5
Container:

 Description
Section at bottom of logging docs wiki says we populate both principalName and idpSessionId
keys, but a search of the code indicates we actually only populate idpSessionId.

https://spaces.internet2.edu/display/SHIB2/IdPLogging

Did we populate principalName at some point and it just got removed, perhaps accidentally? If
docs are just wrong, can just fix those. But seems desirable to populate principalName if it's
feasible.

Comments
Comment by Chad La Joie [ 03/Aug/10 ]
Removed reference to principalName as MDC variable
[SIDP-374] Switch to use StaticBasicParserPool instead of BasicParserPool Created:
18/Feb/10 Updated: 19/May/10 Resolved: 19/May/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:                    Improvement               Priority:           Minor
Reporter:                Brent Putman              Assignee:           Chad La Joie
Resolution:              Fixed                     Votes:              0
Labels:                  None


 Description
The StaticBasicParserPool has much less synchronization going on and is therefore more
efficient. We don't change the pool properties after initialization anyway, so nothing lost.

I think we pretty much agreed to do this sometime last year, but the change just never made it
into the project.

In internal.xml, make sure to also add an init-method="initialize" onto the bean definition, this
impl doesn't init itself like the old one did.

Comments
Comment by Chad La Joie [ 19/May/10 ]
Added in rev 2929
[SIDP-373] The SLF4J MDC state is not being properly cleared when request
processing is done. Created: 18/Feb/10 Updated: 16/Mar/10 Resolved: 16/Mar/10
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:               Bug                          Priority:           Minor
Reporter:           Brent Putman                 Assignee:           Chad La Joie
Resolution:         Fixed                        Votes:              0
Labels:             None

Attachments:          SLF4JMDCCleanupFilter.java
Java Version:       Sun 1.5
Servlet             Apache Tomcat 6.0
Container:

 Description
MDC support is implemented by per-thread state stored via a ThreadLocal. If the MDC state is
not reset at the end of request processing, then the state will persist in the thread, leading to
stale/incorrect logging data if the thread is later reused and logging output includes MDC
variables prior to being updated in the new request. We should clear the MDC state at the end of
the processing of a request, as documented in the slf4j user's guide. The most obvious way to do
this is via a very simple servlet filter, attached.

http://logback.qos.ch/manual/mdc.html

Comments
Comment by Chad La Joie [ 16/Mar/10 ]
Fixed in rev 2922
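
The stale-state problem described in SIDP-373, as an added example that is not the attached SLF4JMDCCleanupFilter.java or any IdP code: a plain ThreadLocal map stands in for the SLF4J MDC and a single-thread executor stands in for the container's reused worker thread (both are assumptions of the example). Without the cleanup, the second request's early log line is tagged with the first request's idpSessionId.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class MdcCleanupDemo {

    // Stand-in for the SLF4J MDC (assumption of this example): per-thread
    // key/value state held in a ThreadLocal, as the issue describes.
    static final ThreadLocal<Map<String, String>> MDC =
            ThreadLocal.withInitial(HashMap::new);

    // What a log line using the idpSessionId MDC key would contain.
    static String logLine(String message) {
        String sid = MDC.get().get("idpSessionId");
        return "[idpSessionId=" + (sid == null ? "" : sid) + "] " + message;
    }

    // One simulated request: it logs once before its own session id has been
    // put into the MDC, then populates the MDC for the rest of the request.
    static String handleRequest(String sessionId, boolean clearWhenDone) {
        try {
            String early = logLine("request received");
            MDC.get().put("idpSessionId", sessionId);
            return early;
        } finally {
            // The fix: reset per-thread state at the end of every request,
            // including requests that end with an exception.
            if (clearWhenDone) {
                MDC.get().clear();
            }
        }
    }

    // Runs two requests back to back on the same worker thread and returns
    // the early log line of the second one.
    static String secondRequestLog(boolean clearWhenDone) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Callable<String> first = () -> handleRequest("session-A", clearWhenDone);
            Callable<String> second = () -> handleRequest("session-B", clearWhenDone);
            worker.submit(first).get();
            return worker.submit(second).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without cleanup: " + secondRequestLog(false));
        System.out.println("with cleanup:    " + secondRequestLog(true));
    }
}
```

In a servlet container the same try/finally goes around `chain.doFilter(request, response)` in a filter's `doFilter`, with `org.slf4j.MDC.clear()` in the finally block.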
[SIDP-369] Allow to have cookie Domain set for login context cookie Created: 29/Jan/10
Updated: 16/Mar/10 Resolved: 16/Mar/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:                    Improvement              Priority:           Minor
Reporter:                Patrik Schnellmann       Assignee:           Chad La Joie
Resolution:              Fixed                    Votes:              0
Labels:                  None


 Description
To enable certain scenarios with authentication, a possibility to explicitly set the cookie Domain
for the login context cookie would be useful.

Comments
Comment by Chad La Joie [ 16/Mar/10 ]
Fixed in rev 2924
[SIDP-368] Provide more accurate login error to servlet when
Username/Password login authentication has failed. Created: 21/Jan/10 Updated: 23/Sep/10 Resolved: 18/Feb/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: None
Fix Version/s:     2.2.0

Type:                New Feature                 Priority:          Minor
Reporter:            kevin foote                 Assignee:          Chad La Joie
Resolution:          Fixed                       Votes:             0
Labels:              None

Attachments:            servlet-mod.diff     shib.sidp-368.diff
Issue Links:         Related
                     is related to SIDP-275 Using standard JAAS LoginException in...          Closed

 Description
It would be advantageous to report a more accurate message than "Authentication Failed" to the
end user when the user's password is expired or account is otherwise locked or the like.

I'm thinking LDAP and better reporting than the obvious error 49. If there is more information in
the message that LDAP returns then can we make use of it to give them a better "reason" than
their request has failed.

Comments
Comment by kevin foote [ 21/Jan/10 ]
Found in archives on nabble

http://n2.nabble.com/Problem-with-IdP-2-1-4-td3831613.html#none

The above archive thread details where SFSU has modified

IdP code: UsernamePasswordLoginServlet.java
vt-ldap code: LdapLoginModule.java
IdP login: login.jsp

To result in a more detailed message to the end user.

Will this work across LDAP servers (indicated is MSAD)?
Comment by kevin foote [ 01/Feb/10 ]
More leg work done on this topic.

I have reworked the default servlet to handle this case with a modified vt-ldap underneath.

The vt-ldap portion throws a modified error back to the servlet during the authenticateUser
phase.

Servlet then bases the error message to display on the exception thrown by the call to
authenticateUser.

I attached my diff from UsernamePasswordLoginServlet.java to this ticket

Link to modified vt-ldap:
http://www.people.iup.edu/kpfoote/files/vt-ldap-2.8.4.zip

Modifications to the login.jsp error message.
<% if ("true".equals(request.getAttribute("accountDisabled"))) { %>
<font color="#FF0000"><b>Authentication Failed! - Account Disabled -</b></font>
<% } %>
<% if ("true".equals(request.getAttribute("passwordExpired"))) { %>
<font color="#FF0000"><b>Authentication Failed! - Password Expired -</b></font>
<% } %>
<% if ("true".equals(request.getAttribute("invalidUsernameOrPassword"))) { %>
<font color="#FF0000"><b>Authentication Failed! - Invalid Username/Password -</b></font>
<% } %>
<% if ("true".equals(request.getAttribute("accountLocked"))) { %>
<font color="#FF0000"><b>Authentication Failed! - Account Locked -</b></font>
<% } %>
<% if ("true".equals(request.getAttribute("loginFailed"))) { %>
<font color="#FF0000"><b>Authentication Failed!</b></font>
<% } %>
Comment by kevin foote [ 01/Feb/10 ]
Modifications to UsernamePasswordLoginServlet.java

should note revision used .. rev = 2909
Comment by Daniel Fisher [ 03/Feb/10 ]
vt-ldap 3.x returns the underlying exception message in the LoginException, so it should not
need to be modified in the future to support this behavior.
Two solutions that came to mind for this:
 1) provide the entire exception or exception message to the login.jsp via an attribute (similar to
SIDP-275)
 2) provide an API for users to parse a login exception and attach request parameters, which can
then be parsed on the login.jsp
#2 may be overkill, I guess it comes down to where the exception parsing work should be done.
Comment by kevin foote [ 04/Feb/10 ]
just thinking.

If the goal is for the ldap library to return the exception (I think so - rather than the hack to get
vt-ldap to parse it) it makes sense to parse it where it is coming back to. So initially I'd say the
parsing pre work needs to be done in the UsernameLoginServlet. then passed up the normal
parameter way or provide a simple API for the jsp to query.

_However_

For user simplicity and ease of install for others / newcomers it really makes sense to have the
exception all the way back to where the end installer will be able to parse or otherwise
manipulate it, all the way back to the jsp page

I guess I'd think 2 would be more functional but 1 would be far easier for anyone to understand

hope that made some sense..
Comment by Daniel Fisher [ 09/Feb/10 ]
Attached a patch that provides an interface for login exception parsing.
Allows users to return a map of parameter name to value which is then provided to login.jsp.
Comment by Daniel Fisher [ 09/Feb/10 ]
Kevin, I went with #2.
Please apply this patch and implement your own LoginExceptionParser.
Test with your modified vt-ldap-2.x jar and let me know what you think.
Comment by kevin foote [ 16/Feb/10 ]
Daniel

Some feedback. Great implementation (I think) very simple and usable if desired.

I created a simple CustomLoginExceptionParser class and do all the parsing there. I modified
vt-ldap-2.8.4 again to send back the results of the failed ldap call rather than my previous vt-ldap
mod where I was parsing within vt-ldap. So now I get something like this (1) to parse in my
custom parser.

My understanding is this is more like what we will see in vt-ldap-3.x ??

(1) [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 773, vec.. ]

Just a note. The additions to web.xml should be there but commented out.
Comment by kevin foote [ 16/Feb/10 ]
Wondering about moving forward with this within the shib 2.1.x series..

Is there a way to get an "official" patch for the vt-ldap 2.8.4 generated that will be usable within
this setup? Even if the implementer has to build vt-ldap before building shib this could still be
desired.

I like what is happening in my current vt-ldap build, passing the entire ldap return back to the
shib parser. But mgmt etc wants to be certain that this is not leading to a forward
incompatibility with libraries involved.

Any thoughts one way or the other?
Comment by Daniel Fisher [ 16/Feb/10 ]
My guess is this functionality will only be available in Shib 2.2 and greater.
If you aren't going to be an early adopter of Shib 2.2 I'll consider cutting a new version of
vt-ldap-2 to address this.
Whether or not you are an early adopter, I hope you can make some time to test this functionality
in a preview release of Shib 2.2.
Comment by Chad La Joie [ 18/Feb/10 ]
Fixed in rev 2916

After discussing this with Daniel we determined that the best way to proceed for this was to expose
the LoginException as a request attribute so that the JSP author could do whatever they wanted
with whatever information could be retrieved from the exception. The reason we chose not to go
with the exception parser mechanism was that it increased complexity for the general user (even
though most people haven't expressed a wish for the feature) and it was very brittle because the
messages being parsed are completely non-standard and can change at the whim of the
authentication source provider.

Therefore, with the exception exposed those who wish to dig in to an exception and parse out
data can do so and can update that code when/if the string they are parsing from the
authentication source changes and the rest of the deploys won't see a difference in how things
work today.
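
One way a deployer could do the parsing this ticket leaves to them, as an added example that is not the attached patches, vt-ldap, or IdP code. It maps the Active Directory sub-code in a message like the one quoted above to the request attribute names used in the login.jsp snippet from this ticket; the class and method names are hypothetical, and the sub-code table is the commonly documented AD set, not something the ticket lists.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdLoginErrorMapper {

    // Active Directory puts a hex sub-code after "data" in its error 49 text.
    // Other directories do not, so a missing sub-code is the normal case there.
    private static final Pattern AD_SUBCODE =
            Pattern.compile("\\bdata\\s+([0-9a-fA-F]{3,4})\\b");

    // Returns the name of the login.jsp request attribute to set.
    static String attributeFor(String exceptionMessage) {
        if (exceptionMessage == null) {
            return "loginFailed";
        }
        Matcher m = AD_SUBCODE.matcher(exceptionMessage);
        if (!m.find()) {
            // Message format is non-standard and may change; fall back to
            // the generic failure instead of guessing.
            return "loginFailed";
        }
        switch (m.group(1).toLowerCase(Locale.ROOT)) {
            case "525": // user not found
            case "52e": // invalid credentials
                // Reported as one condition, as in the ticket's login.jsp, so
                // the page does not reveal whether the account exists.
                return "invalidUsernameOrPassword";
            case "532": // password expired
            case "773": // user must reset password (grouping it here is this example's choice)
                return "passwordExpired";
            case "533": // account disabled
                return "accountDisabled";
            case "775": // account locked out
                return "accountLocked";
            default:    // 530, 531, 701 and anything unrecognised
                return "loginFailed";
        }
    }

    // Shape expected by the JSP: attribute name -> "true".
    static Map<String, String> requestAttributes(String exceptionMessage) {
        return Collections.singletonMap(attributeFor(exceptionMessage), "true");
    }

    public static void main(String[] args) {
        String[] samples = {
            // Message quoted in this ticket (truncated there, kept truncated here).
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
                + "AcceptSecurityContext error, data 773, vec.. ]",
            // Constructed sample: same layout with a different sub-code.
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
                + "AcceptSecurityContext error, data 52e, vec.. ]",
            // Constructed sample: a directory that sends no AD sub-code.
            "[LDAP: error code 49 - Invalid Credentials]",
        };
        for (String s : samples) {
            System.out.println(requestAttributes(s) + " <- " + s);
        }
    }
}
```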
[SIDP-365] Expose uptime of IdP web application with status handler Created: 16/Dec/09
Updated: 23/Sep/10 Resolved: 11/Feb/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:                     New Feature            Priority:           Minor
Reporter:                 Patrik Schnellmann     Assignee:           Chad La Joie
Resolution:               Fixed                  Votes:              0
Labels:                   None


 Description
I would like to see the uptime of the IdP web app on the status URL of the IdP. I don't care
whether it's a duration or the (UTC-) time the web app was started.

Comments
Comment by Chad La Joie [ 11/Feb/10 ]
Fixed in rev 2912
[SIDP-362] Only log exception message without stack trace for expired SAML
messages Created: 02/Dec/09 Updated: 23/Sep/10 Resolved: 16/Dec/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.2.0

Type:              Bug                          Priority:         Trivial
Reporter:          Patrik Schnellmann           Assignee:         Chad La Joie
Resolution:        Fixed                        Votes:            0
Labels:            None

Java Version:      Sun 1.6
Servlet            Apache Tomcat 6.0
Container:

Description
As a result of an expired SAML message, the IdP logs this:

WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:216] - Shibboleth SSO request does not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Message was rejected due to issue instant expiration
at org.opensaml.common.binding.security.IssueInstantRule.evaluate(IssueInstantRule.java:109) [opensaml-2.3.1.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50) [openws-1.3.0.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:110) [openws-1.3.0.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.3.0.jar:na]
at org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1MessageDecoder.java:108) [opensaml-2.3.1.jar:na]
at
[...and more stack trace...]

Only the message should be logged as the stack trace does not provide much useful information
and just blows up the log file. Please implement the same behaviour for the other profile
handlers, too.

Comments
Comment by Chad La Joie [ 16/Dec/09 ]
Fixed in rev 2906
[SIDP-360] Session isn't being set within the attribute request context during a
SAML1 attribute query Created: 20/Nov/09 Updated: 23/Sep/10 Resolved: 16/Dec/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:               Bug                            Priority:           Minor
Reporter:           Simon Shi                      Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
I've tried to implement the feature that IdP releases password as attribute, but the script seems
unable to retrieve the user session. Chad suggested this is a bug that the session isn't being set
within the attribute request context during a SAML1 attribute query. I will test this with a
SAML2 SP and report the results a little bit later.

Script:
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
importPackage(Packages.edu.internet2.middleware.shibboleth.idp.authn.provider);
password = new BasicAttribute("password");
userSubject = requestContext.getUserSession().getSubject();
i = userSubject.getPrivateCredentials().iterator();
if( i.hasNext() )
{
password.getValues().add(i.next().getPassword());
}

Errors:
14:23:02.804 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ScriptedAttributeDefinition:134] - ScriptletAttributeDefinition password unable to execute script
com.sun.phobos.script.util.ExtendedScriptException: org.mozilla.javascript.EcmaError: TypeError: Cannot call method "getSubject" of null (<Unknown Source>#7) in <Unknown Source> at line number 4
at com.sun.phobos.script.javascript.RhinoCompiledScript.eval(RhinoCompiledScript.java:68) [js-engine-20080611.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ScriptedAttributeDefinition.doResolve(ScriptedAttributeDefinition.java:121) [shibboleth-common-1.1.4.jar:na]

Thanks,
Simon Shi
Stevens Institute of Technology

Comments
Comment by Chad La Joie [ 16/Dec/09 ]
Fixed in rev 2907
[SIDP-359] HttpServletHelper.getRelyingPartyConfirmationManager misnamed
Created: 20/Nov/09 Updated: 23/Sep/10 Resolved: 16/Dec/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     2.2.0

Type:                     Bug                               Priority:   Minor
Reporter:                 Jim Fox                           Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.6
Servlet                   Apache Tomcat 6.0
Container:

 Description
The two methods in HttpServletHelper named getRelyingPartyConfirmationManager should be
named getRelyingPartyConfigurationManager.

Comments
Comment by Chad La Joie [ 16/Dec/09 ]
Fixed in rev 2908
[SIDP-357] Upgrade from 2.0 to 2.1.5. causing not able to be deployed the idp
war file Created: 13/Nov/09 Updated: 13/Nov/09 Resolved: 13/Nov/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.5
Fix Version/s:     None

Type:               Bug                           Priority:           Major
Reporter:           Simon Shi                     Assignee:           Chad La Joie
Resolution:         Invalid                       Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
After the upgrade from idp 2.0 to idp 2.1.5, I wasn't able to deploy the new idp war file. But
somehow, it works fine if I copy back the 2.0 idp war file. I wonder if there are any new
improvements/bug fixes on the 2.1.5 idp war file that I should be using instead of the 2.0 war file.
How can I get it to work with the 2.1.5 war file? Thanks for the help.

Tomcat error:
INFO: Deploying web application archive idp.war
Nov 13, 2009 10:55:40 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Nov 13, 2009 10:55:40 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
Nov 13, 2009 10:55:40 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-80

Thanks,

Simon Shi
Systems Admin
Stevens Institute of Technology



Comments
Comment by Scott Cantor [ 13/Nov/09 ]
This is not a bug, please use the mailing list for questions.
[SIDP-356] AACLI does not work with AttributeRequesterInEntityGroup type
filter Created: 11/Nov/09 Updated: 16/Dec/09 Resolved: 16/Dec/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.4, 2.1.5
Fix Version/s:     None

Type:                Bug                            Priority:           Minor
Reporter:            Rod Widdowson                  Assignee:           Chad La Joie
Resolution:          Duplicate                      Votes:              0
Labels:              None

Attachments:           attribute-filter.xml
Java Version:        Sun 1.6
Servlet              Apache Tomcat 6.0
Container:

 Description
I found this while looking at another bug (case to come once I have it sorted).

The bottom line is that in the AACLI case an AttributeRequesterInEntityGroup cannot get hold of
the metadata and so always fails. This means that any attributes protected by such a filter fail. If I
look at the attribute filter in the real IdP case then all is fine.

I'll append the resolver file but the rub is this statement:

<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="basic:OR">
       <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:shibboleth:testshib:two" />
       <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
       <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:switch.ch:SWITCHaai" />
    </PolicyRequirementRule>

    <Stuff/>

I run

aacli --configDir ..\conf --principal rdw2 --requester https://sp.testshib.org/shibboleth-sp
And I get this logging.

14:28:15.751 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:122] - Evaluating if filter policy null is active for principal rdw2
14:28:15.751 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:70] - No entity metadata available, unable to check if entity is in group urn:mace:shibboleth:testshib:two
14:28:15.751 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:70] - No entity metadata available, unable to check if entity is in group http://ukfederation.org.uk
14:28:15.751 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:70] - No entity metadata available, unable to check if entity is in group urn:mace:switch.ch:SWITCHaai

Whereas when I look at the IdP from the testshib SP I get this

14:28:49.469 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:122] - Evaluating if filter policy releaseAnyone is active for principal rdw2
14:28:49.469 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:131] - Filter policy releaseAnyone is active for principal rdw2

And all the attributes escape just fine.

As a secondary bug I claim that the DEBUG message at line 70 of
AbstractEntityGroupMatchFunctor should at the very least be an INFO since it took some pretty
dedicated log chasing to find that hint and not being able to get hold of metadata is always
worthy of note, isn't it?

Comments
Comment by Chad La Joie [ 16/Dec/09 ]
Duplicate of SIDP-234
[SIDP-353] Default login.jsp crashes on anonymous RPs Created: 26/Oct/09 Updated: 27/Oct/09
Resolved: 27/Oct/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.4
Fix Version/s:     2.1.5

Type:                 Bug                       Priority:          Minor
Reporter:             Scott Cantor              Assignee:          Chad La Joie
Resolution:           Fixed                     Votes:             0
Labels:               None

Java Version:         Sun 1.6
Servlet               Apache Tomcat 6.0
Container:

Description
The default login.jsp script has various debugging and informational content now based on the
RP metadata, and crashes internally with no output when an Anonymous RP is used.

Comments
Comment by Chad La Joie [ 27/Oct/09 ]
Fixed in rev 2899
[SIDP-351] Attribute resolution errors shouldn't prevent valid authn statement
being returned Created: 24/Sep/09 Updated: 24/Sep/09 Resolved: 24/Sep/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution, Authentication
Affects Version/s: 2.1.0, 2.1.1, 2.1.2, 2.1.3
Fix Version/s:     2.1.4

Type:               Improvement                   Priority:           Minor
Reporter:           Chad La Joie                  Assignee:           Chad La Joie
Resolution:         Completed                     Votes:              0
Labels:             None


 Description
During an SSO request attributes are resolved in order to get the information necessary to create
name identifier and attributes; however, neither piece of data is required within the
authentication statement. Currently, when an attribute resolution error occurs, it causes an error to
be sent back to the SP. Instead, a valid authentication statement, without name identifier, should
be returned since authentication was, in fact, successful.

Comments
Comment by Chad La Joie [ 24/Sep/09 ]
Added in rev 2891
[SIDP-350] Installer does not remember installation directory when upgrading
Created: 24/Sep/09 Updated: 25/Sep/09 Resolved: 25/Sep/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.3
Fix Version/s:     2.1.4

Type:                     Bug                               Priority:   Trivial
Reporter:                 Chad La Joie                      Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

 Description
When the installer runs the first time it saves the IDP_HOME directory that is entered for
subsequent invocations. When a new version of the IdP is installed the installer will ask for the
IDP_HOME and detect that a version is already installed there. If the default option of not
overwriting the existing configuration files is then chosen, the installer does not remember the
IDP_HOME entered and it must be re-entered on each subsequent invocation.

Comments
Comment by Chad La Joie [ 25/Sep/09 ]
Fixed in rev 2893
[SIDP-349] LoginContext is not removed from StorageService after
Authentication Completes Created: 24/Sep/09 Updated: 24/Sep/09 Resolved: 24/Sep/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.3
Fix Version/s:     2.1.4

Type:               Bug                          Priority:           Trivial
Reporter:           Chad La Joie                 Assignee:           Chad La Joie
Resolution:         Fixed                        Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 5.5
Container:

 Description
Before transferring control to a LoginHandler the IdP stores the LoginContext within the
StorageService, however once authentication completes the LoginContext is not properly
removed. It will eventually be removed by the StorageService sweeper thread but it's better to
clean it up properly.

Comments
Comment by Chad La Joie [ 24/Sep/09 ]
Fixed in rev 2890
[SIDP-348] Remove Terracotta Configuration from IdP Install Created: 24/Sep/09             Updated:
24/Sep/09 Resolved: 24/Sep/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.0, 2.1.1, 2.1.2, 2.1.3
Fix Version/s:     2.1.4

Type:                     Task                   Priority:           Minor
Reporter:                 Chad La Joie           Assignee:           Chad La Joie
Resolution:               Completed              Votes:              0
Labels:                   None


 Description
The terracotta configuration file is not necessary unless clustering support is enabled and it
changes with almost every TC release. So, instead of bundling it with the IdP we'll just keep it on
the wiki where it's easier to maintain.

Comments
Comment by Chad La Joie [ 24/Sep/09 ]
Done in rev 2889
[SIDP-347] Authentication fails for users with LDAP aliases. Created: 11/Sep/09        Updated:
31/Jan/11 Resolved: 30/Oct/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.3
Fix Version/s:     None

Type:                      New Feature               Priority:         Minor
Reporter:                  Dan McLaughlin            Assignee:         Chad La Joie
Resolution:                Fixed                     Votes:            0
Labels:                    None

Issue Links:               Dependency
                           depends on SC-73 Update LdapDataConnector for vt-ldap 3.x      Closed

 Description
Every time a user authenticates, the initial query performed against
LDAP doesn't include a filter. We need the filter to be applied b/c
our LDAP includes hundreds of users with LDAP Aliases
(objectclass=alias); the net result is that anytime a user with an
alias tries to login it fails. We see
"javax.naming.SizeLimitExceededException: [LDAP: error code 4 -
Sizelimit Exceeded]" in the idp-process.log b/c two results were
returned for the LDAP query lacking the filter (cn=testuser1)..the
first is the alias and the second is the person.

So far I've found two workarounds that have allowed me to get around
the problem, *but* my preference would still be to configure a filter
in the login.config so I could avoid ever finding the LDAP aliases in
the first place.

The first workaround was to set maxResultSize > the max number of
aliases any user in the organization might have. In our case none of
our users have more than one LDAP Alias so setting maxResultSize="2"
works around the issue. However, I'm hesitant to use this workaround
b/c it could potentially hide LDAP issues with users having the same
cn. We consider the cn attribute for a person to be unique across the
organization, so a query of (&(cn=testuser1)(objectclass=person))
should never exceed a result size of 1...but since Shibboleth is
searching using (cn=testuser1) and getting a result size of 2 (one
person and one alias) a maxResultSize="2" is required to avoid the
SizeLimitExceededException.
Example:

##Search w/out filter:
(cn=testuser1)

NOTE: Without maxResultSize=2 I will get a SizeLimitExceededException.

#Returns two results:
cn=testuser1, ou=example, o=org (objectclass=alias)
cn=testuser1, ou=example2, o=org (objectclass=person)


##Search w/ filter:
(&(cn=testuser1)(objectclass=person))

#Returns one result:
cn=testuser1, ou=example2, o=org (objectclass=person)

The second workaround was to define derefAliases="never" in the
login.config and the LDAP property
java.naming.ldap.derefAliases="never" in the DataConnector. This is
the solution we've gone with for now only b/c our baseDN is the root
of the organization and we will find every user regardless of the
alias. Below is my current config settings and what a login looks
like. NOTE: cn=TESTUSER1,ou=EXAMPLE,o=ORG that is found is actually
the alias, but by setting derefAliases="never" I avoid the
SizeLimitExceededException.

It's also my understanding that LDAP aliases aren't indexed by
default, so if you can avoid searches against them it is recommended.
Just another reason I would like to be able to define a filter in the
login.config.


##login.config
...
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
     host="ldap://example:636"
     port="636"
     base="T=EXAMPLE"
     ssl="true"
     userField="cn"
     subtreeSearch="true"
     derefAliases="never";
...
##attribute-resolver.xml
...
  <resolver:DataConnector xsi:type="LDAPDirectory"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    id="NOVELLEDIR"
    ldapURL="ldaps://example.org:636"
    baseDN="T=EXAMPLE">

  <FilterTemplate>
   <![CDATA[
   (&(cn=$requestContext.principalName)(objectclass=person))
   ]]>
  </FilterTemplate>

  <ReturnAttributes>cn sn givenName mail telephoneNumber</ReturnAttributes>

  <LDAPProperty name="java.naming.ldap.derefAliases" value="never"/>

  </resolver:DataConnector>
...


15:57:39.692 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.derefAliases = never
15:57:39.693 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setDerefAliases for edu.vt.middleware.ldap.LdapConfig
15:57:39.693 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.port = 636
15:57:39.693 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setPort for edu.vt.middleware.ldap.LdapConfig
15:57:39.693 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.host = ldaps://example.org:636
15:57:39.693 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setHost for edu.vt.middleware.ldap.LdapConfig
15:57:39.694 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.ssl = true
15:57:39.694 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setSsl for edu.vt.middleware.ldap.LdapConfig
15:57:39.694 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.base = T=EXAMPLE
15:57:39.694 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setBase for edu.vt.middleware.ldap.LdapConfig
15:57:39.694 - DEBUG [edu.vt.middleware.ldap.LdapProperties:299] -
edu.vt.middleware.ldap.auth.userField = cn
15:57:39.694 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setUserField for edu.vt.middleware.ldap.Authenticator
15:57:39.695 - DEBUG [edu.vt.middleware.ldap.LdapProperties:299] -
edu.vt.middleware.ldap.auth.subtreeSearch = true
15:57:39.695 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setSubtreeSearch for edu.vt.middleware.ldap.Authenticator
15:57:39.695 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.derefAliases = never
15:57:39.695 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setDerefAliases for edu.vt.middleware.ldap.LdapConfig
15:57:39.695 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.port = 636
15:57:39.695 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setPort for edu.vt.middleware.ldap.LdapConfig
15:57:39.696 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.host = ldaps://example.org:636
15:57:39.696 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setHost for edu.vt.middleware.ldap.LdapConfig
15:57:39.696 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.ssl = true
15:57:39.696 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setSsl for edu.vt.middleware.ldap.LdapConfig
15:57:39.696 - TRACE [edu.vt.middleware.ldap.LdapProperties:340] -
edu.vt.middleware.ldap.base = T=EXAMPLE
15:57:39.696 - TRACE [edu.vt.middleware.ldap.LdapProperties:396] -
Called setBase for edu.vt.middleware.ldap.LdapConfig
15:57:39.696 - DEBUG [edu.vt.middleware.ldap.Authenticator:143] -
Looking up DN from userfield and base
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:549] - Search with
the following parameters:
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:550] - dn =
T=EXAMPLE
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:551] - filter =
(cn=testuser1)
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:552] - filterArgs =
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:554] - none
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:558] - retAttrs =
15:57:39.697 - DEBUG [edu.vt.middleware.ldap.Ldap:562] - []
15:57:39.698 - TRACE [edu.vt.middleware.ldap.Ldap:565] - config =
{java.naming.provider.url=ldaps://example.org:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never}
15:57:39.698 - DEBUG [edu.vt.middleware.ldap.Ldap:1538] - Bind with
the following parameters:
15:57:39.698 - DEBUG [edu.vt.middleware.ldap.Ldap:1539] - dn = null
15:57:39.698 - DEBUG [edu.vt.middleware.ldap.Ldap:1543] - credential
= <suppressed>
15:57:39.698 - TRACE [edu.vt.middleware.ldap.Ldap:1546] - config =
{java.naming.provider.url=ldaps://example.org:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never}
15:57:39.698 - TRACE [edu.vt.middleware.ldap.Ldap:1555] - dn or
credential is null, authtype set to none
15:57:39.699 - TRACE [edu.vt.middleware.ldap.Ldap:1566] - TLS not used
15:57:39.699 - TRACE [edu.vt.middleware.ldap.Ldap:1567] - authtype is
none
15:57:39.893 - DEBUG [edu.vt.middleware.ldap.Ldap:1538] - Bind with
the following parameters:
15:57:39.893 - DEBUG [edu.vt.middleware.ldap.Ldap:1539] - dn =
cn=TESTUSER1,ou=EXAMPLE,o=ORG
15:57:39.894 - DEBUG [edu.vt.middleware.ldap.Ldap:1543] - credential
= <suppressed>
15:57:39.894 - TRACE [edu.vt.middleware.ldap.Ldap:1546] - config =
{java.naming.provider.url=ldaps://example.org:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never}
15:57:39.894 - TRACE [edu.vt.middleware.ldap.Ldap:1566] - TLS not used
15:57:39.894 - TRACE [edu.vt.middleware.ldap.Ldap:1567] - authtype is
simple
15:57:39.981 - INFO [edu.vt.middleware.ldap.Authenticator:297] -
Authentication succeeded for user: cn=TESTUSER1,ou=EXAMPLE,o=ORG
15:57:40.000 - INFO [Shibboleth-Access:73] - 20090910T205740Z|
111.111.111.111|www.example.org:443|/profile/SAML2/Redirect/SSO|
15:57:40.035 - DEBUG [edu.vt.middleware.ldap.Ldap:549] - Search with
the following parameters:
15:57:40.036 - DEBUG [edu.vt.middleware.ldap.Ldap:550] - dn =
T=EXAMPLE
15:57:40.036 - DEBUG [edu.vt.middleware.ldap.Ldap:551] - filter = (&
(cn=testuser1)(objectclass=person))
15:57:40.036 - DEBUG [edu.vt.middleware.ldap.Ldap:552] - filterArgs =
15:57:40.036 - DEBUG [edu.vt.middleware.ldap.Ldap:554] - none
15:57:40.037 - DEBUG [edu.vt.middleware.ldap.Ldap:558] - retAttrs =
15:57:40.037 - DEBUG [edu.vt.middleware.ldap.Ldap:562] - [cn, sn,
givenName, mail, telephoneNumber]
15:57:40.037 - TRACE [edu.vt.middleware.ldap.Ldap:565] - config =
{java.naming.provider.url=ldaps://example.org:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never}
15:57:40.221 - INFO [Shibboleth-Audit:1015] - 20090910T205740Z|
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|
_c317c664ee9088080ff1ca2f6be7a8bd|https://crisdev.dot.state.tx.us/
shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://
www.example.org/exampleidp/shibboleth|urn:oasis:names:tc:SAML:
2.0:bindings:HTTP-POST|_ddb0fdabee57a3a76281b91b9e182305|testuser1|
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||||



Comments
Comment by Daniel Fisher [ 30/Oct/09 ]
Fixed in patch set for vt-ldap 3.2.
See SC-71 and SC-73.
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-345] strange behaviour with two SP sessions on same IdP and browser
back button Created: 08/Sep/09 Updated: 10/Feb/11 Resolved: 10/Feb/11
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.3
Fix Version/s:     None

Type:               Bug                            Priority:           Minor
Reporter:           Ina Müller                     Assignee:           Chad La Joie
Resolution:         Won't Fix                      Votes:              0
Labels:             None

Attachments:          velocity.patch
Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
I am not sure if this is an IdP or a browser topic, but I wanted to document here for further testing.

If we have two SP sessions in one browser with the same IdP, we encounter strange behaviour
with browser back button:
step 1: log in to SP1 in browser tab 1
step 2: log in to SP2 in browser tab 2

Firefox 3.5.2 and IE 8:
-----------------------------
step 3: browser back button in SP2 (tab 2) results in
org.opensaml.ws.security.SecurityPolicyException:
Rejecting replayed message ID '_e2a3c20efa9ec3018f45a2d67cb0237b' from issuer <entityId
SP2>

step 4: browser back button in SP1 (tab 1) ends in start page of SP2 (originally tab 2)

Opera 10.0
---------------
shows the previous screens without any new communication with IdP or SP,
but with shift-reload in previous screens shows the same behaviour as Firefox/IE in step 3 and 4.


Safari 3.0.4
----------------
Same behaviour in step 3.

Different behaviour in step 4 - results in an SP1 error in tab 1

SP2 native.log:
2009-09-08 08:50:29 ERROR Shibboleth.Listener [2704] isapi_shib_extension: remoted
message returned an error: SAML message delivered with POST to incorrect server URL.
2009-09-08 08:50:29 ERROR Shibboleth.ISAPI [2704] isapi_shib_extension: SAML message
delivered with POST to incorrect server URL.

SP2 shibd.log:
2009-09-08 08:50:29 ERROR OpenSAML.MessageDecoder.SAML2POST [21]: POST targeted
at (<SP1>/Shibboleth.sso/SAML2/POST), but delivered to
(<SP2>/Shibboleth.sso/SAML2/POST)

more information:

Java 1.6.16 (Windows Server 2003)
Tomcat 6.0.20
RemoteUser Login Handler




 Comments
Comment by Chad La Joie [ 25/Sep/09 ]
Part of this was likely caused by a failure to properly clean up some state after the authentication
step completed (SIDP-249). If possible, could you build the latest IdP code from Subversion and
try your tests again?
Comment by Ina Müller [ 25/Sep/09 ]
same behaviour with current Subversion code (IdP 2.1.4).

What I understand from debug logs is:
- step 3 and 4 always process the message ID of step 2 (_e2a3c20efa9ec3018f45a2d67cb0237b
in above example)
- message ID of step 1 is never seen again
Comment by Chad La Joie [ 14/Sep/10 ]
As far as I can tell this is actually a bug in the browser, sending back cookies that were expired
by the IdP. I can't see anything in the IdP code that would cause this otherwise.

If you test with the latest 2.2 snapshot and the problem still remains then attach the IdP process
log, on debug. Make sure it's the whole log covering both requests.
Comment by Scott Cantor [ 14/Sep/10 ]
I assume you're expiring all the pages generated by the IdP?
Comment by Ina Müller [ 15/Sep/10 ]
With 2.2 we have the same behaviour in IdP regardless of the number of active SP Sessions,
back button in each browser tab results in:

14:36:35.753 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:336] - Error
decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or
SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
at
org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectD
eflateDecoder.java:97) ~[opensaml-2.4.0.jar:na]
at
org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:75)
~[openws-1.4.0.jar:na]
at
org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2Messa
geDecoder.java:69) ~[opensaml-2.4.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOP
rofileHandler.java:324) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthenticatio
n(SSOProfileHandler.java:186) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOP
rofileHandler.java:157) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOP
rofileHandler.java:84) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:83) [shibboleth-common-1.2.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:29
0) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:
77) [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:23
5) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMD
CCleanupFilter.java:51) [shibboleth-common-1.2.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:23
5) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
[catalina.jar:na]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:na]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
[catalina.jar:na]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
[catalina.jar:na]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:na]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
[catalina.jar:na]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:na]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
[catalina.jar:na]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) [tomcat-
coyote.jar:na]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.jav
a:583) [tomcat-coyote.jar:na]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) [tomcat-
coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_16]

This is fine for us, for now the error is really clear and reproducible.

I currently tested with:
- Firefox 3.6.9
- IE 8
- Safari 5.0.2
- Opera 10.62 (Opera does not resend request on back button, but with shift reload it is the same
as in the other browsers)
- IdP 2.2 Snapshot on Tomcat 6.0.20 with RemoteUser Login Handler (Jasig CAS)

Scott: No more errors on SP side - this seemed to be a special cookie problem of older Safari on
resend.
... I didn't understand your question "I assume you're expiring all the pages generated by the
IdP?" ...



Comment by Scott Cantor [ 15/Sep/10 ]
I meant if the IdP doesn't expire the pages it generates, browsers will have a tendency to reuse
responses when you hit the back button, Safari especially (sometimes it does it even when the
page has expired).
Comment by Scott Cantor [ 20/Dec/10 ]
I think Chad mentioned possibly setting these headers universally with a filter, but here's a
simple patch for just one of the error handlers, as an example.
Comment by Chad La Joie [ 10/Feb/11 ]
No further work will be done on this within the 2.x series
[SIDP-343] AuthnInstant is updated even when authentication doesn't happen
Created: 03/Sep/09 Updated: 28/Sep/09 Resolved: 28/Sep/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2, 2.1.3
Fix Version/s:     2.1.4

Type:                     Bug                               Priority:   Minor
Reporter:                 Martin Smith                      Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

 Description
We're having some SPs report that they are seeing
HTTP_SHIB_AUTHENTICATION_INSTANT get an updated value for users that are getting
redirected from an SP to our IdP and back, even when the user didn't have to re-authenticate
(seamless redirects from a user perspective).

I assumed that HTTP_SHIB_AUTHENTICATION_INSTANT / AuthnInstant was only updated
when the user entered credentials and those credentials were checked, not simply when the SP
establishes a new session from an existing IdP session. After reading SAML2 spec, I still think
my assumption is correct.


Comments
Comment by Martin Smith [ 03/Sep/09 ]
Scott Cantor wrote on 2009-09-03:
Martin B. Smith wrote on 2009-09-02:
> > Before I filed a bug, I wanted to see if anyone else could reproduce
> > this on a 2.1.2 IdP, or if anyone noticed that it _didn't_ happen before
> > the 2.1.2 IdP, i.e. has the behavior changed?

As of at least 2.1.3, there's a bug. I can change the asserted context class
in the PreviousSession handler to PasswordProtectedTransport, but doing so
doesn't prevent the AuthnInstant from refreshing. That should be the
trigger, I would think.
You should file a bug on this.

-- Scott



Comment by Scott Cantor [ 03/Sep/09 ]
The proximate cause is line 618 of AuthenticationEngine.java:

     AuthenticationMethodInformation authnMethodInfo = new AuthenticationMethodInformationImpl(
         idpSession.getSubject(), authenticationPrincipal, authenticationMethod, new DateTime(),
         loginHandler.getAuthenticationDuration());

     loginContext.setAuthenticationMethodInformation(authnMethodInfo);

The "new DateTime()" parameter could be conditionally used if the method is set to
PreviousSession, but I don't know if the original timestamp is preserved, or where. Possibly by
just interrogating the Session before updating it?

So something like:

DateTime instant;
if (authenticationMethod.equals("urn:....:PreviousSession"))
   instant = new DateTime();
else
   instant = loginContext.getAuthenticationMethodInformation().getAuthenticationInstant();

That only works if the LoginContext has that info object populated ahead of time, don't know if
that's true or not.
Comment by Scott Cantor [ 03/Sep/09 ]
Related bug is that the feature to preserve the original AuthnContext/AuthnMethod appears to be
unusable. Regardless of the reportPreviousSessionAuthnMethod flag, the method ends up set to
PreviousSession in the assertion if that login handler gets used.

I think this is because of the code in the AuthenticationEngine at line 251:

       if (idpSession != null
               && possibleLoginHandlers.containsKey(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX)) {
          loginContext.setAttemptedAuthnMethod(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
          loginHandler = possibleLoginHandlers.get(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
       } else {
It sets the attempted method, and that probably defaults in as the method used if the handler
doesn't override it. So we're hiding both the original context and the timestamp with the current
code when SSO gets done.
Comment by Chad La Joie [ 28/Sep/09 ]
Fixed in rev 2894
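
The effect discussed in SIDP-343, as an added example that is not the IdP's code and not the fix from rev 2894: stamping AuthnInstant on every SSO response lets a relying party's maximum-authentication-age check pass for a login that is hours old. The class and method names, the age check on the SP side and the PreviousSession placeholder string are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Model of how an IdP could pick the AuthnInstant for an SSO response.
// All names here are hypothetical; this is not AuthenticationEngine.java.
public class AuthnInstantDemo {

    static final String PASSWORD =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    // Placeholder only: the page elides the real PreviousSession URN.
    static final String PREVIOUS_SESSION = "PREVIOUS_SESSION_PLACEHOLDER";

    // What ends up in the authentication statement.
    static final class AuthnInfo {
        final String method;
        final Instant instant;

        AuthnInfo(String method, Instant instant) {
            this.method = method;
            this.instant = instant;
        }
    }

    // Reported behaviour: the instant is always "now", even when the
    // PreviousSession handler only reused an existing IdP session.
    static AuthnInfo stampAlways(AuthnInfo original, String handlerMethod, Instant now) {
        return new AuthnInfo(handlerMethod, now);
    }

    // Preserving behaviour: when the session is reused, keep the instant of the
    // real authentication and, if the flag is set, the original method as well.
    static AuthnInfo preserveOnSso(AuthnInfo original, String handlerMethod, Instant now,
                                   boolean reportPreviousSessionAuthnMethod) {
        if (PREVIOUS_SESSION.equals(handlerMethod) && original != null) {
            String method = reportPreviousSessionAuthnMethod ? original.method : PREVIOUS_SESSION;
            return new AuthnInfo(method, original.instant);
        }
        return new AuthnInfo(handlerMethod, now);
    }

    // Assumed SP-side policy: accept only authentications newer than maxAge.
    static boolean freshEnough(AuthnInfo info, Instant now, Duration maxAge) {
        return !info.instant.plus(maxAge).isBefore(now);
    }

    public static void main(String[] args) {
        // Constructed timeline: password login, then SSO two hours later.
        Instant login = Instant.parse("2009-09-03T10:00:00Z");
        Instant ssoTime = login.plus(Duration.ofHours(2));
        Duration maxAge = Duration.ofMinutes(15);
        AuthnInfo original = new AuthnInfo(PASSWORD, login);

        AuthnInfo stamped = stampAlways(original, PREVIOUS_SESSION, ssoTime);
        AuthnInfo preserved = preserveOnSso(original, PREVIOUS_SESSION, ssoTime, true);

        System.out.println("stampAlways:   instant=" + stamped.instant
                + " method=" + stamped.method
                + " passes age check=" + freshEnough(stamped, ssoTime, maxAge));
        System.out.println("preserveOnSso: instant=" + preserved.instant
                + " method=" + preserved.method
                + " passes age check=" + freshEnough(preserved, ssoTime, maxAge));
    }
}
```
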
[SIDP-342] NameIdentifier encoder mix-up when the SP doesn't support the first
NameIdentifier format Created: 03/Sep/09 Updated: 25/Sep/09 Resolved: 25/Sep/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.3
Fix Version/s:     2.1.4

Type:                  Bug                         Priority:       Minor
Reporter:              Adam Lantos                 Assignee:       Chad La Joie
Resolution:            Fixed                       Votes:          0
Labels:                None

Attachments:             0001-Fix-NameIdentifier-encoder-issue-SIDP-342.patch
Java Version:          Sun 1.6
Servlet                Apache Tomcat 5.5
Container:

Description
Configuration snippets which trigger the issue:

attribute-resolver.xml:

<!-- Name Identifier related attributes -->
  <resolver:AttributeDefinition id="transientId"
xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
     <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
       nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
  </resolver:AttributeDefinition>

 <resolver:AttributeDefinition id="persistentId" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad">
   <resolver:Dependency ref="persistentIdConnector" />
   <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      nameQualifier="idpEntityID" />
 </resolver:AttributeDefinition>

attribute-filter.xml
<AttributeFilterPolicy id="releaseNameIDToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="transientId">
       <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="persistentId">
       <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

SP metadata contains only this NameIDFormat:

<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>


22:57:45.602 DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:854]
- Relying party 'https://papigw.aai.niif.hu/shibboleth' supports the name formats:
[urn:oasis:names:tc:SAML:2.0:nameid-format:persistent]
22:57:45.604 DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:914]
- Using attribute 'persistentId' supporting NameID format
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the
NameID for relying party


IdP releases the persistent identifier using the transient encoder:

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">79311a47-9cb6-4d74-9448-335fecbbf129</saml2:NameID>

When the SP supports the persistent identifier, it works well.
This might be some ordering issue with the SAML2StringNameID encoders.

 Comments
Comment by Scott Cantor [ 03/Sep/09 ]
I think you mean "When the SP supports the transient identifier, it works well".

In my testing, it does appear to be based on the order. I think you actually have the order in your
snippet backwards to reproduce the bug. In my testing, I copied from your email and put the
transientId def second, and that failed. If I reverse them and match what you have here, it works.

So, in other words, if the SP requires persistent in its metadata:
Resolver has transientId followed by persistentId, it works as expected, and returns a persistent.

Resolver has persistentId followed by transientId, it fails and returns the persistentId with
transient format.

Adam, can you confirm?

The bug would appear to be sensitive to the order of the attribute definitions, in other words.
Comment by Adam Lantos [ 03/Sep/09 ]
Scott, the issue is definitely triggered for me when the transientId is first. Now I tried to reorder
the attribute definitions and it still fails.

I have Sun Java HotSpot(TM) Client VM (build 1.5.0_17-b04, mixed mode, sharing).
Comment by Scott Cantor [ 03/Sep/09 ]
I think I found the bug, and it will probably depend on the surrounding material in the resolver.

There's a nested for loop that's executing a break statement and fails to break out of the outer
loop, so the code cycles to the next attribute in the set and things get out of sync.

Code (for SAML 2 anyway) is in AbstractSAML2ProfileHandler.java in the buildNameId
function.

The outer loop needs to exit once nameIdAttribute is non-null. Adding a check for that after the
inner loop should fix it.

Probably need a similar fix in the SAML1 side.
Comment by Adam Lantos [ 03/Sep/09 ]
Yes, that's it, I've also found it and fixed it in my tree.
Comment by Adam Lantos [ 03/Sep/09 ]
Patch which fixed the issue for me.
Comment by Chad La Joie [ 25/Sep/09 ]
Fixed in rev 2892
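
The nested-loop problem described in the SIDP-342 comments, as an added example that is not the code of AbstractSAML2ProfileHandler and not the attached patch. The class and method names, and the assumption that the encoder variable is assigned before the format check, are illustrative; the two attribute orders are the ones Scott Cantor reports testing.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Simplified model of NameID attribute/encoder selection.
// Names are hypothetical; this is not the IdP's buildNameId function.
public class NameIdSelectionDemo {

    static final String TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    static final String PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    // A resolved attribute and the NameID formats of the encoders attached to it.
    static final class Attr {
        final String id;
        final List<String> encoderFormats;

        Attr(String id, String... encoderFormats) {
            this.id = id;
            this.encoderFormats = Arrays.asList(encoderFormats);
        }
    }

    // Assumed shape of the bug: the encoder is remembered before the format
    // check and 'break' only leaves the inner loop, so a later attribute can
    // overwrite the encoder while the chosen attribute stays the same.
    static String selectBuggy(List<Attr> attrs, Set<String> supported) {
        String nameIdAttribute = null;
        String nameIdFormat = null;
        for (Attr attr : attrs) {
            for (String format : attr.encoderFormats) {
                nameIdFormat = format;
                if (supported.isEmpty() || supported.contains(format)) {
                    nameIdAttribute = attr.id;
                    break; // inner loop only
                }
            }
        }
        return describe(nameIdAttribute, nameIdFormat);
    }

    // With the check suggested in the comments: stop the outer loop as soon
    // as an attribute has been chosen.
    static String selectFixed(List<Attr> attrs, Set<String> supported) {
        String nameIdAttribute = null;
        String nameIdFormat = null;
        for (Attr attr : attrs) {
            for (String format : attr.encoderFormats) {
                nameIdFormat = format;
                if (supported.isEmpty() || supported.contains(format)) {
                    nameIdAttribute = attr.id;
                    break;
                }
            }
            if (nameIdAttribute != null) {
                break; // attribute and encoder stay in sync
            }
        }
        return describe(nameIdAttribute, nameIdFormat);
    }

    static String describe(String attribute, String format) {
        return attribute == null
                ? "no usable NameID attribute"
                : attribute + " encoded as " + format;
    }

    public static void main(String[] args) {
        // The SP's metadata lists only the persistent format, as in the report.
        Set<String> spSupports = Collections.singleton(PERSISTENT);
        List<Attr> persistentFirst = Arrays.asList(
                new Attr("persistentId", PERSISTENT), new Attr("transientId", TRANSIENT));
        List<Attr> transientFirst = Arrays.asList(
                new Attr("transientId", TRANSIENT), new Attr("persistentId", PERSISTENT));

        System.out.println("buggy, persistentId first: " + selectBuggy(persistentFirst, spSupports));
        System.out.println("buggy, transientId first:  " + selectBuggy(transientFirst, spSupports));
        System.out.println("fixed, persistentId first: " + selectFixed(persistentFirst, spSupports));
        System.out.println("fixed, transientId first:  " + selectFixed(transientFirst, spSupports));
    }
}
```
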
[SIDP-340] Default tc-config.xml causes TCNonPortableObjectError Created: 27/Aug/09
Updated: 24/Sep/09 Resolved: 24/Sep/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2, 2.1.3
Fix Version/s:     None

Type:                     Bug                   Priority:         Minor
Reporter:                 Adam Lantos           Assignee:         Chad La Joie
Resolution:               Fixed                 Votes:            0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

Description
The default tc-config.xml template does not contain

<instrumented-classes>
      <include>
       <class-expression>org.opensaml.xml.util.LazyList</class-expression>
      </include>
</instrumented-classes>

which causes runtime com.tc.exception.TCNonPortableObjectError.

Comments
Comment by Chad La Joie [ 24/Sep/09 ]
Fixed. New version placed in wiki:

https://spaces.internet2.edu/display/SHIB2/IdPCluster
[SIDP-335] NPE when testing SAML2 artifact Created: 30/Jul/09 Updated: 27/Oct/09 Resolved: 27/Oct/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:               Bug                           Priority:           Minor
Reporter:           Rod Widdowson                 Assignee:           Chad La Joie
Resolution:         Invalid                       Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 6.0

 Description
The root cause might be PEBKAC in the installation (although I tried two installs). But the NPE
shouldn't happen.

I tried SAML2 artifact between two Shib2 entities via a DS [Starting at
Sp\Shibboleth.sso\DS?acsIndex=3 Where 3 is the
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact ACS].

This was the request:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sh2testsp1.iay.org.uk/Shibboleth.sso/SAML2/Artifact"
Destination="https://dlib-adidp.ucs.ed.ac.uk/shibboleth-idp/profile/SAML2/Redirect/SSO"
ID="_3bb01d863f48e137626572229d1d7d32" IssueInstant="2009-07-30T10:43:14Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sh2testsp1.iay.org.uk/shibboleth</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

And this was the result in the log

11:43:11.729 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:541] - Encoding response to SAML request _3bb01d863f48e137626572229d1d7d32 from relying party https://sh2testsp1.iay.org.uk/shibboleth
11:43:11.729 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:47] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
11:43:11.729 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder:179] - Performing HTTP GET SAML 2 artifact encoding
11:43:11.729 - ERROR [org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder:90] - Unable to select source location for artifact. No artifact resolution service defined for issuer.
11:43:11.729 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.NullPointerException
at org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder.buildArtifact(SAML2ArtifactType0004Builder.java:52) [opensaml-2.2.3.jar:na]
at org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder.buildArtifact(SAML2ArtifactType0004Builder.java:1) [opensaml-2.2.3.jar:na]
at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.buildArtifact(HTTPArtifactEncoder.java:214) [opensaml-2.2.3.jar:na]
at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.getEncode(HTTPArtifactEncoder.java:185) [opensaml-2.2.3.jar:na]
at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.doEncode(HTTPArtifactEncoder.java:134) [opensaml-2.2.3.jar:na]
at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:50) [openws-1.2.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler.encodeResponse(AbstractSAMLProfileHandler.java:545) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:273) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:148) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.2.jar:na]
[SNIP]

 Comments
Comment by Gary Windham [ 13/Oct/09 ]
Just wondering if there's been any resolution to this issue...I encountered the same problem today
(with the same error messages and NPE) while trying to use SAML2 Artifact between a 2.1.2
IdP and 2.1.1 SP.
Comment by Chad La Joie [ 27/Oct/09 ]
This is due to a misconfigured IdP. The IdP must load its own metadata and that metadata must
include appropriate artifact resolution services or else you get this error. I've made sure though
that an NPE doesn't bubble up the call stack so that the error is clearer.
[SIDP-329] Support for Bookmarked Login Pages Created: 09/Jul/09             Updated: 16/Jul/09 Resolved:
16/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0, 2.1.0, 2.1.1, 2.1.2
Fix Version/s:     None

Type:               New Feature                    Priority:            Major
Reporter:           Nate Klingenstein              Assignee:            Chad La Joie
Resolution:         Won't Fix                      Votes:               0
Labels:             None


 Description
Many users like to bookmark their login page. Because all the session state is currently stored in
the IdP rather than the client, if they bookmark the login page to return to it later, their intended
SP and other information is lost.

Particularly because the information in 99% of AuthnRequests is unsigned and thus advisory, it
should be possible to add enough information to the query string to allow for sufficient
persistence/replay of the AuthnRequest to allow users to bookmark login pages successfully.
That information would probably look a lot like the old Shibboleth SSO authentication request
query string (?SHIRE=a&providerId=b&target=c).

A potential problem is the use of cookie-based relay state and targets by the SP. Deployments
that wanted to support this feature could make appropriate configuration changes, and there is
little impact on those that do not.

This would be a really nice feature to have.

 Comments
Comment by Scott Cantor [ 09/Jul/09 ]
I completely disagree. The result of login replay is that the back button traps you into an
application and causes a lot of user confusion. It's also not permitted by spec because replay
detection is part of the model.

This should NOT be allowed and in fact should be detected with a dedicated error page returned
to explain to people NOT to do this.
Comment by Chad La Joie [ 16/Jul/09 ]
As Scott mentioned, the timestamps and replay detection intentionally prohibit this and I'm not
about to remove those checks.
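
Added example (not part of the original tracker entry and not Shibboleth code): a minimal Java sketch of the two checks the comments above refer to, an IssueInstant freshness window plus a replay cache keyed on issuer and message ID, showing why a resubmitted or bookmarked AuthnRequest is refused. The ReplayGuard class, the five-minute skew and lifetime, and the issuer and ID values are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: freshness and replay checks on an inbound SAML request.
 * Not Shibboleth code; the skew and lifetime values are assumptions.
 */
public class ReplayGuardDemo {

    enum Verdict { ACCEPTED, NOT_YET_VALID, EXPIRED, REPLAYED }

    static final class ReplayGuard {
        private final Duration clockSkew;
        private final Duration lifetime;
        /** issuer + message ID -> instant after which the entry can be dropped. */
        private final Map<String, Instant> seen = new HashMap<>();

        ReplayGuard(Duration clockSkew, Duration lifetime) {
            this.clockSkew = clockSkew;
            this.lifetime = lifetime;
        }

        synchronized Verdict check(String issuer, String messageId,
                                   Instant issueInstant, Instant now) {
            // Freshness: the message may not come from the future ...
            if (issueInstant.isAfter(now.plus(clockSkew))) {
                return Verdict.NOT_YET_VALID;
            }
            // ... and is only usable for a bounded time after it was issued.
            Instant expiry = issueInstant.plus(lifetime).plus(clockSkew);
            if (!now.isBefore(expiry)) {
                return Verdict.EXPIRED;
            }
            // An entry is only needed while the message would still pass the
            // freshness test, so the cache stays bounded.
            seen.values().removeIf(entryExpiry -> !now.isBefore(entryExpiry));
            String key = issuer + "\n" + messageId;
            return seen.putIfAbsent(key, expiry) == null
                    ? Verdict.ACCEPTED : Verdict.REPLAYED;
        }
    }

    public static void main(String[] args) {
        ReplayGuard guard = new ReplayGuard(Duration.ofMinutes(5), Duration.ofMinutes(5));
        String issuer = "https://sp.example.org/shibboleth";   // constructed value
        String id = "_constructed-request-0001";               // constructed value
        Instant issued = Instant.parse("2009-07-09T10:00:00Z");
        Instant nextDay = issued.plus(Duration.ofDays(1));

        System.out.println("first delivery:        "
                + guard.check(issuer, id, issued, issued.plusSeconds(2)));
        System.out.println("back button, 1 minute: "
                + guard.check(issuer, id, issued, issued.plusSeconds(60)));
        System.out.println("bookmark, next day:    "
                + guard.check(issuer, id, issued, nextDay));
        System.out.println("fresh request, new ID: "
                + guard.check(issuer, "_constructed-request-0002", nextDay,
                        nextDay.plusSeconds(1)));
    }
}
```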
[SIDP-328] Direct link to IdP login page results in no loginContext being created.
User sees a 404 instead. Created: 08/Jul/09 Updated: 16/Jul/09 Resolved: 16/Jul/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: None
Fix Version/s:     None

Type:               Bug                           Priority:           Minor
Reporter:           Paul Hethmon                  Assignee:           Chad La Joie
Resolution:         Duplicate                     Votes:              0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 5.5

 Description
When a user bookmarks the IdP login page (the IdP is using a custom Username Password
servlet which renders the login page much like the standard one for JAAS), no login context is
evidently created. The user will enter their login credentials, submit them, have them validated by
the login handler successfully. The login handler then calls
AuthenticationEngine.returnToAuthenticationEngine(request, response) which ends up in a 404
error to the browser since there is no target to send them to.

This might be caused in some way by my login servlet since I have a prior version that this
behavior just resulted in the user being dumped back to the login.jsp page through the servlet. I
will be investigating further and updating the issue.

 Comments
Comment by Chad La Joie [ 16/Jul/09 ]
Bookmarking of the login page will not be supported. If a custom error message needs to be
displayed the deployer should edit the error JSP page to look for this case (when the login
context is null) and display an appropriate error message.

There was a mistake in the error page URL though that inadvertently caused the IdP to send the
user to the 404 error page instead of the general error page. This has been fixed in rev 2869.
[SIDP-324] Add additional information to Status handler Created: 30/Jun/09          Updated: 02/Jul/09
Resolved: 02/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0, 2.1.0, 2.1.1, 2.1.2
Fix Version/s:     2.1.3

Type:                 Improvement                Priority:           Minor
Reporter:             Chad La Joie               Assignee:           Chad La Joie
Resolution:           Fixed                      Votes:              0
Labels:               None


 Description
Add the following information to the status handler:
OS info: jdk version, total CPUs, total memory used, max memory available, current time in
UTC
IdP version, start time, # of current sessions
*entity info: entity ID, public key, configured profiles
*session info: session ID, principals, active authentication method, services to which
authenticated

There would be two options:
 - Basic/Full view (full view includes the '*' items)
 - Relying party view which gives the entity info for the given relying party

The Status handler would also become IP protected in a similar fashion to the SP's Session view
page.

Comments
Comment by Scott Cantor [ 30/Jun/09 ]
An advanced possibility would be validation of connections to resolver data stores.
Comment by Chad La Joie [ 02/Jul/09 ]
Added in rev 2860

Could not display session information but other information is present as well as request feature
to show the relying party configuration used for a given relying party
[SIDP-322] Exception thrown when SP requests a particular authentication
method that is not configured Created: 25/Jun/09 Updated: 30/Jun/09 Resolved: 30/Jun/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0, 2.1.0, 2.1.1, 2.1.2
Fix Version/s:     2.1.3

Type:               Bug                          Priority:          Minor
Reporter:           Chad La Joie                 Assignee:          Chad La Joie
Resolution:         Fixed                        Votes:             0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

 Description
If an SP requests a specific mechanism and the IdP is not configured for that mechanism an
exception is thrown. This is caused because AuthenticationEngine line 319 does not check to see
if there are methods remaining after filtering. Attached is a trace.

----

8:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:352] - Configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@ef7d74, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1157f77}
18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:353] - Requested authentication methods: org.opensaml.xml.util.LazyList@1bca486
18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:300] - Possible authentication handlers for this request: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1157f77}
18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:313] - Possible authentication handlers after filtering: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1157f77}
18:08:33.558 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.util.NoSuchElementException
      at java.util.HashMap$HashIterator.nextEntry(HashMap.java:844) [na:1.5.0_14]
      at java.util.HashMap$EntryIterator.next(HashMap.java:883) [na:1.5.0_14]
      at java.util.HashMap$EntryIterator.next(HashMap.java:881) [na:1.5.0_14]
      at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.startUserAuthentication(AuthenticationEngine.java:320) [shibboleth-identityprovider-2.1.2.jar:na]
      at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:275) [shibboleth-identityprovider-2.1.2.jar:na]
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302) [catalina.jar:na]
      at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:192) [shibboleth-identityprovider-2.1.2.jar:na]
      at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145) [shibboleth-identityprovider-2.1.2.jar:na]
      at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82) [shibboleth-identityprovider-2.1.2.jar:na]
      at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.2.jar:na]
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
      at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.2.jar:na]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) [catalina.jar:na]
      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283) [tomcat-coyote.jar:na]
      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767) [tomcat-coyote.jar:na]
      at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697) [tomcat-coyote.jar:na]
      at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889) [tomcat-coyote.jar:na]
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
      at java.lang.Thread.run(Thread.java:595) [na:1.5.0_14]

Comments
Comment by Chad La Joie [ 30/Jun/09 ]
Fixed in rev 2851
[SIDP-321] IdP metadata generator appear to be adding extraneous name spaces
to the metadata Created: 24/Jun/09 Updated: 19/Aug/09 Resolved: 19/Aug/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:               Bug                            Priority:            Major
Reporter:           Rod Widdowson                  Assignee:            Chad La Joie
Resolution:         Fixed                          Votes:               0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 6.0

 Description
*NOTE* I want to do some more analysis of this case and so I will assign it to myself. However I
am OOF for the next 3 days and I need to capture it now.

I have an IdP which comes from a QuickInstall. The installation process is pretty standard (the
MSI grabs some properties and then falls into the ant script). However I am not 100% sure that
the Quick installer isn't the core of the problems.

The QI starts with a slightly different template for the self metadata but the first few lines look
like this:

<EntityDescriptor entityID="$IDP_ENTITY_ID$"
          xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

Which is fair enough.

Post installation the following is in the idp\metadata directory:

<EntityDescriptor entityID="https://idp.edina.ac.uk/shibboleth"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

And so on. The extra xmlns="urn:oasis:names:tc:SAML:2.0:metadata" (and there are many more
where that came from) is odd, but benign.

But it is when I load this from the metadata endpoint that things get truly funky:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
         entityID="https://idp.edina.ac.uk/shibboleth"
         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
         xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

The "xmlns:xmlns" is super illegal and I had UK Federations Ops onto my case for giving them
illegal metadata...

I don't think that QI is implicated, but as I said at the top I don't have the cycles today to ensure.
So I'll take this case for now

 Comments
Comment by Chad La Joie [ 24/Jun/09 ]
At least the first part of this, where the namespaces are needlessly declared is probably due to
JXT-48. It is, as you said, benign. No initial thoughts on the real problem though.
Comment by Chad La Joie [ 30/Jun/09 ]
Okay, I tried to reproduce this on my non-QI test env and could not. The extra namespaces, per
JXT-48, were there but the xmlns:xmlns never showed up.

In my test env I tried using firefox to save the contents of the IdP metadata endpoint and had my
SP load the metadata from the endpoint. In both cases the XML was fine.
Comment by Rod Widdowson [ 30/Jun/09 ]
I'm going to work through this one slowly and see where I introduced the oddity.. The trouble I
had when putting this case together was working out exactly what the stages were... I'm hoping
that it will disappear in a puff of PEBKAC...

Comment by Chad La Joie [ 30/Jun/09 ]
Well, I can tell you what the IdP does.

During installation the metadata template in the src/installer/resources/metadata-tmpl directory is
filled in with things like the hostname and key and that is placed in
$IDP_HOME/metadata/idp-metadata.xml

When the IdP serves the metadata up it's using the
'edu.internet2.middleware.shibboleth.idp.profile.SAMLMetadataProfileHandler'. The profile
handler reads the metadata via the FilesystemMetadataProvider and caches it. When a request
comes in the metadata is remarshalled and written to the HttpServletRequest OutputStream.

It's because of that marshalling step that JXT-48 comes in to play.
Comment by Rod Widdowson [ 03/Jul/09 ]
So this is partial PEBKAC.

Using a standard QI all happens OK - we get spurious extra namespaces (because of JXT-48) but
that is more of a mild pain for those that edit metadata than anything else. We do *NOT* get bad
xml.

What I did was flush a more serious side effect of JXT-48.

At some stage during the configuration of my IdP I took the output of the metadata generator and
fed it back into IDP_HOME\metadata\idp-metadata.xml. So idp-metadata was correctly formed,
but had the extra name spaces. When *that* metadata is fed into the metadata generator we
get the multiple namespaces including the xmlns:xmlns:"foo" construct that Ian was bending my
ear about.

I guess how relaxed I am about this is a function of how imaginative we think people will be
with their edits to idp-metadata.xml. I have been in the habit of telling people to make changes to
idp-metadata.xml to reflect changes in their configuration. That way their metadata endpoint
carries on telling the truth (it's a vain hope, but it's a hope). Now we have the case whereby a
manipulation which creates valid XML can cause the IdP to spit out invalid XML.

OTOH this is a bug which is already reported as JXT-48 so we can certainly close this case if we
want.

I'll let Chad decide.
Comment by Chad La Joie [ 03/Jul/09 ]
Okay, until JXT-48 is resolved this bug is tabled.
Comment by Scott Cantor [ 17/Aug/09 ]
I believe the source of this bug, at least, is that the AbstractXMLObjectUnmarshaller class in
xmltooling has a broken function unmarshallNamespaceAttribute that parses xmlns="uri" as a
Namespace object with a prefix of "xmlns". This causes marshalling code later to generate
xmlns:xmlns on the way back out.

The case of a default namespace decl probably should be special-cased as a null or empty prefix
field.
Comment by Chad La Joie [ 19/Aug/09 ]
Both the unnecessary declaration of namespaces (JXT-48) and the invalid default namespace
defining attribute of "xmlns:xmlns" (JXT-62) are fixed in the next release of xmltooling which
will be included in IdP 2.1.3
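
Added example (not part of the original tracker entry and not xmltooling code): a Java sketch of how a namespace-aware DOM exposes xmlns="uri" and how treating the attribute's local name as the prefix yields the xmlns:xmlns declaration discussed above, next to a version that special-cases the default namespace. The Namespace record, the method names and the entityID are hypothetical, and the "buggy" mapping is an assumed way of producing the described behaviour.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.xml.sax.InputSource;

/** Added example (Java 16+): default-namespace handling on an unmarshal/marshal round trip. */
public class DefaultNamespaceDemo {

    /** A namespace binding; a null prefix means the default namespace. */
    record Namespace(String prefix, String uri) {
        String toAttribute() {
            return prefix == null ? "xmlns=\"" + uri + "\""
                                  : "xmlns:" + prefix + "=\"" + uri + "\"";
        }

        /** Namespaces in XML forbids declaring the prefix "xmlns". */
        boolean declaresReservedPrefix() {
            return XMLConstants.XMLNS_ATTRIBUTE.equals(prefix);
        }
    }

    /** Assumed buggy mapping: the local name is always taken as the prefix. */
    static Namespace unmarshallBuggy(Attr attr) {
        // For xmlns="uri" the DOM reports prefix null and local name "xmlns".
        return new Namespace(attr.getLocalName(), attr.getValue());
    }

    /** Corrected mapping: an unprefixed declaration is the default namespace. */
    static Namespace unmarshallFixed(Attr attr) {
        boolean isDefault = attr.getPrefix() == null;
        return new Namespace(isDefault ? null : attr.getLocalName(), attr.getValue());
    }

    /** Collects the xmlns and xmlns:* attributes of an element. */
    static List<Attr> namespaceDeclarations(Element element) {
        List<Attr> result = new ArrayList<>();
        NamedNodeMap attributes = element.getAttributes();
        for (int i = 0; i < attributes.getLength(); i++) {
            Attr attr = (Attr) attributes.item(i);
            String name = attr.getName();
            if (name.equals("xmlns") || name.startsWith("xmlns:")) {
                result.add(attr);
            }
        }
        return result;
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Metadata is untrusted input: refuse DOCTYPE declarations outright.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the metadata quoted in this issue.
        String xml = "<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\""
                + " xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\""
                + " entityID=\"https://idp.example.org/shibboleth\"/>";
        for (Attr attr : namespaceDeclarations(parse(xml))) {
            Namespace buggy = unmarshallBuggy(attr);
            Namespace fixed = unmarshallFixed(attr);
            System.out.printf("%-48s buggy: %s%s%n%-48s fixed: %s%n",
                    attr.getName() + "=\"" + attr.getValue() + "\"",
                    buggy.toAttribute(),
                    buggy.declaresReservedPrefix() ? "   <-- must not be published" : "",
                    "", fixed.toAttribute());
        }
    }
}
```

A check like declaresReservedPrefix() run over generated metadata before it is served or submitted to a federation catches this class of output regardless of which component produced it.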
[SIDP-318] IdP erroneously logs many normal events as errors. Created: 19/Jun/09 Updated:
30/Jun/09 Resolved: 30/Jun/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.1.3

Type:                      Bug                     Priority:         Minor
Reporter:                  Jim Fox                 Assignee:         Chad La Joie
Resolution:                Fixed                   Votes:            0
Labels:                    None

Java Version:              Sun 1.6
Servlet Container:         Apache Tomcat 6.0

 Description
The IdP inappropriately logs many events -- expired requests, unknown nameidentifiers, etc. --
as ERRORs. An ERROR ought to mean the IdP itself has failed in some way, not just that some
user has failed to get what she wants. I'd like to monitor the process log for errors, and maybe
alert someone, but I can't do that if I get an ERROR log every time someone hits the back button
on an old page.

In addition several of these put stack traces in the process log.



 Comments
Comment by Chad La Joie [ 19/Jun/09 ]
This bug needs the exact errors (Class names and line numbers as reported by the logging
framework) or else it will not be addressed.
Comment by Jim Fox [ 19/Jun/09 ]
these report ERROR when an authn request has been replayed, bookmarked, or delayed

  org.opensaml.common.binding.security.IssueInstantRule:101
  org.opensaml.common.binding.security.IssueInstantRule:107
  edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85
  edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:210

this is hit when some non-saml remote client just happens to hit a profile endpoint
 edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:207

this is hit when a user tries to login with cookies blocked

 edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:211


I see now how to remove or truncate logging of stack traces on these errors, so that's not an issue.
Comment by Chad La Joie [ 30/Jun/09 ]
Fixed in rev 2850
[SIDP-317] Multiple HEAD requests when downloading attribute-filter.xml Created:
10/Jun/09 Updated: 01/Jul/09 Resolved: 01/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:                      Bug                     Priority:         Minor
Reporter:                  Lukas Hämmerle          Assignee:         Chad La Joie
Resolution:                Won't Fix               Votes:            0
Labels:                    None

Java Version:              Sun 1.5
Servlet Container:         Apache Tomcat 5.5

 Description
For some reason the IdP always issues two HEAD requests when downloading the
attribute-filter.xml (and potentially other files).

This is what the Apache access log looks like in the case where the attribute-filter.xml has not
changed (the ETag stays the same as for the previously downloaded file; the last-modified time
also stays the same):
193.5.54.127 - - [10/Jun/2009:15:55:35 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
193.5.54.127 - - [10/Jun/2009:15:55:37 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
130.92.13.155 - - [10/Jun/2009:16:34:54 +0200] "HEAD /switchaai/unibe.ch/attribute-filter.xml HTTP/1.1" 200 -
130.92.13.155 - - [10/Jun/2009:16:34:55 +0200] "HEAD /switchaai/unibe.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.127 - - [10/Jun/2009:16:35:33 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.127 - - [10/Jun/2009:16:35:34 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -

And this is what it looks like if the attribute-filter.xml changed:
193.5.54.127 - - [10/Jun/2009:14:55:38 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
193.5.54.127 - - [10/Jun/2009:14:55:40 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
193.5.54.127 - - [10/Jun/2009:14:55:41 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
193.5.54.127 - - [10/Jun/2009:14:55:43 +0200] "GET /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 256919

So, here it's even four requests :-)

 Comments
Comment by Chad La Joie [ 01/Jul/09 ]
This is caused by the generic way in which the IdP treats its configuration sources. There is no
way to address this without losing the generic nature and eliminating a couple HEAD requests
isn't worth that trade off.
[SIDP-316] The IdP configuration should be able to apply the clock skew to the
NotBefore value in the <Condition> Created: 08/Jun/09 Updated: 29/Jul/09 Resolved: 29/Jul/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:               New Feature                    Priority:           Minor
Reporter:           Rod Widdowson                  Assignee:           Chad La Joie
Resolution:         Invalid                        Votes:              0
Labels:             None


Description
This comes from an issue that an IdP has had interacting with GoogleApps.

Google is failing "GoogleApps - This service cannot be accessed because your login credentials
are not yet valid". A repost will work (so much for replay detection!). The IDP is otherwise
correctly configured and interops fine with Shib SPs.

The discussion is still open, but either way it would be nice to put a negative dither into a
condition validity period to deal with SPs which won't bring themselves up to date and are
intolerant of others being ahead of them.

For the record Chad states that line 352 of
edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler is the
place to start

I may need to start programming to debug this at Google. If so I'll keep this case posted.

 Comments
Comment by Chad La Joie [ 03/Jul/09 ]
The more I think about this the more I think it's just wrong. I get that Google is *the* big boy
(bully) in this case but I can't justify changing this behavior. Doing so could end up causing
issues with every other SP in the world since the time in the assertion would now, purposefully,
be off. As such anyone properly checking this field might end up failing if their clock skew
window was equal to, or less than, whatever "fudge" factor would have been added as a
result of this issue.
Comment by Glenn Wearen [ 29/Jul/09 ]
I've noticed the same issue on this version of the IdP, I take the point about having to fudge for
Google
However, we're not talking about minutes of drift here, I've noticed that a drift of almost one
second is enough to trigger this issue.
Surely the IdP should allow a little tolerance? It doesn't have to be a global adjustment either,
this could be done on a per SP basis in a RelyingParty element.
Comment by Glenn Wearen [ 29/Jul/09 ]
Re-opening because I'm not sure if my last comment will be seen if the ticket is closed.
Comment by Rod Widdowson [ 29/Jul/09 ]
Glen,
The issue is not that the IdP is intolerant - it isn't. It is the SP which is intolerant. Google is
effectively saying "the SP is intolerant of time skew, but you have to fix it by making bogus
assertions" - this is what Chad and Scott are concerned about. Just because someone is market
leader doesn't mean that we enjoy letting them not listen to the specs.

Can you mail me offline (at rdw at steadingsoftware dot com) where you are located? I have a
feeling that the issue might be with one specific Google SP and that might be findable by
geography. FWIW the IdP which this was created for was near Liverpool, England..
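
Added example (not part of the original tracker entry and not Shibboleth or Google code): a Java sketch of the relying-party side of this discussion, checking the NotBefore and NotOnOrAfter of a <Conditions> element with and without a clock-skew tolerance for several amounts of drift. The check method, the timestamps, the drift values and the 60-second tolerance are assumptions.

```java
import java.time.Duration;
import java.time.Instant;

/** Added example: SP-side validity-window check with a configurable tolerance. */
public class ConditionsSkewDemo {

    enum Verdict { VALID, NOT_YET_VALID, EXPIRED }

    /**
     * Accepts the assertion when the SP's clock, widened by the tolerance on
     * both sides, falls inside [notBefore, notOnOrAfter).
     */
    static Verdict check(Instant notBefore, Instant notOnOrAfter,
                         Instant spNow, Duration tolerance) {
        if (spNow.plus(tolerance).isBefore(notBefore)) {
            return Verdict.NOT_YET_VALID;
        }
        if (!spNow.minus(tolerance).isBefore(notOnOrAfter)) {
            return Verdict.EXPIRED;
        }
        return Verdict.VALID;
    }

    public static void main(String[] args) {
        // Constructed values: the IdP stamps the assertion with its own clock.
        Instant idpNow = Instant.parse("2009-07-29T12:00:00Z");
        Instant notBefore = idpNow;
        Instant notOnOrAfter = idpNow.plus(Duration.ofMinutes(5));

        Duration[] drifts = {
            Duration.ZERO, Duration.ofMillis(900), Duration.ofSeconds(30)
        };
        Duration[] tolerances = { Duration.ZERO, Duration.ofSeconds(60) };

        for (Duration drift : drifts) {
            // The SP clock is behind the IdP clock by the drift.
            Instant spNow = idpNow.minus(drift);
            for (Duration tolerance : tolerances) {
                Verdict first = check(notBefore, notOnOrAfter, spNow, tolerance);
                // The user resubmits the same assertion two seconds later.
                Verdict repost = check(notBefore, notOnOrAfter,
                        spNow.plusSeconds(2), tolerance);
                System.out.printf("drift=%-7s tolerance=%-5s first=%-13s repost=%s%n",
                        drift, tolerance, first, repost);
            }
        }

        // The cost of tolerance: the window is widened at the far end too.
        Instant late = notOnOrAfter.plusSeconds(30);
        System.out.println("30s past NotOnOrAfter, strict:   "
                + check(notBefore, notOnOrAfter, late, Duration.ZERO));
        System.out.println("30s past NotOnOrAfter, tolerant: "
                + check(notBefore, notOnOrAfter, late, Duration.ofSeconds(60)));
    }
}
```

With zero tolerance, sub-second drift is enough to reject the first delivery while a resubmission moments later passes; the same tolerance that removes that failure also extends acceptance past NotOnOrAfter, so it should be kept small and paired with replay detection.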
[SIDP-315] Credential provided by UsernamePasswordLogin handler as
attribute Created: 04/Jun/09 Updated: 01/Jul/09 Resolved: 01/Jul/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:                Bug                              Priority:     Minor
Reporter:            Lukas Hämmerle                   Assignee:     Chad La Joie
Resolution:          Fixed                            Votes:        0
Labels:              None

Java Version:        Sun 1.5
Servlet Container:   Apache Tomcat 5.5

 Description
I gave your hints a try in order to make the UsernamePasswordHandler
servlet place the credential as an attribute.

After some tweaking I got it to work with this scripted attribute:

<Script>
      <![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
importPackage(Packages.java.util);
importPackage(Packages.javax.security.auth);
importPackage(Packages.edu.internet2.middleware.shibboleth.idp.authn.provider);
importPackage(Packages.edu.vt.middleware.ldap.jaas);

// Create new password attribute
password = new BasicAttribute("password");

// How to get subject?
userSubject = requestContext.getUserSession().getSubject();

// Get credentials
i = userSubject.getPrivateCredentials().iterator();

if( i.hasNext() ){
       // Set real password
       credential = i.next();
       password.getValues().add(credential.getPassword());
}
      ]]>
</Script>

However, I got it only to work after changing the code from:
if(getInitParameter(storeCredentials) != null){
  storeCredentialsInSubject =
Boolean.parseBoolean(getInitParameter(storeCredentials));
}


to

if(true){
  storeCredentialsInSubject =
Boolean.parseBoolean(getInitParameter(storeCredentials));
}


... because I couldn't figure out how to add the property value correctly.

I assumed this property has to be added to the IdP's web.xml. So, I
added this to the UsernamePasswordAuthHandler servlet like:

<servlet>
     <servlet-name>UsernamePasswordAuthHandler</servlet-name>
     <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
     <load-on-startup>4</load-on-startup>

     <!-- To get password entered by user as attribute -->
     <storeCredentialsInSubject>true</storeCredentialsInSubject>
</servlet>

Didn't work. I also added the storeCredentialsInSubject to all other
servlets to no avail. Because I then wasn't sure whether I'm adding this
property correctly (probably not...) I also tried to add:

<context-param>
    <param-name>storeCredentialsInSubject</param-name>
    <param-value>true</param-value>
  </context-param>
at the top of the web.xml. This didn't work either.

So, what and where would be the correct way to set this property so that
it can be read with getInitParameter()?

Comments
Comment by Chad La Joie [ 01/Jul/09 ]
Fixed in rev 2854

The UsernamePassword login handler now *always* places the user's password into the
subject's private credential set. The authentication engine now has two init parameters,
'retainSubjectsPublicCredentials' and 'retainSubjectsPrivateCredentials', which control whether
public or private credentials (respectively) are retained within the Session Subject after the
authentication event. The default is not to retain either set of credentials.
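
How the settings discussed in this issue are declared in web.xml, as an added example that is not part of the ticket or of the project's shipped web.xml: a servlet's getInitParameter() only sees <init-param> entries nested in that servlet's own <servlet> element, which is why neither the custom child element nor the <context-param> was picked up. The servlet name AuthenticationEngine, the literal parameter name storeCredentialsInSubject and the true/false values are assumptions; the class names and the two retain* parameter names are the ones quoted on this page.

```xml
<!-- Added example: constructed fragment of an IdP 2.x web.xml, not the shipped file. -->
<web-app>

    <!-- Before rev 2854: the declaration the reporter was looking for.
         GenericServlet.getInitParameter(name) reads only <init-param> entries
         nested in this servlet's own <servlet> element. A custom child element
         such as <storeCredentialsInSubject> is not an init parameter, and a
         <context-param> is visible only through
         getServletContext().getInitParameter(name).
         Assumption: the string behind the storeCredentials constant is
         "storeCredentialsInSubject"; the page does not show its value. -->
    <servlet>
        <servlet-name>UsernamePasswordAuthHandler</servlet-name>
        <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
        <init-param>
            <param-name>storeCredentialsInSubject</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>4</load-on-startup>
    </servlet>

    <!-- From rev 2854 on: the login handler always puts the password into the
         Subject's private credential set, and the authentication engine decides
         whether credentials survive the authentication event. Per the fix
         comment, neither set is retained by default.
         Assumption: the engine is declared as a servlet named
         AuthenticationEngine and the parameters take "true"/"false". -->
    <servlet>
        <servlet-name>AuthenticationEngine</servlet-name>
        <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine</servlet-class>
        <!-- Needed for the scripted "password" attribute above. While enabled,
             the user's cleartext password stays in the session Subject for the
             life of the IdP session, so enable it only where an attribute
             definition actually reads it. -->
        <init-param>
            <param-name>retainSubjectsPrivateCredentials</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Left at the default: public credentials are not retained. -->
        <init-param>
            <param-name>retainSubjectsPublicCredentials</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>

</web-app>
```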
[SIDP-312] LoginEvents with Null Subject from SessionManagerImpl Created:
22/May/09 Updated: 17/Aug/09 Resolved: 17/Aug/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:                    Bug                       Priority:         Minor
Reporter:                Henri Mikkonen            Assignee:         Chad La Joie
Resolution:              Won't Fix                 Votes:            0
Labels:                  None

Java Version:            Sun 1.6
Servlet                  Apache Tomcat 6.0
Container:

 Description
SessionManagerImpl class publishes a LoginEvent in two cases:

1) when createSession() method is called
2) when its ApplicationListener sees AddEntryEvent

First, it would be more logical for the listeners if the event was published only once.
Second, there is currently a race condition: depending on the timing, the ApplicationListeners
may not be able to get the subject / principal information from the Session object, because they
are set a little bit later by the AuthenticationEngine.

 Comments
Comment by Chad La Joie [ 23/Jun/09 ]
Given a variety of issues surrounding the generation and propagation of such events across a
cluster my current plan is to remove them. Is there some specific goal you were attempting to use
these to solve?
Comment by Henri Mikkonen [ 24/Jun/09 ]
We use Shibboleth for SSO inside organization, and our idea was to use the events for collecting
data for statistics, including both reports and "live information" like "who's logged in at the
moment". By listening to the events, we wouldn't have to touch/extend any Shibboleth classes, just
implementing and deploying a listener would do it.

The types of events we are interested in would be:
- Login (when the user authenticates, i.e. first SP)
- SSO (when the previous session is used)
- Logout (when the user logs out himself (*))
- Session expiration (timeout)

(*) I know that the IDP doesn't support logout at the moment
Comment by Chad La Joie [ 24/Jun/09 ]
Okay, I'll address each of those use cases in turn.

IdP 2.2 will ship with a script that allows you to parse the log files and get usage information
(good for monitoring and creating reports). You can find the script attached to issue SC-30.

Live information will be provided by the status page in the next release. Currently it's set to include
IdP version, # of active sessions, basic session information (session ID, creation time, last usage
time), and optionally expanded session information (principal names, authentication methods,
services to which the user was logged in to, etc.). For a complete list of information available in
the Session data structure take a look at edu.internet2.middleware.shibboleth.idp.session.Session
in the java-idp package and its parent interface in commons package.
Comment by Chad La Joie [ 17/Aug/09 ]
Okay, hearing nothing further on this, and with the removal of those events in the next release,
I'm closing this out.
[SIDP-310] Change default relying-party.xml settings for SAML 2 profiles'
encryptNameIds parameter from "conditional" to "never" Created: 14/May/09 Updated:
14/May/09 Resolved: 14/May/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                    Improvement             Priority:          Minor
Reporter:                Brent Putman            Assignee:          Brent Putman
Resolution:              Fixed                   Votes:             0
Labels:                  None


 Description
This is redundant with the default config of conditionally encrypting the Assertion, which
contains the NameID. The extra crypto operation is unnecessary overhead.

Comments
Comment by Brent Putman [ 14/May/09 ]
Fixed in r2847.
[SIDP-306] Remove ClientCertAuth rule from SAML 2 SSO SecurityPolicy in
relying-party.xml Created: 30/Apr/09 Updated: 30/Apr/09 Resolved: 30/Apr/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication, SAML 2
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:               Improvement                   Priority:            Minor
Reporter:           Brent Putman                  Assignee:            Brent Putman
Resolution:         Fixed                         Votes:               0
Labels:             None


 Description
For the standard cases, this security policy applies to a profile handler which is always a front-
channel binding, therefore no SP client TLS cert will ever be present. This rule causes request
failure when a user browser client cert is presented, for example when authN to the IdP with
client cert is desired.

 Comments
Comment by Brent Putman [ 30/Apr/09 ]
Ideally this would be handled by work indicated in JOWS-5, but that is not forthcoming soon, as
it requires some redesign. So this sidesteps the issue at least for this use case in a pragmatic
manner.
Comment by Brent Putman [ 30/Apr/09 ]
Committed in r2845.
[SIDP-305] Dependencies in pom.xml of java-jce have the wrong scope Created:
28/Apr/09 Updated: 30/Jun/09 Resolved: 30/Jun/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:                     Bug                      Priority:          Minor
Reporter:                 André Cruz               Assignee:          Chad La Joie
Resolution:               Invalid                  Votes:             0
Labels:                   None

Java Version:             Sun 1.6
Servlet                   Apache Tomcat 5.5
Container:

 Description
I had to make these modifications in order to build the shibboleth-jce.jar:

diff --git a/pom.xml b/pom.xml
index 8dda457..23be64a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -34,13 +34,13 @@
         <groupId>tomcat</groupId>
         <artifactId>catalina</artifactId>
         <version>5.5.23</version>
- <scope>runtime</scope>
+ <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>tomcat</groupId>
         <artifactId>tomcat-util</artifactId>
         <version>5.5.23</version>
- <scope>runtime</scope>
+ <scope>compile</scope>
       </dependency>

       <!-- Test dependencies -->
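Review bot: `<scope>compile</scope>` on the catalina and tomcat-util 5.5.23 entries puts them on the compile classpath but also makes them transitive and packages them with whatever is built from this POM. If the resulting jar is deployed into Tomcat, which already ships these classes, `<scope>provided</scope>` on both dependencies would fix the build the same way without bundling container jars. The original `runtime` scope keeps both artifacts off the compile classpath, which is consistent with the build failure the reporter describes.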


Comments
Comment by Chad La Joie [ 30/Jun/09 ]
This is not an IdP issue. The problem in the java-jce project though has been corrected.
[SIDP-301] Remove use of events in SessionManager so that different
StorageService implementations may be more easily used Created: 13/Apr/09 Updated: 26/Sep/10
Resolved: 03/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     2.2.0

Type:                 New Feature                 Priority:           Minor
Reporter:             André Cruz                  Assignee:           Chad La Joie
Resolution:           Fixed                       Votes:              0
Labels:               None


 Description
Terracotta is a big dependency to have for just sharing data between nodes. Most of the systems
already have some sort of store for clustering other data that could be used for storing the IDP
state.

If a StorageService API existed (as exists for the SP) people could use the store they wanted.

 Comments
Comment by Chad La Joie [ 13/Apr/09 ]
It does exist and is used by the IdP for all storage needs.
Comment by André Cruz [ 17/Apr/09 ]
Indeed it does exist, but the Session Manager implementation that comes with the IDP depends
on a specific implementation of the StorageService API because of the events (AddEntryEvent
and RemoveEntryEvent).

Would it be possible to remove this dependency? Otherwise whoever wants to use another
StorageService has to implement another SessionManager as well...

Thanks.
Comment by André Cruz [ 09/Jun/09 ]
Hello Chad.

I would just like to know your current stance on this issue. Making it simple to integrate new
Storage Services would be a big plus for the IDP since it will be very difficult for everyone to
agree on which infrastructure to use. Terracotta is probably a good platform but most people
have their own clustering solution which is working and do not react well to an unknown and
complex component being installed and relied upon.

If the API is changed to permit it I'll gladly donate a Memcache StorageService for the IDP.

Best regards,
André
Comment by Chad La Joie [ 03/Aug/10 ]
Fixed in Rev 2937

I've removed the use of events within the session manager. So it should be easier to create an
alternative StorageService impl. Whether or not you can get MemCache to do what is required I
have no idea.
[SIDP-300] Unable to unmarshall metadata Created: 09/Apr/09           Updated: 30/Jun/09 Resolved: 30/Jun/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:               Bug                            Priority:            Major
Reporter:           Olivier Salaün                 Assignee:            Chad La Joie
Resolution:         Invalid                        Votes:               0
Labels:             None

Attachments:          idp2.1.2-error-unmarshall.txt         lexisnexis.xml           lexisnexis.xml
Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
Shibboleth IdP servlet fails to start when adding the following MetadataProvider :

   <MetadataProvider id="lexis-nexis" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
              metadataURL="https://cdc2-www.lexisnexis.com/start/shib/metadata"
              backingFile="/tmp/lexisnexis-test-metadata.xml">
   </MetadataProvider>

The main error seems to be :

15:49:11.241 - ERROR [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:253] -
Unable to unmarshall metadata
org.opensaml.xml.io.UnmarshallingException: org.opensaml.xml.parse.XMLParserException:
Invalid XML

Attached is the content of the metadata and the full log sequence.

 Comments
Comment by Chad La Joie [ 30/Jun/09 ]
Oops... clicked on the wrong thing
Comment by Chad La Joie [ 30/Jun/09 ]
This is not a bug in the software; the metadata itself is invalid as it is missing all of the namespace
declarations. In the future, questions like this should be sent to the shibboleth-users mailing list.
[SIDP-296] Make LoginContext / IdP Session available through the public API
Created: 11/Mar/09 Updated: 03/Jul/09 Resolved: 03/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                      Improvement                      Priority:   Minor
Reporter:                  Halm Reusser                     Assignee:   Chad La Joie
Resolution:                Fixed                            Votes:      0
Labels:                    None


 Description
You told me that my access method to the LoginContext in uApprove is not reliable on
clustered setups...

 Comments
Comment by Chad La Joie [ 02/Jul/09 ]
Login Context can now be retrieved via the HttpServletHelper#getLoginContext method added
in rev 2860. Support for retrieving the user session will be added to this same helper class.
Comment by Chad La Joie [ 03/Jul/09 ]
Completed in rev 2862
[SIDP-295] If no cookies are supported/enabled in user agent (browser), display
better error message Created: 11/Mar/09 Updated: 16/Jul/09 Resolved: 16/Jul/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:               Improvement                   Priority:           Minor
Reporter:           Halm Reusser                  Assignee:           Chad La Joie
Resolution:         Fixed                         Votes:              0
Labels:             None


 Description
If the user agent (browser) does not send cookies, the following appears in the log file:

ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:211] - No login
context available, unable to return to authentication engine
  Improvement: Add information, that no cookies are sent

On the error.jsp the following is printed (/idp/Authn/UserPassword):

Error Message: Invalid IdP URL (HTTP 404)
 Improvement: Your Browser has not enabled cookies, or similar

Comments
Comment by Chad La Joie [ 16/Jul/09 ]
Fixed in rev 2869
[SIDP-294] Loglevel of AbstractSAML1ProfileHandler Created: 10/Mar/09            Updated: 01/Jul/09
Resolved: 01/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                 Improvement                Priority:           Minor
Reporter:             Halm Reusser               Assignee:           Chad La Joie
Resolution:           Fixed                      Votes:              0
Labels:               None


 Description
When an SP queries the IdP for new attributes, using a handle which is unknown to the IdP,
the following ERROR incl. stacktrace is logged:

ERROR
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:558] -
Error resolving attributes for SAML request from relying party https://www.switch.ch/shibboleth
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException:
No information associated with transient identifier: _70da14e771da5d275a1a8af6f2164c4f

This happens a lot. In my opinion, for 'unusual' operations which do not disturb the service (no
effect on the end user), messages of this kind should not be logged as ERROR. WARN would be
appropriate. (Also for back-button issues...)

Otherwise, monitoring idp-process.log makes no sense, because of the many false positives.

Comments
Comment by Chad La Joie [ 01/Jul/09 ]
Fixed in rev 2850
[SIDP-293] Ant installer target for renewing idp certificate Created: 10/Mar/09       Updated:
14/Mar/11 Resolved: 07/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.2
Fix Version/s:     2.3.0

Type:                     Improvement             Priority:          Minor
Reporter:                 Halm Reusser            Assignee:          Rod Widdowson
Resolution:               Duplicate               Votes:             0
Labels:                   None


 Description
I added the following target to src/installer/resources/build.xml:

  <target name="renew-cert" description="Installs the identity provider software.">
    <input message="Are u sure?" addproperty="renew.cert.do" validargs="yes,no"
defaultvalue="no" />
    <if> <equals arg1="${renew.cert.do}" arg2="yes" /> <then>
     <pathToAbsolutePath path="${idp.home}" addproperty="idp.home.path" />

     <input message="What is the fully qualified hostname of the Shibboleth Identity Provider
server?"
             addproperty="idp.hostname.input"
             defaultvalue="${idp.hostname}" />
     <var name="idp.hostname" value="${idp.hostname.input}" />
     <var name="idp.entity.id" value="https://${idp.hostname}/idp/shibboleth" />

     <input message="A keystore is about to be generated for you. Please enter a password that
will be used to protect it."
               addproperty="idp.keystore.pass" />

      <echo message="Generating signing and encryption key, certificate, and keystore. " />
           <selfSignedCert hostname="${idp.hostname}"
                    privateKeyFile="${idp.home.path}/credentials/idp.key"
                    certificateFile="${idp.home.path}/credentials/idp.crt"
                    keystoreFile="${idp.home.path}/credentials/idp.jks"
                    keystorePassword="${idp.keystore.pass}"
                    uriSubjectAltNames="${idp.entity.id}" />
    </then></if>
   </target>
which allows using install.sh renew-cert to renew the idp cert, if it was expired...


 Comments
Comment by Halm Reusser [ 07/Oct/09 ]
It is better to back up (rename) the old crt and key files, instead of overwriting them.
Comment by Rod Widdowson [ 04/Feb/11 ]
See also https://bugs.internet2.edu/jira/browse/Sidp-272
Comment by Rod Widdowson [ 07/Feb/11 ]
Duplicated as SIDP272
[SIDP-292] login.jsp: wrong using of the attribute rawspan within the tag <td>
Created: 06/Mar/09 Updated: 01/Jul/09 Resolved: 01/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                      Bug                              Priority:   Trivial
Reporter:                  Franck Borel                     Assignee:   Chad La Joie
Resolution:                Fixed                            Votes:      0
Labels:                    None

Java Version:              Sun 1.5
Servlet                    Apache Tomcat 5.5
Container:

Description
Wrong use of the attribute rawspan within the tag <td> at the last line of the block table:

<td rawspan="2"><input type="submit" value="login" tabindex="3"/></td>

should be changed to

<td colspan="2"><input type="submit" value="login" tabindex="3"/></td>

Comments
Comment by Chad La Joie [ 01/Jul/09 ]
Fixed in rev 2855
[SIDP-291] Update libs for 2.1.3 release Created: 03/Mar/09   Updated: 03/Mar/09 Resolved: 03/Mar/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.1.3

Type:               Improvement                Priority:              Minor
Reporter:           Chad La Joie               Assignee:              Chad La Joie
Resolution:         Fixed                      Votes:                 0
Labels:             None


 Description
shib-common from 1.1.2 to 1.1.3

Comments
Comment by Chad La Joie [ 03/Mar/09 ]
Added in rev 2838
[SIDP-289] allow disabling of previous session handler during IdP login Created:
26/Feb/09 Updated: 10/Feb/11 Resolved: 10/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: None
Fix Version/s:     None

Type:                     New Feature              Priority:            Minor
Reporter:                 Peter Schober            Assignee:            Chad La Joie
Resolution:               Won't Fix                Votes:               0
Labels:                   None


 Description
A checkbox on the login.jsp to disable the previous session handler (or something along those
lines) for this one session could help with kiosk PCs etc., where logout might not easily be
possible.

 Comments
Comment by Chad La Joie [ 10/Feb/11 ]
This issue will not be addressed in IdP v2. It is unclear, at this point, whether it will be added in
to v3.
[SIDP-288] Improve consistency of XML configuration defaults/examples Created:
26/Feb/09 Updated: 31/Jan/11 Resolved: 03/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:                     Improvement              Priority:           Trivial
Reporter:                 Scott Cantor             Assignee:           Chad La Joie
Resolution:               Completed                Votes:              0
Labels:                   None


 Description
One thing I noticed while working on the JA-SIG workshop material was that there's some
inconsistency on how the various plugin examples in the config files are done with regard to the
XML. Sometimes the xsi:types are prefixed and sometimes they're not, and sometimes the
namespaces are redeclared in each element, and other times the prefix defined at the root of the
file is used.

I think the best we can hope for is consistency and IMHO the least XML markup possible. My
suggestion would be to declare all the namespaces we can at the root (which I think is generally
being done), and use the prefixes whenever possible, rather than any default xmlns=""
declarations.

Basically, I think this:

   <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">

is generally better for people than this:

    <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" >

While it's true that the latter is self-contained and therefore movable, I think in most cases people
will understand declaring the namespaces at the root, and have an easier time seeing the
"options" they're using and spot mistakes easier with less markup.


Comments
Comment by Chad La Joie [ 03/Aug/10 ]
Done in rev 2938
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-287] Specify validity of self-signed certificate for installation Created: 25/Feb/09
Updated: 26/Feb/09 Resolved: 26/Feb/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:                     New Feature              Priority:           Minor
Reporter:                 Patrik Schnellmann       Assignee:           Chad La Joie
Resolution:               Duplicate                Votes:              0
Labels:                   None

Attachments:                 SIDP-287-1.patch

 Description
By default, the self-signed certificate generated by the installer is valid for 20 years. Our federation
policies require a shorter validity of 3 years. Instead of the hardcoded 20 years, the number of
years should be supplied as a parameter for the installer's ant task.

 Comments
Comment by Patrik Schnellmann [ 25/Feb/09 ]
Patch for SelfSignedCertificate ant task
Comment by Chad La Joie [ 26/Feb/09 ]
same as SIDP-286
[SIDP-286] Configurable validity period for self signed certificate Created: 25/Feb/09
Updated: 11/Jan/11 Resolved: 11/Jan/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.2
Fix Version/s:     2.2.1

Type:                     Improvement                Priority:            Minor
Reporter:                 Daniel J. Lauk             Assignee:            Chad La Joie
Resolution:               Fixed                      Votes:               0
Labels:                   None

Attachments:                  ant-ext.patch   ant-ext-selfsignedcertificate.patch    java-idp.patch


Description
This is an improvement to SIDP-136.

Currently the self signed certificates generated by the installation process are valid for 20 years
(hard coded).
Some federations reject certificates valid for such a long period of time.
Therefore I'd suggest that the validity period be configurable.

 Comments
Comment by Daniel J. Lauk [ 25/Feb/09 ]
The attached files contain patches to the ant extensions (i.e. the ant task) and the IdP installer.
I have not tested them but I think they should provide a reasonable starting point.

Both are based on a recent checkout of the respective subversion trunk.
Comment by Patrik Schnellmann [ 11/Nov/10 ]
Alternative patch for the same problem without user interaction in the installer task. That way,
the behaviour of install.sh stays the same. Users will have to manually adapt the selfSignedCert
ant task in the build.xml file (add attribute years="x").
Comment by Chad La Joie [ 11/Jan/11 ]
Added in rev 2981

You can now use the environment variable "IdPCertLifetime" with the install script to override
the number of years for which a certificate is valid.
[SIDP-285] Use $IDP_SCOPE$ to populate IdP scope in conf-tmpl\attribute-
resolver.xml Created: 18/Feb/09 Updated: 03/Mar/09 Resolved: 03/Mar/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:              Improvement                   Priority:           Minor
Reporter:          Rod Widdowson                 Assignee:           Chad La Joie
Resolution:        Fixed                         Votes:              0
Labels:            None


 Description
I am playing with the installation for the Windoze thing. I just spotted that the metadata has
$IDP_SCOPE$ which is updated, but the attribute resolver just has "example.org" hardwired.

Is there any reason why we don't change the attribute resolver so that the selected scope goes in?

I'm in the area and I can make things change if you want, but I know that there are major changes
proposed for 2.2....

R

Comments
Comment by Chad La Joie [ 19/Feb/09 ]
No, this seems fine. Go ahead and do that.
Comment by Chad La Joie [ 03/Mar/09 ]
Added in rev 2837
[SIDP-282] Make AuthenticationEngine part of the public API Created: 06/Feb/09              Updated:
11/Feb/10 Resolved: 11/Feb/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: None
Fix Version/s:     2.1.3

Type:                     Improvement             Priority:            Minor
Reporter:                 Chad La Joie            Assignee:            Chad La Joie
Resolution:               Fixed                   Votes:               0
Labels:                   None


 Description
Currently the AuthenticationEngine is not part of the public API
(https://spaces.internet2.edu/display/SHIB2/IdPAPI) but LoginHandlers are and they are
required to call the currently static methods of the Engine. So, at least part of the Engine API
needs to be public.
[SIDP-281] Customize login.jsp appearance based on relying party Created: 30/Jan/09
Updated: 02/Jul/09 Resolved: 02/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0, 2.1.0, 2.1.1, 2.1.2
Fix Version/s:     2.1.3

Type:                      New Feature           Priority:           Minor
Reporter:                  Nate Klingenstein     Assignee:           Chad La Joie
Resolution:                Fixed                 Votes:              1
Labels:                    None


 Description
Many sites would like to rebrand the login.jsp page according to the SP that has issued the
AuthnRequest. In order to support that, it would be nice to provide an entityID variable to the
JSP page that is persistent through a failed login attempt.

Documentation would have to point out to deployers the increased probability of phishing that
may result, and the entityID might need to be sanitized for XSS attacks.

 Comments
Comment by Chad La Joie [ 02/Jul/09 ]
Added in rev 2860, directions on how to do this will be added to 'The Login Page' section of this
document
https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
[SIDP-279] IdP should log NameID for auditing Created: 23/Jan/09          Updated: 20/Sep/10 Resolved:
03/Mar/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:               Bug                            Priority:            Major
Reporter:           Kristof Bajnok                 Assignee:            Chad La Joie
Resolution:         Fixed                          Votes:               0
Labels:             None

Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
Without the NameID logged, it's hard (or even impossible) to track back to which user a
certain SP session belonged.
Actually haven't checked this with SAML1 NameIdentifiers.

Feel free to reject it if there's some other way to do this. Shib-users:
http://marc.info/?t=123271285500002&r=1&w=2

 Comments
Comment by Kristof Bajnok [ 26/Jan/09 ]
Since 2.1 NameID is logged provided it is not encrypted. However it is by default, so I'd still call
this issue a bug.
There might be a way to log unencrypted NameID unconditionally.
Comment by Chad La Joie [ 06/Feb/09 ]
This is just notes for me.

This is because, on the front channel, encryption of the information is occurring before the
information is logged (and the log doesn't log the encrypted info). On the back channel you don't
normally encrypt and so you don't run into this. If you turned on
encryption there you'd end up with the same problem.
Comment by Chad La Joie [ 03/Mar/09 ]
Fixed in rev 2839
Comment by Peter Schober [ 20/Sep/10 ]
There's a thread on shibboleth-users
https://lists.internet2.edu/sympa/arc/shibboleth-users/2010-09/msg00014.html
with two people (incl myself) seemingly not getting NameIDs logged. Since we also don't get
any replies on the list I'm raising this here so we can find out what's wrong with our
configuration.

I can't reopen this issue here to attach any config files, so how do we handle this?
Comment by Chad La Joie [ 20/Sep/10 ]
Peter, that's a different issue than what Kristof first reported. I opened a new bug, SIDP-415, for
the issue you reported.
[SIDP-278] Log authentication success/failure at higher level than debug Created:
22/Jan/09 Updated: 02/Mar/09 Resolved: 02/Mar/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     None

Type:                     Improvement              Priority:           Trivial
Reporter:                 Etienne Dysli            Assignee:           Chad La Joie
Resolution:               Won't Fix                Votes:              0
Labels:                   None


 Description
For auditing purposes it would be better to log authentication successes and, especially, failures
at a higher level than debug; for instance info.

 Comments
Comment by Chad La Joie [ 02/Mar/09 ]
No, that would provide a very easy way to take down a server (by hammering it until you filled
up its log directory). Logging of authentication related items (such as failures and the like) is
the domain of the actual authentication system.
[SIDP-277] Incorrect null check for request context in
UsernamePasswordServlet Created: 15/Jan/09 Updated: 03/Mar/09 Resolved: 03/Mar/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                Bug                             Priority:            Minor
Reporter:            Jon Stockdill                   Assignee:            Chad La Joie
Resolution:          Fixed                           Votes:               1
Labels:              None

Java Version:        Sun 1.5
Servlet Container:   Apache Tomcat 5.5

 Description
In the following code, should (request == null) be (requestContext == null)?

requestContext + request.getServletPath() seems to be being set to:
null/Authn/UserPassword

I also think the requestContext = "/" should be replaced w/ "". See the patch below.

I haven't used the trunk code, which has changed significantly, but it looks like it needs the same
fix.

--jon


protected void redirectToLoginPage(HttpServletRequest request, HttpServletResponse response,
      List<Pair<String, String>> queryParams) {

    String requestContext = DatatypeHelper.safeTrimOrNullString(request.getContextPath());
    if(request == null){
       requestContext = "/";
    }
    request.setAttribute("actionUrl", requestContext + request.getServletPath());



Index: UsernamePasswordLoginServlet.java
===================================================================
--- UsernamePasswordLoginServlet.java (revision 2828)
+++ UsernamePasswordLoginServlet.java (working copy)
@@ -126,8 +126,8 @@
        List<Pair<String, String>> queryParams) {

       String requestContext = DatatypeHelper.safeTrimOrNullString(request.getContextPath());
- if(request == null){
- requestContext = "/";
+ if(requestContext == null){
+ requestContext = "";
       }
       request.setAttribute("actionUrl", requestContext + request.getServletPath());
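Review bot: The added `requestContext == null` branch should carry a one-line comment explaining the "" fallback, because the reason is not visible in the code: safeTrimOrNullString turns the empty context path of a root-deployed webapp into null, and the servlet path concatenated on the last line of the hunk already begins with "/" (the report shows null/Authn/UserPassword), so a "/" fallback would produce a double slash. Also note that request is still dereferenced by getContextPath() on the line above the check; if a null request can reach this method at all, that has to be handled before that call, and if it cannot, the old check was simply dead code and nothing more is needed.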



Comments
Comment by Chad La Joie [ 03/Mar/09 ]
Fixed in rev 2835
[SIDP-276] Example RDB Connector, quote principal Created: 14/Jan/09 Updated: 02/Mar/09
Resolved: 02/Mar/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Attribute Resolution
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                 Bug                     Priority:         Trivial
Reporter:             Halm Reusser            Assignee:         Chad La Joie
Resolution:           Fixed                   Votes:            0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Apache Tomcat 5.5

 Description
  <!-- Example Relational Database Connector -->
  <resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase"
xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    ....
    <QueryTemplate>
        <![CDATA[
           SELECT * FROM student WHERE gzbtpid = $requestContext.principalName
        ]]>
    </QueryTemplate>


--> SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'

Comments
Comment by Chad La Joie [ 02/Mar/09 ]
Fixed in rev 2834
[SIDP-275] Using standard JAAS LoginException in UP LoginHandler servlet
Created: 13/Jan/09 Updated: 23/Sep/10 Resolved: 18/Feb/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.2.0

Type:                      Improvement                            Priority:       Minor
Reporter:                  Halm Reusser                           Assignee:       Chad La Joie
Resolution:                Fixed                                  Votes:          0
Labels:                    None

Attachments:                  login.jsp.patch               patch.txt    UsernamePasswordServlet.java.patch

Issue Links:               Related
                           is related to SIDP-368 Provide more acurate login error to s...           Closed

Description
Attached patches. Please verify. My auto build on eclipse doesn't work with maven :-( Sorry

Comments
Comment by Halm Reusser [ 22/Jan/09 ]
Here, the NEW patch files.

Note:

In the current release, the request attribute with key "loginFailure" and value "true" indicates
that authentication failed.

Now it is the request attribute with key "loginException" and value LoginException.
Comment by Chad La Joie [ 18/Feb/10 ]
Fixed in rev 2916
[SIDP-274] Log Exception in UP LoginHandler Servlet Created: 13/Jan/09           Updated: 13/Jan/09
Resolved: 13/Jan/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                 Bug                        Priority:             Trivial
Reporter:             Halm Reusser               Assignee:             Chad La Joie
Resolution:           Fixed                      Votes:                0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Apache Tomcat 5.5

 Description
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet
 protected boolean authenticateUser(HttpServletRequest request)
 ...
 } catch (Throwable e) {
        log.debug("User authentication for {} failed", new Object[] {username}, e);
 ...

--> log.debug("User authentication for " + username + " failed", e);

Comments
Comment by Chad La Joie [ 13/Jan/09 ]
Fix in 2828
[SIDP-273] Update local IdP metadata file with installer task Created: 08/Jan/09           Updated:
10/Feb/11 Resolved: 10/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.2.1
Fix Version/s:     None

Type:                     New Feature              Priority:            Major
Reporter:                 Patrik Schnellmann       Assignee:            Chad La Joie
Resolution:               Won't Fix                Votes:               0
Labels:                   None


 Description
This is related to
https://bugs.internet2.edu/jira/browse/SIDP-272

A possibility to (automatically) update the local IdP metadata file should be available. E.g. after
the IdP credentials change.

 Comments
Comment by Rod Widdowson [ 07/Feb/11 ]
Should be relatively easy to add. NOTE that this will "extract" the entity Id from the hostname,
I'll add the ability to override this from the environment (similar to IdPCertLifetime)
Comment by Scott Cantor [ 07/Feb/11 ]
Seems like we'll need to either make it clear that people shouldn't modify that metadata
themselves (which seems problematic) or have some way to detect whether to overwrite/update
it.
Comment by Rod Widdowson [ 07/Feb/11 ]
I'm in two minds about this case. On one hand if the user wants to run this proposed script just
because they have changed the certificate then the chances are they haven't edited the metadata
(because it will be faster to edit the metadata than run this script). Equally I can avoid too much
foot-bullet interaction by saving the old version away. However if they *have* tinkered with the
generated metadata and got themselves in a terrible stramash, maybe we need this as a way to
reset the metadata (so call it "install metadata-reset" rather than "install metadata-refresh").

But your comment has made me think that this is probably a step too far - we are going to
completely re-jig this whole bit of installation for 3.x, so I'll hold off on doing anything on this
case for a while and let the case mature.
Patrik (if you're there) what do you think?

Comment by Scott Cantor [ 07/Feb/11 ]
Certainly backing it up is probably sufficient to avoid any real damage (that's more or less like an
RPM config(replace)).
Comment by Patrik Schnellmann [ 08/Feb/11 ]
A task such as "install metadata-reset" is certainly useful. My suggestion would be "install
default-metadata" for the case the admin wants to get a proper default configuration again. If an
admin manually adapts the metadata, we should assume he knows what he's doing and the
installer should not overwrite the changes. The manual changes could be detected using hashing,
a signature or a "smart diff" to the template the IdP provides in the sources
(src/installer/resources/metadata-tmpl/idp-metadata.xml).

The motivation to file this issue and SIDP-272 was to support the IdP admin with the key
rollover. The procedure of two federations supporting this is documented here
https://spaces.internet2.edu/display/InCCollaborate/Certificate+Migration and here
http://www.switch.ch/aai/support/certificate-migration.html#idp .

As a first step - this refers to SIDP-272 - having a task that places the newly generated
credentials into the idp-metadata.xml file would be helpful. The Rolls-Royce version would be to
fully implement the key rollover procedure in the installer task:
1) generate a new set of credentials (with new filenames as the old credentials are still to be used
by the IdP and the web app connector)
2) update local metadata with new KeyDescriptor element containing new credentials (keeping
the old one)
3) update local metadata removing old KeyDescriptor element
4) put new credentials in place of old credentials

Between steps 2) and 3), the admin will publish the metadata and wait until he assumes it has
propagated to the SPs.
Other and manual tasks will still be required from the admin such as restarting the web app
container.
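
The ideas raised in this thread (detect manual edits by hashing, back up the old file, and offer an explicit reset) can be combined as follows. This is an added example, not installer code from the project: the class, method and digest-file names are hypothetical, SHA-256 is an assumed choice, and the metadata strings are constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (hypothetical names): overwrite generated metadata only when the
// file still matches the digest recorded at the time the installer last wrote it.
public class MetadataRefresh {

    // Hex-encoded SHA-256 of the file's bytes.
    static String sha256(Path file) throws IOException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Returns true if the metadata file was (re)written, false if it was left alone.
    // force=true models an explicit "reset" task that overwrites hand-edited files.
    static boolean refresh(Path metadata, Path digestFile, byte[] newContent, boolean force)
            throws IOException, NoSuchAlgorithmException {
        if (Files.exists(metadata)) {
            // No recorded digest means unknown provenance: treat the file as hand-edited.
            boolean edited = !Files.exists(digestFile)
                    || !new String(Files.readAllBytes(digestFile), StandardCharsets.UTF_8)
                            .trim().equals(sha256(metadata));
            if (edited && !force) {
                return false;
            }
            // Always keep the previous version, whether or not it was edited.
            Path backup = metadata.resolveSibling(metadata.getFileName() + ".bak");
            Files.copy(metadata, backup, StandardCopyOption.REPLACE_EXISTING);
        }
        Files.write(metadata, newContent);
        Files.write(digestFile, sha256(metadata).getBytes(StandardCharsets.UTF_8));
        return true;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("idp-metadata-demo");
        Path metadata = dir.resolve("idp-metadata.xml");
        Path digest = dir.resolve("idp-metadata.xml.sha256");
        // Constructed stand-ins for generated metadata with the old and the new key.
        byte[] oldKey = "<EntityDescriptor><!-- old key --></EntityDescriptor>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] newKey = "<EntityDescriptor><!-- new key --></EntityDescriptor>"
                .getBytes(StandardCharsets.UTF_8);

        System.out.println("first install:     " + refresh(metadata, digest, oldKey, false));
        System.out.println("untouched file:    " + refresh(metadata, digest, newKey, false));
        Files.write(metadata, "<EntityDescriptor><!-- hand edited --></EntityDescriptor>"
                .getBytes(StandardCharsets.UTF_8));
        System.out.println("hand-edited file:  " + refresh(metadata, digest, newKey, false));
        System.out.println("explicit reset:    " + refresh(metadata, digest, newKey, true));
        System.out.println("backup kept:       " + Files.exists(dir.resolve("idp-metadata.xml.bak")));
    }
}
```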
Comment by Chad La Joie [ 10/Feb/11 ]
This issue will not be addressed in IdP v2. Regenerating metadata can not be easily and reliably
done given data currently available within the installer. This will be taken up in v3.
[SIDP-272] Regenerate self-signed certificate with installer task Created: 08/Jan/09         Updated:
14/Mar/11 Resolved: 07/Feb/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     2.3.0

Type:                     New Feature             Priority:            Major
Reporter:                 Patrik Schnellmann      Assignee:            Rod Widdowson
Resolution:               Fixed                   Votes:               0
Labels:                   None


 Description
Add the possibility to generate a new key-pair as IdP credentials. Specifying the validity is also
required, e.g. in years. Our federation requires certificates to be included into metadata to have a
maximum validity which is 3 years according to the current rules.

 Comments
Comment by Chad La Joie [ 04/Feb/11 ]
Also see SIDP-293 for a related issue.
Comment by Rod Widdowson [ 04/Feb/11 ]
I'm going to aim for 2.3 with this one
Comment by Rod Widdowson [ 07/Feb/11 ]
Fixed as checkin 2987.
Documented as https://spaces.internet2.edu/display/SHIB2/IdPCertRenew

% EXPORT IdPCertLifetime 42
% install renew-cert
[SIDP-271] AuthenticationEngine doesn't correctly handle passive return from
login servlet Created: 29/Dec/08 Updated: 01/Jul/09 Resolved: 01/Jul/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:               Bug                             Priority:            Minor
Reporter:           Jim Fox                         Assignee:            Chad La Joie
Resolution:         Fixed                           Votes:               0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 6.0

 Description
The completeAuthentication method of AuthenticationEngine does not correctly handle a case
where a login servlet has processed a passive login request and declined to handle it - due to no
established session. The combination of passive login request and no remote user should throw a
PassiveAuthenticationException, not an AuthenticationException.

 Comments
Comment by Chad La Joie [ 29/Dec/08 ]
Are you saying you have a login handler that says it handles passive authentication and then
doesn't? If so, this isn't a bug in the IdP, it's a bug in your handler. If a handler says it supports
passive then it has to support passive. If it can't authenticate the user then that's an authentication
exception.
Comment by Jim Fox [ 29/Dec/08 ]
Handling passive authentication means I'll check to see if the user has a session (with pubcookie
in my case). If there's already a session I'll send a remote user to the auth engine. If there's no
session I just return to the auth engine with no remote user. That's what passive means.

Possibly there could be a cascade of some sort: check for existing shib session; check for existing
pubcookie session.
Comment by Chad La Joie [ 06/Jan/09 ]
Actually, that's not what passive means at all. Passive authentication simply means that the IdP
can authenticate the user without taking visible control of the UI. So, for example, IP-based or
DSL line number authentication might be used. To the IdP there is no such thing as SSO, it's
*always* validating something during authentication time.


I think I see the issue you're ultimately getting at though. The authentication engine is
rewrapping the exception that comes back from the login handler so the fact that a passive
authentication exception is returned is lost. That I can fix.
Comment by Chad La Joie [ 01/Jul/09 ]
Fixed in rev 2859

The login handler may now send back an exception to the authentication engine. If it does, that
exception will be set as the authentication failure on the login context and escape the engine. So,
in your case, your PubCookie handler would set a PassiveAuthenticationException
[SIDP-269] Expose the user's IP address in the resolver Created: 17/Dec/08            Updated: 19/May/11
Resolved: 21/Mar/11

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.1
Fix Version/s:     2.3.0

Type:                 New Feature                   Priority:             Minor
Reporter:             Bernd Oberknapp               Assignee:             Chad La Joie
Resolution:           Invalid                       Votes:                0
Labels:               None


 Description
The user's IP address is necessary for releasing the library-walk-in affiliation
or the common-lib-terms entitlement for users at a library terminal. See
http://groups.google.com/group/shibboleth-users/msg/8407f64a7c66c5bb .

Comments
Comment by Bernd Oberknapp [ 29/Oct/09 ]
Chad, is there a chance that this feature will be implemented?
Comment by Chad La Joie [ 29/Oct/09 ]
At some point, probably
Comment by Chad La Joie [ 21/Mar/11 ]
While it's ugly this data is already available via the request context.

((HTTPInTransport)ShibbolethResolutionContext.getAttributeRequestContext().getInboundMessageTransport()).getPeerAddress();
Comment by Bernd Oberknapp [ 21/Mar/11 ]
Isn't this the IP address of the SP that is requesting the attributes?
Comment by Bernd Oberknapp [ 22/Mar/11 ]
If a SOAP binding is used for fetching the attributes this indeed is the IP address of the SP, not
the IP address of the user. Is there a workaround for this problem?
Comment by Chad La Joie [ 22/Mar/11 ]
No, if SOAP is being used then the SP is the client and that's the IP address you'll get.
Comment by Bernd Oberknapp [ 22/Mar/11 ]
Then that's not a solution for the problem since there are SPs which require SOAP for fetching
the attributes. Isn't it possible to add the IP address from the authentication request (if present) to
one of the objects available in the resolver?
Comment by Chad La Joie [ 22/Mar/11 ]
No, because there is no guarantee that there was an authentication request. The only thing the IdP
will give you access to is the IP of the user-agent.
Comment by Bernd Oberknapp [ 22/Mar/11 ]
Of course it would be fine if the value is null if there wasn't an authentication request.
Comment by Manuel Haim [ 19/May/11 ]
Hi, we're currently using a modified UsernamePasswordLoginServlet in our test setup (can be
easily exchanged in web.xml) which modifies the stored Principal name to hold a realm (based
on a login.jsp field) and the IP address (based on the login request) (e.g. "jsmith" becomes
"jsmith@staff!1.2.3.4"):

protected boolean authenticateUser(HttpServletRequest request) {
    // do authentication
    ...
    // after successful authentication, set the principal name
    Set<Principal> principals = new HashSet<Principal>();
    principals.add(new UsernamePrincipal(username + "@" + realm + "!" + request.getRemoteAddr()));
    ...
}

In the Attribute Resolver, we separate the username from the IP address again. This way, any
back-channel query may get the user's IP address. (Please note that a simple change in uApprove
is also needed to make sure it only uses username@realm as principal name, without the IP
address.)
[SIDP-268] Expose Metadata on entityID URL Created: 17/Dec/08        Updated: 19/Dec/08 Resolved:
19/Dec/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.1
Fix Version/s:     2.1.2

Type:               New Feature                  Priority:          Minor
Reporter:           Patrik Schnellmann           Assignee:          Chad La Joie
Resolution:         Completed                    Votes:             0
Labels:             None


 Description
Add a feature to get the IdP's metadata from the default entityID
https://HOSTNAME/idp/shibboleth .

As an example, in web.xml put:
----
   <servlet>
     <servlet-name>shibboleth_jsp</servlet-name>
     <jsp-file>/shibboleth.jsp</jsp-file>
   </servlet>

   <servlet-mapping>
     <servlet-name>shibboleth_jsp</servlet-name>
     <url-pattern>/shibboleth</url-pattern>
   </servlet-mapping>
---
The shibboleth.jsp file is:
<jsp:forward page="/profile/Metadata/SAML" />

Comments
Comment by Chad La Joie [ 19/Dec/08 ]
Added in rev 2823
[SIDP-267] check if cookies are set on error.jsp Created: 16/Dec/08     Updated: 19/Dec/08 Resolved:
19/Dec/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     2.1.2

Type:               Improvement                  Priority:           Minor
Reporter:           Halm Reusser                 Assignee:           Chad La Joie
Resolution:         Fixed                        Votes:              0
Labels:             None


 Description
Adjustment of the error.jsp template to check if cookies are set/enabled.
If not print out some meaningful/helpful error message to the user.

Comments
Comment by Chad La Joie [ 19/Dec/08 ]
Warning added in rev 2824
[SIDP-266] General errors triggers error-404.jsp instead of error.jsp Created: 16/Dec/08
Updated: 16/Jul/09 Resolved: 16/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.2
Fix Version/s:     2.1.3

Type:                      Bug                   Priority:           Minor
Reporter:                  Halm Reusser          Assignee:           Chad La Joie
Resolution:                Fixed                 Votes:              0
Labels:                    None

Java Version:              Sun 1.6
Servlet Container:         Apache Tomcat 5.5

 Description
If some general error occurs, the wrong error page (404) is displayed.
Examples:
 - Back Button
 - No Login context/session found

Comments
Comment by Chad La Joie [ 16/Jul/09 ]
Fixed in rev 2869
[SIDP-265] Distinguish requested AuthMethod and default AuthMethod Created:
04/Dec/08 Updated: 01/Jul/09 Resolved: 01/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication, SAML 2
Affects Version/s: 2.1.1
Fix Version/s:     2.1.3

Type:                      Improvement                  Priority:         Minor
Reporter:                  Halm Reusser                 Assignee:         Chad La Joie
Resolution:                Fixed                        Votes:            0
Labels:                    None

Attachments:                   sidp-265-distinguish-between-default-and-requested-authnmethod.patch

 Comments
Comment by Adam Lantos [ 16/Jun/09 ]
Proposed patch to support default authentication method.
Comment by Adam Lantos [ 16/Jun/09 ]
I propose a patch for this enhancement:

- add defaultAuthenticationMethod field to LoginContext
- populate this field in SSO profile handlers, and leave the requested authentication methods
empty
- use the field in authentication engine: if the possible login handlers map contains the default
method, use that for authentication

With this patch I was able to achieve correct PreviousSession behavior with multiple login
handlers (X.509, UsernamePassword and a default unspecified handler which uses both
UserPassword and X.509).

Without this distinguishment the authentication engine ends up calling my default unspecified
handler again instead of respecting previous authentication with other login handlers.
Comment by Chad La Joie [ 01/Jul/09 ]
Fixed in rev 2857
[SIDP-263] Suggest adding defaultSigningCredentialRef to the
AnonymousRelyingParty element in the default config Created: 03/Dec/08         Updated: 03/Mar/09
Resolved: 03/Mar/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0, 2.1.0, 2.1.1
Fix Version/s:     2.1.3

Type:                 Improvement                Priority:          Trivial
Reporter:             Scott Cantor               Assignee:          Chad La Joie
Resolution:           Fixed                      Votes:             0
Labels:               None


 Description
It's easy to forget to add the defaultSigningCredentialRef to the Anonymous element if you try to
enable SSO by adding a profile handler, since the entityID is already set, so I'd suggest we just
add it in the default config.


Comments
Comment by Chad La Joie [ 03/Mar/09 ]
Added in rev 2836
[SIDP-262] MIME type on metadata profile handler is incorrect Created: 03/Dec/08
Updated: 19/Dec/08 Resolved: 19/Dec/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.0, 2.1.1
Fix Version/s:     2.1.2

Type:                    Bug                    Priority:          Minor
Reporter:                Scott Cantor           Assignee:          Chad La Joie
Resolution:              Fixed                  Votes:             0
Labels:                  None

Java Version:            Sun 1.6
Servlet Container:       Apache Tomcat 6.0

 Description
The /profiles/Metadata/SAML handler that returns metadata is using text/xml as a MIME type,
but the SAML resolution profile requires application/samlmetadata+xml

The advantage is nobody can read the metadata in their browser because it prompts for an
unknown MIME type, so it's a big win...;-(


Comments
Comment by Chad La Joie [ 19/Dec/08 ]
Fixed in rev 2825
[SIDP-260] NPE in login-err.jsp Created: 02/Dec/08    Updated: 15/Dec/08 Resolved: 15/Dec/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.1
Fix Version/s:     2.1.2

Type:               Bug                           Priority:                Minor
Reporter:           Bob Allison                   Assignee:                Chad La Joie
Resolution:         Fixed                         Votes:                   0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 6.0

 Description
I am using the /Authn/RemoteUser process for sign-in.

If I log in and provide an incorrect password, I get the following exception:
org.apache.jasper.JasperException: An exception occurred processing JSP page /login-error.jsp
at line 12
      ...
Caused by: java.lang.NullPointerException
at org.apache.jsp.login_002derror_jsp._jspService(login_002derror_jsp.java:69)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
... 23 more

I can eliminate the exception by adding the following lines after line 4:
if (error == null) {
   error = new Throwable("Username or password is incorrect.");
}

Comments
Comment by Chad La Joie [ 15/Dec/08 ]
Fixed in rev 2822
[SIDP-259] Installer does not remove old library versions from IDP_HOME/lib
Created: 02/Dec/08 Updated: 02/Dec/08 Resolved: 02/Dec/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0, 2.1.0
Fix Version/s:     2.1.1

Type:                     Bug                               Priority:   Minor
Reporter:                 Chad La Joie                      Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.5
Servlet Container:        Apache Tomcat 5.5

 Description
The IdP copies updated libraries in to the IDP_HOME/lib directory but it does not remove the
old versions.

Comments
Comment by Chad La Joie [ 02/Dec/08 ]
Fixed in rev 2818
[SIDP-258] Authentication Engine does not check to ensure returned
authentication mechanism from Login Handler is acceptable to the SP Created:
30/Nov/08 Updated: 03/Jul/09 Resolved: 03/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0, 2.1.0
Fix Version/s:     2.1.3

Type:                      Bug                     Priority:        Minor
Reporter:                  Chad La Joie            Assignee:        Chad La Joie
Resolution:                Fixed                   Votes:           0
Labels:                    None

Java Version:              Sun 1.5
Servlet Container:         Apache Tomcat 5.5

 Description
The Authentication Engine chooses a Login Handler based on information from the SP, if it's
provided. If the AuthN Engine can't meet the requirement an error is returned. However, Login
Handlers can override their default authentication method and return a different one. The engine
does not currently check, after the actual authentication method is determined, if that method is
acceptable to the SP.

For example, a LoginHandler does username/password and OTP authentication and it's
registered under username/password. The SP requests username/password (and only
username/password). The engine selects the appropriate handler but the user does something to
trigger and use OTP. The LoginHandler returns the OTP authentication method.

The correct behavior should be that the engine returns the same error message that would be
returned if no LoginHandler was found to meet the SP's criteria.

Comments
Comment by Chad La Joie [ 01/Dec/08 ]
Fixed in rev 2816
Comment by Adam Lantos [ 16/Jun/09 ]
The fix was reverted in r2817, what's the status of this now?
Comment by Chad La Joie [ 03/Jul/09 ]
Fixed, for real this time, in rev 2861
[SIDP-257] Previous session is used if the user has an existing session but the SP
requests an authentication method that is not currently active. Created: 27/Nov/08 Updated:
27/Nov/08 Resolved: 27/Nov/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0, 2.1.0
Fix Version/s:     2.1.1

Type:                    Bug                     Priority:          Major
Reporter:                Chad La Joie            Assignee:          Chad La Joie
Resolution:              Fixed                   Votes:             0
Labels:                  None

Java Version:            Sun 1.5
Servlet Container:       Apache Tomcat 5.5

 Description
If a user has an existing session, established by authentication mechanism A, and the SP requests
authentication mechanism B (which has not yet been used by the user) the IdP will use the
previous session login handler.

Comments
Comment by Chad La Joie [ 27/Nov/08 ]
Fixed in rev 2815
[SIDP-255] Login Handler sets AuthMethod, but is not in Assertion Created: 27/Nov/08
Updated: 28/Nov/08 Resolved: 28/Nov/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.1.0
Fix Version/s:     2.1.1

Type:                    Bug                   Priority:        Minor
Reporter:                Halm Reusser          Assignee:        Chad La Joie
Resolution:              Fixed                 Votes:           0
Labels:                  None

Java Version:            Sun 1.5
Servlet Container:       Apache Tomcat 5.5

Description
Login Handler sets AuthMethod to "...X509"

In Audit Log it appears right: INFO [Shibboleth-Audit:901]...|urn:oasis:names:tc:SAML:2.0:ac:classes:X509|...

But in the SAML2 Assertion, there is no AuthStatement found:

 <saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   AuthnInstant="2008-11-26T15:18:25.621Z"
   SessionIndex="...">
  <saml:SubjectLocality xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     Address="2001:620:0:4:21b:63ff:fe94:bae2"/>
  <saml:AuthnContext xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
 </saml:AuthnStatement>

Comments
Comment by Chad La Joie [ 28/Nov/08 ]
Fixed in rev 2814
[SIDP-253] NullPointerException in
AbstractSAML1ProfileHandler.buildErrorResponse Created: 17/Nov/08                Updated: 26/Nov/08
Resolved: 26/Nov/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.1.0
Fix Version/s:     None

Type:                 Bug                          Priority:           Minor
Reporter:             Russell Beall                Assignee:           Chad La Joie
Resolution:           Duplicate                    Votes:              0
Labels:               None

Java Version:         Sun 1.5
Servlet Container:    Apache Tomcat 5.5

 Description
On a message replay rejection, the SAML1 profile handler tries to build an error response but
has a failure. Here is a log snippet showing some detail:

 14:37:08.140 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:175] - Message did not meet security requirements
 org.opensaml.ws.security.SecurityPolicyException: Rejecting replayed message ID '_5e8f71d7352a1cdc63fe2b4c513e4db0' from issuer https://blackboard.usc.edu/shibboleth-sp
     at org.opensaml.common.binding.security.MessageReplayRule.evaluate(MessageReplayRule.java:93)
 14:37:08.142 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
 java.lang.NullPointerException
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler.buildErrorResponse(AbstractSAML1ProfileHandler.java:419)

This is probably occurring on the backend channel where the 1.3 SP is re-querying for attributes
after the assertion lifetime is up but the IdP session has expired (even though the SP session is
still valid).

This error is probably ignored by the SP where they set their strictValidity flag to false.
Comments
Comment by Chad La Joie [ 26/Nov/08 ]
This is actually the same bug as SIDP-251
[SIDP-252] IdPSessionFilter throws ArrayIndexOutOfBoundsException on
validation of unexpected cookie Created: 17/Nov/08 Updated: 26/Nov/08 Resolved: 26/Nov/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.0
Fix Version/s:     2.1.1

Type:                Bug                            Priority:            Minor
Reporter:            Russell Beall                  Assignee:            Chad La Joie
Resolution:          Fixed                          Votes:               0
Labels:              None

Java Version:        Sun 1.5
Servlet Container:   Apache Tomcat 5.5

 Description
We have regular cookie validation errors reported in the logs. I can reproduce this error by
deleting the value of the _idp_session cookie. This error causes a user to see an IdP error page.

I can fix my reproduced version by adding these lines to IdPSessionFilter (REL_2 branch) line
137:

     if (valueComponents.length < 3) {
       return null;
     }

I expect this will fix the errors showing in the logs, but I will have to try it in production.



 Comments
Comment by Russell Beall [ 18/Nov/08 ]
This code mentioned above does indeed solve the problem. So far this morning 125 users have
been saved from hitting the error page and having to flush their cookies to get around it.

Here is a larger code snippet to show some context on this. I also added a warning to indicate in
the logs that this happened:

  protected Session validateCookie(Cookie sessionCookie, HttpServletRequest httpRequest) {
    if (sessionCookie == null) {
      return null;
    }

    // index 0: remote address
    // index 1: session ID
    // index 2: Base64(HMAC(index 0 + index 1))
    String[] valueComponents = HTTPTransportUtils.urlDecode(sessionCookie.getValue()).split("\\|");

    if (valueComponents.length < 3) {
      log.warn("Session cookie was incomplete");
      return null;
    }

    byte[] remoteAddressBytes = Base64.decode(valueComponents[0]);
    byte[] sessionIdBytes = Base64.decode(valueComponents[1]);
    byte[] signatureBytes = Base64.decode(valueComponents[2]);
Comment by Chad La Joie [ 26/Nov/08 ]
Fixed in rev 2806
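
The cookie layout and length guard discussed in this issue, as an added stand-alone example (not the IdPSessionFilter source and not code from the project). The class name, HMAC-SHA256 over the raw bytes, the demo key, the address comparison, and java.util.Base64/URLDecoder in place of the project's helpers are assumptions; it needs Java 11 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration of the three-part cookie check; not the IdPSessionFilter source. */
public class SessionCookieCheck {

    // Assumption: HMAC-SHA256. The page does not say which MAC the IdP uses.
    private static final String MAC_ALG = "HmacSHA256";

    private static byte[] hmac(byte[] key, byte[] addr, byte[] sessionId)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(key, MAC_ALG));
        mac.update(addr);
        mac.update(sessionId);
        return mac.doFinal();
    }

    /** Builds Base64(addr)|Base64(id)|Base64(HMAC(addr + id)), URL-encoded for the cookie. */
    static String issue(byte[] key, String remoteAddr, String sessionId)
            throws GeneralSecurityException {
        Base64.Encoder b64 = Base64.getEncoder();
        byte[] addr = remoteAddr.getBytes(StandardCharsets.UTF_8);
        byte[] sid = sessionId.getBytes(StandardCharsets.UTF_8);
        String raw = b64.encodeToString(addr) + "|" + b64.encodeToString(sid) + "|"
                + b64.encodeToString(hmac(key, addr, sid));
        return URLEncoder.encode(raw, StandardCharsets.UTF_8);
    }

    /** Returns the session ID for a well-formed, authentic cookie, otherwise null. */
    static String validate(byte[] key, String cookieValue, String requestAddr)
            throws GeneralSecurityException {
        if (cookieValue == null) {
            return null;
        }
        byte[] addr;
        byte[] sid;
        byte[] sig;
        try {
            String[] parts = URLDecoder.decode(cookieValue, StandardCharsets.UTF_8).split("\\|");
            // split() returns [""] for an empty value and drops trailing empty fields,
            // so a blanked or truncated cookie yields fewer than three elements.
            // "!= 3" is slightly stricter than the "< 3" guard quoted above.
            if (parts.length != 3) {
                return null;
            }
            Base64.Decoder b64 = Base64.getDecoder();
            addr = b64.decode(parts[0]);
            sid = b64.decode(parts[1]);
            sig = b64.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            // Bad percent-encoding or bad Base64: treat as "no session", not as a server error.
            return null;
        }
        // MessageDigest.isEqual compares in constant time, so the check leaks no prefix match.
        if (!MessageDigest.isEqual(hmac(key, addr, sid), sig)) {
            return null;
        }
        // Assumption: the embedded address must match the address of the current request.
        if (!MessageDigest.isEqual(addr, requestAddr.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return new String(sid, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and values, for demonstration only.
        byte[] key = "constructed-demo-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);
        String good = issue(key, "192.0.2.10", "constructed-session-id");

        String[] samples = {
            good,                                   // intact cookie
            "",                                     // value deleted, as in the report
            good.substring(0, good.indexOf("%7C")), // only the first component left
            good.replace("%7C", "%7C%7C"),          // extra empty components
            "%zz",                                  // malformed percent-encoding
            "!!!%7C!!!%7C!!!",                      // three parts, none valid Base64
        };
        for (String s : samples) {
            System.out.println(validate(key, s, "192.0.2.10"));
        }
        // Intact cookie presented from a different address.
        System.out.println(validate(key, good, "192.0.2.99"));
    }
}
```

Only the intact cookie from the matching address yields a session ID; every malformed or mismatched input returns null instead of raising an exception that would surface as an error page.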
[SIDP-251] NPE when SAML1 Attribute Query Handler hit with GET request
Created: 14/Nov/08 Updated: 26/Nov/08 Resolved: 26/Nov/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.0
Fix Version/s:     2.1.1

Type:                     Bug                               Priority:   Minor
Reporter:                 Patrik Schnellmann                Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.6
Servlet Container:        Apache Tomcat 5.5

Description
A simple GET request on /profile/SAML1/SOAP/AttributeQuery leads to the
NullPointerException.

07:50:56.579 - INFO [Shibboleth-Access:72] - 20081114T065056Z|127.0.0.1|toba.switch.ch:8443|/profile/SAML1/SOAP/AttributeQuery|
07:50:56.583 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Error decoding attribute query message
org.opensaml.ws.message.decoder.MessageDecodingException: This message deocoder only supports the HTTP POST method
     at org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decoder.java:119) [opensaml-2.2.2.jar:na]
     at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:74) [openws-1.2.1.jar:na]
     at org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1MessageDecoder.java:88) [opensaml-2.2.2.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.decodeRequest(AttributeQueryProfileHandler.java:158) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:80) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:54) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.0.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) [servlet-api-2.4.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [catalina.jar:na]
     at ch.SWITCH.aai.arpfilter.ArpFilter.doFilter(ArpFilter.java:276) [arpfilter.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [catalina.jar:na]
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.0.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [catalina.jar:na]
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) [catalina.jar:na]
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) [catalina.jar:na]
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) [catalina.jar:na]
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) [catalina.jar:na]
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) [catalina.jar:na]
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) [catalina.jar:na]
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199) [tomcat-ajp.jar:na]
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282) [tomcat-ajp.jar:na]
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767) [tomcat-ajp.jar:na]
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697) [tomcat-ajp.jar:na]
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889) [tomcat-ajp.jar:na]
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) [tomcat-util.jar:5.1]
     at java.lang.Thread.run(Thread.java:619) [na:1.6.0_07]
07:50:56.590 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party null, treating party as anonymous
07:50:56.590 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:224] - Decoder did not contain an attribute query, an error occured decoding the message
07:50:56.591 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.NullPointerException
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler.buildErrorResponse(AbstractSAML1ProfileHandler.java:419) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:114) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:54) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.0.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) [servlet-api-2.4.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [catalina.jar:na]
     at ch.SWITCH.aai.arpfilter.ArpFilter.doFilter(ArpFilter.java:276) [arpfilter.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [catalina.jar:na]
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.0.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) [catalina.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [catalina.jar:na]
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) [catalina.jar:na]
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) [catalina.jar:na]
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) [catalina.jar:na]
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) [catalina.jar:na]
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) [catalina.jar:na]
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) [catalina.jar:na]
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199) [tomcat-ajp.jar:na]
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282) [tomcat-ajp.jar:na]
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767) [tomcat-ajp.jar:na]
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697) [tomcat-ajp.jar:na]
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889) [tomcat-ajp.jar:na]
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) [tomcat-util.jar:5.1]
     at java.lang.Thread.run(Thread.java:619) [na:1.6.0_07]

Comments
Comment by Chad La Joie [ 26/Nov/08 ]
Fixed in rev 2810
[SIDP-250] AuthenticationEngine::returnToAuthenticationEngine() static
method called before servlet init() when clustered. Created: 13/Nov/08 Updated: 26/Nov/08 Resolved:
26/Nov/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.0
Fix Version/s:     2.1.1

Type:               Bug                           Priority:           Minor
Reporter:           Bill Kuker                    Assignee:           Chad La Joie
Resolution:         Fixed                         Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 6.0

 Description
I have found an issue with Terracotta and Idp 2.1. I am using mod_jk load balancing to two
tomcat instances. Under some circumstances the RemoteUserAuthServlet calls static functions in
AuthenticationEngine before tomcat has called the AuthenticationEngine's init() function. In this
case the storageService static variable is null and the attempt to look up the login context fails
like so:

java.lang.NullPointerException
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.retrieveLoginContext(AuthenticationEngine.java:186)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:208)
     at edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet.service(RemoteUserAuthServlet.java:50)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
     at java.lang.Thread.run(Thread.java:595)

The chain of events, immediately after startup:

0. Mod_JK sends a request for /profile/SAML2/Redirect/SSO to server A
1. Server A receives the request for /profile/SAML2/Redirect/SSO
2. Server A inits the AuthenticationEngine servlet in the process of servicing [1]
3. Server A redirects the client to /idp/Authn/RemoteUser
4. Mod_JK sends a request for /idp/Authn/RemoteUser to server B
5. Server B uses the RemoteUserAuthServlet servlet which calls the static method
returnToAuthenticationEngine in AuthenticationEngine
6. AuthenticationEngine has NOT been initialized on server B
7. Null Pointer Exception ensues.


Once servers A & B have both received an SSO request they have initialized
AuthenticationEngine, and they seem to work from then on. Enabling session stickiness in
mod_jk would be an ok workaround, because the IDP would always receive the SSO request
before the RemoteUser request. I guess one should always use session stickiness for
performance reasons, but it should not be needed for correct operation.


 Comments
Comment by Gary Windham [ 24/Nov/08 ]
I can confirm this issue. We are also running IdP 2.1 w/ Terracotta and are using a Cisco ACE
load balancer. Here are some idp-process.log entries corresponding to steps 0-3 and 4-7 of the
"chain of events" detailed by the ticket submitter:

==== Steps 0-3 (Server A) ====

09:10:57.256 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - Attempting to retrieve IdP session cookie.
09:10:57.258 - INFO [Shibboleth-Access:72] - 20081124T161057Z|150.135.112.88|shibboleth.arizona.edu:443|/profile/SAML2/Redirect/SSO|
09:10:57.260 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
09:10:57.261 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
09:10:57.261 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:143] - Incoming request does not contain a login context, processing as first leg of request
09:10:57.261 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:287] - Decoding message with decoder binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
09:10:57.271 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://shibtest.ccit.arizona.edu/shibboleth
09:10:57.271 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://shibtest.ccit.arizona.edu/shibboleth, looking up configuration based on metadata groups.
09:10:57.271 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://shibtest.ccit.arizona.edu/shibboleth. Using default relying party configuration.
09:10:57.307 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:306] - Decoded request
09:10:57.308 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://shibtest.ccit.arizona.edu/shibboleth
09:10:57.308 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://shibtest.ccit.arizona.edu/shibboleth, looking up configuration based on metadata groups.
09:10:57.308 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://shibtest.ccit.arizona.edu/shibboleth. Using default relying party configuration.
09:10:57.308 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:178] - Creating login context and transferring control to authentication engine
09:10:57.312 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:261] - Processing incoming request
09:10:57.312 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - Login context retrieved from HTTP request attribute
09:10:57.313 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:291] - Beginning user authentication process
09:10:57.313 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:349] - Supported login handlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@3456ad30, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@26844528}
09:10:57.313 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:350] - Requested authentication methods: []
09:10:57.313 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:354] - No preference given for authentication methods
09:10:57.313 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:299] - Possible authentication handlers for this request: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@3456ad30, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@26844528}
09:10:57.313 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:312] - Possible authentication handlers after filtering {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@3456ad30, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@26844528}
09:10:57.313 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:325] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
09:10:57.335 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:75] - Redirecting to https://shibboleth.arizona.edu:443/idp/Authn/RemoteUser

==== Steps 4-7 (Server B) ====

09:12:14.677 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:48] - Remote user identified as windhamg returning control back to authentication engine
09:12:14.682 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:207] - Returning control to authentication engine
09:12:14.683 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:173] - Located cookie with login context key
09:12:14.683 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:181] - Using login context key _7d9b7df2b3fac46ba5d515862e8b87cf to look up login context
09:12:14.684 - ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp].[RemoteUserAuthHandler]:260] - Servlet.service() for servlet RemoteUserAuthHandler threw exception
java.lang.NullPointerException
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.retrieveLoginContext(AuthenticationEngine.java:186) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:208) [shibboleth-identityprovider-2.1.0.jar:na]
     at edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet.service(RemoteUserAuthServlet.java:50) [shibboleth-identityprovider-2.1.0.jar:na]
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) [tomcat5-servlet-2.4-api-5.5.25.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) [catalina-5.5.25.jar:na]
     at org.jasig.cas.client.util.HttpServletRequestWrapperFilter.doFilter(HttpServletRequestWrapperFilter.java:50) [cas-client-core-3.1.3.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) [catalina-5.5.25.jar:na]
     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:167) [cas-client-core-3.1.3.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) [catalina-5.5.25.jar:na]
     at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111) [cas-client-core-3.1.3.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina-5.5.25.jar:na]
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) [catalina-5.5.25.jar:na]
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) [catalina-5.5.25.jar:na]
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151) [catalina-5.5.25.jar:na]
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200) [tomcat-ajp-5.5.25.jar:na]
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283) [tomcat-ajp-5.5.25.jar:na]
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773) [tomcat-ajp-5.5.25.jar:na]
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-ajp-5.5.25.jar:na]
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895) [tomcat-ajp-5.5.25.jar:na]
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) [tomcat-util-5.5.25.jar:5.1]
     at java.lang.Thread.run(Thread.java:595) [na:1.5.0_15]
Comment by Bill Kuker [ 24/Nov/08 ]
To follow up on my workaround comment, enabling session stickiness on mod_jk and my
hardware LB does mitigate the problem.
Also the problem does "get better" after a couple users authenticate and the servlet has initialized
on each server.
Comment by Chad La Joie [ 26/Nov/08 ]
Fixed in rev 2807
[SIDP-249] PreviousSession INFO message printed as ERROR message Created:
13/Nov/08 Updated: 26/Nov/08 Resolved: 26/Nov/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.0
Fix Version/s:     2.1.1

Type:                    Bug                       Priority:       Trivial
Reporter:                Russell Beall             Assignee:       Chad La Joie
Resolution:              Fixed                     Votes:          0
Labels:                  None

Java Version:            Sun 1.5
Servlet Container:       Apache Tomcat 5.5

 Description
When returning to the IdP from a second SP after initial authentication, the
PreviousSessionLoginHandler takes effect and logs me in to the next shibbolized service. There
is an INFO message regarding this, however it is printed as an error:

 11:11:49.738 ERROR [edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler:111] - Using existing IdP session for beall



Comments
Comment by Chad La Joie [ 26/Nov/08 ]
Fixed in rev 2808
[SIDP-248] Signing code in profile handlers and encoders should not just check
that a signing credential is supplied, but that a signing key is available in that
credential. Created: 11/Nov/08 Updated: 26/Nov/08 Resolved: 26/Nov/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.0.0, 2.1.0
Fix Version/s:     2.1.1

Type:               Improvement                   Priority:           Minor
Reporter:           Brent Putman                  Assignee:           Brent Putman
Resolution:         Fixed                         Votes:              0
Labels:             None


 Description
Sanity check that signing credential has either a private key or a secret/symmetric key. One or
the other is necessary for signing.

Some code currently throws NPE when actual signing key is null.

Note: We can't really do this in the config processing level because we don't differentiate
Credential elements used for different purposes. Private or secret key is optional for the general
case (peer credentials with only public keys).



Comments
Comment by Brent Putman [ 11/Nov/08 ]
Example from SAML 1 flow:

12:14:10.613 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:571] - Determining if SAML assertion to relying party https://sp.identity-provider.de/shibboleth should be signed
12:14:10.614 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:526] - Encoding response to SAML request null from relying party https://sp.identity-provider.de/shibboleth
12:14:10.616 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.NullPointerException
    at org.apache.xml.security.algorithms.JCEMapper.getAlgorithmClassFromURI(Unknown Source)
    at org.opensaml.xml.security.SecurityHelper.isHMAC(SecurityHelper.java:97)

Comment by Chad La Joie [ 26/Nov/08 ]
Fixed in rev 2809
[SIDP-245] Installer fails if credentials directory doesn't exist Created: 03/Nov/08            Updated:
03/Mar/09 Resolved: 03/Mar/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.0
Fix Version/s:     None

Type:                    Bug                         Priority:             Trivial
Reporter:                Russell Beall               Assignee:             Chad La Joie
Resolution:              Invalid                     Votes:                0
Labels:                  None

Java Version:            Sun 1.5
Servlet Container:       Apache Tomcat 5.5

 Description
If the credentials/ directory in the installation location does not exist with a cert in it, the installer
fails to run when "no" is selected as the option for whether or not to overwrite configuration.

We traditionally delete this directory upon installation since it is not needed, and when changes
to the IdP war file are needed we re-run the installer.

It would be better for us not to have to confuse the install location with unused files just to be
able to run the installer.

(When that directory exists, and "no" is selected, the install proceeds and did not overwrite
configuration as indicated by the upgrade instructions).

 Comments
Comment by Chad La Joie [ 03/Mar/09 ]
If you select that you do not want the IdP to overwrite its configuration it will still add any new
files to your conf. Part of prepping a new file for addition is the replacement of certain macros,
including the IdP's cert. So, the IdP must have access to its cert in the expected credentials
directory.
[SIDP-244] Error message on invalid ACS could be improved Created: 03/Nov/08             Updated:
01/Jul/09 Resolved: 01/Jul/09

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.1.0
Fix Version/s:     2.1.3

Type:                      Improvement           Priority:           Minor
Reporter:                  Scott Cantor          Assignee:           Chad La Joie
Resolution:                Fixed                 Votes:              0
Labels:                    None


 Description
The old IdP reports an "invalid ACS" error when the request asks for an endpoint that isn't
allowed for an SP (not in metadata). The new IdP bundles this into the larger set of "no peer
endpoint" errors, which is somewhat more confusing.

Comments
Comment by Chad La Joie [ 01/Jul/09 ]
Fixed in rev opensaml 1405

The interface for the endpoint selector doesn't allow me to throw an exception and I don't really
want to add that. Instead I've added WARN logging messages that indicate that a proper
endpoint could not be found given the SP's criteria.
[SIDP-243] IDP_HOME check in aacli.bat cannot handle directories with spaces.
Created: 29/Oct/08 Updated: 30/Oct/08 Resolved: 29/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.0
Fix Version/s:     2.1.0

Type:                      Improvement                      Priority:   Minor
Reporter:                  Rod Widdowson                    Assignee:   Chad La Joie
Resolution:                Fixed                            Votes:      0
Labels:                    None


 Description
In aacli.bat we find these lines:

if not exist %IDP_HOME% (
  echo Error: IDP_HOME is not defined correctly.
  exit /b
)

(Indeed I think I added them). This doesn't handle IDP_HOME having spaces. It should be

if not exist "%IDP_HOME%" (
  echo Error: IDP_HOME is not defined correctly.
  exit /b
)

Tested using the 2.0 distro but with an aacli.bat from a 2.1 distro

Comments
Comment by Rod Widdowson [ 29/Oct/08 ]
Also version.bat

checkin 2794
Comment by Rod Widdowson [ 30/Oct/08 ]
Tested with current build
[SIDP-242] Cleanup StorageService entry classes Created: 29/Oct/08   Updated: 29/Oct/08 Resolved:
29/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Improvement                   Priority:   Minor
Reporter:           Chad La Joie                  Assignee:   Chad La Joie
Resolution:         Completed                     Votes:      0
Labels:             None


 Description
- Make classes serializable
- Use AbstractExpiringObject as a base class
- Move entry classes from inner classes to top-level classes

Comments
Comment by Chad La Joie [ 29/Oct/08 ]
Done in 2792
[SIDP-241] Destination URL not unescaped? Created: 21/Oct/08        Updated: 09/Dec/08 Resolved: 09/Dec/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:              Bug                           Priority:           Minor
Reporter:          André Cruz                    Assignee:           Chad La Joie
Resolution:        Fixed                         Votes:              0
Labels:            None

Java Version:      Sun 1.5
Servlet Container: Apache Tomcat 5.5

Description
Hello.

When I try to access a SP protected URL, after the Login finishes, I end up at the wrong location.
It seems the url is not unescaped. Can this be a problem on my LoginHandler?

IDP - sso1.sso.bk.sapo.pt
SP - sso2.sso.bk.sapo.pt

17:36:34.164[26ms][total 26ms] Status: 302[Found]
GET http://sso2.sso.bk.sapo.pt/secure/headers.pl
  Response Headers:
    Date[Tue, 21 Oct 2008 16:36:36 GMT]
    Server[Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 mod_ssl/2.2.3
OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8]
    Set-
Cookie[_shibsession_64656661756c7468747470733a2f2f7370312e73736f322e73736f2e626b2e
7361706f2e70742f73686962626f6c657468=; path=/; expires=Mon, 01 Jan 2001 00:00:00 GMT]
    Location[https://sso1.sso.bk.sapo.pt/idp/profile/Shibboleth/SSO?shire=http%3A%2F%2Fsso
2.sso.bk.sapo.pt%2FShibboleth.sso%2FSAML%2FArtifact&time=1224606996&target=http%3
A%2F%2Fsso2.sso.bk.sapo.pt%2Fsecure%2Fheaders.pl&providerId=https%3A%2F%2Fsp1.sso
2.sso.bk.sapo.pt%2Fshibboleth]
    Content-Length[464]
    Keep-Alive[timeout=15, max=100]
    Connection[Keep-Alive]
    Content-Type[text/html; charset=iso-8859-1]
17:36:34.195[52ms][total 52ms] Status: 302[Moved Temporarily]
GET
https://sso1.sso.bk.sapo.pt/idp/profile/Shibboleth/SSO?shire=http%3A%2F%2Fsso2.sso.bk.sapo.
pt%2FShibboleth.sso%2FSAML%2FArtifact&time=1224606996&target=http%3A%2F%2Fsso
2.sso.bk.sapo.pt%2Fsecure%2Fheaders.pl&providerId=https%3A%2F%2Fsp1.sso2.sso.bk.sapo.
pt%2Fshibboleth Load
  Response Headers:
    Server[Apache-Coyote/1.1]
    Set-Cookie[JSESSIONID=090D7E13F264F0689C474A18C71F9ED5.sso1; Path=/idp;
Secure]
    Location[https://sso1.sso.bk.sapo.pt:443/idp/Authn/RemoteUser?]
    Content-Length[0]
    Date[Tue, 21 Oct 2008 16:36:36 GMT]


17:36:34.249[16ms][total 16ms] Status: 302[Moved Temporarily]
GET https://sso1.sso.bk.sapo.pt/idp/Authn/RemoteUser?
  Response Headers:
    Server[Apache-Coyote/1.1]
    Location[https://sso1.sso.bk.sapo.pt/shibboleth-
idp/login.jsp?to=%2Fidp%2FAuthn%2FRemoteUser]
    Content-Length[0]
    Date[Tue, 21 Oct 2008 16:36:36 GMT]


17:36:34.266[15ms][total 854ms] Status: 200[OK]
GET https://sso1.sso.bk.sapo.pt/shibboleth-idp/login.jsp?to=%2Fidp%2FAuthn%2FRemoteUser
  Response Headers:
   Server[Apache-Coyote/1.1]
   Content-Type[text/html;charset=ISO-8859-1]
   Transfer-Encoding[chunked]
   Date[Tue, 21 Oct 2008 16:36:36 GMT]


17:37:53.785[358ms][total 358ms] Status: 302[Moved Temporarily]
POST https://sso1.sso.bk.sapo.pt/shibboleth-
idp/Login.do?to=%2Fidp%2FAuthn%2FRemoteUser&from=SSL&
  Response Headers:
    Server[Apache-Coyote/1.1]
    Set-Cookie[auth=8f92f11d-7410-4435-871a-25ae73a06935; Expires=Wed, 22-Oct-2008
16:37:56 GMT; Path=/; Secure]
    Location[https://sso1.sso.bk.sapo.pt/idp/Authn/RemoteUser]
    Content-Length[0]
    Date[Tue, 21 Oct 2008 16:37:56 GMT]
17:37:54.146[37ms][total 37ms] Status: 302[Moved Temporarily]
GET https://sso1.sso.bk.sapo.pt/idp/Authn/RemoteUser
  Response Headers:
    Server[Apache-Coyote/1.1]
    Set-
Cookie[_idp_session=f5b050ad5e0be05c71d5222ee475a948f8a96f841c55543438109fd98400a8
36; Path=/idp]
    Location[http://sso2.sso.bk.sapo.pt/Shibboleth.sso/SAML/Artifact?TARGET=http%253A%2
52F%252Fsso2.sso.bk.sapo.pt%252Fsecure%252Fheaders.pl&SAMLart=AAGeRwDA74A4sTx
pH92LE%2F9CLxSE1s5E%2BAlWeEyXcAgNaaveZqtc9B2y]
    Content-Length[0]
    Date[Tue, 21 Oct 2008 16:37:56 GMT]


17:37:54.185[152ms][total 152ms] Status: 302[Found]
GET
http://sso2.sso.bk.sapo.pt/Shibboleth.sso/SAML/Artifact?TARGET=http%253A%252F%252Fss
o2.sso.bk.sapo.pt%252Fsecure%252Fheaders.pl&SAMLart=AAGeRwDA74A4sTxpH92LE%2F
9CLxSE1s5E%2BAlWeEyXcAgNaaveZqtc9B2y
  Response Headers:
    Date[Tue, 21 Oct 2008 16:37:56 GMT]
    Server[Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 mod_ssl/2.2.3
OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8]
    Set-
Cookie[_shibsession_64656661756c7468747470733a2f2f7370312e73736f322e73736f2e626b2e
7361706f2e70742f73686962626f6c657468=_6dfd0f04b094977bcd83b81402eddff0; path=/;
expires=Wed, 22 Oct 2008 00:37:57 GMT]
    Location[http%3A%2F%2Fsso2.sso.bk.sapo.pt%2Fsecure%2Fheaders.pl]
    Content-Length[238]
    Keep-Alive[timeout=15, max=100]
    Connection[Keep-Alive]
    Content-Type[text/html; charset=iso-8859-1]


17:37:54.340[37ms][total 110ms] Status: 404[Not Found]
GET
http://sso2.sso.bk.sapo.pt/Shibboleth.sso/SAML/http%3A%2F%2Fsso2.sso.bk.sapo.pt%2Fsecur
e%2Fheaders.pl
  Response Headers:
    Date[Tue, 21 Oct 2008 16:37:57 GMT]
    Server[Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 mod_ssl/2.2.3
OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8]
    Content-Length[262]
    Keep-Alive[timeout=15, max=99]
   Connection[Keep-Alive]
   Content-Type[text/html; charset=iso-8859-1]




 Comments
Comment by Chad La Joie [ 28/Nov/08 ]
Is this fixed in 2.1? I seem to recall a similar escaping issue that was fixed in 2.1.
Comment by André Cruz [ 09/Dec/08 ]
Yes. I tried 2.1 and couldn't reproduce the problem.
[SIDP-238] Inconsistencies on bean names in LoginHandler Created: 15/Oct/08           Updated:
15/Oct/08 Resolved: 15/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                     Bug                    Priority:           Minor
Reporter:                 André Cruz             Assignee:           Chad La Joie
Resolution:               Invalid                Votes:              0
Labels:                   None

Java Version:             Sun 1.5
Servlet Container:        Apache Tomcat 5.5

 Description
AbstractLoginHandlerBeanDefinitionParser assumes that AbstractLoginHandler has a property
called "authenticationMethods". But the property is called "supportedAuthenticationMethods".
Also, there's no setter for "supportedAuthenticationMethods".

 Comments
Comment by Chad La Joie [ 15/Oct/08 ]
There is no requirement that the bean properties be the same name as the XML nodes used to
populate them. Also, in general, bean properties which are collections do not have setters within
the shib code.
[SIDP-237] Re-run of install.sh does not create war again Created: 15/Oct/08   Updated: 15/Oct/08
Resolved: 15/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.0
Fix Version/s:     2.1.0

Type:                 Bug                    Priority:         Minor
Reporter:             Halm Reusser           Assignee:         Chad La Joie
Resolution:           Fixed                  Votes:            0
Labels:               None

Java Version:         Sun 1.5
Servlet Container:    Apache Tomcat 5.5

Comments
Comment by Chad La Joie [ 15/Oct/08 ]
Fixed in rev 2782
[SIDP-236] handling the X500Principal object, getName() or toString() Created:
15/Oct/08 Updated: 15/Oct/08 Resolved: 15/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.0
Fix Version/s:     None

Type:                     Improvement              Priority:        Minor
Reporter:                 Halm Reusser             Assignee:        Chad La Joie
Resolution:               Completed                Votes:           0
Labels:                   None


Description
Check if toString() or getName() is the appropriate method to deal with the String form of an
X500Principal object.

 Comments
Comment by Chad La Joie [ 15/Oct/08 ]
We are going to stick with getName() for now, toString() simply does not produce reasonably
"canonical" string forms of the principal name across all the various implementations of the
Principal interface.
[SIDP-235] IdPSessionFilter lacks on Source IP verification and cookie signature
checking Created: 15/Oct/08 Updated: 29/Oct/08 Resolved: 29/Oct/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.1.0
Fix Version/s:     2.1.0

Type:               Bug                           Priority:            Minor
Reporter:           Halm Reusser                  Assignee:            Chad La Joie
Resolution:         Fixed                         Votes:               0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

 Description
ERROR with IPv6 enabled:
10:22:13.686 ERROR [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:139] -
Client sent a cookie from addres 2001:620:0:4:21b:63ff:fe94:bae2 but the cookie was issued to
address 2001

ERROR with IPv6 disabled, running IPv4:
0:30:51.132 ERROR [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:157] -
Session cookie signature did not match, the session cookie has been tampered with

 Comments
Comment by Chad La Joie [ 15/Oct/08 ]
I attempted to fix this in rev 2784. Can you please verify that this fix actually works? I don't have
an IPv6 host.
Comment by Derek Morr [ 15/Oct/08 ]
Chad,

I'd be happy to add IPv6 to one or more test machines (VMs, testshib) at PSU.

Also, switch uses IPv6 heavily, so you should be able to get IPv6 addresses from them.
Comment by Chad La Joie [ 29/Oct/08 ]
Derek, we have IPv6 machines here. In fact all our servers run primarily on IPv6. I just didn't
have access to the server that Halm was testing on at the time.
This has been confirmed to work.
[SIDP-233] Typo on operation name - public void
setAuthenticationDurection(long duration) Created: 09/Oct/08   Updated: 15/Oct/08 Resolved: 15/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                        Priority:          Minor
Reporter:           André Cruz                 Assignee:          Chad La Joie
Resolution:         Fixed                      Votes:             0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

Description
Your head must have been somewhere else.. :)


edu.internet2.middleware.shibboleth.idp.authn.provider.AbstractLoginHandler:

  public void setAuthenticationDurection(long duration) {
    authenticationDuration = duration;
  }




 Comments
Comment by Chad La Joie [ 15/Oct/08 ]
fixed in rev 2783
[SIDP-230] sanity check provided credentials Created: 30/Sep/08       Updated: 07/Oct/08 Resolved: 05/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               New Feature                   Priority:            Minor
Reporter:           Ian Young                     Assignee:            Brent Putman
Resolution:         Completed                     Votes:               0
Labels:             None

Issue Links:        Related
                    is related to   CPPXT-29     sanity check provided credentials               Closed

 Description
In the IdP configuration, credentials are configured in two parts, thus:

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
  <security:PrivateKey>.../idp.key</security:PrivateKey>
  <security:Certificate>.../idp.crt</security:Certificate>
</security:Credential>

If someone replaces only one of these files, the IdP doesn't notice and signs with a private key
which then doesn't allow messages to be validated against the public key provided with the
certificate. This is very hard to debug.

The IdP could verify that the public key in the certificate and in the key file were the same, and
throw an error if not. This would make the error obvious in the IdP logs without needing the co-
operation of an SP to debug the issue.

Comments
Comment by Brent Putman [ 05/Oct/08 ]
Added in java-xmltooling r592, java-shib-common r789.

Approach is to sanity check the keys in the Spring factory bean. Sign some data with the private
key and verify with the public key. A mismatch will result in an error during Spring config
wiring.
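
The sign-then-verify check described in the comment above, as an added example that uses only JDK classes. It is not the java-xmltooling or java-shib-common code; the class name, method names and probe string are assumptions, and freshly generated RSA key pairs stand in for idp.key and the key inside idp.crt.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

/** Hypothetical helper (not Shibboleth code): detect a private key / certificate mismatch. */
public class CredentialSanityCheck {

    /** Picks a signature algorithm for the probe based on the key type. */
    static String signatureAlgorithmFor(String keyAlgorithm) throws NoSuchAlgorithmException {
        switch (keyAlgorithm) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default:
                throw new NoSuchAlgorithmException("No probe signature algorithm for " + keyAlgorithm);
        }
    }

    /** Returns true only if publicKey verifies a signature produced with privateKey. */
    static boolean keysMatch(PrivateKey privateKey, PublicKey publicKey)
            throws GeneralSecurityException {
        // Different key types can never be a pair (e.g. RSA key file, EC certificate).
        if (!privateKey.getAlgorithm().equals(publicKey.getAlgorithm())) {
            return false;
        }
        String algorithm = signatureAlgorithmFor(privateKey.getAlgorithm());
        byte[] probe = "credential sanity check".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(privateKey);
        signer.update(probe);
        byte[] signature = signer.sign();

        try {
            Signature verifier = Signature.getInstance(algorithm);
            verifier.initVerify(publicKey);
            verifier.update(probe);
            return verifier.verify(signature);
        } catch (SignatureException e) {
            // Raised, for instance, when the two RSA keys have different sizes,
            // so the signature length does not fit the public key. Still a mismatch.
            return false;
        }
    }

    /** Fails fast at configuration time, naming the credential that is inconsistent. */
    static void requireMatch(String credentialId, PrivateKey privateKey, PublicKey publicKey)
            throws GeneralSecurityException {
        if (!keysMatch(privateKey, publicKey)) {
            throw new IllegalStateException("Credential '" + credentialId
                    + "': private key does not match the public key in the certificate");
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair installed = generator.generateKeyPair(); // constructed: consistent key + certificate
        KeyPair replaced = generator.generateKeyPair();  // constructed: only one file was swapped

        System.out.println("consistent credential: "
                + keysMatch(installed.getPrivate(), installed.getPublic()));
        System.out.println("one file replaced:     "
                + keysMatch(installed.getPrivate(), replaced.getPublic()));

        try {
            requireMatch("IdPCredential", installed.getPrivate(), replaced.getPublic());
        } catch (IllegalStateException e) {
            System.out.println("startup error: " + e.getMessage());
        }
    }
}
```

In a deployment the public key would come from the loaded certificate via `X509Certificate.getPublicKey()` rather than from a generated key pair.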
[SIDP-228] Improve error reporting in SAML 2 profile handlers when no
encryption key is resolveable for the peer entity ID Created: 26/Sep/08 Updated: 26/Sep/08   Resolved:
26/Sep/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Improvement                   Priority:            Minor
Reporter:           Brent Putman                  Assignee:            Brent Putman
Resolution:         Fixed                         Votes:               0
Labels:             None


Description
Currently this case produces:

10:59:36.643 ERROR
edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:282] -
Unable to construct encrypter
  org.opensaml.xml.security.SecurityException: Key encryption credential may not be null
      at
  org.opensaml.xml.security.SecurityHelper.buildKeyEncryptionParams(SecurityHelper.java:621
)


Indicate more explicitly the actual error condition to the end-user.

Comments
Comment by Brent Putman [ 26/Sep/08 ]
Addressed in r2770.
[SIDP-227] Default relying-party.xml has SAML2-specific security policy rules
included in SAML 1 security policies Created: 26/Sep/08 Updated: 26/Sep/08 Resolved: 26/Sep/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                         Priority:           Minor
Reporter:           Brent Putman                Assignee:           Brent Putman
Resolution:         Fixed                       Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

Comments
Comment by Brent Putman [ 26/Sep/08 ]
Fixed in r2769
[SIDP-224] Add version information in library JAR manifest and provide
command line tool to view it Created: 16/Sep/08 Updated: 16/Sep/08 Resolved: 16/Sep/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               New Feature                   Priority:           Minor
Reporter:           Chad La Joie                  Assignee:           Chad La Joie
Resolution:         Fixed                         Votes:              0
Labels:             None


 Description
Add the implementation title, version, and vendor to the manifest files for the xmltooling jar.
Provide a command line tool to then display this information.

Comments
Comment by Chad La Joie [ 16/Sep/08 ]
Added in rev 2762
[SIDP-223] Provide a profile handler that returns metadata for the IdP Created:
28/Aug/08 Updated: 28/Aug/08 Resolved: 28/Aug/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:                    New Feature               Priority:           Minor
Reporter:                Chad La Joie              Assignee:           Chad La Joie
Resolution:              Fixed                     Votes:              0
Labels:                  None


Description
Create a new profile handler that will return the metadata for the IdP.

 Comments
Comment by Chad La Joie [ 28/Aug/08 ]
Initial implementation reads the installer generated metadata file. It provides an optional 'entity'
URL parameter that allows the requester to specify the entity ID for the entity (in case the IdP
has more than one entity descriptor in its metadata file).
[SIDP-222] Template engine used by LDAP and database connectors throw an
NPE on startup Created: 26/Aug/08 Updated: 31/Aug/08 Resolved: 31/Aug/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.0
Fix Version/s:     2.1.0

Type:               Bug                        Priority:          Blocker
Reporter:           Steven Carmody             Assignee:          Chad La Joie
Resolution:         Fixed                      Votes:             0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

 Description
If you use current 2.1 HEAD, and enable either an LDAP or SQL Data connector in the resolver file,
then you get an NPE on startup. Using a Static Dataconnector does NOT cause a problem.

Comments
Comment by Chad La Joie [ 31/Aug/08 ]
Fixed in rev 2755
[SIDP-220] creation of mapped attribute in attribute-resolver doesn't seem
correct Created: 14/Aug/08 Updated: 03/Sep/08 Resolved: 03/Sep/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:              Bug                           Priority:           Major
Reporter:          Joy Veronneau                 Assignee:           Chad La Joie
Resolution:        Fixed                         Votes:              0
Labels:            None

Java Version:      Sun 1.5
Servlet Container: Apache Tomcat 5.5

 Description
Hi, I am having a problem creating a mapped attribute. What I would like to do is for an
edupersonprimaryaffiliation value of staff or student, return an edupersonentitlement value of
urn:mace:dir:entitlement:common-lib-terms.

Consider this entry in attribute-resolver.xml which returns an edupersonentitlement value of
"staff" and "urn:mace:dir:entitlement:common-lib-terms" vs the following example:
--------------------------------
Example 1:
   <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
      sourceAttributeID="MappedEduPE">
      <resolver:Dependency ref="MappedEduPE" />

    <resolver:AttributeEncoder xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonEntitlement" />

    <resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
       name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
  </resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                   id="MappedEduPE" dependencyOnly="true"
                   sourceAttributeID="edupersonprimaryaffiliation">

   <resolver:Dependency ref="myLDAP" />

   <ValueMap>
     <ReturnValue>urn:mace:dir:entitlement:common-lib-terms</ReturnValue>

     <SourceValue ignoreCase="true" partialMatch="true">staff</SourceValue>
     <SourceValue ignoreCase="true" partialMatch="true">student</SourceValue>

   </ValueMap>
</resolver:AttributeDefinition>

Which returns:
../bin/aacli.sh --principal=jv11 --configDir=../conf

<?xml version="1.0" encoding="UTF-8"?><saml:AttributeStatement
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="eduPersonPrimaryAffiliation"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="eduPersonEntitlement"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">staff</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

---------------------------------------
Example 2 - just take out this line from attribute-resolver.xml:

     <SourceValue ignoreCase="true" partialMatch="true">student</SourceValue>

and it returns an edupersonentitlement of only urn:mace:dir:entitlement:common-lib-terms:

 <saml:Attribute FriendlyName="eduPersonPrimaryAffiliation"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="eduPersonEntitlement"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
  </saml:Attribute>

I don't know why it should insert "staff" into the first example.

Thanks

Joy


 Comments
Comment by Joy Veronneau [ 14/Aug/08 ]
It must have something to do with the ignoreCase and partialMatch parameters. This seems to
work fine:

  <ValueMap>
    <ReturnValue>urn:mace:dir:entitlement:common-lib-terms</ReturnValue>

      <SourceValue>staff</SourceValue>
      <SourceValue>student</SourceValue>

   </ValueMap>

returns:
  <saml:Attribute FriendlyName="eduPersonPrimaryAffiliation"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="eduPersonEntitlement"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
Comment by Chad La Joie [ 03/Sep/08 ]
Does the account you were testing with have both the student and staff affiliation, or just one or
the other?
Comment by Chad La Joie [ 03/Sep/08 ]
Ignore my previous question, I was able to reproduce the issue.

Fixed in shib-common rev 773
[SIDP-219] sourceAttributeID in attribute-resolver.xml is case sensitive even for
ldap Created: 14/Aug/08 Updated: 16/Aug/08 Resolved: 16/Aug/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:               Bug                            Priority:           Minor
Reporter:           Joy Veronneau                  Assignee:           Chad La Joie
Resolution:         Won't Fix                      Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

 Description
It seems that this sourceAttributeID is case sensitive. i.e. if I use EduPersonPrimaryAffiliation I
don't get any attribute returned, but if I use edupersonprimaryaffiliation, I get the attribute. My
directory uses edupersonprimaryaffiliation as the attribute name. I think this might be a historic
artifact.

I really am not sure if this is a bug or not. I can see that you would want to have it be case
sensitive for some types of data connectors, but I think for ldap it should be case INsensitive.




 Comments
Comment by Chad La Joie [ 16/Aug/08 ]
I'm not sure if I'd consider this a bug either but I'm not going to change the functionality. I
believe having to describe when and where an attribute ID was case sensitive and when it was
not would be thoroughly confusing and would likely also result in very error prone code and
configurations.

As a side note, the LDAP spec does define the names of attributes as being case-sensitive, when
stored. However most LDAP servers use a case-insensitive search when searching over them
(though I believe this is really just a de facto implementation decision, I don't think it's required
by the spec).
[SIDP-216] Second of two signed sources of metadata fail after cache expiration
Created: 29/Jul/08 Updated: 31/Jan/11 Resolved: 29/Sep/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                      Bug                              Priority:         Critical
Reporter:                  Karsten Huneycutt                Assignee:         Brent Putman
Resolution:                Fixed                            Votes:            1
Labels:                    None

Attachments:                 idp-process-2008-07-28.log           java.security
Java Version:              Sun 1.6
Servlet Container:         JBoss 4.2 Tomcat

 Description
I have the following configuration for metadata:

 <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata">

<MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider"
metadataFile="/opt/local/shibboleth/metadata/miscellaneous.xml"
maintainExpiredMetadata="true"/>

<MetadataProvider id="ProviderA"
xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://urla/metadata.xml"
cacheDuration="600"
backingFile="/opt/local/shibboleth/metadata/a-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation"
trustEngineRef="FederationAMetadataTrustEngine"
               requireSignedMetadata="true"/>
</MetadataProvider>

<MetadataProvider id="BProvider"
xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://urlb/metadata.xml"
cacheDuration="21600"
backingFile="/opt/local/shibboleth/metadata/b-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation"
trustEngineRef="FederationBMetadataTrustEngine"
               requireSignedMetadata="true"/>
</MetadataProvider>

 </MetadataProvider>

followed by:

  <security:TrustEngine id="FederationBMetadataTrustEngine"
xsi:type="security:StaticExplicitKeySignature">
     <security:Credential id="FederationBCredential" xsi:type="security:X509Filesystem">
       <security:Certificate>/opt/local/shibboleth/credentials/b-
federation.crt</security:Certificate>
     </security:Credential>
  </security:TrustEngine>
  <security:TrustEngine id="FederationAMetadataTrustEngine"
xsi:type="security:StaticExplicitKeySignature">
     <security:Credential id="FederationACredential" xsi:type="security:X509Filesystem">
       <security:Certificate>/opt/local/shibboleth/credentials/a-
federation.crt</security:Certificate>
     </security:Credential>
  </security:TrustEngine>

Both of these credentials exist and are readable by the process.

This configuration works perfectly on startup, and it works perfectly whenever it's reloaded
because the relying-party.xml file was changed. It downloads both remote sources of metadata
and successfully validates the signature on both of them.

However, when the cache for the ProviderB times out and it attempts to download that metadata
again, it is no longer able to validate the signature on the ProviderB metadata. ProviderA works
just fine: it can download the metadata and validate the signature on it successfully. However, if
I touch the relying-party.xml file *immediately* after it fails to validate the signature on
ProviderB, it is able to reload the configuration and validate both signatures.

The problem always stays with the second entry; if I switch the two entries around so that the
ProviderB is first and the ProviderA is second, ProviderA is no longer able to be validated after a
cache timeout, but ProviderB works just fine.

I have complete debug logs from when this happens, but for the sake of space I will paste where
it all starts to go wrong:
11:52:35.416 DEBUG [org.opensaml.xml.signature.SignatureValidator:53] - Attempting to
validate signature using key from supplied credential
11:52:35.416 DEBUG [org.opensaml.xml.signature.SignatureValidator:89] - Creating
XMLSignature object
11:52:35.417 DEBUG [org.opensaml.xml.signature.SignatureValidator:63] - Validating
signature with signature algorithm URI:http://www.w3.org/2000/09/xmldsig#rsa-sha1
11:52:35.417 DEBUG [org.opensaml.xml.signature.SignatureValidator:64] - Validation
credential key algorithm 'RSA', key instance class
'sun.security.pkcs11.P11Key$P11RSAPublicKey'
11:52:35.433 DEBUG [org.opensaml.xml.signature.SignatureValidator:69] - Signature validated
with key from supplied credential
11:52:35.434 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:147] -
Signature validation using candidate credential was successful
11:52:35.434 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:100] -
Successfully verified signature using KeyInfo-derived credential
11:52:35.435 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:101] -
Attempting to establish trust of KeyInfo-derived credential
11:52:35.435 DEBUG [org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator:94] - Failed
to validate untrusted credential against trusted key
11:52:35.436 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:106] -
Failed to establish trust of KeyInfo-derived credential
11:52:35.436 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:114] -
Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
11:52:35.436 DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:106]
- Attempting to verify signature using trusted credentials
11:52:35.437 DEBUG [org.opensaml.xml.signature.SignatureValidator:53] - Attempting to
validate signature using key from supplied credential
11:52:35.437 DEBUG [org.opensaml.xml.signature.SignatureValidator:89] - Creating
XMLSignature object
11:52:35.438 DEBUG [org.opensaml.xml.signature.SignatureValidator:63] - Validating
signature with signature algorithm URI:http://www.w3.org/2000/09/xmldsig#rsa-sha1
11:52:35.438 DEBUG [org.opensaml.xml.signature.SignatureValidator:64] - Validation
credential key algorithm 'RSA', key instance class
'sun.security.pkcs11.P11Key$P11RSAPublicKey'
11:52:35.454 DEBUG [org.opensaml.xml.signature.SignatureValidator:76] - Signature did not
validate against the credential's key
11:52:35.455 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:143] -
Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the
credential's key
... stack trace ...
11:52:35.456 ERROR [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:114]
- Failed to verify signature using either KeyInfo-derived or directly trusted credentials


I am working around this with a script that will touch the relying-party.xml file (and therefore
reload the metadata) on a regular interval. This is clearly not ideal.

 Comments
Comment by Brent Putman [ 06/Aug/08 ]
Karsten,
Please go ahead and attach to this issue (as an attachment, not cut and paste) the full debug log
file from when this happens, and also the effective java.security file that is in use by your JVM.
It should be in either JAVA_HOME/lib/security or JAVA_HOME/jre/lib/security, depending on
whether you are using a JRE or full JDK installation. Also let me know which exact version of
Java you are using (e.g. 1.6.0_X) and vendor (Sun, IBM, etc). This will help me confirm the
following.

Based on the log snippet above, it seems that the actual XML signature validation with the
KeyInfo key is succeeding, but the subsequent trust evaluation of that key is failing (and also the
subsequent signature validation with the configured trusted key). This evaluation is very simple,
it's just untrustedKey.equals(trustedKey). So it's very puzzling that the equals() could work
sometimes and not others - until I noticed that the RSA key impl that is getting used is from the
new PKCS11 provider. I'm assuming that's because your exact JRE/JDK version in use must
have by default included that early on in your security provider config, or else you did it for
some conscious reason. The only place where I've found this included by default is on new Mac
versions of 1.6.0. That provider class would be: sun.security.pkcs11.SunPKCS11.

The PKCS11 key types have some code which apparently can render them expired or invalid
under various circumstances, which I don't completely understand. Still looking at that, but it
will cause the equals() evaluation to fail. Not sure that's happening here, but that's my working
hypothesis. Also not sure why it would work for the first, but then fail for the second.

Also, unless you're actually using functionality that requires PKCS11 features (smart cards,
hardware acceleration, etc), a possible workaround might be to just remove that PKCS11
provider from the security provider config and let it use the more standard impls of
RSAPublicKey. If you want to give that a try, just remove or comment out the provider listing
for sun.security.pkcs11.SunPKCS11 and renumber the providers so they start from 1 and are
consecutive.
Comment by Karsten Huneycutt [ 06/Aug/08 ]
Sun JDK on Solaris 10 x86, version:

java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Server VM (build 10.0-b22, mixed mode)

Of course, I modified the java.security file that was distributed with the JDK, but I only added
the security provider for the DelegateToApplication trust manager. I did NOT change/add/delete
anything else...
Comment by Karsten Huneycutt [ 06/Aug/08 ]
Here's the java.security file. It does have the PKCS11 provider listed first...
Comment by Karsten Huneycutt [ 07/Aug/08 ]
Here's the log.
Comment by Brent Putman [ 20/Sep/08 ]
Karsten,
By any chance did you ever try the workaround of removing the PKCS11 provider from your
java.security config, to see if that addressed this issue? If not, I'll try and reproduce.
Comment by Brent Putman [ 27/Sep/08 ]
Ok, finally nailed this down. Has nothing to do with the PKCS11 provider as I initially
suspected. The reason that trust eval of untrustedKey.equals(trustedKey) is failing is...drum
roll... it really isn't the same key.

This is caused by a perfect storm of things related to the chaining metadata provider:

1) The shib-common BaseMetadataProviderBeanDefinitionParser is incorrectly using
Element#getElementsByTagNameNS to locate and process the MetadataFilter element. When
the provider element is the chaining one and the chaining element itself doesn't have a
MetadataFilter child, it's finding the MetadataFilter that is under its first child (its grandchild)
and that is incorrectly getting set as the chain's filter.

2) The ChainingMetadataProvider in opensaml2 sets its own metadata filter as the filter on all its
children, either when setMetadataFilter is called or when a child is added via
addMetadataProvider.

So here: When the chain member provider beans are initially instantiated and initialized() -
before they are actually chain members - all is good. Each has the right signature validation filter
and the signature validates. However, after the chain provider instance is created, all the member
providers have the filter that was set on the chain. In this case, because of #1, it's the filter of the
first chain member, and that means all except the first have the wrong signature validation filter,
with the wrong trust engine, etc.

#1 is easy to fix, just fix up the parsing code. However this then means that the chaining filter
gets no filter at all, and therefore all its members also ultimately have no filter.

In some ways it's good we had this bug, because had #1 been correct in the first place, all the
children would only have the filter processed on the initial load, not on metadata refreshes. On
the latter case, no filter, so always, silently, success.

The methodology in #2 is the issue at hand, it fundamentally doesn't work. We need to either:

- disallow filters on the chaining provider altogether and get rid of this logic

- find some approach to combine the filter on the chain with the filter on each child (e.g.
dynamically create a 2-member chaining filter). This might be doable, but there's issues here
with ordering and side effects. Some filters require a DOM to be present, but the providers
usually drop the DOM after processing; some filters modify the metadata, but others will fail if
it's been modified (and no DOM). This will also be tricky to manage across changes to either
chain or member.

In the short term IMHO I think we ought to just disallow a filter on the chaining provider.
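
The lookup difference behind point 1, and its effect once point 2 applies, as an added example (not code from shib-common or OpenSAML). The namespace, ids and trustEngine attribute are constructed, and the loop in main only models the chain overwriting each member's filter.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class ChainFilterLookup {
    // Constructed namespace, ids and trustEngine values; not the IdP's real schema.
    static final String NS = "urn:example:metadata-config";

    // Constructed config: the chain declares no filter, each member declares its own.
    static final String CONFIG =
          "<MetadataProvider xmlns='" + NS + "' id='chain'>\n"
        + "  <MetadataProvider id='federationA'>\n"
        + "    <MetadataFilter trustEngine='federationA-keys'/>\n"
        + "  </MetadataProvider>\n"
        + "  <MetadataProvider id='federationB'>\n"
        + "    <MetadataFilter trustEngine='federationB-keys'/>\n"
        + "  </MetadataProvider>\n"
        + "</MetadataProvider>";

    static boolean isElement(Node n, String localName) {
        return n.getNodeType() == Node.ELEMENT_NODE
                && NS.equals(n.getNamespaceURI())
                && localName.equals(n.getLocalName());
    }

    /** Subtree search: matches any descendant, so the chain picks up a grandchild. */
    static Element filterBySubtreeSearch(Element provider) {
        NodeList hits = provider.getElementsByTagNameNS(NS, "MetadataFilter");
        return hits.getLength() > 0 ? (Element) hits.item(0) : null;
    }

    /** Direct-child search: matches only a filter declared on this provider. */
    static Element filterByDirectChild(Element provider) {
        for (Node n = provider.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (isElement(n, "MetadataFilter")) {
                return (Element) n;
            }
        }
        return null;
    }

    static String trustEngineOf(Element filter) {
        return filter == null ? "(none)" : filter.getAttribute("trustEngine");
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        Element chain = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(CONFIG.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();

        String viaSubtree = trustEngineOf(filterBySubtreeSearch(chain));
        String viaChildren = trustEngineOf(filterByDirectChild(chain));
        System.out.println("chain filter via subtree search: " + viaSubtree);
        System.out.println("chain filter via direct children: " + viaChildren);

        // Model of point 2: the chain's filter replaces the filter on every member.
        for (Node n = chain.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!isElement(n, "MetadataProvider")) {
                continue;
            }
            Element member = (Element) n;
            String declared = trustEngineOf(filterByDirectChild(member));
            String verdict = declared.equals(viaSubtree) ? "ok" : "WRONG TRUST ENGINE";
            System.out.println(member.getAttribute("id") + ": declared " + declared
                    + ", effective " + viaSubtree + " -> " + verdict);
        }
    }
}
```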
Comment by Chad La Joie [ 27/Sep/08 ]
Go ahead and remove the filters from the chaining and write a WARN out to the log that they
will be ignored if any are present in the configuration.
Comment by Brent Putman [ 29/Sep/08 ]
Fixes committed in:
java-shib-common r785
java-opensaml1 r1349.

Filters are now disallowed on the ChainingMetadataProvider.
Comment by Karsten Huneycutt [ 01/Oct/08 ]
My apologies for not responding earlier.

Just to clarify, the fix will still allow the sub-providers to have separate metadata filters (like are
in the configuration above), correct? It just disallows the enclosing provider from having a filter.
Comment by Brent Putman [ 01/Oct/08 ]
Yes, absolutely, filters on the members of the chain are still supported.

The main downside to this change is that if you wanted the same filter to be applied to all
chaining provider members, you have to somewhat redundantly declare them on each chain
member individually. For the signature filter that's probably the most natural approach anyway,
since you often have different trust models for each metadata set. But for others it might seem
desirable to do that (schema validation, whitelists/blacklists, etc).

FWIW, this change is also consistent with what the C++ OpenSAML and SP does, filters are not
allowed on the chain there either.
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-215] SHIB-JCE.jar missing from 2.1.0 kit Created: 23/Jul/08   Updated: 19/Sep/08 Resolved:
19/Sep/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.0
Fix Version/s:     2.1.0

Type:               Bug                      Priority:        Critical
Reporter:           Rod Widdowson            Assignee:        Chad La Joie
Resolution:         Fixed                    Votes:           0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 5.5
Container:

 Description
Just what it says

Comments
Comment by Chad La Joie [ 19/Sep/08 ]
Fixed in rev 2765
[SIDP-214] Installer needs to put (at least) bcprov onto the classpath before it
runs ant Created: 23/Jul/08 Updated: 23/Jul/08 Resolved: 23/Jul/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.1.0
Fix Version/s:     2.1.0

Type:                Bug                            Priority:            Critical
Reporter:            Rod Widdowson                  Assignee:            Chad La Joie
Resolution:          Fixed                          Votes:               0
Labels:              None

Java Version:        Sun 1.5
Servlet              Apache Tomcat 6.0
Container:

 Description
in Install.bat I changed the adding of two jar files within the lib directory to this:

for %%i in (%ANT_HOME%\lib\*.jar) do (
call %ANT_HOME%\cpappend.bat %%i
)

(added *before* the setting of elements from src\installer\lib)

and the install then ran. Without this change we fell over looking for something inside bouncy
castle

Comments
Comment by Chad La Joie [ 23/Jul/08 ]
Fixed in rev 2748
[SIDP-213] aacli.sh computedid Exception in thread "main"
java.lang.NullPointerException Created: 18/Jul/08 Updated: 19/Jul/08 Resolved: 19/Jul/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                 Bug                              Priority:             Minor
Reporter:             John Williams                    Assignee:             Chad La Joie
Resolution:           Fixed                            Votes:                0
Labels:               None

Java Version:         Sun 1.6
Servlet               Apache Tomcat 5.5
Container:

 Description
oot@shib02:/opt/shib2/conf# ../bin/aacli.sh --configDir=/opt/shib2/conf/ --principal=williamj
Exception in thread "main" java.lang.NullPointerException
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.Comput
edIDDataConnector.resolve(ComputedIDDataConnector.java:130)
         at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.Comput
edIDDataConnector.resolve(ComputedIDDataConnector.java:41)
etc

Brent supplied a workaround but said:
At a minimum, we should probably fail in this case more gracefully, with a better exception
message. However, this brings up an interesting question, though, of what we should do if the
SAML requester really is not known, i.e. the anonymous relying party case. Computed ID sort of
doesn't make sense in that case, but perhaps there is some valid reason to support (all anonymous
RP's would essentially get the same computed ID).

Please file a bug at http://bugs.internet2.edu/jira/ under the "Shibboleth Common - Java" project.
We'll fix one way or the other.

Comments
Comment by Chad La Joie [ 19/Jul/08 ]
Fixed in rev 764
[SIDP-212] Wrong confirmation method used with SAML 1.x artifact profile
Created: 16/Jul/08 Updated: 01/Oct/08 Resolved: 01/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                      Bug                              Priority:    Major
Reporter:                  Scott Cantor                     Assignee:    Chad La Joie
Resolution:                Fixed                            Votes:       1
Labels:                    None

Java Version:              Sun 1.5
Servlet                    Apache Tomcat 5.5
Container:

 Description
Based on report from list, and perusing the code, the IdP is using the "bearer" confirmation
method regardless of which SAML 1 profile is used. Unfortunately that's not strictly correct, and
the old SP is being strict about it. I think the new one isn't as strict, due to the fact that using the
other method was so stupid to begin with.

Anyway, to be correct, the code has to generate a different confirmation method depending on
the profile used.

Comments
Comment by Chad La Joie [ 01/Oct/08 ]
Fixed in rev 2766
[SIDP-209] Enforce SAML 2 metadata
SPSSODescriptor/@AuthnRequestsSigned Created: 12/Jul/08          Updated: 18/Jul/08 Resolved: 18/Jul/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication, SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:              Bug                           Priority:           Major
Reporter:          Brent Putman                  Assignee:           Brent Putman
Resolution:        Fixed                         Votes:              0
Labels:            None

Issue Links:       Dependency
                   depends on JOST-50 Security policy rule which evaluates ...                     Closed
Java Version:      Sun 1.5
Servlet            Apache Tomcat 5.5
Container:

Description
Add new java-opensaml2 security policy rule to the relevant profile handler(s).

Comments
Comment by Brent Putman [ 18/Jul/08 ]
New security policy rule added to SAML 2 SSO profile handler.

java-shib-common r763
java-idp r2746
[SIDP-208] BasicSAMLArtifactMapEntry contains reference to parser pool
from parent BasicSAMLArtifactMap Created: 10/Jul/08 Updated: 01/Sep/08 Resolved: 01/Sep/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Improvement                  Priority:           Minor
Reporter:           Karsten Huneycutt            Assignee:           Chad La Joie
Resolution:         Fixed                        Votes:              0
Labels:             None


 Description
The BasicSAMLArtifactMapEntry keeps a reference to a parser pool from the parent
BasicSAMLArtifactMap. This becomes an issue in a clustered environment -- the parser pool is
not replicated across the cluster, and so when the MapEntry is clustered, the code that relies on
the MapEntry is unable to retrieve the parsed artifact.

I fixed this for our clustered environment by causing the MapEntry itself to create the XML
parser, but that is less than ideal.

Comments
Comment by Chad La Joie [ 01/Sep/08 ]
Fixed in opensaml2 rev 1343
[SIDP-207] Changes to attribute-resolver.xml choke loaded IdP Created: 10/Jul/08               Updated:
31/Jan/11 Resolved: 03/Aug/10

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                     Bug                      Priority:            Major
Reporter:                 Russell Beall            Assignee:            Chad La Joie
Resolution:               Cannot Reproduce         Votes:               0
Labels:                   None

Attachments:                attr-resolver.patch
Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

 Description
This is a snippet of an e-mail which was submitted to shibboleth-users@internet2.edu with no
response, so I am assuming nothing is known about this issue:

At USC we have been running the 2.0 IdP for a while now. We are able to update the metadata
and attribute-filter.xml without problem so that we can successfully make configuration changes
to add new SPs and tweak requirements.

Recently we needed to add some data definitions for releasing new data to an SP. I added these
definitions to our hot backup server and tested it out. The test worked fine and the configuration
was auto-loaded. When I made this same change into our running production IdP with a
significant load, the server choked and stopped returning data to SPs. Access requests continued
to pour in, and I could get to the login page, but the server hung on responses.

Tomcat required a restart to restore service responses.

Later, I made a tweak to our LDAP connector module, just to change the timeout on requests. I
even tried to wait for a time where the load appeared to lighten up a bit. After saving this file, the
same situation occurred and restarting Tomcat was required.

I have found no data in either the wiki, jira, or searching the mail archive in regards to this.

The log trace shows a number of error messages like this one before the "freeze":
16:05:46.692 ERROR [org.opensaml.ws.message.decoder.BaseMessageDecoder:165] -
Encountered error parsing message into its DOM representation
org.opensaml.xml.parse.XMLParserException: Invalid XML
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:213

Other errors were reported as well pretty much in the same vein and I could send a detailed log
trace if someone is interested.



 Comments
Comment by Chad La Joie [ 03/Aug/10 ]
There was an issue with the new 2.2.0 snapshot that caused a problem but I wasn't able to cause
the exact error you had. Various things related to parsing have changed in response to other
issues since you filed the bug so it may have been resolved.
Comment by Karsten Huneycutt [ 17/Nov/10 ]
I also have this problem now in 2.2.0 final. It does seem random, but I think it's not. Even with
debug logging on, the last thing it prints is "Reloading configuration for...". After reading the
source, I think it's having an issue getting the write lock on the config.

Sure enough, if anything fails while resolving an attribute, there's a read lock that's never
released. The attached patch surrounds that in a try-finally block, ensuring that the read lock on
the configuration is released.

I'm still testing the patch, and with issues like this that seem random one can never be sure one
has fixed the issue, but I think it fits the symptoms.
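
How one failed request can block every later reload, as an added example rather than the attached patch or IdP code. ReloadableResolver and its methods are hypothetical, and reload uses a timed tryLock so the demo terminates where a plain lock() would wait forever.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantReadWriteLock;

public class ConfigLockDemo {
    // Hypothetical stand-in for a reloadable service guarded by a read/write lock.
    static class ReloadableResolver {
        final ReentrantReadWriteLock lock = new ReentrantReadWriteLock(true);

        /** Leaky form: an exception between lock() and unlock() leaves the read lock held. */
        String resolveLeaky(String principal) {
            lock.readLock().lock();
            String value = lookup(principal);   // may throw
            lock.readLock().unlock();           // skipped when lookup throws
            return value;
        }

        /** try/finally form: the read lock is released on every exit path. */
        String resolveSafe(String principal) {
            lock.readLock().lock();
            try {
                return lookup(principal);
            } finally {
                lock.readLock().unlock();
            }
        }

        /** Constructed failure: a null principal stands for any error during resolution. */
        String lookup(String principal) {
            if (principal == null) {
                throw new IllegalStateException("data connector failed");
            }
            return "attributes-for-" + principal;
        }

        /** A reload needs the write lock; returns false if it is not free within the timeout. */
        boolean reload(long timeoutMillis) throws InterruptedException {
            if (!lock.writeLock().tryLock(timeoutMillis, TimeUnit.MILLISECONDS)) {
                return false;
            }
            try {
                return true; // configuration would be swapped here
            } finally {
                lock.writeLock().unlock();
            }
        }
    }

    /** Runs one failing resolve on a request thread, then attempts a reload. */
    static boolean reloadAfterFailedResolve(boolean leaky) throws InterruptedException {
        ReloadableResolver resolver = new ReloadableResolver();
        Thread request = new Thread(() -> {
            try {
                if (leaky) {
                    resolver.resolveLeaky(null);
                } else {
                    resolver.resolveSafe(null);
                }
            } catch (IllegalStateException expected) {
                // the request failed; what matters is the lock state it left behind
            }
        });
        request.start();
        request.join();
        // The lock is not released when the thread that took it ends.
        System.out.println("read locks still held: " + resolver.lock.getReadLockCount());
        return resolver.reload(200);
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("leaky resolve, reload got write lock: "
                + reloadAfterFailedResolve(true));
        System.out.println("safe resolve, reload got write lock: "
                + reloadAfterFailedResolve(false));
    }
}
```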
Comment by Karsten Huneycutt [ 17/Nov/10 ]
Patch referenced in previous comment
Comment by Scott Cantor [ 31/Jan/11 ]
Closing resolved issues.
[SIDP-206] SessionManagerEntry's back reference to the SessionManager object
interferes with clustering Created: 10/Jul/08 Updated: 02/Sep/08 Resolved: 02/Sep/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                Improvement                  Priority:            Minor
Reporter:            Karsten Huneycutt            Assignee:            Chad La Joie
Resolution:          Fixed                        Votes:               0
Labels:              None


 Description
The SessionManagerEntry object keeps a back reference to the SessionManager object for one
purpose: to send logout notifications. This back reference wreaks havoc with clustering.

To eliminate the Session Manager's use of the explicit back reference, could the StorageService
send Spring events on object add/remove that the SessionManager could then listen for and use
to send the login/logout events? Since the StorageService is also a Spring bean, it can easily
accept the ApplicationContext necessary to publish events. That would decouple the objects in
the storage from the generator of those objects, make them independent of the environment in
which they're generated, and move the responsibility for clustering the change events onto the
storage service (which is where it belongs, I think). It would also allow other things that use the
StorageService to be notified easily on removal of objects, if that ever becomes necessary.

I implemented this idea, and I can share the code, if that would be something you're interested in
-- the changes are very very very minor from the released version.


Comments
Comment by Chad La Joie [ 02/Sep/08 ]
Fixed in rev 2757

Told you'd get to this... eventually. :)
[SIDP-205] Provide internationalization facilities Created: 10/Jul/08    Updated: 10/Jul/08 Resolved:
10/Jul/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:              New Feature                   Priority:           Minor
Reporter:          Etienne Dysli                 Assignee:           Chad La Joie
Resolution:        Invalid                       Votes:              0
Labels:            None


 Description
It would be nice to be able to support multiple languages for the login/error web pages. IIRC, the
Spring Framework provides means to support internationalization (i.e. resource bundles to
translate strings, locale selection based on browser request or user choice).

 Comments
Comment by Chad La Joie [ 10/Jul/08 ]
Those pages are *examples*. You can do whatever you want with them, including adding
internationalization support.
[SIDP-204] Remove defaults from configuration schema files and move in to code
Created: 08/Jul/08 Updated: 24/Jul/08 Resolved: 24/Jul/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                      Improvement                      Priority:   Minor
Reporter:                  Chad La Joie                     Assignee:   Chad La Joie
Resolution:                Fixed                            Votes:      0
Labels:                    None


 Description
Currently default configuration options are only in the schema. This causes issues with the
schema files shared by the SP and also means that beans created programmatically have different
defaults than those created by configuration.

So, move the schema defaults into the bean classes.

Comments
Comment by Chad La Joie [ 24/Jul/08 ]
Fixed in rev 2751
[SIDP-203] Insufficient information logged to track down errant users Created: 04/Jul/08
Updated: 10/Jul/08 Resolved: 10/Jul/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                      Bug                         Priority:         Minor
Reporter:                  Simon McLeish               Assignee:         Chad La Joie
Resolution:                Fixed                       Votes:            0
Labels:                    None

Issue Links:               Duplicate
                           duplicates SSPCPP-118 Insufficient information logged to tr...   Closed
Java Version:              Sun 1.5
Servlet                    Apache Tomcat 5.5
Container:

 Description
With default settings for logging on Shib 2.0 SP and Shib 2.0 IdP on RedHat, there is too little
information to enable linking a session on the SP to a session on the IdP. There are no shared
identifiers between the following log entries, other than the time stamp and that cannot be relied
on. If a user misuses the resource, this means that the IdP cannot work out who this person was
from information supplied by the SP.

This bug will be duplicated for the SP as it affects both systems.

Sample log entries:

SP

shid.log
2008-07-04 12:38:16 INFO Shibboleth.SessionCache [26]: new session created: ID
(_b2c31b4ed82daa948745cbcc110b2258) IdP (https://far-project.lse.ac.uk/shibboleth-idp)
Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (158.143.8.41)

transaction.log
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: New session (ID:
_b2c31b4ed82daa948745cbcc110b2258) with (applicationId: default) for principal from (IdP:
https://far-project.lse.ac.uk/shibboleth-idp) at (ClientAddress: 158.143.8.41) with
(NameIdentifier: _caec77a8594c1ecc9e1c0445815f4b8d) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: Cached the following attributes
with session (ID: _b2c31b4ed82daa948745cbcc110b2258) for (applicationId: default) {
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: uid (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: unscoped-affiliation (2 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: eppn (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: organizationName (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: sn (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: affiliation (2 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: givenName (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: entitlement (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: ou (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: computedID (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: email (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: l (1 values)
2008-07-04 12:38:16 INFO Shibboleth-TRANSACTION [26]: }

IdP

idp-process.log
12:38:08.668 INFO [Shibboleth-Access:72] - 20080704T113808Z|158.143.8.41|far-
project.lse.ac.uk:443|/profile/SAML2/Redirect/SSO|
12:38:15.230 INFO [Shibboleth-Access:72] - 20080704T113815Z|158.143.8.41|far-
project.lse.ac.uk:443|/profile/SAML2/Redirect/SSO|
12:38:15.293 INFO [Shibboleth-Audit:557] -
20080704T113815Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect|_0e06becbc36df1b59fa1025377d9938a|https://far-project.lse.ac.uk/shibboleth-
sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://far-project.lse.ac.uk/shibboleth-
idp|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST|_cab9d943427cde134eb065ccbe0f6917|marysmith|urn:oasis:names:tc:SAML:2.0:ac:class
es:unspecified||

idp-audit.log
20080704T113815Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect|_0e06becbc36df1b59fa1025377d9938a|https://far-project.lse.ac.uk/shibboleth-
sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://far-project.lse.ac.uk/shibboleth-
idp|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST|_cab9d943427cde134eb065ccbe0f6917|marysmith|urn:oasis:names:tc:SAML:2.0:ac:class
es:unspecified||

idp-access.log
20080704T113808Z|158.143.8.41|far-project.lse.ac.uk:443|/profile/SAML2/Redirect/SSO|
20080704T113815Z|158.143.8.41|far-project.lse.ac.uk:443|/profile/SAML2/Redirect/SSO|

Comments
Comment by Scott Cantor [ 05/Jul/08 ]
Linking to SP version of issue. SP logging is actually more extensive than before, so I think IdP
is missing something. Probably the NameIdentifier, although of course that's not guaranteed to
be present.
Comment by Chad La Joie [ 08/Jul/08 ]
Talked with Scott about this and I'll add the value of the name identifier to the audit log. As he
mentions this isn't guaranteed to be present.
Comment by Chad La Joie [ 10/Jul/08 ]
I actually added the name identifier and the assertion IDs to the audit log message. As was
mentioned, the name identifiers are optional so we can't guarantee that those can be used to do
the correlation. The assertion IDs are required but the 1.3 SP doesn't log them but Scott is adding
them to the 2.1 SP log message.

So, if it's a 1.3 SP use the name identifier, if it's a 2.X SP, use the assertion ID (or name
identifier).

Documentation on the log entry format has also been updated.
https://spaces.internet2.edu/display/SHIB2/IdPLogging
[SIDP-202] Saml2LoginContext unable to deserialize serialized AuthnRequest
Created: 30/Jun/08 Updated: 29/Oct/08 Resolved: 29/Oct/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                      Bug                              Priority:   Minor
Reporter:                  Karsten Huneycutt                Assignee:   Chad La Joie
Resolution:                Fixed                            Votes:      0
Labels:                    None

Java Version:              Sun 1.6
Servlet                    JBoss 4.2 Tomcat
Container:

 Description
In a clustered environment, when the Saml2LoginContext attempts to call deserializeRequest() to
reconstruct the AuthnRequest object, it gets an IllegalArgumentException in
XMLHelper.constructQName(String, String, String) called from
XMLHelper.getNodeQName(Node) called from the OpenSAML
UnmarshallerFactory.getUnmarshaller(Element) method in order to construct the QName from
the Element -- "local part cannot be null".

The XML is parsed properly, but both the getLocalName() and the getNamespaceURI() methods
on the Element return null. The parser isn't configured correctly. You only see this issue in a
configuration where the HttpSession object is clustered, because the server that generated the
Saml2LoginContext object is able to keep the de-serialized (transient) AuthnRequest object and
doesn't have to re-parse the XML.

Whether that's because of an issue with the Xerces 2.7.1 that I have to use because of JBoss or
whether it's still the default behavior of Xerces in the 2.9 series I'm not sure. I had to add the
following to the deserializeRequest() method:

builderFactory.setNamespaceAware(true);
builderFactory.setCoalescing(true);
builderFactory.setIgnoringComments(true);
builderFactory.setIgnoringElementContentWhitespace(true);
builderFactory.setValidating(false);
builderFactory.setXIncludeAware(false);

I'm not sure which of the above settings fixed it (it wasn't just NamespaceAware, that I do
know), but with those configuration settings (all of which are set in the parser pool, which clearly
works), it works properly. After deploying this along with the proper clustering stuff in JBoss,
the load balancer can switch servers with no ill effects.

 Comments
Comment by Chad La Joie [ 08/Jul/08 ]
Can you give me an example authn request that is causing this, and what element it's failing on?
getLocalName() should never return null. That would mean you had an element like <>
which is obviously not valid XML so something isn't correct.
Comment by Karsten Huneycutt [ 10/Jul/08 ]
Sorry for the delay -- it's a standard samlp:AuthnRequest from testshib, and it looks perfectly
normal and valid, and indeed parses correctly. I can't get the logs back from when I was
debugging this, but I can write up a little test program later today and post it here if you like,
along with a random AuthnRequest from our test environment.

What I found from reading the Xerces code (!) is that unless certain flags are enabled, the default
implementations of Element will return null for getLocalName() and getNamespaceURI().

When those flags are properly set, the exact same AuthnRequest parses properly. The ParserPool
already sets these flags, which is why it hasn't shown up elsewhere in the code.
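
The parser behaviour described in the comment above, as an added example that is not the IdP's code. The AuthnRequest is constructed, javax.xml.namespace.QName stands in for OpenSAML's QName helper, and the second factory uses the settings listed in the issue description.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class AuthnRequestQName {
    // Constructed minimal request; ID and IssueInstant are sample values.
    static final String REQUEST =
          "<samlp:AuthnRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'"
        + " ID='_constructed-id' Version='2.0' IssueInstant='2008-06-30T12:00:00Z'/>";

    /** Factory carrying the six settings listed in the issue description. */
    static DocumentBuilderFactory configuredFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setCoalescing(true);
        factory.setIgnoringComments(true);
        factory.setIgnoringElementContentWhitespace(true);
        factory.setValidating(false);
        factory.setXIncludeAware(false);
        return factory;
    }

    static Element parseRoot(DocumentBuilderFactory factory) throws Exception {
        return factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(REQUEST.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    /** Builds the element's QName and reports the failure instead of propagating it. */
    static String elementQName(Element element) {
        try {
            return new QName(element.getNamespaceURI(), element.getLocalName()).toString();
        } catch (IllegalArgumentException e) {
            return "IllegalArgumentException: " + e.getMessage();
        }
    }

    static void report(String label, Element root) {
        System.out.println(label
                + ": nodeName=" + root.getNodeName()
                + ", localName=" + root.getLocalName()
                + ", namespaceURI=" + root.getNamespaceURI()
                + ", QName=" + elementQName(root));
    }

    public static void main(String[] args) throws Exception {
        // A JAXP factory is not namespace-aware unless asked to be, and the document
        // still parses without error; only the namespace accessors come back null.
        report("default factory", parseRoot(DocumentBuilderFactory.newInstance()));
        report("configured factory", parseRoot(configuredFactory()));
    }
}
```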
Comment by Chad La Joie [ 29/Oct/08 ]
This has been dealt with in shib-common rev.805 and IdP rev.2793.

The fix was to remove all of this functionality from the SAML2LoginContext. The object now
only keeps the serialized message.
[SIDP-201] IdP sends SAML 1 authentication responses without audience
conditions Created: 17/Jun/08 Updated: 19/Jun/08 Resolved: 19/Jun/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                           Priority:            Major
Reporter:           Ian Young                     Assignee:            Chad La Joie
Resolution:         Fixed                         Votes:               0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 5.5
Container:

 Description
SAML 1 authentication responses generated by the Shibboleth 2.0 IdP do not contain an
Audience condition containing the SP's entity ID, where the 1.3 and prior IdPs did do so.

Scott's comment:

It's a bug in the IdP to do this, we definitely shouldn't be issuing
untargeted bearer assertions. I don't see any code in the profile handlers
for audience, so it's missing.



Comments
Comment by Chad La Joie [ 19/Jun/08 ]
Fixed in rev 2741
[SIDP-200] attribute-filter.xml AttributeRule ignoreCase logic is backwards Created:
16/Jun/08 Updated: 19/Jun/08 Resolved: 19/Jun/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.1.0

Type:                     Bug                      Priority:         Minor
Reporter:                 Jeffrey Crawford         Assignee:         Chad La Joie
Resolution:               Fixed                    Votes:            0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 6.0
Container:

 Description
In the following example, the filter policy "DOES NOT" ignore case:

      <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
          <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
          <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
        </PermitValueRule>
      </AttributeRule>

If you switch ignoreCase to false, then the case is truly ignored.
Currently working around by using:

      <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:ANY" />
      </AttributeRule>

to prevent breakdown of function when this is fixed.

Please note there is a similar bug in the SP C++ Product that Scott is working on here:
https://bugs.internet2.edu/jira/browse/SSPCPP-115

Comments
Comment by Chad La Joie [ 19/Jun/08 ]
Fixed in shib-common rev 761
[SIDP-199] loss of login context when deploying the IdP to tomcat's ROOT context Created: 12/Jun/08 Updated: 15/Jun/08 Resolved: 15/Jun/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:              Bug                           Priority:           Minor
Reporter:          Peter Schober                 Assignee:           Chad La Joie
Resolution:        Fixed                         Votes:              0
Labels:            None

Attachments:         idp.patch
Java Version:      Sun 1.6
Servlet            Apache Tomcat 6.0
Container:

 Description
This happens only when deploying the IdP to / (e.g. via a context deployment fragment
conf/Catalina/localhost/ROOT.xml):
When using the UsernamePassword LoginHandler for AuthN, during the POST of the
credentials the _idp_session cookie is being set with an empty path (Path=""), which effectively
sets the path to /Authn.
So when subsequently accessing other SPs the RFC 2965-conforming UA does not present the
_idp_session cookie to the SSO service (in this case using HTTP-Redirect, at
/profile/SAML2/Redirect/SSO?SAMLRequest=....) because the path is not prefixed with
"/Authn", hence no login context is being found, the PreviousSession login handler fails and the
UsernamePassword handler is invoked.


Comments
Comment by Peter Schober [ 14/Jun/08 ]
Fixes SIDP-199 as well as SIDP-164, at least for me.
Note that I know nothing about Java and if this patch works reliably or not.
Comment by Chad La Joie [ 15/Jun/08 ]
Fixed in rev 2737
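
The cookie scoping failure described in this issue, as an added example (not the IdP's code and not the change made in rev 2737). It uses the default-path and path-match rules of RFC 6265 section 5.1.4, which give the same outcome the reporter describes, and it assumes that the cookie path is derived from the servlet context path (an empty string for the ROOT context) and that the login handler is served at /Authn/UserPassword.

```java
public class CookiePathDemo {

    /** Default-path for a cookie whose Path attribute is missing or empty (RFC 6265, 5.1.4). */
    static String defaultPath(String requestPath) {
        if (requestPath == null || !requestPath.startsWith("/")) {
            return "/";
        }
        int lastSlash = requestPath.lastIndexOf('/');
        return lastSlash == 0 ? "/" : requestPath.substring(0, lastSlash);
    }

    /** Path the user agent stores: the Path attribute if it starts with "/", else the default-path. */
    static String storedPath(String pathAttribute, String requestPath) {
        boolean usable = pathAttribute != null && pathAttribute.startsWith("/");
        return usable ? pathAttribute : defaultPath(requestPath);
    }

    /** Path-match test the user agent applies before sending a cookie (RFC 6265, 5.1.4). */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (!requestPath.startsWith(cookiePath)) {
            return false;
        }
        // Prefix match only counts on a path-segment boundary.
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Assumed failing pattern: the context path is used verbatim, so ROOT yields Path="". */
    static String pathFromContextVerbatim(String contextPath) {
        return contextPath;
    }

    /** Hardened pattern: never emit an empty Path; the ROOT context maps to "/". */
    static String pathFromContextSafe(String contextPath) {
        return (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
    }

    static void report(String label, String pathAttribute, String loginUrl, String ssoUrl) {
        String stored = storedPath(pathAttribute, loginUrl);
        System.out.printf("  %-8s Path=\"%s\" stored as %s, sent to SSO endpoint: %b%n",
                label, pathAttribute, stored, pathMatches(ssoUrl, stored));
    }

    public static void main(String[] args) {
        // "/idp" is a constructed context path; "" is what a ROOT deployment reports.
        for (String contextPath : new String[] {"/idp", ""}) {
            String loginUrl = contextPath + "/Authn/UserPassword";
            String ssoUrl = contextPath + "/profile/SAML2/Redirect/SSO";
            System.out.println("context path \"" + contextPath + "\":");
            report("verbatim", pathFromContextVerbatim(contextPath), loginUrl, ssoUrl);
            report("safe", pathFromContextSafe(contextPath), loginUrl, ssoUrl);
        }
    }
}
```

For the ROOT context the verbatim variant stores the cookie under /Authn and withholds it from the SSO endpoint, while the safe variant stores it under / and sends it.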
[SIDP-197] Misleading error message for ValidationInfo element in relying-party.xml Created: 04/Jun/08 Updated: 06/Jun/08 Resolved: 06/Jun/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:               Bug                             Priority:           Trivial
Reporter:           Patrik Schnellmann              Assignee:           Chad La Joie
Resolution:         Won't Fix                       Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 5.5
Container:

 Description
When omitting the Attribute 'id' for 'ValidationInfo', the config parser complains about not
having 'Id' specified.

14:11:43.953 ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error
creating components. The root cause of this error was: Configuration problem: Configuration
problem: Id is required for element 'ValidationInfo' when used as a top-level tag

The correct error message should be "[...] problem: id is required for element [...]", 'Id' is not
accepted:

14:18:55.666 ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error
creating components. The root cause of this error was: cvc-complex-type.3.2.2: Attribute 'Id' is
not allowed to appear in element 'security:ValidationInfo'.

 Comments
Comment by Chad La Joie [ 06/Jun/08 ]
This is actually Spring code creating this error so I can't do anything about it. I've made it a
required field in the schema though so now it will fail validation if 'id' isn't declared.
[SIDP-195] Exception with SAML1 Artifact Resolution serving simultaneous
requests Created: 29/May/08 Updated: 02/Mar/09 Resolved: 02/Mar/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1
Affects Version/s: 2.0.0
Fix Version/s:     2.1.3

Type:              Bug                          Priority:          Major
Reporter:          André Cruz                   Assignee:          Chad La Joie
Resolution:        Fixed                        Votes:             0
Labels:            None

Java Version:      Sun 1.5
Servlet            Apache Tomcat 5.5
Container:

 Description
During the tests I'm encountering more exceptions. These ones occur when there are multiple
simultaneous requests for SAML1 Artifact Resolution (I manage to trigger this with 10 users).

16:58:20.870 DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] -
shibboleth.HandlerManager: Located profile handler of the fo
llowing type for the request path:
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution
16:58:20.870 DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution:139] - Decoding
message with decoder binding urn:oasis:names:tc:SA
ML:1.0:bindings:SOAP-binding
16:58:20.871 ERROR [org.opensaml.ws.message.decoder.BaseMessageDecoder:165] -
Encountered error parsing message into its DOM representation
org.opensaml.xml.parse.XMLParserException: Invalid XML
     at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:213)
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDeco
der.java:143)
     at
org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decode
r.java:123)
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:74)
     at
org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1Messa
geDecoder.java:88)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.decodeRequest(Artifac
tResolution.java:158)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:96)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:58)
     at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:25
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:
72)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:20
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:425)
     at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:452
)
     at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1285)
     at java.lang.Thread.run(Thread.java:595)
Caused by: org.xml.sax.SAXException: FWK005 parse may not be called while parsing.
     at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
     at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
     at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
     at
org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:60
7)
     at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:210)
     ... 25 common frames omitted


16:58:20.871 ERROR
[edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution:162] - Error decoding
artifact resolve message
org.opensaml.ws.message.decoder.MessageDecodingException: Encountered error parsing
message into its DOM representation
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDeco
der.java:166)
     at
org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decode
r.java:123)
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:74)
     at
org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1Messa
geDecoder.java:88)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.decodeRequest(Artifac
tResolution.java:158)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:96)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:58)
     at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:25
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:
72)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:20
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:425)
     at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:452
)
     at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1285)
     at java.lang.Thread.run(Thread.java:595)
Caused by: org.opensaml.xml.parse.XMLParserException: Invalid XML
     at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:213)
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDeco
der.java:143)
     ... 24 common frames omitted


Caused by: org.xml.sax.SAXException: FWK005 parse may not be called while parsing.
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
    at
org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:60
7)
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:210)
    ... 25 common frames omitted
16:58:20.872 WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No
metadata for relying party null, treating party as anon
ymous
16:58:20.872 ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] -
Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: Error decoding artifact
resolve message
    at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.decodeRequest(Artifac
tResolution.java:164)
    at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:96)
    at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:58)
     at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:25
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:
72)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:20
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:425)
     at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:452
)
     at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1285)
     at java.lang.Thread.run(Thread.java:595)
16:58:20.874 WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No
metadata for relying party null, treating party as anon
ymous
16:58:20.875 ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] -
Error processing profile request
java.lang.NullPointerException
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDeco
der.java:144)
     at
org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decode
r.java:123)
     at
org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:74)
     at
org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1Messa
geDecoder.java:88)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.decodeRequest(Artifac
tResolution.java:158)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:96)
     at
edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution.processRequest(Artifa
ctResolution.java:58)
     at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:25
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:
72)
     at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:20
2)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:425)
     at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:452
)


Sorry for dumping all this.. I know you probably just need the root exception but it's better to be
safe than sorry.
From the SP side I get this in the logs:

2008-05-28 17:01:19 DEBUG XMLTooling.SOAPClient [7]: marshalled envelope:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:Request
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2008-05
-28T16:01:19Z" MajorVersion="1" MinorVersion="1"
RequestID="_0fc46fcaf888aa57bfe424e1d2844d2f"><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_0fc46fcaf888aa57bfe424e1d2844d2f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds samlp"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>cgmiLY0aAgBskTGrBpdffGdRqbw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>REJ8KPOK/AiFOYcCcAFHUgivpH9bfanLq2eSFodn8gAd/VK+yajgznkJ
EX8cOmQs
ZQJLJT5AlicDmGxzbwc/GIdip0A12oiFy07PK4w+79do0VX2mMaYBFnF1B+50/Sm
k8J0KYf+z78riedCUfeMdd9UBMOWDh2sQ0eX3rKULks8DFeF05HIa1b2kT7GNCDl
J/Rea3VfAosgozk9nm+fGU2xCnWObQUkPF+neonHnqQuAW5r5HLjxpYAPgiDfKoL
yy3ujEIvphe9xTiCEHYhxaj2RDvgh0lV1IYxI2Olnci7pAL/ZAu5PO1yesAnSqhp
urKEAKz4bnlwqVTsyR/NaA==</ds:SignatureValue>
<ds:KeyInfo><ds:KeyName>sso2.sso.bk.sapo.pt</ds:KeyName><ds:X509Data><ds:X509Subje
ctName>emailAddress=andre.cruz@segula.pt,CN=sso2.sso.bk.sapo.pt,OU=Segula,O=S
APO,L=Lisbon,ST=Lisbon,C=PT</ds:X509SubjectName><ds:X509IssuerSerial><ds:X509Issu
erName>CN=SAPO testes,OU=Segula,O=SAPO testes,L=Lisbon,ST=Lisbon,C=PT</ds:X509
IssuerName><ds:X509SerialNumber>4</ds:X509SerialNumber></ds:X509IssuerSerial><ds:X5
09Certificate>MIIC8jCCAlsCAQQwDQYJKoZIhvcNAQEFBQAwbDELMAkGA1UEBhMCU
FQxDzANBg
NV
BAgTBkxpc2JvbjEPMA0GA1UEBxMGTGlzYm9uMRQwEgYDVQQKEwtTQVBPIHRlc3Rl
czEPMA0GA1UECxMGU2VndWxhMRQwEgYDVQQDEwtTQVBPIHRlc3RlczAeFw0wNzE
y
MTcxNjU2NTBaFw0xNzEyMTQxNjU2NTBaMIGSMQswCQYDVQQGEwJQVDEPMA0GA
1UE
CBMGTGlzYm9uMQ8wDQYDVQQHEwZMaXNib24xDTALBgNVBAoTBFNBUE8xDzAN
BgNV</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:AssertionArtifact>
AAGeRwDA74A4sTxpH92LE/9CLxSE1qRRsAGkbooR2fxyw+7ZgcGgt2gd</samlp:Asserti
onArtifact></samlp:Request></S:Body></S:Envelope>
2008-05-28 17:01:19 DEBUG XMLTooling.SOAPClient [11]: received XML:
<soap11:Envelope
xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body><samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" InRes
ponseTo="_5bf46a46743c61fb0e79dd2a461f8ed3" IssueInstant="2008-05-28T15:58:20.820Z"
MajorVersion="1" MinorVersion="1" ResponseID="_11fd045fecbdee2910de43fc6950
b398"><samlp:Status><samlp:StatusCode
Value="samlp:Success"/></samlp:Status><saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_39
d6ec42bcb54f8722efbb455a0c88e6" IssueInstant="2008-05-28T15:58:20.505Z"
Issuer="https://idp.sapo.pt/shibboleth" MajorVersion="1" MinorVersion="1"><saml:Conditi
ons NotBefore="2008-05-28T15:58:20.505Z" NotOnOrAfter="2008-05-28T16:03:20.505Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"/><saml:AuthenticationStatem
ent AuthenticationInstant="2008-05-28T15:58:20.481Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
xmlns:saml="urn:oasis:names:tc:S
AML:1.0:assertion"><saml:Subject><saml:NameIdentifier
Format="urn:mace:shibboleth:1.0:nameIdentifier">_8c6781aa1b379f549e05c4d6bf399e12</sam
l:NameIdentifier><s
aml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml
:SubjectLocality
IPAddress="10.135.3.100"/></saml:AuthenticationStatement></saml:Assertion></samlp:Respo
nse></soap11:Body></soap11:Envelope>
2008-05-28 17:01:19 DEBUG XMLTooling.SOAPTransport.CURL [7]: sending SOAP message
to https://sso1.sso.bk.sapo.pt/idp/profile/SAML1/SOAP/ArtifactResolution
2008-05-28 17:01:19 DEBUG XMLTooling.SOAPTransport.CURL [7]: invoking custom X.509
verify callback
2008-05-28 17:01:19 DEBUG XMLTooling.TrustEngine.ExplicitKey [7]: attempting to match
credentials from peer with end-entity certificate
2008-05-28 17:01:19 DEBUG XMLTooling.TrustEngine.ExplicitKey [7]: end-entity certificate
matches peer RSA key information
2008-05-28 17:01:19 ERROR Shibboleth.ArtifactResolver [7]: exception resolving SAML 1.x
artifact(s): Incorrect content type (text/html;charset=ISO-8859-1) for
SOAP response.


Comments
Comment by Chad La Joie [ 02/Mar/09 ]
This is confirmed fixed with OpenSAML 2.2.4 which will be used by the 2.1.3 release of the
IdP.
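
The FWK005 message in the traces above is what Xerces reports when one parser instance is entered by a second thread while a parse is still running. The sketch below is an added example, not OpenSAML's BasicParserPool and not the fix shipped in OpenSAML 2.2.4: a pool that hands each DocumentBuilder to exactly one thread at a time, exercised by 10 concurrent callers. The pool size, iteration count and SOAP body are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ExclusiveParserPool {

    // Builders that are currently not in use by any thread.
    private final BlockingQueue<DocumentBuilder> idle;

    public ExclusiveParserPool(int size) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The endpoint parses untrusted SOAP: limit resources and refuse DOCTYPEs.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        idle = new ArrayBlockingQueue<>(size);
        for (int i = 0; i < size; i++) {
            idle.add(factory.newDocumentBuilder());
        }
    }

    /** Parses with a builder no other thread can touch until it is returned. */
    public Document parse(byte[] xml) throws Exception {
        DocumentBuilder builder = idle.take(); // blocks while all builders are busy
        try {
            return builder.parse(new ByteArrayInputStream(xml));
        } finally {
            idle.offer(builder); // always return the builder, even after a parse error
        }
    }

    /** Runs the given number of threads against one pool and returns the failure count. */
    static int hammer(ExclusiveParserPool pool, byte[] xml, int threads, int perThread)
            throws Exception {
        ExecutorService workers = Executors.newFixedThreadPool(threads);
        List<Future<Integer>> results = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            results.add(workers.submit(() -> {
                int failures = 0;
                for (int i = 0; i < perThread; i++) {
                    try {
                        pool.parse(xml);
                    } catch (Exception e) {
                        failures++;
                    }
                }
                return failures;
            }));
        }
        int total = 0;
        for (Future<Integer> result : results) {
            total += result.get();
        }
        workers.shutdown();
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Constructed SOAP envelope standing in for an artifact resolution request.
        byte[] soap = ("<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<S:Body><constructed/></S:Body></S:Envelope>")
                .getBytes(StandardCharsets.UTF_8);
        ExclusiveParserPool pool = new ExclusiveParserPool(4);
        System.out.println("parse failures across 10 threads: " + hammer(pool, soap, 10, 500));
    }
}
```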
[SIDP-194] Installer can remember the wrong thing Created: 27/May/08 Updated: 23/Jul/08 Resolved: 23/Jul/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                Bug                            Priority:            Minor
Reporter:            Rod Widdowson                  Assignee:            Chad La Joie
Resolution:          Fixed                          Votes:               0
Labels:              None

Java Version:        Sun 1.5
Servlet              Apache Tomcat 5.5
Container:

 Description
I am entering this as a tracking item. I spotted it happening 3 or 4 times at Installfest,
although I have not had a chance to reproduce it.

The best symptom seemed to be if someone ran the installation to the wrong target directory (say
/opt/shibboleth-V2.0/) and then re-ran the install with a different target (say /opt/shibboleth/) then
the installer would have some memory of the old location. install.properties was correct, but the
web.xml would still point to the old, bad target.

Because there was often a failed install unpacked into that directory things sometimes limped on
further.

In one occurrence (and I trust the reporter) there was no previous attempt at an install....

The workaround I adopted is to copy install.properties somewhere safe, then nuke the unpacked
tree, put install.properties back and then run ant. This causes everything to be re-built.

Chad, feel free to assign this to me for further analysis.

 Comments
Comment by Rod Widdowson [ 14/Jul/08 ]
Couple of issues here (so far). Firstly, if the warfile exists the jar to create the new one doesn't. If
I add

<delete file="${idp.home}/war/${war.name}" failonerror="false"/>
That clears that issue.

The next problem is that the web.xml file is not being overwritten by the edit stage:

     <copy todir="${webinf-temp.dir}" preservelastmodified="false" >
       <fileset dir="${webinf.dir}" />
       <filterset begintoken="$" endtoken="$">
         <filter token="IDP_HOME" value="${idp.home}" />
         <filter token="IDP_VERSION" value="${version}" />
       </filterset>
     </copy>

I'm assuming that if I explicitly delete $webinf-temp.dir that will work.

More soon
Comment by Rod Widdowson [ 14/Jul/08 ]
As part of the mavenization, the ant script has changed. In particular the web.xml is built:

        preservelastmodified="true"
         overwrite="true">

and the warfile is built with a <war> directive.

I am assuming that this is therefore fixed, but I will test it when I am up and running with
maven.
Comment by Rod Widdowson [ 14/Jul/08 ]
Whilst I'll buy that at worst deleting the war file is benign, I'm now not convinced that deleting the
web.xml file would be a good idea (what happens if you make a local copy for some reason (as I
am going to do for the purposes of looking at SIDP-20))? Surely you want it changed?

I'm betting that the issue is that the web.xml file in the build directory *is* more recent than the
source and so it is correct to not replace it. However the point is that the parameter which will
be used to do the substitution may have changed (if install.properties has).

So we need to figure out a way to update the web.xml if the source is newer *or*
install.properties has changed.

On second thoughts if you are smart enough to go in and edit random files in the staging area
you deserve all you get. We'll just delete the old one.
Comment by Rod Widdowson [ 14/Jul/08 ]
Assigning to Chad so he can see the comments so far (summary - I need to try a build using the
latest prost maven technology, if it's still broken we have a solution, if the existing changes to
build.xml work then we are done)
Comment by Chad La Joie [ 23/Jul/08 ]
This was fixed as a byproduct of the move to Maven and separating the project build system
from the software installation system.
[SIDP-193] Wrong error message, if no cert found for encrypt assertion Created:
22/May/08 Updated: 22/May/08 Resolved: 22/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                    Bug                       Priority:           Trivial
Reporter:                Halm Reusser              Assignee:           Chad La Joie
Resolution:              Duplicate                 Votes:              0
Labels:                  None

Java Version:            Sun 1.5
Servlet                  Apache Tomcat 5.5
Container:

 Description
If no cert for the specific SP (relying party) is found in the metadata. But the Assertion has to be
encrypted by SAML2 default configuration. The following error message is sent from idp to sp:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Message: Unable to construct NameID

This should be improved by a more exact error message.
[SIDP-192] Wrong error message, if no cert found for encrypt assertion Created:
22/May/08 Updated: 22/May/08 Resolved: 22/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                    Bug                       Priority:           Trivial
Reporter:                Halm Reusser              Assignee:           Chad La Joie
Resolution:              Duplicate                 Votes:              0
Labels:                  None

Java Version:            Sun 1.5
Servlet                  Apache Tomcat 5.5
Container:

 Description
If no cert for the specific SP (relying party) is found in the metadata. But the Assertion has to be
encrypted by SAML2 default configuration. The following error message is sent from idp to sp:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Message: Unable to construct NameID

This should be improved by a more exact error message.
[SIDP-191] Wrong error message, if no cert found for encrypt assertion Created:
22/May/08 Updated: 22/May/08 Resolved: 22/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: None
Fix Version/s:     None

Type:                    Bug                       Priority:           Trivial
Reporter:                Halm Reusser              Assignee:           Chad La Joie
Resolution:              Duplicate                 Votes:              0
Labels:                  None

Java Version:            Sun 1.5
Servlet                  Apache Tomcat 5.5
Container:

 Description
If no cert for the specific SP (relying party) is found in the metadata. But the Assertion has to be
encrypted by SAML2 default configuration. The following error message is sent from idp to sp:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
  Message: Unable to construct NameID

This should be improved by a more exact error message.
[SIDP-190] Wrong error message, if no cert found for encrypt assertion Created:
22/May/08 Updated: 15/Jun/08 Resolved: 15/Jun/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: None
Fix Version/s:     2.1.0

Type:                     Bug                      Priority:           Trivial
Reporter:                 Halm Reusser             Assignee:           Chad La Joie
Resolution:               Fixed                    Votes:              0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

 Description
If no cert for the specific SP (relying party) is found in the metadata. But the Assertion has to be
encrypted by SAML2 default configuration. The following error message is sent from idp to sp:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
  Message: Unable to construct NameID

This should be improved by a more exact error message.



 Comments
Comment by Joana Matos Fonseca da Trindade [ 13/Jun/08 ]
This happens for any SecurityException or EncryptionException thrown by a SAML2 profile
handler, as seen in the following lines from
idp.profile.saml2.AbstractSAML2ProfileHandler#buildSubject:

(...)
            } catch (SecurityException e) {
                log.error("Unable to construct encrypter", e);
                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
                        "Unable to construct NameID"));
                throw new ProfileException("Unable to construct encrypter", e);
            } catch (EncryptionException e) {
                log.error("Unable to encrypt NameID", e);
                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
                        "Unable to construct NameID"));
                throw new ProfileException("Unable to encrypt NameID", e);
            }
(...)

If replacing the "Unable to construct NameID" with the error message used by the logger is ok, I
can submit a patch.
Comment by Chad La Joie [ 15/Jun/08 ]
Fixed in rev. 2736.

Thanks Joana for pointing out where this was.
[SIDP-189] NPE in AbstractSAML2ProfileHandler Created: 20/May/08 Updated: 23/May/08
Resolved: 22/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                 Bug                     Priority:         Minor
Reporter:             Dr. Y                   Assignee:         Chad La Joie
Resolution:           Fixed                   Votes:            0
Labels:               None

Java Version:         Sun 1.6
Servlet               Apache Tomcat 6.0
Container:

Description
NullPointerException when optional NameIDPolicy tag does not exist in AuthnRequest.
Example AuthnRequest:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://omiitest12.omii.ac.uk:9443/idp/profile/SAML2/POST/SSO"
ForceAuthn="false" ID="_0x566e295de8567e3616d8bc6011374dd1" IsPassive="false"
IssueInstant="2008-05-20T11:05:38.143Z" Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://yewbie.omii.ac.uk:7002/weblogic
</saml:Issuer></samlp:AuthnRequest>


Exception thrown is :


14:27:37.465 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:790] - Using attribute transientId supporting NameID format urn:oasis:names:tc:SAML:2.0:nameid-format:transient to create the NameID.
14:27:37.469 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.NullPointerException
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildSubject(AbstractSAML2ProfileHandler.java:650)
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:267)
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:257)
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:138)
     at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:72)
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630)
     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.forwardRequest(AuthenticationEngine.java:134)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToProfileHandler(AuthenticationEngine.java:120)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.completeAuthentication(AuthenticationEngine.java:450)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:169)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630)
     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.forwardRequest(AuthenticationEngine.java:134)
     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:104)
     at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:101)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:72)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
     at java.lang.Thread.run(Thread.java:619)


Comments
Comment by Chad La Joie [ 22/May/08 ]
Fixed in rev 2732
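
The failure mode reported in this issue, an AuthnRequest that omits the optional NameIDPolicy element, handled without dereferencing a missing element. This is an added example, not code from the Shibboleth project; `resolve_nameid_policy`, `request_with_policy`, the supported-format list and the choice of transient as the default are assumptions made for illustration, and the first sample is the request from the description above.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Assumption: the formats this hypothetical IdP can issue; the first is its default.
SUPPORTED_FORMATS = (TRANSIENT, PERSISTENT)

# The AuthnRequest from the issue description: no NameIDPolicy element at all.
REQUEST_WITHOUT_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://omiitest12.omii.ac.uk:9443/idp/profile/SAML2/POST/SSO"
ForceAuthn="false" ID="_0x566e295de8567e3616d8bc6011374dd1" IsPassive="false"
IssueInstant="2008-05-20T11:05:38.143Z" Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://yewbie.omii.ac.uk:7002/weblogic</saml:Issuer></samlp:AuthnRequest>"""


def request_with_policy(policy_attrs):
    """Constructed sample: a minimal AuthnRequest carrying a NameIDPolicy."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
        'IssueInstant="2008-05-20T11:05:38Z"><samlp:NameIDPolicy %s/>'
        "</samlp:AuthnRequest>" % (SAMLP, policy_attrs)
    ).encode()


def xs_boolean(value, default=False):
    """Parse an xs:boolean attribute; an absent attribute yields the default."""
    if value is None:
        return default
    value = value.strip()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError("not an xs:boolean: %r" % value)


def resolve_nameid_policy(authn_request_xml):
    """Return the NameID format to issue, or a SAML status URI on mismatch."""
    # ElementTree is enough for these constructed samples; untrusted input
    # belongs behind a hardened parser such as defusedxml.
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")

    # find() returns None when the optional element is absent. Compare with
    # "is not None": an Element without children is falsy in a bare "if".
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    requested = policy.get("Format") if policy is not None else None
    allow_create = xs_boolean(policy.get("AllowCreate")) if policy is not None else False

    if requested is None or requested == UNSPECIFIED:
        chosen, status = SUPPORTED_FORMATS[0], None      # IdP picks its default
    elif requested in SUPPORTED_FORMATS:
        chosen, status = requested, None                 # honour the request
    else:
        chosen, status = None, INVALID_NAMEID_POLICY     # answer with an error status
    return {
        "policy_present": policy is not None,
        "requested": requested,
        "allow_create": allow_create,
        "format": chosen,
        "status": status,
    }


if __name__ == "__main__":
    print(resolve_nameid_policy(REQUEST_WITHOUT_POLICY))
```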
[SIDP-187] SAML 2 AuthnContext classes used as 1.1 auth methods and 2.0 decl
refs Created: 12/May/08 Updated: 18/Oct/09 Resolved: 03/Mar/09
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 1, SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     2.1.3

Type:               Bug                            Priority:           Minor
Reporter:           Scott Cantor                   Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

 Description
Technically we shouldn't use the SAML 2 class strings as 1.1 auth methods. We definitely
shouldn't use them as decl refs.

Better choice for now might be to just hardcode them as class refs and not support decls.

Longer term a more complex config may be needed.

Comments
Comment by Paul Hethmon [ 24/Feb/09 ]
So, if I understand this correctly, Shib is sending something like this:

<saml:AuthnContext>
    <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextDeclRef>
</saml:AuthnContext>

but should be sending:

<saml:AuthnContext>
    <saml:AuthnContextDecl>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextDecl>
</saml:AuthnContext>
Is this correct? I need a fix for it and want to make sure I'm poking code where I should be.
Comment by Scott Cantor [ 24/Feb/09 ]
No, the IdP should be sending:

<saml:AuthnContext>
 <saml:AuthnContextClassRef>
   urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 </saml:AuthnContextClassRef>
</saml:AuthnContext>

The other problem is that it's hardwired to send the same string for either SAML version, and
those strings aren't technically defined as SAML 1 AuthenticationMethods.
Comment by Scott Cantor [ 24/Feb/09 ]
I just checked in a partial fix that changes the element used in the normal case where the
AuthnRequest doesn't include anything. That's where the wrong element was coming from.

A more complete fix is a different story, but if we're going to hardwire the config strings to map
to a particular element, the ClassRef is the right choice.
Comment by Paul Hethmon [ 26/Feb/09 ]
Ok. Makes sense. I think I typoed my comment.

I've done a build here and tested a bit and it seems to work (albeit with your caveats).

I did a test on a 2.1.2 server sending it a bad <requestedAuthnContextClassRef> and it's
throwing an exception at AuthenticationEngine:719 (java.util.NoSuchElementException) in a
HashMap. Maybe not pertinent to this issue, but related somewhat. I have not researched to see
what should happen at that point (per protocol).
Comment by Chad La Joie [ 03/Mar/09 ]
I'm closing this out then. If we ever choose to support more complex authentication context
mechanics another ticket can be opened and tracked.
Comment by Scott Cantor [ 03/Mar/09 ]
I'm ok with that, provided that a custom LoginHandler can be written to populate
AuthenticationMethod in a SAML 1.1 request differently from a 2.0 request. Anybody using
current method strings in SAML 1.1 will need to be able to handle the difference to migrate
properly.

I believe handlers can set the method dynamically now, but can they tell the SAML version being
used?
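
The AuthnContext variants quoted in this thread, plus the SAML 1.1 AuthenticationMethod case, run through a small checker that flags a SAML 2.0 class URI placed anywhere other than AuthnContextClassRef. This is an added example, not code from the Shibboleth project; the function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLASS_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PPT = CLASS_PREFIX + "PasswordProtectedTransport"
SAML1_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"


def saml2_context(child):
    """Constructed sample: an AuthnContext holding PPT in the named child element."""
    return (
        '<saml:AuthnContext xmlns:saml="%s">\n <saml:%s>\n   %s\n </saml:%s>\n'
        "</saml:AuthnContext>" % (SAML2, child, PPT, child)
    ).encode()


def saml1_statement(method):
    """Constructed sample: a SAML 1.1 AuthenticationStatement with the given method."""
    return (
        '<saml:AuthenticationStatement xmlns:saml="%s" AuthenticationMethod="%s" '
        'AuthenticationInstant="2009-02-24T00:00:00Z"/>' % (SAML1, method)
    ).encode()


def lint_authn_context(xml_bytes):
    """Return (location, uri) pairs where a SAML 2.0 class URI is misplaced."""
    # ElementTree is enough for constructed samples; untrusted input belongs
    # behind a hardened parser such as defusedxml.
    root = ET.fromstring(xml_bytes)
    findings = []

    # SAML 2.0: a class URI belongs in AuthnContextClassRef, never in the
    # declaration reference or in the declaration body.
    for ctx in root.iter("{%s}AuthnContext" % SAML2):
        for name in ("AuthnContextDeclRef", "AuthnContextDecl"):
            for el in ctx.findall("{%s}%s" % (SAML2, name)):
                uri = (el.text or "").strip()
                if uri.startswith(CLASS_PREFIX):
                    findings.append((name, uri))

    # SAML 1.1: the 2.0 class strings are not defined AuthenticationMethod values.
    for stmt in root.iter("{%s}AuthenticationStatement" % SAML1):
        method = (stmt.get("AuthenticationMethod") or "").strip()
        if method.startswith(CLASS_PREFIX):
            findings.append(("AuthenticationMethod", method))
    return findings


def class_refs(xml_bytes):
    """Return the class URIs carried in AuthnContextClassRef, whitespace stripped."""
    root = ET.fromstring(xml_bytes)
    return [
        (el.text or "").strip()
        for el in root.iter("{%s}AuthnContextClassRef" % SAML2)
    ]


if __name__ == "__main__":
    for child in ("AuthnContextDeclRef", "AuthnContextDecl", "AuthnContextClassRef"):
        print(child, lint_authn_context(saml2_context(child)))
    print("SAML 1.1", lint_authn_context(saml1_statement(PPT)))
```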
[SIDP-185] NullPointerException after AttributeQuery when Security Rule fails
Created: 25/Apr/08 Updated: 28/May/08 Resolved: 28/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                     Bug                               Priority:   Minor
Reporter:                 Patrik Schnellmann                Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.5
Servlet Container:        Apache Tomcat 5.5

 Description
PKIX validation was not enabled, so the SP's client certificate of the AttributeQuery could not be
verified. This results in an NPE.

22:13:25.752 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:175] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Client certificate authentication failed for context issuer entity ID
     at org.opensaml.ws.security.provider.ClientCertAuthRule.doEvaluate(ClientCertAuthRule.java:143)
     at org.opensaml.ws.security.provider.ClientCertAuthRule.evaluate(ClientCertAuthRule.java:109)
     at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50)
     at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:84)
     at org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1MessageDecoder.java:88)
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.decodeRequest(AttributeQueryProfileHandler.java:158)
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:80)
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:54)
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:72)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
     at java.lang.Thread.run(Thread.java:595)
22:13:25.753 DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:216] - Checking child metadata provider for entity descriptor with entity ID: https://kelimutu.switch.ch/shibboleth
22:13:25.753 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:73] - Getting descriptor for entity https://kelimutu.switch.ch/shibboleth
22:13:25.754 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://kelimutu.switch.ch/shibboleth
22:13:25.754 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:208] - Entity descriptor for the ID https://kelimutu.switch.ch/shibboleth was found in index cache, returning
22:13:25.754 DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:216] - Checking child metadata provider for entity descriptor with entity ID: https://kelimutu.switch.ch/shibboleth
22:13:25.754 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:73] - Getting descriptor for entity https://kelimutu.switch.ch/shibboleth
22:13:25.755 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://kelimutu.switch.ch/shibboleth
22:13:25.755 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:208] - Entity descriptor for the ID https://kelimutu.switch.ch/shibboleth was found in index cache, returning
22:13:25.755 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://kelimutu.switch.ch/shibboleth
22:13:25.756 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://kelimutu.switch.ch/shibboleth, looking up configuration based on metadata groups.
22:13:25.756 DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:216] - Checking child metadata provider for entity descriptor with entity ID: https://kelimutu.switch.ch/shibboleth
22:13:25.756 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:73] - Getting descriptor for entity https://kelimutu.switch.ch/shibboleth
22:13:25.756 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://kelimutu.switch.ch/shibboleth
22:13:25.757 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:208] - Entity descriptor for the ID https://kelimutu.switch.ch/shibboleth was found in index cache, returning
22:13:25.757 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://kelimutu.switch.ch/shibboleth. Using default relying party configuration.
22:13:25.757 DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:216] - Checking child metadata provider for entity descriptor with entity ID: https://lawu.switch.ch/idp/shibboleth
22:13:25.758 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:73] - Getting descriptor for entity https://lawu.switch.ch/idp/shibboleth
22:13:25.758 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://lawu.switch.ch/idp/shibboleth
22:13:25.758 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:208] - Entity descriptor for the ID https://lawu.switch.ch/idp/shibboleth was found in index cache, returning
22:13:25.759 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.NullPointerException
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler.populateStatusResponse(AbstractSAML1ProfileHandler.java:427)
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler.buildErrorResponse(AbstractSAML1ProfileHandler.java:410)
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:114)
     at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:54)
     at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:72)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
     at java.lang.Thread.run(Thread.java:595)


Comments
Comment by Chad La Joie [ 28/May/08 ]
Fixed in rev 2735
[SIDP-183] make idp session available to logging system Created: 21/Apr/08        Updated: 24/Apr/08
Resolved: 24/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.1.0
Fix Version/s:     None

Type:                 Improvement                Priority:           Minor
Reporter:             Will Norris                Assignee:           Chad La Joie
Resolution:           Fixed                      Votes:              0
Labels:               None


 Description
Use SLF4J Mapped Diagnostic Contexts to make either the idp session ID or tomcat session ID
(or some other ID... thread maybe?) available for logging. This allows deployers to identify
which request the IdP was processing when a particular message was logged.

 Comments
Comment by Chad La Joie [ 24/Apr/08 ]
The IdP session ID and user's principal name are now available within the logging diagnostic
context. Thread ID was always available. Example on how to use this information has been
included in the example logging configuration file. Shib wiki has also been updated.
[SIDP-182] Allow configuration files to include other files Created: 18/Apr/08         Updated: 25/Apr/08
Resolved: 25/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                 New Feature                  Priority:            Minor
Reporter:             Christopher Bongaarts        Assignee:            Chad La Joie
Resolution:           Completed                    Votes:               0
Labels:               None

Issue Links:          Dependency
                      depends on JOWS-8 Allow a filter to be attached to a Re...              Closed

 Description
Have a directive that works like the C preprocessor #include directive to allow a configuration
file to include another configuration file at a particular point. It might be useful to allow included
files to include other files, though my particular use case does not require it.

I'm not proficient enough in XML to know if there is already a standard way to do this, or how
one might ideally define such a feature so that the XML still validates.

Comments
Comment by Chad La Joie [ 24/Apr/08 ]
The IdP is able to load more than one configuration file for a given service; however, this feature
was undocumented. This has now been fixed:

https://spaces.internet2.edu/display/SHIB2/IdPConfigConfig

If this ability meets your need please close out this bug.

Additionally, an add-on feature request, related to this, has been submitted:
https://bugs.internet2.edu/jira/browse/SIDP-184
Comment by Christopher Bongaarts [ 25/Apr/08 ]
Looks like the service.xml multiple config files will meet my needs.
[SIDP-181] Released Attributes not logged when using SAML2 Created: 17/Apr/08             Updated:
17/Apr/08 Resolved: 17/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                     Bug                    Priority:          Minor
Reporter:                 Ina Müller             Assignee:          Chad La Joie
Resolution:               Fixed                  Votes:             0
Labels:                   None

Java Version:             Sun 1.5
Servlet Container:        Apache Tomcat 5.5

 Description
SAML 2 requests do not log released attributes in either audit.log or process.log:
|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|...|urn:mace:shibboleth:2.0:profiles:saml2:sso|...|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|...|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||

Using SAML1, the released attributes are logged:
|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|...|urn:mace:shibboleth:2.0:profiles:saml1:query:attribute|...|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|....||displayName,eduPersonEntitlement,email,eduPersonOrgDN,.....,|



Comments
Comment by Chad La Joie [ 17/Apr/08 ]
Fixed in rev 2742
[SIDP-180] Double comment entry in relying-party.xml Created: 14/Apr/08           Updated: 17/Apr/08
Resolved: 17/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                 Task                        Priority:          Trivial
Reporter:             Franck Borel                Assignee:          Chad La Joie
Resolution:           Invalid                     Votes:             0
Labels:               None


 Description
Following comment appears twice in the relying-party.xml

<!--
      The attributes provided for each of these profile is set to its default value
      that is, the values that would be in effect if those attributes were not present.
      We list them here so that people are aware of them (since they seem reluctant to
      read the documentation).
    -->




Comments
Comment by Chad La Joie [ 17/Apr/08 ]
This was already addressed
[SIDP-179] Duplicate dependencies cause failed resolution Created: 08/Apr/08       Updated:
17/Apr/08 Resolved: 17/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                     Bug                     Priority:          Minor
Reporter:                 Nate Klingenstein       Assignee:          Will Norris
Resolution:               Cannot Reproduce        Votes:             0
Labels:                   None

Java Version:             Sun 1.5
Servlet Container:        Apache Tomcat 5.5

 Description
Inclusion of double dependencies in the same attribute definition, such as:

<resolver:AttributeDefinition...>
 <resolver:Dependency ref="staticAttributes" />
 <resolver:Dependency ref="staticAttributes" />

<!-- encoders go here -->

</resolver:AttributeDefinition>

causes a failure to define any attribute values. This might not be expected behavior, and a WARN
or simply ignoring the duplicate would be helpful.
[SIDP-178] Addition of an example PrincipalName AttributeDefinition Created:
08/Apr/08 Updated: 28/May/08 Resolved: 28/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                    Improvement               Priority:         Trivial
Reporter:                Nate Klingenstein         Assignee:         Chad La Joie
Resolution:              Won't Fix                 Votes:            0
Labels:                  None


 Description
It'd be nice to include a PrincipalName attribute definition in the distribution attribute-
resolver.xml since I've found many deployers would like to use it. Shouldn't pose any risk
without other dependent mappings and/or a release filter.

 Comments
Comment by Chad La Joie [ 28/May/08 ]
There is already an example of how to define this within our documentation. I'm not going to
provide examples in the config file for every possible option.

https://spaces.internet2.edu/display/SHIB2/ResolverPrincipalNameDefinition
[SIDP-176] useKeyTab should be set to true Created: 04/Apr/08      Updated: 17/Apr/08 Resolved: 17/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:              Improvement                   Priority:           Minor
Reporter:          Markus Grandpre               Assignee:           Chad La Joie
Resolution:        Fixed                         Votes:              0
Labels:            None


Description
When I started the Shibboleth IdP in order to use the Kerberos support for authentication

ShibUserPassAuth {

...

// Example Kerberos authentication, requires Sun's JVM
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass

  com.sun.security.auth.module.Krb5LoginModule required
    keyTab="/etc/apache2/apache2.keytab";
};


I get the following error/debug message

DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: Configuration Error - useKeyTab should be set to true to use the keytab/etc/apache2/apache2.keytab ...

This error can be fixed by adding 'useKeyTab="true"':

ShibUserPassAuth {

...

// Example Kerberos authentication, requires Sun's JVM
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass

  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab="true"
    keyTab="/etc/apache2/apache2.keytab";
};


Markus

Comments
Comment by Chad La Joie [ 17/Apr/08 ]
Fixed in rev 2725 and documentation updated.
[SIDP-175] Security role name missing in web.xml Created: 03/Apr/08 Updated: 28/May/08 Resolved:
28/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                           Priority:         Minor
Reporter:           Markus Grandpre               Assignee:         Chad La Joie
Resolution:         Fixed                         Votes:            0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

Description
After I downloaded the stable release of Shibboleth 2.0.0 IdP and deployed it into an
ApacheTomcat-5.5.20 environment, catalina returns

INFO: WARNING: Security role name user used in an <auth-constraint> without being defined in a <security-role>

after first startup. The following code was simply missing from the WEB-INF/web.xml file:

  <security-role>
   <description>
    An example role defined in "conf/tomcat-users.xml"
   </description>
   <role-name>user</role-name>
  </security-role>

Markus

Comments
Comment by Chad La Joie [ 28/May/08 ]
Added in rev 2733
[SIDP-174] Jira Misconfigured Created: 03/Apr/08     Updated: 03/Apr/08 Resolved: 03/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:               Bug                           Priority:                Major
Reporter:           Hendrik Brummermann           Assignee:                Chad La Joie
Resolution:         Invalid                       Votes:                   0
Labels:             None

Java Version:       Sun 1.6
Servlet Container:  Apache Tomcat 5.0

 Description
It is not possible to create entries without selecting anything in the sections "Endorsed Libraries"
and "Servlet Container". I don't have anything in my endorsed dir, so I am forced to lie in order
to be able to create a bug report.

Comments
Comment by Chad La Joie [ 03/Apr/08 ]
Shibboleth requires Xerces and Xalan to be endorsed.
[SIDP-173] IllegalStateException while parsing hostname Created: 03/Apr/08            Updated: 28/May/08
Resolved: 28/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Build
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                 Bug                          Priority:           Major
Reporter:             Hendrik Brummermann          Assignee:           Chad La Joie
Resolution:           Invalid                      Votes:              0
Labels:               None

Java Version:         Sun 1.6
Servlet Container:    Apache Tomcat 5.0

 Description
/usr/src/identityprovider# sh ant.sh
Buildfile: build.xml

install:
Is this a new installation? Answering yes will overwrite your current configuration. [yes|no]
yes
Where should the Shibboleth Identity Provider software be installed? [default: /usr/local/shibboleth-idp-2.0.0]

What is the hostname of the Shibboleth Identity Provider server? [default: localhost]

A keystore is about to be generated for you. Please enter a password that will be used to protect it.

Updating property file: /usr/src/identityprovider/install.properties

BUILD FAILED
/usr/src/identityprovider/build.xml:190: java.lang.IllegalStateException: No match found

Total time: 11 seconds


NOTE: The entries in "Endorsed Libraries" and "Servlet Container" are just there to make the
misconfigured Jira happy. Ignore them.
Comments
Comment by Chad La Joie [ 28/May/08 ]
This is because you're not using a fully qualified hostname.

I've changed the text of the installer to explicitly say that the fully qualified hostname is
required.
[SIDP-172] AACLI.BAT should check whether IDP_HOME is defined before
testing whether it exists. Created: 02/Apr/08 Updated: 14/Jul/08 Resolved: 14/Jul/08
Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                            Priority:           Trivial
Reporter:           Rod Widdowson                  Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet Container:  Apache Tomcat 5.5

 Description
If you don't have it set then the batch file will fail with an impenetrable "The Syntax of the
command is incorrect".

I can fix this once the streams situation has settled down.

Comments
Comment by Chad La Joie [ 15/Jun/08 ]
Can you go ahead and fix this up in the IdP REL_2 branch?
Comment by Rod Widdowson [ 14/Jul/08 ]
Fixed in version 2743
Comment by Rod Widdowson [ 14/Jul/08 ]
Closed (no further test needed). Over to Chad
[SIDP-171] Cannot deploy to directories in spaces in the names Created: 01/Apr/08              Updated:
23/Jul/08 Resolved: 15/Jul/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                      Improvement               Priority:            Minor
Reporter:                  Rod Widdowson             Assignee:            Rod Widdowson
Resolution:                Fixed                     Votes:               0
Labels:                    None


Description
Tracking only. I'll find time to chase this up further. The initial failure is:

01-Apr-2008 15:10:25 org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class
org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML
document from URL [file:/program]; nested exception is java.io.FileNotFoundException:
\program (The system cannot find the file specified)

Edited to add:

There is also an issue with "MSDOS drives" under Windows (C:\ &c) which is related to this. They
should be fixed together.

 Comments
Comment by Rod Widdowson [ 01/Apr/08 ]
As part of this I have discovered that there is some stickiness involved with an install - I rebuilt
with a new root for the idp but the web.xml put into the war file had the 'old' root in it.
Comment by Chad La Joie [ 17/Apr/08 ]
This should be fixed in the latest rev in the REL_2 branch. Can you verify?
Comment by Rod Widdowson [ 15/Jul/08 ]
We believe that this is fixed, so I am going to mark it resolved. To be tested when we have a
candidate
Comment by Chad La Joie [ 23/Jul/08 ]
Fixed and verified
[SIDP-170] Attribute Filter refresh won't work with
"resource:FileBackedHttpResource" Created: 31/Mar/08 Updated: 30/May/08      Resolved: 30/May/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                            Priority:           Minor
Reporter:           Lukas Hämmerle                 Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 5.5
Container:

 Description
If the IdP shall refresh the attribute-filter.xml file from a URL, one can use something like:

<ConfigurationResource url="https://talang.switch.ch/gen_attribute-filter.php/aaitest/lewotolo.switch.ch/attribute-filter.xml" xsi:type="resource:HttpResource" />

in the server.xml. This works fine, but for availability reasons it would be a better idea to use a
"FileBackedHttpResource" with:

<ConfigurationResource url="https://talang.switch.ch/gen_attribute-filter.php/aaitest/lewotolo.switch.ch/attribute-filter.xml" file="/opt/shibboleth-idp-trunk/conf/attribute-filter.xml" xsi:type="resource:FileBackedHttpResource" />

However, when using this I get:
11:04:16.683 [main] ERROR o.s.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception
parsing XML document from URL [file:/opt/shibboleth-idp-trunk/conf/service.xml]; nested
exception is java.lang.IllegalArgumentException: Cannot locate BeanDefinitionParser for
element: {urn:mace:shibboleth:2.0:services}ConfigurationResource
   at
org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(Xml
BeanDefinitionReader.java:405)
   at
org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBe
anDefinitionReader.java:327)
...
Caused by: java.lang.IllegalArgumentException: Cannot locate BeanDefinitionParser for
element: {urn:mace:shibboleth:2.0:services}ConfigurationResource
    at
edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler.findParserF
orElement(BaseSpringNamespaceHandler.java:119)


Comments
Comment by Chad La Joie [ 30/May/08 ]
Fixed in shib-common rev 750
[SIDP-169] relying-party.xml has duplicated comment, typo Created: 28/Mar/08           Updated:
17/Apr/08 Resolved: 17/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:                     Bug                      Priority:            Trivial
Reporter:                 Ian Young                Assignee:            Chad La Joie
Resolution:               Fixed                    Votes:               0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

 Description
The example relying-party.xml file has a big comment at the top of it. Twice. Once is surely
enough.

Also, it should be "these profiles" in the first line of the comment.

Comments
Comment by Chad La Joie [ 17/Apr/08 ]
Fixed in rev 2726
[SIDP-168] eduPersonTargetedID.old default scope is Ian instead of example.org
Created: 24/Mar/08 Updated: 23/May/08 Resolved: 25/Mar/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     None

Type:                     Bug                               Priority:   Trivial
Reporter:                 Nate Klingenstein                 Assignee:   Chad La Joie
Resolution:               Fixed                             Votes:      0
Labels:                   None

Java Version:             Sun 1.5
Servlet                   Apache Tomcat 5.5
Container:

 Description
  <resolver:AttributeDefinition id="eduPersonTargetedID.old" xsi:type="Scoped"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="iay.org.uk" sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />

    <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
       name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
  </resolver:AttributeDefinition>


Comments
Comment by Chad La Joie [ 25/Mar/08 ]
Fixed in rev 2712
[SIDP-167] Missing tags and incomplete login.jsp Created: 20/Mar/08   Updated: 17/Apr/08 Resolved:
17/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0
Fix Version/s:     2.1.0

Type:               Bug                        Priority:        Minor
Reporter:           Franck Borel               Assignee:        Chad La Joie
Resolution:         Fixed                      Votes:           0
Labels:             None

Java Version:       Sun 1.5
Servlet             Apache Tomcat 5.5
Container:

 Description
1) Missing body end tag in the login.jsp.

Solution:
Add </body>

2) Missing head and title tags in login.jsp:
Solution:

Add <head><title>Shibboleth Identity Provider</title></head>

Comments
Comment by Chad La Joie [ 17/Apr/08 ]
Fixed in rev 2727
[SIDP-166] AuthnRequest with forceAuthn="1" attribute has no effect Created:
19/Mar/08 Updated: 23/May/08 Resolved: 20/Mar/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       Authentication
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:                    Bug                        Priority:           Minor
Reporter:                Ivan Novakov               Assignee:           Chad La Joie
Resolution:              Fixed                      Votes:              0
Labels:                  None

Java Version:            Sun 1.6
Servlet                  Apache Tomcat 5.5
Container:

 Description
Session initiation:

https://sp2.example.org/Shibboleth.sso/Login?entityID=https://idp2.example.org/idp/shibboleth&forceAuthn=1&target=https://sp2.example.org/secure


SAML AuthnRequest as decoded at the IdP:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1"
Destination="https://idp2.example.org/idp/profile/SAML2/Redirect/SSO" ForceAuthn="1"
ID="_6527abdf684eb7600be5e60b23d3c6d7" IssueInstant="2008-03-19T13:38:57Z"
Version="2.0">
 <saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp2.example.org/shibboleth/cztestfed/sp</saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>


It seems that the IdP detects the 'forceAuthn' attribute, but it has no effect, since the IdP runs the
PreviousSession authentication handler:

14:38:57.764 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:183] - Beginning user
authentication process
14:38:57.764 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:187] - Existing IdP
session available for principal novakov
14:38:57.764 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:191] - Possible
authentication handlers for this request:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth
.idp.authn.provider.PreviousSessionLoginHandler@39826,
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware
.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@1fa10da}
14:38:57.764 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:270] - Forced
authentication is required, filtering possible login handlers accordingly
14:38:57.765 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:287] - Authentication
handlers remaining after forced authentication requirement filtering:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth
.idp.authn.provider.PreviousSessionLoginHandler@39826,
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware
.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@1fa10da}
14:38:57.765 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:204] - Possible
authentication handlers after filtering:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth
.idp.authn.provider.PreviousSessionLoginHandler@39826,
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware
.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@1fa10da}
14:38:57.765 DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:338] - Authenticating user
by way of existing session.


Obviously, when forced authentication is required, some kind of filtering of the auth handlers is
performed, but without any effect.

Comments
Comment by Ivan Novakov [ 20/Mar/08 ]
Fixed in 2.0.0
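A detection sketch for the failure reported in SIDP-166, added here and not part of the issue or of the Shibboleth code base: it scans IdP process-log records for an authentication attempt in which forced authentication was required yet the user was still authenticated from the existing session. The sample log is constructed from the messages quoted in the report; the code assumes one record per line and that attempts are not interleaved in the log, since the records carry no request identifier.

```python
import re

# One IdP process-log record: "HH:MM:SS.mmm LEVEL [logger:line] - message"
RECORD = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[\w.$]+):(?P<line>\d+)\]\s+-\s+(?P<msg>.*)$"
)

# Message fragments taken from the log excerpt in the report.
START = "Beginning user authentication process"
FORCED = "Forced authentication is required"
REMAINING = "remaining after forced authentication requirement filtering"
REUSED = "Authenticating user by way of existing session"
PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"


def find_ignored_force_authn(lines):
    """Return one finding per attempt where ForceAuthn was honoured in the
    log text but the existing session was used anyway."""
    findings = []
    attempt = None  # state of the authentication attempt being traced
    for raw in lines:
        m = RECORD.match(raw.strip())
        if not m:
            continue  # not a log record (blank line, stack-trace line, ...)
        ts, msg = m.group("ts"), m.group("msg")
        if START in msg:
            attempt = {"start": ts, "forced": False, "prev_kept": False}
        elif attempt is None:
            continue
        elif FORCED in msg:
            attempt["forced"] = True
        elif REMAINING in msg:
            # The filter should have dropped the PreviousSession handler.
            attempt["prev_kept"] = PREVIOUS_SESSION in msg
        elif REUSED in msg and attempt["forced"]:
            findings.append({
                "start": attempt["start"],
                "at": ts,
                "previous_session_survived_filter": attempt["prev_kept"],
            })
            attempt = None
    return findings


# Constructed sample: attempt 1 mirrors the sequence in the report,
# attempt 2 is an ordinary SSO request without ForceAuthn.
_ENGINE = "edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine"
_PROVIDER = "edu.internet2.middleware.shibboleth.idp.authn.provider"
_HANDLERS = (
    "{" + PREVIOUS_SESSION + "=" + _PROVIDER + ".PreviousSessionLoginHandler@39826, "
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport="
    + _PROVIDER + ".UsernamePasswordLoginHandler@1fa10da}"
)
SAMPLE_LOG = [
    f"14:38:57.764 DEBUG [{_ENGINE}:183] - {START}",
    f"14:38:57.764 DEBUG [{_ENGINE}:187] - Existing IdP session available for principal novakov",
    f"14:38:57.764 DEBUG [{_ENGINE}:191] - Possible authentication handlers for this request: {_HANDLERS}",
    f"14:38:57.764 DEBUG [{_ENGINE}:270] - {FORCED}, filtering possible login handlers accordingly",
    f"14:38:57.765 DEBUG [{_ENGINE}:287] - Authentication handlers {REMAINING}: {_HANDLERS}",
    f"14:38:57.765 DEBUG [{_ENGINE}:204] - Possible authentication handlers after filtering: {_HANDLERS}",
    f"14:38:57.765 DEBUG [{_ENGINE}:338] - {REUSED}.",
    f"14:40:02.100 DEBUG [{_ENGINE}:183] - {START}",
    f"14:40:02.100 DEBUG [{_ENGINE}:187] - Existing IdP session available for principal novakov",
    f"14:40:02.101 DEBUG [{_ENGINE}:204] - Possible authentication handlers after filtering: {_HANDLERS}",
    f"14:40:02.101 DEBUG [{_ENGINE}:338] - {REUSED}.",
]

if __name__ == "__main__":
    for finding in find_ignored_force_authn(SAMPLE_LOG):
        print(finding)
```
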
[SIDP-165] Support for SessionNotOnOrAfter Created: 11/Mar/08            Updated: 18/Apr/08 Resolved:
18/Apr/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:               New Feature                    Priority:           Minor
Reporter:           Scott Cantor                   Assignee:           Chad La Joie
Resolution:         Fixed                          Votes:              0
Labels:             None


 Description
Would be nice to hack in a SAML2SSO profile handler attribute for setting a
SessionNotOnOrAfter value when issuing SSO assertions.


 Comments
Comment by Scott Cantor [ 14/Apr/08 ]
The authenticationDuration LoginHandler attribute (which defaults to 30) is being used to set
this value.

I suggest splitting that out and making this a separate profile handler attribute (or relying party
setting?).
Comment by Chad La Joie [ 18/Apr/08 ]
Added an option on the SAML SSO profile configuration that allows deployer to specify
maximum SP session lifetime. shibcommon rev 742 and idp rev 2728
[SIDP-164] Option to make session cookie secure. Created: 10/Mar/08 Updated: 15/Jun/08    Resolved:
15/Jun/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: None
Fix Version/s:     2.1.0

Type:               Improvement                    Priority:               Minor
Reporter:           Scott Cantor                   Assignee:               Chad La Joie
Resolution:         Fixed                          Votes:                  0
Labels:             None


 Description
It looks like the authentication engine hardcodes the setSecure method to false when it creates
the session cookie, would be nice to make that an option for people that aren't dumb enough to
run this over http.


 Comments
Comment by Peter Schober [ 14/Jun/08 ]
I added a tiny patch to SIDP-199 that also tries to fix this issue with:
- sessionCookie.setSecure(false);
+ sessionCookie.setSecure(httpRequest.isSecure());
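Review bot: the `+` line derives the Secure flag from `httpRequest.isSecure()`, which reports how the servlet container saw the connection, so when TLS is terminated at a proxy or load balancer in front of the container it returns false and the session cookie is still issued without Secure. The issue asks for an option, so consider a deployer-settable setting that forces `setSecure(true)` and falls back to `isSecure()` only when that setting is absent.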
Comment by Chad La Joie [ 15/Jun/08 ]
Fixed in rev. 2738
[SIDP-162] 2.0 AA response issues Created: 09/Mar/08    Updated: 23/May/08 Resolved: 11/Mar/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       SAML 2
Affects Version/s: 2.0.0
Fix Version/s:     None

Type:               Bug                           Priority:             Minor
Reporter:           Scott Cantor                  Assignee:             Chad La Joie
Resolution:         Fixed                         Votes:                0
Labels:             None

Java Version:       Sun 1.6
Servlet             Apache Tomcat 6.0
Container:

 Description
The 2.0 AA query endpoint returned, when no attributes were released, an empty assertion.
Suggest this be changed to an empty Response to avoid useless caching of the assertion by the
SP.

I also noticed it was using the sender-vouches confirmation method. The profile isn't terribly
specific on that, but it's generally accepted that they shouldn't have a confirmation method. The
code had a branch to a function that requires a conf method, but an if null check should bypass
that logic.

Didn't test the 1.1 AA yet.

Comments
Comment by Chad La Joie [ 11/Mar/08 ]
Fixed in rev. 2688
[SIDP-161] PersistentID cannot be set/read from postgres/MySQL DB Created:
04/Mar/08 Updated: 17/Mar/08 Resolved: 17/Mar/08

Status:            Closed
Project:           Shibboleth IdP 2 - Java
Component/s:       None
Affects Version/s: 2.0.0
Fix Version/s:     2.0.0

Type:                    Bug                       Priority:         Major
Reporter:                Lukas Hämmerle            Assignee:         Will Norris
Resolution:              Fixed                     Votes:            0
Labels:                  None

Java Version:            Sun 1.5
Servlet                  Apache Tomcat 5.5
Container:

 Description
I configured the persistentID generation in the attribute-resolver.xml using the configuration
below:

  <resolver:AttributeDefinition id="persistentID" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad">
     <resolver:Dependency ref="myPersistentID" />
     <resolver:AttributeEncoder xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:persistentId" />
     <resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:2.16.840.1.113730.3.1.3.0001" friendlyName="persistentID" />
  </resolver:AttributeDefinition>



   <resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
              id="myPersistentID"
              sourceAttributeID="uniqueID"
              salt="bcb185de26c0c2e65e8f7972dde598ea">

       <resolver:Dependency ref="uniqueID" />

<!--
       <ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                      jdbcURL="jdbc:mysql://127.0.0.1/shibboleth"
                      jdbcUserName="shibboleth"
                      jdbcPassword="demo" />
-->

      <ApplicationManagedConnection jdbcDriver="org.postgresql.Driver"
                    jdbcURL="jdbc:postgresql://127.0.0.1/shibboleth"
                    jdbcUserName="shibboleth"
                    jdbcPassword="demo" />

  </resolver:DataConnector>


However, when the assertion is created, I get this error in the process log:

11:12:07.698 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRe
solver:294] - Resolving attribute persistentID for principal demouser2
11:12:07.699 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRe
solver:334] - Resolving data connector myPersistentID for principal demouser2
11:12:07.699 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRe
solver:316] - Resolved attribute uniqueID containing 1 values
11:12:07.700 WARN
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredIDDataConnector:203] - Source attribute uniqueID for connector myPersistentID has more than one value, only the first value is used
11:12:07.700 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredIDStore:355] - Selecting persistent ID entry based on SQL query: SELECT * FROM shibpid WHERE localEntity = 'urn:mace:switch.ch:aaitest:lewotolo.switch.ch' AND peerEntity = 'https://dieng.switch.ch/shibboleth' AND localId = '3141592@aaitest.example.ch' AND deactivationDate IS NULL
11:15:02.946 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:1853] - A
RESOURCE POOL IS PERMANENTLY BROKEN!
[com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@14d774f]
11:15:02.955 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:866] -
com.mchange.v2.resourcepool.BasicResourcePool@1860045 -- Unexpectedly broken!!!
com.mchange.v2.resourcepool.ResourcePoolException: Unexpected Break Stack Trace!
      at
com.mchange.v2.resourcepool.BasicResourcePool.unexpectedBreak(BasicResourcePool.java:86
6)
      at
com.mchange.v2.resourcepool.BasicResourcePool.access$1100(BasicResourcePool.java:32)
    at
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask.run(BasicResourcePool.java:18
54)
    at
com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchro
nousRunner.java:547)



It doesn't play a role whether I use postgres or MySQL, the error message stays the same. The
query is valid and can be executed when using the same credentials and a mysql/postgres
terminal client.


 Comments
Comment by Chad La Joie [ 10/Mar/08 ]
Will, it is my hunch that what is occurring here is that the pool code attempts to run a validation
query on the connection when the connection is pulled from the pool. The first thing I'd do is
add a default validation SQL query within the code. If that fixes the problem just add a new
configuration property to take such a query.

This likely affects the database data connector as well so check that one out.
Comment by Lukas Hämmerle [ 14/Mar/08 ]
I checked out from trunk again yesterday and tried again with MySQL and postgres. However,
still doesn't seem to be working for none of them. The error now looks a bit different though and
the query is not logged anymore.

14:27:10.011 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRe
solver:294] - Resolving attribute persistentID for principal demouser2
14:27:10.011 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRe
solver:334] - Resolving data connector myPersistentID for principal demouser2
14:27:10.012 DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRe
solver:316] - Resolved attribute uniqueID containing 1 values

14:30:05.274 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:1853] - A
RESOURCE POOL IS PERMANENTLY BROKEN!
[com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@b103dd]
14:30:05.273 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:1853] - A
RESOURCE POOL IS PERMANENTLY BROKEN!
[com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@19dbc3b]
14:30:05.283 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:866] -
com.mchange.v2.resourcepool.BasicResourcePool@1423820 -- Unexpectedly broken!!!
com.mchange.v2.resourcepool.ResourcePoolException: Unexpected Break Stack Trace!
at
com.mchange.v2.resourcepool.BasicResourcePool.unexpectedBreak(BasicResourcePool.java:86
6)
at com.mchange.v2.resourcepool.BasicResourcePool.access$1100(BasicResourcePool.java:32)
at
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask.run(BasicResourcePool.java:18
54)
at
com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchro
nousRunner.java:547)
14:30:05.285 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:1853] - A
RESOURCE POOL IS PERMANENTLY BROKEN!
[com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@322394]
14:30:05.286 ERROR [com.mchange.v2.resourcepool.BasicResourcePool:866] -
com.mchange.v2.resourcepool.BasicResourcePool@1423820 -- Unexpectedly broken!!!
com.mchange.v2.resourcepool.ResourcePoolException: Unexpected Break Stack Trace!
at
com.mchange.v2.resourcepool.BasicResourcePool.unexpectedBreak(BasicResourcePool.java:86
6)
at com.mchange.v2.resourcepool.BasicResourcePool.access$1100(BasicResourcePool.java:32)
at
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask.run(BasicResourcePool.java:18
54)
at
com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchro
nousRunner.java:547)
14:30:05.289 ERROR
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredI
DDataConnector:180] - Database error retrieving persistent identifier
java.sql.SQLException: An SQLException was provoked by the following failure:
java.lang.InterruptedException
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106)
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:65)
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:62)
at
com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0Poole
dConnectionPool.java:531)
at
com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBacked
DataSource.java:128)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredI
DStore.getActivePersistentIdEntry(StoredIDStore.java:214)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredI
DDataConnector.getStoredId(StoredIDDataConnector.java:171)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredI
DDataConnector.resolve(StoredIDDataConnector.java:137)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredI
DDataConnector.resolve(StoredIDDataConnector.java:51)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.Context
ualDataConnector.resolve(ContextualDataConnector.java:76)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.Context
ualDataConnector.resolve(ContextualDataConnector.java:30)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRes
olver.resolveDataConnector(ShibbolethAttributeResolver.java:354)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRes
olver.resolveDependencies(ShibbolethAttributeResolver.java:386)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRes
olver.resolveAttribute(ShibbolethAttributeResolver.java:312)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRes
olver.resolveAttributes(ShibbolethAttributeResolver.java:266)
at
edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeRes
olver.resolveAttributes(ShibbolethAttributeResolver.java:132)
at
edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAut
hority.getAttributes(ShibbolethSAML2AttributeAuthority.java:173)
at
edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAut
hority.getAttributes(ShibbolethSAML2AttributeAuthority.java:57)
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.resolveAtt
ributes(AbstractSAML2ProfileHandler.java:419)
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticati
onRequest(SSOProfileHandler.java:244)
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOP
rofileHandler.java:138)
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOP
rofileHandler.java:72)
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(Pr
ofileRequestDispatcherServlet.java:82)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:25
2)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:463)
at org.apache.catalina.core.ApplicationDispatcher.doF