SAML token validation error after job deployment


Dear Talend Community

 

I'm facing a random behavior with the deployment of services with SAML authentication enabled on Talend Runtime.

 

Sometimes, after a service is deployed, all requests with a valid SAML token are refused, returning an HTTP 401 Unauthorized, and most of the time this is resolved with a simple bundle:refresh command. Hard times require a new deploy.

 

Although a workaround is already found, I wonder if some of you have already faced this behavior and if there is a solution to avoid this kind of exception. Please find below a log sample of this error:

 

 

--------------------------------------
2018-05-08 20:19:58,257 | INFO  | 1695614865-12924 | LoggingInInterceptor             | 32 - org.apache.cxf.cxf-core - 3.1.11 | Inbound Message
----------------------------
ID: 28
Address: http://my-domain/services/auth-services/1.0/password-policy?cultureName=pt-BR
Http-Method: GET
Content-Type:
Headers: {Accept=[*/*], accept-encoding=[gzip, deflate], Authorization=[SAML <base64-encoded token removed>], Cache-Control=[no-cache], connection=[keep-alive], Content-Type=[null], Host=[esbq2.dibrazil.talend.intranet.cnb:34040], Postman-Token=[2594e022-36e9-4411-b004-b1374d957744], User-Agent=[PostmanRuntime/7.1.1]}
--------------------------------------
2018-05-08 20:19:58,260 | WARN  | 5]-nio2-thread-2 | ServerSessionImpl                | 144 - org.apache.sshd.core - 1.4.0 | exceptionCaught(ServerSessionImpl[enrot@/10.249.34.59:59032])[state=Opened] InterruptedByTimeoutException: null
2018-05-08 20:19:58,268 | WARN  | 1695614865-12924 | AbstractSamlInHandler            | 189 - org.apache.cxf.cxf-rt-rs-security-xml - 3.1.11 | Assertion can not be validated: java.lang.IllegalArgumentException: Illegal character in path at index 8: $service{security.signature.properties}
        at java.net.URI.create(URI.java:852)
        at org.apache.cxf.rt.security.utils.SecurityUtils.loadResource(SecurityUtils.java:112)
        at org.apache.cxf.rt.security.utils.SecurityUtils.loadResource(SecurityUtils.java:84)
        at org.apache.cxf.rs.security.common.CryptoLoader.getCrypto(CryptoLoader.java:74)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:140)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:115)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:98)
        at org.apache.cxf.rs.security.saml.AbstractSamlBase64InHandler.handleToken(AbstractSamlBase64InHandler.java:53)
        at org.apache.cxf.rs.security.saml.SamlHeaderInHandler.filter(SamlHeaderInHandler.java:53)
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1650)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:223)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:584)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:72)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:284)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
        at org.eclipse.jetty.server.Server.handle(Server.java:534)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
        at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.URISyntaxException: Illegal character in path at index 8: $service{security.signature.properties}
        at java.net.URI$Parser.fail(URI.java:2848)
        at java.net.URI$Parser.checkChars(URI.java:3021)
        at java.net.URI$Parser.parseHierarchical(URI.java:3105)
        at java.net.URI$Parser.parse(URI.java:3063)
        at java.net.URI.<init>(URI.java:588)
        at java.net.URI.create(URI.java:850)
        ... 48 more

2018-05-08 20:19:58,269 | WARN  | 1695614865-12924 | WebApplicationExceptionMapper    | 45 - org.apache.cxf.cxf-rt-frontend-jaxrs - 3.1.11 | javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
        at org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
        at org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:137)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.throwFault(AbstractSamlInHandler.java:270)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:190)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:115)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:98)
        at org.apache.cxf.rs.security.saml.AbstractSamlBase64InHandler.handleToken(AbstractSamlBase64InHandler.java:53)
        at org.apache.cxf.rs.security.saml.SamlHeaderInHandler.filter(SamlHeaderInHandler.java:53)
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1650)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:223)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:584)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:72)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:284)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
        at org.eclipse.jetty.server.Server.handle(Server.java:534)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
        at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
        at java.lang.Thread.run(Thread.java:745)

2018-05-08 20:19:58,271 | INFO  | 1695614865-12924 | LoggingOutInterceptor            | 32 - org.apache.cxf.cxf-core - 3.1.11 | Outbound Message
---------------------------
ID: 28
Response-Code: 401
Content-Type:
Headers: {Content-Type=[application/xml], Date=[Tue, 08 May 2018 18:19:58 GMT], Content-Length=[0]}

 

Thanks in advance.

 

Best regards,

 

Anselmo

 



http://www.talendbrasil.com.br
Moderator

Re: SAML token validation error after job deployment

Hello,

 Could you please clarify which Talend ESB version/edition you are on?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SAML token validation error after job deployment

Hi Sabrina,

 

I experienced this issue on both TOS ESB 6.1.2 and Talend Real-time Big Data Platform 6.4.1.

 

Thank you.

Best regards,

 

Anselmo



http://www.talendbrasil.com.br
Moderator

Re: SAML token validation error after job deployment

Hello,

 A free trial of Talend Real-time Big Data Platform 6.4.1? There is a Jira issue: https://jira.talendforge.org/browse/TESB-20590

Have you tried the latest Talend build version to see if this issue is fixed?

Best regards

Sabrina.

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
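
The stack trace in the first post shows the signature-properties location reaching CryptoLoader as the literal placeholder `$service{security.signature.properties}`, so that 401 comes from service configuration, not from the token itself. The following log triage is an added example, not code from the thread or from Talend: it assumes the pipe-delimited log layout seen in the post, the function and field names are hypothetical, and the last sample line is constructed.

```python
import re

# Log layout as in the post: timestamp | LEVEL | thread | logger | bundle | message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \| (?P<level>\w+)\s*\| "
    r"(?P<thread>[^|]+?)\s*\| (?P<logger>\S+)\s*\| (?P<bundle>[^|]+?)\s*\| (?P<msg>.*)$"
)
# A property placeholder that reached runtime code unresolved, e.g. $service{...}
PLACEHOLDER = re.compile(r"\$\w*\{[^}]+\}")

# First four lines are shortened from the post; the last line is constructed.
SAMPLE_LOG = """\
2018-05-08 20:19:58,268 | WARN  | 1695614865-12924 | AbstractSamlInHandler            | 189 - org.apache.cxf.cxf-rt-rs-security-xml - 3.1.11 | Assertion can not be validated: java.lang.IllegalArgumentException: Illegal character in path at index 8: $service{security.signature.properties}
        at java.net.URI.create(URI.java:852)
Caused by: java.net.URISyntaxException: Illegal character in path at index 8: $service{security.signature.properties}
2018-05-08 20:19:58,269 | WARN  | 1695614865-12924 | WebApplicationExceptionMapper    | 45 - org.apache.cxf.cxf-rt-frontend-jaxrs - 3.1.11 | javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
2018-05-08 20:21:03,114 | WARN  | 1695614865-12931 | WebApplicationExceptionMapper    | 45 - org.apache.cxf.cxf-rt-frontend-jaxrs - 3.1.11 | javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
"""

def triage(log_text):
    """Classify each 401: caused by an unresolved placeholder, or unclassified."""
    pending = {}   # thread -> placeholder seen in the SAML handler warning
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and message bodies carry no header
        thread, msg = m["thread"], m["msg"]
        if (m["logger"] == "AbstractSamlInHandler"
                and "Assertion can not be validated" in msg):
            hit = PLACEHOLDER.search(msg)
            if hit:
                pending[thread] = hit.group(0)
        elif "HTTP 401 Unauthorized" in msg:
            # Correlate on the request thread: the handler warning and the
            # 401 for one request are logged by the same thread.
            placeholder = pending.pop(thread, None)
            findings.append({
                "time": m["ts"],
                "thread": thread,
                "placeholder": placeholder,
                "cause": "unresolved-config" if placeholder else "unclassified",
            })
    return findings
```

Findings marked `unresolved-config` point at the service's configuration state; `unclassified` 401s still need the usual review of the token and its issuer.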
