SAML token validation error after job deployment

Six Stars


Dear Talend Community

 

I'm facing a random behavior with the deployment of services with SAML authentication enabled on Talend Runtime.

 

Sometimes after a service is deployed, all requests with a valid SAML token are refused, returning an HTTP 401 Unauthorized, and most of the time this is resolved with a simple bundle:refresh command. Hard times require a new deploy.

 

Although a workaround is already found, I wonder if some of you have already faced this behavior and if there is a solution to avoid this kind of exception. Please find below a log sample of this error:

 

 

--------------------------------------
2018-05-08 20:19:58,257 | INFO  | 1695614865-12924 | LoggingInInterceptor             | 32 - org.apache.cxf.cxf-core - 3.1.11 | Inbound Message
----------------------------
ID: 28
Address: http://my-domain/services/auth-services/1.0/password-policy?cultureName=pt-BR
Http-Method: GET
Content-Type:
Headers: {Accept=[*/*], accept-encoding=[gzip, deflate], Authorization=[SAML ...], Cache-Control=[no-cache], connection=[keep-alive], Content-Type=[null], Host=[esbq2.dibrazil.talend.intranet.cnb:34040], Postman-Token=[2594e022-36e9-4411-b004-b1374d957744], User-Agent=[PostmanRuntime/7.1.1]}
--------------------------------------
2018-05-08 20:19:58,260 | WARN  | 5]-nio2-thread-2 | ServerSessionImpl                | 144 - org.apache.sshd.core - 1.4.0 | exceptionCaught(ServerSessionImpl[enrot@/10.249.34.59:59032])[state=Opened] InterruptedByTimeoutException: null
2018-05-08 20:19:58,268 | WARN  | 1695614865-12924 | AbstractSamlInHandler            | 189 - org.apache.cxf.cxf-rt-rs-security-xml - 3.1.11 | Assertion can not be validated: java.lang.IllegalArgumentException: Illegal character in path at index 8: $service{security.signature.properties}
        at java.net.URI.create(URI.java:852)
        at org.apache.cxf.rt.security.utils.SecurityUtils.loadResource(SecurityUtils.java:112)
        at org.apache.cxf.rt.security.utils.SecurityUtils.loadResource(SecurityUtils.java:84)
        at org.apache.cxf.rs.security.common.CryptoLoader.getCrypto(CryptoLoader.java:74)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:140)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:115)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:98)
        at org.apache.cxf.rs.security.saml.AbstractSamlBase64InHandler.handleToken(AbstractSamlBase64InHandler.java:53)
        at org.apache.cxf.rs.security.saml.SamlHeaderInHandler.filter(SamlHeaderInHandler.java:53)
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1650)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:223)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:584)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:72)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:284)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
        at org.eclipse.jetty.server.Server.handle(Server.java:534)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
        at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.URISyntaxException: Illegal character in path at index 8: $service{security.signature.properties}
        at java.net.URI$Parser.fail(URI.java:2848)
        at java.net.URI$Parser.checkChars(URI.java:3021)
        at java.net.URI$Parser.parseHierarchical(URI.java:3105)
        at java.net.URI$Parser.parse(URI.java:3063)
        at java.net.URI.<init>(URI.java:588)
        at java.net.URI.create(URI.java:850)
        ... 48 more

2018-05-08 20:19:58,269 | WARN  | 1695614865-12924 | WebApplicationExceptionMapper    | 45 - org.apache.cxf.cxf-rt-frontend-jaxrs - 3.1.11 | javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
        at org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
        at org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:137)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.throwFault(AbstractSamlInHandler.java:270)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:190)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:115)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:98)
        at org.apache.cxf.rs.security.saml.AbstractSamlBase64InHandler.handleToken(AbstractSamlBase64InHandler.java:53)
        at org.apache.cxf.rs.security.saml.SamlHeaderInHandler.filter(SamlHeaderInHandler.java:53)
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1650)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:223)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:584)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:72)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:284)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
        at org.eclipse.jetty.server.Server.handle(Server.java:534)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
        at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
        at java.lang.Thread.run(Thread.java:745)

2018-05-08 20:19:58,271 | INFO  | 1695614865-12924 | LoggingOutInterceptor            | 32 - org.apache.cxf.cxf-core - 3.1.11 | Outbound Message
---------------------------
ID: 28
Response-Code: 401
Content-Type:
Headers: {Content-Type=[application/xml], Date=[Tue, 08 May 2018 18:19:58 GMT], Content-Length=[0]}

 

Thanks in advance.

 

Best regards,

 

Anselmo
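
A triage sketch for the log above, added here as an example and not part of the original post or of Talend/CXF: it pairs each 401 with the SAML validation warning logged on the same thread and flags the cases where the cause contains an unresolved placeholder such as $service{security.signature.properties} (index 8 in the exception is that string's "{"). The function names, the cause labels and the second log entry are constructed for illustration.

```python
import re

# Constructed sample in the log layout quoted in the post. The first pair copies
# the header lines from the post; the second pair is invented for contrast.
SAMPLE_LOG = """\
2018-05-08 20:19:58,268 | WARN  | 1695614865-12924 | AbstractSamlInHandler            | 189 - org.apache.cxf.cxf-rt-rs-security-xml - 3.1.11 | Assertion can not be validated: java.lang.IllegalArgumentException: Illegal character in path at index 8: $service{security.signature.properties}
        at java.net.URI.create(URI.java:852)
2018-05-08 20:19:58,269 | WARN  | 1695614865-12924 | WebApplicationExceptionMapper    | 45 - org.apache.cxf.cxf-rt-frontend-jaxrs - 3.1.11 | javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
2018-05-08 20:21:03,101 | WARN  | 1695614865-12931 | AbstractSamlInHandler            | 189 - org.apache.cxf.cxf-rt-rs-security-xml - 3.1.11 | Assertion can not be validated: constructed token failure
2018-05-08 20:21:03,102 | WARN  | 1695614865-12931 | WebApplicationExceptionMapper    | 45 - org.apache.cxf.cxf-rt-frontend-jaxrs - 3.1.11 | javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}$")
# Matches property placeholders that were never substituted: $service{key} or ${key}.
PLACEHOLDER = re.compile(r"\$\w*\{[^}]+\}")


def parse_records(text):
    """Yield (timestamp, thread, logger, message) for each log header line."""
    for line in text.splitlines():
        # Header lines have six pipe-separated fields; stack frames have none.
        parts = [p.strip() for p in line.split("|", 5)]
        if len(parts) == 6 and TIMESTAMP.match(parts[0]):
            yield parts[0], parts[2], parts[3], parts[5]


def classify_401s(text):
    """Pair each 401 with the SAML validation warning on the same thread."""
    pending, findings = {}, []
    for ts, thread, logger, msg in parse_records(text):
        if logger == "AbstractSamlInHandler" and "Assertion can not be validated" in msg:
            pending[thread] = msg
        elif "NotAuthorizedException" in msg and thread in pending:
            hit = PLACEHOLDER.search(pending.pop(thread))
            findings.append({
                "time": ts,
                "thread": thread,
                # A literal placeholder means the service configuration was not
                # resolved; the token itself was never checked against a key.
                "cause": "unresolved-config" if hit else "other-validation-failure",
                "placeholder": hit.group(0) if hit else None,
            })
    return findings


if __name__ == "__main__":
    for finding in classify_401s(SAMPLE_LOG):
        print(finding)
```

Run against the runtime log after a deployment, an unresolved-config finding separates this deployment fault from requests rejected for reasons tied to the token itself.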

 

Moderator

Re: SAML token validation error after job deployment

Hello,

Could you please clarify which Talend ESB version/edition you are on?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SAML token validation error after job deployment

Hi Sabrina,

 

I experienced this issue on both TOS ESB 6.1.2 and Talend Real-time Big Data Platform 6.4.1.

 

Thank you.

Best regards,

 

Anselmo

Moderator

Re: SAML token validation error after job deployment

Hello,

A free trial of Talend Real-time Big Data Platform 6.4.1? There is a Jira issue: https://jira.talendforge.org/browse/TESB-20590

Have you tried the latest Talend build version to see if this issue is fixed?

Best regards

Sabrina.
