Shibboleth 3.3 support?

Question

Shibboleth 3.3 support?

Closed this issue 7 years ago · 5 comments

Hello,

I'm trying to get this to run in Shibobleth 3.3.0, and I'm running into problems. I'm not much of a Java person, but I think I followed your installation guide closely.

I'm running Jetty 9.3, and on startup I receive this message in the shibboleth logs:

ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:181] - 
Service 'shibboleth.AttributeResolverService': 
Initial load failed net.shibboleth.utilities.java.support.service.ServiceException: 
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: 
Line 154 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] 
is invalid; 
nested exception is org.xml.sax.SAXParseException; 
lineNumber: 154; columnNumber: 3; cvc-complex-type.2.4.a
: Invalid content was found starting with element 'DataConnector'. 
One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, 
"urn:mace:shibboleth:2.0:resolver":DataConnector, 
"urn:mace:shibboleth:2.0:resolver":Principal
Connector}' is expected.

It almost seems like the jar file isn't loading, but I do have the bean defined in global.xml like:

       <bean id="GwsDataSource"
                class="edu.washington.shibboleth.attribute.resolver.dc.rws.HttpDataSource"
                destroy-method="close"
                p:acceptHeader="text/xml"
        />

And here's the relevant snippet of my attribute-resolver.xml:

<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:uwdc="urn:mace:washington.edu:idp:resolver:dc"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
                http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                urn:mace:washington.edu:idp:resolver:dc
                classpath:/schema/uw-rws-connector.xsd"
>

       <DataConnector xsi:type="WebService" 
               id="gws" xmlns="urn:mace:washington.edu:idp:resolver:dc"
                baseURL="http://myserver"
                maxConnections="5"
                maxResultSize="100"
                mergeResults="true"
                httpDataSourceRef="GwsDataSource"
        >

Any help would be appreciated!

Answer 1 · 2017-03-02T23:16:21.000Z

The parser is getting the wrong namespace. I always specify the namespace on all elements. e.g. My resolver xml starts: <resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc" ... and my elements look like <resolver:AttributeDefinition id="uwRegID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uwRegID"> ... You might try adding xmlns:resolver="urn:mace:shibboleth:2.0:resolver" to your resolver attributes (i.e. about the fourth line of your file) and specify the data connector with <resolver:DataConnector xsi:type="WebService" id="gws" xmlns="urn:mace:washington.edu:idp:resolver:dc" baseURL="http://myserver" maxConnections="5" maxResultSize="100" mergeResults="true" httpDataSourceRef="GwsDataSource" See if that works. Jim

…

On Thu, 2 Mar 2017, Cal Heldenbrand wrote: Date: Thu, 2 Mar 2017 14:30:57 From: Cal Heldenbrand ***@***.***> To: UWIT-IAM/uw-idp-rws-connector ***@***.***> Cc: Subscribed ***@***.***> Reply-To: UWIT-IAM/uw-idp-rws-connector <reply+005633e7f6cb4f26a657b662ad3981415bed39d2e9626bda92cf0000000114d05f2 ***@***.***> Subject: [UWIT-IAM/uw-idp-rws-connector] Shibboleth 3.3 support? (#4) Hello, I'm trying to get this to run in Shibobleth 3.3.0, and I'm running into problems. I'm not much of a Java person, but I think I followed your installation guide closely. I'm running Jetty 9.3, and on startup I receive this message in the shibboleth logs: ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:181] - Service 'shibboleth.AttributeResolverService': Initial load failed net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 154 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 154; columnNumber: 3; cvc-complex-type.2.4.a : Invalid content was found starting with element 'DataConnector'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector, "urn:mace:shibboleth:2.0:resolver":Principal Connector}' is expected. It almost seems like the jar file isn't loading, but I do have the bean defined in global.xml like: <bean id="GwsDataSource" class="edu.washington.shibboleth.attribute.resolver.dc.rws.HttpDataSource" destroy-method="close" p:acceptHeader="text/xml" /> And here's the relevant snippet of my attribute-resolver.xml: <AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:uwdc="urn:mace:washington.edu:idp:resolver:dc" xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd urn:mace:washington.edu:idp:resolver:dc classpath:/schema/uw-rws-connector.xsd" > <DataConnector xsi:type="WebService" id="gws" xmlns="urn:mace:washington.edu:idp:resolver:dc" baseURL="http://myserver" maxConnections="5" maxResultSize="100" mergeResults="true" httpDataSourceRef="GwsDataSource" > Any help would be appreciated! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.[AFYz554xAK7p5AwP8RdHX6TdhKYMZWctks5rh0MhgaJpZM4MRnrU.gif]

Answer 2 · 2017-03-03T17:36:49.000Z

Thanks for the quick reply Jim, that worked! For anyone in the future, I also didn't have authenticationType="NONE" in my DataConnector, that appears to be a required attribute.

Second small issue: I'm using Shibboleth in Docker, and linking a helper app into my IdP. So, there's no need for authentication or TLS in my use case.

My current error looks like this:

INFO [org.apache.http.impl.execchain.RetryExec:94] - 
I/O exception (org.apache.http.conn.UnsupportedSchemeException) 
caught when processing request to 
{}->http://shibboleth-helper:8080: http protocol is not supported

ERROR [edu.washington.shibboleth.attribute.resolver.dc.rws.HttpDataSource:206] - 
rws get error: org.apache.http.conn.UnsupportedSchemeException: 
http protocol is not supported

Is there an easy way to relax the security constraint there and allow unencrypted http?

Thank you!

--Cal

Answer 3 · 2017-03-03T18:29:34.000Z

I'm going to close this issue to move the conversation to PR #5

Answer 4 · 2017-03-03T18:48:15.000Z

What was the error when you omitted authenticationType? I don't see where it is required. Jim

…

On Fri, 3 Mar 2017, Cal Heldenbrand wrote: Date: Fri, 3 Mar 2017 09:36:49 From: Cal Heldenbrand ***@***.***> To: UWIT-IAM/uw-idp-rws-connector ***@***.***> Cc: Jim Fox ***@***.***>, Comment ***@***.***> Reply-To: UWIT-IAM/uw-idp-rws-connector <reply+005633e7485c64ebb0327d150141b58940146bf8d1a57b5192cf0000000114d16bb ***@***.***> Subject: Re: [UWIT-IAM/uw-idp-rws-connector] Shibboleth 3.3 support? (#4) Thanks for the quick reply Jim, that worked! For anyone in the future, I also didn't have authenticationType="NONE" in my DataConnector, that appears to be a required attribute. Second small issue: I'm using Shibboleth in Docker, and linking a helper app into my IdP. So, there's no need for authentication or TLS in my use case. My current error looks like this: INFO [org.apache.http.impl.execchain.RetryExec:94] - I/O exception (org.apache.http.conn.UnsupportedSchemeException) caught when processing reques t to {}->http://shibboleth-helper:8080: http protocol is not supported ERROR [edu.washington.shibboleth.attribute.resolver.dc.rws.HttpDataSource:206] - rws get error: org.apache.http.conn.UnsupportedSchemeException: h ttp protocol is not supported Is there an easy way to relax the security constraint there and allow unencrypted http? Thank you! --Cal — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.[AFYz5y6KniiTrvlC30UC4GZMMTB-OoEpks5riE-xgaJpZM4MRnrU.gif]

Answer 5 · 2017-03-03T18:50:40.000Z

ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:181] - 
Service 'shibboleth.AttributeResolverService': 
Initial load failed net.shibboleth.utilities.java.support.service.ServiceException: 
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
 Line 155 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] 
is invalid; nested exception is org.xml.sax.SAXParseException; 
lineNumber: 155; columnNumber: 3; cvc-complex-type.4: 
Attribute 'authenticationType' must appear on element 'resolver:DataConnector'.
        at 
net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)