Question

I'm currently working on an application that makes use of the Spring SAML (http://projects.spring.io/spring-security-saml/) project as part of our authentication. I know it is still in RC, but so is the application we are working on. We have the library integrated and fully functioning when deployed to Tomcat7 but are running into issues when deploying to Weblogic 12c (12.0.1.2). On Weblogic, the assertion values are decrypted as empty, without any errors being thrown.

The problem seems to be in the Xerces libraries. Spring SAML (due to OpenSAML) requires 2.10.0 as far as I am able to tell, but Weblogic provides 2.8.0 of the Xerces library. I have attempted to update the Xerces library version by including the proper xercesImpl and xml-apis jars in the project's WEB-INF/lib folder. This fixes the decrypting issue with Spring SAML but breaks Weblogic's ability to parse JSP pages. I have included part of the stack trace for the non-upgraded and upgraded Xerces exceptions below. If anyone has any idea of how to properly fix this issue so that Spring SAML can function on Weblogic while not breaking the default functionality, I would greatly appreciate it.

This is the stack trace before updating Xerces

2014-07-31 10:43:37,675 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG org.apache.xml.security.algorithms.JCEMapper   - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
2014-07-31 10:43:37,675 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG org.apache.xml.security.encryption.XMLCipher    - JCE Algorithm = AES/CBC/ISO10126Padding
<Jul 31, 2014 10:43:37 AM EDT> <Error> <HTTP> <BEA-101020> <[ServletContext@1538876008[app:intranet module:intranet.war path:null spec-version:3.0]] Servlet failed with an Exception
java.lang.NumberFormatException: For input string: ""
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:504)
    at java.lang.Integer.valueOf(Integer.java:582)
    at org.opensaml.common.SAMLVersion.valueOf(SAMLVersion.java:89)
    at org.opensaml.saml2.core.impl.AssertionUnmarshaller.processAttribute(AssertionUnmarshaller.java:71)
    at org.opensaml.xml.io.AbstractXMLObjectUnmarshaller.unmarshallAttribute(AbstractXMLObjectUnmarshaller.java:254)
    at org.opensaml.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:113)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:479)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:190)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)

This is the stack trace after updating Xerces to 2.10.0.

weblogic.servlet.jsp.CompilationException: Failed to compile JSP /WEB-INF/jsp/errors/500.jsp
500.jsp:1:1: The validator class: "org.apache.taglibs.standard.tlv.JstlCoreTLV" has failed with the following exception: "java.lang.ClassCastException: weblogic.xml.jaxp.RegistrySAXParserFactory cannot be cast to javax.xml.parsers.SAXParserFactory".
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
^-------------------------------------------------------------^
500.jsp:2:5: No tag library could be found with this URI. Possible causes could be that the URI is incorrect, or that there were errors during parsing of the .tld file.
<%@ taglib prefix="int" uri="intranet"%>
^----^
500.jsp:2:5: No tag library could be found with this URI. Possible causes could be that the URI is incorrect, or that there were errors during parsing of the .tld file.
<%@ taglib prefix="int" uri="intranet"%>
^----^
500.jsp:6:3: This tag can only appear as a subelement of a standard or custom action. Exceptions are: jsp:body, jsp:attribute, jsp:expression, jsp:scriptlet, and jsp:declaration.
    <jsp:attribute name="minifiedJs">
     ^-----------^
500.jsp:8:3: This tag can only appear as a subelement of a standard or custom action. Exceptions are: jsp:body, jsp:attribute, jsp:expression, jsp:scriptlet, and jsp:declaration.
    <jsp:attribute name="nonMinifiedJs">
     ^-----------^
500.jsp:11:3: This tag can only appear as a subelement of a standard or custom action. Exceptions are: jsp:body, jsp:attribute, jsp:expression, jsp:scriptlet, and jsp:declaration.
    <jsp:body>
     ^------^

    at weblogic.servlet.jsp.JavelinxJSPStub.reportCompilationErrorIfNeccessary(JavelinxJSPStub.java:243)
    at weblogic.servlet.jsp.JavelinxJSPStub.compilePage0(JavelinxJSPStub.java:179)
    at weblogic.servlet.jsp.JavelinxJSPStub.access$000(JavelinxJSPStub.java:50)
    at weblogic.servlet.jsp.JavelinxJSPStub$1.run(JavelinxJSPStub.java:108)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.servlet.jsp.JavelinxJSPStub.compilePage(JavelinxJSPStub.java:105)
    at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:247)
    at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:200)
    at weblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:403)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:295)
    at weblogic.servlet.internal.ServletStubImpl.onAddToMapException(ServletStubImpl.java:478)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:367)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    ...

Solution

The following approach allows bundling of custom Xerces and Xalan libraries in Weblogic:

  1. Create an ear archive spring-security-saml2-sample.ear
  2. Include the Spring SAML file spring-security-saml2-sample.war inside the ear; the war should contain its own version of Xerces and Xalan.
  3. Create file META-INF/application.xml inside the ear with the following content:

    <application xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd" version="5">
      <module>
        <web>
          <web-uri>spring-security-saml2-sample.war</web-uri>
          <context-root>spring-security-saml2-sample</context-root>
        </web>
      </module>
    </application>
    
  4. Create file META-INF/weblogic-application.xml with the following content:

    <weblogic-application xmlns="http://www.bea.com/ns/weblogic/90"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.oracle.com/technology/weblogic/920/weblogic-application.xsd">
        <xml>
            <parser-factory>
                <saxparser-factory>
                    org.apache.xerces.jaxp.SAXParserFactoryImpl
                </saxparser-factory>
                <document-builder-factory>
                    org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
                </document-builder-factory>
                <transformer-factory>
                    org.apache.xalan.processor.TransformerFactoryImpl
                </transformer-factory>
            </parser-factory>
        </xml>
        <prefer-application-packages>
            <package-name>org.opensaml.*</package-name>
            <package-name>org.apache.xerces.*</package-name>
            <package-name>org.apache.xalan.*</package-name>
        </prefer-application-packages>                       
    </weblogic-application>
    
  5. Deploy the archive
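
To confirm after deployment which XML stack the application actually resolves, here is a small diagnostic, added as an example and not part of the original answer or of Spring SAML. The class name XmlStackReport and its methods are hypothetical; call report() from inside the deployed web application (for instance from a temporary startup listener) so that it runs under the application's class loader.

```java
import java.security.CodeSource;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;

/** Added diagnostic; the class name is hypothetical. */
public final class XmlStackReport {

    /** Class name, the jar or directory it was loaded from, and its defining loader. */
    static String origin(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        ClassLoader cl = c.getClassLoader();
        return c.getName()
            + " <- " + (src == null || src.getLocation() == null ? "JDK/bootstrap" : src.getLocation())
            + " [" + (cl == null ? "bootstrap loader" : cl.getClass().getName()) + "]";
    }

    /** Implementation chosen by JAXP lookup; a split javax.xml API shows up here as an error. */
    static String impl(String kind) {
        try {
            Object f = kind.equals("SAX") ? SAXParserFactory.newInstance()
                     : kind.equals("DOM") ? DocumentBuilderFactory.newInstance()
                     : TransformerFactory.newInstance();
            return origin(f.getClass());
        } catch (RuntimeException | Error e) {
            return "lookup failed: " + e;
        }
    }

    /** Xerces version, read reflectively so this compiles without Xerces on the build path. */
    static String xercesVersion() {
        try {
            Class<?> v = Class.forName("org.apache.xerces.impl.Version", true,
                    Thread.currentThread().getContextClassLoader());
            return v.getMethod("getVersion").invoke(null) + " <- " + origin(v);
        } catch (ReflectiveOperationException | LinkageError e) {
            return "not visible to this class loader: " + e;
        }
    }

    public static String report() {
        return "API  SAX: " + origin(SAXParserFactory.class) + "\n"   // javax.xml from xml-apis or the JDK?
             + "impl SAX: " + impl("SAX") + "\n"
             + "impl DOM: " + impl("DOM") + "\n"
             + "impl XSL: " + impl("XSL") + "\n"
             + "Xerces  : " + xercesVersion() + "\n";
    }

    public static void main(String[] args) { System.out.print(report()); }
}
```

With the descriptor above in effect, the impl lines should name the org.apache.xerces.jaxp and org.apache.xalan.processor factories loaded from the war's WEB-INF/lib. An "API SAX" line that points into WEB-INF/lib means a bundled xml-apis jar is shadowing javax.xml.parsers, which is the condition behind the ClassCastException in the JSP trace.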

OTHER TIPS

For anyone who comes upon this later: I ended up solving the issue by updating to xercesImpl version 2.9.0. This seems to be a sweet spot version for this issue; even though it is less than what OpenSAML requests, it fixes the issue while not causing any other issues with Weblogic (as far as I've currently encountered). Xerces 2.10.0 required an updated version of xml-apis to function, and that was causing the issues with Weblogic (2.9.0 seems to work with the version of xml-apis included in Weblogic).

Have you played with prefer-web-inf-classes for a war file or prefer-application-packages for an ear file? One of them will likely resolve the problem:

In weblogic-application.xml:

<wls:prefer-application-packages>
    <wls:package-name>org.apache.xerces.xni.parser.*</wls:package-name>
    <wls:package-name>org.apache.xerces.parsers.*</wls:package-name>
    <wls:package-name>org.apache.xalan.*</wls:package-name>
</wls:prefer-application-packages>

In weblogic.xml:

<wls:container-descriptor>
    <wls:prefer-web-inf-classes>true</wls:prefer-web-inf-classes>
</wls:container-descriptor>

See these Oracle docs here

Licensed under: CC-BY-SA with attribution