
SAML - NPE thrown if IdP metadata does not contain SingleLogoutService element

      Description

      NXRM throws a NullPointerException on upload of IdP metadata if the metadata does not contain a SingleLogoutService element:

      2020-03-31 14:30:52,068+0000 WARN [qtp1982938232-141] admin org.sonatype.nexus.siesta.internal.UnexpectedExceptionMapper - (ID a66af136-be71-4572-874b-6c4116562faa) Unexpected exception: java.lang.NullPointerException
      java.lang.NullPointerException: null
      at com.sonatype.nexus.saml.internal.SamlDeploymentManager.getLogoutService(SamlDeploymentManager.java:259)
      at com.sonatype.nexus.saml.internal.SamlDeploymentManager.buildIdp(SamlDeploymentManager.java:200)
      at com.sonatype.nexus.saml.internal.SamlDeploymentManager.parse(SamlDeploymentManager.java:152)
      at com.sonatype.nexus.saml.internal.SamlDeploymentManager.updateFromConfiguration(SamlDeploymentManager.java:116)
      at com.sonatype.nexus.saml.persist.internal.DefaultSamlConfigurationManager.create(DefaultSamlConfigurationManager.java:83)
      at com.sonatype.nexus.saml.internal.rest.SamlConfigurationResource.update(SamlConfigurationResource.java:77)
      at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
      at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
      at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
      at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
      at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
      at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:294)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:248)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:235)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
      at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      at org.sonatype.nexus.siesta.internal.resteasy.ComponentContainerImpl.service(ComponentContainerImpl.java:109)
      at org.sonatype.nexus.siesta.SiestaServlet.service(SiestaServlet.java:137)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

      This prevents users from saving the SAML configuration and proceeding with SSO setup.

      Expected

      The SAML v2 spec indicates SingleLogoutService is not a required element:

      <SingleLogoutService> [Zero or More]
      Zero or more elements of type EndpointType that describe endpoints that support the Single Logout profiles defined in [SAMLProf].

      https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

      But if it is required by NXRM, then it should validate and reject the metadata with a message indicating the SingleLogoutService element is missing.


      To prevent the error, configure a 'single logout URL' on the IdP side and regenerate the metadata (please refer to your IdP docs for further guidance).
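      The following is an added example, not NXRM's code, written in Python rather than the Java of the stack trace above. It shows the validation the ticket asks for: SingleLogoutService is parsed as the "[Zero or More]" element the spec defines, the endpoint is dereferenced only after a presence check, and metadata that fails a check is rejected with a message the UI can show instead of an unexpected-exception stack trace. The logout_location_unchecked function reproduces the ticket's defect pattern for comparison. The metadata strings, the example.test host names, and all function and class names are constructed for this example.

```python
# Added example (not NXRM's code): parse SAML 2.0 IdP metadata with
# SingleLogoutService treated as the optional element the spec says it is.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample metadata (example.test hosts), with and without SLO.
_DESCRIPTOR = """<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    %s
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
_SLO = ('<md:SingleLogoutService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.test/saml/slo"/>')
METADATA_WITH_SLO = _DESCRIPTOR % (MD_NS, _SLO)
METADATA_WITHOUT_SLO = _DESCRIPTOR % (MD_NS, "")


@dataclass
class Endpoint:
    binding: str
    location: str


@dataclass
class IdpDescriptor:
    entity_id: str
    sso: List[Endpoint]
    slo: Optional[Endpoint]  # None when the IdP publishes no logout endpoint


class MetadataValidationError(ValueError):
    """Raised with a message the config UI can show instead of a stack trace."""


def _endpoints(parent: ET.Element, tag: str) -> List[Endpoint]:
    """Collect every md:<tag> child; each must carry Binding and Location."""
    out = []
    for e in parent.findall(f"md:{tag}", NS):
        binding, location = e.get("Binding"), e.get("Location")
        if not binding or not location:
            raise MetadataValidationError(f"{tag} is missing Binding or Location")
        out.append(Endpoint(binding, location))
    return out


def logout_location_unchecked(xml_text: str) -> str:
    """Analogue of the ticket's defect: dereferences the element before checking
    it exists, so metadata without SingleLogoutService raises AttributeError
    (Python's counterpart of the NullPointerException)."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    return idp.find("md:SingleLogoutService", NS).get("Location")


def parse_idp_metadata(xml_text: str, require_slo: bool = False) -> IdpDescriptor:
    """Validate IdP metadata; SingleLogoutService is optional unless require_slo."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise MetadataValidationError("root element must be md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataValidationError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataValidationError("metadata contains no IDPSSODescriptor")
    sso = _endpoints(idp, "SingleSignOnService")
    if not sso:
        raise MetadataValidationError("IDPSSODescriptor has no SingleSignOnService")
    slo_endpoints = _endpoints(idp, "SingleLogoutService")  # spec: [Zero or More]
    slo = slo_endpoints[0] if slo_endpoints else None  # index only after the check
    if require_slo and slo is None:
        raise MetadataValidationError(
            "IdP metadata does not contain a SingleLogoutService element; "
            "configure a single logout URL on the IdP and regenerate the metadata")
    return IdpDescriptor(entity_id, sso, slo)


def rejection_reason(xml_text: str, require_slo: bool = False) -> Optional[str]:
    """What a configuration endpoint should return: None if the metadata is
    accepted, otherwise the validation message for a 4xx response."""
    try:
        parse_idp_metadata(xml_text, require_slo)
    except (MetadataValidationError, ET.ParseError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_idp_metadata(METADATA_WITH_SLO).slo)
    print(rejection_reason(METADATA_WITHOUT_SLO))                    # None: accepted
    print(rejection_reason(METADATA_WITHOUT_SLO, require_slo=True))  # clear message
```

      Uploaded IdP metadata is operator-supplied XML, so a production parser should use a hardened XML library (for example defusedxml in Python) rather than the standard-library parser used here for brevity; the presence check and the explicit rejection message are the parts that address this ticket.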

            People

            Assignee: sdelvalle (Santiago Del Valle)
            Reporter: hardeepn (Hardeep Nagra)
            Last Updated By: Wes Wannemacher
            Team: NXRM - Neo