TechQA.

SpringSecurity-SAML(OpenSAML): Failed to unmarshall assertion: getting org.w3c.dom.DOMException: WRONG_DOCUMENT_ERR

1.8k views Asked by At

Using spring-security-saml for handling assertions from IDP, getting below error after server is up for 1 to 2 hours. Issue is not reproducible all the time. By looking at stacktrace, issue seems to be related to parser pool used in spring saml configuration. Please share any thoughts.

library versions: opensaml 2.6.1 spring-security-saml2 1.0.0.RELEASE

parser pool config:

<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
    <property name="builderFeatures">
        <map>
            <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
        </map>
    </property>
</bean>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>

The stack trace is:

org.w3c.dom.DOMException: WRONG_DOCUMENT_ERR: A node is used in a different document than the one that created it. 
        at org.apache.xerces.dom.ParentNode.internalInsertBefore(Unknown Source) 
        at org.apache.xerces.dom.ParentNode.insertBefore(Unknown Source) 
        at org.apache.xerces.dom.NodeImpl.appendChild(Unknown Source) 
        at org.opensaml.xml.encryption.Decrypter.parseInputStream(Decrypter.java:821) 
        at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:599) 
        at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:784) 
        at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524) 
        at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442) 
        at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403) 
        at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) 
        at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) 
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199) 
        at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
spring-saml opensaml
Original Q&A
2

There are 2 answers

0
Srini On

Root cause: Multiple implementations of xerces in the project.

Found the issue. My project also has docx4j used for word document processing, docx4j changed the system property javax.xml.parsers.DocumentBuilderFactory to "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl" when it is initialized and if system property is not already set and java version < 8, which internally caused to return a DocumentBuilderFactory implementation that is different from the one opensaml was initialized with. i.e org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl

Fix is setting system property javax.xml.parsers.DocumentBuilderFactory to com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl by using following java runtime option

-Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl

0
hfm On

As @Srini said, the root cause is multiple implementations of xerces in the project.

I solved this by overriding the docx4j properties in docx4j.properties:

javax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl

Related Questions in SPRING-SAML

Related Questions in OPENSAML

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions