5 Replies Latest reply on Feb 6, 2014 12:33 PM by ~Sid~

    SAML assertion exceptions within EJB

      Okay, I'll try to keep this simple:<br /><br />We are implementing the standard LC Java API's for rendering forms (using the FormsServiceClient) and then transforming the rendered content to PDF/A using the outputClient. Since we have a lot of simultaneous requests the logic is implemented within a stateless session EJB. <br /><br />I instantiate the ServiceClientFactory within the EJB's init() method and then store the ServiceClientFactory reference as a class variable so that on subsequent business method invocations, the same ServiceClientFactory object can be reused (without going throug the overhead of instantiating one on each req). (Note that on each request, I create a new FormsServiceClient or OutputClient using the SAME ServiceClientFactory object). I have some questions/concerns:<br /><br />1) Is this form of reuse of the ServiceClientFactory object okay?<br /><br />2) We keep getting the following error:<br />><i>" <Warning> <com.adobe.idp.common.errors.exception.IDPLoggedException> <000000> <UserM:GENERIC_WARNING: [Thread Hashcode: 668113225] | [AuthenticationManagerBean] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion>"</i><br /><br />After a simple restart of the EJB, the error goes away. How can this be fixed? What's causing this?<br /><br />Any help would be much appreciated!
        • 1. Re: SAML assertion exceptions within EJB
          patb23

          Hi,

          I understand that this post was old.

          I am getting the same error (calling from a POJO client) and everytime I need to restart the client server that accesses the Livecycle.

           

          Were you able to resolve this?

           

           

           

          Caused by: | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion
              at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:246)
              at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:192)
              at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.validateAssertionCheck(AuthenticationManagerImpl.java:587)
              at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.validateAssertion(AuthenticationManagerImpl.java:552)
              at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.authenticate(AbstractMessageReceiver.java:132)
              ... 46 more
          • 2. Re: SAML assertion exceptions within EJB
            lcfun

            I am facing the same issue as well. We are using EJB API to render forms. And from time to time we got "errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion"

             

             

            Did anyone found a solution?

             

            Thanks!

            lcfun

            • 3. Re: SAML assertion exceptions within EJB
              lcfun Level 1

              I am facing the same issue as well. We are using EJB API to render forms. And from time to time we got "errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion"

               

               

              Did anyone found a solution?

               

              Thanks!

              lcfun

              • 4. Re: SAML assertion exceptions within EJB
                david.mcmahon

                You have probably found the answer already, but for future reference here is a description of the problem and proposed solution:

                http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html

                • 5. Re: SAML assertion exceptions within EJB
                  ~Sid~ Level 2

                  PROBLEM

                  Using the same instance of ServiceClientFactory to remotely invoke the services exposed by the LiveCycle container can lead to

                  exception related to assertion expiry

                   

                  Solution

                  To handle the timeout use the ThrowHandler mechanism provided by the ServiceClientFactory framework

                   

                  Detailed explanation

                  LiveCycle provides a client sdk for java based client to invoke its services remotely.

                  An invocation involves Creation of a ServiceClientFactory instance Setting the user credential in thefactory instance Pass that factory to a service client or use that to create InvocationRequest directly

                  Use the client to make the actual request.

                   

                  For more details refer to Invoking

                  LiveCycle ES Using the Java API .

                   

                  A ServiceClientFactory instance once created is valid for a ceratin

                  period of time which is by default 120 min. if the same instance is used to invoke beyond this period then it would lead to an exception stating that

                   

                  the session has expired [com.adobe.idp.um.api.impl.AuthenticationManagerImpl]

                  errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML

                  Token --- Assertion has expired and hence not valid for user

                  [administrator@DefaultDom]. Its valid till time [Thu Oct 22

                  17:07:53 IST

                  2009] was found to be before the current time [Thu Oct

                  22 17:58:18 IST 2009]

                   

                  This is not an issue if the ServiceClientFactory instance is used for short duration. However if you are going to perform a long

                  running task like converting large number of documents to pdf ,applying policies to them etc then it would be an issue.

                   

                   

                  Session Expiry

                  Before fxing the issue some info on what is session expiry.

                  • When you use a ServiceClientFactory instance to invoke the service following fow happens
                  • You set the credentials in the properties and invoke theservice
                  • LiveCycle on server side validates the credentials and issues a Context. It is sort of a ticket which can be reused later instead of the actual credentials.
                  • Upon receiving the response from the server the ServiceClientFactory instance deletes its own copy of credentials and instead stores the Context For later invocations this Context instance is passed instead of the user credentials
                  • This whole fow is done to ensure that user's credentials are not sent for each remote call thus improving the security.

                  For more information on Context refer to

                  User Identity in LiveCycle .

                   

                   

                  Solution

                  To fx this issue you would have to re authenticate to LiveCycle and get the Context reissued. the best way to do that is to make use of the ThrowHandler provided by the ServiceClientFactory framework

                   

                   

                  STEP1 -  Create a Throwhandler

                  __________________________________________________________________________________________ __________________________

                   

                  /**

                  * This ThrowHandler caches the user credentials and uses them

                  to refresh the Context in the

                  * ServiceClientFactory upon expiry.

                  */

                   

                  private static class SimpleTimeoutThrowHandler implements

                  ThrowHandler {

                  private String username;

                  private String password;

                  public SimpleTimeoutThrowHandler(String username, String

                  password) {

                  this.username = username;

                  this.password = password;

                  }

                  public boolean handleThrowable(Throwable t, ServiceClient

                  sc,

                  ServiceClientFactory scf, MessageDispatcher md,

                  InvocationRequest ir, int numTries) throws

                  DSCException {

                  if(timeoutError(t)){

                  //The call to AuthenticationManager do not require

                  authentication so the default properties

                  //are suffcient

                  AuthenticationManager am =

                  new

                  AuthenticationManagerServiceClient(ServiceClientFactory.createInstance(getDefaultPropertie s()));

                  AuthResult ar = null;

                  try {

                  ar =

                  am.authenticate(username,password.getBytes());

                  } catch (UMException e) {

                  throw new IllegalStateException(e);

                  }

                  Context ctx = new Context();

                  ctx.initPrincipal(ar);

                  //Refresh the ServiceClientFactory instance with

                  the new context

                  scf.setContext(ctx);

                  logger.info("Refreshed the context associated with

                  ServiceCLientFactory");

                  //Now tell SCF to try the invocation again

                  return true;

                  }

                  //Check so that we do not wrap the exception again

                  if(t instanceof DSCException)

                  throw (DSCException)t;

                  if(t instanceof RuntimeException)

                  throw (RuntimeException)t;

                  // how is it possible to get this far?

                  throw new IllegalStateException(t);

                  }

                  private boolean timeoutError(Throwable t) {

                  if(!(t.getCause() instanceof UMException)){

                  return false;

                  }

                  UMException ue = (UMException) t.getCause();

                  //Check that UMException is due to the

                  assertion/context expiry

                  if(UMConstants.ErrorCodes.E_TOKEN_INVALID ==

                  ue.getErrCode()){

                  return true;

                  }

                  return false;

                  }

                  }

                  __________________________________________________________________________________________ ______________________

                   

                   

                   

                  This ThrowHandler would be invoked by the ServiceClientFactory upon receiving any exception. The handler would then determine if its a timeout related exception and then would refresh the Context associated with the factory instance and tells it to retry the invocation.

                   

                   

                  STEP - 2 Register the handler

                   

                  __________________________________________________________________________________________ ______________________

                   

                  ServiceClientFactory.installThrowHandler(new

                  SimpleTimeoutThrowHandler(username, password));

                  __________________________________________________________________________________________ ______________________

                  Note: The handler should be registered only once in the application

                   

                   

                   

                   

                  STEP 3 - Perform your invocation

                  Following sample would try to apply policies on all the fles present in a directory

                  __________________________________________________________________________________________ ______________________

                  Properties p = getDefaultProperties();

                  p.setProperty(DSC_CREDENTIAL_USERNAME, username);

                  p.setProperty(DSC_CREDENTIAL_PASSWORD, password);

                  ServiceClientFactory scf =

                  ServiceClientFactory.createInstance(p);

                  //Now do some long running operation

                  String inputDirName ="path-to-input-dir";

                  String outDirName = "path-to-out-dir";

                  String policyName = "the-policy-name";

                  File inDir = new File(inputDirName);

                  File outDir = new File(outDirName);

                  RightsManagementClient rmClient = new

                  RightsManagementClient(scf);

                  DocumentManager docManager = rmClient.getDocumentManager();

                  //Iterate over all the pdf in the inDir and apply the

                  policies. If this takes a

                  for(File pdfFile : inDir.listFiles()){

                  Document inDoc = new Document(pdfFile, false);

                  Document securedDoc = docManager.applyPolicy(inDoc,

                  pdfFile.getName(), null, policyName, null, null);

                  securedDoc.copyToFile(new

                  File(outDir,pdfFile.getName()));

                  }

                  __________________________________________________________________________________________ ______________________

                  Now the invocation would complete even if it takes a long time. if any session expiry occurs then our ThrowHandler would take care of that.

                   

                  here's a sample:

                  TimeOutSample.zip