RYAN MCGARRY
Inspiring
January 31, 2023
Question

SAML SSO fails when Security Sandboxes are enabled.


I have an ADFS server acting as the IDP, and CF2021 update 5 using a simple SP setup running on RHEL 8/httpd.

Oracle JDK 11.0.17, SELinux is disabled. Signing and Encryption are disabled on the SP.

SSO was working until I created a security sandbox around the code webroot.

After I created a default security sandbox around the web root, I started getting this error message: "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"

I enabled all Tags and Functions, "Other", and opened up the File/Folder permissions to absolutely everything, but it still fails.

If I remove the security sandbox, it starts working again.

coldfusion-out.log shows this:

01/31 10:26:40 [ajp-nio-127.0.0.1-8020-exec-3] WARN  Error executing validateXML: schema_reference.4: Failed to read schema document 'bundle://5a95f7f4-292b-4044-9e7d-2bd1e4eb78ed_272.0:1/schemas/saml-schema-protocol-2.0.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
org.xml.sax.SAXParseException: schema_reference.4: Failed to read schema document 'bundle://5a95f7f4-292b-4044-9e7d-2bd1e4eb78ed_272.0:1/schemas/saml-schema-protocol-2.0.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
	at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source) ~[xercesImpl.jar:?]

    BKBK
    Community Expert
    April 23, 2023

    I have discovered a troubling Sandbox Security issue, which I wish to share with you. Though I am on CF2021 Update 6 + Windows 10 Pro + JDK 11.0.18, the issue might still be related to what you are experiencing.

    I tested by enabling Sandbox Security in the ColdFusion Administrator, but without specifying a directory or file. The result was that ColdFusion would not restart.

    When I looked at the logs, I saw SEVERE errors, such as the following, in coldfusion-error.log:

    Apr 23, 2023 5:46:33 PM org.apache.catalina.core.ApplicationContext log
    SEVERE: Servlet.init() for servlet [PMSGenericServlet] threw exception
    java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\ColdFusion2021\cfusion\wwwroot" "read")
    	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    	at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
    	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
    	at java.base/java.io.File.exists(File.java:826)
    ...
    ...
    	
    Apr 23, 2023 5:46:33 PM org.apache.catalina.core.StandardContext loadOnStartup
    SEVERE: Servlet [PMSGenericServlet] in web application [] threw load() exception
    java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\ColdFusion2021\cfusion\wwwroot" "read")
    	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    	at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
    	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
    	at java.base/java.io.File.exists(File.java:826)
    ...
    ...
    
    Apr 23, 2023 5:46:33 PM org.apache.catalina.core.ApplicationContext log
    SEVERE: Servlet.init() for servlet [CFSecurityAnalyzerServlet] threw exception
    java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\ColdFusion2021\cfusion\wwwroot" "read")
    	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    	at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
    	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
    	at java.base/java.io.File.exists(File.java:826)
    ...
    ...

    When I compared /lib/neo-security.xml with the back-up copy, /lib/neo-security.bak, I noticed a single difference, namely in the element sbs.security.enabled.

    Before the change: <var name='sbs.security.enabled'><boolean value='false'/></var>

    After the change: <var name='sbs.security.enabled'><boolean value='true'/></var>

    When I reverted to the file with 'false', I was then able to restart ColdFusion without any problem. I wonder whether this is a bug.

    In any case, the moral is clear. If you enable Sandbox Security without specifying a directory or file to be sandboxed, there might be severe security errors.

    BKBK
    Community Expert
    April 23, 2023

    Looking at it from another angle, does the following code run successfully?

    Before the Sandbox Security change and after?

    <cfscript>
    adminPermissionObject=createobject("java","org.osgi.framework.AdminPermission");
    writedump(AdminPermissionObject);
    </cfscript>

    RYAN MCGARRY
    Inspiring
    April 25, 2023

    I am unsure what the purpose of this test would be; the issue I'm reporting is regarding the new SAML plugin only.

    In the course of my testing, I could find no combination of permissions that would allow the SAML plugin to work properly, even if all permissions to all filesystems were opened up.

    My SSO issue appears to be an issue where the sandbox is preventing the SAML code from performing a schema check on an XML file using an XSD file that's stored within a JAR file (and accessible only via a URL).
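The schema check described in this last post, and the schema_reference.4 error in the first post's coldfusion-out.log, can be reproduced outside ColdFusion with plain JAXP. The following Java program is an added example, not code from this thread or from Adobe's SAML plugin: it packs a constructed toy XSD (a stand-in for saml-schema-protocol-2.0.xsd, not the real SAML schema) into a temporary JAR, loads it through a jar: URL the way a bundle-hosted schema is loaded, and then separates two failure modes that a blanket "Invalid SAML Response" message hides: the schema could not be read (the log's schema_reference.4, which is what a file-permission denial produces), versus the response was read and genuinely does not match the schema. The class name, the verdict strings, the urn:example:toyp namespace and the sample documents are all assumptions of this example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.StringReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/** Separates "schema could not be loaded" from "document does not match the schema". */
public class SchemaCheckDiagnostic {

    // Constructed stand-in for saml-schema-protocol-2.0.xsd (not the real SAML schema):
    // a single Response element that requires an ID attribute.
    static final String TOY_XSD =
        "<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\""
        + " targetNamespace=\"urn:example:toyp\" elementFormDefault=\"qualified\">"
        + "<xsd:element name=\"Response\"><xsd:complexType>"
        + "<xsd:attribute name=\"ID\" type=\"xsd:ID\" use=\"required\"/>"
        + "</xsd:complexType></xsd:element></xsd:schema>";

    /** Writes the toy XSD into a temporary JAR and returns a jar: URL to that entry,
     *  mimicking a schema that is reachable only through a URL into an archive. */
    static URL packSchemaIntoJar() throws IOException {
        File jar = File.createTempFile("toy-schemas", ".jar");
        jar.deleteOnExit();
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar))) {
            out.putNextEntry(new JarEntry("schemas/toy-protocol.xsd"));
            out.write(TOY_XSD.getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return new URL("jar:" + jar.toURI().toURL() + "!/schemas/toy-protocol.xsd");
    }

    /** Returns one of three verdicts: OK, DOCUMENT_INVALID: ..., or SCHEMA_UNREADABLE: ... */
    public static String check(URL schemaUrl, String xml) {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema;
        try {
            // Loading the schema itself; a missing or unreadable schema surfaces here as
            // "schema_reference.4: Failed to read schema document ...", the code seen in the log.
            schema = factory.newSchema(schemaUrl);
        } catch (SAXException e) {
            return "SCHEMA_UNREADABLE: " + e.getMessage();
        }
        try {
            Validator v = schema.newValidator();
            // Hardening: the document under test must not pull external DTDs or schemas.
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            v.validate(new StreamSource(new StringReader(xml)));
            return "OK";
        } catch (SAXException | IOException e) {
            // Reached only when the schema loaded and the document was parsed: a true mismatch.
            return "DOCUMENT_INVALID: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        URL schemaUrl = packSchemaIntoJar();
        String good = "<tp:Response xmlns:tp=\"urn:example:toyp\" ID=\"_abc123\"/>";
        String bad  = "<tp:Response xmlns:tp=\"urn:example:toyp\"/>"; // constructed: missing ID
        System.out.println(check(schemaUrl, good));
        System.out.println(check(schemaUrl, bad));
        // Same jar: URL pattern but a non-existent entry: reproduces schema_reference.4
        // without a security manager, so the verdict logic can be exercised anywhere.
        URL missing = new URL(schemaUrl.toString().replace("toy-protocol.xsd", "not-there.xsd"));
        System.out.println(check(missing, good));
    }
}
```

Compile and run with `javac SchemaCheckDiagnostic.java && java SchemaCheckDiagnostic`. The first call reports OK, the second a cvc-complex-type error for the missing ID attribute, and the third the schema_reference.4 text that also appears in the coldfusion-out.log excerpt above. The useful point for troubleshooting a sandboxed deployment is that the third case is not a bad SAML response at all: the validator failed closed because it never obtained the schema. Failing closed is the right default for an SSO assertion, but a log that distinguishes SCHEMA_UNREADABLE from DOCUMENT_INVALID tells the operator to look at file permissions on the JAR or bundle location rather than at the IdP.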