cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Tue, 24 Oct 2017 11:57:43 GMT
I spoke too soon.

I am completely stuck with the same stack trace and no amount of 
reloading the certificates is helping.  Is there any way to debug what 
the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
     at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
     at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
     at 
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
     at 
org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
     at 
org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
     at 
org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at 
org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
     at 
org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
     at 
org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
     at 
org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
     at 
org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
     at 
org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
     at 
org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
     at 
org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
     at 
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
     at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
     at 
org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
     at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
     at 
org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
     at org.springframework.webflow.engine.State.enter(State.java:193)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
     at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
     at 
org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
     at 
org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
     at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
     at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
     at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
     at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
     at 
org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
     at 
org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
     at 
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
     at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
     at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
     at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
     at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
     at 
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
     at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
     at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
     at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
     at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
     at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
     at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
     at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
     at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
     at 
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
     at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
     at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
     at 
org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
     at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
     at 
org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
     at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
     at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
     at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is 
set, but no local certificates were negotiated.  Is the server set to 
ask for client authorization?
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
     at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
     ... 154 more
Caused by: 
org.apache.cxf.transport.http.UntrustedURLConnectionIOException: 
RequireClientCertificate is set, but no local certificates were 
negotiated.  Is the server set to ask for client authorization?
     at 
org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
     at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
     at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
     at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
     at 
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
     at 
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
     at 
org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
     at 
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
     at 
com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
     ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in 
retrieving a token

On 23/10/2017 19:41, Matthew Broadhead wrote:
> Thanks for your help Colm.  I now have it working using the production 
> certificate by following this example 
> https://stackoverflow.com/a/2141229/3052312 to export the pems into 
> jks files.
>
> But in the end I also had to copy idp-ssl-key.jks and 
> idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having 
> them in catalina base.  This seems impractical in production as the 
> certificates get reissued every 6 months.  Is it possible for 
> sec:keyStore to define the resource as being in catalina base?
>
> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>> sec:certStore that works with PEM files, but only for TrustStores I 
>> think.
>> As a workaround you can just use the Java keytool command to import your
>> PEM key/cert into a JKS keystore.
>>
>>> this document
>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>
>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>> version is on github:
>>
>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>
>> Colm.
>>
>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>> instead of a java keystore?  Where is the documentation for 
>>> sec:keyStore?
>>>
>>> Matt
>>>
>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>
>>>> I haven't used the APR connector. The following works for me in the 
>>>> tests,
>>>> perhaps you could duplicate this config and get it working first 
>>>> before
>>>> switching over to the APR connector:
>>>>
>>>>    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>               clientAuth="want" sslProtocol="TLS"
>>>>               keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>               truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>
>>>> Yes you will need to specify the truststore and keystore in 
>>>> cxf-tls.xml to
>>>> communicate with the STS from the IdP. The truststore should 
>>>> contain the
>>>> issuing cert of the Tomcat instance hosting your STS + then 
>>>> keystore the
>>>> private key of your IdP.
>>>>
>>>> Colm.
>>>>
>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> I am using my own certificate with APR in the Tomcat server.xml.  I added
>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>> problem
>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>     <SSLHostConfig clientVerification="required">
>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>                      type="RSA" />
>>>>>     </SSLHostConfig>
>>>>> </Connector>
>>>>>
>>>>> I commented the trustManagers and keyManagers in
>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>> How would I use production certificates?
>>>>> <http:conduit name="*.http-conduit">
>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>         <!-- <sec:trustManagers>
>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>         </sec:trustManagers>
>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks" />
>>>>>         </sec:keyManagers> -->
>>>>>     </http:tlsClientParameters>
>>>>> </http:conduit>
>>>>>
>>>>>
>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>
>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>> But now I have this
>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>       ...
>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>       ... 154 more
>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>       ...
>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>
>>>>>>
>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>
>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>
>>>>>>> The previous one was caused by
>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>> should have been
>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>> according to original file
>>>>>>>
>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> Hi Colm,
>>>>>>>> Yes I have:
>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>> ...
>>>>>>>>     <property name="applications">
>>>>>>>>         <util:list>
>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>         </util:list>
>>>>>>>>     </property>
>>>>>>>> ...
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>     <property name="optional" value="false" />
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> etc.
>>>>>>>>
>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> Do you have an
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It
>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>
>>>>>>>>>> but then I get the following error
>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>
>>>>>>>>>> Matthew
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>
>
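Added note, not part of the thread and not CXF or Fediz code: the interceptor that throws in the trace above, HttpsTokenOutInterceptor.establishTrust, runs when the STS endpoint's policy carries a RequireClientCertificate assertion and simply asks the finished TLS session for its local (client) certificates. That list is empty in two quite different situations: the Tomcat connector serving the STS port never sent a CertificateRequest (clientAuth / clientVerification not active on the SSLHostConfig that actually answers), or it did send one but its acceptable-issuer list matched no key in the IdP's keystore, so the JDK key manager offered nothing. The standalone program below redoes that handshake outside Tomcat with the same idp-ssl-key.jks and idp-ssl-trust.jks that cxf-tls.xml points at, and tells you which of the two happened. Hypothetical names: the class ClientCertProbe and its six positional arguments; it assumes the key password equals the keystore password (as in the thread's tompass/tompass config) and picks JKS or PKCS12 by file extension.

```java
// Added diagnostic (not CXF/Fediz code). Reproduces the TLS handshake the IdP's STS
// client performs and reports whether a client certificate was actually negotiated.
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class ClientCertProbe {   // hypothetical class name

    /** Wraps the JDK key manager so we can observe whether the server ever asked for a client cert. */
    static final class ObservingKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;
        boolean serverAsked;   // set when a CertificateRequest reaches us
        String chosenAlias;    // alias we answered with, null if nothing in the keystore matched

        ObservingKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            serverAsked = true;
            System.err.println("CertificateRequest received; acceptable issuers: "
                + (issuers == null || issuers.length == 0 ? "any" : Arrays.toString(issuers)));
            chosenAlias = delegate.chooseClientAlias(keyType, issuers, socket);
            return chosenAlias;
        }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
            serverAsked = true;
            chosenAlias = delegate.chooseEngineClientAlias(keyType, issuers, engine);
            return chosenAlias;
        }
        // Everything else is passed straight through to the real key manager.
        @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
        @Override public String chooseEngineServerAlias(String k, Principal[] i, SSLEngine e) { return delegate.chooseEngineServerAlias(k, i, e); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    /** Loads a JKS or PKCS12 store; the type is guessed from the file extension (assumption). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) { ks.load(in, password); }
        return ks;
    }

    /** The same question CXF asks after the handshake: did the session end up with local certificates? */
    static String verdict(SSLSession session, ObservingKeyManager km) throws Exception {
        Certificate[] local = session.getLocalCertificates();
        X509Certificate server = (X509Certificate) session.getPeerCertificates()[0];
        String head = session.getProtocol() + " " + session.getCipherSuite()
            + ", server cert " + server.getSubjectX500Principal() + ": ";
        if (!km.serverAsked) {
            return head + "FAIL, server never sent CertificateRequest (clientAuth/clientVerification not active on this connector)";
        }
        if (km.chosenAlias == null) {
            return head + "FAIL, server asked but no key in the keystore matched its acceptable issuers";
        }
        if (local == null) {
            return head + "FAIL, alias " + km.chosenAlias + " was chosen but the session holds no local certificates";
        }
        return head + "OK, client cert sent: " + ((X509Certificate) local[0]).getSubjectX500Principal();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: ClientCertProbe <host> <port> <keystore> <keystorePass> <truststore> <truststorePass>");
            System.exit(2);
        }
        char[] keyPass = args[3].toCharArray();   // assumption: key password == keystore password
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(args[2], keyPass), keyPass);
        ObservingKeyManager km = new ObservingKeyManager((X509ExtendedKeyManager) kmf.getKeyManagers()[0]);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(args[4], args[5].toCharArray()));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            socket.startHandshake();
            System.out.println(verdict(socket.getSession(), km));
        } catch (SSLHandshakeException e) {
            // A connector with clientVerification="required" aborts the handshake rather than
            // finishing it without a client cert; report what was observed before the alert.
            System.out.println("handshake failed: " + e.getMessage()
                + (km.serverAsked ? " (server asked; alias offered: " + km.chosenAlias + ")" : " (server never asked)"));
        }
    }
}
```

Run it from the IdP host against the host and port in stsUrl, for example java ClientCertProbe domain.tld 9443 idp-ssl-key.jks tompass idp-ssl-trust.jks ispass. "server never sent CertificateRequest" means the fix is on the Tomcat side, on the connector or SSLHostConfig that really serves that port; "no key in the keystore matched" means the STS side's truststore (the CA list it advertises) does not contain the issuer of the IdP's client certificate, so the IdP's key is never acceptable; only when a client certificate is reported as sent can CXF's RequireClientCertificate check pass. The probe covers the TLS layer only: the http:conduit in cxf-tls.xml must still point its sec:keyManagers at the same keystore, or the IdP's STS client will negotiate without a certificate no matter what Tomcat asks for.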

