cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Wed, 25 Oct 2017 11:39:50 GMT
How would I enable the debug? 
services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?

On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
> If you change it to "required" does it fail? If so, you could try running
> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
> the IdP can't connect to the STS.
>
> Colm.
>
> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Hi Colm,
>>
>> I realise now that this html file was included in the examples/samplekeys
>> directory in the code, but I was taking it from the internet.
>>
>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>> getting the same error over and again. I can browse the wsdl without
>> having to provide a client certificate. Could you point me to the part of
>> the idp-sts configuration which might be causing it to not ask for the keys
>> properly? Or is it definitely a Tomcat server.xml issue?
>>
>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>
>>> You can see the HTML here:
>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> I'll update the webpage to point to github instead of SVN.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi Colm
>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>> in html?
>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>
>>>> Secondly there is a massive difference between
>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>> and
>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>> (svn being the one linked from the main fediz pages)
>>>>
>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>> ststrust.jks.
>>>>
>>>> I have some more things to try now so I will let you know if I get
>>>> further.
>>>>
>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>
>>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>> your own keys?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>
>>>>>> clientAuth
>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>> SSLHostConfig element.
>>>>>>
>>>>>> then
>>>>>>
>>>>>> certificateVerification
>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>> client requests a resource protected by a security constraint that uses
>>>>>> CLIENT-CERT authentication.
>>>>>>
>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>>> access the site at all with
>>>>>>
>>>>>> Secure Connection Failed
>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>
>>>>>> Maybe I should try using Tomcat 7?
>>>>>>
>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>>>>> for client authentication. You can check this by using a web browser or
>>>>>>> curl to view the WSDL of the STS - if you can get it to work then the
>>>>>>> configuration is incorrect, as it should error on the browser not
>>>>>>> supplying a client cert.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> I spoke too soon.
>>>>>>>>
>>>>>>>> I am completely stuck with the same stack trace and no amount of
>>>>>>>> reloading the certificates is helping. Is there any way to debug what
>>>>>>>> the actual problem is?
>>>>>>>>
>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>>>>>
>>>>>>>>
>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>> certificate by following this example
>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into
>>>>>>>>> jks files.
>>>>>>>>>
>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina
>>>>>>>>> base. This seems impractical in production as the certificates get
>>>>>>>>> reissued every 6 months. Is it possible for sec:keyStore to define the
>>>>>>>>> resource as being in catalina base?
>>>>>>>>>
>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>>>>>> think. As a workaround you can just use the Java keytool command to
>>>>>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>>>>>
>>>>>>>>>>> This document
>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>
>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The
>>>>>>>>>> correct version is on github:
>>>>>>>>>>
>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>> instead of a java keystore? Where is the documentation for
>>>>>>>>>>> sec:keyStore?
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>>>>>> first before switching over to the APR connector:
>>>>>>>>>>>>
>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>     maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>     clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>     keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>     truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>
>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>>>>>>> STS + then keystore the private key of your IdP.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml. I
>>>>>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still
>>>>>>>>>>>>> have the same problem
>>>>>>>>>>>>>
>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>     maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>             type="RSA" />
>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but now I have this
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate
>>>>>>>>>>>>>> is set, but no local certificates were negotiated.  Is the server set
>>>>>>>>>>>>>> to ask for client authorization?
>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
>>>>>>>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>>>>>> It correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>
>>
>
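The two configs this thread turns on are the Tomcat connector in front of the STS (does it ask for a client certificate at all?) and the IdP's cxf-tls.xml conduit (does the IdP have a key to present?). The "RequireClientCertificate is set, but no local certificates were negotiated" fault in the trace above is raised on the IdP's own client side, in HttpsTokenOutInterceptor.establishTrust, when the STS policy demands a client certificate and the TLS session carries none; commenting out sec:keyManagers guarantees exactly that. The script below is an added example, not Fediz or CXF code: it parses both files with the standard library and reports the gaps. The sample XML is constructed to mirror the fragments posted in the thread. One point the thread does not make, stated here from the Tomcat documentation rather than from the thread: the SSLHostConfig attribute that controls client-certificate requests is certificateVerification (none, optional, optionalNoCA, required); clientVerification is not an attribute Tomcat defines, so the linter flags it rather than treating it as "required".

```python
import xml.etree.ElementTree as ET

# Namespaces used by cxf-tls.xml (http:conduit, sec:keyManagers, sec:trustManagers).
NS = {"http": "http://cxf.apache.org/transports/http/configuration",
      "sec": "http://cxf.apache.org/configuration/security"}
# Tomcat spellings for "ask the client for a certificate", normalised.
_MODES = {"true": "required", "required": "required",
          "want": "want", "optional": "want", "optionalnoca": "want"}
_VERIFY_ATTRS = {"certificateVerification", "certificateVerificationDepth"}

# Constructed: the NIO connector from the thread (clientAuth="want", trust store set).
TOMCAT_NIO = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
  keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
  truststoreFile="idp-ssl-trust.jks" truststorePass="ispass"/>
</Service></Server>"""

# Constructed: the APR connector from the thread. clientVerification is not an
# attribute Tomcat defines, and no CA file is given to verify client certs against.
TOMCAT_APR = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true">
  <SSLHostConfig clientVerification="required">
    <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem" type="RSA"/>
  </SSLHostConfig>
</Connector></Service></Server>"""

# Constructed: cxf-tls.xml with both stores active, and with both commented out.
CONDUIT_OK = """<beans xmlns:http="%(http)s" xmlns:sec="%(sec)s">
<http:conduit name="*.http-conduit"><http:tlsClientParameters>
  <sec:trustManagers><sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks"/></sec:trustManagers>
  <sec:keyManagers keyPassword="tompass"><sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/></sec:keyManagers>
</http:tlsClientParameters></http:conduit></beans>""" % NS
CONDUIT_BROKEN = """<beans xmlns:http="%(http)s" xmlns:sec="%(sec)s">
<http:conduit name="*.http-conduit"><http:tlsClientParameters disableCNCheck="true">
  <!-- <sec:trustManagers> ... </sec:trustManagers>
       <sec:keyManagers keyPassword="tompass"> ... </sec:keyManagers> -->
</http:tlsClientParameters></http:conduit></beans>""" % NS


def tomcat_client_cert_mode(server_xml):
    """Per SSLEnabled Connector: client-cert mode ('none'/'want'/'required'),
    whether a trust store or CA file is set, and any verification-looking
    SSLHostConfig attribute that Tomcat does not define."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        mode = _MODES.get(conn.get("clientAuth", "false").lower(), "none")
        trust = bool(conn.get("truststoreFile"))
        unknown = []
        for host in conn.findall("SSLHostConfig"):
            if "certificateVerification" in host.attrib:
                mode = _MODES.get(host.get("certificateVerification").lower(), "none")
            trust = trust or any(host.get(a) for a in
                                 ("truststoreFile", "caCertificateFile", "caCertificatePath"))
            unknown += [a for a in host.attrib
                        if ("verification" in a.lower() or "clientauth" in a.lower())
                        and a not in _VERIFY_ATTRS]
        results.append({"port": conn.get("port"), "mode": mode,
                        "truststore": trust, "unknown_attrs": unknown})
    return results


def conduit_client_identity(cxf_tls_xml):
    """Per http:conduit: is a sec:keyManagers key store present (the IdP's own
    key, without which it presents no client cert), a sec:trustManagers store,
    and is disableCNCheck on?  ElementTree drops XML comments, so a
    commented-out keyManagers block correctly counts as absent."""
    results = []
    for conduit in ET.fromstring(cxf_tls_xml).iter("{%s}conduit" % NS["http"]):
        params = conduit.find("http:tlsClientParameters", NS)
        entry = {"name": conduit.get("name"), "key_managers": False,
                 "trust_managers": False, "cn_check_disabled": False}
        if params is not None:
            entry["key_managers"] = params.find("sec:keyManagers/sec:keyStore", NS) is not None
            entry["trust_managers"] = params.find("sec:trustManagers/sec:keyStore", NS) is not None
            entry["cn_check_disabled"] = params.get("disableCNCheck", "false").lower() == "true"
        results.append(entry)
    return results


def diagnose(server_xml, cxf_tls_xml):
    """Everything that would stop the IdP completing a client-cert handshake."""
    findings = []
    for c in tomcat_client_cert_mode(server_xml):
        for attr in c["unknown_attrs"]:
            findings.append("connector %s: %r is not Tomcat's certificateVerification attribute, "
                            "so it does not make the server request a client certificate"
                            % (c["port"], attr))
        if c["mode"] == "none":
            findings.append("connector %s never asks for a client certificate" % c["port"])
        elif not c["truststore"]:
            findings.append("connector %s asks for client certificates but configures no "
                            "trust store / CA file to verify them against" % c["port"])
    for c in conduit_client_identity(cxf_tls_xml):
        if not c["key_managers"]:
            findings.append("conduit %s has no sec:keyManagers: the IdP presents no certificate, "
                            "so a RequireClientCertificate policy fails with 'no local "
                            "certificates were negotiated'" % c["name"])
        if not c["trust_managers"]:
            findings.append("conduit %s has no sec:trustManagers: the STS chain must validate "
                            "against the JVM default trust store" % c["name"])
        if c["cn_check_disabled"]:
            findings.append("conduit %s sets disableCNCheck=true: hostname verification is off"
                            % c["name"])
    return findings


if __name__ == "__main__":
    for f in diagnose(TOMCAT_APR, CONDUIT_BROKEN):
        print("-", f)
```

Run it as is and it reports five findings for the APR connector plus the commented-out conduit, and none for the NIO connector plus the conduit with both stores. To run it against a real deployment, read server.xml and cxf-tls.xml from disk and pass the strings to diagnose(); the disableCNCheck finding is deliberate, since a production IdP should verify the STS hostname rather than carry the sample's test-only setting.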
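The "No service config found for <realm>" warning appears twice in the thread, and Colm's question is whether an ApplicationEntity with that realm exists in entities-realma.xml. This added example (not Fediz code) automates that check: it reads the Spring bean definitions, correlates them with IdP log lines, and separates the three cases a deployer actually hits: no ApplicationEntity for the realm, an ApplicationEntity that no IdpEntity lists under applications, and a realm that is fully registered (where the thread's own fix turned out to be the stsUrl in the realm config). It also evaluates the passiveRequestorEndpointConstraint regex against a relying-party URL, which matters because the hello-world bean only admits https://localhost endpoints. The beans and log lines are constructed for the example (the orphan and unknown realms are invented), and the assumption that the constraint must match the whole URL is mine, not something the thread establishes.

```python
import re
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
IDP_CLASS = "org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity"
APP_CLASS = "org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"

# Constructed entities file modelled on the beans posted in the thread; the
# srv-orphan bean (not attached to any IdpEntity) is added for the example.
ENTITIES_XML = """<beans xmlns="%s" xmlns:util="%s">
  <bean id="idp-realmXYZ" class="%s">
    <property name="applications"><util:list><ref bean="srv-fedizhelloworld"/></util:list></property>
  </bean>
  <bean id="srv-fedizhelloworld" class="%s">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld"/>
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\\d)*/.*"/>
  </bean>
  <bean id="srv-orphan" class="%s">
    <property name="realm" value="urn:example:orphan"/>
  </bean>
</beans>""" % (BEANS, UTIL, IDP_CLASS, APP_CLASS, APP_CLASS)

# Constructed log lines in the format the IdP writes: a registered realm, a
# realm whose bean is not linked to an IdpEntity, and a realm with no bean.
LOG = """2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:25:41,002 [https-openssl-apr-9443-exec-3] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:example:orphan
2017-10-20 19:25:42,310 [https-openssl-apr-9443-exec-4] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:example:unknown"""

LOG_RE = re.compile(r"No service config found for (\S+)")


def load_applications(entities_xml):
    """realm -> {bean id, passiveRequestorEndpointConstraint, linked to an IdpEntity?}"""
    root = ET.fromstring(entities_xml)
    ns = {"b": BEANS}
    # Bean ids referenced from any IdpEntity's applications list.
    linked = {ref.get("bean") for bean in root.findall("b:bean", ns)
              if bean.get("class") == IDP_CLASS
              for ref in bean.iter("{%s}ref" % BEANS)}
    apps = {}
    for bean in root.findall("b:bean", ns):
        if bean.get("class") != APP_CLASS:
            continue
        props = {p.get("name"): p.get("value") for p in bean.findall("b:property", ns)}
        if "realm" in props:
            apps[props["realm"]] = {"bean": bean.get("id"),
                                    "constraint": props.get("passiveRequestorEndpointConstraint"),
                                    "linked": bean.get("id") in linked}
    return apps


def check_log(log_text, entities_xml):
    """For every 'No service config found' line, name the configuration gap."""
    apps = load_applications(entities_xml)
    verdicts = {}
    for realm in LOG_RE.findall(log_text):
        app = apps.get(realm)
        if app is None:
            verdicts[realm] = "no ApplicationEntity with this realm"
        elif not app["linked"]:
            verdicts[realm] = "bean %s is not in any IdpEntity applications list" % app["bean"]
        else:
            verdicts[realm] = ("bean %s is registered and linked; check the realm-level config "
                               "(stsUrl) next" % app["bean"])
    return verdicts


def endpoint_allowed(entities_xml, realm, url):
    """Apply the application's passiveRequestorEndpointConstraint to an RP URL.
    Assumption (not confirmed by the thread): the IdP requires the whole URL
    to match the pattern, which is what re.fullmatch enforces here."""
    app = load_applications(entities_xml).get(realm)
    if app is None or not app["constraint"]:
        return False
    return re.fullmatch(app["constraint"], url) is not None


if __name__ == "__main__":
    for realm, verdict in check_log(LOG, ENTITIES_XML).items():
        print(realm, "->", verdict)
    print(endpoint_allowed(ENTITIES_XML, "urn:org:apache:cxf:fediz:fedizhelloworld",
                           "https://localhost:9443/fedizhelloworld/secure/fedservlet"))
```

Point it at the real entities-realm*.xml and a tail of the IdP log to get the same verdicts for a live deployment. The endpoint check is worth keeping around after the realm problem is solved: with the constraint shown in the thread, an RP hosted on domain.tld rather than localhost will be rejected even though its realm is registered.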


