cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Thu, 26 Oct 2017 11:06:06 GMT
Hi Colm,

I am not sure that would be very easy to provide a test case? Everything 
was working fine on localhost with the test certificates.

Testing on production is completely different using letsencrypt certs 
and having to change lots of configuration files in the code? You would 
be welcome to look directly at my setup although you are probably busy?

It looks as though the idpcert in the ststrust.jks is not being properly 
sent and trusted by the idp during handshake?  I am converting it using 
openssl to pkcs12 and then importing it into a jks.  Then I export the 
cert.  Is it possible the chain is being dropped?

openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}

Also I get a lot of these warnings when creating keystores.  Should I be 
changing everything to use pkcs12?
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate 
to PKCS12 which is an industry standard format using

Matthew
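
The conversion steps from the message above, run against a constructed two-certificate chain to see where the issuer certificate survives. This is an added example, not part of the original post: the test CA, the host name and the temporary file names are assumptions, the alias and password are the ones in the post, and the keytool part runs only when a JDK is on the PATH.

```shell
#!/bin/sh
# Added example. The CA and leaf are constructed throwaway certificates;
# PASS and ALIAS are the values used in the post.
set -eu

PASS=tompass
ALIAS=mytomidpkey

# Create a constructed CA and a leaf it signs, laid out like a Let's Encrypt
# directory: cert.pem (leaf), chain.pem (issuer), fullchain.pem (leaf + issuer).
make_constructed_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=idp.example.test" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# Step 1 from the post: PEM chain + private key -> PKCS12.
export_p12() {
  d=$1
  openssl pkcs12 -export -in "$d/fullchain.pem" -inkey "$d/privkey.pem" \
    -out "$d/idp.p12" -name "$ALIAS" -password "pass:$PASS"
}

# Count the certificates stored in a PKCS12 file. $2 is an optional openssl
# selector: -clcerts (certificate bound to the key) or -cacerts (issuers only).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" ${2:-} 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Steps 2 and 3 from the post (idp.jks and idp.cer stand in for ${idpKey} and
# ${idpCert}), then two checks. Prints
# "<chain length of the key entry in the keystore> <certificates in the exported file>".
keytool_roundtrip() {
  d=$1
  keytool -importkeystore -deststorepass "$PASS" -destkeypass "$PASS" \
    -destkeystore "$d/idp.jks" -srckeystore "$d/idp.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -alias "$ALIAS" >/dev/null 2>&1
  # -rfc is added only so the exported file is PEM and can be counted with grep.
  keytool -keystore "$d/idp.jks" -storepass "$PASS" -export -alias "$ALIAS" \
    -rfc -file "$d/idp.cer" >/dev/null 2>&1
  in_store=$(keytool -J-Duser.language=en -list -v -keystore "$d/idp.jks" \
    -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p')
  in_file=$(grep -c 'BEGIN CERTIFICATE' "$d/idp.cer" || true)
  echo "$in_store $in_file"
}

main() {
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  make_constructed_chain "$work"
  export_p12 "$work"
  echo "certificates in PKCS12:         $(count_p12_certs "$work/idp.p12")"
  echo "  bound to the private key:     $(count_p12_certs "$work/idp.p12" -clcerts)"
  echo "  issuer certificates:          $(count_p12_certs "$work/idp.p12" -cacerts)"
  if command -v keytool >/dev/null 2>&1; then
    echo "keystore chain / exported file: $(keytool_roundtrip "$work")"
  fi
}
main
```

keytool -export writes only the first certificate of a key entry, so the exported file holds the leaf alone while the keystore entry itself keeps the whole chain. A truststore that imports that file therefore trusts this one leaf certificate, not its issuer.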

On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
> Could you create a test-case and upload it to github somewhere + I will
> take a look?
>
> Colm.
>
> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Thanks for pointing me in the right direction.
>>
>> basically what the documentation lacks is that the ststrust.jks must
>> contain MyTCIDP.cer, i.e.
>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>> i looked through the original ststrust.jks and it contained the alias
>> idpcert which confirmed the suspicion
>>
>> the other problem was that the cipher of the letsencrypt certificate was
>> not supported by java so i had to enable apr for openssl support.
>> -Djavax.net.debug=all helped to debug that.
>>
>> but i still have some strange problems.  when i first connect with
>> fedizhelloworld it pops up a box asking for a certificate.  and also if i
>> leave it logged in for a while and then try to logout chrome tells me
>> This site can’t provide a secure connection
>> ERR_SSL_PROTOCOL_ERROR
>>
>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>
>>> Your truststore in cxf-tls.xml must trust the certificate presented by the
>>> STS. Also, it must contain a keystore with the private key of the IdP,
>>> which in turn must be trusted by the STS.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Are the two keystores responsible for the trust between idp and sts
>>>> supposed to be
>>>> stsrealm_a.jks and ststrust.jks
>>>>
>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>> (domain.tld) which makes sense if it is hitting domain.tls:9443/idp etc
>>>>
>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>> MyTCRP.cer?
>>>>
>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>
>>>>> You'll need to go through the output to figure out why the cert is not
>>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>>> will take a look.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> i get a load of stuff, but in the middle of the one before the error i
>>>>>> get
>>>>>>
>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>> authentication
>>>>>>
>>>>>>
>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>
>>>>>>> ahhh...
>>>>>>>
>>>>>>> -Djavax.net.debug=all
>>>>>>>
>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> How would I enable the debug?
>>>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>> <security:debug/>?
>>>>>>>>
>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> If you change it to "required" does it fail? If so, you could try running
>>>>>>>>> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
>>>>>>>>> the IdP can't connect to the STS.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys
>>>>>>>>>> directory in the code.  but i was taking it from the internet.
>>>>>>>>>>
>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>>>>>>>>> getting the same error over and again.  I can browse the wsdl without
>>>>>>>>>> having to provide a client certificate.  could you point me to the part of
>>>>>>>>>> the idp-sts configuration which might be causing it to not ask for the keys
>>>>>>>>>> properly?  or is it definitely a tomcat server.xml issue?
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>
>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>
>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>
>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>>>>>>>>> in html?
>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>
>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>> and
>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>
>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>
>>>>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>>>>> further
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>>>>>>>>>> your own keys?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> in Tomcat 8
>>>>>>>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>>>>>>>> it says
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>>>>>>>>>> SSLHostConfig element.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> then
>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>>>>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>>>>>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>>>>>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>>>>>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>>>>>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>>>>>>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>>>>>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>>>>>>>>>> client requests a resource protected by a security constraint that uses
>>>>>>>>>>>>>> CLIENT-CERT authentication.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot
>>>>>>>>>>>>>> access the site at all with
>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>>>>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for
>>>>>>>>>>>>>>> client authentication. You can check this by using a web browser or curl to
>>>>>>>>>>>>>>> view the WSDL of the STS - if you can get it to work then the configuration
>>>>>>>>>>>>>>> is incorrect, as it should error on the browser not supplying a client
>>>>>>>>>>>>>>> cert.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of reloading
>>>>>>>>>>>>>>>> the certificates is helping.  is there any way to debug what the actual
>>>>>>>>>>>>>>>> problem is?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>            at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>            at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>            at org.apache.catalina.connector.
>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>            at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>            at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>            at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>            at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>            at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>            at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>            at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>            at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>     ... 154 more
>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>>>>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>>>>>>     ... 155 more
>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>>>>>>>> certificate by following this example
>>>>>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>>>>>>> this seems impractical in production as the certificates get reissued every
>>>>>>>>>>>>>>>>> 6 months.  is it possible for sec:keyStore to define the resource as being
>>>>>>>>>>>>>>>>> in catalina base?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>>>>>>>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> this document
>>>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>>>>>>>>>>> version is on github:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>>>>>>>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>>>>>>>>>>>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>>>>>>>>>>>>>>>> switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     <Connector port="9443"
>>>>>>>>>>>>>>>>>>>>         protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>>>>>>>         maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>>>>>>>         clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>>>>         keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>>>>>>>         truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>>>>>>>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>>>>>>>>>>>>>>>> private key of your IdP.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>     ... 154 more
>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>>>>>>>>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it
>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>
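
Added example, not part of the thread or of the Fediz sources: the `cxf-tls.xml` conduit quoted above, first in the state described in the thread (both managers commented out) and then with them enabled, so the IdP has a client certificate to present to the STS. The `/opt/tomcat-idp` path is a placeholder, the passwords are the sample values from the thread, and dropping `disableCNCheck` assumes the STS certificate matches the host name in `stsUrl`.

```xml
<!-- BEFORE, as described in the thread: no key manager, so the conduit holds
     no private key and cannot offer a client certificate in the handshake.
     disableCNCheck="true" also switches off host name verification of the
     STS certificate. -->
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- sec:trustManagers and sec:keyManagers commented out -->
    </http:tlsClientParameters>
</http:conduit>

<!-- AFTER (use in place of the block above, not alongside it).
     resource= is looked up on the classpath, which is why the keystores had
     to sit in WEB-INF/classes; file= takes a filesystem path, so the stores
     can live outside the WAR and be replaced when the certificate is renewed.
     /opt/tomcat-idp is a placeholder path. -->
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters>
        <!-- Trust store: the issuing certificate of the Tomcat instance
             hosting the STS. -->
        <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass"
                          file="/opt/tomcat-idp/idp-ssl-trust.jks" />
        </sec:trustManagers>
        <!-- Key store: the IdP private key and certificate chain that are
             presented as the TLS client certificate. -->
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass"
                          file="/opt/tomcat-idp/idp-ssl-key.jks" />
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>
```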

