cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: fediz production
Date Wed, 25 Oct 2017 09:42:21 GMT
The problem is that your Tomcat container hosting the STS is not asking for
client authentication. You can check this by using a web browser or curl to
view the WSDL of the STS - if you can get it to work then the configuration
is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> i spoke too soon.
>
> i am completely stuck with the same stack trace and no amount of reloading
> the certificates is helping.  is there any way to debug what the actual
> problem is?
>
> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
> thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
> stream: RequireClientCertificate is set, but no local certificates were
> negotiated.  Is the server set to ask for client authorization?
> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
> set, but no local certificates were negotiated.  Is the server set to ask
> for client authorization?
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
> RequireClientCertificate is set, but no local certificates were
> negotiated.  Is the server set to ask for client authorization?
> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
> retrieving a token
>
>
> On 23/10/2017 19:41, Matthew Broadhead wrote:
>
>> Thanks for your help Colm.  I now have it working using the production
>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>> to export the pems into jks files.
>>
>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>> this seems impractical in production as the certificates get reissued every
>> 6 months.  is it possible for sec:keyStore to define the resource as being
>> in catalina base?
>>
>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>
>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>> sec:certStore that works with PEM files, but only for TrustStores I
>>> think.
>>> As a workaround you can just use the Java keytool command to import your
>>> PEM key/cert into a JKS keystore.
>>>
>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>
>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>> version is on github:
>>>
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> Colm.
>>>
>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>
>>>> Matt
>>>>
>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>
>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>> perhaps you could duplicate this config and get it working first before
>>>>> switching over to the APR connector:
>>>>>
>>>>>    <Connector port="9443"
>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>> truststorePass="ispass" />
>>>>>
>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>> private key of your IdP.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>> problem
>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>                  maxThreads="150" SSLEnabled="true">
>>>>>>           <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>           <SSLHostConfig clientVerification="required">
>>>>>>               <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>                            certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>                            certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>                            type="RSA" />
>>>>>>           </SSLHostConfig>
>>>>>>       </Connector>
>>>>>>
>>>>>> I commented the trustManagers and keyManagers in
>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>> problem?
>>>>>> How would I use production certificates?
>>>>>> <http:conduit name="*.http-conduit">
>>>>>>           <http:tlsClientParameters
>>>>>>               disableCNCheck="true">
>>>>>>               <!-- <sec:trustManagers>
>>>>>>                   <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>               </sec:trustManagers>
>>>>>>               <sec:keyManagers keyPassword="tompass">
>>>>>>                   <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>               </sec:keyManagers> -->
>>>>>>           </http:tlsClientParameters>
>>>>>>       </http:conduit>
>>>>>>
>>>>>>
>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>
>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>
>>>>>>> but now i have this
>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>> has thrown exception, unwinding now
>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>>>> set, but no local certificates were negotiated.  Is the server set to ask
>>>>>>> for client authorization?
>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>> retrieving a token
>>>>>>>
>>>>>>>
>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>
>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>
>>>>>>>> the previous one was caused by
>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>> should have been
>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>> according to original file
>>>>>>>>
>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> Hi Colm,
>>>>>>>>>
>>>>>>>>> Yes I have:
>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>> ...
>>>>>>>>>           <property name="applications">
>>>>>>>>>               <util:list>
>>>>>>>>>                   <ref bean="srv-fedizhelloworld" />
>>>>>>>>>           <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>               </util:list>
>>>>>>>>>           </property>
>>>>>>>>> ...
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>           <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>           <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>           <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>           <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>           <property name="role" value="ApplicationServiceType" />
>>>>>>>>>           <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>           <property name="lifeTime" value="3600" />
>>>>>>>>>           <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>           <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>           <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>           <property name="claim" ref="claim_role" />
>>>>>>>>>           <property name="optional" value="false" />
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> etc.
>>>>>>>>>
>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>> it correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>
>>>>>>>>>>> but then i get the following error
>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>
>>>>>>>>>>> Matthew
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
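The check Colm recommends above (fetch the STS WSDL with no client certificate and see whether the container refuses), written up as a script. This is an added example, not code from the thread or from Fediz/CXF; it assumes openssl and curl are installed, takes host, port and the STS WSDL URL as caller-supplied placeholders, and the two s_client transcripts embedded for the offline run are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Fediz/CXF): verify that the
# Tomcat container in front of the STS really asks for a client certificate.
# Assumes openssl and curl are installed. Host, port and WSDL URL are
# placeholders supplied by the caller; the transcripts below are constructed.

# Classify an `openssl s_client -state -msg` transcript read from stdin.
# Prints "yes" and returns 0 if the server sent a TLS CertificateRequest
# (seen as a -state line, a -msg record, or the list of acceptable CA names);
# prints "no" and returns 1 otherwise. "No client certificate CA names sent"
# is deliberately not matched: s_client prints it whenever the CA list is
# empty, whether or not a CertificateRequest was sent.
server_requests_client_cert() {
    if grep -q -e 'read server certificate request' \
               -e 'CertificateRequest' \
               -e 'Acceptable client certificate CA names'; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Interpret the HTTP status curl got when fetching the WSDL with no client
# certificate. Returns 0 when client auth is evidently enforced, 1 when the
# WSDL was served anyway (the misconfiguration Colm describes), 2 if unclear.
classify_wsdl_status() {
    case "$1" in
        000)     echo "ENFORCED: TLS handshake failed without a client certificate"; return 0 ;;
        401|403) echo "ENFORCED: request refused with HTTP $1"; return 0 ;;
        200)     echo "NOT ENFORCED: WSDL served without a client certificate"; return 1 ;;
        *)       echo "UNDETERMINED: HTTP $1"; return 2 ;;
    esac
}

# Live probe 1: handshake with host:port (SNI set, no client certificate
# offered) and look for a CertificateRequest in the transcript.
probe_client_auth() {
    openssl s_client -connect "$1:$2" -servername "$1" -state -msg \
        </dev/null 2>&1 | server_requests_client_cert
}

# Live probe 2: fetch the STS WSDL without a client certificate and report
# only the HTTP status (curl prints 000 when the TLS handshake fails).
# CA_BUNDLE may point at the CA file that issued the server certificate.
fetch_status() {
    curl -sS -o /dev/null -w '%{http_code}' \
        ${CA_BUNDLE:+--cacert "$CA_BUNDLE"} "$1" 2>/dev/null || true
}

# Constructed transcripts used for the offline demonstration.
SAMPLE_WITH_REQUEST='SSL_connect:SSLv3/TLS read server certificate
<<< TLS 1.2, Handshake [length 0086], CertificateRequest
SSL_connect:SSLv3/TLS read server certificate request
---
Acceptable client certificate CA names
CN=Example Issuing CA, O=Example'
SAMPLE_WITHOUT_REQUEST='SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server done
---
No client certificate CA names sent'

if [ $# -ge 3 ]; then
    # Usage: sh check-client-auth.sh <host> <port> <sts-wsdl-url>
    printf 'CertificateRequest sent by %s:%s: ' "$1" "$2"
    probe_client_auth "$1" "$2" || true
    classify_wsdl_status "$(fetch_status "$3")" || true
else
    printf 'constructed transcript, server asks for a cert: '
    printf '%s\n' "$SAMPLE_WITH_REQUEST" | server_requests_client_cert || true
    printf 'constructed transcript, server does not ask: '
    printf '%s\n' "$SAMPLE_WITHOUT_REQUEST" | server_requests_client_cert || true
fi
```

With clientAuth="want" the WSDL is still served to a certificate-less client, so only clientAuth="true" (or clientVerification="required" on the APR connector) makes the second probe report ENFORCED.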
