cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Mon, 30 Oct 2017 08:35:10 GMT
hi Colm,

Sorry to keep bothering you with this issue.

It is still prompting me for a certificate when redirecting to the idp. I have checked line by line the differences between the original code and my production code and cannot see any major difference. I have tried with the production certificate and with a custom generated certificate but both are the same.

Is there anything else I can try for debugging?

Matthew

On 26/10/2017 14:58, Matthew Broadhead wrote:
> comments below
>
> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>> Are you using Java 9? If so please try with Java 8 instead. The warnings should be harmless, however I haven't tested Fediz with Java 9.
> I am using openjdk 1.8.0.151
>>
>> "when i first connect with fedizhelloworld it pops up a box asking for a certificate." - can you reproduce this with a test-case? It sounds as if you are not using the "up" endpoint of the IdP but instead the client cert endpoint?
> my fediz_config.xml has
> <issuer>https://domain.tld:9443/idp/federation</issuer>
>
> security-up-config.xml is the same as the example except with the endpoints changed from localhost:9443 to domain.tld:9443
>
> If it is not related to that can you tell me where I should be looking for the endpoint config?
>>
>> Colm.
>>
>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> I am not sure that would be very easy to provide a test case? Everything was working fine on localhost with the test certificates.
>>>
>>> Testing on production is completely different using letsencrypt certs and having to change lots of configuration files in the code? You would be welcome to look directly at my setup although you are probably busy?
>>>
>>> It looks as though the idpcert in the ststrust.jks is not being properly sent and trusted by the idp during handshake?  I am converting it using openssl to pkcs12 and then importing it into a jks.  Then I export the cert.  Is it possible the chain is being dropped?
>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>
>>> Also I get a lot of these warnings when creating keystores. Should I be changing everything to use pkcs12?
>>> Warning:
>>> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
>>>
>>> Matthew
>>>
>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>
>>>> Could you create a test-case and upload it to github somewhere + I will take a look?
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Thanks for pointing me in the right direction.
>>>>> Basically what the documentation lacks is that the ststrust.jks must contain MyTCIDP.cer, i.e.
>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>> I looked through the original ststrust.jks and it contained the alias idpcert which confirmed the suspicion
>>>>>
>>>>> The other problem was that the cipher of the letsencrypt certificate was not supported by java so I had to enable apr for openssl support. -Djavax.net.debug=all helped to debug that.
>>>>>
>>>>> But I still have some strange problems.  When I first connect with fedizhelloworld it pops up a box asking for a certificate.  And also if I leave it logged in for a while and then try to logout chrome tells me
>>>>> This site can’t provide a secure connection
>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>
>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Are the two keystores responsible for the trust between idp and sts supposed to be stsrealm_a.jks and ststrust.jks?
>>>>>>>
>>>>>>> It is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>>>>>>>
>>>>>>> Does this mean ststrust.jks should contain MyTCIDP.cer as well as MyTCRP.cer?
>>>>>>>
>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> I get a load of stuff, but in the middle of the one before the error I get
>>>>>>>>>
>>>>>>>>> Warning: no suitable certificate found - continuing without client authentication
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> ahhh...
>>>>>>>>>>
>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code.  But I was taking it from the internet.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again.  I can browse the wsdl without having to provide a client certificate. Could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly?  Or is it definitely a tomcat server.xml issue?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  Is there any way to debug what the actual problem is?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter. 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.connector.
>>>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>>>>             at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>>>>             at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>>>>             at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>             at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the
>>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>             ... 154 more
>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local 
>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>>>             ... 155 more
>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  
>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>>>>>>>>>>     maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>>>>>>>>>>     clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
>>>>>>>>>>>>>>>>>>>>>>>     keystorePass="tompass" keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>>>>>>>>>>>>>     truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem? How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>               ...
>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>               at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>               ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>               ...
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It correctly redirects to the login page and seems to authenticate ok, but then I get the following error:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>
>
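As an added example (not Fediz's own code), the two checks behind the "No service config found for ..." WARN and the passiveRequestorEndpointConstraint quoted in the thread, worked through in Python on constructed reply URLs. It assumes the IdP first looks the relying party up by its realm URN and then applies the constraint as a whole-string regular-expression match; it also goes slightly beyond the thread by showing what the localhost-only constraint does and does not accept.

```python
import re

# Realm and constraint values are the ones in the ApplicationEntity bean quoted
# above; the applications table itself is constructed for this example.
FEDIZHELLOWORLD_REALM = "urn:org:apache:cxf:fediz:fedizhelloworld"
APPLICATIONS = {
    FEDIZHELLOWORLD_REALM: {
        "passiveRequestorEndpointConstraint": r"https://localhost:?(\d)*/.*",
        "logoutEndpointConstraint": r"https://localhost:?(\d)*/.*",
    }
}


def endpoint_allowed(constraint: str, endpoint: str) -> bool:
    """Whole-string match of a reply endpoint against the constraint regex.

    Assumption (not shown on the page): the constraint is applied as a full
    match, so a URL that merely contains a matching prefix is rejected.
    """
    return re.fullmatch(constraint, endpoint) is not None


def validate_passive_request(applications: dict, realm: str, endpoint: str) -> str:
    """Run the two checks a passive (browser) requestor goes through, in order.

    1. Look the relying party up by realm URN; a miss corresponds to the
       'No service config found for <realm>' WARN quoted in the thread.
    2. Require the reply endpoint to satisfy passiveRequestorEndpointConstraint.
    Returns 'ok' or a message naming the check that failed.
    """
    app = applications.get(realm)
    if app is None:
        return f"No service config found for {realm}"
    constraint = app["passiveRequestorEndpointConstraint"]
    if not endpoint_allowed(constraint, endpoint):
        return f"endpoint {endpoint} rejected by constraint {constraint}"
    return "ok"


if __name__ == "__main__":
    # ':?(\d)*' makes the port optional and unrestricted, so the constraint
    # pins the host (localhost, https only) rather than a port.
    for url in ("https://localhost:9443/fedizhelloworld/secure/fedservlet",
                "https://localhost/fedizhelloworld/",
                "https://domain.tld:9443/fedizhelloworld/secure/fedservlet",
                "http://localhost:9443/fedizhelloworld/"):
        print(url, "->", validate_passive_request(APPLICATIONS, FEDIZHELLOWORLD_REALM, url))
    print(validate_passive_request(APPLICATIONS, "urn:org:apache:cxf:fediz:unknown", "https://localhost/"))
```

An application served from a host other than localhost, such as the domain.tld deployment described above, is rejected by this constraint even when the realm lookup succeeds.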

