Re: fediz production

Tue, 24 Oct 2017 04:58:21 -0700 

i spoke too soon.
i am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  is there any way to debug what the actual problem is? 


2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN 
org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for 
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue 
has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to 
stream: RequireClientCertificate is set, but no local certificates were 
negotiated.  Is the server set to ask for client authorization?
    at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
    at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
    at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)

    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)

    at 
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
    at 
org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
    at 
org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
    at 
org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at 
org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
    at 
org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
    at 
org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
    at 
org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
    at 
org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
    at 
org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
    at 
org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
    at 
org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
    at 
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
    at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at 
org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
    at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at 
org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)

    at org.springframework.webflow.engine.State.enter(State.java:193)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at 
org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)

    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)

    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
    at 
org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)

    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)

    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)

    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)

    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)

    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)

    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
    at 
org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)

    at org.springframework.webflow.engine.State.enter(State.java:194)

    at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)

    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)

    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
    at 
org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
    at 
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
    at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
    at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)

    at 
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)

    at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at 
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at 
org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
    at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at 
org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)

    at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)

    at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

    at java.lang.Thread.run(Thread.java:748)

Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is 
set, but no local certificates were negotiated.  Is the server set to 
ask for client authorization?

    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)

    at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)

    ... 154 more

Caused by: 
org.apache.cxf.transport.http.UntrustedURLConnectionIOException: 
RequireClientCertificate is set, but no local certificates were 
negotiated.  Is the server set to ask for client authorization?
    at 
org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
    at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
    at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
    at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
    at 
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
    at 
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at 
org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
    at 
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)

    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)

    at 
com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)

    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
    ... 155 more

2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in 
retrieving a token


On 23/10/2017 19:41, Matthew Broadhead wrote:

Thanks for your help Colm.  I now have it working using the production 
certificate by following this example 
https://stackoverflow.com/a/2141229/3052312 to export the pems into 
jks files.



but in the end i also had to copy idp-ssl-key.jks and 
idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having 
them in catalina base.  this seems impractical in production as the 
certificates get reissued every 6 months.  is it possible for 
sec:keyStore to define the resource as being in catalina base?


On 23/10/2017 18:11, Colm O hEigeartaigh wrote:

sec:keyStore supports either JKS or PKCS12 keystores. There is also a

sec:certStore that works with PEM files, but only for TrustStores I 
think.

As a workaround you can just use the Java keytool command to import your
PEM key/cert into a JKS keystore.


this document 
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/sample

keys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no
idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct
version is on github:


https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html 



Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
[email protected]> wrote:


Hi Colm,

is there any way for sec:keyStore to be pointed at a pem certificate

instead of a java keystore?  where is the doumentation for 
sec:keyStore?


Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:


I haven't used the APR connector. The following works for me in the 
tests,
perhaps you could duplicate this config and get it working first 
before

switching over to the APR connector:

   <Connector port="9443"
protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" clientAuth="want"

sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" 
keystorePass="tompass"

keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
truststorePass="ispass" />


Yes you will need to specify the truststore and keystore in 
cxf-tls.xml to
communicate with the STS from the IdP. The truststore should 
contain the
issuing cert of the Tomcat instance hosting your STS + then 
keystore the

private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
[email protected]> wrote:


i am using my own certificate with APR in the tomcat server.xml.  I 
added

clientVerification="required" to SSLHostConfig but I still have 
the same

problem
<Connector port="9443" protocol="org.apache.coyote.ht
tp11.Http11AprProtocol"
                 maxThreads="150" SSLEnabled="true">
          <UpgradeProtocol className="org.apache.coyote.h
ttp2.Http2Protocol"
/>
          <SSLHostConfig clientVerification="required">
              <Certificate certificateKeyFile="/etc/letse
ncrypt/live/domain.tld/privkey.pem"
certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                           type="RSA" />
          </SSLHostConfig>
      </Connector>

I commented the trustManagers and keyManagers in

services/idp/src/main/resources/cxf-tls.xml.  Could this be the 
problem?

How would I use production certificates?
<http:conduit name="*.http-conduit">
          <http:tlsClientParameters
              disableCNCheck="true">
              <!-- <sec:trustManagers>
                  <sec:keyStore type="jks" password="ispass"
resource="idp-ssl-trust.jks" />
              </sec:trustManagers>
              <sec:keyManagers keyPassword="tompass">
                  <sec:keyStore type="jks" password="tompass"
resource="idp-ssl-key.jks"/>
              </sec:keyManagers> -->
          </http:tlsClientParameters>
      </http:conduit>


On 22/10/2017 00:38, Matthew Broadhead wrote:

ok...i fixed the last error by dropping the schema and restarting.

but now i have this
2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
has
thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to

stream: RequireClientCertificate is set, but no local 
certificates were

negotiated.  Is the server set to ask for client authorization?

      at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE

ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)

      at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE

ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)

      at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase

InterceptorChain.java:308)

      at 
org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:

518)
      ...

Caused by: com.ctc.wstx.exc.WstxIOException: 
RequireClientCertificate

is

set, but no local certificates were negotiated.  Is the server 
set to

ask
for client authorization?

      at 
com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java

:255)

      at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE

ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
      ... 154 more

Caused by: 
org.apache.cxf.transport.http.UntrustedURLConnectionIOExcept

ion:
RequireClientCertificate is set, but no local certificates were
negotiated.  Is the server set to ask for client authorization?

      at 
org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt

erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
ttpsTokenInterceptorProvider.java:143)

      at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea

m.makeTrustDecision(HTTPConduit.java:1780)

      at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea

m.handleHeadersTrustCaching(HTTPConduit.java:1323)
      ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
retrieving a token


On 20/10/2017 23:05, Matthew Broadhead wrote:

ok i now have a different error and it doesn't load the login screen

2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN

org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator 
- No

service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
org.apache.cxf.fediz.service.idp.service.security.GrantedAut
horityEntitlements
- Enriched AuthenticationToken added

the previous one was caused by
services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
<property name="stsUrl" value="https://domain.tld:9443
/idp-sts/REALMMYREALM" />
should have been
<property name="stsUrl" value="https://domain.tld:0/id
p-sts/REALMMYREALM"
/>
according to original file

On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,

Yes I have:
<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.se
rvice.idp.service.jpa.IdpEntity">
...
          <property name="applications">
              <util:list>
                  <ref bean="srv-fedizhelloworld" />
          <!-- <ref bean="srv-oidc" /> -->
              </util:list>
          </property>
...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.se
rvice.idp.service.jpa.ApplicationEntity">
          <property name="realm" value="urn:org:apache:cxf:fedi
z:fedizhelloworld"
/>
          <property name="protocol" value="http://docs.oasis-open.
org/wsfed/federation/200706" />

          <property name="serviceDisplayName" 
value="Fedizhelloworld"

/>

          <property name="serviceDescription" value="Web 
Application to

illustrate WS-Federation" />
          <property name="role" value="ApplicationServiceType" />

          <property name="tokenType" 
value="http://docs.oasis-open.

org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
          <property name="lifeTime" value="3600" />
          <property name="passiveRequestorEndpointConstraint"
value="https://localhost:?(\d)*/.*" />
          <property name="logoutEndpointConstraint"
value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.Applicat
ionClaimEntity">

          <property name="application" 
ref="srv-fedizhelloworld" />

          <property name="claim" ref="claim_role" />
          <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an

org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
instance in
your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
realm
"urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
[email protected]> wrote:

Hi,


i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
trying to
use it from localhost:9443/fedizhelloworld/secure/fedservlet. it

correctly redirects to the login page and seems to 
authenticate ok


but then i get the following error
2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO

org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - 
Token
[IDP_TOKEN=<something>] for realm [<something>] successfully 
cached.

2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN

org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  
-

No

service config found for 
urn:org:apache:cxf:fediz:fedizhelloworld


Matthew































					Reply via email to