If you change it to "required" does it fail? If so, you could try running
the Tomcat IdP with Java SSL debugging enabled and it should tell you why
the IdP can't connect to the STS.

Colm.
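
Added example (not from this thread, Fediz or Tomcat): a self-contained Go probe for the check Colm describes, i.e. whether the connector hosting the STS actually asks for a client certificate. It connects without offering one and records whether a TLS CertificateRequest arrived, then runs that against three loopback servers mirroring Tomcat's clientAuth="false", "want" and "true"; the server certificate and addresses are constructed in-process, and TLS 1.2 is pinned on the client side as explained in the comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

type ProbeResult struct {
	CertRequested bool   // server sent a TLS CertificateRequest message
	HandshakeOK   bool   // handshake completed despite no client certificate
	Err           string // handshake error text, if any
}

// ProbeClientAuth connects to addr (host:port) without offering a client
// certificate and reports whether the server asked for one: crypto/tls invokes
// GetClientCertificate only after a CertificateRequest arrives. TLS 1.2 is pinned
// so a "required" server's rejection surfaces during the handshake, not on the
// first read (under TLS 1.3 the client finishes before the server's verdict).
func ProbeClientAuth(addr string, roots *x509.CertPool) ProbeResult {
	var res ProbeResult
	host, _, _ := net.SplitHostPort(addr) // a bad addr surfaces as a dial error
	cfg := &tls.Config{
		RootCAs:    roots,
		ServerName: host,
		MaxVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			res.CertRequested = true
			return &tls.Certificate{}, nil // empty certificate: decline to authenticate
		},
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		res.Err = err.Error()
		return res
	}
	conn.Close()
	res.HandshakeOK = true
	return res
}

// check panics on fixture errors; the loopback servers below are test scaffolding.
func check(err error) { if err != nil { panic(err) } }

// startServer listens on a loopback port with the given client-auth policy and a
// throwaway self-signed certificate (constructed test material, not a real STS
// cert), returning the address, a pool trusting that cert, and a stop function.
func startServer(policy tls.ClientAuthType) (string, *x509.CertPool, func()) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, _ := x509.ParseCertificate(der) // freshly encoded above; cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		ClientAuth:   policy,
	})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener was stopped
			}
			// Drive the handshake so the client observes the server's verdict.
			go func(c net.Conn) { defer c.Close(); c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }
}

// ProbeAll probes loopback servers mirroring Tomcat's clientAuth="false",
// "want" and "true" (required) and returns the results keyed by that value.
func ProbeAll() map[string]ProbeResult {
	policies := map[string]tls.ClientAuthType{"false": tls.NoClientCert, "want": tls.RequestClientCert, "true": tls.RequireAndVerifyClientCert}
	out := map[string]ProbeResult{}
	for name, p := range policies {
		addr, roots, stop := startServer(p)
		out[name] = ProbeClientAuth(addr, roots)
		stop()
	}
	return out
}

func main() { fmt.Println(ProbeAll()) }
```

Against a real STS, call ProbeClientAuth with its host:port and a pool holding the issuer of the Tomcat certificate; CertRequested=false means the connector never sends a CertificateRequest, which is the first thing to rule out for the "no local certificates were negotiated" error.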

On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
[email protected]> wrote:

> Hi Colm,
>
> I realise now that this html file was included in the examples/samplekeys
> directory in the code.  But I was taking it from the internet.
>
> I am 100% using clientAuth="want" on my Tomcat connector but I am still
> getting the same error over and again.  I can browse the wsdl without
> having to provide a client certificate.  Could you point me to the part of
> the idp-sts configuration which might be causing it to not ask for the keys
> properly?  Or is it definitely a tomcat server.xml issue?
>
> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>
>> You can see the HTML here:
>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>
>> I'll update the webpage to point to github instead of SVN.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>> [email protected]> wrote:
>>
>>> Hi Colm
>>>
>>> Firstly is there somewhere to see these instructions correctly formatted
>>> in html?
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> Secondly there is a massive difference between
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>> and
>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>> (svn being the one linked from the main fediz pages)
>>>
>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>> ststrust.jks.
>>>
>>> I have some more things to try now so I will let you know if I get
>>> further.
>>>
>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>
>>>> Why not try the simple Connector configuration I gave earlier but with
>>>> your own keys?
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>> [email protected]> wrote:
>>>>
>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>> clientAuth
>>>>> This is an alias for the certificateVerification attribute of the default
>>>>> SSLHostConfig element.
>>>>>
>>>>> then
>>>>> certificateVerification
>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>> optional and you don't want Tomcat to check them against the list of
>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>> (which is the default) will not require a certificate chain unless the
>>>>> client requests a resource protected by a security constraint that uses
>>>>> CLIENT-CERT authentication.
>>>>>
>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>> access the site at all with
>>>>> Secure Connection Failed
>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>
>>>>> Maybe I should try using Tomcat 7?
>>>>>
>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>>>> for client authentication. You can check this by using a web browser or
>>>>>> curl to view the WSDL of the STS - if you can get it to work then the
>>>>>> configuration is incorrect, as it should error on the browser not
>>>>>> supplying a client cert.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> I spoke too soon.
>>>>>>>
>>>>>>> I am completely stuck with the same stack trace and no amount of
>>>>>>> reloading the certificates is helping.  Is there any way to debug what
>>>>>>> the actual problem is?
>>>>>>>
>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>>>>
>>>>>>>
>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>>>>>>> to export the pems into jks files.
>>>>>>>>
>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>> This seems impractical in production as the certificates get reissued
>>>>>>>> every 6 months.  Is it possible for sec:keyStore to define the resource
>>>>>>>> as being in catalina base?
>>>>>>>>
>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>>>>> think. As a workaround you can just use the Java keytool command to
>>>>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>>>>
>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>
>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The
>>>>>>>>> correct version is on github:
>>>>>>>>>
>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>> instead of a java keystore?  Where is the documentation for
>>>>>>>>>> sec:keyStore?
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>>>>> first before switching over to the APR connector:
>>>>>>>>>>>
>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>            clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>            keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>            truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>
>>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>>>>>> STS + then keystore the private key of your IdP.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I
>>>>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still have
>>>>>>>>>>>> the same problem
>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>
>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>>>>> problem?
>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and
>>>>>>>>>>>> restarting.
>>>>>>>>>>>>
>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>
>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>> {
>>>>>>>>>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>>>>>>>>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/20051
>>>>>>>>>>>>> 2/}Issue
>>>>>>>>>>>>> has
>>>>>>>>>>>>> thrown exception, unwinding now
>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ
>>>>>>>>>>>>> model
>>>>>>>>>>>>> to
>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local
>>>>>>>>>>>>> certificates
>>>>>>>>>>>>> were
>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>          at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>          at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>          at org.apache.cxf.phase.PhaseInte
>>>>>>>>>>>>> rceptorChain.doIntercept(Phase
>>>>>>>>>>>>> InterceptorChain.java:308)
>>>>>>>>>>>>>          at org.apache.cxf.endpoint.Client
>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java:
>>>>>>>>>>>>> 518)
>>>>>>>>>>>>>          ...
>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>> is
>>>>>>>>>>>>> set, but no local certificates were negotiated.  Is the server
>>>>>>>>>>>>> set
>>>>>>>>>>>>> to
>>>>>>>>>>>>> ask
>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>          at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>> er.flush(BaseStreamWriter.java
>>>>>>>>>>>>> :255)
>>>>>>>>>>>>>          at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>          ... 154 more
>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>> ion:
>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>          at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>          at org.apache.cxf.transport.http.
>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>          at org.apache.cxf.transport.http.
>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>          ...
>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error
>>>>>>>>>>>>> in
>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login
>>>>>>>>>>>>> screen
>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It correctly
>>>>>>>>>>>>>>>>> redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>
>>>
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

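The client-certificate negotiation that the quoted stack trace complains about ("RequireClientCertificate is set, but no local certificates were negotiated") is easy to reproduce outside Tomcat and CXF. The following is an added example written for this thread; it is not code from the thread, from Fediz or from Tomcat. It stands up a local TLS server with Python's ssl module in each of the three client-verification modes and connects a client once without and once with a certificate, so the table of which combinations actually negotiate a client certificate comes out of a real handshake rather than from reading docs. Assumptions, none of them from the page: the openssl CLI is on PATH (it is used to create a throwaway CA, server cert and client cert in a temp directory, all constructed for the example), the mapping of Tomcat's clientAuth / certificateVerification values to ssl.CERT_NONE / CERT_OPTIONAL / CERT_REQUIRED, and the names make_pki(), run_matrix(), demo() and EXPECTED, which are mine.

```python
"""Handshake matrix: which (server mode, client keys) pairs negotiate a client cert.

Added example, not Fediz/Tomcat code. Assumed mapping of Tomcat settings:
  clientAuth="false" / certificateVerification="none"     -> ssl.CERT_NONE
  clientAuth="want"  / certificateVerification="optional" -> ssl.CERT_OPTIONAL
  clientAuth="true"  / certificateVerification="required" -> ssl.CERT_REQUIRED
The client loading a cert chain plays the role of <sec:keyManagers> in cxf-tls.xml.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_MODES = {"none": ssl.CERT_NONE, "want": ssl.CERT_OPTIONAL, "required": ssl.CERT_REQUIRED}

# Outcome per (server mode, client has a cert). Only the rows where the server asks
# AND the client has something to offer end with a negotiated client certificate.
EXPECTED = {
    ("none", False): "peer-cert=none",
    ("none", True): "peer-cert=none",          # server never sends CertificateRequest
    ("want", False): "peer-cert=none",         # asked, but nothing to send
    ("want", True): "peer-cert=client",
    ("required", False): "handshake-rejected",
    ("required", True): "peer-cert=client",
}


def _openssl(*args, cwd):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(workdir):
    """Constructed throwaway PKI: one CA, one server leaf, one client leaf (1 day)."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Test-CA", "-keyout", "ca.key", "-out", "ca.crt", cwd=workdir)
    for name in ("server", "client"):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
                 "-keyout", f"{name}.key", "-out", f"{name}.csr", cwd=workdir)
        _openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", "ca.crt",
                 "-CAkey", "ca.key", "-CAcreateserial", "-out", f"{name}.crt", cwd=workdir)
    names = {"ca": "ca.crt", "server_crt": "server.crt", "server_key": "server.key",
             "client_crt": "client.crt", "client_key": "client.key"}
    return {k: os.path.join(workdir, v) for k, v in names.items()}


def _serve(listener, ctx, n_clients):
    """Accept n_clients connections and tell each one which client cert we saw."""
    for _ in range(n_clients):
        raw, _ = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:
                peer = tls.getpeercert()  # None when no client cert was negotiated
                cn = dict(rdn[0] for rdn in peer["subject"])["commonName"] if peer else "none"
                tls.sendall(f"peer-cert={cn}".encode())
        except OSError:
            pass  # handshake refused (required mode, no client cert); the client gets an alert
        finally:
            raw.close()


def _probe(host, port, ca, client_cert=None):
    """One client handshake; returns the server's report or 'handshake-rejected'."""
    ctx = ssl.create_default_context(cafile=ca)
    ctx.check_hostname = False  # throwaway server cert has no SAN for 127.0.0.1
    if client_cert:
        ctx.load_cert_chain(*client_cert)  # the <sec:keyManagers> equivalent
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Under TLS 1.3 a rejected client cert surfaces on the first read, not in
            # the handshake, so the read is part of the check.
            return tls.recv(256).decode() or "handshake-rejected"
    except OSError:
        return "handshake-rejected"


def run_matrix(pki):
    """Run every server mode against a client without and with a certificate."""
    results = {}
    client_cert = (pki["client_crt"], pki["client_key"])
    for mode, verify in SERVER_MODES.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(pki["server_crt"], pki["server_key"])
        ctx.load_verify_locations(pki["ca"])  # CAs whose client certs we accept
        ctx.verify_mode = verify
        with socket.socket() as listener:
            listener.bind(("127.0.0.1", 0))
            listener.listen(2)
            port = listener.getsockname()[1]
            server = threading.Thread(target=_serve, args=(listener, ctx, 2), daemon=True)
            server.start()
            results[(mode, False)] = _probe("127.0.0.1", port, pki["ca"])
            results[(mode, True)] = _probe("127.0.0.1", port, pki["ca"], client_cert)
            server.join(timeout=10)
    return results


def demo():
    """Whole matrix as a dict; None when the openssl CLI is not available."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        return run_matrix(make_pki(workdir))


if __name__ == "__main__":
    for (mode, has_cert), outcome in (demo() or {}).items():
        print(f"server={mode:8} client_cert={str(has_cert):5} -> {outcome}")
```

Read the matrix against the thread: "no local certificates were negotiated" on the CXF side is what the ("none", True) row looks like from the client, the IdP has keys but the STS connector never sends a CertificateRequest, and also what the ("want", False) row looks like, the connector asks but the conduit has no keyManagers to answer with (the block is commented out in the quoted cxf-tls.xml). Two Tomcat caveats worth checking before anything else: the SSLHostConfig attribute that controls this is certificateVerification (none, optional, optionalNoCA, required), while clientAuth (false, want, true) is the older Connector-level attribute; an attribute name Tomcat does not recognise only produces a "did not find a matching property" warning at startup and the mode stays at its default, none. And with the APR/OpenSSL engine the CA names the server advertises in its CertificateRequest come from caCertificateFile / caCertificatePath, and JSSE's default key manager only offers a client certificate whose issuer is in that advertised list, so the issuer of the key in idp-ssl-key.jks has to be among those CAs or the client will still send nothing.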