Could you create a test-case and upload it to github somewhere + I will take a look?

Colm.

On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <[email protected]> wrote:

> Thanks for pointing me in the right direction.
>
> Basically what the documentation lacks is that the ststrust.jks must
> contain MyTCIDP.cer, i.e.
>
>   keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>
> I looked through the original ststrust.jks and it contained the alias
> idpcert, which confirmed the suspicion.
>
> The other problem was that the cipher of the letsencrypt certificate was
> not supported by java so I had to enable apr for openssl support.
> -Djavax.net.debug=all helped to debug that.
>
> But I still have some strange problems. When I first connect with
> fedizhelloworld it pops up a box asking for a certificate. And also if I
> leave it logged in for a while and then try to logout chrome tells me
>
>   This site can't provide a secure connection
>   ERR_SSL_PROTOCOL_ERROR
>
> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>
>> Your truststore in cxf-tls.xml must trust the certificate presented by the
>> STS. Also, it must contain a keystore with the private key of the IdP,
>> which in turn must be trusted by the STS.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <[email protected]> wrote:
>>
>>> Are the two keystores responsible for the trust between idp and sts
>>> supposed to be stsrealm_a.jks and ststrust.jks?
>>>
>>> It is just that the cert it is not trusting is the idp-ssl-key.jks
>>> (domain.tld), which makes sense if it is hitting domain.tld:9443/idp etc.
>>>
>>> Does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>> MyTCRP.cer?
>>>
>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>
>>>> You'll need to go through the output to figure out why the cert is not
>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>> will take a look.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <[email protected]> wrote:
>>>>
>>>>> I get a load of stuff, but in the middle of the one before the error I
>>>>> get
>>>>>
>>>>>   Warning: no suitable certificate found - continuing without client authentication
>>>>>
>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>
>>>>>> ahhh...
>>>>>>
>>>>>>   -Djavax.net.debug=all
>>>>>>
>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>
>>>>>>> How would I enable the debug?
>>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>> <security:debug/>?
>>>>>>>
>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> If you change it to "required" does it fail? If so, you could try
>>>>>>>> running the Tomcat IdP with Java SSL debugging enabled and it should
>>>>>>>> tell you why the IdP can't connect to the STS.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Colm,
>>>>>>>>>
>>>>>>>>> I realise now that this html file was included in the
>>>>>>>>> examples/samplekeys directory in the code. But I was taking it from
>>>>>>>>> the internet.
>>>>>>>>>
>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>> still getting the same error over and again. I can browse the wsdl
>>>>>>>>> without having to provide a client certificate. Could you point me
>>>>>>>>> to the part of the idp-sts configuration which might be causing it
>>>>>>>>> to not ask for the keys properly? Or is it definitely a tomcat
>>>>>>>>> server.xml issue?
>>>>>>>>>
>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>
>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>
>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colm
>>>>>>>>>>>
>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly
>>>>>>>>>>> formatted in html?
>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>
>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>> and
>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>
>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>
>>>>>>>>>>> I have some more things to try now so I will let you know if I
>>>>>>>>>>> get further.
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but
>>>>>>>>>>>> with your own keys?
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> In Tomcat 8
>>>>>>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>>>>>>> it says
>>>>>>>>>>>>>
>>>>>>>>>>>>>   clientAuth
>>>>>>>>>>>>>   This is an alias for the certificateVerification attribute of the
>>>>>>>>>>>>>   default SSLHostConfig element.
>>>>>>>>>>>>>
>>>>>>>>>>>>> then
>>>>>>>>>>>>>
>>>>>>>>>>>>>   certificateVerification
>>>>>>>>>>>>>   Set to required if you want the SSL stack to require a valid
>>>>>>>>>>>>>   certificate chain from the client before accepting a connection.
>>>>>>>>>>>>>   Set to optional if you want the SSL stack to request a client
>>>>>>>>>>>>>   Certificate, but not fail if one isn't presented. Set to
>>>>>>>>>>>>>   optionalNoCA if you want client certificates to be optional and
>>>>>>>>>>>>>   you don't want Tomcat to check them against the list of trusted
>>>>>>>>>>>>>   CAs. If the TLS provider doesn't support this option (OpenSSL
>>>>>>>>>>>>>   does, JSSE does not) it is treated as if optional was specified.
>>>>>>>>>>>>>   A none value (which is the default) will not require a
>>>>>>>>>>>>>   certificate chain unless the client requests a resource
>>>>>>>>>>>>>   protected by a security constraint that uses CLIENT-CERT
>>>>>>>>>>>>>   authentication.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I
>>>>>>>>>>>>> cannot access the site at all with
>>>>>>>>>>>>>
>>>>>>>>>>>>>   Secure Connection Failed
>>>>>>>>>>>>>   An error occurred during a connection to domain.tld:9443. SSL
>>>>>>>>>>>>>   peer cannot verify your certificate.
>>>>>>>>>>>>>   Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>
>>>>>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is
>>>>>>>>>>>>>> not asking for client authentication. You can check this by
>>>>>>>>>>>>>> using a web browser or curl to view the WSDL of the STS - if
>>>>>>>>>>>>>> you can get it to work then the configuration is incorrect, as
>>>>>>>>>>>>>> it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am completely stuck with the same stack trace and no amount
>>>>>>>>>>>>>>> of reloading the certificates is helping. Is there any way to
>>>>>>>>>>>>>>> debug what the actual problem is?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>   2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>   org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>   Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>   Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>   2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for your help Colm. I now have it working using the
>>>>>>>>>>>>>>>> production certificate by following this example
>>>>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the
>>>>>>>>>>>>>>>> pems into jks files.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and
>>>>>>>>>>>>>>>> idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well
>>>>>>>>>>>>>>>> as having them in catalina base. This seems impractical in
>>>>>>>>>>>>>>>> production as the certificates get reissued every 6 months.
>>>>>>>>>>>>>>>> Is it possible for sec:keyStore to define the resource as
>>>>>>>>>>>>>>>> being in catalina base?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There
>>>>>>>>>>>>>>>>> is also a sec:certStore that works with PEM files, but only
>>>>>>>>>>>>>>>>> for TrustStores I think.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to
>>>>>>>>>>>>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> this document
>>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old.
>>>>>>>>>>>>>>>>> The correct version is on github:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead < >>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Hi Colm, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem >>>>>>>>>>>>>>>>> certificate >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> instead of a java keystore? where is the doumentation for >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> sec:keyStore? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Matt >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for >>>>>>>>>>>>>>>>>> me >>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> tests, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> perhaps you could duplicate this config and get it working >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> first >>>>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>>>> switching over to the APR connector: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> <Connector port="9443" >>>>>>>>>>>>>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" >>>>>>>>>>>>>>>>>>> maxThreads="150" >>>>>>>>>>>>>>>>>>> SSLEnabled="true" scheme="https" secure="true" >>>>>>>>>>>>>>>>>>> clientAuth="want" >>>>>>>>>>>>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" >>>>>>>>>>>>>>>>>>> keystorePass="tompass" >>>>>>>>>>>>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks" >>>>>>>>>>>>>>>>>>> truststorePass="ispass" /> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore >>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>> cxf-tls.xml to >>>>>>>>>>>>>>>>>>> communicate with the STS from the IdP. 
The truststore >>>>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>>>> contain >>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + >>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>> keystore >>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>> private key of your IdP. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead < >>>>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat >>>>>>>>>>>>>>>>>>> server.xml. I >>>>>>>>>>>>>>>>>>> added >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I >>>>>>>>>>>>>>>>>>> still >>>>>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> same >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> problem >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.ht >>>>>>>>>>>>>>>>>>>> tp11.Http11AprProtocol" >>>>>>>>>>>>>>>>>>>> maxThreads="150" >>>>>>>>>>>>>>>>>>>> SSLEnabled="true"> >>>>>>>>>>>>>>>>>>>> <UpgradeProtocol >>>>>>>>>>>>>>>>>>>> className="org.apache.coyote.h >>>>>>>>>>>>>>>>>>>> ttp2.Http2Protocol" >>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>> <SSLHostConfig >>>>>>>>>>>>>>>>>>>> clientVerification="required"> >>>>>>>>>>>>>>>>>>>> <Certificate >>>>>>>>>>>>>>>>>>>> certificateKeyFile="/etc/letse >>>>>>>>>>>>>>>>>>>> ncrypt/live/domain.tld/privkey.pem" >>>>>>>>>>>>>>>>>>>> certificateFile="/etc/letsencr >>>>>>>>>>>>>>>>>>>> ypt/live/domain.tld/cert.pem" >>>>>>>>>>>>>>>>>>>> certificateChainFile="/etc/let >>>>>>>>>>>>>>>>>>>> sencrypt/live/domain.tld/fullc >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> hain.pem" >>>>>>>>>>>>>>>>>>>> type="RSA" /> >>>>>>>>>>>>>>>>>>>> </SSLHostConfig> >>>>>>>>>>>>>>>>>>>> </Connector> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in >>>>>>>>>>>>>>>>>>>> 
services/idp/src/main/resources/cxf-tls.xml. Could >>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>> be the >>>>>>>>>>>>>>>>>>>> problem? >>>>>>>>>>>>>>>>>>>> How would I use production certificates? >>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit"> >>>>>>>>>>>>>>>>>>>> <http:tlsClientParameters >>>>>>>>>>>>>>>>>>>> disableCNCheck="true"> >>>>>>>>>>>>>>>>>>>> <!-- <sec:trustManagers> >>>>>>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>>>>>> password="ispass" >>>>>>>>>>>>>>>>>>>> resource="idp-ssl-trust.jks" /> >>>>>>>>>>>>>>>>>>>> </sec:trustManagers> >>>>>>>>>>>>>>>>>>>> <sec:keyManagers >>>>>>>>>>>>>>>>>>>> keyPassword="tompass"> >>>>>>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>>>>>> password="tompass" >>>>>>>>>>>>>>>>>>>> resource="idp-ssl-key.jks"/> >>>>>>>>>>>>>>>>>>>> </sec:keyManagers> --> >>>>>>>>>>>>>>>>>>>> </http:tlsClientParameters> >>>>>>>>>>>>>>>>>>>> </http:conduit> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and >>>>>>>>>>>>>>>>>>>> restarting. 
>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> but now i have this >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] >>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - >>>>>>>>>>>>>>>>>>>> Interceptor >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>> { >>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws- >>>>>>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT >>>>>>>>>>>>>>>>>>>>> okenService#{http://docs.oasis >>>>>>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051 >>>>>>>>>>>>>>>>>>>>> 2/}Issue >>>>>>>>>>>>>>>>>>>>> has >>>>>>>>>>>>>>>>>>>>> thrown exception, unwinding now >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing >>>>>>>>>>>>>>>>>>>>> SAAJ >>>>>>>>>>>>>>>>>>>>> model >>>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:224) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:174) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInte >>>>>>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase >>>>>>>>>>>>>>>>>>>>> InterceptorChain.java:308) >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java: >>>>>>>>>>>>>>>>>>>>> 518) >>>>>>>>>>>>>>>>>>>>> ... 
>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: >>>>>>>>>>>>>>>>>>>>> RequireClientCertificate >>>>>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the >>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>> set >>>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>> ask >>>>>>>>>>>>>>>>>>>>> for client authorization? >>>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.java >>>>>>>>>>>>>>>>>>>>> :255) >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> ... 154 more >>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept >>>>>>>>>>>>>>>>>>>>> ion: >>>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol >>>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt >>>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut >>>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143) >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780) >>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) >>>>>>>>>>>>>>>>>>>>> ... 
>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9 >>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction >>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>> Error >>>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>>> retrieving a token >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the >>>>>>>>>>>>>>>>>>>>> login >>>>>>>>>>>>>>>>>>>>> screen >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2 >>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>>>> service config found for >>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR 
>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements 
>>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found >>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> the previous one was caused by >>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W >>>>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> m.xml >>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value=" >>>>>>>>>>>>>>>>>>>>>> https://domain.tld:9443 >>>>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" /> >>>>>>>>>>>>>>>>>>>>>> should have been >>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value=" >>>>>>>>>>>>>>>>>>>>>> https://domain.tld:0/id >>>>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM" >>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>> according to original file >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Hi Colm, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Yes I have: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class=" >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity"> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>>>>>> <property name="applications"> >>>>>>>>>>>>>>>>>>>>>>> <util:list> >>>>>>>>>>>>>>>>>>>>>>> <ref >>>>>>>>>>>>>>>>>>>>>>> bean="srv-fedizhelloworld" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <!-- <ref bean="srv-oidc" /> --> >>>>>>>>>>>>>>>>>>>>>>> </util:list> >>>>>>>>>>>>>>>>>>>>>>> </property> >>>>>>>>>>>>>>>>>>>>>>> ... 
>>>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class=" >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity"> >>>>>>>>>>>>>>>>>>>>>>> <property name="realm" >>>>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi >>>>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <property name="protocol" value=" >>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open. >>>>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" /> >>>>>>>>>>>>>>>>>>>>>>> <property name="serviceDisplayName" >>>>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <property name="serviceDescription" >>>>>>>>>>>>>>>>>>>>>>> value="Web >>>>>>>>>>>>>>>>>>>>>>> Application to >>>>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" /> >>>>>>>>>>>>>>>>>>>>>>> <property name="role" >>>>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <property name="tokenType" value=" >>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open >>>>>>>>>>>>>>>>>>>>>>> . 
>>>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <property name="lifeTime" >>>>>>>>>>>>>>>>>>>>>>> value="3600" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <property >>>>>>>>>>>>>>>>>>>>>>> name="passiveRequestorEndpoint >>>>>>>>>>>>>>>>>>>>>>> Constraint" >>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>>>>>> <property >>>>>>>>>>>>>>>>>>>>>>> name="logoutEndpointConstraint >>>>>>>>>>>>>>>>>>>>>>> " >>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat >>>>>>>>>>>>>>>>>>>>>>> ionClaimEntity"> >>>>>>>>>>>>>>>>>>>>>>> <property name="application" >>>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" /> >>>>>>>>>>>>>>>>>>>>>>> <property name="claim" >>>>>>>>>>>>>>>>>>>>>>> ref="claim_role" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> <property name="optional" >>>>>>>>>>>>>>>>>>>>>>> value="false" >>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> etc. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Do you have an >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ty >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> instance in >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml >>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>> realm >>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"? >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Colm. 
>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead < >>>>>>>>>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) >>>>>>>>>>>>>>>>>>>>>>>> domain.tld:9443/idp >>>>>>>>>>>>>>>>>>>>>>>> and i >>>>>>>>>>>>>>>>>>>>>>>> am >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> trying to >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet. >>>>>>>>>>>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to >>>>>>>>>>>>>>>>>>>>>>>>> authenticate >>>>>>>>>>>>>>>>>>>>>>>>> ok >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error >>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 >>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>>> Token >>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] >>>>>>>>>>>>>>>>>>>>>>>>> successfully >>>>>>>>>>>>>>>>>>>>>>>>> cached. 
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 >>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>>>>>>> service config found for >>>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Matthew >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>> >>>>>> >> > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
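The trust pairing the thread converges on (the IdP presents the private key from idp-ssl-key.jks as its client certificate, ststrust.jks on the STS must trust that certificate, and idp-ssl-trust.jks must trust the STS's TLS certificate) can be verified offline before either Tomcat is started, which is quicker than reading a -Djavax.net.debug=all trace. The following Java program is an added example, not code from the thread or from Fediz; it assumes the keystore names and passwords used in the thread and a hypothetical exported STS certificate file sts-tls.cer.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not Fediz code). Checks the two trust directions from the
 * thread with the same PKIX validation the JSSE trust manager performs:
 *   1. ststrust.jks must validate the IdP's client certificate chain from
 *      idp-ssl-key.jks (the "idpcert" import the thread ends with); if it
 *      does not, the STS's mutual-TLS handshake fails and the IdP logs
 *      "RequireClientCertificate is set, but no local certificates were negotiated".
 *   2. idp-ssl-trust.jks must validate the STS's TLS certificate (sts-tls.cer
 *      is a hypothetical file name for the exported STS certificate).
 * Keystore names and passwords are the ones used in the thread.
 */
public class FedizTrustCheck {

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Chain of the first private-key entry, i.e. what the IdP presents as client cert; null if none. */
    static List<Certificate> clientChain(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return Arrays.asList(ks.getCertificateChain(alias));
            }
        }
        return null;
    }

    /** PKIX-validates chain against the trusted-certificate entries of truststore. */
    static boolean trusts(KeyStore truststore, List<Certificate> chain) throws Exception {
        PKIXParameters params = new PKIXParameters(truststore);
        params.setRevocationEnabled(false); // offline check; leave revocation on in production
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("  not trusted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore idpKey = load("idp-ssl-key.jks", "tompass");
        KeyStore idpTrust = load("idp-ssl-trust.jks", "ispass");
        KeyStore stsTrust = load("ststrust.jks", "storepass");

        List<Certificate> idpChain = clientChain(idpKey);
        if (idpChain == null) {
            System.out.println("idp-ssl-key.jks has no private-key entry: the IdP cannot present a client certificate");
            return;
        }
        X509Certificate idpCert = (X509Certificate) idpChain.get(0);
        System.out.println("IdP client cert: " + idpCert.getSubjectX500Principal());
        System.out.println("STS trusts IdP client cert: " + trusts(stsTrust, idpChain));

        // STS TLS certificate exported from the STS keystore (hypothetical file name).
        try (InputStream in = new FileInputStream("sts-tls.cer")) {
            Certificate stsCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("IdP trusts STS TLS cert: " + trusts(idpTrust, Collections.singletonList(stsCert)));
        }
    }
}
```

Run it from the directory holding the keystores; a "not trusted" line for the first check is the offline equivalent of the missing idpcert alias the thread diagnosed.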
