Are you using Java 9? If so please try with Java 8 instead. The warnings should be harmless, however I haven't tested Fediz with Java 9.
"when i first connect with fedizhelloworld it pops up a box asking for a certificate." - can you reproduce this with a test-case? It sounds as if you are not using the "up" endpoint of the IdP but instead the client cert endpoint? Colm. On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead < [email protected]> wrote: > Hi Colm, > > I am not sure that would be very easy to provide a test case? Everything > was working fine on localhost with the test certificates. > > Testing on production is completely different using letsencrypt certs and > having to change lots of configuration files in the code? You would be > welcome to look directly at my setup although you are probably busy? > > It looks as though the idpcert in the ststrust.jks is not being properly > sent and trusted by the idp during handshake? i am converting it using > openssl to pkcs12 and then importing it into a jks. then i export the > cert. is it possible the chain is being dropped? > openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem > -out ${p12} -name mytomidpkey -password pass:tompass > keytool -importkeystore -deststorepass tompass -destkeypass tompass > -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 > -srcstorepass tompass -alias mytomidpkey > keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey > -file ${idpCert} > > also i get a lot of these warnings when creating keystores. should i be > changing everything to use pkcs12? > Warning: > The JKS keystore uses a proprietary format. It is recommended to migrate > to PKCS12 which is an industry standard format using > > Matthew > > On 26/10/2017 10:43, Colm O hEigeartaigh wrote: > >> Could you create a test-case and upload it to github somewhere + I will >> take a look? >> >> Colm. >> >> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead < >> [email protected]> wrote: >> >> Thanks for pointing me in the right direction. >>> >>> basically what the documentation lacks is that the ststrust.jks must >>> contain MyTCIDP.cer, i.e. >>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass >>> -alias idpcert -file MyTCIDP.cer -noprompt >>> i looked through the original ststrust.jks and it contained the alias >>> idpcert which confirmed the suspicion >>> >>> the other problem was that the cipher of the letsencrypt certificate was >>> not supported by java so i had to enable apr for openssl support. >>> -Djavax.net.debug=all helped to debug that. >>> >>> but i still have some strange problems. when i first connect with >>> fedizhelloworld it pops up a box asking for a certificate. and also if i >>> leave it logged in for a while and then try to logout chrome tells me >>> This site can’t provide a secure connection >>> ERR_SSL_PROTOCOL_ERROR >>> >>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote: >>> >>> Your truststore in cxf-tls.xml must trust the certificate presented by >>>> the >>>> STS. Also, it must contain a keystore with the private key of the IdP, >>>> which in turn must be trusted by the STS. >>>> >>>> Colm. >>>> >>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead < >>>> [email protected]> wrote: >>>> >>>> Are the two keystores responsible for the trust between idp and sts are >>>> >>>>> supposed to be >>>>> stsrealm_a.jks and ststrust.jks >>>>> >>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks >>>>> (domain.tld) which makes sense if it is hitting domain.tls:9443/idp etc >>>>> >>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as >>>>> MyTCRP.cer? >>>>> >>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote: >>>>> >>>>> You'll need to go through the output to figure out why the cert is not >>>>> >>>>>> trusted. If you generate some test certs + create a testcase >>>>>> somewhere I >>>>>> will take a look. >>>>>> >>>>>> Colm. >>>>>> >>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead < >>>>>> [email protected]> wrote: >>>>>> >>>>>> i get a load of stuff, but in the middle of the one before the error i >>>>>> get >>>>>> >>>>>> Warning: no suitable certificate found - continuing without client >>>>>>> authentication >>>>>>> >>>>>>> >>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote: >>>>>>> >>>>>>> ahhh... >>>>>>> >>>>>>> -Djavax.net.debug=all >>>>>>>> >>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote: >>>>>>>> >>>>>>>> How would I enable the debug? services/idp/src/main/webapp/W >>>>>>>> >>>>>>>> EB-INF/security-config.xml >>>>>>>>> <security:debug/>? >>>>>>>>> >>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote: >>>>>>>>> >>>>>>>>> If you change it to "required" does it fail? If so, you could try >>>>>>>>> >>>>>>>>> running >>>>>>>>>> the Tomcat IdP with Java SSL debugging enabled and it should tell >>>>>>>>>> you >>>>>>>>>> why >>>>>>>>>> the IdP can't connect to the STS. >>>>>>>>>> >>>>>>>>>> Colm. >>>>>>>>>> >>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>> Hi Colm, >>>>>>>>>> >>>>>>>>>> I realise now that this html file was included in the >>>>>>>>>> >>>>>>>>>>> examples/samplekeys >>>>>>>>>>> directory in the code. but i was taking it from the internet. >>>>>>>>>>> >>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am >>>>>>>>>>> still >>>>>>>>>>> getting the same error over and again. I can browse the wsdl >>>>>>>>>>> without >>>>>>>>>>> having to provide a client certificate. could you point me to >>>>>>>>>>> the >>>>>>>>>>> part of >>>>>>>>>>> the idp-sts configuration which might be causing it to not ask >>>>>>>>>>> for >>>>>>>>>>> the >>>>>>>>>>> keys >>>>>>>>>>> properly? or is it definitely a tomcat server.xml issue? >>>>>>>>>>> >>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote: >>>>>>>>>>> >>>>>>>>>>> You can see the HTML here: >>>>>>>>>>> >>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent >>>>>>>>>>> >>>>>>>>>>>> .com/apache/cxf-fediz/master/examples/samplekeys/HowToGener >>>>>>>>>>>> ateKeysREADME.html >>>>>>>>>>>> >>>>>>>>>>>> I'll update the webpage to point to github instead of SVN. >>>>>>>>>>>> >>>>>>>>>>>> Colm. >>>>>>>>>>>> >>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead < >>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hi Colm >>>>>>>>>>>> >>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly >>>>>>>>>>>> >>>>>>>>>>>> formatted >>>>>>>>>>>>> in html? >>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/sam >>>>>>>>>>>>> plekeys/HowToGenerateKeysREADME.html >>>>>>>>>>>>> >>>>>>>>>>>>> Secondly there is a massive difference between >>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/sam >>>>>>>>>>>>> plekeys/HowToGenerateKeysREADME.html >>>>>>>>>>>>> and >>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/sample >>>>>>>>>>>>> keys/HowToGenerateKeysREADME.html?view=co >>>>>>>>>>>>> (svn being the one linked from the main fediz pages) >>>>>>>>>>>>> >>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to >>>>>>>>>>>>> ststrust.jks. >>>>>>>>>>>>> >>>>>>>>>>>>> I have some more things to try now so I will let you know if I >>>>>>>>>>>>> get >>>>>>>>>>>>> further >>>>>>>>>>>>> >>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier >>>>>>>>>>>>> but >>>>>>>>>>>>> with >>>>>>>>>>>>> >>>>>>>>>>>>> your >>>>>>>>>>>>> >>>>>>>>>>>>> own keys? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead < >>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomc >>>>>>>>>>>>>> at-8.5-doc/config/http.html# >>>>>>>>>>>>>> >>>>>>>>>>>>>> SSL_Support_-_Connector_-_NIO_and_NIO2 it says >>>>>>>>>>>>>> >>>>>>>>>>>>>> clientAuth >>>>>>>>>>>>>> >>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> default >>>>>>>>>>>>>>> SSLHostConfig element. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> then >>>>>>>>>>>>>>> certificateVerification >>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid >>>>>>>>>>>>>>> certificate >>>>>>>>>>>>>>> chain from the client before accepting a connection. Set to >>>>>>>>>>>>>>> optional if >>>>>>>>>>>>>>> you >>>>>>>>>>>>>>> want the SSL stack to request a client Certificate, but not >>>>>>>>>>>>>>> fail >>>>>>>>>>>>>>> if one >>>>>>>>>>>>>>> isn't presented. Set to optionalNoCA if you want client >>>>>>>>>>>>>>> certificates to >>>>>>>>>>>>>>> be >>>>>>>>>>>>>>> optional and you don't want Tomcat to check them against the >>>>>>>>>>>>>>> list >>>>>>>>>>>>>>> of >>>>>>>>>>>>>>> trusted CAs. If the TLS provider doesn't support this option >>>>>>>>>>>>>>> (OpenSSL >>>>>>>>>>>>>>> does, >>>>>>>>>>>>>>> JSSE does not) it is treated as if optional was specified. A >>>>>>>>>>>>>>> none >>>>>>>>>>>>>>> value >>>>>>>>>>>>>>> (which is the default) will not require a certificate chain >>>>>>>>>>>>>>> unless >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> client requests a resource protected by a security constraint >>>>>>>>>>>>>>> that >>>>>>>>>>>>>>> uses >>>>>>>>>>>>>>> CLIENT-CERT authentication. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now >>>>>>>>>>>>>>> i >>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>> access the site at all with >>>>>>>>>>>>>>> Secure Connection Failed >>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL >>>>>>>>>>>>>>> peer >>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> maybe i should try using Tomcat 7? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is >>>>>>>>>>>>>>> not >>>>>>>>>>>>>>> asking >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> for >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> client authentication. You can check this by using a web >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> browser >>>>>>>>>>>>>>>> or >>>>>>>>>>>>>>>> curl >>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>> view the WSDL of the STS - if you can get it to work then >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> configuration >>>>>>>>>>>>>>>> is incorrect, as it should error on the browser not >>>>>>>>>>>>>>>> supplying >>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>> client >>>>>>>>>>>>>>>> cert. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead < >>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> i spoke too soon. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no >>>>>>>>>>>>>>>> amount >>>>>>>>>>>>>>>> of >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> reloading >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> the certificates is helping. is there any way to debug what >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> actual >>>>>>>>>>>>>>>>> problem is? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] >>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor >>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>> { >>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws- >>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT >>>>>>>>>>>>>>>>> okenService#{http://docs.oasis >>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051 >>>>>>>>>>>>>>>>> 2/}Issue >>>>>>>>>>>>>>>>> has >>>>>>>>>>>>>>>>> thrown exception, unwinding now >>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing >>>>>>>>>>>>>>>>> SAAJ >>>>>>>>>>>>>>>>> model to >>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:224) >>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:174) >>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInte >>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase >>>>>>>>>>>>>>>>> InterceptorChain.java:308) >>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java: >>>>>>>>>>>>>>>>> 518) >>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>> Impl.invoke(ClientImpl.java: >>>>>>>>>>>>>>>>> 427) >>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>> Impl.invoke(ClientImpl.java: >>>>>>>>>>>>>>>>> 328) >>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>> Impl.invoke(ClientImpl.java: >>>>>>>>>>>>>>>>> 281) >>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.tru >>>>>>>>>>>>>>>>> st.AbstractSTSClient.issue(Abs >>>>>>>>>>>>>>>>> tractSTSClient.java:861) >>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>> dp.IdpSTSClient.requestSecurit >>>>>>>>>>>>>>>>> yTokenResponse(IdpSTSClient.java:47) >>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>> dp.IdpSTSClient.requestSecurit >>>>>>>>>>>>>>>>> yTokenResponse(IdpSTSClient.java:42) >>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>> dp.beans.STSClientAction.submi >>>>>>>>>>>>>>>>> t(STSClientAction.java:296) >>>>>>>>>>>>>>>>> at sun.reflect.NativeMethodAccess >>>>>>>>>>>>>>>>> orImpl.invoke0(Native >>>>>>>>>>>>>>>>> Method) >>>>>>>>>>>>>>>>> at sun.reflect.NativeMethodAccess >>>>>>>>>>>>>>>>> orImpl.invoke(NativeMethodAcce >>>>>>>>>>>>>>>>> ssorImpl.java:62) >>>>>>>>>>>>>>>>> at sun.reflect.DelegatingMethodAc >>>>>>>>>>>>>>>>> cessorImpl.invoke(DelegatingMe >>>>>>>>>>>>>>>>> thodAccessorImpl.java:43) >>>>>>>>>>>>>>>>> at java.lang.reflect.Method.invok >>>>>>>>>>>>>>>>> e(Method.java:498) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.support.ReflectiveMethod >>>>>>>>>>>>>>>>> Executor.execute(ReflectiveMethodExecutor.java:113) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.ast.MethodReference.getV >>>>>>>>>>>>>>>>> alueInternal(MethodReference.java:129) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.ast.MethodReference. >>>>>>>>>>>>>>>>> access$000(MethodReference.java:49) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.ast.MethodReference$Meth >>>>>>>>>>>>>>>>> odValueRef.getValue(MethodReference.java:347) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.ast.CompoundExpression.g >>>>>>>>>>>>>>>>> etValueInternal(CompoundExpression.java:88) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.ast.SpelNodeImpl. >>>>>>>>>>>>>>>>> getTypedValue(SpelNodeImpl.java:131) >>>>>>>>>>>>>>>>> at org.springframework.expression >>>>>>>>>>>>>>>>> .spel.standard.SpelExpression. >>>>>>>>>>>>>>>>> getValue(SpelExpression.java:297) >>>>>>>>>>>>>>>>> at org.springframework.binding.ex >>>>>>>>>>>>>>>>> pression.spel.SpringELExpressi >>>>>>>>>>>>>>>>> on.getValue(SpringELExpression.java:84) >>>>>>>>>>>>>>>>> at org.springframework.webflow.ac >>>>>>>>>>>>>>>>> tion.EvaluateAction.doExecute( >>>>>>>>>>>>>>>>> EvaluateAction.java:75) >>>>>>>>>>>>>>>>> at org.springframework.webflow.ac >>>>>>>>>>>>>>>>> tion.AbstractAction.execute(Ab >>>>>>>>>>>>>>>>> stractAction.java:188) >>>>>>>>>>>>>>>>> at org.springframework.webflow.ex >>>>>>>>>>>>>>>>> ecution.AnnotatedAction.execut >>>>>>>>>>>>>>>>> e(AnnotatedAction.java:145) >>>>>>>>>>>>>>>>> at org.springframework.webflow.ex >>>>>>>>>>>>>>>>> ecution.ActionExecutor.execute >>>>>>>>>>>>>>>>> (ActionExecutor.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.ActionList.execute(Action >>>>>>>>>>>>>>>>> List.java:154) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex >>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.TransitionableState.handl >>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.SubflowState.handleEvent( >>>>>>>>>>>>>>>>> SubflowState.java:116) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav >>>>>>>>>>>>>>>>> a:547) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha >>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.en >>>>>>>>>>>>>>>>> dActiveFlowSession(FlowExecutionImpl.java:414) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.endActiveFlowSession(RequestControlContextImpl.java: >>>>>>>>>>>>>>>>> 238) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.EndState.doEnter(EndState >>>>>>>>>>>>>>>>> .java:107) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex >>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.TransitionableState.handl >>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav >>>>>>>>>>>>>>>>> a:547) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha >>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.ActionState.doEnter(Actio >>>>>>>>>>>>>>>>> nState.java:105) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex >>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.TransitionableState.handl >>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav >>>>>>>>>>>>>>>>> a:547) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha >>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.ActionState.doEnter(Actio >>>>>>>>>>>>>>>>> nState.java:105) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec >>>>>>>>>>>>>>>>> isionState.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec >>>>>>>>>>>>>>>>> isionState.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec >>>>>>>>>>>>>>>>> isionState.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec >>>>>>>>>>>>>>>>> isionState.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Flow.start(Flow.java:527) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st >>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:368) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.RequestControlContex >>>>>>>>>>>>>>>>> tImpl.start(RequestControlContextImpl.java:234) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.SubflowState.doEnter(Subf >>>>>>>>>>>>>>>>> lowState.java:101) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec >>>>>>>>>>>>>>>>> isionState.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Transition.execute(Transi >>>>>>>>>>>>>>>>> tion.java:228) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec >>>>>>>>>>>>>>>>> isionState.java:51) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.State.enter(State.java:19 >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.Flow.start(Flow.java:527) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st >>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:368) >>>>>>>>>>>>>>>>> at org.springframework.webflow.en >>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st >>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:223) >>>>>>>>>>>>>>>>> at org.springframework.webflow.ex >>>>>>>>>>>>>>>>> ecutor.FlowExecutorImpl.launch >>>>>>>>>>>>>>>>> Execution(FlowExecutorImpl.java:140) >>>>>>>>>>>>>>>>> at org.springframework.webflow.mv >>>>>>>>>>>>>>>>> c.servlet.FlowHandlerAdapter. >>>>>>>>>>>>>>>>> handle(FlowHandlerAdapter.java:263) >>>>>>>>>>>>>>>>> at org.springframework.web.servle >>>>>>>>>>>>>>>>> t.DispatcherServlet.doDispatch >>>>>>>>>>>>>>>>> (DispatcherServlet.java:967) >>>>>>>>>>>>>>>>> at org.springframework.web.servle >>>>>>>>>>>>>>>>> t.DispatcherServlet.doService( >>>>>>>>>>>>>>>>> DispatcherServlet.java:901) >>>>>>>>>>>>>>>>> at org.springframework.web.servle >>>>>>>>>>>>>>>>> t.FrameworkServlet.processRequ >>>>>>>>>>>>>>>>> est(FrameworkServlet.java:970) >>>>>>>>>>>>>>>>> at org.springframework.web.servle >>>>>>>>>>>>>>>>> t.FrameworkServlet.doGet( >>>>>>>>>>>>>>>>> FrameworkServlet.java:861) >>>>>>>>>>>>>>>>> at javax.servlet.http.HttpServlet >>>>>>>>>>>>>>>>> .service(HttpServlet.java:635) >>>>>>>>>>>>>>>>> at org.springframework.web.servle >>>>>>>>>>>>>>>>> t.FrameworkServlet.service( >>>>>>>>>>>>>>>>> FrameworkServlet.java:846) >>>>>>>>>>>>>>>>> at javax.servlet.http.HttpServlet >>>>>>>>>>>>>>>>> .service(HttpServlet.java:742) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi >>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:231) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App >>>>>>>>>>>>>>>>> licationFilterChain.java:166) >>>>>>>>>>>>>>>>> at org.apache.tomcat.websocket.se >>>>>>>>>>>>>>>>> rver.WsFilter.doFilter(WsFilte >>>>>>>>>>>>>>>>> r.java:52) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi >>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App >>>>>>>>>>>>>>>>> licationFilterChain.java:166) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu >>>>>>>>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu >>>>>>>>>>>>>>>>> rityInterceptor.doFilter(Filte >>>>>>>>>>>>>>>>> rSecurityInterceptor.java:84) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.access.ExceptionTranslation >>>>>>>>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.session.SessionManagementFi >>>>>>>>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.authentication.AnonymousAut >>>>>>>>>>>>>>>>> henticationFilter.doFilter(Ano >>>>>>>>>>>>>>>>> nymousAuthenticationFilter.jav >>>>>>>>>>>>>>>>> a:113) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>> horityEntitlements.doFilter(Gr >>>>>>>>>>>>>>>>> antedAuthorityEntitlements.jav >>>>>>>>>>>>>>>>> a:97) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH >>>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder >>>>>>>>>>>>>>>>> AwareRequestFilter.java:154) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw >>>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.authentication.www.BasicAut >>>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java: >>>>>>>>>>>>>>>>> 150) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.authentication.AbstractAuth >>>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio >>>>>>>>>>>>>>>>> nProcessingFilter.java:199) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.authentication.logout.Logou >>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.context.request.async.WebAs >>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag >>>>>>>>>>>>>>>>> erIntegrationFilter.java:50) >>>>>>>>>>>>>>>>> at org.springframework.web.filter >>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter >>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.context.SecurityContextPers >>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter. >>>>>>>>>>>>>>>>> java:87) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP >>>>>>>>>>>>>>>>> ortFilter.java:74) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce >>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil >>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn >>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192) >>>>>>>>>>>>>>>>> at org.springframework.security.w >>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F >>>>>>>>>>>>>>>>> ilterChainProxy.java:160) >>>>>>>>>>>>>>>>> at org.springframework.web.filter >>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD >>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346) >>>>>>>>>>>>>>>>> at org.springframework.web.filter >>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte >>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi >>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App >>>>>>>>>>>>>>>>> licationFilterChain.java:166) >>>>>>>>>>>>>>>>> at org.springframework.web.filter >>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil >>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197) >>>>>>>>>>>>>>>>> at org.springframework.web.filter >>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter >>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi >>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App >>>>>>>>>>>>>>>>> licationFilterChain.java:166) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar >>>>>>>>>>>>>>>>> dWrapperValve.java:198) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar >>>>>>>>>>>>>>>>> dContextValve.java:96) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo >>>>>>>>>>>>>>>>> stValve.java:140) >>>>>>>>>>>>>>>>> at org.apache.catalina.valves.Err >>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo >>>>>>>>>>>>>>>>> rtValve.java:80) >>>>>>>>>>>>>>>>> at org.apache.catalina.valves.Abs >>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs >>>>>>>>>>>>>>>>> tractAccessLogValve.java:650) >>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard >>>>>>>>>>>>>>>>> EngineValve.java:87) >>>>>>>>>>>>>>>>> at org.apache.catalina.connector. >>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd >>>>>>>>>>>>>>>>> apter.java:342) >>>>>>>>>>>>>>>>> at org.apache.coyote.http2.Stream >>>>>>>>>>>>>>>>> Processor.service(StreamProces >>>>>>>>>>>>>>>>> sor.java:245) >>>>>>>>>>>>>>>>> at org.apache.coyote.AbstractProc >>>>>>>>>>>>>>>>> essorLight.process(AbstractPro >>>>>>>>>>>>>>>>> cessorLight.java:66) >>>>>>>>>>>>>>>>> at org.apache.coyote.http2.Stream >>>>>>>>>>>>>>>>> Processor.process(StreamProces >>>>>>>>>>>>>>>>> sor.java:65) >>>>>>>>>>>>>>>>> at org.apache.coyote.http2.Stream >>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable. >>>>>>>>>>>>>>>>> java:35) >>>>>>>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool >>>>>>>>>>>>>>>>> Executor.java:1142) >>>>>>>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo >>>>>>>>>>>>>>>>> lExecutor.java:617) >>>>>>>>>>>>>>>>> at org.apache.tomcat.util.threads >>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable. >>>>>>>>>>>>>>>>> run(TaskThread.java:61) >>>>>>>>>>>>>>>>> at java.lang.Thread.run(Thread.java:748) >>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: >>>>>>>>>>>>>>>>> RequireClientCertificate >>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the >>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>> set to >>>>>>>>>>>>>>>>> ask >>>>>>>>>>>>>>>>> for client authorization? >>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter. >>>>>>>>>>>>>>>>> java:255) >>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215) >>>>>>>>>>>>>>>>> ... 154 more >>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept >>>>>>>>>>>>>>>>> ion: >>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates >>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol >>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt >>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut >>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H >>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143) >>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780) >>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) >>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293) >>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo >>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP >>>>>>>>>>>>>>>>> Conduit.java:309) >>>>>>>>>>>>>>>>> at org.apache.cxf.io.AbstractWrap >>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract >>>>>>>>>>>>>>>>> WrappedOutputStream.java:47) >>>>>>>>>>>>>>>>> at org.apache.cxf.io.AbstractThre >>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs >>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89) >>>>>>>>>>>>>>>>> at org.apache.cxf.io.AbstractThre >>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra >>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63) >>>>>>>>>>>>>>>>> at com.ctc.wstx.io.UTF8Writer.flu >>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100) >>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BufferingXmlWr >>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter. >>>>>>>>>>>>>>>>> java:241) >>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter. >>>>>>>>>>>>>>>>> java:253) >>>>>>>>>>>>>>>>> ... 155 more >>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] >>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - >>>>>>>>>>>>>>>>> Error >>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>> retrieving a token >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thanks for your help Colm. I now have it working using the >>>>>>>>>>>>>>>>> production >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> certificate by following this example >>>>>>>>>>>>>>>>> https://stackoverflow.com/a/21 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 41229/3052312 to export the pems into jks files. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> but in the end i also had to copy idp-ssl-key.jks and >>>>>>>>>>>>>>>>>> idp-ssl-trust.jks >>>>>>>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in >>>>>>>>>>>>>>>>>> catalina >>>>>>>>>>>>>>>>>> base. >>>>>>>>>>>>>>>>>> this seems impractical in production as the certificates >>>>>>>>>>>>>>>>>> get >>>>>>>>>>>>>>>>>> reissued >>>>>>>>>>>>>>>>>> every >>>>>>>>>>>>>>>>>> 6 months. is it possible for sec:keyStore to define the >>>>>>>>>>>>>>>>>> resource as >>>>>>>>>>>>>>>>>> being >>>>>>>>>>>>>>>>>> in catalina base? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. >>>>>>>>>>>>>>>>>> There >>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>> also >>>>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> sec:certStore that works with PEM files, but only for >>>>>>>>>>>>>>>>>> TrustStores I >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> think. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command >>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>> import >>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>> PEM key/cert into a JKS keystore. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/c >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> xf/fediz/trunk/examples/sample >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> keys/HowToGenerateKeysREADME.html?view=co has >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> idp-ssl-server.jks >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> but >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> no >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> idp-ssl-key.jks. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is >>>>>>>>>>>>>>>>>>> old. >>>>>>>>>>>>>>>>>>> The >>>>>>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>>>>>> version is on github: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf- >>>>>>>>>>>>>>>>>>> fediz/blob/master/examples/sam >>>>>>>>>>>>>>>>>>> plekeys/HowToGenerateKeysREADME.html >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead < >>>>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Hi Colm, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem >>>>>>>>>>>>>>>>>>> certificate >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> instead of a java keystore? where is the doumentation >>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> sec:keyStore? >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Matt >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works >>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>> me >>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> tests, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> perhaps you could duplicate this config and get it >>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> first >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>>>>>> switching over to the APR connector: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> <Connector port="9443" >>>>>>>>>>>>>>>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" >>>>>>>>>>>>>>>>>>>>> maxThreads="150" >>>>>>>>>>>>>>>>>>>>> SSLEnabled="true" scheme="https" secure="true" >>>>>>>>>>>>>>>>>>>>> clientAuth="want" >>>>>>>>>>>>>>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" >>>>>>>>>>>>>>>>>>>>> keystorePass="tompass" >>>>>>>>>>>>>>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks" >>>>>>>>>>>>>>>>>>>>> truststorePass="ispass" /> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and >>>>>>>>>>>>>>>>>>>>> keystore >>>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>>> cxf-tls.xml to >>>>>>>>>>>>>>>>>>>>> communicate with the STS from the IdP. The truststore >>>>>>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>>>>>> contain >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + >>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>> keystore >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>> private key of your IdP. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead < >>>>>>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat >>>>>>>>>>>>>>>>>>>>> server.xml. I >>>>>>>>>>>>>>>>>>>>> added >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I >>>>>>>>>>>>>>>>>>>>> still >>>>>>>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> same >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> problem >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.ht >>>>>>>>>>>>>>>>>>>>>> tp11.Http11AprProtocol" >>>>>>>>>>>>>>>>>>>>>> maxThreads="150" >>>>>>>>>>>>>>>>>>>>>> SSLEnabled="true"> >>>>>>>>>>>>>>>>>>>>>> <UpgradeProtocol >>>>>>>>>>>>>>>>>>>>>> className="org.apache.coyote.h >>>>>>>>>>>>>>>>>>>>>> ttp2.Http2Protocol" >>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>> <SSLHostConfig >>>>>>>>>>>>>>>>>>>>>> clientVerification="required"> >>>>>>>>>>>>>>>>>>>>>> <Certificate >>>>>>>>>>>>>>>>>>>>>> certificateKeyFile="/etc/letse >>>>>>>>>>>>>>>>>>>>>> ncrypt/live/domain.tld/privkey.pem" >>>>>>>>>>>>>>>>>>>>>> certificateFile="/etc/letsencr >>>>>>>>>>>>>>>>>>>>>> ypt/live/domain.tld/cert.pem" >>>>>>>>>>>>>>>>>>>>>> certificateChainFile="/etc/let >>>>>>>>>>>>>>>>>>>>>> sencrypt/live/domain.tld/fullc >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> hain.pem" >>>>>>>>>>>>>>>>>>>>>> type="RSA" /> >>>>>>>>>>>>>>>>>>>>>> </SSLHostConfig> >>>>>>>>>>>>>>>>>>>>>> </Connector> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in >>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could >>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>> be the >>>>>>>>>>>>>>>>>>>>>> problem? >>>>>>>>>>>>>>>>>>>>>> How would I use production certificates? >>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit"> >>>>>>>>>>>>>>>>>>>>>> <http:tlsClientParameters >>>>>>>>>>>>>>>>>>>>>> disableCNCheck="true"> >>>>>>>>>>>>>>>>>>>>>> <!-- <sec:trustManagers> >>>>>>>>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>>>>>>>> password="ispass" >>>>>>>>>>>>>>>>>>>>>> resource="idp-ssl-trust.jks" /> >>>>>>>>>>>>>>>>>>>>>> </sec:trustManagers> >>>>>>>>>>>>>>>>>>>>>> <sec:keyManagers >>>>>>>>>>>>>>>>>>>>>> keyPassword="tompass"> >>>>>>>>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>>>>>>>> password="tompass" >>>>>>>>>>>>>>>>>>>>>> resource="idp-ssl-key.jks"/> >>>>>>>>>>>>>>>>>>>>>> </sec:keyManagers> --> >>>>>>>>>>>>>>>>>>>>>> </http:tlsClientParameters> >>>>>>>>>>>>>>>>>>>>>> </http:conduit> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and >>>>>>>>>>>>>>>>>>>>>> restarting. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> but now i have this >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9 >>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - >>>>>>>>>>>>>>>>>>>>>> Interceptor >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>> { >>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws- >>>>>>>>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT >>>>>>>>>>>>>>>>>>>>>>> okenService#{http://docs.oasis >>>>>>>>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051 >>>>>>>>>>>>>>>>>>>>>>> 2/}Issue >>>>>>>>>>>>>>>>>>>>>>> has >>>>>>>>>>>>>>>>>>>>>>> thrown exception, unwinding now >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem >>>>>>>>>>>>>>>>>>>>>>> writing >>>>>>>>>>>>>>>>>>>>>>> SAAJ >>>>>>>>>>>>>>>>>>>>>>> model >>>>>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:224) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:174) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInte >>>>>>>>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase >>>>>>>>>>>>>>>>>>>>>>> InterceptorChain.java:308) >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java: >>>>>>>>>>>>>>>>>>>>>>> 518) >>>>>>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: >>>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate >>>>>>>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is >>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>> set >>>>>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>>>> ask >>>>>>>>>>>>>>>>>>>>>>> for client authorization? >>>>>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.java >>>>>>>>>>>>>>>>>>>>>>> :255) >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ... 154 more >>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept >>>>>>>>>>>>>>>>>>>>>>> ion: >>>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol >>>>>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt >>>>>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut >>>>>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143) >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780) >>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) >>>>>>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 >>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-9 >>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>> dp.beans.STSClientAction >>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>> Error >>>>>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>>>>> retrieving a token >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load >>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>> login >>>>>>>>>>>>>>>>>>>>>>> screen >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 >>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-2 >>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>>>>>> service config found for >>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found >>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 >>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5 >>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by >>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W >>>>>>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> m.xml >>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value=" >>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:9443 >>>>>>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" /> >>>>>>>>>>>>>>>>>>>>>>>> should have been >>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value=" >>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:0/id >>>>>>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM" >>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>> according to original file >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Hi Colm, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Yes I have: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class=" >>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity"> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>>>>>>>> <property name="applications"> >>>>>>>>>>>>>>>>>>>>>>>>> <util:list> >>>>>>>>>>>>>>>>>>>>>>>>> <ref >>>>>>>>>>>>>>>>>>>>>>>>> bean="srv-fedizhelloworld" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <!-- <ref bean="srv-oidc" /> --> >>>>>>>>>>>>>>>>>>>>>>>>> </util:list> >>>>>>>>>>>>>>>>>>>>>>>>> </property> >>>>>>>>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class=" >>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity"> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="realm" >>>>>>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi >>>>>>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="protocol" value=" >>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open. >>>>>>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" /> >>>>>>>>>>>>>>>>>>>>>>>>> <property >>>>>>>>>>>>>>>>>>>>>>>>> name="serviceDisplayName" >>>>>>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <property >>>>>>>>>>>>>>>>>>>>>>>>> name="serviceDescription" >>>>>>>>>>>>>>>>>>>>>>>>> value="Web >>>>>>>>>>>>>>>>>>>>>>>>> Application to >>>>>>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" /> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="role" >>>>>>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="tokenType" value=" >>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open >>>>>>>>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="lifeTime" >>>>>>>>>>>>>>>>>>>>>>>>> value="3600" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <property >>>>>>>>>>>>>>>>>>>>>>>>> name="passiveRequestorEndpoint >>>>>>>>>>>>>>>>>>>>>>>>> Constraint" >>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>>>>>>>> <property >>>>>>>>>>>>>>>>>>>>>>>>> name="logoutEndpointConstraint >>>>>>>>>>>>>>>>>>>>>>>>> " >>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat >>>>>>>>>>>>>>>>>>>>>>>>> ionClaimEntity"> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="application" >>>>>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" /> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="claim" >>>>>>>>>>>>>>>>>>>>>>>>> ref="claim_role" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> <property name="optional" >>>>>>>>>>>>>>>>>>>>>>>>> value="false" >>>>>>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> etc. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Do you have an >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> ty >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> instance in >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml >>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>> realm >>>>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"? >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew >>>>>>>>>>>>>>>>>>>>>>>>>> Broadhead < >>>>>>>>>>>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) >>>>>>>>>>>>>>>>>>>>>>>>>> domain.tld:9443/idp >>>>>>>>>>>>>>>>>>>>>>>>>> and i >>>>>>>>>>>>>>>>>>>>>>>>>> am >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> trying to >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems >>>>>>>>>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>>>>>>>> authenticate >>>>>>>>>>>>>>>>>>>>>>>>>>> ok >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error >>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 >>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>>>>> Token >>>>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] >>>>>>>>>>>>>>>>>>>>>>>>>>> successfully >>>>>>>>>>>>>>>>>>>>>>>>>>> cached. >>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 >>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>>>>>>>>> service config found for >>>>>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >> > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
