Are you using the same Tomcat instance for the IdP and the STS? Or is the Tomcat IdP instance set to ask for client authentication? Failing that, I don't have any more ideas - I need to see a test-case to help any further.

Colm.

On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <[email protected]> wrote:

> hi Colm,
>
> Sorry to keep bothering you with this issue.
>
> It is still prompting me for a certificate when redirecting to the idp. I have checked line by line the differences between the original code and my production code and cannot see any major difference. i have tried with the production certificate and with a custom generated certificate but both are the same.
>
> Is there anything else I can try for debugging?
>
> Matthew
>
> On 26/10/2017 14:58, Matthew Broadhead wrote:
>
>> comments below
>>
>> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>>
>>> Are you using Java 9? If so please try with Java 8 instead. The warnings should be harmless, however I haven't tested Fediz with Java 9.
>>>
>> i am using openjdk 1.8.0.151
>>
>>> "when i first connect with fedizhelloworld it pops up a box asking for a certificate." - can you reproduce this with a test-case? It sounds as if you are not using the "up" endpoint of the IdP but instead the client cert endpoint?
>>>
>> my fediz_config.xml has
>> <issuer>https://domain.tld:9443/idp/federation</issuer>
>>
>> security-up-config.xml is the same as the example except with the endpoints changed from localhost:9443 to domain.tld:9443
>>
>> if it is not related to that can you tell me where i should be looking for the endpoint config?
>>
>>> Colm.
>>>
>>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <[email protected]> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> I am not sure that would be very easy to provide a test case? Everything was working fine on localhost with the test certificates.
>>>>
>>>> Testing on production is completely different using letsencrypt certs and having to change lots of configuration files in the code? You would be welcome to look directly at my setup although you are probably busy?
>>>>
>>>> It looks as though the idpcert in the ststrust.jks is not being properly sent and trusted by the idp during handshake? i am converting it using openssl to pkcs12 and then importing it into a jks. then i export the cert. is it possible the chain is being dropped?
>>>>
>>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>>
>>>> also i get a lot of these warnings when creating keystores. should i be changing everything to use pkcs12?
>>>>
>>>> Warning:
>>>> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
>>>>
>>>> Matthew
>>>>
>>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>>
>>>>> Could you create a test-case and upload it to github somewhere + I will take a look?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>
>>>>>> Thanks for pointing me in the right direction.
>>>>>>
>>>>>> basically what the documentation lacks is that the ststrust.jks must contain MyTCIDP.cer, i.e.
>>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>>> i looked through the original ststrust.jks and it contained the alias idpcert which confirmed the suspicion
>>>>>>
>>>>>> the other problem was that the cipher of the letsencrypt certificate was not supported by java so i had to enable apr for openssl support. -Djavax.net.debug=all helped to debug that.
>>>>>>
>>>>>> but i still have some strange problems. when i first connect with fedizhelloworld it pops up a box asking for a certificate. and also if i leave it logged in for a while and then try to logout chrome tells me
>>>>>> This site can’t provide a secure connection
>>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>>
>>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>
>>>>>>>> Are the two keystores responsible for the trust between idp and sts supposed to be stsrealm_a.jks and ststrust.jks?
>>>>>>>>
>>>>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>>>>>>>>
>>>>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as MyTCRP.cer?
>>>>>>>>
>>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> i get a load of stuff, but in the middle of the one before the error i get
>>>>>>>>>>
>>>>>>>>>> Warning: no suitable certificate found - continuing without client authentication
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> ahhh...
>>>>>>>>>>>
>>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code. but i was taking it from the internet.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the wsdl without having to provide a client certificate. could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly? or is it definitely a tomcat server.xml issue?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot access the site at all with
>>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of reloading the certificates is helping. is there any way to debug what the actual problem is?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>>> at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>>> at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
terInternal(CharacterEncodingFilter.java:197) >>>>>>>>>>>>>>>>>>>> at org.springframework.web.filter >>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter >>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi >>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.core.Appli >>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App >>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar >>>>>>>>>>>>>>>>>>>> dWrapperValve.java:198) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar >>>>>>>>>>>>>>>>>>>> dContextValve.java:96) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo >>>>>>>>>>>>>>>>>>>> stValve.java:140) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.valves.Err >>>>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo >>>>>>>>>>>>>>>>>>>> rtValve.java:80) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.valves.Abs >>>>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs >>>>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.core.Stand >>>>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard >>>>>>>>>>>>>>>>>>>> EngineValve.java:87) >>>>>>>>>>>>>>>>>>>> at org.apache.catalina.connector. 
>>>>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd >>>>>>>>>>>>>>>>>>>> apter.java:342) >>>>>>>>>>>>>>>>>>>> at org.apache.coyote.http2.Stream >>>>>>>>>>>>>>>>>>>> Processor.service(StreamProces >>>>>>>>>>>>>>>>>>>> sor.java:245) >>>>>>>>>>>>>>>>>>>> at org.apache.coyote.AbstractProc >>>>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro >>>>>>>>>>>>>>>>>>>> cessorLight.java:66) >>>>>>>>>>>>>>>>>>>> at org.apache.coyote.http2.Stream >>>>>>>>>>>>>>>>>>>> Processor.process(StreamProces >>>>>>>>>>>>>>>>>>>> sor.java:65) >>>>>>>>>>>>>>>>>>>> at org.apache.coyote.http2.Stream >>>>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable. >>>>>>>>>>>>>>>>>>>> java:35) >>>>>>>>>>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool >>>>>>>>>>>>>>>>>>>> Executor.java:1142) >>>>>>>>>>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo >>>>>>>>>>>>>>>>>>>> lExecutor.java:617) >>>>>>>>>>>>>>>>>>>> at org.apache.tomcat.util.threads >>>>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable. >>>>>>>>>>>>>>>>>>>> run(TaskThread.java:61) >>>>>>>>>>>>>>>>>>>> at java.lang.Thread.run(Thread.java:748) >>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: >>>>>>>>>>>>>>>>>>>> RequireClientCertificate >>>>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the >>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>> set to >>>>>>>>>>>>>>>>>>>> ask >>>>>>>>>>>>>>>>>>>> for client authorization? >>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter. >>>>>>>>>>>>>>>>>>>> java:255) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215) >>>>>>>>>>>>>>>>>>>> ... 154 more >>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http. 
>>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept >>>>>>>>>>>>>>>>>>>> ion: >>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>>> authorization? >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol >>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt >>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut >>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H >>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. 
>>>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo >>>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Conduit.java:309) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.io.AbstractWrap >>>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract >>>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.io.AbstractThre >>>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs >>>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89) >>>>>>>>>>>>>>>>>>>> at org.apache.cxf.io.AbstractThre >>>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra >>>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63) >>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.io.UTF8Writer.flu >>>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100) >>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BufferingXmlWr >>>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter. >>>>>>>>>>>>>>>>>>>> java:241) >>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter. >>>>>>>>>>>>>>>>>>>> java:253) >>>>>>>>>>>>>>>>>>>> ... 155 more >>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction >>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>> Error >>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>> retrieving a token >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Thanks for your help Colm. I now have it working using >>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>> production >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> certificate by following this example >>>>>>>>>>>>>>>>>>>> https://stackoverflow.com/a/21 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 41229/3052312 to export the pems into jks files. 
>>>>>>>>>>>>>>>>>>>>> but in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore? Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>>>>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml. I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>>     maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>             type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.
>>>>>>>>>>>>>>>>>>>>>>>>> Could this be the problem? How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ok... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> but now I have this
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>>     ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate ok but then I get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>> >> > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
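A small checker, added here and not part of the thread or of Fediz itself, that loads ApplicationEntity beans from a constructed entities XML, looks up the realm that the EndpointAddressValidator warning above reports as missing, and tests a wreply URL against the passiveRequestorEndpointConstraint regex from the quoted bean. The Spring beans namespace and the use of re.fullmatch to mirror Java's Matcher.matches() are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the ApplicationEntity bean quoted in the thread;
# the Spring beans namespace is assumed, the property values are the thread's own.
SAMPLE_ENTITIES_XML = r"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="srv-fedizhelloworld"
        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
  </bean>
</beans>"""

BEANS_NS = "{http://www.springframework.org/schema/beans}"


def load_applications(xml_text):
    """Map each ApplicationEntity bean's realm to its property name/value dict."""
    apps = {}
    for bean in ET.fromstring(xml_text).iter(BEANS_NS + "bean"):
        if not bean.get("class", "").endswith(".ApplicationEntity"):
            continue
        props = {p.get("name"): p.get("value")
                 for p in bean.findall(BEANS_NS + "property")}
        if "realm" in props:
            apps[props["realm"]] = props
    return apps


def find_application(apps, realm):
    """Return the config for a realm, or None: the missing-realm case is what
    the 'No service config found for ...' warning in the thread reports."""
    return apps.get(realm)


def endpoint_allowed(app, url, constraint="passiveRequestorEndpointConstraint"):
    """Check a wreply or logout URL against the bean's regex constraint.
    re.fullmatch is assumed to mirror Java's Matcher.matches(): the whole URL
    must match, so a constraint written for localhost rejects other hosts."""
    pattern = app.get(constraint)
    return pattern is not None and re.fullmatch(pattern, url) is not None


if __name__ == "__main__":
    apps = load_applications(SAMPLE_ENTITIES_XML)
    app = find_application(apps, "urn:org:apache:cxf:fediz:fedizhelloworld")
    for url in ("https://localhost:9443/fedizhelloworld/secure/fedservlet",
                "https://domain.tld:9443/fedizhelloworld/secure/fedservlet"):
        print(url, "->", "allowed" if endpoint_allowed(app, url) else "rejected")
```

The same constraint that accepts the localhost fedservlet URL rejects the domain.tld one, which is the kind of mismatch to look for when an IdP is moved from the sample localhost setup to a real hostname.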
