Posted to users@cxf.apache.org by DTaylor <Da...@Merge.com> on 2012/04/16 16:04:26 UTC

No Token Provider for Saml Token V1.1

Hi all, 

I'm currently attempting to acquire a SAML token from a CXF STS, but I am 
receiving the following error in the catalina logs: 

**WARNING: No token provider found for requested token type: 
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1** 
and a SoapFault as a return to my client application. 

I'm assuming that the actual problem is that I don't have the realm 
configured correctly, and this is causing the SamlTokenProvider to reject 
the incoming request. 

Any help would be greatly appreciated, and I have attached my sts and client
configuration xml files.

Thanks,

Dan
http://cxf.547215.n5.nabble.com/file/n5643904/sts-servlet.xml
sts-servlet.xml 
http://cxf.547215.n5.nabble.com/file/n5643904/client-config.xml
client-config.xml 

--
View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5643904.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: AW: No Token Provider for Saml Token V1.1

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Dan,

Ok I've fixed this issue in the STS. One note on your WSDL - the
Claims Element won't get copied through to the request unless it is a
child element of RequestSecurityTokenTemplate as in this example:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleIt.wsdl?view=markup

Colm,

On Tue, Apr 17, 2012 at 5:28 PM, DTaylor <Da...@merge.com> wrote:
> Hi Colm,
>
> After hooking up the debugger, I see that the SAMLTokenProvider is actually
> being registered as a token provider.  While debugging through the request,
> I added a watch to the incoming tokenType parameter.
>
> From the watch, inside the SAMLTokenProvider.canHandleToken(String) method I
> get:
> *"tokenType"
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1\n\t\t\t\t\t\t\t\t\t\t
> * which would definitely be the issue since the tokenType is compared using
> .equals(...) to the straight up trimmed constant.  This is also an issue for
> the KeyType as well, with the whitespace causing the comparison to fail.
> I'm unsure at this time whether or not the Address tags would have the same
> issue, but fixed them for safety's sake.
>
> Should the TokenType and KeyType not be trimmed at some point in the CXF
> code before being compared against the various key and token type constants?
>
> I have attached the WSDL Policy snippet which causes this issue, as well as
> a corrected snippet.
>
> http://cxf.547215.n5.nabble.com/file/n5646972/wsdl-policy-snippet-bad.txt
> wsdl-policy-snippet-bad.txt
> http://cxf.547215.n5.nabble.com/file/n5646972/wsdl-policy-snippet-works.txt
> wsdl-policy-snippet-works.txt
>
> Thanks for all the help Colm & Oliver it was much appreciated,
>
> Dan.
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5646972.html



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: AW: No Token Provider for Saml Token V1.1

Posted by DTaylor <Da...@Merge.com>.
Hi Colm,

After hooking up the debugger, I see that the SAMLTokenProvider is actually
being registered as a token provider.  While debugging through the request,
I added a watch to the incoming tokenType parameter.

From the watch, inside the SAMLTokenProvider.canHandleToken(String) method I
get:
*"tokenType"
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1\n\t\t\t\t\t\t\t\t\t\t
* which would definitely be the issue since the tokenType is compared using
.equals(...) to the straight up trimmed constant.  This is also an issue for
the KeyType as well, with the whitespace causing the comparison to fail. 
I'm unsure at this time whether or not the Address tags would have the same
issue, but fixed them for safety's sake.

Should the TokenType and KeyType not be trimmed at some point in the CXF
code before being compared against the various key and token type constants?

I have attached the WSDL Policy snippet which causes this issue, as well as
a corrected snippet.

http://cxf.547215.n5.nabble.com/file/n5646972/wsdl-policy-snippet-bad.txt
wsdl-policy-snippet-bad.txt 
http://cxf.547215.n5.nabble.com/file/n5646972/wsdl-policy-snippet-works.txt
wsdl-policy-snippet-works.txt 

Thanks for all the help Colm & Oliver it was much appreciated,

Dan.

--
View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5646972.html
Sent from the cxf-user mailing list archive at Nabble.com.
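
The mismatch described in the message above can be reproduced outside CXF. This is an added example, not code from the thread or from CXF: it parses a constructed RequestSecurityTokenTemplate whose TokenType and KeyType text is padded with line breaks and tabs, then compares the raw and trimmed values against the expected URIs. The PublicKey key type URI, the sample XML, and the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class TokenTypeWhitespaceCheck {
    // Token type URI from the warning quoted in this thread.
    static final String SAML11 =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    // WS-Trust 1.3 public-key key type (assumed; the thread does not show the KeyType value).
    static final String PUBLIC_KEY =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";

    // Constructed sample: element text wrapped onto its own lines, as a formatted WSDL policy might be.
    static final String TEMPLATE =
        "<sp:RequestSecurityTokenTemplate"
      + " xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\""
      + " xmlns:t=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">\n"
      + "  <t:TokenType>" + SAML11 + "\n\t\t\t</t:TokenType>\n"
      + "  <t:KeyType>\n\t\t\t" + PUBLIC_KEY + "\n\t\t</t:KeyType>\n"
      + "</sp:RequestSecurityTokenTemplate>";

    /** Returns the untrimmed text of the first element with the given local name, or null. */
    static String rawText(Document doc, String localName) {
        NodeList nodes = doc.getElementsByTagNameNS("*", localName);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent();
    }

    /** Prints whether the value matches exactly, matches after trim(), and is therefore padded. */
    static void report(String name, String raw, String expected) {
        boolean exact = expected.equals(raw);
        boolean trimmed = raw != null && expected.equals(raw.trim());
        System.out.printf("%-9s exact=%-5b trimmed=%-5b padded=%b%n",
            name, exact, trimmed, !exact && trimmed);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Policy files need no DTD, so refuse DOCTYPE declarations (prevents XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(TEMPLATE.getBytes(StandardCharsets.UTF_8)));
        report("TokenType", rawText(doc, "TokenType"), SAML11);
        report("KeyType", rawText(doc, "KeyType"), PUBLIC_KEY);
    }
}
```

Running the same comparison over a real WSDL's policy elements shows which values carry padding before the STS ever sees the request.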

Re: AW: No Token Provider for Saml Token V1.1

Posted by Colm O hEigeartaigh <co...@apache.org>.
The logs don't tell us anything bar that no token provider is
installed that can handle the specified SAML 1.1 token type. Do you
have access to a debugger? If so can you see what is in the
"tokenProviders" member of TokenIssueOperation? The SAMLTokenProvider
should be installed in there but doesn't appear to be according to the
error message.

Colm.

On Mon, Apr 16, 2012 at 8:07 PM, DTaylor <Da...@merge.com> wrote:
> Hi Colm,
>
> I have attached the log with the FINE level of detail.
>
> Thanks,
>
> Dan
> http://cxf.547215.n5.nabble.com/file/n5644697/STS-log.txt STS-log.txt
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5644697.html



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: AW: No Token Provider for Saml Token V1.1

Posted by DTaylor <Da...@Merge.com>.
Hi Colm,

I have attached the log with the FINE level of detail.

Thanks,

Dan
http://cxf.547215.n5.nabble.com/file/n5644697/STS-log.txt STS-log.txt 

--
View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5644697.html

Re: AW: No Token Provider for Saml Token V1.1

Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you set logging to "FINE" and attach the output when the STS
processes the request?

Colm.

On Mon, Apr 16, 2012 at 4:09 PM, DTaylor <Da...@merge.com> wrote:
> Hi Oliver,
>
> Sorry please find attached the corrected (and my original)
> http://cxf.547215.n5.nabble.com/file/n5644110/sts-servlet.xml
> sts-servlet.xml sts-servlet.xml file.
>
> With the corrected version I still receive the no token provider configured
> message.
>
> Thanks,
> Dan
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5644110.html



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: AW: No Token Provider for Saml Token V1.1

Posted by DTaylor <Da...@Merge.com>.
Hi Oliver,

Sorry please find attached the corrected (and my original) 
http://cxf.547215.n5.nabble.com/file/n5644110/sts-servlet.xml
sts-servlet.xml sts-servlet.xml file.

With the corrected version I still receive the no token provider configured
message.

Thanks,
Dan

--
View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5644110.html

AW: No Token Provider for Saml Token V1.1

Posted by Oliver Wulff <ow...@talend.com>.
Hi Dan

Could you share with us your STS configuration where the SamlTokenProvider is configured?

It also works if you haven't configured a realm. If you want to configure several logical instances within one STS runtime you can use the realm. Ex. if you connect different LDAP backends where each belongs to a security domain (equal to realm) then you need to take care about realm.

A working CXF STS example can be found here:
http://owulff.blogspot.com/2011/10/configure-and-deploy-cxf-25-sts-part-i.html

and check Colm's blog as he got a tutorial on his blog starting here:
http://coheigea.blogspot.com/2011/10/apache-cxf-sts-documentation-part-i.html

HTH



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: DTaylor [Dan.Taylor@Merge.com]
Sent: Monday, 16 April 2012 16:04
To: users@cxf.apache.org
Subject: No Token Provider for Saml Token V1.1

Hi all,

I'm currently attempting to acquire a SAML token from a CXF STS, but I am
receiving the following error in the catalina logs:

**WARNING: No token provider found for requested token type:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1**
and a SoapFault as a return to my client application.

I'm assuming that the actual problem is that I don't have the realm
configured correctly, and this is causing the SamlTokenProvider to reject
the incoming request.

Any help would be greatly appreciated, and I have attached my sts and client
configuration xml files.

Thanks,

Dan
http://cxf.547215.n5.nabble.com/file/n5643904/sts-servlet.xml
sts-servlet.xml
http://cxf.547215.n5.nabble.com/file/n5643904/client-config.xml
client-config.xml

--
View this message in context: http://cxf.547215.n5.nabble.com/No-Token-Provider-for-Saml-Token-V1-1-tp5643904p5643904.html