Posted to users@cxf.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk> on 2017/10/20 15:09:38 UTC

fediz production

Hi,

I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying 
to use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It 
correctly redirects to the login page and seems to authenticate OK,

but then I get the following error:
2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO 
org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token 
[IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN 
org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No 
service config found for urn:org:apache:cxf:fediz:fedizhelloworld

Matthew

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
This document 
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co 
has idp-ssl-server.jks but no idp-ssl-key.jks.

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
> I haven't used the APR connector. The following works for me in the tests,
> perhaps you could duplicate this config and get it working first before
> switching over to the APR connector:
>
>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>              clientAuth="want" sslProtocol="TLS"
>              keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>              truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>
> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
> communicate with the STS from the IdP. The truststore should contain the
> issuing cert of the Tomcat instance hosting your STS + then keystore the
> private key of your IdP.
>
> Colm.
>
> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> I am using my own certificate with APR in the Tomcat server.xml.  I added
>> clientVerification="required" to SSLHostConfig but I still have the same
>> problem:
>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150" SSLEnabled="true">
>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>     <SSLHostConfig clientVerification="required">
>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>                      type="RSA" />
>>     </SSLHostConfig>
>> </Connector>
>>
>> I commented out the trustManagers and keyManagers in
>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>> How would I use production certificates?
>> <http:conduit name="*.http-conduit">
>>     <http:tlsClientParameters
>>         disableCNCheck="true">
>>         <!-- <sec:trustManagers>
>>             <sec:keyStore type="jks" password="ispass"
>>                 resource="idp-ssl-trust.jks" />
>>         </sec:trustManagers>
>>         <sec:keyManagers keyPassword="tompass">
>>             <sec:keyStore type="jks" password="tompass"
>>                 resource="idp-ssl-key.jks"/>
>>         </sec:keyManagers> -->
>>     </http:tlsClientParameters>
>> </http:conduit>
>>
>>
>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>
>>> OK... I fixed the last error by dropping the schema and restarting,
>>> but now I have this:
>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>>> thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>> stream: RequireClientCertificate is set, but no local certificates were
>>> negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>      ...
>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>> set, but no local certificates were negotiated.  Is the server set to ask
>>> for client authorization?
>>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>      ... 154 more
>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>> RequireClientCertificate is set, but no local certificates were
>>> negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>      ...
>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>> retrieving a token
>>>
>>>
>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>
>>>> OK, I now have a different error and it doesn't load the login screen:
>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'CLAIM_LIST' not found
>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'IDP_READ' not found
>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'IDP_LIST' not found
>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'CLAIM_READ' not found
>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'APPLICATION_LIST' not found
>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'APPLICATION_READ' not found
>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'TRUSTEDIDP_READ' not found
>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Enriched AuthenticationToken added
>>>>
>>>> The previous one was caused by
>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>> should have been
>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>> according to the original file.
>>>>
>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> Yes I have:
>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>> ...
>>>>>     <property name="applications">
>>>>>         <util:list>
>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>         </util:list>
>>>>>     </property>
>>>>> ...
>>>>> </bean>
>>>>>
>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>     <property name="lifeTime" value="3600" />
>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>> </bean>
>>>>>
>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>     <property name="claim" ref="claim_role" />
>>>>>     <property name="optional" value="false" />
>>>>> </bean>
>>>>>
>>>>> etc.
>>>>>
>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
>>>>>>> trying to
>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. It
>>>>>>> correctly redirects to the login page and seems to authenticate OK
>>>>>>>
>>>>>>> but then I get the following error
>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>
>>>>>>> Matthew
>>>>>>>
>>>>>>>
>>>>>>
>
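
The ApplicationEntity bean quoted in the thread above carries the two fields behind the IdP's "No service config found for <realm>" warning and the later reply-address check: the realm, which must exist in the entity configuration, and the passiveRequestorEndpointConstraint regex that the wreply address must match. The Python below is an added example, not Fediz code or anything posted in the thread: it models that lookup-then-match step so a constraint regex can be tested offline, and adds a small lint for the two ways such a regex is most often written too loosely. The APPLICATIONS registry is constructed from the bean on this page; treating an unknown realm as a rejection, the dataclass field names and the lint itself are this example's own choices.

```python
"""Model of the Fediz IdP endpoint-constraint check (added example, not Fediz code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ApplicationEntity:
    """Subset of the Spring bean properties shown in entities-realma.xml."""
    realm: str
    passive_requestor_endpoint_constraint: str
    logout_endpoint_constraint: str


# Constructed registry mirroring the srv-fedizhelloworld bean quoted in the thread.
APPLICATIONS: Dict[str, ApplicationEntity] = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": ApplicationEntity(
        realm="urn:org:apache:cxf:fediz:fedizhelloworld",
        passive_requestor_endpoint_constraint=r"https://localhost:?(\d)*/.*",
        logout_endpoint_constraint=r"https://localhost:?(\d)*/.*",
    ),
}


def validate_endpoint(realm: str, address: str, logout: bool = False,
                      applications: Dict[str, ApplicationEntity] = APPLICATIONS
                      ) -> Tuple[bool, str]:
    """Return (accepted, reason) for a wtrealm/wreply (or logout) pair.

    The constraint is applied as a whole-string regex match (the semantics of
    Java's Matcher.matches(), hence re.fullmatch here): a partial or prefix
    match of the reply URL is not enough.
    """
    app = applications.get(realm)
    if app is None:
        # Same wording as the WARN line in the thread; rejecting is this model's choice.
        return False, f"No service config found for {realm}"
    constraint = (app.logout_endpoint_constraint if logout
                  else app.passive_requestor_endpoint_constraint)
    if re.fullmatch(constraint, address) is None:
        return False, f"{address!r} does not match constraint {constraint!r}"
    return True, "ok"


def constraint_pitfalls(constraint: str) -> List[str]:
    """Lint an endpoint constraint for the two mistakes that widen it most.

    An unescaped '.' in the host part matches any character, so
    'https://app.example.com/.*' also accepts 'https://appXexampleXcom/...'.
    A constraint with no path component ('https://app.example.com.*') matches
    anything appended to the host, including another domain.
    """
    findings = []
    after_scheme = constraint.split("://", 1)[-1]
    host_part = after_scheme.split("/", 1)[0]
    if re.search(r"(?<!\\)\.", host_part):
        findings.append("unescaped '.' in host part; write '\\.' to match a literal dot")
    if "/" not in after_scheme:
        findings.append("no path component; constraint matches anything appended to the host")
    return findings
```

Because the whole reply URL is matched against the constraint, a loose regex is what lets an IdP post a token to a host the relying party never registered, so the lint is worth running over every passiveRequestorEndpointConstraint and logoutEndpointConstraint in the entity files before deployment.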


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hmmm... just saw this today: 
http://janbernhardt.blogspot.com.es/2015/12/fediz-with-openid-connect-support-and_14.html. 
That looks like a better solution. Now I understand what you mean 
about WS-Fed.  But I still couldn't access the IdP without it asking for 
a certificate, although it was working fine once the certificate dialog 
was dismissed.

On 31/10/2017 20:35, Sergey Beryozkin wrote:
> Hi Matthew
>
> Thanks for the feedback. Finally I get a chance to contribute to this 
> thread :-).
> Putting aside the fact KeyCloak is a high quality project, I'd like to 
> say the fact you could not figure out how to set up the keys is not 
> sufficient to conclude Fediz is not ready for use in production. I'm 
> not sure if you were referring to the WS-Fed or not.
>
> FYI, Fediz OIDC is currently in production. The actual number is 
> small. And the team behind one of these productions put a lot of effort 
> into getting it in. I agree, and I believe we all do, a major effort is 
> needed to push it to the next level, which is really making it very 
> straightforward for the users to get started with it fast.
>
> Thanks, Sergey
> On 31/10/17 16:55, Matthew Broadhead wrote:
>> Thanks Colm,
>>
>> I really appreciate the time you took to respond to my emails. I 
>> spent a lot of time trying to get Fediz to work.  I also submitted a 
>> couple of PRs on github.
>>
>> But in the end I have moved to Keycloak.  It is a much more mature 
>> project and has an installation program and a web interface.  I had 
>> it fully working in under 2 hours!
>>
>> Fediz could move to the next level if it could be:
>> - simply installed standalone without any configuration whatsoever
>> - reside behind Apache httpd for SSL certificates rather than using the 
>> Tomcat connector
>> - all configuration done in a web interface and stored in the 
>> database rather than "spring" configuration files
>>
>> I would be happy to offer some time towards helping achieve that goal 
>> but at the moment I don't think Fediz is ready for use in production.
>>
>> Cheers,
>> Matthew
>>
>> On 31/10/2017 11:50, Colm O hEigeartaigh wrote:
>>> Are you using the same Tomcat instance for the IdP and the STS? Or is the
>>> Tomcat IdP instance set to ask for client authentication? Failing that, I
>>> don't have any more ideas - I need to see a test-case to help any further.
>>>
>>> Colm.
>>>
>>> On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> Sorry to keep bothering you with this issue.
>>>>
>>>> It is still prompting me for a certificate when redirecting to the IdP.  I
>>>> have checked line by line the differences between the original code and my
>>>> production code and cannot see any major difference.  I have tried with the
>>>> production certificate and with a custom generated certificate but both are
>>>> the same.
>>>>
>>>> Is there anything else I can try for debugging?
>>>>
>>>> Matthew
>>>>
>>>> On 26/10/2017 14:58, Matthew Broadhead wrote:
>>>>
>>>>> comments below
>>>>>
>>>>> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Are you using Java 9? If so please try with Java 8 instead. The warnings
>>>>>> should be harmless, however I haven't tested Fediz with Java 9.
>>>>>>
>>>>> I am using OpenJDK 1.8.0.151
>>>>>
>>>>>> "when i first connect with fedizhelloworld it pops up a box asking for a
>>>>>> certificate." - can you reproduce this with a test-case? It sounds as if
>>>>>> you are not using the "up" endpoint of the IdP but instead the client cert
>>>>>> endpoint?
>>>>>>
>>>>> My fediz_config.xml has
>>>>> <issuer>https://domain.tld:9443/idp/federation</issuer>
>>>>>
>>>>> security-up-config.xml is the same as the example except with the
>>>>> endpoints changed from localhost:9443 to domain.tld:9443
>>>>>
>>>>> If it is not related to that can you tell me where I should be looking
>>>>> for the endpoint config?
>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm,
>>>>>>>
>>>>>>> I am not sure that would be very easy to provide a test case? Everything
>>>>>>> was working fine on localhost with the test certificates.
>>>>>>>
>>>>>>> Testing on production is completely different using letsencrypt certs and
>>>>>>> having to change lots of configuration files in the code? You would be
>>>>>>> welcome to look directly at my setup although you are probably busy?
>>>>>>>
>>>>>>> It looks as though the idpcert in the ststrust.jks is not being properly
>>>>>>> sent and trusted by the IdP during the handshake?  I am converting it
>>>>>>> using openssl to PKCS12 and then importing it into a JKS, then I export
>>>>>>> the cert.  Is it possible the chain is being dropped?
>>>>>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>>>>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>>>>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>>>>>
>>>>>>> Also I get a lot of these warnings when creating keystores.  Should I be
>>>>>>> changing everything to use PKCS12?
>>>>>>> Warning:
>>>>>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>>>>>> to PKCS12 which is an industry standard format using
>>>>>>>
>>>>>>> Matthew
>>>>>>>
>>>>>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> Could you create a test-case and upload it to github somewhere + I will
>>>>>>>> take a look?
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> Thanks for pointing me in the right direction.
>>>>>>>>>
>>>>>>>>> Basically what the documentation lacks is that the ststrust.jks must
>>>>>>>>> contain MyTCIDP.cer, i.e.
>>>>>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>>>>>> I looked through the original ststrust.jks and it contained the alias
>>>>>>>>> idpcert, which confirmed the suspicion.
>>>>>>>>>
>>>>>>>>> The other problem was that the cipher of the letsencrypt certificate was
>>>>>>>>> not supported by Java so I had to enable APR for OpenSSL support.
>>>>>>>>> -Djavax.net.debug=all helped to debug that.
>>>>>>>>>
>>>>>>>>> But I still have some strange problems.  When I first connect with
>>>>>>>>> fedizhelloworld it pops up a box asking for a certificate.  And also if I
>>>>>>>>> leave it logged in for a while and then try to log out, Chrome tells me
>>>>>>>>> This site can't provide a secure connection
>>>>>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>>>>>
>>>>>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by the
>>>>>>>>>> STS. Also, it must contain a keystore with the private key of the IdP,
>>>>>>>>>> which in turn must be trusted by the STS.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Are the two keystores responsible for the trust between IdP and STS
>>>>>>>>>>> supposed to be stsrealm_a.jks and ststrust.jks?
>>>>>>>>>>>
>>>>>>>>>>> It is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>>>>>>> (domain.tld), which makes sense if it is hitting domain.tld:9443/idp
>>>>>>>>>>> etc.
>>>>>>>>>>>
>>>>>>>>>>> Does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>>>>>>> MyTCRP.cer?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> You'll need to go through the output to figure out why the cert is not
>>>>>>>>>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>>>>>>>>>> will take a look.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I get a load of stuff, but in the middle of the one before the error I get
>>>>>>>>>>>>>
>>>>>>>>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>>>>>>>>> authentication
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ahhh...
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try running
>>>>>>>>>>>>>>>> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
>>>>>>>>>>>>>>>> the IdP can't connect to the STS.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I realise now that this HTML file was included in the
>>>>>>>>>>>>>>>>> examples/samplekeys directory in the code.  But I was taking it
>>>>>>>>>>>>>>>>> from the internet.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>>>>>>>>>> still getting the same error over and again.  I can browse the WSDL
>>>>>>>>>>>>>>>>> without having to provide a client certificate.  Could you point me
>>>>>>>>>>>>>>>>> to the part of the idp-sts configuration which might be causing it
>>>>>>>>>>>>>>>>> to not ask for the keys properly?  Or is it definitely a Tomcat
>>>>>>>>>>>>>>>>> server.xml issue?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Firstly, is there somewhere to see these instructions correctly
>>>>>>>>>>>>>>>>>>> formatted in HTML?
>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Secondly, there is a massive difference between
>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>>>> (SVN being the one linked from the main Fediz pages)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I
>>>>>>>>>>>>>>>>>>> get further.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but
>>>>>>>>>>>>>>>>>>>> with your own keys?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the
>>>>>>>>>>>>>>>>>>>>> default SSLHostConfig element.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid
>>>>>>>>>>>>>>>>>>>>> certificate chain from the client before accepting a connection.
>>>>>>>>>>>>>>>>>>>>> Set to optional if you want the SSL stack to request a client
>>>>>>>>>>>>>>>>>>>>> Certificate, but not fail if one isn't presented. Set to
>>>>>>>>>>>>>>>>>>>>> optionalNoCA if you want client certificates to be optional and
>>>>>>>>>>>>>>>>>>>>> you don't want Tomcat to check them against the list of trusted
>>>>>>>>>>>>>>>>>>>>> CAs. If the TLS provider doesn't support this option (OpenSSL
>>>>>>>>>>>>>>>>>>>>> does, JSSE does not) it is treated as if optional was specified.
>>>>>>>>>>>>>>>>>>>>> A none value (which is the default) will not require a certificate
>>>>>>>>>>>>>>>>>>>>> chain unless the client requests a resource protected by a
>>>>>>>>>>>>>>>>>>>>> security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> So I changed clientAuth="want" to clientAuth="required".  Now I
>>>>>>>>>>>>>>>>>>>>> cannot access the site at all with
>>>>>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer
>>>>>>>>>>>>>>>>>>>>> cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not
>>>>>>>>>>>>>>>>>>>>>> asking for client authentication. You can check this by using a web
>>>>>>>>>>>>>>>>>>>>>> browser or curl to view the WSDL of the STS - if you can get it to
>>>>>>>>>>>>>>>>>>>>>> work then the configuration is incorrect, as it should error on the
>>>>>>>>>>>>>>>>>>>>>> browser not supplying a client cert.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew 
>>>>>>>>>>>>>>>>>>>>>> Broadhead <
>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of
>>>>>>>>>>>>>>>>>>>>>>> reloading the certificates is helping.  Is there any way to debug
>>>>>>>>>>>>>>>>>>>>>>> what the actual problem is?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 
>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  -
>>>>>>>>>>>>>>>>>>>>>>> Interceptor
>>>>>>>>>>>>>>>>>>>>>>> for
>>>>>>>>>>>>>>>>>>>>>>> {
>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws-
>>>>>>>>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT
>>>>>>>>>>>>>>>>>>>>>>> okenService#{http://docs.oasis
>>>>>>>>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051
>>>>>>>>>>>>>>>>>>>>>>> 2/}Issue
>>>>>>>>>>>>>>>>>>>>>>> has
>>>>>>>>>>>>>>>>>>>>>>> thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem 
>>>>>>>>>>>>>>>>>>>>>>> writing
>>>>>>>>>>>>>>>>>>>>>>> SAAJ
>>>>>>>>>>>>>>>>>>>>>>> model to
>>>>>>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no 
>>>>>>>>>>>>>>>>>>>>>>> local
>>>>>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>>>>>>>>>>>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>>>>>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>>>>>>>>>>>>>         ... 155 more
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>>>>>>>>>>>>>> certificate by following this example
>>>>>>>>>>>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the PEMs into JKS files.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>>>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>>>>>>>>>>>>> This seems impractical in production as the certificates get reissued every
>>>>>>>>>>>>>>>>>>>>>>> 6 months.  Is it possible for sec:keyStore to define the resource as being
>>>>>>>>>>>>>>>>>>>>>>> in catalina base?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github: https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>>>>>   SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>>>>>>>>   sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>>>>>   keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?  How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ok... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> but now I have this
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>
>>


Re: fediz production

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Matthew

Thanks for the feedback. Finally I get a chance to contribute to this 
thread :-).
Putting aside the fact that KeyCloak is a high quality project, I'd like to 
say that the fact you could not figure out how to set up the keys is not 
sufficient to conclude Fediz is not ready for use in production. I'm not 
sure if you were referring to WS-Fed or not.

FYI, Fediz OIDC is currently in production. The actual number is 
small, and the team behind one of these productions put a lot of effort 
into getting it in. I agree, and I believe we all do, that a major effort is 
needed to push it to the next level, which really means making it very 
straightforward for users to get started with it fast.

Thanks, Sergey
On 31/10/17 16:55, Matthew Broadhead wrote:
> Thanks Colm,
> 
> I really appreciate the time you took to respond to my emails.  I spent 
> a lot of time trying to get Fediz to work.  I also submitted a couple of 
> PRs on github.
> 
> But in the end I have moved to keycloak.  It is a much more mature 
> project and has an installation program and a web interface.   I had it 
> fully working in under 2 hours!
> 
> Fediz could move to the next level if it could be:
> - simply installed standalone without any configuration whatsoever
> - reside behind apache httpd for ssl certificates rather than using 
> tomcat connector
> - all configuration done in a web interface and stored in the database 
> rather than "spring" configuration files
> 
> I would be happy to offer some time towards helping achieve that goal 
> but at the moment I don't think Fediz is ready for use in production.
> 
> Cheers,
> Matthew
> 
> On 31/10/2017 11:50, Colm O hEigeartaigh wrote:
>> Are you using the same Tomcat instance for the IdP and the STS? Or is the
>> Tomcat IdP instance set to ask for client authentication? Failing that, I
>> don't have any more ideas - I need to see a test-case to help any 
>> further.
>>
>> Colm.
>>
>> On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> Sorry to keep bothering you with this issue.
>>>
>>> It is still prompting me for a certificate when redirecting to the idp.  I have checked line by line the differences between the original code and my production code and cannot see any major difference.  I have tried with the production certificate and with a custom generated certificate but both are the same.
>>>
>>> Is there anything else I can try for debugging?
>>>
>>> Matthew
>>>
>>> On 26/10/2017 14:58, Matthew Broadhead wrote:
>>>
>>>> comments below
>>>>
>>>> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>>>>
>>>>> Are you using Java 9? If so please try with Java 8 instead. The 
>>>>> warnings
>>>>> should be harmless, however I haven't tested Fediz with Java 9.
>>>>>
>>>> i am using openjdk 1.8.0.151
>>>>
>>>>> "when i first connect with fedizhelloworld it pops up a box asking for a
>>>>> certificate." - can you reproduce this with a test-case? It sounds as if
>>>>> you are not using the "up" endpoint of the IdP but instead the client cert
>>>>> endpoint?
>>>>>
>>>> my fediz_config.xml has
>>>> <issuer>https://domain.tld:9443/idp/federation</issuer>
>>>>
>>>> security-up-config.xml is the same as the example except with the
>>>> endpoints changed from localhost:9443 to domain.tld:9443
>>>>
>>>> if it is not related to that can you tell me where i should be looking
>>>> for the endpoint config?
>>>>
>>>>> Colm.
>>>>>
>>>>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> Hi Colm,
>>>>>>
>>>>>> I am not sure that would be very easy to provide a test case? Everything
>>>>>> was working fine on localhost with the test certificates.
>>>>>>
>>>>>> Testing on production is completely different using letsencrypt certs and
>>>>>> having to change lots of configuration files in the code? You would be
>>>>>> welcome to look directly at my setup although you are probably busy?
>>>>>>
>>>>>> It looks as though the idpcert in the ststrust.jks is not being properly
>>>>>> sent and trusted by the idp during handshake?  i am converting it using
>>>>>> openssl to pkcs12 and then importing it into a jks.  then i export the
>>>>>> cert.  is it possible the chain is being dropped?
>>>>>>
>>>>>> # bundle the Let's Encrypt private key and full chain into a PKCS#12 file
>>>>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem \
>>>>>>     -out ${p12} -name mytomidpkey -password pass:tompass
>>>>>> # import that PKCS#12 entry into the IdP's JKS keystore
>>>>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass \
>>>>>>     -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 \
>>>>>>     -srcstorepass tompass -alias mytomidpkey
>>>>>> # export the certificate stored under that alias (keytool -export writes
>>>>>> # a single certificate, not the chain)
>>>>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey \
>>>>>>     -file ${idpCert}
>>>>>>
>>>>>> also i get a lot of these warnings when creating keystores. should i be
>>>>>> changing everything to use pkcs12?
>>>>>> Warning:
>>>>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>>>>> to PKCS12 which is an industry standard format using
>>>>>>
>>>>>> Matthew
>>>>>>
>>>>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> Could you create a test-case and upload it to github somewhere + I will
>>>>>>> take a look?
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> Thanks for pointing me in the right direction.
>>>>>>>>
>>>>>>>> basically what the documentation lacks is that the ststrust.jks must
>>>>>>>> contain MyTCIDP.cer, i.e.
>>>>>>>> # import the IdP certificate into the STS truststore under alias "idpcert"
>>>>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass \
>>>>>>>>     -alias idpcert -file MyTCIDP.cer -noprompt
>>>>>>>> i looked through the original ststrust.jks and it contained the alias
>>>>>>>> idpcert which confirmed the suspicion
>>>>>>>>
>>>>>>>> the other problem was that the cipher of the letsencrypt certificate was
>>>>>>>> not supported by java so i had to enable apr for openssl support.
>>>>>>>> -Djavax.net.debug=all helped to debug that.
>>>>>>>>
>>>>>>>> but i still have some strange problems.  when i first connect with
>>>>>>>> fedizhelloworld it pops up a box asking for a certificate.  and also if i
>>>>>>>> leave it logged in for a while and then try to logout chrome tells me
>>>>>>>> This site can’t provide a secure connection
>>>>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>>>>
>>>>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by
>>>>>>>>> the STS. Also, it must contain a keystore with the private key of the
>>>>>>>>> IdP, which in turn must be trusted by the STS.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Are the two keystores responsible for the trust between idp and sts
>>>>>>>>>> supposed to be
>>>>>>>>>> stsrealm_a.jks and ststrust.jks
>>>>>>>>>>
>>>>>>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>>>>>> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>>>>>>>>>>
>>>>>>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>>>>>> MyTCRP.cer?
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> You'll need to go through the output to figure out why the cert is not
>>>>>>>>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>>>>>>>>> will take a look.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> i get a load of stuff, but in the middle of the one before the error i
>>>>>>>>>>>> get
>>>>>>>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>>>>>>>> authentication
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> ahhh...
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> How would I enable the debug?
>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try
>>>>>>>>>>>>>>> running the Tomcat IdP with Java SSL debugging enabled and it should
>>>>>>>>>>>>>>> tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I realise now that this html file was included in the
>>>>>>>>>>>>>>>> examples/samplekeys directory in the code.  but i was taking it from
>>>>>>>>>>>>>>>> the internet.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>>>>>>>>> still getting the same error over and again.  I can browse the wsdl
>>>>>>>>>>>>>>>> without having to provide a client certificate. could you point me to
>>>>>>>>>>>>>>>> the part of the idp-sts configuration which might be causing it to
>>>>>>>>>>>>>>>> not ask for the keys properly?  or is it definitely a tomcat
>>>>>>>>>>>>>>>> server.xml issue?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly
>>>>>>>>>>>>>>>>>> formatted in html?
>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>>>>>>>>>>> further
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but
>>>>>>>>>>>>>>>>>>> with your own keys?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> in Tomcat 8
>>>>>>>>>>>>>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>>>>>>>>>>>>>> it says
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the
>>>>>>>>>>>>>>>>>>>> default SSLHostConfig element.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid
>>>>>>>>>>>>>>>>>>>> certificate chain from the client before accepting a connection.
>>>>>>>>>>>>>>>>>>>> Set to optional if you want the SSL stack to request a client
>>>>>>>>>>>>>>>>>>>> Certificate, but not fail if one isn't presented. Set to
>>>>>>>>>>>>>>>>>>>> optionalNoCA if you want client certificates to be optional and
>>>>>>>>>>>>>>>>>>>> you don't want Tomcat to check them against the list of trusted
>>>>>>>>>>>>>>>>>>>> CAs. If the TLS provider doesn't support this option (OpenSSL
>>>>>>>>>>>>>>>>>>>> does, JSSE does not) it is treated as if optional was specified.
>>>>>>>>>>>>>>>>>>>> A none value (which is the default) will not require a certificate
>>>>>>>>>>>>>>>>>>>> chain unless the client requests a resource protected by a
>>>>>>>>>>>>>>>>>>>> security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i
>>>>>>>>>>>>>>>>>>>> cannot access the site at all with
>>>>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer
>>>>>>>>>>>>>>>>>>>> cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not
>>>>>>>>>>>>>>>>>>>>> asking for client authentication. You can check this by using a web
>>>>>>>>>>>>>>>>>>>>> browser or curl to view the WSDL of the STS - if you can get it to
>>>>>>>>>>>>>>>>>>>>> work then the configuration is incorrect, as it should error on the
>>>>>>>>>>>>>>>>>>>>> browser not supplying a client cert.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of
>>>>>>>>>>>>>>>>>>>>>> reloading the certificates is helping.  is there any way to debug
>>>>>>>>>>>>>>>>>>>>>> what the actual problem is?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>>>>>>>>>>>> were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(Ano
>>>>>>>>>>>>>>>>>>>>>> nymousAuthenticationFilter.jav
>>>>>>>>>>>>>>>>>>>>>> a:113)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>>> horityEntitlements.doFilter(Gr
>>>>>>>>>>>>>>>>>>>>>> antedAuthorityEntitlements.jav
>>>>>>>>>>>>>>>>>>>>>> a:97)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder 
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java: 
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 150)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>>>>>>>>>>>>>>>>>>>              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>>>>>>>>>>>>>              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>>>>              at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>              ... 154 more
>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>>>>>>>>>>>>              ... 155 more
>>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Thanks for your help, Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>>>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>>>>>>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?  How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> m.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:9443
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:0/id
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                            <ref
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> bean="srv-fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <!-- <ref 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> bean="srv-oidc" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="realm"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="protocol"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> name="serviceDisplayName"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> name="serviceDescription"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="Web
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Application to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="role"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="tokenType"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="lifeTime"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="3600"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> name="passiveRequestorEndpoint
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Constraint"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> name="logoutEndpointConstraint
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ionClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> name="application"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="claim"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ref="claim_role"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    <property name="optional"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> value="false"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ty
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instance in
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> realm
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain.tld:9443/idp
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> am
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> seems
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> authenticate
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Token
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [<something>]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> service config found for
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
> 
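
Added illustration, not code from Fediz or from anyone in this thread: a small Python model of the two IdP-side checks behind the warnings quoted above, namely the wtrealm lookup that ends in "No service config found for ..." when the realm has no ApplicationEntity, and the wreply match against passiveRequestorEndpointConstraint that decides where a signed token may be posted back to. The registry copies the realm and constraint values from the srv-fedizhelloworld bean quoted in the thread; the function names, return codes, sample requests and the tighter constraint pattern are my own assumptions.

```python
"""Model of the IdP-side checks behind the two warnings in this thread:
the wtrealm lookup ("No service config found for ...") and the wreply
match against passiveRequestorEndpointConstraint.

Illustration only (not Fediz code). The registry copies the values of
the srv-fedizhelloworld bean quoted in the thread; function names,
return codes and the sample requests are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ApplicationConfig:
    """The ApplicationEntity fields that the endpoint checks consume."""
    realm: str
    passive_requestor_endpoint_constraint: str
    logout_endpoint_constraint: str


# Constructed stand-in for the IdP's "applications" list. Only the realm
# the thread talks about is registered, so any other wtrealm is unknown.
APPLICATIONS: Dict[str, ApplicationConfig] = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": ApplicationConfig(
        realm="urn:org:apache:cxf:fediz:fedizhelloworld",
        passive_requestor_endpoint_constraint=r"https://localhost:?(\d)*/.*",
        logout_endpoint_constraint=r"https://localhost:?(\d)*/.*",
    ),
}

# Suggested tighter form of the sample constraint (an assumption, not from
# the thread): a port is only accepted after a literal colon, so a hostname
# that merely starts with "localhost" followed by digits no longer matches.
TIGHTER_CONSTRAINT = r"https://localhost(:\d+)?/.*"


def matches_constraint(constraint: str, url: str) -> bool:
    """True when the whole URL matches the constraint regex.

    fullmatch makes the pattern account for the entire address; a prefix
    match would let anything trail an otherwise acceptable reply URL.
    """
    return re.fullmatch(constraint, url) is not None


def find_application(wtrealm: str,
                     apps: Dict[str, ApplicationConfig] = APPLICATIONS
                     ) -> Optional[ApplicationConfig]:
    """Look up the application registered for a wtrealm, if any."""
    return apps.get(wtrealm)


def _check(wtrealm: str, wreply: str, constraint_attr: str,
           apps: Dict[str, ApplicationConfig]) -> str:
    app = find_application(wtrealm, apps)
    if app is None:
        # The situation behind the EndpointAddressValidator warning above.
        return "no-service-config"
    if not matches_constraint(getattr(app, constraint_attr), wreply):
        # Outside the application's allowed addresses: the signed token
        # must not be posted there.
        return "wreply-rejected"
    return "ok"


def check_passive_requestor(wtrealm: str, wreply: str,
                            apps: Dict[str, ApplicationConfig] = APPLICATIONS
                            ) -> str:
    """Decide whether a token for wtrealm may be posted back to wreply.

    Returns "ok", "no-service-config" or "wreply-rejected".
    """
    return _check(wtrealm, wreply, "passive_requestor_endpoint_constraint", apps)


def check_logout(wtrealm: str, wreply: str,
                 apps: Dict[str, ApplicationConfig] = APPLICATIONS) -> str:
    """Same decision for the logout return address (logoutEndpointConstraint)."""
    return _check(wtrealm, wreply, "logout_endpoint_constraint", apps)


if __name__ == "__main__":
    realm = "urn:org:apache:cxf:fediz:fedizhelloworld"
    # Constructed sample requests: the RP from the thread, the same RP path
    # on the IdP's own host, and an unregistered realm.
    samples = [
        (realm, "https://localhost:9443/fedizhelloworld/secure/fedservlet"),
        (realm, "https://domain.tld:9443/fedizhelloworld/secure/fedservlet"),
        ("urn:org:apache:cxf:fediz:other", "https://localhost:9443/other/"),
    ]
    for wtrealm, wreply in samples:
        print(f"{wtrealm} -> {wreply}: {check_passive_requestor(wtrealm, wreply)}")
```

The second sample shows why the constraint matters in the setup discussed here: with the RP on localhost:9443 and the IdP on domain.tld:9443, only reply addresses on localhost are accepted for this realm, which is what stops a token being posted to any other host. The tighter pattern is a caveat on the sample regex: `:?` followed by `(\d)*` also accepts a hostname such as localhost9443, whereas `https://localhost(:\d+)?/.*` only accepts a port after a literal colon.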

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Thanks Colm,

I really appreciate the time you took to respond to my emails.  I spent 
a lot of time trying to get Fediz to work.  I also submitted a couple of 
PRs on github.

But in the end I have moved to keycloak.  It is a much more mature 
project and has an installation program and a web interface.   I had it 
fully working in under 2 hours!

Fediz could move to the next level if it could be:
- simply installed standalone without any configuration whatsoever
- reside behind apache httpd for ssl certificates rather than using 
tomcat connector
- all configuration done in a web interface and stored in the database 
rather than "spring" configuration files

I would be happy to offer some time towards helping achieve that goal 
but at the moment I don't think Fediz is ready for use in production.

Cheers,
Matthew

On 31/10/2017 11:50, Colm O hEigeartaigh wrote:
> Are you using the same Tomcat instance for the IdP and the STS? Or is the
> Tomcat IdP instance set to ask for client authentication? Failing that, I
> don't have any more ideas - I need to see a test-case to help any further.
>
> Colm.
>
> On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> hi Colm,
>>
>> Sorry to keep bothering you with this issue.
>>
>> It is still prompting me for a certificate when redirecting to the idp.  I
>> have checked line by line the differences between the original code and my
>> production code and cannot see any major difference.  i have tried with the
>> production certificate and with a custom generated certificate but both are
>> the same.
>>
>> Is there anything else I can try for debugging?
>>
>> Matthew
>>
>> On 26/10/2017 14:58, Matthew Broadhead wrote:
>>
>>> comments below
>>>
>>> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>>>
>>>> Are you using Java 9? If so please try with Java 8 instead. The warnings
>>>> should be harmless, however I haven't tested Fediz with Java 9.
>>>>
>>> i am using openjdk 1.8.0.151
>>>
>>>> "when i first connect with fedizhelloworld it pops up a box asking for a
>>>> certificate." - can you reproduce this with a test-case? It sounds as if
>>>> you are not using the "up" endpoint of the IdP but instead the client
>>>> cert endpoint?
>>>>
>>> my fediz_config.xml has
>>> <issuer>https://domain.tld:9443/idp/federation</issuer>
>>>
>>> security-up-config.xml is the same as the example except with the
>>> endpoints changed from localhost:9443 to domain.tld:9443
>>>
>>> if it is not related to that can you tell me where i should be looking
>>> for the endpoint config?
>>>
>>>> Colm.
>>>>
>>>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> I am not sure that would be very easy to provide a test case? Everything
>>>>> was working fine on localhost with the test certificates.
>>>>>
>>>>> Testing on production is completely different using letsencrypt certs
>>>>> and having to change lots of configuration files in the code? You would
>>>>> be welcome to look directly at my setup although you are probably busy?
>>>>>
>>>>> It looks as though the idpcert in the ststrust.jks is not being properly
>>>>> sent and trusted by the idp during handshake?  i am converting it using
>>>>> openssl to pkcs12 and then importing it into a jks.  then i export the
>>>>> cert.  is it possible the chain is being dropped?
>>>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>>>
>>>>> also i get a lot of these warnings when creating keystores. should i be
>>>>> changing everything to use pkcs12?
>>>>> Warning:
>>>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>>>> to PKCS12 which is an industry standard format using
>>>>>
>>>>> Matthew
>>>>>
>>>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Could you create a test-case and upload it to github somewhere + I will
>>>>>> take a look?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Thanks for pointing me in the right direction.
>>>>>>>
>>>>>>> basically what the documentation lacks is that the ststrust.jks must
>>>>>>> contain MyTCIDP.cer, i.e.
>>>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>>>> i looked through the original ststrust.jks and it contained the alias
>>>>>>> idpcert which confirmed the suspicion
>>>>>>>
>>>>>>> the other problem was that the cipher of the letsencrypt certificate
>>>>>>> was not supported by java so i had to enable apr for openssl support.
>>>>>>> -Djavax.net.debug=all helped to debug that.
>>>>>>>
>>>>>>> but i still have some strange problems.  when i first connect with
>>>>>>> fedizhelloworld it pops up a box asking for a certificate.  and also
>>>>>>> if i leave it logged in for a while and then try to logout chrome
>>>>>>> tells me
>>>>>>> This site can’t provide a secure connection
>>>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>>>
>>>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by
>>>>>>>> the STS. Also, it must contain a keystore with the private key of the
>>>>>>>> IdP, which in turn must be trusted by the STS.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> Are the two keystores responsible for the trust between idp and sts
>>>>>>>>> supposed to be stsrealm_a.jks and ststrust.jks
>>>>>>>>>
>>>>>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>>>>> (domain.tld) which makes sense if it is hitting domain.tls:9443/idp
>>>>>>>>> etc
>>>>>>>>>
>>>>>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>>>>> MyTCRP.cer?
>>>>>>>>>
>>>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> You'll need to go through the output to figure out why the cert is
>>>>>>>>>> not trusted. If you generate some test certs + create a testcase
>>>>>>>>>> somewhere I will take a look.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> i get a load of stuff, but in the middle of the one before the
>>>>>>>>>>> error i get
>>>>>>>>>>>
>>>>>>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>>>>>>> authentication
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> ahhh...
>>>>>>>>>>>>
>>>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> How would I enable the debug?
>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could
>>>>>>>>>>>>>> try running the Tomcat IdP with Java SSL debugging enabled and
>>>>>>>>>>>>>> it should tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I realise now that this html file was included in the
>>>>>>>>>>>>>>> examples/samplekeys directory in the code.  but i was taking it
>>>>>>>>>>>>>>> from the internet.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>>>>>>>> still getting the same error over and again.  I can browse the
>>>>>>>>>>>>>>> wsdl without having to provide a client certificate. could you
>>>>>>>>>>>>>>> point me to the part of the idp-sts configuration which might be
>>>>>>>>>>>>>>> causing it to not ask for the keys properly?  or is it definitely
>>>>>>>>>>>>>>> a tomcat server.xml issue?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly
>>>>>>>>>>>>>>>>> formatted in html?
>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I
>>>>>>>>>>>>>>>>> get further
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier
>>>>>>>>>>>>>>>>>> but with your own keys?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> in Tomcat 8
>>>>>>>>>>>>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>>>>>>>>>>>>> it says
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of
>>>>>>>>>>>>>>>>>>> the default SSLHostConfig element.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid
>>>>>>>>>>>>>>>>>>> certificate chain from the client before accepting a
>>>>>>>>>>>>>>>>>>> connection. Set to optional if you want the SSL stack to
>>>>>>>>>>>>>>>>>>> request a client Certificate, but not fail if one isn't
>>>>>>>>>>>>>>>>>>> presented. Set to optionalNoCA if you want client
>>>>>>>>>>>>>>>>>>> certificates to be optional and you don't want Tomcat to
>>>>>>>>>>>>>>>>>>> check them against the list of trusted CAs. If the TLS
>>>>>>>>>>>>>>>>>>> provider doesn't support this option (OpenSSL does, JSSE does
>>>>>>>>>>>>>>>>>>> not) it is treated as if optional was specified. A none value
>>>>>>>>>>>>>>>>>>> (which is the default) will not require a certificate chain
>>>>>>>>>>>>>>>>>>> unless the client requests a resource protected by a security
>>>>>>>>>>>>>>>>>>> constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i
>>>>>>>>>>>>>>>>>>> cannot access the site at all with
>>>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL
>>>>>>>>>>>>>>>>>>> peer cannot verify your certificate. Error code:
>>>>>>>>>>>>>>>>>>> SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is
>>>>>>>>>>>>>>>>>>>> not asking for client authentication. You can check this by
>>>>>>>>>>>>>>>>>>>> using a web browser or curl to view the WSDL of the STS - if
>>>>>>>>>>>>>>>>>>>> you can get it to work then the configuration is incorrect,
>>>>>>>>>>>>>>>>>>>> as it should error on the browser not supplying a client
>>>>>>>>>>>>>>>>>>>> cert.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of
>>>>>>>>>>>>>>>>>>>>> reloading the certificates is helping.  is there any way to debug
>>>>>>>>>>>>>>>>>>>>> what the actual problem is?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.SubflowState.handleEvent(
>>>>>>>>>>>>>>>>>>>>> SubflowState.java:116)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>>>>>>>>>>>>> a:547)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.en
>>>>>>>>>>>>>>>>>>>>> dActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.endActiveFlowSession(RequestControlContextImpl.java:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> 238)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.EndState.doEnter(EndState
>>>>>>>>>>>>>>>>>>>>> .java:107)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>>>>>>>>>>>>> a:547)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>>>>>>>>>>>>>>> nState.java:105)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>>>>>>>>>>>>> a:547)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>>>>>>>>>>>>>>> nState.java:105)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>>>>>>> tImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.SubflowState.doEnter(Subf
>>>>>>>>>>>>>>>>>>>>> lowState.java:101)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.ex
>>>>>>>>>>>>>>>>>>>>> ecutor.FlowExecutorImpl.launch
>>>>>>>>>>>>>>>>>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.mv
>>>>>>>>>>>>>>>>>>>>> c.servlet.FlowHandlerAdapter.
>>>>>>>>>>>>>>>>>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>> t.DispatcherServlet.doDispatch
>>>>>>>>>>>>>>>>>>>>> (DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>> t.DispatcherServlet.doService(
>>>>>>>>>>>>>>>>>>>>> DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>> t.FrameworkServlet.processRequ
>>>>>>>>>>>>>>>>>>>>> est(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>> t.FrameworkServlet.doGet(
>>>>>>>>>>>>>>>>>>>>> FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>>>>              at javax.servlet.http.HttpServlet
>>>>>>>>>>>>>>>>>>>>> .service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>> t.FrameworkServlet.service(
>>>>>>>>>>>>>>>>>>>>> FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>>>>              at javax.servlet.http.HttpServlet
>>>>>>>>>>>>>>>>>>>>> .service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.tomcat.websocket.se
>>>>>>>>>>>>>>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>>>>>>>>>>>>>>> r.java:52)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>>>>>> rityInterceptor.doFilter(Filte
>>>>>>>>>>>>>>>>>>>>> rSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>>>>>>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.session.SessionManagementFi
>>>>>>>>>>>>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(Ano
>>>>>>>>>>>>>>>>>>>>> nymousAuthenticationFilter.jav
>>>>>>>>>>>>>>>>>>>>> a:113)
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>> horityEntitlements.doFilter(Gr
>>>>>>>>>>>>>>>>>>>>> antedAuthorityEntitlements.jav
>>>>>>>>>>>>>>>>>>>>> a:97)
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>>>>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> 150)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.connector.
>>>>>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>>>>>>              at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>>>>>>              at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>>>              at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the
>>>>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>              ... 154 more
>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local
>>>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>>>>>              ... 155 more
>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction
>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>>>>>>>>>>>>>>> truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
>>>>>>>>>>>>>>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>>>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>>>>>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated.  Is the server set to ask
>>>>>>>>>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
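
The quoted cxf-tls.xml conduit above (Matthew's Oct 22 mail, trustManagers and keyManagers commented out, disableCNCheck="true") is exactly the shape of config that produces the "RequireClientCertificate is set, but no local certificates were negotiated" failure in the quoted stack trace: the IdP's outbound conduit has no key manager, so it has no client certificate to offer the STS. The following checker is an added example, not code from this thread or from the Fediz project. It parses the conduit with Python's standard library using the real CXF namespace URIs, and reports per conduit the settings that leave the IdP unable to authenticate to the STS or that weaken the connection. The two sample conduits are constructed here from the one quoted in the mail (the second is the corrected form), and the finding names are this example's own.

```python
"""Audit CXF http:conduit TLS client settings (cxf-tls.xml) for IdP -> STS client auth."""
import xml.etree.ElementTree as ET

# Real CXF/Spring namespace URIs used by cxf-tls.xml (assumed to match the deployed file).
HTTP_NS = "http://cxf.apache.org/transports/http/configuration"
SEC_NS = "http://cxf.apache.org/configuration/security"
BEANS_NS = "http://www.springframework.org/schema/beans"

# Constructed sample 1: the conduit quoted in the thread, with the key and trust
# managers commented out. ElementTree drops XML comments, so the parser sees them as
# absent, which is also how CXF sees them.
WEAK_CONDUIT = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <!-- <sec:trustManagers>
             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
           </sec:trustManagers>
           <sec:keyManagers keyPassword="tompass">
             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
           </sec:keyManagers> -->
    </http:tlsClientParameters>
  </http:conduit>
</beans>
"""

# Constructed sample 2: the corrected conduit. The truststore holds the issuer of the
# STS's TLS certificate, the keystore holds the IdP's private key, and hostname
# verification is left on (no disableCNCheck) because the production cert names the host.
FIXED_CONDUIT = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters>
      <sec:trustManagers>
        <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
      </sec:trustManagers>
      <sec:keyManagers keyPassword="tompass">
        <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
      </sec:keyManagers>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
"""


def _q(ns, local):
    """Qualified tag name in ElementTree's {namespace}local form."""
    return "{%s}%s" % (ns, local)


def audit_conduits(xml_text):
    """Return {conduit name: sorted finding codes} for every http:conduit in xml_text.

    Finding codes (this example's own names):
      no-tls-client-parameters : no http:tlsClientParameters, JVM defaults apply
      no-key-managers          : no sec:keyManagers, so no client certificate is offered;
                                 an STS that requires client auth fails the request
      no-trust-managers        : no sec:trustManagers, the JVM default truststore decides
                                 whether the STS certificate is accepted
      disable-cn-check         : disableCNCheck="true", hostname verification is off
      keystore-no-source       : a sec:keyStore with neither resource= nor file=
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for conduit in root.iter(_q(HTTP_NS, "conduit")):
        issues = []
        tls = conduit.find(_q(HTTP_NS, "tlsClientParameters"))
        if tls is None:
            issues.append("no-tls-client-parameters")
        else:
            if tls.get("disableCNCheck", "false").strip().lower() == "true":
                issues.append("disable-cn-check")
            key_managers = tls.find(_q(SEC_NS, "keyManagers"))
            trust_managers = tls.find(_q(SEC_NS, "trustManagers"))
            if key_managers is None:
                issues.append("no-key-managers")
            if trust_managers is None:
                issues.append("no-trust-managers")
            for holder in (key_managers, trust_managers):
                if holder is None:
                    continue
                for keystore in holder.findall(_q(SEC_NS, "keyStore")):
                    if not (keystore.get("resource") or keystore.get("file")):
                        issues.append("keystore-no-source")
        findings[conduit.get("name", "?")] = sorted(issues)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONDUIT), ("fixed", FIXED_CONDUIT)):
        for name, issues in audit_conduits(text).items():
            print("%s %s: %s" % (label, name, ", ".join(issues) or "no findings"))
```

Run it against the deployed WEB-INF/classes/cxf-tls.xml (or the services/idp source copy) before restarting Tomcat; an empty finding list for the "*.http-conduit" entry means the IdP at least has a client key to present, which is the precondition for the STS's RequireClientCertificate check to pass.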


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
Are you using the same Tomcat instance for the IdP and the STS? Or is the
Tomcat IdP instance set to ask for client authentication? Failing that, I
don't have any more ideas - I need to see a test-case to help any further.

Colm.

On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> hi Colm,
>
> Sorry to keep bothering you with this issue.
>
> It is still prompting me for a certificate when redirecting to the idp.  I
> have checked line by line the differences between the original code and my
> production code and cannot see any major difference.  i have tried with the
> production certificate and with a custom generated certificate but both are
> the same.
>
> Is there anything else I can try for debugging?
>
> Matthew
>
> On 26/10/2017 14:58, Matthew Broadhead wrote:
>
>> comments below
>>
>> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>>
>>> Are you using Java 9? If so please try with Java 8 instead. The warnings
>>> should be harmless, however I haven't tested Fediz with Java 9.
>>>
>> i am using openjdk 1.8.0.151
>>
>>>
>>> "when i first connect with fedizhelloworld it pops up a box asking for a
>>> certificate." - can you reproduce this with a test-case? It sounds as if
>>> you are not using the "up" endpoint of the IdP but instead the client cert
>>> endpoint?
>>>
>> my fediz_config.xml has
>> <issuer>https://domain.tld:9443/idp/federation</issuer>
>>
>> security-up-config.xml is the same as the example except with the
>> endpoints changed from localhost:9443 to domain.tld:9443
>>
>> if it is not related to that can you tell me where i should be looking
>> for the endpoint config?
>>
>>>
>>> Colm.
>>>
>>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>> Hi Colm,
>>>>
>>>> I am not sure that would be very easy to provide a test case? Everything
>>>> was working fine on localhost with the test certificates.
>>>>
>>>> Testing on production is completely different using letsencrypt certs and
>>>> having to change lots of configuration files in the code? You would be
>>>> welcome to look directly at my setup although you are probably busy?
>>>>
>>>> It looks as though the idpcert in the ststrust.jks is not being properly
>>>> sent and trusted by the idp during handshake?  i am converting it using
>>>> openssl to pkcs12 and then importing it into a jks.  then i export the
>>>> cert.  is it possible the chain is being dropped?
>>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>>
>>>> also i get a lot of these warnings when creating keystores. should i be
>>>> changing everything to use pkcs12?
>>>> Warning:
>>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>>> to PKCS12 which is an industry standard format using
>>>>
>>>> Matthew
>>>>
>>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>>
>>>> Could you create a test-case and upload it to github somewhere + I will
>>>>> take a look?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>> Thanks for pointing me in the right direction.
>>>>>
>>>>>> basically what the documentation lacks is that the ststrust.jks must
>>>>>> contain MyTCIDP.cer, i.e.
>>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>>> i looked through the original ststrust.jks and it contained the alias
>>>>>> idpcert which confirmed the suspicion
>>>>>>
>>>>>> the other problem was that the cipher of the letsencrypt certificate was
>>>>>> not supported by java so i had to enable apr for openssl support.
>>>>>> -Djavax.net.debug=all helped to debug that.
>>>>>>
>>>>>> but i still have some strange problems.  when i first connect with
>>>>>> fedizhelloworld it pops up a box asking for a certificate.  and also
>>>>>> if i
>>>>>> leave it logged in for a while and then try to logout chrome tells me
>>>>>> This site can’t provide a secure connection
>>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>>
>>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by
>>>>>>> the STS. Also, it must contain a keystore with the private key of the
>>>>>>> IdP, which in turn must be trusted by the STS.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> Are the two keystores responsible for the trust between idp and sts
>>>>>>>> supposed to be stsrealm_a.jks and ststrust.jks
>>>>>>>>
>>>>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>>>> (domain.tld) which makes sense if it is hitting domain.tls:9443/idp
>>>>>>>> etc
>>>>>>>>
>>>>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>>>> MyTCRP.cer?
>>>>>>>>
>>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> You'll need to go through the output to figure out why the cert is not
>>>>>>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>>>>>>> will take a look.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> i get a load of stuff, but in the middle of the one before the error i
>>>>>>>>>> get
>>>>>>>>>>
>>>>>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>>>>>> authentication
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>> ahhh...
>>>>>>>>>>
>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> How would I enable the debug?
>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try
>>>>>>>>>>>>> running the Tomcat IdP with Java SSL debugging enabled and it should
>>>>>>>>>>>>> tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys
>>>>>>>>>>>>>> directory in the code.  but i was taking it from the internet.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>>>>>>>>>>>>> getting the same error over and again.  I can browse the wsdl without
>>>>>>>>>>>>>> having to provide a client certificate. could you point me to the part of
>>>>>>>>>>>>>> the idp-sts configuration which might be causing it to not ask for the
>>>>>>>>>>>>>> keys properly?  or is it definitely a tomcat server.xml issue?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>>>>>>>>>>>>> in html?
>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>>>>>>>>> further
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
>>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  Is there any way to debug what the actual problem is?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>>>>>>>>>>>>>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>>>>>>>>>>>>>>>>>         at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>>>>>>>>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>>>>>>>>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>>>>             ... 155 more
>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction
>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github: https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>>       SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>>>>>>>>       keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>>       truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?  How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>>               ...
>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>               at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>>               ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>>               ...
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
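
The cxf-tls.xml key store / trust store setup and the "RequireClientCertificate is set, but no local certificates were negotiated" error discussed in the quoted messages above can be checked outside Fediz with the following added diagnostic (example code, not part of Fediz or CXF): it builds a JSSE SSLContext from the same JKS files, performs one handshake to the STS port and shows whether a client certificate was sent and which CA names the server asked for. The class name TlsClientCertCheck, the argument order and the console wording are assumptions of this example; host, port, file names and passwords are whatever your cxf-tls.xml and server.xml use (for the test config quoted above that is idp-ssl-key.jks / tompass and idp-ssl-trust.jks / ispass).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/* Hypothetical diagnostic, not part of Fediz or CXF: loads the key store and trust store that
 * sec:keyManagers / sec:trustManagers in cxf-tls.xml point at, does one TLS handshake to the
 * STS and reports whether a client certificate was negotiated, which is what the
 * "RequireClientCertificate is set, but no local certificates were negotiated" error means. */
public class TlsClientCertCheck {

    /* Loads a JKS file, i.e. what "keytool -importkeystore" writes. */
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /* Wraps the default key manager to show the CA names in the server's CertificateRequest.
     * The default JSSE key manager only offers a key entry whose chain contains a certificate
     * issued by one of those names; if none matches it silently sends no certificate at all. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager d;
        LoggingKeyManager(X509KeyManager d) { this.d = d; }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) {
            System.out.println("server accepts client certs issued by: "
                    + (issuers == null || issuers.length == 0 ? "(no list sent)" : Arrays.toString(issuers)));
            String alias = d.chooseClientAlias(keyType, issuers, s);
            System.out.println("key manager chose alias: " + alias);
            return alias;
        }
        @Override public String[] getClientAliases(String k, Principal[] i) { return d.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return d.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return d.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 7) {
            System.err.println("usage: host port keystore.jks storePass keyPass truststore.jks trustPass");
            System.exit(2);
        }
        KeyStore keyStore = load(args[2], args[3]);
        KeyStore trustStore = load(args[5], args[6]);
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) continue;
            Certificate[] chain = keyStore.getCertificateChain(alias);   // length 1 = chain dropped on import
            System.out.println("key entry '" + alias + "': chain length " + chain.length + ", leaf issued by "
                    + ((X509Certificate) chain[0]).getIssuerX500Principal());
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, args[4].toCharArray());   // keyPassword, as on sec:keyManagers
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                        // must hold the issuing cert of the STS's Tomcat
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);

        System.out.println("== handshake with " + args[0] + ":" + args[1]);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            socket.startHandshake();                 // throws here if the server cert is not trusted
            SSLSession session = socket.getSession();
            System.out.println("server cert: "
                    + ((X509Certificate) session.getPeerCertificates()[0]).getSubjectX500Principal());
            Certificate[] local = session.getLocalCertificates();   // null when no client cert was sent
            if (local == null) {
                System.out.println("RESULT: no client certificate negotiated; compare the CA list above "
                        + "with the issuers in the key store chain");
            } else {
                System.out.println("RESULT: client certificate sent: "
                        + ((X509Certificate) local[0]).getSubjectX500Principal());
            }
        }
    }
}
```

Run it as `java TlsClientCertCheck domain.tld 9443 idp-ssl-key.jks tompass tompass idp-ssl-trust.jks ispass`; a chain length of 1 means the intermediate was lost when the PEM files were imported into the JKS, and a non-empty CA list that contains none of the chain's issuers is why JSSE sends no certificate. If the "server accepts" line never appears, the server did not request a client certificate at all.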

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hi Colm,

Sorry to keep bothering you with this issue.

It is still prompting me for a certificate when redirecting to the idp.  
I have checked line by line the differences between the original code 
and my production code and cannot see any major difference.  I have 
tried with the production certificate and with a custom generated 
certificate but both are the same.

Is there anything else I can try for debugging?

Matthew

On 26/10/2017 14:58, Matthew Broadhead wrote:
> comments below
>
> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>> Are you using Java 9? If so please try with Java 8 instead. The warnings
>> should be harmless, however I haven't tested Fediz with Java 9.
> i am using openjdk 1.8.0.151
>>
>> "when i first connect with fedizhelloworld it pops up a box asking for a
>> certificate." - can you reproduce this with a test-case? It sounds as if
>> you are not using the "up" endpoint of the IdP but instead the client cert
>> endpoint?
> my fediz_config.xml has
> <issuer>https://domain.tld:9443/idp/federation</issuer>
>
> security-up-config.xml is the same as the example except with the 
> endpoints changed from localhost:9443 to domain.tld:9443
>
> if it is not related to that can you tell me where i should be looking 
> for the endpoint config?
>>
>> Colm.
>>
>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> I am not sure that would be very easy to provide a test case? Everything
>>> was working fine on localhost with the test certificates.
>>>
>>> Testing on production is completely different using letsencrypt certs and
>>> having to change lots of configuration files in the code? You would be
>>> welcome to look directly at my setup although you are probably busy?
>>>
>>> It looks as though the idpcert in the ststrust.jks is not being properly
>>> sent and trusted by the idp during handshake?  i am converting it using
>>> openssl to pkcs12 and then importing it into a jks.  then i export the
>>> cert.  is it possible the chain is being dropped?
>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>
>>> also i get a lot of these warnings when creating keystores. should i be
>>> changing everything to use pkcs12?
>>> Warning:
>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>> to PKCS12 which is an industry standard format using
>>>
>>> Matthew
>>>
>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>
>>>> Could you create a test-case and upload it to github somewhere + I will
>>>> take a look?
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Thanks for pointing me in the right direction.
>>>>> basically what the documentation lacks is that the ststrust.jks must
>>>>> contain MyTCIDP.cer, i.e.
>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>> i looked through the original ststrust.jks and it contained the alias
>>>>> idpcert which confirmed the suspicion
>>>>>
>>>>> the other problem was that the cipher of the letsencrypt certificate was
>>>>> not supported by java so i had to enable apr for openssl support.
>>>>> -Djavax.net.debug=all helped to debug that.
>>>>>
>>>>> but i still have some strange problems.  when i first connect with
>>>>> fedizhelloworld it pops up a box asking for a certificate.  and also if i
>>>>> leave it logged in for a while and then try to logout chrome tells me
>>>>> This site can’t provide a secure connection
>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>
>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by
>>>>>> the STS. Also, it must contain a keystore with the private key of the
>>>>>> IdP, which in turn must be trusted by the STS.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Are the two keystores responsible for the trust between idp and sts
>>>>>>> supposed to be
>>>>>>> stsrealm_a.jks and ststrust.jks
>>>>>>>
>>>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>>> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>>>>>>>
>>>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>>> MyTCRP.cer?
>>>>>>>
>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> You'll need to go through the output to figure out why the cert is not
>>>>>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>>>>>> will take a look.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> i get a load of stuff, but in the middle of the one before the error i
>>>>>>>>> get
>>>>>>>>>
>>>>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>>>>> authentication
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> ahhh...
>>>>>>>>>>
>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try
>>>>>>>>>>>> running the Tomcat IdP with Java SSL debugging enabled and it should
>>>>>>>>>>>> tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I realise now that this html file was included in the
>>>>>>>>>>>>> examples/samplekeys directory in the code.  but i was taking it from
>>>>>>>>>>>>> the internet.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>>>>>> still getting the same error over and again.  I can browse the wsdl
>>>>>>>>>>>>> without having to provide a client certificate. could you point me to
>>>>>>>>>>>>> the part of the idp-sts configuration which might be causing it to
>>>>>>>>>>>>> not ask for the keys properly?  or is it definitely a tomcat
>>>>>>>>>>>>> server.xml issue?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly
>>>>>>>>>>>>>>> formatted in html?
>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I
>>>>>>>>>>>>>>> get further
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier
>>>>>>>>>>>>>>>> but with your own keys?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the
>>>>>>>>>>>>>>>>> default SSLHostConfig element.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>>>>>>>>>>>> chain from the client before accepting a connection. Set to optional if
>>>>>>>>>>>>>>>>> you want the SSL stack to request a client Certificate, but not fail if
>>>>>>>>>>>>>>>>> one isn't presented. Set to optionalNoCA if you want client certificates
>>>>>>>>>>>>>>>>> to be optional and you don't want Tomcat to check them against the list
>>>>>>>>>>>>>>>>> of trusted CAs. If the TLS provider doesn't support this option (OpenSSL
>>>>>>>>>>>>>>>>> does, JSSE does not) it is treated as if optional was specified. A none
>>>>>>>>>>>>>>>>> value (which is the default) will not require a certificate chain unless
>>>>>>>>>>>>>>>>> the client requests a resource protected by a security constraint that
>>>>>>>>>>>>>>>>> uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot
>>>>>>>>>>>>>>>>> access the site at all with
>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer
>>>>>>>>>>>>>>>>> cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>>>>>>>>>>>>>>>> for client authentication. You can check this by using a web browser or
>>>>>>>>>>>>>>>>>> curl to view the WSDL of the STS - if you can get it to work then the
>>>>>>>>>>>>>>>>>> configuration is incorrect, as it should error on the browser not
>>>>>>>>>>>>>>>>>> supplying a client cert.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of
>>>>>>>>>>>>>>>>>>> reloading the certificates is helping.  is there any way to debug what
>>>>>>>>>>>>>>>>>>> the actual problem is?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>>             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>>             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>>             at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>>>             at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>>>             at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>>             at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>>             at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>>             at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>             at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter. 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>>>>             at org.apache.catalina.connector.
>>>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>>>>             at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>>>>             at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>>>>             at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>             at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the
>>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>             ... 154 more
>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local 
>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>>>             ... 155 more
>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  
>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>              SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>>>>              sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>              keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew 
>>>>>>>>>>>>>>>>>>>>>>> Broadhead <
>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?  How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>> according to the original file
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat
>>>>>>>>>>>>>>>>>>>>>>>>>>> ionClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="application"
>>>>>>>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="claim"
>>>>>>>>>>>>>>>>>>>>>>>>>>> ref="claim_role"
>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="optional"
>>>>>>>>>>>>>>>>>>>>>>>>>>> value="false"
>>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>
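
Worked example added by the editor (not Fediz's own code, and not from any message in this thread): a small Python model of the two checks behind the "No service config found" warning quoted above. It assumes, as a simplification of what the IdP's EndpointAddressValidator does, that the application is looked up by the realm the relying party sends and that the return address is then matched as a whole against that application's passiveRequestorEndpointConstraint (or logoutEndpointConstraint for a logout). The fedizhelloworld realm and its two regexes are taken from the entities file quoted above; the second application entry, the example.test hostnames and the function names are constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed table standing in for the ApplicationEntity beans quoted above:
# realm -> (passiveRequestorEndpointConstraint, logoutEndpointConstraint).
# The first entry uses the realm and regexes from the quoted entities file;
# the second is a constructed entry for a deployment that is not on localhost.
APPLICATIONS: Dict[str, Tuple[str, str]] = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": (
        r"https://localhost:?(\d)*/.*",
        r"https://localhost:?(\d)*/.*",
    ),
    "urn:example:prod-app": (  # constructed, not on the page
        r"https://app\.example\.test(:\d+)?/.*",
        r"https://app\.example\.test(:\d+)?/logout.*",
    ),
}


def find_service_config(realm: str) -> Optional[Tuple[str, str]]:
    """Return the endpoint constraints for a realm, or None if unconfigured.

    None is the situation behind the quoted warning: the IdP's realm file has
    no ApplicationEntity whose realm property equals the value the relying
    party sent, so there is nothing to validate the return address against.
    """
    return APPLICATIONS.get(realm)


def validate_endpoint(realm: str, wreply: str, logout: bool = False) -> Tuple[bool, str]:
    """Decide whether a relying-party return address may receive a token.

    Modelled (an assumption, not Fediz's code) as two steps:
      1. the realm must map to a configured application;
      2. the address must match the whole of that application's constraint.
    Whole-string matching is the point of the constraint: a prefix match would
    accept https://localhost:9443.example.test/... under a localhost-only rule,
    so the token could be posted to a host the constraint was meant to exclude.
    """
    config = find_service_config(realm)
    if config is None:
        return False, f"No service config found for {realm}"
    constraint = config[1] if logout else config[0]
    if re.fullmatch(constraint, wreply) is None:
        return False, f"{wreply} does not match constraint {constraint}"
    return True, "ok"


if __name__ == "__main__":
    # The page's own relying party (localhost:9443) against its own constraint.
    print(validate_endpoint("urn:org:apache:cxf:fediz:fedizhelloworld",
                            "https://localhost:9443/fedizhelloworld/secure/fedservlet"))
    # The same RP moved to the production host without updating the constraint.
    print(validate_endpoint("urn:org:apache:cxf:fediz:fedizhelloworld",
                            "https://domain.tld:9443/fedizhelloworld/secure/fedservlet"))
    # A realm that no ApplicationEntity declares: reproduces the quoted warning.
    print(validate_endpoint("urn:org:apache:cxf:fediz:unknown",
                            "https://localhost:9443/x"))
```

Two things follow from the model that are easy to miss when a test setup is moved to a real host: the realm string sent by the relying party must match an ApplicationEntity byte for byte, and the two endpoint constraints are part of the application's configuration, so a relying party that moves off localhost needs its constraints updated as well as its issuer URL, or the IdP rejects the return address even though the login itself succeeds.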


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
comments below

On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
> Are you using Java 9? If so please try with Java 8 instead. The warnings
> should be harmless, however I haven't tested Fediz with Java 9.
I am using openjdk 1.8.0.151
>
> "when i first connect with fedizhelloworld it pops up a box asking for a
> certificate." - can you reproduce this with a test-case? It sounds as if
> you are not using the "up" endpoint of the IdP but instead the client cert
> endpoint?
My fediz_config.xml has
<issuer>https://domain.tld:9443/idp/federation</issuer>

security-up-config.xml is the same as the example except with the
endpoints changed from localhost:9443 to domain.tld:9443

If it is not related to that, can you tell me where I should be looking
for the endpoint config?
>
> Colm.
>
> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Hi Colm,
>>
>> I am not sure that would be very easy to provide a test case? Everything
>> was working fine on localhost with the test certificates.
>>
>> Testing on production is completely different using letsencrypt certs and
>> having to change lots of configuration files in the code? You would be
>> welcome to look directly at my setup although you are probably busy?
>>
>> It looks as though the idpcert in the ststrust.jks is not being properly
>> sent and trusted by the idp during handshake?  I am converting it using
>> openssl to pkcs12 and then importing it into a jks.  Then I export the
>> cert.  Is it possible the chain is being dropped?
>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>
>> Also I get a lot of these warnings when creating keystores.  Should I be
>> changing everything to use pkcs12?
>> Warning:
>> The JKS keystore uses a proprietary format. It is recommended to migrate
>> to PKCS12 which is an industry standard format using
>>
>> Matthew
>>
>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>
>>> Could you create a test-case and upload it to github somewhere + I will
>>> take a look?
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>> Thanks for pointing me in the right direction.
>>>> Basically what the documentation lacks is that the ststrust.jks must
>>>> contain MyTCIDP.cer, i.e.
>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>> I looked through the original ststrust.jks and it contained the alias
>>>> idpcert which confirmed the suspicion.
>>>>
>>>> The other problem was that the cipher of the letsencrypt certificate was
>>>> not supported by java so I had to enable apr for openssl support.
>>>> -Djavax.net.debug=all helped to debug that.
>>>>
>>>> But I still have some strange problems.  When I first connect with
>>>> fedizhelloworld it pops up a box asking for a certificate.  And also if I
>>>> leave it logged in for a while and then try to logout chrome tells me
>>>> This site can’t provide a secure connection
>>>> ERR_SSL_PROTOCOL_ERROR
>>>>
>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>
>>>> Your truststore in cxf-tls.xml must trust the certificate presented by
>>>>> the
>>>>> STS. Also, it must contain a keystore with the private key of the IdP,
>>>>> which in turn must be trusted by the STS.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>> Are the two keystores responsible for the trust between idp and sts
>>>>>> supposed to be stsrealm_a.jks and ststrust.jks?
>>>>>>
>>>>>> It is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc.
>>>>>>
>>>>>> Does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>> MyTCRP.cer?
>>>>>>
>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>> You'll need to go through the output to figure out why the cert is not
>>>>>>
>>>>>>> trusted. If you generate some test certs + create a testcase
>>>>>>> somewhere I
>>>>>>> will take a look.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>> I get a load of stuff, but in the middle of the one before the error I get
>>>>>>>> Warning: no suitable certificate found - continuing without client authentication
>>>>>>>>
>>>>>>>>
>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>> ahhh...
>>>>>>>>
>>>>>>>> -Djavax.net.debug=all
>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>> <security:debug/>?
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>> If you change it to "required" does it fail? If so, you could try running
>>>>>>>>>>> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
>>>>>>>>>>> the IdP can't connect to the STS.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys
>>>>>>>>>>>> directory in the code.  But I was taking it from the internet.
>>>>>>>>>>>>
>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>>>>>>>>>>> getting the same error over and again.  I can browse the wsdl without
>>>>>>>>>>>> having to provide a client certificate.  Could you point me to the part of
>>>>>>>>>>>> the idp-sts configuration which might be causing it to not ask for the
>>>>>>>>>>>> keys properly?  Or is it definitely a tomcat server.xml issue?
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>
>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>>>>>>>>>>> in html?
>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>>>>>>> further.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>>>>>>>>>>>> your own keys?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>>>>>>>>>>>> SSLHostConfig element.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>>>>>>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>>>>>>>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>>>>>>>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>>>>>>>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>>>>>>>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>>>>>>>>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>>>>>>>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>>>>>>>>>>>> client requests a resource protected by a security constraint that uses
>>>>>>>>>>>>>>>> CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>>>>>>>>>>>>> access the site at all with
>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>>>>>>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for
>>>>>>>>>>>>>>>>> client authentication. You can check this by using a web browser or curl to
>>>>>>>>>>>>>>>>> view the WSDL of the STS - if you can get it to work then the configuration
>>>>>>>>>>>>>>>>> is incorrect, as it should error on the browser not supplying a client
>>>>>>>>>>>>>>>>> cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of reloading
>>>>>>>>>>>>>>>>>> the certificates is helping.  Is there any way to debug what the actual
>>>>>>>>>>>>>>>>>> problem is?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>             at org.apache.tomcat.websocket.se
>>>>>>>>>>>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>>>>>>>>>>>> r.java:52)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>>> rityInterceptor.doFilter(Filte
>>>>>>>>>>>>>>>>>> rSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>>>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.session.SessionManagementFi
>>>>>>>>>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(Ano
>>>>>>>>>>>>>>>>>> nymousAuthenticationFilter.jav
>>>>>>>>>>>>>>>>>> a:113)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>> horityEntitlements.doFilter(Gr
>>>>>>>>>>>>>>>>>> antedAuthorityEntitlements.jav
>>>>>>>>>>>>>>>>>> a:97)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:
>>>>>>>>>>>>>>>>>> 150)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.
>>>>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>             at org.springframework.security.w
>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>             at org.springframework.web.filter
>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>>>             at org.apache.catalina.connector.
>>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>>>             at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>>>             at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>>>             at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>>>             at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>>>             at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>             at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the
>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>             ... 154 more
>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>             at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>>             ... 155 more
>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  -
>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>            <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>                       SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>>>>>                       keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>>>>>>>>                       truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>                          maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>                   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>                   <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>                       <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>                                    certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>                                    certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>                                    type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>                   </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>               </Connector>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>                   <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>                       <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>                           <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>                       </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>                       <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>                           <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>                       </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>                   </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>               </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>               ...
>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>               at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>               ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>               at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>>               ...
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="
>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>> <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>                           <ref
>>>>>>>>>>>>>>>>>>>>>>>>>> bean="srv-fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>> </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>                   </property>
>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="realm"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi
>>>>>>>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="protocol" value="
>>>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.
>>>>>>>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property
>>>>>>>>>>>>>>>>>>>>>>>>>> name="serviceDisplayName"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property
>>>>>>>>>>>>>>>>>>>>>>>>>> name="serviceDescription"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="Web
>>>>>>>>>>>>>>>>>>>>>>>>>> Application to
>>>>>>>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="role"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="tokenType" value="
>>>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open
>>>>>>>>>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="lifeTime"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="3600"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property
>>>>>>>>>>>>>>>>>>>>>>>>>> name="passiveRequestorEndpoint
>>>>>>>>>>>>>>>>>>>>>>>>>> Constraint"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property
>>>>>>>>>>>>>>>>>>>>>>>>>> name="logoutEndpointConstraint
>>>>>>>>>>>>>>>>>>>>>>>>>> "
>>>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat
>>>>>>>>>>>>>>>>>>>>>>>>>> ionClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="application"
>>>>>>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="claim"
>>>>>>>>>>>>>>>>>>>>>>>>>> ref="claim_role"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>>                   <property name="optional"
>>>>>>>>>>>>>>>>>>>>>>>>>> value="false"
>>>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ty
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> instance in
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>>>>>>>> realm
>>>>>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>> Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.)
>>>>>>>>>>>>>>>>>>>>>>>>>>> domain.tld:9443/idp
>>>>>>>>>>>>>>>>>>>>>>>>>>> and i
>>>>>>>>>>>>>>>>>>>>>>>>>>> am
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems
>>>>>>>>>>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>>>>>>>>> authenticate
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424
>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Token
>>>>>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>]
>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully
>>>>>>>>>>>>>>>>>>>>>>>>>>>> cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433
>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>>>>>>>>>>>> service config found for
>>>>>>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
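The "No service config found for urn:org:apache:cxf:fediz:fedizhelloworld" warning quoted in this thread is a realm lookup that finds no ApplicationEntity, and once that lookup succeeds the relying party's wreply still has to satisfy the application's passiveRequestorEndpointConstraint (here https://localhost:?(\d)*/.*, so a relying party on any other host name is rejected). The Python below is an added diagnostic, not Fediz code and not from the thread: it parses a constructed entities file modelled on the bean quoted above and mirrors both checks. Assumptions: the realm is compared as an exact string, the constraint is applied as a full regex match (Java Matcher.matches()), and the IdpEntity applications list is not modelled.

```python
import re
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
APPLICATION_ENTITY = "org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"

# Constructed sample entities file, modelled on the ApplicationEntity bean quoted
# in the thread. It is not a file shipped by the Fediz project.
SAMPLE_ENTITIES_XML = r"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="srv-fedizhelloworld"
        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
  </bean>
</beans>
"""


def load_applications(xml_text):
    """Return {realm: {property name: value}} for every ApplicationEntity bean.

    Only <property name=".." value=".."/> children are collected; ref= properties
    (claims etc.) are irrelevant to the two checks below and are skipped.
    """
    root = ET.fromstring(xml_text)
    apps = {}
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("class") != APPLICATION_ENTITY:
            continue
        props = {
            p.get("name"): p.get("value")
            for p in bean.findall(f"{{{BEANS_NS}}}property")
            if p.get("value") is not None
        }
        realm = props.get("realm")
        if realm:
            apps[realm] = props
    return apps


def matches_constraint(constraint, url):
    """Full-match semantics, as java.util.regex.Matcher.matches() would give.

    Assumption: Fediz applies the endpoint constraint as a full match rather than
    a substring search; with a substring search a pattern like this one would be
    far weaker, because any URL containing 'https://localhost/' would pass.
    """
    return re.fullmatch(constraint, url) is not None


def validate_request(apps, wtrealm, wreply,
                     constraint_name="passiveRequestorEndpointConstraint"):
    """Mirror the two checks behind the warnings in this thread.

    1. wtrealm must name a registered application, otherwise the IdP has
       'No service config' for it.
    2. wreply must satisfy that application's endpoint constraint, otherwise the
       IdP must not post a token to it (an unconstrained wreply would let a
       forged sign-in request redirect the token to an arbitrary host).
    """
    app = apps.get(wtrealm)
    if app is None:
        return "NO_SERVICE_CONFIG"
    constraint = app.get(constraint_name)
    if not constraint:
        return "NO_CONSTRAINT"
    if not matches_constraint(constraint, wreply):
        return "ENDPOINT_REJECTED"
    return "OK"


if __name__ == "__main__":
    registered = load_applications(SAMPLE_ENTITIES_XML)
    realm = "urn:org:apache:cxf:fediz:fedizhelloworld"
    for reply in (
        "https://localhost:9443/fedizhelloworld/secure/fedservlet",
        "https://domain.tld:9443/fedizhelloworld/secure/fedservlet",
        "http://localhost:9443/fedizhelloworld/secure/fedservlet",
    ):
        print(f"{reply} -> {validate_request(registered, realm, reply)}")
    print(validate_request(registered, "urn:org:apache:cxf:fediz:unknown",
                           "https://localhost:9443/x"))
```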


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
Are you using Java 9? If so please try with Java 8 instead. The warnings
should be harmless, however I haven't tested Fediz with Java 9.

"when i first connect with fedizhelloworld it pops up a box asking for a
certificate." - can you reproduce this with a test-case? It sounds as if
you are not using the "up" endpoint of the IdP but instead the client cert
endpoint?

Colm.

On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Hi Colm,
>
> I am not sure that would be very easy to provide a test case? Everything
> was working fine on localhost with the test certificates.
>
> Testing on production is completely different using letsencrypt certs and
> having to change lots of configuration files in the code? You would be
> welcome to look directly at my setup although you are probably busy?
>
> It looks as though the idpcert in the ststrust.jks is not being properly
> sent and trusted by the idp during handshake?  i am converting it using
> openssl to pkcs12 and then importing it into a jks.  then i export the
> cert.  is it possible the chain is being dropped?
> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem
> -out ${p12} -name mytomidpkey -password pass:tompass
> keytool -importkeystore -deststorepass tompass -destkeypass tompass
> -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12
> -srcstorepass tompass -alias mytomidpkey
> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey
> -file ${idpCert}
>
> also i get a lot of these warnings when creating keystores.  should i be
> changing everything to use pkcs12?
> Warning:
> The JKS keystore uses a proprietary format. It is recommended to migrate
> to PKCS12 which is an industry standard format using
>
> Matthew
>
> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>
>> Could you create a test-case and upload it to github somewhere + I will
>> take a look?
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Thanks for pointing me in the right direction.
>>>
>>> basically what the documentation lacks is that the ststrust.jks must
>>> contain MyTCIDP.cer, i.e.
>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass
>>> -alias idpcert -file MyTCIDP.cer -noprompt
>>> i looked through the original ststrust.jks and it contained the alias
>>> idpcert which confirmed the suspicion
>>>
>>> the other problem was that the cipher of the letsencrypt certificate was
>>> not supported by java so i had to enable apr for openssl support.
>>> -Djavax.net.debug=all helped to debug that.
>>>
>>> but i still have some strange problems.  when i first connect with
>>> fedizhelloworld it pops up a box asking for a certificate.  and also if i
>>> leave it logged in for a while and then try to logout chrome tells me
>>> This site can’t provide a secure connection
>>> ERR_SSL_PROTOCOL_ERROR
>>>
>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>
>>>> Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Are the two keystores responsible for the trust between idp and sts supposed to be
>>>>> stsrealm_a.jks and ststrust.jks
>>>>>
>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>> (domain.tld) which makes sense if it is hitting domain.tls:9443/idp etc
>>>>>
>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>> MyTCRP.cer?
>>>>>
>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> i get a load of stuff, but in the middle of the one before the error i get
>>>>>>> Warning: no suitable certificate found - continuing without client authentication
>>>>>>>
>>>>>>>
>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> ahhh...
>>>>>>>>
>>>>>>>> -Djavax.net.debug=all
>>>>>>>>
>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?
>>>>>>>>>
>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code.  but i was taking it from the internet.
>>>>>>>>>>>
>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again.  I can browse the wsdl without having to provide a client certificate.  could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly?  or is it definitely a tomcat server.xml issue?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>
>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>
>>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>
>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>> and
>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>
>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot access the site at all with
>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  is there any way to debug what the actual problem is?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>            at org.springframework.webflow.ex
>>>>>>>>>>>>>>>>> ecutor.FlowExecutorImpl.launch
>>>>>>>>>>>>>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>            at org.springframework.webflow.mv
>>>>>>>>>>>>>>>>> c.servlet.FlowHandlerAdapter.
>>>>>>>>>>>>>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>            at org.springframework.web.servle
>>>>>>>>>>>>>>>>> t.DispatcherServlet.doDispatch
>>>>>>>>>>>>>>>>> (DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>            at org.springframework.web.servle
>>>>>>>>>>>>>>>>> t.DispatcherServlet.doService(
>>>>>>>>>>>>>>>>> DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>            at org.springframework.web.servle
>>>>>>>>>>>>>>>>> t.FrameworkServlet.processRequ
>>>>>>>>>>>>>>>>> est(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>            at org.springframework.web.servle
>>>>>>>>>>>>>>>>> t.FrameworkServlet.doGet(
>>>>>>>>>>>>>>>>> FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>            at javax.servlet.http.HttpServlet
>>>>>>>>>>>>>>>>> .service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>            at org.springframework.web.servle
>>>>>>>>>>>>>>>>> t.FrameworkServlet.service(
>>>>>>>>>>>>>>>>> FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>            at javax.servlet.http.HttpServlet
>>>>>>>>>>>>>>>>> .service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>            at org.apache.tomcat.websocket.se
>>>>>>>>>>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>>>>>>>>>>> r.java:52)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>> rityInterceptor.doFilter(Filte
>>>>>>>>>>>>>>>>> rSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.session.SessionManagementFi
>>>>>>>>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>>>>>>>>> henticationFilter.doFilter(Ano
>>>>>>>>>>>>>>>>> nymousAuthenticationFilter.jav
>>>>>>>>>>>>>>>>> a:113)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>> horityEntitlements.doFilter(Gr
>>>>>>>>>>>>>>>>> antedAuthorityEntitlements.jav
>>>>>>>>>>>>>>>>> a:97)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:
>>>>>>>>>>>>>>>>> 150)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>            at org.springframework.web.filter
>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.
>>>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>            at org.springframework.security.w
>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>            at org.springframework.web.filter
>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>            at org.springframework.web.filter
>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>            at org.springframework.web.filter
>>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>            at org.springframework.web.filter
>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>>            at org.apache.catalina.connector.
>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>>            at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>>            at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>>            at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>>            at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>>            at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>>            at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>>            at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>            at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the
>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>            at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>            ... 154 more
>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>            at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>            at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>            at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>            at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>            at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>            ... 155 more
>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  -
>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  this seems impractical in production as the certificates get reissued every 6 months.  is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>>>>>>>>              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>>>>>>>>              clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>>>>>              keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>>>>>>>>              truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?  How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096
>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-5
>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W
>>>>>>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> m.xml
>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="
>>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:9443
>>>>>>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="
>>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:0/id
>>>>>>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
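
The ApplicationEntity bean and the "No service config found" warning quoted in the thread above describe two checks the IdP makes before it posts a token back to the requestor: the wtrealm must be registered for the IdP, and the wreply must satisfy that application's passiveRequestorEndpointConstraint. The block below is an added example, not Fediz code and not from any message in this thread; it models those two checks in Python using the realm and the regex from the quoted bean. The dict-based registry, the function names, and the use of a full-string match (assumed to mirror Java's Matcher.matches()) are assumptions about the shape of the check, and the "loose" pattern is a hypothetical misconfiguration used only for contrast.

```python
import re

# Added example (not Fediz code): a minimal model of the two decisions the
# IdP's EndpointAddressValidator makes before releasing a token to a wreply.
# The realm URN and the constraint regex are the ones in the thread's
# ApplicationEntity bean; the dict lookup and full-string matching are
# assumptions about the shape of the check, not taken from the Fediz sources.

APPLICATIONS = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": {
        "passiveRequestorEndpointConstraint": r"https://localhost:?(\d)*/.*",
        "logoutEndpointConstraint": r"https://localhost:?(\d)*/.*",
    },
}


def validate_endpoint(apps, wtrealm, wreply,
                      constraint_key="passiveRequestorEndpointConstraint"):
    """Return (ok, reason) for a sign-in request carrying wtrealm and wreply.

    A signed token must only be POSTed to an endpoint the registered
    application has declared; otherwise wreply becomes a token-exfiltration
    channel for anyone who can get a user to follow a crafted sign-in link.
    """
    app = apps.get(wtrealm)
    if app is None:
        # Unregistered realm: this is the "No service config found" warning
        # from the thread, and the request must stop here.
        return False, f"No service config found for {wtrealm}"
    pattern = app.get(constraint_key)
    if not pattern:
        return False, f"{constraint_key} not configured for {wtrealm}"
    # fullmatch: the whole wreply has to satisfy the constraint (assumed to
    # mirror Java's Matcher.matches(), not a substring search).
    if re.fullmatch(pattern, wreply) is None:
        return False, f"wreply {wreply!r} does not satisfy {pattern!r}"
    return True, "ok"


def compare_constraints(wreply):
    """Show why the host in the constraint must be closed off by ':' or '/'.

    'tight' is the pattern from the thread; 'loose' is a hypothetical
    misconfiguration that leaves the host name open-ended.
    """
    tight = r"https://localhost:?(\d)*/.*"
    loose = r"https://localhost.*"
    return {
        "tight": re.fullmatch(tight, wreply) is not None,
        "loose": re.fullmatch(loose, wreply) is not None,
    }


if __name__ == "__main__":
    realm = "urn:org:apache:cxf:fediz:fedizhelloworld"
    for url in ("https://localhost:9443/fedizhelloworld/secure/fedservlet",
                "https://localhost.attacker.example/collect",
                "https://localhost:9443@attacker.example/collect"):
        print(url, validate_endpoint(APPLICATIONS, realm, url),
              compare_constraints(url))
    print(validate_endpoint(APPLICATIONS, "urn:org:apache:cxf:fediz:other",
                            "https://localhost:9443/x"))
```

The third URL is the one worth looking at: it contains "localhost:9443" yet the constraint from the thread rejects it, because after the optional port the next character has to be "/", whereas the open-ended pattern accepts it and would let the IdP post the token to attacker.example.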

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hi Colm,

I am not sure that would be very easy to provide a test case? Everything 
was working fine on localhost with the test certificates.

Testing on production is completely different using letsencrypt certs 
and having to change lots of configuration files in the code? You would 
be welcome to look directly at my setup although you are probably busy?

It looks as though the idpcert in the ststrust.jks is not being properly 
sent and trusted by the idp during handshake?  I am converting it using 
openssl to pkcs12 and then importing it into a jks.  Then I export the 
cert.  Is it possible the chain is being dropped?

openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}

Also I get a lot of these warnings when creating keystores.  Should I be 
changing everything to use pkcs12?
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate 
to PKCS12 which is an industry standard format using

Matthew
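
The question above, whether the chain survives the openssl pkcs12 and keytool steps, can be answered without touching the production certificate. The script below is an added example, not code from this thread or from Fediz: it builds a throwaway two-certificate chain (a constructed test CA and a leaf for domain.tld, laid out like Let's Encrypt's fullchain.pem and privkey.pem), runs the same openssl pkcs12 -export step, and counts the certificates on both sides. The alias, the placeholder password "tompass" and the file names are assumptions carried over from the thread; the explicit PBE algorithm flags are added so that the bundle is readable by both old and new JDKs (OpenSSL 3 defaults to AES/PBKDF2, which older JDK PKCS12 readers reject).

```shell
#!/bin/sh
# Added example, not from the thread or from Fediz. Reproduces the
# PEM -> PKCS12 -> keystore steps with constructed test material so that
# "is the chain being dropped?" can be checked offline. For a real
# Let's Encrypt certificate, point the two paths at fullchain.pem/privkey.pem.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-tompass}"   # placeholder password, as used in the thread
ALIAS="mytomidpkey"

# make_test_chain DIR: constructed test CA + leaf for domain.tld, written as
# privkey.pem and fullchain.pem (leaf first, then issuer), the layout
# Let's Encrypt produces. Not a real certificate.
make_test_chain() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.tld" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
}

# pem_to_p12 CHAIN KEY OUT: the thread's export step. Every certificate in
# CHAIN goes into the bundle; the one matching KEY becomes the key's chain head.
# PBE-SHA1-3DES/sha1 is pinned so both OpenSSL 1.1/3 and any JDK can read it.
pem_to_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$ALIAS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -password "pass:$P12_PASS"
}

count_pem_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# count_p12_certs P12: how many certificates the bundle actually carries.
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# chain_preserved CHAIN P12: succeeds only if nothing was lost in conversion.
chain_preserved() {
  [ "$(count_pem_certs "$1")" -eq "$(count_p12_certs "$2")" ]
}

make_test_chain "$WORK"
pem_to_p12 "$WORK/fullchain.pem" "$WORK/privkey.pem" "$WORK/idp.p12"
echo "certificates in fullchain.pem: $(count_pem_certs "$WORK/fullchain.pem")"
echo "certificates in idp.p12:       $(count_p12_certs "$WORK/idp.p12")"
chain_preserved "$WORK/fullchain.pem" "$WORK/idp.p12" \
  || { echo "chain was dropped during PKCS12 export"; exit 1; }

# If a JDK is on the PATH, finish the thread's keytool step and let keytool
# report the chain length it stored for the entry.
if command -v keytool >/dev/null 2>&1; then
  keytool -importkeystore -noprompt -srckeystore "$WORK/idp.p12" -srcstoretype PKCS12 \
    -srcstorepass "$P12_PASS" -srcalias "$ALIAS" -destalias "$ALIAS" \
    -destkeystore "$WORK/idp-ssl-key.jks" -deststorepass "$P12_PASS" \
    -destkeypass "$P12_PASS" 2>/dev/null
  keytool -list -v -keystore "$WORK/idp-ssl-key.jks" -storepass "$P12_PASS" 2>/dev/null \
    | grep 'Certificate chain length'
fi
```

If both counts agree and keytool reports "Certificate chain length: 2", the conversion is not where the chain goes missing, and the remaining suspect is the trust side: the certificate exported with keytool -export is only the leaf, so the peer's truststore has to hold either that leaf or its issuer. On the JKS warning, it is informational; Tomcat and Fediz can use a PKCS12 file directly by setting keystoreType="PKCS12" on the connector, but nothing in the thread requires switching.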

On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
> Could you create a test-case and upload it to github somewhere + I will
> take a look?
>
> Colm.
>
> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Thanks for pointing me in the right direction.
>>
>> basically what the documentation lacks is that the ststrust.jks must
>> contain MyTCIDP.cer, i.e.
>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass
>> -alias idpcert -file MyTCIDP.cer -noprompt
>> i looked through the original ststrust.jks and it contained the alias
>> idpcert which confirmed the suspicion
>>
>> the other problem was that the cipher of the letsencrypt certificate was
>> not supported by java so i had to enable apr for openssl support.
>> -Djavax.net.debug=all helped to debug that.
>>
>> but i still have some strange problems.  when i first connect with
>> fedizhelloworld it pops up a box asking for a certificate.  and also if i
>> leave it logged in for a while and then try to logout chrome tells me
>> This site can’t provide a secure connection
>> ERR_SSL_PROTOCOL_ERROR
>>
>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>
>>> Your truststore in cxf-tls.xml must trust the certificate presented by the
>>> STS. Also, it must contain a keystore with the private key of the IdP,
>>> which in turn must be trusted by the STS.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Are the two keystores responsible for the trust between idp and sts supposed to be
>>>> stsrealm_a.jks and ststrust.jks
>>>>
>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld) which makes sense if it is hitting domain.tls:9443/idp etc
>>>>
>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as MyTCRP.cer?
>>>>
>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>
>>>>> You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> i get a load of stuff, but in the middle of the one before the error i get
>>>>>>
>>>>>> Warning: no suitable certificate found - continuing without client authentication
>>>>>>
>>>>>>
>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>
>>>>>>> ahhh...
>>>>>>>
>>>>>>> -Djavax.net.debug=all
>>>>>>>
>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>> <security:debug/>?
>>>>>>>>
>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code.  but i was taking it from the internet.
>>>>>>>>>>
>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again.  I can browse the wsdl without having to provide a client certificate.  could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly?  or is it definitely a tomcat server.xml issue?
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>
>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>
>>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>
>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>
>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>> and
>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>
>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>>>>>>
>>>>>>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> then
>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot access the site at all with
>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount
>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> reloading
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> the certificates is helping.  is there any way to debug what
>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>> actual
>>>>>>>>>>>>>>>> problem is?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor
>>>>>>>>>>>>>>>> for
>>>>>>>>>>>>>>>> {
>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>>>>>>>>>>>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/20051
>>>>>>>>>>>>>>>> 2/}Issue
>>>>>>>>>>>>>>>> has
>>>>>>>>>>>>>>>> thrown exception, unwinding now
>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ
>>>>>>>>>>>>>>>> model to
>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local
>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>            at org.apache.cxf.phase.PhaseInte
>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase
>>>>>>>>>>>>>>>> InterceptorChain.java:308)
>>>>>>>>>>>>>>>>            at org.apache.cxf.endpoint.Client
>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java:
>>>>>>>>>>>>>>>> 518)
>>>>>>>>>>>>>>>>            at org.apache.cxf.endpoint.Client
>>>>>>>>>>>>>>>> Impl.invoke(ClientImpl.java:
>>>>>>>>>>>>>>>> 427)
>>>>>>>>>>>>>>>>            at org.apache.cxf.endpoint.Client
>>>>>>>>>>>>>>>> Impl.invoke(ClientImpl.java:
>>>>>>>>>>>>>>>> 328)
>>>>>>>>>>>>>>>>            at org.apache.cxf.endpoint.Client
>>>>>>>>>>>>>>>> Impl.invoke(ClientImpl.java:
>>>>>>>>>>>>>>>> 281)
>>>>>>>>>>>>>>>>            at org.apache.cxf.ws.security.tru
>>>>>>>>>>>>>>>> st.AbstractSTSClient.issue(Abs
>>>>>>>>>>>>>>>> tractSTSClient.java:861)
>>>>>>>>>>>>>>>>            at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>> dp.IdpSTSClient.requestSecurit
>>>>>>>>>>>>>>>> yTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>            at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>> dp.IdpSTSClient.requestSecurit
>>>>>>>>>>>>>>>> yTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>            at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>> dp.beans.STSClientAction.submi
>>>>>>>>>>>>>>>> t(STSClientAction.java:296)
>>>>>>>>>>>>>>>>            at sun.reflect.NativeMethodAccess
>>>>>>>>>>>>>>>> orImpl.invoke0(Native
>>>>>>>>>>>>>>>> Method)
>>>>>>>>>>>>>>>>            at sun.reflect.NativeMethodAccess
>>>>>>>>>>>>>>>> orImpl.invoke(NativeMethodAcce
>>>>>>>>>>>>>>>> ssorImpl.java:62)
>>>>>>>>>>>>>>>>            at sun.reflect.DelegatingMethodAc
>>>>>>>>>>>>>>>> cessorImpl.invoke(DelegatingMe
>>>>>>>>>>>>>>>> thodAccessorImpl.java:43)
>>>>>>>>>>>>>>>>            at java.lang.reflect.Method.invok
>>>>>>>>>>>>>>>> e(Method.java:498)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.support.ReflectiveMethod
>>>>>>>>>>>>>>>> Executor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.ast.MethodReference.getV
>>>>>>>>>>>>>>>> alueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.ast.MethodReference.
>>>>>>>>>>>>>>>> access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.ast.MethodReference$Meth
>>>>>>>>>>>>>>>> odValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.ast.CompoundExpression.g
>>>>>>>>>>>>>>>> etValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.ast.SpelNodeImpl.
>>>>>>>>>>>>>>>> getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>>            at org.springframework.expression
>>>>>>>>>>>>>>>> .spel.standard.SpelExpression.
>>>>>>>>>>>>>>>> getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>>            at org.springframework.binding.ex
>>>>>>>>>>>>>>>> pression.spel.SpringELExpressi
>>>>>>>>>>>>>>>> on.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.ac
>>>>>>>>>>>>>>>> tion.EvaluateAction.doExecute(
>>>>>>>>>>>>>>>> EvaluateAction.java:75)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.ac
>>>>>>>>>>>>>>>> tion.AbstractAction.execute(Ab
>>>>>>>>>>>>>>>> stractAction.java:188)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.ex
>>>>>>>>>>>>>>>> ecution.AnnotatedAction.execut
>>>>>>>>>>>>>>>> e(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.ex
>>>>>>>>>>>>>>>> ecution.ActionExecutor.execute
>>>>>>>>>>>>>>>> (ActionExecutor.java:51)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.ActionList.execute(Action
>>>>>>>>>>>>>>>> List.java:154)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>> 3)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.SubflowState.handleEvent(
>>>>>>>>>>>>>>>> SubflowState.java:116)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>>>>>>>> a:547)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.en
>>>>>>>>>>>>>>>> dActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.endActiveFlowSession(RequestControlContextImpl.java:
>>>>>>>>>>>>>>>> 238)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.EndState.doEnter(EndState
>>>>>>>>>>>>>>>> .java:107)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>>>>>>>> a:547)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>>>>>>>>>> nState.java:105)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>>>>>>>> a:547)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>>            at org.springframework.webflow.en
>>>>>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>>>>>>         at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>         at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>         at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>>>>>>         ... 155 more
>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>>>>>>> This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a PEM certificate instead of a Java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>                SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>                sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>                keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the Tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem? How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> But now I have this:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W
>>>>>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> m.xml
>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="
>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:9443
>>>>>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="
>>>>>>>>>>>>>>>>>>>>>>> https://domain.tld:0/id
>>>>>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM"
>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>> <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>                          <ref
>>>>>>>>>>>>>>>>>>>>>>>> bean="srv-fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>> </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>                  </property>
>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="
>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="realm"
>>>>>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi
>>>>>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="protocol" value="
>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.
>>>>>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="serviceDisplayName"
>>>>>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="serviceDescription"
>>>>>>>>>>>>>>>>>>>>>>>> value="Web
>>>>>>>>>>>>>>>>>>>>>>>> Application to
>>>>>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="role"
>>>>>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="tokenType" value="
>>>>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open
>>>>>>>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="lifeTime"
>>>>>>>>>>>>>>>>>>>>>>>> value="3600"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property
>>>>>>>>>>>>>>>>>>>>>>>> name="passiveRequestorEndpoint
>>>>>>>>>>>>>>>>>>>>>>>> Constraint"
>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property
>>>>>>>>>>>>>>>>>>>>>>>> name="logoutEndpointConstraint
>>>>>>>>>>>>>>>>>>>>>>>> "
>>>>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat
>>>>>>>>>>>>>>>>>>>>>>>> ionClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="application"
>>>>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="claim"
>>>>>>>>>>>>>>>>>>>>>>>> ref="claim_role"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>>                  <property name="optional"
>>>>>>>>>>>>>>>>>>>>>>>> value="false"
>>>>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> ty
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> instance in
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml
>>>>>>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>>>>>> realm
>>>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.)
>>>>>>>>>>>>>>>>>>>>>>>>> domain.tld:9443/idp
>>>>>>>>>>>>>>>>>>>>>>>>> and i
>>>>>>>>>>>>>>>>>>>>>>>>> am
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet.
>>>>>>>>>>>>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to
>>>>>>>>>>>>>>>>>>>>>>>>>> authenticate
>>>>>>>>>>>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424
>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>> Token
>>>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>]
>>>>>>>>>>>>>>>>>>>>>>>>>> successfully
>>>>>>>>>>>>>>>>>>>>>>>>>> cached.
>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433
>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>>>>>>>>>> service config found for
>>>>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>
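As an added example (not Fediz code and not from anyone in this thread), here is a small Python model of what the quoted ApplicationEntity constraints and the EndpointAddressValidator warning amount to: find the application by wtrealm, then require the wreply to match the configured regex in full. That the validator looks up by realm and uses a whole-string match is this example's assumption about Fediz, as is the tightened constraint included for comparison; the realm and the constraint regex are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


# Constructed stand-in for the ApplicationEntity beans quoted in the thread
# (hypothetical class; not Fediz's own model).
@dataclass(frozen=True)
class Application:
    realm: str
    passive_requestor_endpoint_constraint: str
    logout_endpoint_constraint: str


# The srv-fedizhelloworld bean from the thread, with its constraint regex as given.
HELLOWORLD = Application(
    realm="urn:org:apache:cxf:fediz:fedizhelloworld",
    passive_requestor_endpoint_constraint=r"https://localhost:?(\d)*/.*",
    logout_endpoint_constraint=r"https://localhost:?(\d)*/.*",
)

# Tighter variant (an assumption of this example, not from the thread): a port,
# if present, must follow a colon, so "https://localhost9443/..." no longer passes.
HELLOWORLD_STRICT = Application(
    realm=HELLOWORLD.realm,
    passive_requestor_endpoint_constraint=r"https://localhost(:\d+)?/.*",
    logout_endpoint_constraint=r"https://localhost(:\d+)?/.*",
)


def build_registry(apps: Iterable[Application]) -> Dict[str, Application]:
    """Index applications by realm, the way the IdpEntity 'applications' list is used."""
    return {app.realm: app for app in apps}


def validate_endpoint(registry: Dict[str, Application], wtrealm: str,
                      wreply: str, logout: bool = False) -> Tuple[bool, str]:
    """Decide whether a token may be posted back to wreply for application wtrealm.

    Returns (accepted, reason). An unknown realm produces the same
    'No service config found' message that appeared in the IdP log above.
    """
    app = registry.get(wtrealm)
    if app is None:
        return False, f"No service config found for {wtrealm}"
    if not wreply:
        return False, "no wreply supplied"
    constraint = (app.logout_endpoint_constraint if logout
                  else app.passive_requestor_endpoint_constraint)
    # fullmatch mirrors java.util.regex.Matcher.matches(): the whole wreply must
    # match, so a constraint cannot be satisfied by an embedded substring.
    if re.fullmatch(constraint, wreply) is None:
        return False, f"wreply {wreply} does not match {constraint}"
    return True, "ok"


if __name__ == "__main__":
    reg = build_registry([HELLOWORLD])
    # Constructed sample wreply values; other.example is a reserved example domain.
    for candidate in ("https://localhost:9443/fedizhelloworld/secure/fedservlet",
                      "https://localhost9443/fedizhelloworld/",
                      "https://localhost:9443@other.example/",
                      "http://localhost:9443/fedizhelloworld/"):
        print(candidate, validate_endpoint(reg, HELLOWORLD.realm, candidate))
```

Note that with the constraint exactly as quoted, the colon and the digits are independently optional, so a host named localhost9443 would pass; the strict variant closes that gap.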


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you create a test-case and upload it to github somewhere + I will
take a look?

Colm.

On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Thanks for pointing me in the right direction.
>
> basically what the documentation lacks is that the ststrust.jks must
> contain MyTCIDP.cer, i.e.
> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass
> -alias idpcert -file MyTCIDP.cer -noprompt
> i looked through the original ststrust.jks and it contained the alias
> idpcert which confirmed the suspicion
>
> the other problem was that the cipher of the letsencrypt certificate was
> not supported by java so i had to enable apr for openssl support.
> -Djavax.net.debug=all helped to debug that.
>
> but i still have some strange problems.  when i first connect with
> fedizhelloworld it pops up a box asking for a certificate.  and also if i
> leave it logged in for a while and then try to logout chrome tells me
> This site can’t provide a secure connection
> ERR_SSL_PROTOCOL_ERROR
>
> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>
>> Your truststore in cxf-tls.xml must trust the certificate presented by the
>> STS. Also, it must contain a keystore with the private key of the IdP,
>> which in turn must be trusted by the STS.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Are the two keystores responsible for the trust between idp and sts
>>> supposed to be
>>> stsrealm_a.jks and ststrust.jks
>>>
>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>>>
>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>> MyTCRP.cer?
>>>
>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>
>>>> You'll need to go through the output to figure out why the cert is not
>>>> trusted. If you generate some test certs + create a testcase somewhere I
>>>> will take a look.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> i get a load of stuff, but in the middle of the one before the error i get
>>>>>
>>>>> Warning: no suitable certificate found - continuing without client
>>>>> authentication
>>>>>
>>>>>
>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>
>>>>>> ahhh...
>>>>>>
>>>>>> -Djavax.net.debug=all
>>>>>>
>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>
>>>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>> <security:debug/>?
>>>>>>>
>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> If you change it to "required" does it fail? If so, you could try
>>>>>>>> running the Tomcat IdP with Java SSL debugging enabled and it should tell
>>>>>>>> you why the IdP can't connect to the STS.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> Hi Colm,
>>>>>>>>>
>>>>>>>>> I realise now that this html file was included in the
>>>>>>>>> examples/samplekeys directory in the code.  but i was taking it from
>>>>>>>>> the internet.
>>>>>>>>>
>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>> still getting the same error over and again.  I can browse the wsdl
>>>>>>>>> without having to provide a client certificate.  could you point me to
>>>>>>>>> the part of the idp-sts configuration which might be causing it to not
>>>>>>>>> ask for the keys properly?  or is it definitely a tomcat server.xml
>>>>>>>>> issue?
>>>>>>>>>
>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>
>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>
>>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colm
>>>>>>>>>>>
>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly
>>>>>>>>>>> formatted in html?
>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>
>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>> and
>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>
>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>
>>>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>>>> further
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but
>>>>>>>>>>>> with your own keys?
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>>>
>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the
>>>>>>>>>>>>> default SSLHostConfig element.
>>>>>>>>>>>>>
>>>>>>>>>>>>> then
>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid
>>>>>>>>>>>>> certificate chain from the client before accepting a connection. Set
>>>>>>>>>>>>> to optional if you want the SSL stack to request a client Certificate,
>>>>>>>>>>>>> but not fail if one isn't presented. Set to optionalNoCA if you want
>>>>>>>>>>>>> client certificates to be optional and you don't want Tomcat to check
>>>>>>>>>>>>> them against the list of trusted CAs. If the TLS provider doesn't
>>>>>>>>>>>>> support this option (OpenSSL does, JSSE does not) it is treated as if
>>>>>>>>>>>>> optional was specified. A none value (which is the default) will not
>>>>>>>>>>>>> require a certificate chain unless the client requests a resource
>>>>>>>>>>>>> protected by a security constraint that uses CLIENT-CERT
>>>>>>>>>>>>> authentication.
>>>>>>>>>>>>>
>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i
>>>>>>>>>>>>> cannot access the site at all with
>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer
>>>>>>>>>>>>> cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>
>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not
>>>>>>>>>>>>>> asking for client authentication. You can check this by using a web
>>>>>>>>>>>>>> browser or curl to view the WSDL of the STS - if you can get it to
>>>>>>>>>>>>>> work then the configuration is incorrect, as it should error on the
>>>>>>>>>>>>>> browser not supplying a client cert.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of
>>>>>>>>>>>>>>> reloading the certificates is helping.  is there any way to debug
>>>>>>>>>>>>>>> what the actual problem is?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>         at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>         at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>         at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.jav
>>>>>>>>>>>>>>> a:97)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:
>>>>>>>>>>>>>>> 150)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>           at org.springframework.web.filter
>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.
>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>           at org.springframework.security.w
>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>           at org.springframework.web.filter
>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>           at org.springframework.web.filter
>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>           at org.springframework.web.filter
>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>           at org.springframework.web.filter
>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>           at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>           at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>           at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>           at org.apache.catalina.connector.
>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>           at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>           at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>           at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>           at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>           at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>           at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>           at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>           at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the server
>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>           ... 154 more
>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>           at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>           at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>           at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>           at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>           at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>           ... 155 more
>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  -
>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>>>>>>> certificate by following this example
>>>>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the PEMs into JKS files.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>>>>>> This seems impractical in production as the certificates get reissued every
>>>>>>>>>>>>>>>> 6 months.  Is it possible for sec:keyStore to define the resource as being
>>>>>>>>>>>>>>>> in catalina base?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>>>>>>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> this document
>>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>>>>>>>>>> version is on github:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a PEM certificate
>>>>>>>>>>>>>>>>>> instead of a Java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>>>>>>>>>>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>>>>>>>>>>>>>>> switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     <Connector port="9443"
>>>>>>>>>>>>>>>>>>>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>>>>>>                maxThreads="150"
>>>>>>>>>>>>>>>>>>>                SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>>>>>>                clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>>>                keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>>>>>>                truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>>>>>>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>>>>>>>>>>>>>>> private key of your IdP.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks" />
>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> The previous one was caused by
>>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>> according to the original file
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>     ...
>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> ty
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> instance in
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml
>>>>>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>>>>> realm
>>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.)
>>>>>>>>>>>>>>>>>>>>>>>> domain.tld:9443/idp
>>>>>>>>>>>>>>>>>>>>>>>> and i
>>>>>>>>>>>>>>>>>>>>>>>> am
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet.
>>>>>>>>>>>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate
>>>>>>>>>>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424
>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>> Token
>>>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>]
>>>>>>>>>>>>>>>>>>>>>>>>> successfully
>>>>>>>>>>>>>>>>>>>>>>>>> cached.
>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433
>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>>>>>>>>> service config found for
>>>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>
>>>>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
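The WARN line quoted above ("No service config found for urn:org:apache:cxf:fediz:fedizhelloworld") is what the IdP reports when the realm an application sends has no ApplicationEntity behind it; once the entity exists, the IdP still has to check the application's reply address against passiveRequestorEndpointConstraint before it posts a signed token back. The block below is an added example written for this page, not Fediz's own EndpointAddressValidator or its entities-realma.xml: it reimplements that lookup-then-match step in Python over a constructed bean file modelled on the one quoted in the thread. The realm property and the function names are assumptions; the two constraint regexes are the ones from the quoted bean.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample modelled on the ApplicationEntity bean quoted in the thread.
# It is NOT the project's entities-realma.xml; the realm property is assumed.
SAMPLE_ENTITIES_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="srv-fedizhelloworld"
        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType"
              value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
  </bean>
</beans>
"""

SPRING_NS = {"b": "http://www.springframework.org/schema/beans"}
APPLICATION_ENTITY = "org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"


@dataclass
class ServiceConfig:
    """Per-realm settings the IdP needs before it will hand a token back."""
    realm: str
    passive_requestor_endpoint_constraint: Optional[str] = None
    logout_endpoint_constraint: Optional[str] = None


def load_service_configs(xml_text: str) -> Dict[str, ServiceConfig]:
    """Collect ApplicationEntity beans keyed by realm; other bean classes are skipped."""
    root = ET.fromstring(xml_text)
    configs: Dict[str, ServiceConfig] = {}
    for bean in root.findall("b:bean", SPRING_NS):
        if bean.get("class") != APPLICATION_ENTITY:
            continue
        props = {p.get("name"): p.get("value")
                 for p in bean.findall("b:property", SPRING_NS)
                 if p.get("value") is not None}
        realm = props.get("realm")
        if realm:
            configs[realm] = ServiceConfig(
                realm=realm,
                passive_requestor_endpoint_constraint=props.get("passiveRequestorEndpointConstraint"),
                logout_endpoint_constraint=props.get("logoutEndpointConstraint"),
            )
    return configs


def validate_endpoint(configs: Dict[str, ServiceConfig], realm: str,
                      endpoint: str, logout: bool = False) -> Tuple[bool, str]:
    """Accept the endpoint only if the realm is registered and the WHOLE URL
    satisfies the configured constraint; re.fullmatch anchors both ends so a
    merely-contained match is not enough."""
    cfg = configs.get(realm)
    if cfg is None:
        # Same condition the WARN line in the thread reports.
        return False, f"No service config found for {realm}"
    pattern = cfg.logout_endpoint_constraint if logout else cfg.passive_requestor_endpoint_constraint
    if pattern is None:
        return False, f"No endpoint constraint configured for {realm}"
    if re.fullmatch(pattern, endpoint) is None:
        return False, f"{endpoint} does not match {pattern!r} for {realm}"
    return True, "ok"


if __name__ == "__main__":
    cfgs = load_service_configs(SAMPLE_ENTITIES_XML)
    realm = "urn:org:apache:cxf:fediz:fedizhelloworld"
    for wreply in ("https://localhost:9443/fedizhelloworld/secure/fedservlet",
                   "http://localhost:9443/fedizhelloworld/secure/fedservlet"):
        print(validate_endpoint(cfgs, realm, wreply))
    print(validate_endpoint(cfgs, "urn:org:apache:cxf:fediz:unregistered", wreply))
```

Two things the run shows that the warning alone does not: an unregistered realm fails before any address is looked at, which is exactly the state Colm's question about entities-realma.xml is probing for; and the constraint is applied to the whole reply address, so a plain-http or un-slashed variant of a registered endpoint is rejected even though the host matches.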

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Thanks for pointing me in the right direction.

basically what the documentation lacks is that the ststrust.jks must 
contain MyTCIDP.cer, i.e.
keytool -import -trustcacerts -keystore ststrust.jks -storepass 
storepass -alias idpcert -file MyTCIDP.cer -noprompt
i looked through the original ststrust.jks and it contained the alias 
idpcert which confirmed the suspicion

the other problem was that the cipher of the letsencrypt certificate was 
not supported by java so i had to enable apr for openssl support.  
-Djavax.net.debug=all helped to debug that.

but i still have some strange problems.  when i first connect with 
fedizhelloworld it pops up a box asking for a certificate.  and also if 
i leave it logged in for a while and then try to logout chrome tells me
This site can’t provide a secure connection
ERR_SSL_PROTOCOL_ERROR

On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
> Your truststore in cxf-tls.xml must trust the certificate presented by the
> STS. Also, it must contain a keystore with the private key of the IdP,
> which in turn must be trusted by the STS.
>
> Colm.
>
> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Are the two keystores responsible for the trust between idp and sts
>> supposed to be stsrealm_a.jks and ststrust.jks?
>>
>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>>
>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>> MyTCRP.cer?
>>
>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>
>>> You'll need to go through the output to figure out why the cert is not
>>> trusted. If you generate some test certs + create a testcase somewhere I
>>> will take a look.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> i get a load of stuff, but in the middle of the one before the error i get
>>>> Warning: no suitable certificate found - continuing without client
>>>> authentication
>>>>
>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>
>>>>> ahhh...
>>>>> -Djavax.net.debug=all
>>>>>
>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>
>>>>>> How would I enable the debug?
>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>> <security:debug/>?
>>>>>>
>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> If you change it to "required" does it fail? If so, you could try running
>>>>>>> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
>>>>>>> the IdP can't connect to the STS.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> Hi Colm,
>>>>>>>>
>>>>>>>> I realise now that this html file was included in the examples/samplekeys
>>>>>>>> directory in the code.  but i was taking it from the internet.
>>>>>>>>
>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>>>>>>> getting the same error over and again.  I can browse the wsdl without
>>>>>>>> having to provide a client certificate.  could you point me to the part of
>>>>>>>> the idp-sts configuration which might be causing it to not ask for the keys
>>>>>>>> properly?  or is it definitely a tomcat server.xml issue?
>>>>>>>>
>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> You can see the HTML here:
>>>>>>>>>
>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>
>>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm
>>>>>>>>>>
>>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>>>>>>> in html?
>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>
>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>> and
>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>
>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>> ststrust.jks.
>>>>>>>>>>
>>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>>> further
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>>>>>>>> your own keys?
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> in Tomcat 8
>>>>>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>>>>>> it says
>>>>>>>>>>>> clientAuth
>>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>>>>>>>> SSLHostConfig element.
>>>>>>>>>>>>
>>>>>>>>>>>> then
>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>>>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>>>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>>>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>>>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>>>>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>>>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>>>>>>>> client requests a resource protected by a security constraint that uses
>>>>>>>>>>>> CLIENT-CERT authentication.
>>>>>>>>>>>>
>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot
>>>>>>>>>>>> access the site at all with
>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>
>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>
>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for
>>>>>>>>>>>>> client authentication. You can check this by using a web browser or curl to
>>>>>>>>>>>>> view the WSDL of the STS - if you can get it to work then the configuration
>>>>>>>>>>>>> is incorrect, as it should error on the browser not supplying a client
>>>>>>>>>>>>> cert.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of reloading
>>>>>>>>>>>>>> the certificates is helping.  is there any way to debug what the actual
>>>>>>>>>>>>>> problem is?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>           at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>           at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>           at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>           at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>           at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>>           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>>           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>>           at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>>           at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>>           at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>>           at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>>           at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>>           at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>>           at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>           at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>           at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>           at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>           at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>>           at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>>           at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>>           at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>>           at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>>           at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>>           at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>           at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>           at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>>           at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>>>>>>>>>           at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>           at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>>>>>>>>>>           at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>           at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>           at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>           at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>>           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>>>>>>>>>>>           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>>>>           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>>>>           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>>>>           at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>           at org.apache.catalina.core.Stand
>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>           at org.apache.catalina.connector.
>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>           at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>           at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>           at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>           at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>           at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>           at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>           at org.apache.tomcat.util.threads
>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>           at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>           ... 154 more
>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>           at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>>>>           at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>>>>           at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>           at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>>>>           at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>>>>           ... 155 more
>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>>>>>> certificate by following this example
>>>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>>>>> This seems impractical in production as the certificates get reissued every
>>>>>>>>>>>>>>> 6 months.  Is it possible for sec:keyStore to define the resource as being
>>>>>>>>>>>>>>> in catalina base?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>>>>>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has
>>>>>>>>>>>>>>>>> idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>>>>>>>>> version is on github:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>>>>>>>> instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>>>>>>>>>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>>>>>>>>>>>>>> switching over to the APR connector:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>          <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>                     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>                     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>                     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>>>>>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>>>>>>>>>>>>>> private key of your IdP.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>                        maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>                 <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>                 <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>                     <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>                                  certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>                                  certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>                                  type="RSA" />
>>>>>>>>>>>>>>>>>>>                 </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>             </Connector>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>                 <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>                     <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>                         <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>                     </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>                     <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>                         <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>                     </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>                 </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>             </http:conduit>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> but now I have this
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>             ...
>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>             at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>             ... 154 more
>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>             at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>             ...
>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>                 <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>                     <util:list>
>>>>>>>>>>>>>>>>>>>>>>                         <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>                         <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>                     </util:list>
>>>>>>>>>>>>>>>>>>>>>>                 </property>
>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>                 <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>                 <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>                 <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It
>>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>
>>>>>
>


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
Your truststore in cxf-tls.xml must trust the certificate presented by the
STS. Also, it must contain a keystore with the private key of the IdP,
which in turn must be trusted by the STS.

Colm.
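As an added example (not code from the thread or from the Fediz project): the PEM-to-keystore steps and the "is the STS asking for a client certificate?" check that the exchange above turns on, assuming openssl is on PATH and, only for the JKS truststore, keytool from a JDK; file names and passwords are the sample values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Fediz project.
# Packages the Let's Encrypt PEM files discussed above into the keystore
# formats Tomcat and the CXF sec:keyStore element accept (JKS or PKCS12),
# and checks whether a TLS endpoint actually asks for a client certificate.
# Assumed: openssl on PATH; keytool (JDK) only for the JKS truststore.
# File names and passwords are the sample values from the thread.
set -eu

# IdP key material for sec:keyManagers / keystoreFile: a PKCS12 built with
# openssl alone, so no JDK is needed on the box that holds the private key.
# $1 privkey.pem, $2 fullchain.pem (leaf first), $3 output .p12,
# $4 keystore password, $5 optional alias
pem_to_pkcs12() {
    key="$1"; chain="$2"; out="$3"; pw="$4"; alias="${5:-idp}"
    # OpenSSL 3 writes AES/PBKDF2 by default; JDKs older than 8u301 need
    # the old encoding, which OpenSSL 3 produces when -legacy is added.
    openssl pkcs12 -export -inkey "$key" -in "$chain" \
        -name "$alias" -out "$out" -passout "pass:$pw"
}

# Subject of the leaf certificate inside a PKCS12 keystore: a quick check
# that the right certificate went in before pointing cxf-tls.xml at it.
pkcs12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Truststore for sec:trustManagers on the IdP (or truststoreFile on the
# STS connector): a JKS holding the peer's *issuing* certificate.
# keytool imports only the first certificate in the file, so pass the
# intermediate (chain.pem), not fullchain.pem, which starts with the leaf.
# $1 issuer PEM, $2 output .jks, $3 store password, $4 alias
add_trusted_cert() {
    keytool -importcert -noprompt -alias "$4" -file "$1" \
        -keystore "$2" -storetype JKS -storepass "$3"
}

# Number of trusted certificate entries in a JKS file.
jks_entry_count() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$2" \
        | grep -c trustedCertEntry
}

# Does the endpoint send a CertificateRequest during the handshake?
# "RequireClientCertificate is set, but no local certificates were
# negotiated" in the thread means the IdP was never asked for one. With
# clientAuth="want" s_client prints "Acceptable client certificate CA names"
# (or "No client certificate CA names sent"); with the default "none" it
# prints neither.  Returns 0 when a client certificate is requested.
server_requests_client_cert() {
    host="${1%%:*}"
    out=$(printf '' | openssl s_client -connect "$1" -servername "$host" 2>/dev/null) || true
    case "$out" in
        *"Acceptable client certificate CA names"*|*"No client certificate CA names sent"*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Stand-alone run: constructed self-signed material stands in for the
# Let's Encrypt files; the handshake check only runs if a host:port is given.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=domain.tld \
        -keyout "$work/privkey.pem" -out "$work/fullchain.pem" 2>/dev/null
    pem_to_pkcs12 "$work/privkey.pem" "$work/fullchain.pem" \
        "$work/idp-ssl-key.p12" tompass
    pkcs12_subject "$work/idp-ssl-key.p12" tompass
    if [ -n "${2:-}" ]; then
        if server_requests_client_cert "$2"; then
            echo "$2 asks for a client certificate"
        else
            echo "$2 does not ask for a client certificate"
        fi
    fi
fi
```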

On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Are the two keystores responsible for the trust between idp and sts
> supposed to be stsrealm_a.jks and ststrust.jks?
>
> It is just that the cert it is not trusting is the idp-ssl-key.jks
> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc
>
> Does this mean ststrust.jks should contain MyTCIDP.cer as well as
> MyTCRP.cer?
>
> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>
>> You'll need to go through the output to figure out why the cert is not
>> trusted. If you generate some test certs + create a testcase somewhere I
>> will take a look.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> I get a load of stuff, but in the middle of the one before the error I get
>>> Warning: no suitable certificate found - continuing without client
>>> authentication
>>>
>>>
>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>
>>>> ahhh...
>>>> -Djavax.net.debug=all
>>>>
>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>
>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>> <security:debug/>?
>>>>>
>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> If you change it to "required" does it fail? If so, you could try running
>>>>>> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
>>>>>> the IdP can't connect to the STS.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm,
>>>>>>>
>>>>>>> I realise now that this html file was included in the examples/samplekeys
>>>>>>> directory in the code.  But I was taking it from the internet.
>>>>>>>
>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>>>>>> getting the same error over and again.  I can browse the wsdl without
>>>>>>> having to provide a client certificate.  Could you point me to the part of
>>>>>>> the idp-sts configuration which might be causing it to not ask for the keys
>>>>>>> properly?  Or is it definitely a tomcat server.xml issue?
>>>>>>>
>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> You can see the HTML here:
>>>>>>>>
>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>
>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> Hi Colm
>>>>>>>>>
>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>>>>>> in html?
>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>
>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>> and
>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>
>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>> ststrust.jks.
>>>>>>>>>
>>>>>>>>> I have some more things to try now so I will let you know if I get
>>>>>>>>> further
>>>>>>>>>
>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>>>>>>> your own keys?
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>
>>>>>>>>>>> clientAuth
>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>>>>>>> SSLHostConfig element.
>>>>>>>>>>>
>>>>>>>>>>> then
>>>>>>>>>>> certificateVerification
>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>>>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>>>>>>> client requests a resource protected by a security constraint that uses
>>>>>>>>>>> CLIENT-CERT authentication.
>>>>>>>>>>>
>>>>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>>>>>>>> access the site at all with
>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>
>>>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not
>>>>>>>>>>>> asking for client authentication. You can check this by using a
>>>>>>>>>>>> web browser or curl to view the WSDL of the STS - if you can get
>>>>>>>>>>>> it to work then the configuration is incorrect, as it should error
>>>>>>>>>>>> on the browser not supplying a client cert.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of
>>>>>>>>>>>>> reloading the certificates is helping.  Is there any way to debug
>>>>>>>>>>>>> what the actual problem is?
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model
>>>>>>>>>>>>> to stream: RequireClientCertificate is set, but no local
>>>>>>>>>>>>> certificates were negotiated.  Is the server set to ask for
>>>>>>>>>>>>> client authorization?
>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>> negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error
>>>>>>>>>>>>> in retrieving a token
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the
>>>>>>>>>>>>>> production certificate by following this example
>>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems
>>>>>>>>>>>>>> into jks files.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but in the end I also had to copy idp-ssl-key.jks and
>>>>>>>>>>>>>> idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as
>>>>>>>>>>>>>> having them in catalina base.  This seems impractical in
>>>>>>>>>>>>>> production as the certificates get reissued every 6 months.  Is
>>>>>>>>>>>>>> it possible for sec:keyStore to define the resource as being in
>>>>>>>>>>>>>> catalina base?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is
>>>>>>>>>>>>>>> also a sec:certStore that works with PEM files, but only for
>>>>>>>>>>>>>>> TrustStores I think. As a workaround you can just use the Java
>>>>>>>>>>>>>>> keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> this document
>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The
>>>>>>>>>>>>>>> correct version is on github:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem
>>>>>>>>>>>>>>>> certificate instead of a java keystore?  Where is the
>>>>>>>>>>>>>>>> documentation for sec:keyStore?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me
>>>>>>>>>>>>>>>>> in the tests, perhaps you could duplicate this config and get
>>>>>>>>>>>>>>>>> it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>   <Connector port="9443"
>>>>>>>>>>>>>>>>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>>>>     maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>>>>>>>>>>>>>     secure="true" clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>     keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>>>>>>>     truststorePass="ispass" />
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The
>>>>>>>>>>>>>>>>> truststore should contain the issuing cert of the Tomcat
>>>>>>>>>>>>>>>>> instance hosting your STS + then keystore the private key of
>>>>>>>>>>>>>>>>> your IdP.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat
>>>>>>>>>>>>>>>>> server.xml.  I
>>>>>>>>>>>>>>>>> added
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still
>>>>>>>>>>>>>>>>> have
>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> same
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.ht
>>>>>>>>>>>>>>>>>> tp11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>                       maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>                <UpgradeProtocol
>>>>>>>>>>>>>>>>>> className="org.apache.coyote.h
>>>>>>>>>>>>>>>>>> ttp2.Http2Protocol"
>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>                <SSLHostConfig
>>>>>>>>>>>>>>>>>> clientVerification="required">
>>>>>>>>>>>>>>>>>>                    <Certificate
>>>>>>>>>>>>>>>>>> certificateKeyFile="/etc/letse
>>>>>>>>>>>>>>>>>> ncrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>> certificateFile="/etc/letsencr
>>>>>>>>>>>>>>>>>> ypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>> certificateChainFile="/etc/let
>>>>>>>>>>>>>>>>>> sencrypt/live/domain.tld/fullc
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> hain.pem"
>>>>>>>>>>>>>>>>>> type="RSA" />
>>>>>>>>>>>>>>>>>>                </SSLHostConfig>
>>>>>>>>>>>>>>>>>>            </Connector>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this
>>>>>>>>>>>>>>>>>> be the
>>>>>>>>>>>>>>>>>> problem?
>>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>> <http:tlsClientParameters
>>>>>>>>>>>>>>>>>> disableCNCheck="true">
>>>>>>>>>>>>>>>>>>                    <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>                        <sec:keyStore type="jks"
>>>>>>>>>>>>>>>>>> password="ispass"
>>>>>>>>>>>>>>>>>> resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>> </sec:trustManagers>
>>>>>>>>>>>>>>>>>>                    <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>                        <sec:keyStore type="jks"
>>>>>>>>>>>>>>>>>> password="tompass"
>>>>>>>>>>>>>>>>>> resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>> </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>> </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>            </http:conduit>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and
>>>>>>>>>>>>>>>>>> restarting.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9]
>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor
>>>>>>>>>>>>>>>>>>> for
>>>>>>>>>>>>>>>>>>> {
>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws-
>>>>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT
>>>>>>>>>>>>>>>>>>> okenService#{http://docs.oasis
>>>>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051
>>>>>>>>>>>>>>>>>>> 2/}Issue
>>>>>>>>>>>>>>>>>>> has
>>>>>>>>>>>>>>>>>>> thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing
>>>>>>>>>>>>>>>>>>> SAAJ
>>>>>>>>>>>>>>>>>>> model
>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local
>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.phase.PhaseInte
>>>>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase
>>>>>>>>>>>>>>>>>>> InterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.endpoint.Client
>>>>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java:
>>>>>>>>>>>>>>>>>>> 518)
>>>>>>>>>>>>>>>>>>>            ...
>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated.  Is the
>>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>>> set
>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>>            at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.java
>>>>>>>>>>>>>>>>>>> :255)
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>            ... 154 more
>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local
>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>            ...
>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9]
>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction -
>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the
>>>>>>>>>>>>>>>>>>> login
>>>>>>>>>>>>>>>>>>> screen
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5]
>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> horityEntitlements
>>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W
>>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> m.xml
>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443
>>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/id
>>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM"
>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>                <property name="applications">
>>>>>>>>>>>>>>>>>>>>> <util:list>
>>>>>>>>>>>>>>>>>>>>>                        <ref bean="srv-fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>                <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>> </util:list>
>>>>>>>>>>>>>>>>>>>>>                </property>
>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="
>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>                <property name="realm"
>>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi
>>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>                <property name="protocol" value="
>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open.
>>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>                <property name="serviceDisplayName"
>>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>                <property name="serviceDescription"
>>>>>>>>>>>>>>>>>>>>> value="Web
>>>>>>>>>>>>>>>>>>>>> Application to
>>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>                <property name="role"
>>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>                <property name="tokenType" value="
>>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open
>>>>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>                <property name="lifeTime" value="3600"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>                <property name="passiveRequestorEndpoint
>>>>>>>>>>>>>>>>>>>>> Constraint"
>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>                <property name="logoutEndpointConstraint
>>>>>>>>>>>>>>>>>>>>> "
>>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat
>>>>>>>>>>>>>>>>>>>>> ionClaimEntity">
>>>>>>>>>>>>>>>>>>>>>                <property name="application"
>>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>                <property name="claim" ref="claim_role"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>>                <property name="optional" value="false"
>>>>>>>>>>>>>>>>>>>>> />
>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> ty
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> instance in
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas
>>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml
>>>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>>> realm
>>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp
>>>>>>>>>>>>>>>>>>>>>> and i
>>>>>>>>>>>>>>>>>>>>>> am
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet.
>>>>>>>>>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to
>>>>>>>>>>>>>>>>>>>>>>> authenticate
>>>>>>>>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424
>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>> Token
>>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>]
>>>>>>>>>>>>>>>>>>>>>>> successfully
>>>>>>>>>>>>>>>>>>>>>>> cached.
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433
>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8
>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>>>>>>> service config found for
>>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
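The recurring question in this thread is whether the Tomcat instance hosting the STS is actually asking for a client certificate, and the confusion comes from two spellings of the same setting: the legacy clientAuth attribute on the Connector and certificateVerification on SSLHostConfig (the Tomcat 8.5 docs quoted in this thread say the first is an alias for the second). The following Python script is an added example, not code from the thread, from Fediz or from Tomcat: it parses a server.xml and reports the effective client-certificate policy per TLS connector, and flags an SSLHostConfig attribute that looks like a misspelling of certificateVerification (Tomcat ignores unknown attributes, so the policy silently stays at its default). The sample server.xml is constructed; the value mapping (true/want/false onto required/optional/none) follows the Tomcat documentation for clientAuth and certificateVerification, and the list of attribute names accepted on SSLHostConfig is my assumption from the same documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread). Port 9443 uses the
# Connector-level clientAuth="want" form; 9444 carries a misspelled
# SSLHostConfig attribute; 9445 is the correct SSLHostConfig form; 8080 is
# plain HTTP and must be skipped. Passwords and paths are placeholders.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="9443" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="idp-ssl-key.jks" keystorePass="CHANGEME"
               truststoreFile="idp-ssl-trust.jks" truststorePass="CHANGEME" />
    <Connector port="9444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/path/to/privkey.pem"
                     certificateFile="/path/to/cert.pem"
                     certificateChainFile="/path/to/fullchain.pem" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="9445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig certificateVerification="required">
        <Certificate certificateKeyFile="/path/to/privkey.pem"
                     certificateFile="/path/to/cert.pem" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Assumption from the Tomcat docs: the legacy clientAuth spellings and the
# SSLHostConfig spellings collapse onto the same outcomes.
VERIFICATION_VALUES = {
    "required": "required", "true": "required", "yes": "required",
    "optional": "optional", "want": "optional",
    "optionalnoca": "optionalNoCA",
    "none": "none", "false": "none", "no": "none",
}

# Assumption: the only SSLHostConfig attributes containing "Verification".
KNOWN_VERIFICATION_ATTRS = {"certificateVerification", "certificateVerificationDepth"}


def normalise(value):
    """Map a clientAuth / certificateVerification value onto its outcome."""
    mapped = VERIFICATION_VALUES.get(value.strip().lower())
    if mapped is None:
        raise ValueError(f"unrecognised verification value {value!r}")
    return mapped


def connector_client_cert_policy(connector):
    """Resolve the effective client-cert policy for one <Connector>."""
    warnings = []
    policy, source = "none", "default"

    # Legacy form: clientAuth on the Connector is an alias for
    # certificateVerification on the default SSLHostConfig.
    if "clientAuth" in connector.attrib:
        policy = normalise(connector.get("clientAuth"))
        source = "Connector/@clientAuth"

    for host_config in connector.findall("SSLHostConfig"):
        for attr in host_config.attrib:
            if "erification" in attr and attr not in KNOWN_VERIFICATION_ATTRS:
                warnings.append(
                    f"SSLHostConfig attribute {attr!r} is not a Tomcat attribute "
                    "(did you mean certificateVerification?); it is ignored, so the "
                    "policy stays at its default")
        if "certificateVerification" in host_config.attrib:
            if source == "Connector/@clientAuth":
                warnings.append("both clientAuth and certificateVerification are set; "
                                "make sure they agree for the default SSLHostConfig")
            policy = normalise(host_config.get("certificateVerification"))
            source = "SSLHostConfig/@certificateVerification"

    return {"port": connector.get("port"), "policy": policy,
            "source": source, "warnings": warnings}


def audit_server_xml(xml_text):
    """Return one finding per SSL-enabled Connector, in document order."""
    root = ET.fromstring(xml_text)
    return [connector_client_cert_policy(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def describe(finding):
    """One-line human summary of a finding, plus any warnings."""
    meaning = {
        "none": "does not request a client cert in the handshake",
        "optional": "requests a client cert but accepts connections without one",
        "optionalNoCA": "requests a client cert and skips the CA check",
        "required": "refuses the handshake unless a trusted client cert is presented",
    }[finding["policy"]]
    line = f"port {finding['port']}: {finding['policy']} via {finding['source']} ({meaning})"
    for warning in finding["warnings"]:
        line += f"\n  warning: {warning}"
    return line


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(describe(finding))
```

Reading the output against the error in this thread: a connector that resolves to "none" never sends a CertificateRequest, so the CXF conduit cannot present a certificate even when its keyManagers are configured, which is exactly the "RequireClientCertificate is set, but no local certificates were negotiated" failure. A connector at "optional" (clientAuth="want", the setting in the working test configuration) does request one, yet a browser can still fetch the WSDL without a certificate, so "the WSDL loads in a browser" on its own does not tell you whether the server is asking; only "required" turns that into a hard handshake failure.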

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Are the two keystores responsible for the trust between idp and sts supposed to be 
stsrealm_a.jks and ststrust.jks?

it is just that the cert it is not trusting is the idp-ssl-key.jks 
(domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc

does this mean ststrust.jks should contain MyTCIDP.cer as well as 
MyTCRP.cer?

On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
> You'll need to go through the output to figure out why the cert is not
> trusted. If you generate some test certs + create a testcase somewhere I
> will take a look.
>
> Colm.
>
> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> i get a load of stuff, but in the middle of the one before the error i get
>> Warning: no suitable certificate found - continuing without client authentication
>>
>>
>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>
>>> ahhh...
>>> -Djavax.net.debug=all
>>>
>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>
>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?
>>>>
>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>
>>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> Hi Colm,
>>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code.  but i was taking it from the internet.
>>>>>>
>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again.  I can browse the wsdl without having to provide a client certificate.  could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly?  or is it definitely a tomcat server.xml issue?
>>>>>>
>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> You can see the HTML here:
>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>
>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> Hi Colm
>>>>>>>>
>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>
>>>>>>>> Secondly there is a massive difference between
>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>> and
>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>
>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>>
>>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>>
>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>> clientAuth
>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>
>>>>>>>>>> then
>>>>>>>>>> certificateVerification
>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>
>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot access the site at all with
>>>>>>>>>> Secure Connection Failed
>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>
>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>
>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>
>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  is there any way to debug what the actual problem is?
>>>>>>>>>>>>
>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>          at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>          at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>          at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>          at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>          at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>          at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>          at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>          at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>          at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>          at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>          at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>          at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>          at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>          at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>          at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>          at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>          at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>          at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>          at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>          at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>          at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>          at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>          at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>          at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>          at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>          at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>          at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>          at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>          at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>          at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>          at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>          at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>          at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>          at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>> 4)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>> 4)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>>>> tImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.SubflowState.doEnter(Subf
>>>>>>>>>>>> lowState.java:101)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>> 4)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>> 4)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>>>> tion.java:228)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>>>> isionState.java:51)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>>>> 4)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>>>          at org.springframework.webflow.en
>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>> art(FlowExecutionImpl.java:223)
>>>>>>>>>>>>          at org.springframework.webflow.ex
>>>>>>>>>>>> ecutor.FlowExecutorImpl.launch
>>>>>>>>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>          at org.springframework.webflow.mv
>>>>>>>>>>>> c.servlet.FlowHandlerAdapter.
>>>>>>>>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>          at org.springframework.web.servle
>>>>>>>>>>>> t.DispatcherServlet.doDispatch
>>>>>>>>>>>> (DispatcherServlet.java:967)
>>>>>>>>>>>>          at org.springframework.web.servle
>>>>>>>>>>>> t.DispatcherServlet.doService(
>>>>>>>>>>>> DispatcherServlet.java:901)
>>>>>>>>>>>>          at org.springframework.web.servle
>>>>>>>>>>>> t.FrameworkServlet.processRequ
>>>>>>>>>>>> est(FrameworkServlet.java:970)
>>>>>>>>>>>>          at org.springframework.web.servle
>>>>>>>>>>>> t.FrameworkServlet.doGet(
>>>>>>>>>>>> FrameworkServlet.java:861)
>>>>>>>>>>>>          at javax.servlet.http.HttpServlet
>>>>>>>>>>>> .service(HttpServlet.java:635)
>>>>>>>>>>>>          at org.springframework.web.servle
>>>>>>>>>>>> t.FrameworkServlet.service(
>>>>>>>>>>>> FrameworkServlet.java:846)
>>>>>>>>>>>>          at javax.servlet.http.HttpServlet
>>>>>>>>>>>> .service(HttpServlet.java:742)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>> lter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>          at org.apache.tomcat.websocket.se
>>>>>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>>>>>> r.java:52)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.session.SessionManagementFi
>>>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>>>> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.apache.cxf.fediz.service.i
>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>>
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>          at org.springframework.web.filter
>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.apache.cxf.fediz.service.i
>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>          at org.springframework.security.w
>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>          at org.springframework.web.filter
>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>          at org.springframework.web.filter
>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>          at org.springframework.web.filter
>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>          at org.springframework.web.filter
>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>          at org.apache.catalina.core.Appli
>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>          at org.apache.catalina.core.Stand
>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>          at org.apache.catalina.core.Stand
>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>          at org.apache.catalina.core.Stand
>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>          at org.apache.catalina.valves.Err
>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>          at org.apache.catalina.valves.Abs
>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>          at org.apache.catalina.core.Stand
>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>          at org.apache.catalina.connector.
>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>          at org.apache.coyote.http2.Stream
>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>          at org.apache.coyote.AbstractProc
>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>          at org.apache.coyote.http2.Stream
>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>          at org.apache.coyote.http2.Stream
>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>> java:35)
>>>>>>>>>>>>          at java.util.concurrent.ThreadPoo
>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>          at java.util.concurrent.ThreadPoo
>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>          at org.apache.tomcat.util.threads
>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>          at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>> is
>>>>>>>>>>>> set, but no local certificates were negotiated. Is the server
>>>>>>>>>>>> set to
>>>>>>>>>>>> ask
>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>          at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>> java:255)
>>>>>>>>>>>>          at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>          ... 154 more
>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>> ion:
>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>          at org.apache.cxf.ws.security.pol
>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>          at org.apache.cxf.transport.http.
>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>          at org.apache.cxf.transport.http.
>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>          at org.apache.cxf.transport.http.
>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>          at org.apache.cxf.transport.http.
>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>          at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>          at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>          at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>          at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>          at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>> java:241)
>>>>>>>>>>>>          at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>> java:253)
>>>>>>>>>>>>          ... 155 more
>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error
>>>>>>>>>>>> in
>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>>>> certificate by following this example
>>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>
>>>>>>>>>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>>> this seems impractical in production as the certificates get reissued every
>>>>>>>>>>>>> 6 months.  is it possible for sec:keyStore to define the resource as being
>>>>>>>>>>>>> in catalina base?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>>>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> this document
>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>>>>>>> version is on github:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>>>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>>>>>>>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>>>>>>>>>>>> switching over to the APR connector:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>   <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>              SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>              sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>              keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>>>>>>              truststorePass="ispass" />
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>>>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>>>>>>>>>>>> private key of your IdP.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>            ...
>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>            at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>            ... 154 more
>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>            ...
>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>                <property name="applications">
>>>>>>>>>>>>>>>>>>>>                    <util:list>
>>>>>>>>>>>>>>>>>>>>                        <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>                        <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>                    </util:list>
>>>>>>>>>>>>>>>>>>>>                </property>
>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>                <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>                <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>                <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>                <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>                <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>                <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>                <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>                <property name="passiveRequestorEndpoint
>>>>>>>>>>>>>>>>>>>> Constraint"
>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>                <property name="logoutEndpointConstraint"
>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se
>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat
>>>>>>>>>>>>>>>>>>>> ionClaimEntity">
>>>>>>>>>>>>>>>>>>>>                <property name="application"
>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>                <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>                <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>
>
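The `No service config found for urn:org:apache:cxf:fediz:fedizhelloworld` warning and the `passiveRequestorEndpointConstraint` regex in the `ApplicationEntity` bean quoted above are the IdP's defence against a token being posted back to an address the relying party never registered. The Python below is an added example, not Fediz code: it models that check in the obvious way (look the application up by its realm, then require the reply or logout address to match the configured regex in full), and it fails closed when no application is registered for the realm, which is a choice made here; the thread only shows the warning, not what the IdP does next. The realm and the two regexes are taken from the bean above; the tighter constraint and the probe addresses are constructed for the example.

```python
import re

# Constructed registry: the one ApplicationEntity from the entities-realma.xml
# beans quoted in this thread, keyed by realm the way the IdP looks it up.
APPLICATIONS = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": {
        "passiveRequestorEndpointConstraint": r"https://localhost:?(\d)*/.*",
        "logoutEndpointConstraint": r"https://localhost:?(\d)*/.*",
    },
}


def validate_endpoint(realm, address, kind="passiveRequestorEndpointConstraint",
                      applications=APPLICATIONS):
    """Return (accepted, reason) for a wreply or logout address presented
    together with a realm. Modelled on the warning in the thread; failing
    closed on an unregistered realm or a missing constraint is an assumption
    of this example, not documented Fediz behaviour."""
    app = applications.get(realm)
    if app is None:
        return False, "No service config found for %s" % realm
    constraint = app.get(kind)
    if not constraint:
        return False, "no %s configured for %s" % (kind, realm)
    # fullmatch behaves like Java's String.matches(): the regex has to cover
    # the whole address, so a match cannot be satisfied by a substring.
    if re.fullmatch(constraint, address) is None:
        return False, "%s does not match %s" % (address, constraint)
    return True, "ok"


# Constructed addresses to probe a constraint with: the sample application's
# servlet, another context on the same host, and two look-alike hosts.
SAMPLE_ADDRESSES = [
    "https://localhost:9443/fedizhelloworld/secure/fedservlet",
    "https://localhost:9443/other-app/collect",
    "https://localhost.attacker.example/fedizhelloworld/",
    "https://localhost:9443@attacker.example/",
]

# A tighter constraint for comparison: host, port and context of the one
# relying party instead of "anything on localhost" (constructed here).
TIGHT_CONSTRAINT = r"https://localhost:9443/fedizhelloworld/.*"


def probe(constraint, addresses=SAMPLE_ADDRESSES):
    """Map each probe address to whether the given constraint accepts it."""
    apps = {"urn:example:probe": {"passiveRequestorEndpointConstraint": constraint}}
    return {a: validate_endpoint("urn:example:probe", a, applications=apps)[0]
            for a in addresses}


if __name__ == "__main__":
    for constraint in (APPLICATIONS["urn:org:apache:cxf:fediz:fedizhelloworld"]
                       ["passiveRequestorEndpointConstraint"], TIGHT_CONSTRAINT):
        print(constraint)
        for address, ok in probe(constraint).items():
            print("  %-5s %s" % (ok, address))
```

Running it shows what the thread's regex actually permits: because the host part is anchored, the look-alike hosts are rejected, but `https://localhost:?(\d)*/.*` accepts any port and any path, so every other web application deployed on the same Tomcat is a valid place for the IdP to post a token for this realm. For anything beyond the sample, the constraint should name the host, port and context of the relying party; if the host contains dots, escape them, since an unescaped `.` matches any character. The `(\d)` capture group in the original is harmless but unnecessary, `\d*` means the same thing.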


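The client-certificate problem worked through in the rest of this thread (the STS connector on `clientAuth="want"`, the IdP failing with `RequireClientCertificate is set, but no local certificates were negotiated`, and the JSSE debug line `no suitable certificate found - continuing without client authentication`) comes down to two questions: does the STS connector actually send a TLS CertificateRequest, and does the IdP's key pair chain to one of the CAs that request names? The Python below is an added example, not Fediz or Tomcat code: it answers both questions from two transcripts a practitioner captures by hand, `openssl s_client` against the STS port and `keytool -list -v` on the IdP key store. The transcripts, host names, alias and CA names embedded here are constructed for the example, and the DN normalisation is deliberately simple (no escaping, no multi-valued RDNs), which is adequate for a diagnostic but not for making trust decisions.

```python
import re

# Constructed transcript, trimmed to the relevant part, of:
#   openssl s_client -connect domain.tld:9443 -servername domain.tld </dev/null
# A connector that requests a client certificate and has a truststore lists the
# CAs it will accept under "Acceptable client certificate CA names".
STS_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=domain.tld/O=Example Ltd
   i:/CN=STS CA/O=Example Ltd
---
Acceptable client certificate CA names
/CN=STS CA/O=Example Ltd
/CN=Old STS CA/O=Example Ltd
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2191 bytes and written 415 bytes
"""

# Constructed transcript, trimmed, of:
#   keytool -list -v -keystore idp-ssl-key.jks -storepass <password>
# keytool prints DNs in RFC 2253 order (CN=..., O=...), OpenSSL in its
# one-line slash form; normalise_dn() makes the two comparable.
IDP_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Alias name: idp-ssl-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=idp.domain.tld, O=Example Ltd
Issuer: CN=IdP CA, O=Example Ltd
Certificate[2]:
Owner: CN=IdP CA, O=Example Ltd
Issuer: CN=IdP CA, O=Example Ltd
"""


def normalise_dn(dn):
    """Reduce a DN string to a frozenset of (ATTR, value) pairs so that
    '/CN=a/O=b', 'CN=a, O=b' and 'CN = a, O = b' compare equal whatever the
    RDN order. Ignores escaping and multi-valued RDNs: diagnostic use only."""
    pairs = set()
    for part in re.split(r"\s*[/,]\s*", dn.strip().lstrip("/")):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def acceptable_client_cas(s_client_output):
    """CA names from the server's CertificateRequest as s_client prints them.
    An empty list means no CA list was advertised: either the connector never
    asked for a client certificate, or it asked without naming any CA."""
    cas, collecting = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
        elif collecting:
            if line.startswith("---") or line.startswith("Client Certificate Types"):
                break
            if "=" in line:
                cas.append(normalise_dn(line))
    return cas


def idp_chain_issuers(keytool_output):
    """Issuer DN of every certificate in the key store's chain. JSSE picks a
    client key whose chain is issued by one of the advertised CAs, so the
    IdP key is usable only if one of these issuers is on the server's list."""
    return [normalise_dn(m)
            for m in re.findall(r"^Issuer:\s*(.+)$", keytool_output, re.M)]


def diagnose(s_client_output, keytool_output):
    """Map the two transcripts onto the failure modes seen in this thread."""
    cas = acceptable_client_cas(s_client_output)
    if not cas:
        return "no-ca-list-advertised"        # fix the STS connector first
    if any(issuer in cas for issuer in idp_chain_issuers(keytool_output)):
        return "client-cert-acceptable"
    return "no-suitable-client-cert"          # JSSE: "no suitable certificate found"


if __name__ == "__main__":
    print(diagnose(STS_S_CLIENT_OUTPUT, IDP_KEYTOOL_OUTPUT))
```

With `clientAuth="want"` the handshake completes even when the client presents nothing, so a key store that does not chain to an advertised CA fails late and indirectly, as the WSTX exception in the thread; with `"required"` the same mismatch fails at the handshake, which is the `SSL_ERROR_BAD_CERT_ALERT` the browser showed. The `no-suitable-client-cert` answer above is that mismatch made visible before deployment: the cure is to get the issuer of the IdP certificate into the STS truststore (that is what the connector advertises), or to re-issue the IdP key from a CA that is already there.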
Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
You'll need to go through the output to figure out why the cert is not
trusted. If you generate some test certs + create a testcase somewhere I
will take a look.

Colm.

On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:

> I get a load of stuff, but in the middle of the one before the error I get
> Warning: no suitable certificate found - continuing without client authentication
>
>
> On 25/10/2017 13:42, Matthew Broadhead wrote:
>
>> ahhh...
>> -Djavax.net.debug=all
>>
>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>
>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?
>>>
>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>
>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code.  But I was taking it from the internet.
>>>>>
>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again.  I can browse the wsdl without having to provide a client certificate.  Could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly?  Or is it definitely a tomcat server.xml issue?
>>>>>
>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> You can see the HTML here:
>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>
>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm
>>>>>>>
>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>
>>>>>>> Secondly there is a massive difference between
>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>> and
>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>
>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>
>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>
>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>> clientAuth
>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>
>>>>>>>>> then
>>>>>>>>> certificateVerification
>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>
>>>>>>>>> so I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
>>>>>>>>> Secure Connection Failed
>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>
>>>>>>>>> maybe I should try using Tomcat 7?
>>>>>>>>>
>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>
>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  Is there any way to debug what the actual problem is?
>>>>>>>>>>>
>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>         at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>         at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>>>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>>>>>>>         at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>>>>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>>>>>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>>>>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>>>>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>>>>>>>         at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>>>>>>>>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>>>>>>>>         at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>>>>>>>>         at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>         ... 154 more
>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>> ion:
>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>         at org.apache.cxf.ws.security.pol
>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>         at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>         at org.apache.cxf.io.AbstractThre
>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>         at org.apache.cxf.io.AbstractThre
>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>         at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>> java:241)
>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>> java:253)
>>>>>>>>>>>         ... 155 more
>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error
>>>>>>>>>>> in
>>>>>>>>>>> retrieving a token
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>>> certificate by following this example
>>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>
>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>>>> This seems impractical in production as the certificates get reissued every
>>>>>>>>>>>> 6 months.  Is it possible for sec:keyStore to define the resource as being
>>>>>>>>>>>> in catalina base?
>>>>>>>>>>>>
>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> this document
>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>>>>>> version is on github:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>>>>> instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me
>>>>>>>>>>>>>> in
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> tests,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> perhaps you could duplicate this config and get it working
>>>>>>>>>>>>>>> first
>>>>>>>>>>>>>>> before
>>>>>>>>>>>>>>> switching over to the APR connector:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>        <Connector port="9443"
>>>>>>>>>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>> maxThreads="150"
>>>>>>>>>>>>>>> SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>> clientAuth="want"
>>>>>>>>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
>>>>>>>>>>>>>>> keystorePass="tompass"
>>>>>>>>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>>>>> truststorePass="ispass" />
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>>>>>>> cxf-tls.xml to
>>>>>>>>>>>>>>> communicate with the STS from the IdP. The truststore should
>>>>>>>>>>>>>>> contain
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then
>>>>>>>>>>>>>>> keystore
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> private key of your IdP.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>>>>> problem
>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but now I have this
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>           at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>           ...
>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>           ... 154 more
>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>           at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>           ...
>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It
>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
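
The error that runs through this whole thread ("RequireClientCertificate is set, but no local certificates were negotiated", and the JSSE debug line "no suitable certificate found - continuing without client authentication") is decided on the IdP's side of the connection: when the Tomcat hosting the STS sends a TLS CertificateRequest, JSSE asks its X509KeyManager for a key entry whose chain is issued by one of the CAs the server listed, and if nothing matches it continues the handshake without a client certificate, which CXF then reports as the exception above. The program below is an added example, not code from this thread or from Fediz, that replays that selection offline so it can be checked without a running server. It assumes the file names and passwords from Colm's sample Connector (idp-ssl-key.jks / tompass, idp-ssl-trust.jks / ispass) and that the Tomcat hosting the STS builds its CA list from that truststore; with the APR connector the CA list comes from whatever CA file the SSLHostConfig points at, so pass that store instead. The class name and argument order are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Offline replay of JSSE's client-certificate selection (added example, not Fediz code).
 * Run: java ClientCertSelectionCheck [keystore storePass keyPass truststore trustPass]
 */
public class ClientCertSelectionCheck {

    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases holding a private key: the only entries a TLS client can authenticate with. */
    static List<String> keyEntryAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Subject DNs of the trusted CAs; a server advertises these in its CertificateRequest. */
    static List<Principal> acceptableIssuers(KeyStore serverTrust) throws Exception {
        List<Principal> issuers = new ArrayList<>();
        for (String alias : Collections.list(serverTrust.aliases())) {
            if (serverTrust.isCertificateEntry(alias)) {
                X509Certificate ca = (X509Certificate) serverTrust.getCertificate(alias);
                issuers.add(ca.getSubjectX500Principal());
            }
        }
        return issuers;
    }

    /** What the default (SunX509) key manager would pick; null is the "no suitable certificate" case. */
    static String chooseClientAlias(KeyStore clientKeys, char[] keyPass,
                                    List<Principal> issuers) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                // The same call JSSE makes after receiving CertificateRequest; no socket needed.
                return ((X509KeyManager) km).chooseClientAlias(
                    new String[] {"RSA", "EC"}, issuers.toArray(new Principal[0]), null);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the sample names and passwords quoted in this thread (assumed, not required).
        String keyStorePath = args.length > 0 ? args[0] : "idp-ssl-key.jks";
        char[] storePass = (args.length > 1 ? args[1] : "tompass").toCharArray();
        char[] keyPass = (args.length > 2 ? args[2] : "tompass").toCharArray();
        String trustPath = args.length > 3 ? args[3] : "idp-ssl-trust.jks";
        char[] trustPass = (args.length > 4 ? args[4] : "ispass").toCharArray();

        KeyStore clientKeys = load(keyStorePath, storePass, "JKS");
        KeyStore serverTrust = load(trustPath, trustPass, "JKS");

        // Check 1: the PEM conversion must have produced a key entry, not just a trusted cert.
        List<String> keyAliases = keyEntryAliases(clientKeys);
        if (keyAliases.isEmpty()) {
            System.out.println("FAIL: " + keyStorePath + " holds no private-key entry. "
                + "keytool -importcert of cert.pem alone yields a trusted-cert entry; "
                + "bundle privkey.pem and the chain into PKCS12 first.");
            return;
        }
        System.out.println("key entries in " + keyStorePath + ": " + keyAliases);

        // Check 2: one of those entries must be issued by a CA the server advertises.
        List<Principal> issuers = acceptableIssuers(serverTrust);
        if (issuers.isEmpty()) {
            System.out.println("WARN: " + trustPath + " has no CA entries, so the server "
                + "could not verify any client certificate it receives.");
        }
        System.out.println("CAs the server would advertise: " + issuers);

        String chosen = chooseClientAlias(clientKeys, keyPass, issuers);
        if (chosen == null) {
            System.out.println("FAIL: no key entry is issued by an advertised CA. JSSE would log "
                + "'no suitable certificate found' and CXF would then fail with "
                + "'RequireClientCertificate is set, but no local certificates were negotiated'.");
        } else {
            X509Certificate leaf = (X509Certificate) clientKeys.getCertificate(chosen);
            System.out.println("OK: would present '" + chosen + "' issued by "
                + leaf.getIssuerX500Principal());
        }
    }
}
```

Run it from the directory holding the keystores. The first check catches the conversion mistake of importing only cert.pem (a trusted-cert entry, no private key); the second catches a key entry whose issuer is not in the CA list the server would send, which is exactly what the `-Djavax.net.debug=all` warning reports. The usual way to build the keystore from a Let's Encrypt pair is `openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out idp.p12` followed by `keytool -importkeystore -srckeystore idp.p12 -srcstoretype PKCS12 -destkeystore idp-ssl-key.jks`, which produces a key entry with the full chain.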

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
I get a load of stuff, but in the middle of the one before the error I get
Warning: no suitable certificate found - continuing without client authentication

On 25/10/2017 13:42, Matthew Broadhead wrote:
> ahhh...
> -Djavax.net.debug=all
>
> On 25/10/2017 13:39, Matthew Broadhead wrote:
>> How would I enable the debug? 
>> services/idp/src/main/webapp/WEB-INF/security-config.xml 
>> <security:debug/>?
>>
>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>> If you change it to "required" does it fail? If so, you could try 
>>> running
>>> the Tomcat IdP with Java SSL debugging enabled and it should tell 
>>> you why
>>> the IdP can't connect to the STS.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> I realise now that this html file was included in the examples/samplekeys
>>>> directory in the code.  But I was taking it from the internet.
>>>>
>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>>> getting the same error over and again.  I can browse the wsdl without
>>>> having to provide a client certificate.  Could you point me to the part of
>>>> the idp-sts configuration which might be causing it to not ask for the keys
>>>> properly?  Or is it definitely a tomcat server.xml issue?
>>>>
>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>
>>>>> You can see the HTML here:
>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>
>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> Hi Colm
>>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>>> in html?
>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>
>>>>>> Secondly there is a massive difference between
>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>> and
>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>
>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>> ststrust.jks.
>>>>>>
>>>>>> I have some more things to try now so I will let you know if I get
>>>>>> further
>>>>>>
>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>> Why not try the simple Connector configuration I gave earlier but 
>>>>>> with
>>>>>>> your
>>>>>>> own keys?
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> In Tomcat 8
>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>> it says
>>>>>>>> clientAuth
>>>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>>>> SSLHostConfig element.
>>>>>>>>
>>>>>>>> then
>>>>>>>> certificateVerification
>>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>>>> client requests a resource protected by a security constraint that uses
>>>>>>>> CLIENT-CERT authentication.
>>>>>>>>
>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>>>>> access the site at all with
>>>>>>>> Secure Connection Failed
>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>
>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>
>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>> The problem is that your Tomcat container hosting the STS is 
>>>>>>>> not asking
>>>>>>>>
>>>>>>>>> for
>>>>>>>>> client authentication. You can check this by using a web 
>>>>>>>>> browser or
>>>>>>>>> curl
>>>>>>>>> to
>>>>>>>>> view the WSDL of the STS - if you can get it to work then the
>>>>>>>>> configuration
>>>>>>>>> is incorrect, as it should error on the browser not supplying 
>>>>>>>>> a client
>>>>>>>>> cert.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> I spoke too soon.
>>>>>>>>>>
>>>>>>>>>> I am completely stuck with the same stack trace and no amount of reloading
>>>>>>>>>> the certificates is helping.  Is there any way to debug what the actual
>>>>>>>>>> problem is?
>>>>>>>>>>
>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>> a:547)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.en
>>>>>>>>>> dActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.EndState.doEnter(EndState
>>>>>>>>>> .java:107)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>> a:547)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>>>> nState.java:105)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.TransitionableState.handl
>>>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>>>> a:547)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>>>> nState.java:105)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>> isionState.java:51)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>> isionState.java:51)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>> isionState.java:51)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>> isionState.java:51)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.RequestControlContex
>>>>>>>>>> tImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.SubflowState.doEnter(Subf
>>>>>>>>>> lowState.java:101)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>> isionState.java:51)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Transition.execute(Transi
>>>>>>>>>> tion.java:228)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>>>> isionState.java:51)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.State.enter(State.java:19
>>>>>>>>>> 4)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>         at org.springframework.webflow.en
>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>> art(FlowExecutionImpl.java:223)
>>>>>>>>>>         at org.springframework.webflow.ex
>>>>>>>>>> ecutor.FlowExecutorImpl.launch
>>>>>>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>>>>>>         at org.springframework.webflow.mv
>>>>>>>>>> c.servlet.FlowHandlerAdapter.
>>>>>>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>         at org.springframework.web.servle
>>>>>>>>>> t.DispatcherServlet.doDispatch
>>>>>>>>>> (DispatcherServlet.java:967)
>>>>>>>>>>         at org.springframework.web.servle
>>>>>>>>>> t.DispatcherServlet.doService(
>>>>>>>>>> DispatcherServlet.java:901)
>>>>>>>>>>         at org.springframework.web.servle
>>>>>>>>>> t.FrameworkServlet.processRequ
>>>>>>>>>> est(FrameworkServlet.java:970)
>>>>>>>>>>         at 
>>>>>>>>>> org.springframework.web.servlet.FrameworkServlet.doGet(
>>>>>>>>>> FrameworkServlet.java:861)
>>>>>>>>>>         at javax.servlet.http.HttpServlet
>>>>>>>>>> .service(HttpServlet.java:635)
>>>>>>>>>>         at 
>>>>>>>>>> org.springframework.web.servlet.FrameworkServlet.service(
>>>>>>>>>> FrameworkServlet.java:846)
>>>>>>>>>>         at javax.servlet.http.HttpServlet
>>>>>>>>>> .service(HttpServlet.java:742)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>> lter(ApplicationFilterChain.java:231)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>         at org.apache.tomcat.websocket.se
>>>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>>>> r.java:52)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.session.SessionManagementFi
>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) 
>>>>>>>>>>
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.apache.cxf.fediz.service.i
>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97) 
>>>>>>>>>>
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>         at org.springframework.web.filter
>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.apache.cxf.fediz.service.i
>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>         at org.springframework.security.w
>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>         at org.springframework.web.filter
>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>         at org.springframework.web.filter
>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>         at org.springframework.web.filter
>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>         at org.springframework.web.filter
>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>> stValve.java:140)
>>>>>>>>>>         at org.apache.catalina.valves.Err
>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>         at org.apache.catalina.valves.Abs
>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>         at org.apache.catalina.connector.
>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>> apter.java:342)
>>>>>>>>>>         at org.apache.coyote.http2.Stream
>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>> sor.java:245)
>>>>>>>>>>         at org.apache.coyote.AbstractProc
>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>         at org.apache.coyote.http2.Stream
>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>> sor.java:65)
>>>>>>>>>>         at 
>>>>>>>>>> org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.
>>>>>>>>>> java:35)
>>>>>>>>>>         at java.util.concurrent.ThreadPoo
>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>         at java.util.concurrent.ThreadPoo
>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>         at org.apache.tomcat.util.threads
>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>>> certificate by following this example
>>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks
>>>>>>>>>>> files.
>>>>>>>>>>>
>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina
>>>>>>>>>>> base. This seems impractical in production as the certificates get
>>>>>>>>>>> reissued every 6 months.  Is it possible for sec:keyStore to define the
>>>>>>>>>>> resource as being in catalina base?
>>>>>>>>>>>
>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>>>>>>>> think. As a workaround you can just use the Java keytool command to
>>>>>>>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>
>>>>>>>>>>>>> This document
>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>
>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The
>>>>>>>>>>>> correct version is on github:
>>>>>>>>>>>>
>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>>>> instead of a java keystore?  Where is the documentation for
>>>>>>>>>>>>> sec:keyStore?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>>>>>>>> first before switching over to the APR connector:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     <Connector port="9443"
>>>>>>>>>>>>>>         protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>         maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>         clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>         keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>         truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml
>>>>>>>>>>>>>> to communicate with the STS from the IdP. The truststore should
>>>>>>>>>>>>>> contain the issuing cert of the Tomcat instance hosting your STS +
>>>>>>>>>>>>>> then keystore the private key of your IdP.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I
>>>>>>>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still have
>>>>>>>>>>>>>>> the same problem
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>>>>>>>> problem? How would I use production certificates?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It correctly
>>>>>>>>>>>>>>>>>>>> redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>
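
The establishTrust failure quoted above is the IdP's STS client insisting on a client certificate that its TLS handshake with the STS never negotiated, so the useful check is whether the Tomcat connector in front of the STS asks for one at all. The Go program below is an added illustration, not code from this thread or from Fediz or Tomcat: it starts a loopback TLS server under each client-auth policy and probes it with a client that holds no certificate. The mapping of Tomcat's clientAuth / certificateVerification values onto Go's tls.ClientAuthType and the self-signed 127.0.0.1 certificate are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tomcatPolicies maps the certificateVerification values quoted in the thread onto Go's
// ClientAuthType; the mapping is this example's assumption, not Tomcat's own code.
var tomcatPolicies = map[string]tls.ClientAuthType{
	"none":         tls.NoClientCert,               // never sends a CertificateRequest
	"optional":     tls.VerifyClientCertIfGiven,    // clientAuth="want": ask, tolerate absence
	"optionalNoCA": tls.RequestClientCert,          // ask, but never check against trusted CAs
	"required":     tls.RequireAndVerifyClientCert, // clientAuth="required": reject if absent
}

// selfSignedServerCert builds a throwaway certificate for 127.0.0.1 so the demo runs offline.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots
}

// startServer listens on a random loopback port with the given client-auth policy and answers
// each connection with "ok"; the TLS handshake itself runs inside that first Write.
func startServer(cert tls.Certificate, policy tls.ClientAuthType) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			conn.Write([]byte("ok")) // a rejected client receives a TLS alert instead
			conn.Close()
		}
	}()
	return ln
}

// Probe connects with no client certificate and reports whether the server asked for one and
// whether it served the connection anyway: the thread's "can I fetch the STS WSDL without a
// cert?" check in code. detail carries the TLS alert text when the server rejected us.
func Probe(addr string, roots *x509.CertPool) (requested, accepted bool, detail string) {
	cfg := &tls.Config{
		RootCAs: roots,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true               // invoked only when a CertificateRequest arrives
			return &tls.Certificate{}, nil // reply with an empty Certificate message
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return requested, false, err.Error() // TLS 1.2: a "required" server alerts mid-handshake
	}
	defer conn.Close()
	if _, err := conn.Read(make([]byte, 2)); err != nil {
		return requested, false, err.Error() // TLS 1.3: the alert arrives after the client's Finished
	}
	return requested, true, ""
}

func main() {
	cert, roots := selfSignedServerCert()
	for _, name := range []string{"none", "optional", "required"} {
		ln := startServer(cert, tomcatPolicies[name])
		requested, accepted, detail := Probe(ln.Addr().String(), roots)
		ln.Close()
		fmt.Printf("%-9s requested=%-5v accepted=%-5v %s\n", name, requested, accepted, detail)
	}
}
```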


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
ahhh...
-Djavax.net.debug=all

On 25/10/2017 13:39, Matthew Broadhead wrote:
> How would I enable the debug? 
> services/idp/src/main/webapp/WEB-INF/security-config.xml 
> <security:debug/>?
>
> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>> If you change it to "required" does it fail? If so, you could try running
>> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
>> the IdP can't connect to the STS.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> I realise now that this html file was included in the examples/samplekeys
>>> directory in the code.  But I was taking it from the internet.
>>>
>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>>> getting the same error over and again.  I can browse the wsdl without
>>> having to provide a client certificate.  Could you point me to the part of
>>> the idp-sts configuration which might be causing it to not ask for the keys
>>> properly?  Or is it definitely a tomcat server.xml issue?
>>>
>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>
>>>> You can see the HTML here:
>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>
>>>> I'll update the webpage to point to github instead of SVN.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi Colm
>>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>>> in html?
>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>
>>>>> Secondly there is a massive difference between
>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>> and
>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>> (svn being the one linked from the main fediz pages)
>>>>>
>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>> ststrust.jks.
>>>>>
>>>>> I have some more things to try now so I will let you know if I get
>>>>> further
>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>>> your own keys?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>> clientAuth
>>>>>>> This is an alias for the certificateVerification attribute of the default
>>>>>>> SSLHostConfig element.
>>>>>>>
>>>>>>> then
>>>>>>> certificateVerification
>>>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>>>> chain from the client before accepting a connection. Set to optional if you
>>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL
>>>>>>> does, JSSE does not) it is treated as if optional was specified. A none
>>>>>>> value (which is the default) will not require a certificate chain unless
>>>>>>> the client requests a resource protected by a security constraint that
>>>>>>> uses CLIENT-CERT authentication.
>>>>>>>
>>>>>>> so I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>>>> access the site at all with
>>>>>>> Secure Connection Failed
>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>
>>>>>>> maybe I should try using Tomcat 7?
>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>>>>>> for client authentication. You can check this by using a web browser or
>>>>>>>> curl to view the WSDL of the STS - if you can get it to work then the
>>>>>>>> configuration is incorrect, as it should error on the browser not
>>>>>>>> supplying a client cert.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> I spoke too soon.
>>>>>>>>>
>>>>>>>>> I am completely stuck with the same stack trace and no amount of
>>>>>>>>> reloading the certificates is helping.  Is there any way to debug what
>>>>>>>>> the actual problem is?
>>>>>>>>>
>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>> RequireClientCertificate
>>>>>>>>> is
>>>>>>>>> set, but no local certificates were negotiated. Is the server 
>>>>>>>>> set to
>>>>>>>>> ask
>>>>>>>>> for client authorization?
>>>>>>>>>         at 
>>>>>>>>> com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>>>>>> java:255)
>>>>>>>>>         at org.apache.cxf.binding.soap.sa
>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>         ... 154 more
>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>> ion:
>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>         at org.apache.cxf.ws.security.pol
>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>>> Conduit.java:309)
>>>>>>>>>         at org.apache.cxf.io.AbstractWrap
>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>         at org.apache.cxf.io.AbstractThre
>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>         at org.apache.cxf.io.AbstractThre
>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>         at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>> java:241)
>>>>>>>>>         at 
>>>>>>>>> com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>>>>>> java:253)
>>>>>>>>>         ... 155 more
>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - 
>>>>>>>>> Error in
>>>>>>>>> retrieving a token
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>>>> certificate by following this example
>>>>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks
>>>>>>>>>> files.
>>>>>>>>>>
>>>>>>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>>> this seems impractical in production as the certificates get reissued
>>>>>>>>>> every 6 months.  is it possible for sec:keyStore to define the resource
>>>>>>>>>> as being in catalina base?
>>>>>>>>>>
>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>>>>>>> think. As a workaround you can just use the Java keytool command to
>>>>>>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>
>>>>>>>>>>>> this document
>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>
>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The
>>>>>>>>>>> correct version is on github:
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>
>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>>>> instead of a java keystore?  where is the documentation for
>>>>>>>>>>>> sec:keyStore?
>>>>>>>>>>>>
>>>>>>>>>>>> Matt
>>>>>>>>>>>>
>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>>>>>>> first before switching over to the APR connector:
>>>>>>>>>>>>>
>>>>>>>>>>>>>   <Connector port="9443"
>>>>>>>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>>> truststorePass="ispass" />
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>>>>>>>> STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I
>>>>>>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still
>>>>>>>>>>>>>> have the same problem
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>>>>>>> problem?  How would I use production certificates?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
>>>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>>>>> were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>           at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>           ...
>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate
>>>>>>>>>>>>>>> is set, but no local certificates were negotiated.  Is the server set
>>>>>>>>>>>>>>> to ask for client authorization?
>>>>>>>>>>>>>>>           at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>           at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>           ... 154 more
>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>           at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>           at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>           ...
>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>>>>>>> it correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>
>>
>
>
>
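The stack trace quoted in this message ends in CXF's `RequireClientCertificate is set, but no local certificates were negotiated` check, which fires whenever the TLS session between the IdP and the STS carries no client certificate. That single message covers two distinct situations: the STS connector never sent a CertificateRequest at all (the `clientAuth` / `clientVerification` side), or it did ask and the keystore behind `sec:keyManagers` had no key that matched what the server will accept. The probe below, an added example that is not part of this thread or of the Fediz project, separates those cases using plain JSSE: it wraps the key manager so that every CertificateRequest is recorded (together with the issuer names the server advertises), performs a handshake, and then reads the session's local certificates, which is the same session property CXF's message refers to. The class and field names, the host/port arguments, and the keystore file names and passwords (taken from the cxf-tls.xml quoted above and assumed to be in the working directory) are my assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Hypothetical diagnostic: does the STS endpoint request a client certificate, and can our keystore satisfy it? */
public class ClientCertProbe {

    /** Wraps the real key manager and records whether the server ever sent a CertificateRequest. */
    static final class RecordingKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        volatile boolean certificateRequested;   // true only if chooseClientAlias was invoked by the handshake
        volatile String chosenAlias;             // null => no private key in the keystore matched the request
        volatile Principal[] acceptedIssuers;    // CA names the server said it accepts (may be empty)

        RecordingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        private String record(String[] keyType, Principal[] issuers, Socket socket) {
            certificateRequested = true;
            acceptedIssuers = issuers;
            chosenAlias = delegate.chooseClientAlias(keyType, issuers, socket);
            return chosenAlias;
        }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return record(keyType, issuers, socket);
        }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
            return record(keyType, issuers, null);
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        @Override public X509Certificate[] getCertificateChain(String alias) {
            return delegate.getCertificateChain(alias);
        }
        @Override public PrivateKey getPrivateKey(String alias) {
            return delegate.getPrivateKey(alias);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: STS host and port as arguments; file names and passwords from the thread's cxf-tls.xml.
        String host = args.length > 0 ? args[0] : "domain.tld";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9443;
        char[] keyPass = "tompass".toCharArray();
        char[] trustPass = "ispass".toCharArray();

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks("idp-ssl-key.jks", keyPass), keyPass);
        RecordingKeyManager km = new RecordingKeyManager((X509KeyManager) kmf.getKeyManagers()[0]);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks("idp-ssl-trust.jks", trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            SSLSession session = socket.getSession();
            Certificate[] local = session.getLocalCertificates();   // null when no client certificate was sent
            System.out.println("server requested a client cert : " + km.certificateRequested);
            System.out.println("alias picked from keystore     : " + km.chosenAlias);
            System.out.println("local certs negotiated         : " + (local != null && local.length > 0));
            if (km.acceptedIssuers != null) {
                for (Principal issuer : km.acceptedIssuers) {
                    System.out.println("  server accepts issuer        : " + issuer.getName());
                }
            }
        } catch (SSLHandshakeException e) {
            // Typical with clientAuth="required" when the presented (or absent) cert is rejected by the server.
            System.out.println("handshake failed (cert requested=" + km.certificateRequested
                + ", alias=" + km.chosenAlias + "): " + e.getMessage());
        }
    }
}
```

Reading the output: if `server requested a client cert` is false, the Tomcat side is at fault and no change to cxf-tls.xml will help; if it is true but the alias is null, the default key manager found no private key whose chain is signed by one of the listed issuers, so the IdP key needs to be issued by a CA the STS connector's truststore contains; if an alias was chosen but the handshake still fails, the STS does not trust the cert it received. The wrapper works with either the NIO or the APR connector since it only observes the client side of the handshake.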



Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
How would I enable the debug? 
services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?

On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
> If you change it to "required" does it fail? If so, you could try running
> the Tomcat IdP with Java SSL debugging enabled and it should tell you why
> the IdP can't connect to the STS.
>
> Colm.
>
> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Hi Colm,
>>
>> I realise now that this html file was included in the examples/samplekeys
>> directory in the code.  but i was taking it from the internet.
>>
>> I am 100% using clientAuth="want" on my Tomcat connector but I am still
>> getting the same error over and again.  I can browse the wsdl without
>> having to provide a client certificate.  could you point me to the part of
>> the idp-sts configuration which might be causing it to not ask for the keys
>> properly?  or is it definitely a tomcat server.xml issue?
>>
>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>
>>> You can see the HTML here:
>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> I'll update the webpage to point to github instead of SVN.
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi Colm
>>>> Firstly is there somewhere to see these instructions correctly formatted
>>>> in html?
>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>
>>>> Secondly there is a massive difference between
>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>> and
>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>> (svn being the one linked from the main fediz pages)
>>>>
>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>> ststrust.jks.
>>>>
>>>> I have some more things to try now so I will let you know if I get
>>>> further
>>>>
>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>
>>>> Why not try the simple Connector configuration I gave earlier but with
>>>>> your
>>>>> own keys?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> in Tomcat 8
>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>> it says
>>>>>> clientAuth
>>>>>> This is an alias for the certificateVerification attribute of the
>>>>>> default
>>>>>> SSLHostConfig element.
>>>>>>
>>>>>> then
>>>>>> certificateVerification
>>>>>> Set to required if you want the SSL stack to require a valid
>>>>>> certificate
>>>>>> chain from the client before accepting a connection. Set to optional if
>>>>>> you
>>>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>>>> isn't presented. Set to optionalNoCA if you want client certificates to
>>>>>> be
>>>>>> optional and you don't want Tomcat to check them against the list of
>>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL
>>>>>> does,
>>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>>> (which is the default) will not require a certificate chain unless the
>>>>>> client requests a resource protected by a security constraint that uses
>>>>>> CLIENT-CERT authentication.
>>>>>>
>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot
>>>>>> access the site at all with
>>>>>> Secure Connection Failed
>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer
>>>>>> cannot
>>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>
>>>>>> maybe i should try using Tomcat 7?
>>>>>>
>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>>>>> for
>>>>>>> client authentication. You can check this by using a web browser or
>>>>>>> curl
>>>>>>> to
>>>>>>> view the WSDL of the STS - if you can get it to work then the
>>>>>>> configuration
>>>>>>> is incorrect, as it should error on the browser not supplying a client
>>>>>>> cert.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> i spoke too soon.
>>>>>>>>
>>>>>>>> i am completely stuck with the same stack trace and no amount of
>>>>>>>> reloading
>>>>>>>> the certificates is helping.  is there any way to debug what the
>>>>>>>> actual
>>>>>>>> problem is?
>>>>>>>>
>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>> has thrown exception, unwinding now
>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>>> were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>         at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>         at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>         at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>         at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>         at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>         at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>         at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>         at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>         at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>         at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>         at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>> nState.java:105)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.FlowExecutionImpl.ex
>>>>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.RequestControlContex
>>>>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.TransitionableState.handl
>>>>>>>> eEvent(TransitionableState.java:116)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Flow.handleEvent(Flow.jav
>>>>>>>> a:547)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.FlowExecutionImpl.ha
>>>>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.RequestControlContex
>>>>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.ActionState.doEnter(Actio
>>>>>>>> nState.java:105)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>> isionState.java:51)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>> isionState.java:51)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>> isionState.java:51)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>> isionState.java:51)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.RequestControlContex
>>>>>>>> tImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.SubflowState.doEnter(Subf
>>>>>>>> lowState.java:101)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>> isionState.java:51)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Transition.execute(Transi
>>>>>>>> tion.java:228)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.DecisionState.doEnter(Dec
>>>>>>>> isionState.java:51)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.State.enter(State.java:19
>>>>>>>> 4)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>         at org.springframework.webflow.en
>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>> art(FlowExecutionImpl.java:223)
>>>>>>>>         at org.springframework.webflow.ex
>>>>>>>> ecutor.FlowExecutorImpl.launch
>>>>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>>>>         at org.springframework.webflow.mv
>>>>>>>> c.servlet.FlowHandlerAdapter.
>>>>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>>>>         at org.springframework.web.servle
>>>>>>>> t.DispatcherServlet.doDispatch
>>>>>>>> (DispatcherServlet.java:967)
>>>>>>>>         at org.springframework.web.servle
>>>>>>>> t.DispatcherServlet.doService(
>>>>>>>> DispatcherServlet.java:901)
>>>>>>>>         at org.springframework.web.servle
>>>>>>>> t.FrameworkServlet.processRequ
>>>>>>>> est(FrameworkServlet.java:970)
>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(
>>>>>>>> FrameworkServlet.java:861)
>>>>>>>>         at javax.servlet.http.HttpServlet
>>>>>>>> .service(HttpServlet.java:635)
>>>>>>>>         at org.springframework.web.servlet.FrameworkServlet.service(
>>>>>>>> FrameworkServlet.java:846)
>>>>>>>>         at javax.servlet.http.HttpServlet
>>>>>>>> .service(HttpServlet.java:742)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>> lter(ApplicationFilterChain.java:231)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>> licationFilterChain.java:166)
>>>>>>>>         at org.apache.tomcat.websocket.se
>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>> r.java:52)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>> licationFilterChain.java:166)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.session.SessionManagementFi
>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.apache.cxf.fediz.service.i
>>>>>>>> dp.service.security.GrantedAut
>>>>>>>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.authentication.logout.Logou
>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.context.request.async.WebAs
>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>         at org.springframework.web.filter
>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.context.SecurityContextPers
>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.apache.cxf.fediz.service.i
>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>> ortFilter.java:74)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>         at org.springframework.security.w
>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>         at org.springframework.web.filter
>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>         at org.springframework.web.filter
>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>> licationFilterChain.java:166)
>>>>>>>>         at org.springframework.web.filter
>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>         at org.springframework.web.filter
>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>         at org.apache.catalina.core.Appli
>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>> licationFilterChain.java:166)
>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>> dWrapperValve.java:198)
>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>> dContextValve.java:96)
>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>> stValve.java:140)
>>>>>>>>         at org.apache.catalina.valves.Err
>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>> rtValve.java:80)
>>>>>>>>         at org.apache.catalina.valves.Abs
>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>         at org.apache.catalina.core.Stand
>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>> EngineValve.java:87)
>>>>>>>>         at org.apache.catalina.connector.
>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>> apter.java:342)
>>>>>>>>         at org.apache.coyote.http2.Stream
>>>>>>>> Processor.service(StreamProces
>>>>>>>> sor.java:245)
>>>>>>>>         at org.apache.coyote.AbstractProc
>>>>>>>> essorLight.process(AbstractPro
>>>>>>>> cessorLight.java:66)
>>>>>>>>         at org.apache.coyote.http2.Stream
>>>>>>>> Processor.process(StreamProces
>>>>>>>> sor.java:65)
>>>>>>>>         at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.
>>>>>>>> java:35)
>>>>>>>>         at java.util.concurrent.ThreadPoo
>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>> Executor.java:1142)
>>>>>>>>         at java.util.concurrent.ThreadPoo
>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>> lExecutor.java:617)
>>>>>>>>         at org.apache.tomcat.util.threads
>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>> run(TaskThread.java:61)
>>>>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>> RequireClientCertificate
>>>>>>>> is
>>>>>>>> set, but no local certificates were negotiated.  Is the server set to
>>>>>>>> ask
>>>>>>>> for client authorization?
>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>>>>> java:255)
>>>>>>>>         at org.apache.cxf.binding.soap.sa
>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>         ... 154 more
>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>> ion:
>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>         at org.apache.cxf.ws.security.pol
>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>>>> Conduit.java:309)
>>>>>>>>         at org.apache.cxf.io.AbstractWrap
>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>         at org.apache.cxf.io.AbstractThre
>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>         at org.apache.cxf.io.AbstractThre
>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>         at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>> java:241)
>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>>>>> java:253)
>>>>>>>>         ... 155 more
>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>>>>>> retrieving a token
>>>>>>>>
>>>>>>>>
>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> Thanks for your help Colm. I now have it working using the production
>>>>>>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>>>>>>>> to export the PEMs into JKS files.
>>>>>>>>>
>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>>> This seems impractical in production as the certificates get reissued every
>>>>>>>>> 6 months. Is it possible for sec:keyStore to define the resource as being
>>>>>>>>> in catalina base?
>>>>>>>>>
>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>>>>
>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>
>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>>> version is on github:
>>>>>>>>>>
>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a PEM certificate
>>>>>>>>>>> instead of a Java keystore? Where is the documentation for sec:keyStore?
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>>>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>>>>>>>> switching over to the APR connector:
>>>>>>>>>>>>
>>>>>>>>>>>>   <Connector port="9443"
>>>>>>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>> truststorePass="ispass" />
>>>>>>>>>>>>
>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>>>>>>>> private key of your IdP.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I am using my own certificate with APR in the Tomcat server.xml. I added
>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>>>>> problem
>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this be the problem?
>>>>>>>>>>>>> How would I use production certificates?
>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>     <http:tlsClientParameters
>>>>>>>>>>>>>         disableCNCheck="true">
>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> ok... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>         ...
>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ok, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The previous one was caused by
>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>> according to the original file
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEnti
>>>>>>>>>>>>>>>> ty
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> instance in
>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>> realm
>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i
>>>>>>>>>>>>>>>>> am
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld
>>>>>>>>>>>>>>>>>> /secure/fedservlet.
>>>>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to
>>>>>>>>>>>>>>>>>> authenticate
>>>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8]
>>>>>>>>>>>>>>>>>> INFO
>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken
>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>> Token
>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>]
>>>>>>>>>>>>>>>>>> successfully
>>>>>>>>>>>>>>>>>> cached.
>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8]
>>>>>>>>>>>>>>>>>> WARN
>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida
>>>>>>>>>>>>>>>>>> tor
>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>> No
>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz
>>>>>>>>>>>>>>>>>> helloworld
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>
>
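The realm lookup and endpoint-constraint check behind the "No service config found" warning in the quoted thread above, as an added example in Python (not Fediz code): it loads a constructed entities XML modelled on the ApplicationEntity beans quoted above, resolves which ApplicationEntity an IdpEntity actually registers for a wtrealm, and tests a wreply against that application's passiveRequestorEndpointConstraint; the anchored regex match is an assumption about how the IdP applies the constraint.

```python
"""Resolve a Fediz IdP ApplicationEntity for a WS-Federation request and
check its endpoint constraint.

Added example, not Fediz code. The entities XML below is a constructed
sample modelled on the beans quoted in the thread, and the anchored regex
match is an assumption about how the IdP applies the constraints.
"""
import re
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"

# Constructed sample, not a real deployment file.
SAMPLE_ENTITIES_XML = r"""
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="idp-realmXYZ"
        class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
    <property name="applications">
      <util:list>
        <ref bean="srv-fedizhelloworld" />
        <!-- <ref bean="srv-oidc" /> -->
      </util:list>
    </property>
  </bean>
  <bean id="srv-fedizhelloworld"
        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="passiveRequestorEndpointConstraint"
              value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
  </bean>
  <!-- Defined but NOT listed under the IdpEntity's applications, so unused. -->
  <bean id="srv-oidc"
        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:oidc" />
    <property name="passiveRequestorEndpointConstraint"
              value="https://localhost:?(\d)*/.*" />
  </bean>
</beans>
"""


def load_applications(xml_text):
    """Map realm -> {id, passive, logout} for every ApplicationEntity that an
    IdpEntity actually references in its 'applications' list."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.findall(BEANS + "bean") if b.get("id")}

    referenced = set()
    for bean in beans.values():
        if not bean.get("class", "").endswith(".IdpEntity"):
            continue
        for prop in bean.findall(BEANS + "property"):
            if prop.get("name") == "applications":
                # <ref bean="..."/> elements nested inside <util:list>
                referenced.update(r.get("bean") for r in prop.iter(BEANS + "ref"))

    apps = {}
    for bean_id in referenced:
        bean = beans.get(bean_id)
        if bean is None or not bean.get("class", "").endswith(".ApplicationEntity"):
            continue
        props = {p.get("name"): p.get("value") for p in bean.findall(BEANS + "property")}
        if props.get("realm"):
            apps[props["realm"]] = {
                "id": bean_id,
                "passive": props.get("passiveRequestorEndpointConstraint"),
                "logout": props.get("logoutEndpointConstraint"),
            }
    return apps


def check_request(apps, wtrealm, wreply):
    """Return (ok, reason) for a wtrealm/wreply pair.

    Mirrors the two outcomes relevant to the thread: no ApplicationEntity for
    the realm (the 'No service config found' warning), or a wreply that does
    not satisfy the application's passiveRequestorEndpointConstraint."""
    app = apps.get(wtrealm)
    if app is None:
        return False, "No service config found for " + wtrealm
    pattern = app["passive"]
    if not pattern:
        return False, app["id"] + " has no passiveRequestorEndpointConstraint"
    # fullmatch: the whole wreply must satisfy the constraint, so a host that
    # merely starts with 'localhost' (e.g. localhost.other.example) is rejected.
    if re.fullmatch(pattern, wreply) is None:
        return False, "wreply %s violates constraint %s" % (wreply, pattern)
    return True, wtrealm + " served by " + app["id"]


if __name__ == "__main__":
    apps = load_applications(SAMPLE_ENTITIES_XML)
    helloworld = "urn:org:apache:cxf:fediz:fedizhelloworld"
    for realm, reply in [
        (helloworld, "https://localhost:9443/fedizhelloworld/secure/fedservlet"),
        ("urn:org:apache:cxf:fediz:oidc", "https://localhost:9443/oidc/"),
        (helloworld, "https://localhost.other.example/fedizhelloworld/"),
        (helloworld, "http://localhost:9443/fedizhelloworld/"),
    ]:
        print(check_request(apps, realm, reply))
```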



Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you change it to "required" does it fail? If so, you could try running
the Tomcat IdP with Java SSL debugging enabled and it should tell you why
the IdP can't connect to the STS.

Colm.

On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Hi Colm,
>
> I realise now that this html file was included in the examples/samplekeys
> directory in the code.  but i was taking it from the internet.
>
> I am 100% using clientAuth="want" on my Tomcat connector but I am still
> getting the same error over and again.  I can browse the wsdl without
> having to provide a client certificate.  could you point me to the part of
> the idp-sts configuration which might be causing it to not ask for the keys
> properly?  or is it definitely a tomcat server.xml issue?
>
> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>
>> You can see the HTML here:
>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>
>> I'll update the webpage to point to github instead of SVN.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm
>>>
>>> Firstly is there somewhere to see these instructions correctly formatted
>>> in html?
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> Secondly there is a massive difference between
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>> and
>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>> (svn being the one linked from the main fediz pages)
>>>
>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>> ststrust.jks.
>>>
>>> I have some more things to try now so I will let you know if I get
>>> further
>>>
>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>
>>>> Why not try the simple Connector configuration I gave earlier but with
>>>> your own keys?
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>> clientAuth
>>>>> This is an alias for the certificateVerification attribute of the
>>>>> default SSLHostConfig element.
>>>>>
>>>>> then
>>>>> certificateVerification
>>>>> Set to required if you want the SSL stack to require a valid certificate
>>>>> chain from the client before accepting a connection. Set to optional if
>>>>> you want the SSL stack to request a client Certificate, but not fail if one
>>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>>> optional and you don't want Tomcat to check them against the list of
>>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>>> (which is the default) will not require a certificate chain unless the
>>>>> client requests a resource protected by a security constraint that uses
>>>>> CLIENT-CERT authentication.
>>>>>
>>>>> so I changed clientAuth="want" to clientAuth="required". Now I cannot
>>>>> access the site at all with
>>>>> Secure Connection Failed
>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>
>>>>> maybe I should try using Tomcat 7?
>>>>>
>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>>>> for client authentication. You can check this by using a web browser or
>>>>>> curl to view the WSDL of the STS - if you can get it to work then the
>>>>>> configuration is incorrect, as it should error on the browser not supplying
>>>>>> a client cert.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> I spoke too soon.
>>>>>>>
>>>>>>> I am completely stuck with the same stack trace and no amount of
>>>>>>> reloading the certificates is helping.  Is there any way to debug what the
>>>>>>> actual problem is?
>>>>>>>
>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>>>>> retrieving a token
>>>>>>>
>>>>>>>
>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>
>>>>>>>> but in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>>>> This seems impractical in production as the certificates get reissued
>>>>>>>> every 6 months.  Is it possible for sec:keyStore to define the resource as
>>>>>>>> being in catalina base?
>>>>>>>>
>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>>>>> think. As a workaround you can just use the Java keytool command to import
>>>>>>>>> your PEM key/cert into a JKS keystore.
>>>>>>>>>
>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no
>>>>>>>>>> idp-ssl-key.jks.
>>>>>>>>>
>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>>>> version is on github:
>>>>>>>>>
>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>>>> instead of a java keystore?  Where is the documentation for
>>>>>>>>>> sec:keyStore?
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>>>>> first before switching over to the APR connector:
>>>>>>>>>>>
>>>>>>>>>>>   <Connector port="9443"
>>>>>>>>>>>              protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>              maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>>>>>>>              secure="true" clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>              keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>              keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>>              truststorePass="ispass" />
>>>>>>>>>>>
>>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>>>>>> STS + then keystore the private key of your IdP.
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I
>>>>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still have
>>>>>>>>>>>> the same problem
>>>>>>>>>>>>
>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>
>>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>>>>> problem?  How would I use production certificates?
>>>>>>>>>>>>
>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>
>>>>>>>>>>>>> but now i have this
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>>> were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>         ...
>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate
>>>>>>>>>>>>> is set, but no local certificates were negotiated.  Is the server set
>>>>>>>>>>>>> to ask for client authorization?
>>>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>         ... 154 more
>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>         ...
>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>>>>> it correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token
>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
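
A renewal-friendly way to produce the keystore discussed above (an added example for this thread, not code from Fediz or from either poster): it bundles the Let's Encrypt privkey.pem and fullchain.pem files shown in the connector config into a PKCS12 file, which sec:keyStore accepts with type="pkcs12" per Colm's reply, and optionally converts that into the idp-ssl-key.jks the thread's config expects when keytool is installed. The output names, the alias "idp", and the self-signed material used to exercise the functions are assumptions made here.

```shell
#!/bin/sh
# Added example: rebuild the IdP client keystore from PEM files after a
# certificate reissue. Not part of the thread or of Fediz. Assumed names:
# output files idp-ssl-key.p12 / idp-ssl-key.jks and alias "idp".
set -eu

# pem_to_pkcs12 PRIVKEY FULLCHAIN OUT PASSWORD ALIAS
# Bundle the private key and its certificate chain into one PKCS12 file.
# The thread notes that sec:keyStore accepts type="pkcs12", so this file
# can be referenced directly instead of maintaining a JKS copy.
pem_to_pkcs12() {
  openssl pkcs12 -export \
    -inkey "$1" -in "$2" -name "$5" \
    -out "$3" -passout "pass:$4"
}

# pkcs12_to_jks P12 JKS PASSWORD ALIAS
# Optional: produce the JKS that the posted connector and cxf-tls.xml use.
# Store and key password are kept identical, matching keyPassword in the
# posted cxf-tls.xml. Returns 2 when keytool is not installed.
pkcs12_to_jks() {
  command -v keytool >/dev/null 2>&1 || return 2
  rm -f "$2"
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -srcalias "$4" -destalias "$4" \
    -destkeystore "$2" -deststoretype JKS \
    -deststorepass "$3" -destkeypass "$3"
}

# pkcs12_cert_count P12 PASSWORD : number of certificates in the bundle
# (0 if the file cannot be opened, e.g. wrong password)
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# pkcs12_has_key P12 PASSWORD : succeeds only if a private key is present
pkcs12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# --- Self-contained run on constructed material --------------------------
# A throwaway self-signed key/cert stands in for the real
# /etc/letsencrypt/live/domain.tld/{privkey,fullchain}.pem from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=tompass            # the keystore password used in the posted config
OUT_P12="$WORK/idp-ssl-key.p12"
OUT_JKS="$WORK/idp-ssl-key.jks"

openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=idp.example.test" \
  -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null
# With a self-signed certificate the full chain is just the leaf.
cp "$WORK/cert.pem" "$WORK/fullchain.pem"

pem_to_pkcs12 "$WORK/privkey.pem" "$WORK/fullchain.pem" "$OUT_P12" "$PASS" idp

if pkcs12_to_jks "$OUT_P12" "$OUT_JKS" "$PASS" idp; then
  echo "wrote $OUT_JKS"
else
  echo "JKS not written (keytool missing or failed); the PKCS12 alone works with sec:keyStore type=\"pkcs12\""
fi
echo "certificates in bundle: $(pkcs12_cert_count "$OUT_P12" "$PASS")"
```

Run it from a certbot deploy hook (or equivalent) so the keystore is regenerated on every reissue; pointing sec:keyStore at a file path outside the webapp then removes the need to copy anything into WEB-INF/classes.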

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hi Colm,

I realise now that this HTML file was included in the 
examples/samplekeys directory in the code, but I was taking it from the 
internet.

I am 100% using clientAuth="want" on my Tomcat connector but I am still 
getting the same error over and again.  I can browse the WSDL without 
having to provide a client certificate.  Could you point me to the part 
of the idp-sts configuration which might be causing it to not ask for 
the keys properly?  Or is it definitely a Tomcat server.xml issue?

On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
> You can see the HTML here:
> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>
> I'll update the webpage to point to github instead of SVN.
>
> Colm.
>
> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Hi Colm
>>
>> Firstly is there somewhere to see these instructions correctly formatted
>> in html?
>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>
>> Secondly there is a massive difference between
>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>> and
>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>> (svn being the one linked from the main fediz pages)
>>
>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>> ststrust.jks.
>>
>> I have some more things to try now so I will let you know if I get further
>>
>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>
>>> Why not try the simple Connector configuration I gave earlier but with
>>> your own keys?
>>>
>>> Colm.
>>>
>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> in Tomcat 8
>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>> it says
>>>>
>>>> clientAuth
>>>> This is an alias for the certificateVerification attribute of the default
>>>> SSLHostConfig element.
>>>>
>>>> then
>>>>
>>>> certificateVerification
>>>> Set to required if you want the SSL stack to require a valid certificate
>>>> chain from the client before accepting a connection. Set to optional if you
>>>> want the SSL stack to request a client Certificate, but not fail if one
>>>> isn't presented. Set to optionalNoCA if you want client certificates to be
>>>> optional and you don't want Tomcat to check them against the list of
>>>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>>>> JSSE does not) it is treated as if optional was specified. A none value
>>>> (which is the default) will not require a certificate chain unless the
>>>> client requests a resource protected by a security constraint that uses
>>>> CLIENT-CERT authentication.
>>>>
>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot
>>>> access the site at all with
>>>> Secure Connection Failed
>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>
>>>> maybe i should try using Tomcat 7?
>>>>
>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>
>>>>> The problem is that your Tomcat container hosting the STS is not asking for
>>>>> client authentication. You can check this by using a web browser or curl to
>>>>> view the WSDL of the STS - if you can get it to work then the configuration
>>>>> is incorrect, as it should error on the browser not supplying a client
>>>>> cert.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> i spoke too soon.
>>>>>>
>>>>>> i am completely stuck with the same stack trace and no amount of reloading
>>>>>> the certificates is helping.  is there any way to debug what the actual
>>>>>> problem is?
>>>>>>
>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>> has thrown exception, unwinding now
>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>        at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>        at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>        at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>        at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>        at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>        at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>        at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>        at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>        at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>        at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>        at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>        at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>        at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>        at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>        at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>        at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>        at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>        at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>        at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>        at org.springframework.security.web.FilterChainProxy.doFilterIn
>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>        at org.springframework.security.web.FilterChainProxy.doFilter(F
>>>>>> ilterChainProxy.java:160)
>>>>>>        at org.springframework.web.filter.DelegatingFilterProxy.invokeD
>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>        at org.springframework.web.filter.DelegatingFilterProxy.doFilte
>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>>>> licationFilterChain.java:166)
>>>>>>        at org.springframework.web.filter.CharacterEncodingFilter.doFil
>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>        at org.springframework.web.filter.OncePerRequestFilter.doFilter
>>>>>> (OncePerRequestFilter.java:107)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>>>> licationFilterChain.java:166)
>>>>>>        at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
>>>>>> dWrapperValve.java:198)
>>>>>>        at org.apache.catalina.core.StandardContextValve.invoke(Standar
>>>>>> dContextValve.java:96)
>>>>>>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
>>>>>> stValve.java:140)
>>>>>>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
>>>>>> rtValve.java:80)
>>>>>>        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs
>>>>>> tractAccessLogValve.java:650)
>>>>>>        at org.apache.catalina.core.StandardEngineValve.invoke(Standard
>>>>>> EngineValve.java:87)
>>>>>>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
>>>>>> apter.java:342)
>>>>>>        at org.apache.coyote.http2.StreamProcessor.service(StreamProces
>>>>>> sor.java:245)
>>>>>>        at org.apache.coyote.AbstractProcessorLight.process(AbstractPro
>>>>>> cessorLight.java:66)
>>>>>>        at org.apache.coyote.http2.StreamProcessor.process(StreamProces
>>>>>> sor.java:65)
>>>>>>        at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.
>>>>>> java:35)
>>>>>>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>>>> Executor.java:1142)
>>>>>>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>>>> lExecutor.java:617)
>>>>>>        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
>>>>>> run(TaskThread.java:61)
>>>>>>        at java.lang.Thread.run(Thread.java:748)
>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>>> set, but no local certificates were negotiated.  Is the server set to ask
>>>>>> for client authorization?
>>>>>>        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>>> java:255)
>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>        ... 154 more
>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLCo
>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>>> Conduit.java:309)
>>>>>>        at org.apache.cxf.io.AbstractWrappedOutputStream.write(Abstract
>>>>>> WrappedOutputStream.java:47)
>>>>>>        at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(Abs
>>>>>> tractThresholdOutputStream.java:89)
>>>>>>        at org.apache.cxf.io.AbstractThresholdOutputStream.write(Abstra
>>>>>> ctThresholdOutputStream.java:63)
>>>>>>        at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>        at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.
>>>>>> java:241)
>>>>>>        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>>> java:253)
>>>>>>        ... 155 more
>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>>>> retrieving a token
>>>>>>
>>>>>>
>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>
>>>>>>> Thanks for your help Colm. I now have it working using the production
>>>>>>> certificate by following this example
>>>>>>> https://stackoverflow.com/a/2141229/3052312 to export the PEMs into
>>>>>>> JKS files.
>>>>>>>
>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina
>>>>>>> base. This seems impractical in production as the certificates get
>>>>>>> reissued every 6 months. Is it possible for sec:keyStore to define the
>>>>>>> resource as being in catalina base?
>>>>>>>
>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>>>> think. As a workaround you can just use the Java keytool command to
>>>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>>>
>>>>>>>>> this document
>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>
>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The
>>>>>>>> correct version is on github:
>>>>>>>>
>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> Hi Colm,
>>>>>>>>>
>>>>>>>>> Is there any way for sec:keyStore to be pointed at a PEM certificate
>>>>>>>>> instead of a Java keystore? Where is the documentation for
>>>>>>>>> sec:keyStore?
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>>>> first before switching over to the APR connector:
>>>>>>>>>>
>>>>>>>>>>     <Connector port="9443"
>>>>>>>>>>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>                maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>>>>>>                secure="true" clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>                keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>                keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>>>>                truststorePass="ispass" />
>>>>>>>>>>
>>>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>>>>> STS + then keystore the private key of your IdP.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> I am using my own certificate with APR in the Tomcat server.xml. I
>>>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still have
>>>>>>>>>>> the same problem
>>>>>>>>>>>
>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>> </Connector>
>>>>>>>>>>>
>>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this be the
>>>>>>>>>>> problem? How would I use production certificates?
>>>>>>>>>>>
>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>                  <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>              </sec:trustManagers>
>>>>>>>>>>>              <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>                  <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>              </sec:keyManagers> -->
>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting,
>>>>>>>>>>>> but now I have this
>>>>>>>>>>>>
>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>>>>>> has thrown exception, unwinding now
>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>>>>>>> were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>          at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>          at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>          at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>          at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>          ...
>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>>>>>>>>> set, but no local certificates were negotiated.  Is the server set to
>>>>>>>>>>>> ask for client authorization?
>>>>>>>>>>>>          at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>          at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>          ... 154 more
>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>          at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>          at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>          at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>          ...
>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator -
>>>>>>>>>>>>> No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>>
>>>>>>>>>>>>> The previous one was caused by
>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>> should have been
>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>> according to the original file
>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>>> instance in your
>>>>>>>>>>>>>>> webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
>>>>>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>>>> It correctly redirects to the login page and seems to authenticate
>>>>>>>>>>>>>>>> ok
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator -
>>>>>>>>>>>>>>>> No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>
>
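
The exchange above comes down to one TLS handshake. The IdP's STS client calls the STS over HTTPS, and the STS's WS-SecurityPolicy (an HttpsToken with RequireClientCertificate) makes CXF refuse to send the Issue request unless a client certificate was actually negotiated on that connection; that is the "no local certificates were negotiated" error in every stack trace quoted here. Two things must both be true for a certificate to be negotiated. The Tomcat connector in front of the STS must send a CertificateRequest during the handshake, which is clientAuth="want" on the NIO connector Colm posted, or certificateVerification="optional" on an SSLHostConfig (note the attribute name: Tomcat does not recognise clientVerification and only warns about the unknown attribute at startup, so the APR configuration posted earlier left certificateVerification at its default of none and never asked for a certificate). And the IdP's outbound conduit must have a key manager holding a private key to answer with; with the keyManagers block commented out of cxf-tls.xml there is nothing to present even when the server does ask.

The file below is an added example written for this thread, not the cxf-tls.xml that Fediz ships. It keeps the conduit from the thread but loads the stores by path from under ${catalina.base} instead of as classpath resources, so a renewed Let's Encrypt certificate only has to be re-exported to one place rather than copied into webapps/idp/WEB-INF/classes. The conf/fediz directory, the .p12 file names, the TLSv1.2 setting and the assumption that a Spring property placeholder resolves ${catalina.base} in the IdP's context are mine; if no placeholder configurer is in scope, put an absolute path in file=.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  cxf-tls.xml for the Fediz IdP: TLS client parameters for the IdP's
  outbound call to the STS. Added example for the mailing-list thread,
  not the file shipped with Fediz.

  Assumptions (not from the thread):
    - stores live in ${catalina.base}/conf/fediz/ and are PKCS12 files
      produced with openssl/keytool from the Let's Encrypt PEM files;
    - a Spring property placeholder resolves ${catalina.base}; if it does
      not, replace it with the absolute path of the Tomcat base directory.
  Passwords "tompass" and "ispass" are the ones used throughout the thread.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

    <!-- Applies to every HTTP conduit the IdP creates, including the one
         that talks to the STS at stsUrl. -->
    <http:conduit name="*.http-conduit">
        <!-- No disableCNCheck="true": the STS hostname in stsUrl must match
             the name in its certificate, otherwise any holder of a cert from
             a trusted CA could impersonate the STS. -->
        <http:tlsClientParameters secureSocketProtocol="TLSv1.2">

            <!-- Trust store: who the IdP accepts as the STS. Holds the issuing
                 certificate of the Tomcat hosting the STS (the Let's Encrypt
                 intermediate here), loaded by file path, not from the
                 webapp classpath. -->
            <sec:trustManagers>
                <sec:keyStore type="PKCS12" password="ispass"
                              file="${catalina.base}/conf/fediz/idp-ssl-trust.p12"/>
            </sec:trustManagers>

            <!-- Key store: the private key and certificate chain the IdP
                 presents when the STS connector sends a CertificateRequest.
                 Leaving this out is what produces "RequireClientCertificate
                 is set, but no local certificates were negotiated". -->
            <sec:keyManagers keyPassword="tompass">
                <sec:keyStore type="PKCS12" password="tompass"
                              file="${catalina.base}/conf/fediz/idp-ssl-key.p12"/>
            </sec:keyManagers>

        </http:tlsClientParameters>
    </http:conduit>
</beans>
```

Two checks before switching back to the APR connector. First, confirm the connector really requests a certificate, independently of whether the STS answers: `openssl s_client -connect domain.tld:9443 -msg </dev/null 2>&1 | grep CertificateRequest` prints the CertificateRequest handshake message when the server asks for one and nothing when it does not (host and port are the ones from the thread). Second, keep the setting at want/optional rather than required: the IdP login page is served by the same connector and browsers have no client certificate, which is exactly the SSL_ERROR_BAD_CERT_ALERT seen with required. With optional, a client without a certificate still completes the TLS handshake, and it is CXF's policy verification on the STS side that rejects an Issue request that arrived without one.

To produce the two stores from the Let's Encrypt files without going through JKS at all: `openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -name idp -passout pass:tompass -out idp-ssl-key.p12` builds the key store (the first certificate in fullchain.pem is paired with the key, the rest become its chain, and the key password equals the store password, which is why keyPassword and password above are the same), and `keytool -importcert -alias letsencrypt -file chain.pem -keystore idp-ssl-trust.p12 -storetype PKCS12 -storepass ispass -noprompt` builds the trust store with the issuer of the STS's server certificate, as Colm describes. The Tomcat connector in front of the STS needs the mirror image: its own trust store (truststoreFile, or caCertificateFile on an SSLHostConfig) must contain the issuer of whatever certificate the IdP presents, or the client certificate chain will not validate and no certificate is negotiated either.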



Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
You can see the HTML here:
https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html

I'll update the webpage to point to github instead of SVN.

Colm.

On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Hi Colm
>
> Firstly is there somewhere to see these instructions correctly formatted
> in html?
> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>
> Secondly there is a massive difference between
> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
> and
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
> (svn being the one linked from the main fediz pages)
>
> On the SVN one it doesn't mention adding the MyTCRP.cer key to
> ststrust.jks.
>
> I have some more things to try now so I will let you know if I get further
>
> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>
>> Why not try the simple Connector configuration I gave earlier but with
>> your own keys?
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> In Tomcat 8
>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>> it says
>>> clientAuth
>>> This is an alias for the certificateVerification attribute of the default
>>> SSLHostConfig element.
>>>
>>> then
>>> certificateVerification
>>> Set to required if you want the SSL stack to require a valid certificate
>>> chain from the client before accepting a connection. Set to optional if
>>> you want the SSL stack to request a client Certificate, but not fail if
>>> one isn't presented. Set to optionalNoCA if you want client certificates
>>> to be optional and you don't want Tomcat to check them against the list
>>> of trusted CAs. If the TLS provider doesn't support this option (OpenSSL
>>> does, JSSE does not) it is treated as if optional was specified. A none
>>> value (which is the default) will not require a certificate chain unless
>>> the client requests a resource protected by a security constraint that
>>> uses CLIENT-CERT authentication.
>>>
>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>>> access the site at all with
>>> Secure Connection Failed
>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>
>>> Maybe I should try using Tomcat 7?
>>>
>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>
>>>> The problem is that your Tomcat container hosting the STS is not asking
>>>> for client authentication. You can check this by using a web browser or
>>>> curl to view the WSDL of the STS - if you can get it to work then the
>>>> configuration is incorrect, as it should error on the browser not
>>>> supplying a client cert.
>>>>
>>>> Colm.
>>>>
>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> I spoke too soon.
>>>>>
>>>>> I am completely stuck with the same stack trace and no amount of
>>>>> reloading the certificates is helping. Is there any way to debug what
>>>>> the actual problem is?
>>>>>
>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>> has thrown exception, unwinding now
>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>       at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>       at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>       at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>       at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>>>> ssorImpl.java:62)
>>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>>>> thodAccessorImpl.java:43)
>>>>>       at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>       at org.springframework.expression.spel.support.ReflectiveMethod
>>>>> Executor.execute(ReflectiveMethodExecutor.java:113)
>>>>>       at org.springframework.expression.spel.ast.MethodReference.getV
>>>>> alueInternal(MethodReference.java:129)
>>>>>       at org.springframework.expression.spel.ast.MethodReference.
>>>>> access$000(MethodReference.java:49)
>>>>>       at org.springframework.expression.spel.ast.MethodReference$Meth
>>>>> odValueRef.getValue(MethodReference.java:347)
>>>>>       at org.springframework.expression.spel.ast.CompoundExpression.g
>>>>> etValueInternal(CompoundExpression.java:88)
>>>>>       at org.springframework.expression.spel.ast.SpelNodeImpl.
>>>>> getTypedValue(SpelNodeImpl.java:131)
>>>>>       at org.springframework.expression.spel.standard.SpelExpression.
>>>>> getValue(SpelExpression.java:297)
>>>>>       at org.springframework.binding.expression.spel.SpringELExpressi
>>>>> on.getValue(SpringELExpression.java:84)
>>>>>       at org.springframework.webflow.action.EvaluateAction.doExecute(
>>>>> EvaluateAction.java:75)
>>>>>       at org.springframework.webflow.action.AbstractAction.execute(Ab
>>>>> stractAction.java:188)
>>>>>       at org.springframework.webflow.execution.AnnotatedAction.execut
>>>>> e(AnnotatedAction.java:145)
>>>>>       at org.springframework.webflow.execution.ActionExecutor.execute
>>>>> (ActionExecutor.java:51)
>>>>>       at org.springframework.webflow.engine.ActionList.execute(Action
>>>>> List.java:154)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 3)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>       at org.springframework.webflow.engine.TransitionableState.handl
>>>>> eEvent(TransitionableState.java:116)
>>>>>       at org.springframework.webflow.engine.SubflowState.handleEvent(
>>>>> SubflowState.java:116)
>>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.jav
>>>>> a:547)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.en
>>>>> dActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>       at org.springframework.webflow.engine.EndState.doEnter(EndState
>>>>> .java:107)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>       at org.springframework.webflow.engine.TransitionableState.handl
>>>>> eEvent(TransitionableState.java:116)
>>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.jav
>>>>> a:547)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>       at org.springframework.webflow.engine.ActionState.doEnter(Actio
>>>>> nState.java:105)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>>>>> ecute(FlowExecutionImpl.java:395)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>>       at org.springframework.webflow.engine.TransitionableState.handl
>>>>> eEvent(TransitionableState.java:116)
>>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.jav
>>>>> a:547)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>       at org.springframework.webflow.engine.ActionState.doEnter(Actio
>>>>> nState.java:105)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>>> isionState.java:51)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>>> isionState.java:51)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>>> isionState.java:51)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>>> isionState.java:51)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>>>>> art(FlowExecutionImpl.java:368)
>>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>>> tImpl.start(RequestControlContextImpl.java:234)
>>>>>       at org.springframework.webflow.engine.SubflowState.doEnter(Subf
>>>>> lowState.java:101)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>>> isionState.java:51)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>>> tion.java:228)
>>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>>> isionState.java:51)
>>>>>       at org.springframework.webflow.engine.State.enter(State.java:19
>>>>> 4)
>>>>>       at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>>>>> art(FlowExecutionImpl.java:368)
>>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>>>>> art(FlowExecutionImpl.java:223)
>>>>>       at org.springframework.webflow.executor.FlowExecutorImpl.launch
>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>       at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.
>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>       at org.springframework.web.servlet.DispatcherServlet.doDispatch
>>>>> (DispatcherServlet.java:967)
>>>>>       at org.springframework.web.servlet.DispatcherServlet.doService(
>>>>> DispatcherServlet.java:901)
>>>>>       at org.springframework.web.servlet.FrameworkServlet.processRequ
>>>>> est(FrameworkServlet.java:970)
>>>>>       at org.springframework.web.servlet.FrameworkServlet.doGet(
>>>>> FrameworkServlet.java:861)
>>>>>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>       at org.springframework.web.servlet.FrameworkServlet.service(
>>>>> FrameworkServlet.java:846)
>>>>>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>>> lter(ApplicationFilterChain.java:231)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>>> licationFilterChain.java:166)
>>>>>       at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>>>>> r.java:52)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>>> lter(ApplicationFilterChain.java:193)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>>> licationFilterChain.java:166)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>       at org.springframework.security.web.access.intercept.FilterSecu
>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>       at org.springframework.security.web.access.intercept.FilterSecu
>>>>> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.access.ExceptionTranslation
>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.session.SessionManagementFi
>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.authentication.AnonymousAut
>>>>> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.servletapi.SecurityContextH
>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>>> AwareRequestFilter.java:154)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.savedrequest.RequestCacheAw
>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.authentication.www.BasicAut
>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.authentication.AbstractAuth
>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>>> nProcessingFilter.java:199)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.authentication.logout.Logou
>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.context.request.async.WebAs
>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>>> erIntegrationFilter.java:50)
>>>>>       at org.springframework.web.filter.OncePerRequestFilter.doFilter
>>>>> (OncePerRequestFilter.java:107)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.context.SecurityContextPers
>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSP
>>>>> ortFilter.java:74)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.access.channel.ChannelProce
>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>       at org.springframework.security.web.FilterChainProxy.doFilterIn
>>>>> ternal(FilterChainProxy.java:192)
>>>>>       at org.springframework.security.web.FilterChainProxy.doFilter(F
>>>>> ilterChainProxy.java:160)
>>>>>       at org.springframework.web.filter.DelegatingFilterProxy.invokeD
>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>       at org.springframework.web.filter.DelegatingFilterProxy.doFilte
>>>>> r(DelegatingFilterProxy.java:262)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>>> lter(ApplicationFilterChain.java:193)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>>> licationFilterChain.java:166)
>>>>>       at org.springframework.web.filter.CharacterEncodingFilter.doFil
>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>       at org.springframework.web.filter.OncePerRequestFilter.doFilter
>>>>> (OncePerRequestFilter.java:107)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>>> lter(ApplicationFilterChain.java:193)
>>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>>> licationFilterChain.java:166)
>>>>>       at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
>>>>> dWrapperValve.java:198)
>>>>>       at org.apache.catalina.core.StandardContextValve.invoke(Standar
>>>>> dContextValve.java:96)
>>>>>       at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
>>>>> stValve.java:140)
>>>>>       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
>>>>> rtValve.java:80)
>>>>>       at org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs
>>>>> tractAccessLogValve.java:650)
>>>>>       at org.apache.catalina.core.StandardEngineValve.invoke(Standard
>>>>> EngineValve.java:87)
>>>>>       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
>>>>> apter.java:342)
>>>>>       at org.apache.coyote.http2.StreamProcessor.service(StreamProces
>>>>> sor.java:245)
>>>>>       at org.apache.coyote.AbstractProcessorLight.process(AbstractPro
>>>>> cessorLight.java:66)
>>>>>       at org.apache.coyote.http2.StreamProcessor.process(StreamProces
>>>>> sor.java:65)
>>>>>       at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.
>>>>> java:35)
>>>>>       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>>> Executor.java:1142)
>>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>>> lExecutor.java:617)
>>>>>       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
>>>>> run(TaskThread.java:61)
>>>>>       at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>> set, but no local certificates were negotiated.  Is the server set to ask
>>>>> for client authorization?
>>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>> java:255)
>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>       ... 154 more
>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>> RequireClientCertificate is set, but no local certificates were
>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>       at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLCo
>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>>> Conduit.java:309)
>>>>>       at org.apache.cxf.io.AbstractWrappedOutputStream.write(Abstract
>>>>> WrappedOutputStream.java:47)
>>>>>       at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(Abs
>>>>> tractThresholdOutputStream.java:89)
>>>>>       at org.apache.cxf.io.AbstractThresholdOutputStream.write(Abstra
>>>>> ctThresholdOutputStream.java:63)
>>>>>       at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>       at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.
>>>>> java:241)
>>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>>> java:253)
>>>>>       ... 155 more
>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>>> retrieving a token
>>>>>
>>>>>
>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>
>>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>>>>> to export the pems into jks files.
>>>>>>
>>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>>> this seems impractical in production as the certificates get reissued every
>>>>>> 6 months.  is it possible for sec:keyStore to define the resource as being
>>>>>> in catalina base?
>>>>>>
>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>>> PEM key/cert into a JKS keystore.
>>>>>>>
>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>
>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>>> version is on github:
>>>>>>>
>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> Hi Colm,
>>>>>>>>
>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>>>>> switching over to the APR connector:
>>>>>>>>>
>>>>>>>>>      <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>                 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>                 clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
>>>>>>>>>                 keystorePass="tompass" keyPass="tompass"
>>>>>>>>>                 truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>
>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>>>>> private key of your IdP.
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>>> problem
>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>                    maxThreads="150" SSLEnabled="true">
>>>>>>>>>>             <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>             <SSLHostConfig clientVerification="required">
>>>>>>>>>>                 <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>                              certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>                              certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>                              type="RSA" />
>>>>>>>>>>             </SSLHostConfig>
>>>>>>>>>>         </Connector>
>>>>>>>>>>
>>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>>> problem?
>>>>>>>>>> How would I use production certificates?
>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>             <http:tlsClientParameters
>>>>>>>>>>                 disableCNCheck="true">
>>>>>>>>>>                 <!-- <sec:trustManagers>
>>>>>>>>>>                     <sec:keyStore type="jks" password="ispass"
>>>>>>>>>> resource="idp-ssl-trust.jks" />
>>>>>>>>>>                 </sec:trustManagers>
>>>>>>>>>>                 <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>                     <sec:keyStore type="jks" password="tompass"
>>>>>>>>>> resource="idp-ssl-key.jks"/>
>>>>>>>>>>                 </sec:keyManagers> -->
>>>>>>>>>>             </http:tlsClientParameters>
>>>>>>>>>>         </http:conduit>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>
>>>>>>>>>>> but now i have this
>>>>>>>>>>>
>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>>>>>>>>>>> thrown exception, unwinding now
>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>         ...
>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>>>>>>>> set, but no local certificates were negotiated.  Is the server set to ask
>>>>>>>>>>> for client authorization?
>>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>         ... 154 more
>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>         ...
>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>>> retrieving a token
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>>>
>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>>
>>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>> should have been
>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>> according to original file
>>>>>>>>>>>>
>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>
>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>> ...
>>>>>>>>>>>>>             <property name="applications">
>>>>>>>>>>>>>                 <util:list>
>>>>>>>>>>>>>                     <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>                 </util:list>
>>>>>>>>>>>>>             </property>
>>>>>>>>>>>>> ...
>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>             <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>             <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>             <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>             <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>             <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>             <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>             <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>             <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>             <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>             <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>             <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>             <property name="optional" value="false" />
>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>
>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it
>>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
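
The failure quoted throughout this message ("RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?") is the CXF client reporting that the TLS server never sent a CertificateRequest, so whatever keyManagers the IdP has in cxf-tls.xml were never exercised. The program below is an added example and is not code from this thread or from Fediz/CXF. It runs a loopback TLS server under each of the three client-auth policies the thread talks about (Tomcat's clientAuth none / want / required, modelled here with Go's tls.NoClientCert, tls.RequestClientCert and tls.RequireAnyClientCert; that mapping is an assumption for illustration) and connects with a client that has no certificate to offer. The client records whether a CertificateRequest arrived, which is the same condition Colm suggests probing with a browser or curl against the STS WSDL. The throwaway self-signed certificate and the names selfSignedCert, Probe and HandshakeResult are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for "localhost"
// (constructed for this example only) so server and client run in-process.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// HandshakeResult is what a certificate-less client observed in one handshake.
type HandshakeResult struct {
	CertRequested bool  // the server sent a CertificateRequest
	Err           error // non-nil when the server rejected the handshake
}

// Probe starts a loopback TLS server with the given client-auth policy, connects
// to it without a client certificate, and reports what the client observed.
func Probe(policy tls.ClientAuthType) (HandshakeResult, error) {
	serverCert, serverX509, err := selfSignedCert()
	if err != nil {
		return HandshakeResult{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(serverX509)

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy, // analogue of Tomcat clientAuth none / want / required
		ClientCAs:    pool,
	})
	if err != nil {
		return HandshakeResult{}, err
	}
	defer ln.Close()

	// Server side: accept one connection and drive the handshake to completion.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	var res HandshakeResult
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		// TLS 1.2 keeps the server's verdict on the (missing) client
		// certificate inside the handshake, so it surfaces from Dial.
		MaxVersion: tls.VersionTLS12,
		// Only invoked when a CertificateRequest arrives. Returning an empty
		// certificate models an IdP whose cxf-tls.xml has no keyManagers.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			res.CertRequested = true
			return &tls.Certificate{}, nil
		},
	})
	res.Err = err
	if err == nil {
		conn.Close()
	}
	return res, nil
}

func main() {
	policies := []struct {
		name   string
		policy tls.ClientAuthType
	}{
		{"none", tls.NoClientCert},
		{"want", tls.RequestClientCert},
		{"required", tls.RequireAnyClientCert},
	}
	for _, p := range policies {
		r, err := Probe(p.policy)
		if err != nil {
			fmt.Printf("%-9s probe failed: %v\n", p.name, err)
			continue
		}
		fmt.Printf("%-9s certRequested=%-5v handshakeErr=%v\n", p.name, r.CertRequested, r.Err)
	}
}
```

With none, the handshake succeeds and no request is seen: that is the state behind the quoted stack trace, and it is what Colm's browser/curl test detects (the WSDL loads without the browser being asked for a certificate). With want, the request is seen and the handshake still succeeds without a client certificate, which is why the NIO connector with clientAuth="want" works for the IdP-to-STS call once keyManagers point at the IdP's private key. With required, the server aborts with a bad-certificate alert when nothing is presented, which is the SSL_ERROR_BAD_CERT_ALERT a browser without a client certificate reports. One thing worth checking against the Tomcat documentation when using SSLHostConfig directly: the attribute it documents for this setting is certificateVerification, with clientAuth on the Connector as an alias for it.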

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hi Colm

Firstly is there somewhere to see these instructions correctly formatted 
in html?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(svn being the one linked from the main fediz pages)

On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.

I have some more things to try now so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
> Why not try the simple Connector configuration I gave earlier but with your
> own keys?
>
> Colm.
>
> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>> it says
>> clientAuth
>> This is an alias for the certificateVerification attribute of the default
>> SSLHostConfig element.
>>
>> then
>> certificateVerification
>> Set to required if you want the SSL stack to require a valid certificate
>> chain from the client before accepting a connection. Set to optional if you
>> want the SSL stack to request a client Certificate, but not fail if one
>> isn't presented. Set to optionalNoCA if you want client certificates to be
>> optional and you don't want Tomcat to check them against the list of
>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>> JSSE does not) it is treated as if optional was specified. A none value
>> (which is the default) will not require a certificate chain unless the
>> client requests a resource protected by a security constraint that uses
>> CLIENT-CERT authentication.
>>
>> so i changed clientAuth="want" to clientAuth="required". now i cannot
>> access the site at all with
>> Secure Connection Failed
>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>
>> maybe i should try using Tomcat 7?
>>
>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>
>>> The problem is that your Tomcat container hosting the STS is not asking
>>> for
>>> client authentication. You can check this by using a web browser or curl
>>> to
>>> view the WSDL of the STS - if you can get it to work then the
>>> configuration
>>> is incorrect, as it should error on the browser not supplying a client
>>> cert.
>>>
>>> Colm.
>>>
>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>> i spoke too soon.
>>>> i am completely stuck with the same stack trace and no amount of
>>>> reloading
>>>> the certificates is helping.  is there any way to debug what the actual
>>>> problem is?
>>>>
>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>>>> thrown exception, unwinding now
>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>> negotiated.  Is the server set to ask for client authorization?
>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>>> InterceptorChain.java:308)
>>>>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>       at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(Abs
>>>> tractSTSClient.java:861)
>>>>       at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurit
>>>> yTokenResponse(IdpSTSClient.java:47)
>>>>       at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurit
>>>> yTokenResponse(IdpSTSClient.java:42)
>>>>       at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submi
>>>> t(STSClientAction.java:296)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>>> ssorImpl.java:62)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>>> thodAccessorImpl.java:43)
>>>>       at java.lang.reflect.Method.invoke(Method.java:498)
>>>>       at org.springframework.expression.spel.support.ReflectiveMethod
>>>> Executor.execute(ReflectiveMethodExecutor.java:113)
>>>>       at org.springframework.expression.spel.ast.MethodReference.getV
>>>> alueInternal(MethodReference.java:129)
>>>>       at org.springframework.expression.spel.ast.MethodReference.
>>>> access$000(MethodReference.java:49)
>>>>       at org.springframework.expression.spel.ast.MethodReference$Meth
>>>> odValueRef.getValue(MethodReference.java:347)
>>>>       at org.springframework.expression.spel.ast.CompoundExpression.g
>>>> etValueInternal(CompoundExpression.java:88)
>>>>       at org.springframework.expression.spel.ast.SpelNodeImpl.
>>>> getTypedValue(SpelNodeImpl.java:131)
>>>>       at org.springframework.expression.spel.standard.SpelExpression.
>>>> getValue(SpelExpression.java:297)
>>>>       at org.springframework.binding.expression.spel.SpringELExpressi
>>>> on.getValue(SpringELExpression.java:84)
>>>>       at org.springframework.webflow.action.EvaluateAction.doExecute(
>>>> EvaluateAction.java:75)
>>>>       at org.springframework.webflow.action.AbstractAction.execute(Ab
>>>> stractAction.java:188)
>>>>       at org.springframework.webflow.execution.AnnotatedAction.execut
>>>> e(AnnotatedAction.java:145)
>>>>       at org.springframework.webflow.execution.ActionExecutor.execute
>>>> (ActionExecutor.java:51)
>>>>       at org.springframework.webflow.engine.ActionList.execute(Action
>>>> List.java:154)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>>>> ecute(FlowExecutionImpl.java:395)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>       at org.springframework.webflow.engine.TransitionableState.handl
>>>> eEvent(TransitionableState.java:116)
>>>>       at org.springframework.webflow.engine.SubflowState.handleEvent(
>>>> SubflowState.java:116)
>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.jav
>>>> a:547)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.en
>>>> dActiveFlowSession(FlowExecutionImpl.java:414)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>       at org.springframework.webflow.engine.EndState.doEnter(EndState
>>>> .java:107)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>>>> ecute(FlowExecutionImpl.java:395)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>       at org.springframework.webflow.engine.TransitionableState.handl
>>>> eEvent(TransitionableState.java:116)
>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.jav
>>>> a:547)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>       at org.springframework.webflow.engine.ActionState.doEnter(Actio
>>>> nState.java:105)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>>>> ecute(FlowExecutionImpl.java:395)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.execute(RequestControlContextImpl.java:214)
>>>>       at org.springframework.webflow.engine.TransitionableState.handl
>>>> eEvent(TransitionableState.java:116)
>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.jav
>>>> a:547)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>>>> ndleEvent(FlowExecutionImpl.java:390)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>       at org.springframework.webflow.engine.ActionState.doEnter(Actio
>>>> nState.java:105)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>> isionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>> isionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>> isionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>> isionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>>>> art(FlowExecutionImpl.java:368)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContex
>>>> tImpl.start(RequestControlContextImpl.java:234)
>>>>       at org.springframework.webflow.engine.SubflowState.doEnter(Subf
>>>> lowState.java:101)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>> isionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transi
>>>> tion.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>>>> isionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>>>> art(FlowExecutionImpl.java:368)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>>>> art(FlowExecutionImpl.java:223)
>>>>       at org.springframework.webflow.executor.FlowExecutorImpl.launch
>>>> Execution(FlowExecutorImpl.java:140)
>>>>       at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.
>>>> handle(FlowHandlerAdapter.java:263)
>>>>       at org.springframework.web.servlet.DispatcherServlet.doDispatch
>>>> (DispatcherServlet.java:967)
>>>>       at org.springframework.web.servlet.DispatcherServlet.doService(
>>>> DispatcherServlet.java:901)
>>>>       at org.springframework.web.servlet.FrameworkServlet.processRequ
>>>> est(FrameworkServlet.java:970)
>>>>       at org.springframework.web.servlet.FrameworkServlet.doGet(
>>>> FrameworkServlet.java:861)
>>>>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>       at org.springframework.web.servlet.FrameworkServlet.service(
>>>> FrameworkServlet.java:846)
>>>>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>> lter(ApplicationFilterChain.java:231)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>> licationFilterChain.java:166)
>>>>       at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>>>> r.java:52)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>> lter(ApplicationFilterChain.java:193)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>> licationFilterChain.java:166)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>       at org.springframework.security.web.access.intercept.FilterSecu
>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>       at org.springframework.security.web.access.intercept.FilterSecu
>>>> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.access.ExceptionTranslation
>>>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.session.SessionManagementFi
>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.AnonymousAut
>>>> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.servletapi.SecurityContextH
>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>>>> AwareRequestFilter.java:154)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.savedrequest.RequestCacheAw
>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.www.BasicAut
>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.AbstractAuth
>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>>>> nProcessingFilter.java:199)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.logout.Logou
>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.context.request.async.WebAs
>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>>>> erIntegrationFilter.java:50)
>>>>       at org.springframework.web.filter.OncePerRequestFilter.doFilter
>>>> (OncePerRequestFilter.java:107)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.context.SecurityContextPers
>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSP
>>>> ortFilter.java:74)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.access.channel.ChannelProce
>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFil
>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.FilterChainProxy.doFilterIn
>>>> ternal(FilterChainProxy.java:192)
>>>>       at org.springframework.security.web.FilterChainProxy.doFilter(F
>>>> ilterChainProxy.java:160)
>>>>       at org.springframework.web.filter.DelegatingFilterProxy.invokeD
>>>> elegate(DelegatingFilterProxy.java:346)
>>>>       at org.springframework.web.filter.DelegatingFilterProxy.doFilte
>>>> r(DelegatingFilterProxy.java:262)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>> lter(ApplicationFilterChain.java:193)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>> licationFilterChain.java:166)
>>>>       at org.springframework.web.filter.CharacterEncodingFilter.doFil
>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>       at org.springframework.web.filter.OncePerRequestFilter.doFilter
>>>> (OncePerRequestFilter.java:107)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>>>> lter(ApplicationFilterChain.java:193)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>>>> licationFilterChain.java:166)
>>>>       at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
>>>> dWrapperValve.java:198)
>>>>       at org.apache.catalina.core.StandardContextValve.invoke(Standar
>>>> dContextValve.java:96)
>>>>       at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
>>>> stValve.java:140)
>>>>       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
>>>> rtValve.java:80)
>>>>       at org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs
>>>> tractAccessLogValve.java:650)
>>>>       at org.apache.catalina.core.StandardEngineValve.invoke(Standard
>>>> EngineValve.java:87)
>>>>       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
>>>> apter.java:342)
>>>>       at org.apache.coyote.http2.StreamProcessor.service(StreamProces
>>>> sor.java:245)
>>>>       at org.apache.coyote.AbstractProcessorLight.process(AbstractPro
>>>> cessorLight.java:66)
>>>>       at org.apache.coyote.http2.StreamProcessor.process(StreamProces
>>>> sor.java:65)
>>>>       at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.
>>>> java:35)
>>>>       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>> Executor.java:1142)
>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>> lExecutor.java:617)
>>>>       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
>>>> run(TaskThread.java:61)
>>>>       at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>> set, but no local certificates were negotiated.  Is the server set to ask
>>>> for client authorization?
>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>> java:255)
>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>       ... 154 more
>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOExcept
>>>> ion:
>>>> RequireClientCertificate is set, but no local certificates were
>>>> negotiated.  Is the server set to ask for client authorization?
>>>>       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>> ttpsTokenInterceptorProvider.java:143)
>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>       at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLCo
>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>>>> Conduit.java:309)
>>>>       at org.apache.cxf.io.AbstractWrappedOutputStream.write(Abstract
>>>> WrappedOutputStream.java:47)
>>>>       at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(Abs
>>>> tractThresholdOutputStream.java:89)
>>>>       at org.apache.cxf.io.AbstractThresholdOutputStream.write(Abstra
>>>> ctThresholdOutputStream.java:63)
>>>>       at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>       at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.
>>>> java:241)
>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.
>>>> java:253)
>>>>       ... 155 more
>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>> retrieving a token
>>>>
>>>>
>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>
>>>>> Thanks for your help Colm.  I now have it working using the production
>>>>> certificate by following this example
>>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>
>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina
>>>>> base.
>>>>> this seems impractical in production as the certificates get reissued
>>>>> every
>>>>> 6 months.  is it possible for sec:keyStore to define the resource as
>>>>> being
>>>>> in catalina base?
>>>>>
>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>
>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>> think.
>>>>>> As a workaround you can just use the Java keytool command to import
>>>>>> your
>>>>>> PEM key/cert into a JKS keystore.
>>>>>>
>>>>>>> this document
>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>
>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>> version is on github:
>>>>>>
>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>> Hi Colm,
>>>>>>
>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>>> instead of a java keystore?  where is the documentation for
>>>>>>> sec:keyStore?
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>
>>>>>>>> tests,
>>>>>>>> perhaps you could duplicate this config and get it working first
>>>>>>>> before
>>>>>>>> switching over to the APR connector:
>>>>>>>>
>>>>>>>>      <Connector port="9443"
>>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>> maxThreads="150"
>>>>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
>>>>>>>> keystorePass="tompass"
>>>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>>>> truststorePass="ispass" />
>>>>>>>>
>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>> cxf-tls.xml to
>>>>>>>> communicate with the STS from the IdP. The truststore should contain
>>>>>>>> the
>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore
>>>>>>>> the
>>>>>>>> private key of your IdP.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I
>>>>>>>> added
>>>>>>>>
>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the
>>>>>>>>> same
>>>>>>>>> problem
>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.ht
>>>>>>>>> tp11.Http11AprProtocol"
>>>>>>>>>                    maxThreads="150" SSLEnabled="true">
>>>>>>>>>             <UpgradeProtocol className="org.apache.coyote.h
>>>>>>>>> ttp2.Http2Protocol"
>>>>>>>>> />
>>>>>>>>>             <SSLHostConfig clientVerification="required">
>>>>>>>>>                 <Certificate certificateKeyFile="/etc/letse
>>>>>>>>> ncrypt/live/domain.tld/privkey.pem"
>>>>>>>>> certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>> certificateChainFile="/etc/letsencrypt/live/domain.tld/fullc
>>>>>>>>> hain.pem"
>>>>>>>>>                              type="RSA" />
>>>>>>>>>             </SSLHostConfig>
>>>>>>>>>         </Connector>
>>>>>>>>>
>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>> problem?
>>>>>>>>> How would I use production certificates?
>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>             <http:tlsClientParameters
>>>>>>>>>                 disableCNCheck="true">
>>>>>>>>>                 <!-- <sec:trustManagers>
>>>>>>>>>                     <sec:keyStore type="jks" password="ispass"
>>>>>>>>> resource="idp-ssl-trust.jks" />
>>>>>>>>>                 </sec:trustManagers>
>>>>>>>>>                 <sec:keyManagers keyPassword="tompass">
>>>>>>>>>                     <sec:keyStore type="jks" password="tompass"
>>>>>>>>> resource="idp-ssl-key.jks"/>
>>>>>>>>>                 </sec:keyManagers> -->
>>>>>>>>>             </http:tlsClientParameters>
>>>>>>>>>         </http:conduit>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>
>>>>>>>>> but now i have this
>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>>>>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>>>>>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/20051
>>>>>>>>>> 2/}Issue
>>>>>>>>>> has
>>>>>>>>>> thrown exception, unwinding now
>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model
>>>>>>>>>> to
>>>>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>>>>> were
>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>         at org.apache.cxf.binding.soap.sa
>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>         at org.apache.cxf.binding.soap.sa
>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>         at org.apache.cxf.phase.PhaseInte
>>>>>>>>>> rceptorChain.doIntercept(Phase
>>>>>>>>>> InterceptorChain.java:308)
>>>>>>>>>>         at org.apache.cxf.endpoint.Client
>>>>>>>>>> Impl.doInvoke(ClientImpl.java:
>>>>>>>>>> 518)
>>>>>>>>>>         ...
>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>> RequireClientCertificate
>>>>>>>>>> is
>>>>>>>>>> set, but no local certificates were negotiated.  Is the server set
>>>>>>>>>> to
>>>>>>>>>> ask
>>>>>>>>>> for client authorization?
>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>> er.flush(BaseStreamWriter.java
>>>>>>>>>> :255)
>>>>>>>>>>         at org.apache.cxf.binding.soap.sa
>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>         ... 154 more
>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>> ion:
>>>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>         at org.apache.cxf.ws.security.pol
>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>         at org.apache.cxf.transport.http.
>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>         ...
>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>>>> retrieving a token
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>> ok i now have a different error and it doesn't load the login
>>>>>>>>>> screen
>>>>>>>>>>
>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator -
>>>>>>>>>>> No
>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>>> horityEntitlements
>>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>>
>>>>>>>>>>> the previous one was caused by
>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443
>>>>>>>>>>> /idp-sts/REALMMYREALM" />
>>>>>>>>>>> should have been
>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/id
>>>>>>>>>>> p-sts/REALMMYREALM"
>>>>>>>>>>> />
>>>>>>>>>>> according to original file
>>>>>>>>>>>
>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> Yes I have:
>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>> ...
>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>     </property>
>>>>>>>>>>>> ...
>>>>>>>>>>>> </bean>
>>>>>>>>>>>>
>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>> </bean>
>>>>>>>>>>>>
>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>> </bean>
>>>>>>>>>>>>
>>>>>>>>>>>> etc.
>>>>>>>>>>>>
>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it
>>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>

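The two log lines quoted above come from the same step of the IdP's passive-requestor flow: the IdP looks up the incoming wtrealm in its list of ApplicationEntity beans (an unknown realm produces "No service config found"), and the matching entity's passiveRequestorEndpointConstraint is the regular expression the wreply return address is checked against before the IdP redirects the signed-in user, token in hand, to it. The script below is an added example written for this page, not Fediz's own code or data model. It models that two-step check over constructed inputs to show which wreply values the constraint from the thread, https://localhost:?(\d)*/.*, accepts and rejects. It assumes the constraint is applied as a whole-string match, which is what Java's Matcher.matches() and Python's re.fullmatch both do; confirm that against EndpointAddressValidator in your Fediz version. The tighter pattern and the substring-match comparison are this example's own assumptions, not settings from the thread.

```python
import re

# Constructed stand-in for the IdP's application list, keyed by realm, using
# the ApplicationEntity values quoted in the thread. Not Fediz's data model.
APPLICATIONS = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": {
        "passiveRequestorEndpointConstraint": r"https://localhost:?(\d)*/.*",
        "logoutEndpointConstraint": r"https://localhost:?(\d)*/.*",
    },
}

# Tighter alternative (an assumption of this example, not from the thread):
# a port may only follow a colon, so a host such as "localhost1" no longer
# slips through the way it does with ":?(\d)*", where the optional colon and
# the digits are matched independently.
TIGHTER_CONSTRAINT = r"https://localhost(:\d+)?/.*"


def accepts(constraint, wreply):
    """Whole-string match: the anchored semantics assumed for the IdP check."""
    return re.fullmatch(constraint, wreply) is not None


def validate_endpoint(realm, wreply, applications=APPLICATIONS,
                      key="passiveRequestorEndpointConstraint"):
    """Return (accepted, reason) for a wtrealm/wreply pair.

    Mirrors the two decisions behind the log lines in the thread: an unknown
    wtrealm yields "No service config found", and a known realm's constraint
    is applied to the whole wreply. Pass key="logoutEndpointConstraint" to
    run the same check for the wreply of a sign-out request.
    """
    app = applications.get(realm)
    if app is None:
        return False, "No service config found for " + realm
    constraint = app.get(key)
    if not constraint:
        return False, "No " + key + " configured for " + realm
    if not accepts(constraint, wreply):
        return False, "wreply does not match " + constraint
    return True, "ok"


def substring_match(constraint, wreply):
    """What an unanchored check (re.search, Java Matcher.find()) would accept.

    Shown only to make the point that the match must be anchored: with search
    semantics, any attacker-controlled URL that merely contains an allowed
    address somewhere inside it passes, and the token is redirected there.
    """
    return re.search(constraint, wreply) is not None


def run_cases():
    """Evaluate constructed wreply values against the thread's constraint."""
    realm = "urn:org:apache:cxf:fediz:fedizhelloworld"
    cases = [
        ("https://localhost:9443/fedizhelloworld/secure/fedservlet", True),
        ("https://localhost/fedizhelloworld/secure/fedservlet", True),
        ("https://localhost:9443", False),                       # no "/" after the port
        ("http://localhost:9443/fedizhelloworld/", False),       # plain http
        ("https://localhost.evil.example/fedizhelloworld/", False),  # lookalike host
        ("https://evil.example/?next=https://localhost:9443/x", False),
        ("https://localhost1/fedizhelloworld/", True),           # quirk of ":?(\d)*"
    ]
    results = {}
    for wreply, expected in cases:
        accepted, _ = validate_endpoint(realm, wreply)
        assert accepted == expected, (wreply, accepted)
        results[wreply] = accepted
    return results


if __name__ == "__main__":
    for wreply, accepted in run_cases().items():
        print("ACCEPT" if accepted else "REJECT", wreply)
    # A typo in wtrealm reproduces the warning from the thread.
    print(validate_endpoint("urn:org:apache:cxf:fediz:fedizhellowrld", "https://localhost:9443/x")[1])
    crafted = "https://evil.example/?next=https://localhost:9443/x"
    pattern = APPLICATIONS["urn:org:apache:cxf:fediz:fedizhelloworld"]["passiveRequestorEndpointConstraint"]
    print("anchored :", accepts(pattern, crafted))          # False
    print("substring:", substring_match(pattern, crafted))  # True
    print("tighter  :", accepts(TIGHTER_CONSTRAINT, "https://localhost1/fedizhelloworld/"))  # False
```

The cases worth noting for a production IdP: the constraint must describe every host, port and path the application can legitimately ask to be returned to (a missing trailing "/" is rejected, plain http is rejected), but no more than that, since this regular expression is the only thing standing between a signed-in user's token and an attacker-chosen wreply.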


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
Why not try the simple Connector configuration I gave earlier but with your
own keys?

Colm.

On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
> clientAuth
> This is an alias for the certificateVerification attribute of the default
> SSLHostConfig element.
>
> then
> certificateVerification
> Set to required if you want the SSL stack to require a valid certificate
> chain from the client before accepting a connection. Set to optional if you
> want the SSL stack to request a client Certificate, but not fail if one
> isn't presented. Set to optionalNoCA if you want client certificates to be
> optional and you don't want Tomcat to check them against the list of
> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
> JSSE does not) it is treated as if optional was specified. A none value
> (which is the default) will not require a certificate chain unless the
> client requests a resource protected by a security constraint that uses
> CLIENT-CERT authentication.
>
> so i changed clientAuth="want" to clientAuth="required". now i cannot
> access the site at all with
> Secure Connection Failed
> An error occurred during a connection to domain.tld:9443. SSL peer cannot
> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>
> maybe i should try using Tomcat 7?
>
> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>
>> The problem is that your Tomcat container hosting the STS is not asking for
>> client authentication. You can check this by using a web browser or curl to
>> view the WSDL of the STS - if you can get it to work then the configuration
>> is incorrect, as it should error on the browser not supplying a client cert.
>>
>> Colm.
>>
>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> i spoke too soon.
>>>
>>> i am completely stuck with the same stack trace and no amount of reloading
>>> the certificates is helping.  is there any way to debug what the actual
>>> problem is?
>>>
>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>      at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>      at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>      at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>      at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>>      at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>      at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>      at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>      at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>      at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>      at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>      at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>      at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>      at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>      at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>      at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>      at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>      at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>      at org.springframework.webflow.engine.State.enter(State.java:193)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>      at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>      at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>      at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>      at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>      at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>      at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>      at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>      at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>      at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>      at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>      at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>      at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>      at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>>      at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>      at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>      at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>      at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>      at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>      at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>      at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>      at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>      at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>      at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>      at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>      at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>      at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>      at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>      at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>      at java.lang.Thread.run(Thread.java:748)
>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>      ... 154 more
>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>      at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>      at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>      at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>      at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>      at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>      at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>      ... 155 more
>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>
>>>
>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>
>>>> Thanks for your help Colm.  I now have it working using the production
>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>>> to export the pems into jks files.
>>>>
>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>> this seems impractical in production as the certificates get reissued every
>>>> 6 months.  is it possible for sec:keyStore to define the resource as being
>>>> in catalina base?
>>>>
>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>
>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>> As a workaround you can just use the Java keytool command to import your
>>>>> PEM key/cert into a JKS keystore.
>>>>>
>>>>>> this document
>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>
>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>> version is on github:
>>>>>
>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>> Hi Colm,
>>>>>
>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>> tests, perhaps you could duplicate this config and get it working first
>>>>>>> before switching over to the APR connector:
>>>>>>>
>>>>>>>     <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>                clientAuth="want" sslProtocol="TLS"
>>>>>>>                keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>                truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>
>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml
>>>>>>> to communicate with the STS from the IdP. The truststore should contain
>>>>>>> the issuing cert of the Tomcat instance hosting your STS + then keystore
>>>>>>> the private key of your IdP.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I
>>>>>>>> added clientVerification="required" to SSLHostConfig but I still have
>>>>>>>> the same problem
>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>     <!-- clientVerification is not an attribute of SSLHostConfig in Tomcat 8.5;
>>>>>>>>          the documented name is certificateVerification (clientAuth on the
>>>>>>>>          Connector is its alias), so the value below is not applied. -->
>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>                      type="RSA" />
>>>>>>>>     </SSLHostConfig>
>>>>>>>> </Connector>
>>>>>>>>
>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>> problem?  How would I use production certificates?
>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>         </sec:trustManagers>
>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>     </http:tlsClientParameters>
>>>>>>>> </http:conduit>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>>
>>>>>>>>> but now i have this
>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>        ...
>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>        ... 154 more
>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>        ...
>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>>
>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>>> horityEntitlements
>>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>>
>>>>>>>>>> the previous one was caused by
>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>> should have been
>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>> according to the original file
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> Yes I have:
>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>> ...
>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>         <util:list>
>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>         </util:list>
>>>>>>>>>>>     </property>
>>>>>>>>>>> ...
>>>>>>>>>>> </bean>
>>>>>>>>>>>
>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>> </bean>
>>>>>>>>>>>
>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>> </bean>
>>>>>>>>>>>
>>>>>>>>>>> etc.
>>>>>>>>>>>
>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It
>>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>>
>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matthew


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
In Tomcat 8
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
it says
clientAuth
This is an alias for the certificateVerification attribute of the 
default SSLHostConfig element.

then
certificateVerification
Set to required if you want the SSL stack to require a valid certificate 
chain from the client before accepting a connection. Set to optional if 
you want the SSL stack to request a client Certificate, but not fail if 
one isn't presented. Set to optionalNoCA if you want client certificates 
to be optional and you don't want Tomcat to check them against the list 
of trusted CAs. If the TLS provider doesn't support this option (OpenSSL 
does, JSSE does not) it is treated as if optional was specified. A none 
value (which is the default) will not require a certificate chain unless 
the client requests a resource protected by a security constraint that 
uses CLIENT-CERT authentication.

so I changed clientAuth="want" to clientAuth="required". Now I cannot
access the site at all with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer
cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

maybe I should try using Tomcat 7?

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
> The problem is that your Tomcat container hosting the STS is not asking for
> client authentication. You can check this by using a web browser or curl to
> view the WSDL of the STS - if you can get it to work then the configuration
> is incorrect, as it should error on the browser not supplying a client cert.
>
> Colm.
>
> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> I spoke too soon.
>>
>> I am completely stuck with the same stack trace and no amount of reloading
>> the certificates is helping.  Is there any way to debug what the actual
>> problem is?
>>
>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>> has thrown exception, unwinding now
>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>> stream: RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>> set, but no local certificates were negotiated.  Is the server set to ask
>> for client authorization?
>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>> RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>> retrieving a token
>>
>>
>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>
>>> Thanks for your help Colm.  I now have it working using the production
>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>> to export the pems into jks files.
>>>
>>> but in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>> This seems impractical in production as the certificates get reissued every
>>> 6 months.  Is it possible for sec:keyStore to define the resource as being
>>> in catalina base?
>>>
>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>
>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>> think.
>>>> As a workaround you can just use the Java keytool command to import your
>>>> PEM key/cert into a JKS keystore.
>>>>
>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>
>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>> version is on github:
>>>>
>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>
>>>> Colm.
>>>>
>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi Colm,
>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>> instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>
>>>>> Matt
>>>>>
>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>> switching over to the APR connector:
>>>>>>
>>>>>>     <Connector port="9443"
>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>> truststorePass="ispass" />
>>>>>>
>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>>> private key of your IdP.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>> problem
>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>                      type="RSA" />
>>>>>>>     </SSLHostConfig>
>>>>>>> </Connector>
>>>>>>>
>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>> problem?
>>>>>>> How would I use production certificates?
>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>         </sec:trustManagers>
>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>         </sec:keyManagers> -->
>>>>>>>     </http:tlsClientParameters>
>>>>>>> </http:conduit>
>>>>>>>
>>>>>>>
>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>
>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>
>>>>>>>> but now i have this
>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for
>>>>>>>> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>> has thrown exception, unwinding now
>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>        at org.apache.cxf.binding.soap.sa
>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>        at org.apache.cxf.binding.soap.sa
>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>        at org.apache.cxf.phase.PhaseInte
>>>>>>>> rceptorChain.doIntercept(Phase
>>>>>>>> InterceptorChain.java:308)
>>>>>>>>        at org.apache.cxf.endpoint.Client
>>>>>>>> Impl.doInvoke(ClientImpl.java:
>>>>>>>> 518)
>>>>>>>>        ...
>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>> RequireClientCertificate
>>>>>>>> is
>>>>>>>> set, but no local certificates were negotiated.  Is the server set to
>>>>>>>> ask
>>>>>>>> for client authorization?
>>>>>>>>        at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>> er.flush(BaseStreamWriter.java
>>>>>>>> :255)
>>>>>>>>        at org.apache.cxf.binding.soap.sa
>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>        ... 154 more
>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>> ion:
>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>        at org.apache.cxf.ws.security.pol
>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>        at org.apache.cxf.transport.http.
>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>        at org.apache.cxf.transport.http.
>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>        ...
>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>> retrieving a token
>>>>>>>>
>>>>>>>>
>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>
>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator -
>>>>>>>>> No
>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>>>> horityEntitlements
>>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>>
>>>>>>>>> the previous one was caused by
>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>> should have been
>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>> according to original file
>>>>>>>>>
>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> Yes I have:
>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>> ...
>>>>>>>>>>            <property name="applications">
>>>>>>>>>>                <util:list>
>>>>>>>>>>                    <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>            <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>                </util:list>
>>>>>>>>>>            </property>
>>>>>>>>>> ...
>>>>>>>>>> </bean>
>>>>>>>>>>
>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>            <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>            <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>            <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>            <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>            <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>            <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>            <property name="lifeTime" value="3600" />
>>>>>>>>>>            <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>            <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>> </bean>
>>>>>>>>>>
>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>            <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>            <property name="claim" ref="claim_role" />
>>>>>>>>>>            <property name="optional" value="false" />
>>>>>>>>>> </bean>
>>>>>>>>>>
>>>>>>>>>> etc.
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>
>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>
>>>>>>>>>>>> Matthew
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>
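As an added example, not code from this thread or from the Fediz project, the script below turns the Let's Encrypt PEM files named in this message into the idp-ssl-key.jks / idp-ssl-trust.jks pair that the commented-out sec:keyManagers / sec:trustManagers block in cxf-tls.xml expects (IdP private key in the keystore, issuing cert of the STS's Tomcat in the truststore), and classifies an openssl s_client transcript to tell whether the STS endpoint actually sends a CertificateRequest, which is what the "RequireClientCertificate is set, but no local certificates were negotiated" error is asking about. LE_DIR and the passwords come from the thread; STS_HOST, STS_PORT, the key alias and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Fediz project): build the JKS
# keystore/truststore for cxf-tls.xml from Let's Encrypt PEM files, then
# check whether the STS's TLS endpoint asks for a client certificate.
# Assumptions: LE_DIR is the thread's path; STS_HOST/STS_PORT, the alias and
# the output file names are placeholders; passwords are the thread's values.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/domain.tld}"
KEY_PASS="${KEY_PASS:-tompass}"     # sec:keyManagers keyPassword / keyStore password
TRUST_PASS="${TRUST_PASS:-ispass}"  # sec:trustManagers keyStore password
STS_HOST="${STS_HOST:-domain.tld}"  # assumption: STS on the same host as the IdP
STS_PORT="${STS_PORT:-9443}"

# Keystore for the IdP's client certificate ("the private key of your IdP").
# keytool cannot import a bare PEM private key, so go via a PKCS#12 bundle;
# fullchain.pem carries the leaf plus the intermediate, so the STS side can
# build the chain when it verifies the client certificate.
build_idp_keystore() {
    out="$1"
    openssl pkcs12 -export -name idp \
        -inkey "$LE_DIR/privkey.pem" -in "$LE_DIR/fullchain.pem" \
        -passout "pass:$KEY_PASS" -out "$out.p12"
    keytool -importkeystore -noprompt \
        -srckeystore "$out.p12" -srcstoretype PKCS12 -srcstorepass "$KEY_PASS" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$KEY_PASS" \
        -destkeypass "$KEY_PASS"
    rm -f "$out.p12"
}

# Truststore holding the issuing cert of the Tomcat that hosts the STS.
# $2 is a PEM file with that issuer; when the STS uses the same Let's Encrypt
# certificate as the IdP, chain.pem in LE_DIR is that issuer (assumption).
build_idp_truststore() {
    out="$1"; issuer_pem="$2"
    keytool -importcert -noprompt -trustcacerts -alias sts-issuer \
        -file "$issuer_pem" -keystore "$out" -storetype JKS -storepass "$TRUST_PASS"
}

# Raw TLS handshake transcript against the STS port, offering no client cert.
sts_handshake() {
    openssl s_client -connect "$STS_HOST:$STS_PORT" -servername "$STS_HOST" \
        </dev/null 2>&1
}

# Classify an s_client transcript read from stdin. Prints one word and
# returns 0 only when the server sent a CertificateRequest. s_client lists
# the CA names from that request under "Acceptable client certificate CA
# names"; "No client certificate CA names sent" is printed both when nothing
# was requested and when the request carried an empty CA list, so it counts
# as "not-requested" only if no "Client Certificate Types" line appears.
client_auth_requested() {
    transcript="$(cat)"
    case "$transcript" in
        *"Acceptable client certificate CA names"*|*"Client Certificate Types"*)
            echo requested; return 0 ;;
        *"No client certificate CA names sent"*)
            echo not-requested; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Usage:  sh idp-tls.sh build idp-ssl-key.jks idp-ssl-trust.jks "$LE_DIR/chain.pem"
#         sh idp-tls.sh check     (exit 0 = STS asks for a client cert)
case "${1:-}" in
    build) build_idp_keystore "$2"; build_idp_truststore "$3" "$4" ;;
    check) sts_handshake | client_auth_requested ;;
esac
```

sec:keyStore also accepts a file attribute with an absolute path (a CXF configuration-schema attribute, not something this thread mentions), so the generated JKS files can be read from a directory outside the webapp instead of being copied into WEB-INF/classes.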


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
The problem is that your Tomcat container hosting the STS is not asking for
client authentication. You can check this by using a web browser or curl to
view the WSDL of the STS - if you can get it to work then the configuration
is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> i spoke too soon.
>
> i am completely stuck with the same stack trace and no amount of reloading
> the certificates is helping.  is there any way to debug what the actual
> problem is?
>
> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
> thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
> stream: RequireClientCertificate is set, but no local certificates were
> negotiated.  Is the server set to ask for client authorization?
>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
> InterceptorChain.java:308)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(Abs
> tractSTSClient.java:861)
>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurit
> yTokenResponse(IdpSTSClient.java:47)
>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurit
> yTokenResponse(IdpSTSClient.java:42)
>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submi
> t(STSClientAction.java:296)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
> ssorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
> thodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.springframework.expression.spel.support.ReflectiveMethod
> Executor.execute(ReflectiveMethodExecutor.java:113)
>     at org.springframework.expression.spel.ast.MethodReference.getV
> alueInternal(MethodReference.java:129)
>     at org.springframework.expression.spel.ast.MethodReference.
> access$000(MethodReference.java:49)
>     at org.springframework.expression.spel.ast.MethodReference$Meth
> odValueRef.getValue(MethodReference.java:347)
>     at org.springframework.expression.spel.ast.CompoundExpression.g
> etValueInternal(CompoundExpression.java:88)
>     at org.springframework.expression.spel.ast.SpelNodeImpl.
> getTypedValue(SpelNodeImpl.java:131)
>     at org.springframework.expression.spel.standard.SpelExpression.
> getValue(SpelExpression.java:297)
>     at org.springframework.binding.expression.spel.SpringELExpressi
> on.getValue(SpringELExpression.java:84)
>     at org.springframework.webflow.action.EvaluateAction.doExecute(
> EvaluateAction.java:75)
>     at org.springframework.webflow.action.AbstractAction.execute(Ab
> stractAction.java:188)
>     at org.springframework.webflow.execution.AnnotatedAction.execut
> e(AnnotatedAction.java:145)
>     at org.springframework.webflow.execution.ActionExecutor.execute
> (ActionExecutor.java:51)
>     at org.springframework.webflow.engine.ActionList.execute(Action
> List.java:154)
>     at org.springframework.webflow.engine.State.enter(State.java:193)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
> ecute(FlowExecutionImpl.java:395)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.execute(RequestControlContextImpl.java:214)
>     at org.springframework.webflow.engine.TransitionableState.handl
> eEvent(TransitionableState.java:116)
>     at org.springframework.webflow.engine.SubflowState.handleEvent(
> SubflowState.java:116)
>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
> ndleEvent(FlowExecutionImpl.java:390)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.handleEvent(RequestControlContextImpl.java:210)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.en
> dActiveFlowSession(FlowExecutionImpl.java:414)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>     at org.springframework.webflow.engine.EndState.doEnter(EndState
> .java:107)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
> ecute(FlowExecutionImpl.java:395)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.execute(RequestControlContextImpl.java:214)
>     at org.springframework.webflow.engine.TransitionableState.handl
> eEvent(TransitionableState.java:116)
>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
> ndleEvent(FlowExecutionImpl.java:390)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.handleEvent(RequestControlContextImpl.java:210)
>     at org.springframework.webflow.engine.ActionState.doEnter(Actio
> nState.java:105)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
> ecute(FlowExecutionImpl.java:395)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.execute(RequestControlContextImpl.java:214)
>     at org.springframework.webflow.engine.TransitionableState.handl
> eEvent(TransitionableState.java:116)
>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
> ndleEvent(FlowExecutionImpl.java:390)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.handleEvent(RequestControlContextImpl.java:210)
>     at org.springframework.webflow.engine.ActionState.doEnter(Actio
> nState.java:105)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.DecisionState.doEnter(Dec
> isionState.java:51)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.DecisionState.doEnter(Dec
> isionState.java:51)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.DecisionState.doEnter(Dec
> isionState.java:51)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.DecisionState.doEnter(Dec
> isionState.java:51)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
> art(FlowExecutionImpl.java:368)
>     at org.springframework.webflow.engine.impl.RequestControlContex
> tImpl.start(RequestControlContextImpl.java:234)
>     at org.springframework.webflow.engine.SubflowState.doEnter(Subf
> lowState.java:101)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.DecisionState.doEnter(Dec
> isionState.java:51)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Transition.execute(Transi
> tion.java:228)
>     at org.springframework.webflow.engine.DecisionState.doEnter(Dec
> isionState.java:51)
>     at org.springframework.webflow.engine.State.enter(State.java:194)
>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
> art(FlowExecutionImpl.java:368)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
> art(FlowExecutionImpl.java:223)
>     at org.springframework.webflow.executor.FlowExecutorImpl.launch
> Execution(FlowExecutorImpl.java:140)
>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.
> handle(FlowHandlerAdapter.java:263)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch
> (DispatcherServlet.java:967)
>     at org.springframework.web.servlet.DispatcherServlet.doService(
> DispatcherServlet.java:901)
>     at org.springframework.web.servlet.FrameworkServlet.processRequ
> est(FrameworkServlet.java:970)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(
> FrameworkServlet.java:861)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>     at org.springframework.web.servlet.FrameworkServlet.service(
> FrameworkServlet.java:846)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:231)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:166)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
> r.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:193)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:166)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.access.intercept.FilterSecu
> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>     at org.springframework.security.web.access.intercept.FilterSecu
> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.ExceptionTranslation
> Filter.doFilter(ExceptionTranslationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.session.SessionManagementFi
> lter.doFilter(SessionManagementFilter.java:103)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AnonymousAut
> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.apache.cxf.fediz.service.idp.service.security.GrantedAut
> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.servletapi.SecurityContextH
> olderAwareRequestFilter.doFilter(SecurityContextHolder
> AwareRequestFilter.java:154)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.savedrequest.RequestCacheAw
> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.www.BasicAut
> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AbstractAuth
> enticationProcessingFilter.doFilter(AbstractAuthenticatio
> nProcessingFilter.java:199)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.logout.Logou
> tFilter.doFilter(LogoutFilter.java:110)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.request.async.WebAs
> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
> erIntegrationFilter.java:50)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter
> (OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPers
> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSP
> ortFilter.java:74)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.channel.ChannelProce
> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>     at org.springframework.security.web.FilterChainProxy$VirtualFil
> terChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterIn
> ternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(F
> ilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeD
> elegate(DelegatingFilterProxy.java:346)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilte
> r(DelegatingFilterProxy.java:262)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:193)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:166)
>     at org.springframework.web.filter.CharacterEncodingFilter.doFil
> terInternal(CharacterEncodingFilter.java:197)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter
> (OncePerRequestFilter.java:107)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:193)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:166)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
> dWrapperValve.java:198)
>     at org.apache.catalina.core.StandardContextValve.invoke(Standar
> dContextValve.java:96)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
> stValve.java:140)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
> rtValve.java:80)
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs
> tractAccessLogValve.java:650)
>     at org.apache.catalina.core.StandardEngineValve.invoke(Standard
> EngineValve.java:87)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
> apter.java:342)
>     at org.apache.coyote.http2.StreamProcessor.service(StreamProces
> sor.java:245)
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractPro
> cessorLight.java:66)
>     at org.apache.coyote.http2.StreamProcessor.process(StreamProces
> sor.java:65)
>     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
> run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
> set, but no local certificates were negotiated.  Is the server set to ask
> for client authorization?
>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>     ... 154 more
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
> RequireClientCertificate is set, but no local certificates were
> negotiated.  Is the server set to ask for client authorization?
>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
> ttpsTokenInterceptorProvider.java:143)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
> m.makeTrustDecision(HTTPConduit.java:1780)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
> m.onFirstWrite(HTTPConduit.java:1293)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLCo
> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
> Conduit.java:309)
>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(Abstract
> WrappedOutputStream.java:47)
>     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(Abs
> tractThresholdOutputStream.java:89)
>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(Abstra
> ctThresholdOutputStream.java:63)
>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.
> java:241)
>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>     ... 155 more
> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
> retrieving a token
>
>
> On 23/10/2017 19:41, Matthew Broadhead wrote:
>
>> Thanks for your help Colm.  I now have it working using the production
>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>> to export the pems into jks files.
>>
>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>> this seems impractical in production as the certificates get reissued every
>> 6 months.  is it possible for sec:keyStore to define the resource as being
>> in catalina base?
>>
>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>
>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>> sec:certStore that works with PEM files, but only for TrustStores I
>>> think.
>>> As a workaround you can just use the Java keytool command to import your
>>> PEM key/cert into a JKS keystore.
>>>
>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>
>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>> version is on github:
>>>
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> Colm.
>>>
>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>
>>>> Matt
>>>>
>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>
>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>> perhaps you could duplicate this config and get it working first before
>>>>> switching over to the APR connector:
>>>>>
>>>>>    <Connector port="9443"
>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>> truststorePass="ispass" />
>>>>>
>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>> issuing cert of the Tomcat instance hosting your STS + the keystore the
>>>>> private key of your IdP.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I
>>>>>> added clientVerification="required" to SSLHostConfig but I still have the
>>>>>> same problem
>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>                  maxThreads="150" SSLEnabled="true">
>>>>>>           <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>           <SSLHostConfig clientVerification="required">
>>>>>>               <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>                            certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>                            certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>                            type="RSA" />
>>>>>>           </SSLHostConfig>
>>>>>>       </Connector>
>>>>>>
>>>>>> I commented the trustManagers and keyManagers in
>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>>> How would I use production certificates?
>>>>>> <http:conduit name="*.http-conduit">
>>>>>>           <http:tlsClientParameters
>>>>>>               disableCNCheck="true">
>>>>>>               <!-- <sec:trustManagers>
>>>>>>                   <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>               </sec:trustManagers>
>>>>>>               <sec:keyManagers keyPassword="tompass">
>>>>>>                   <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>               </sec:keyManagers> -->
>>>>>>           </http:tlsClientParameters>
>>>>>>       </http:conduit>
>>>>>>
>>>>>>
>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>
>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>
>>>>>>> but now i have this
>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>> has
>>>>>>> thrown exception, unwinding now
>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>> stream: RequireClientCertificate is set, but no local certificates
>>>>>>> were
>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>       at org.apache.cxf.binding.soap.sa
>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>       at org.apache.cxf.binding.soap.sa
>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>       at org.apache.cxf.phase.PhaseInte
>>>>>>> rceptorChain.doIntercept(Phase
>>>>>>> InterceptorChain.java:308)
>>>>>>>       at org.apache.cxf.endpoint.Client
>>>>>>> Impl.doInvoke(ClientImpl.java:
>>>>>>> 518)
>>>>>>>       ...
>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>> RequireClientCertificate
>>>>>>> is
>>>>>>> set, but no local certificates were negotiated.  Is the server set to
>>>>>>> ask
>>>>>>> for client authorization?
>>>>>>>       at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>> er.flush(BaseStreamWriter.java
>>>>>>> :255)
>>>>>>>       at org.apache.cxf.binding.soap.sa
>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>       ... 154 more
>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>> ion:
>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>       at org.apache.cxf.ws.security.pol
>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>       at org.apache.cxf.transport.http.
>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>       at org.apache.cxf.transport.http.
>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>       ...
>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>> retrieving a token
>>>>>>>
>>>>>>>
>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>
>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'IDP_READ' not found
>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'IDP_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>>>>>> - Enriched AuthenticationToken added
>>>>>>>>
>>>>>>>> the previous one was caused by
>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>> should have been
>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>> according to original file
>>>>>>>>
>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> Hi Colm,
>>>>>>>>>
>>>>>>>>> Yes I have:
>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>> ...
>>>>>>>>>     <property name="applications">
>>>>>>>>>         <util:list>
>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>         </util:list>
>>>>>>>>>     </property>
>>>>>>>>> ...
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> etc.
>>>>>>>>>
>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Do you have an
>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>
>>>>>>>>>>> but then i get the following error
>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>
>>>>>>>>>>> Matthew
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
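
[Added example by the editor; this is not code from the thread or from the Fediz project.] The cxf-tls.xml quoted above has its sec:trustManagers and sec:keyManagers commented out, and the stack trace in the thread reports that RequireClientCertificate is set but no local certificate was negotiated. The keyManagers entry is what lets the IdP's HTTP conduit present a client certificate to the STS, so with it removed the conduit has nothing to offer. The script below builds the two stores that entry needs from PEM files laid out like the Let's Encrypt ones in the server.xml above: a PKCS12 keystore holding the IdP's private key and chain (for sec:keyManagers, with type="pkcs12"), and a JKS truststore holding only the issuing certificate of the Tomcat that fronts the STS (for sec:trustManagers), following the division of roles Colm describes. Everything it signs is constructed demo material (a throwaway CA, the name idp.example.test, a scratch directory); tompass and ispass are the sample passwords from the thread, used here only so the file names line up with the quoted config.

```shell
#!/bin/sh
# Added example; not code from the thread or from Fediz. Builds the keystore
# and truststore that the sec:keyManagers / sec:trustManagers entries in
# cxf-tls.xml point at, starting from PEM files laid out like Let's Encrypt's
# privkey.pem / cert.pem / fullchain.pem. All names and paths are constructed
# demo material; tompass / ispass are the sample passwords from the thread.
set -eu

# Stand-in for /etc/letsencrypt/live/<host>/: a throwaway issuing CA and a
# leaf certificate it signs, written out as privkey.pem, cert.pem and
# fullchain.pem so the rest of the script sees the same layout as production.
make_demo_pems() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=demo-issuing-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.test" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -days 2 -out "$dir/cert.pem" 2>/dev/null
  cat "$dir/cert.pem" "$dir/ca-cert.pem" > "$dir/fullchain.pem"
}

# Keystore for sec:keyManagers: the IdP's own private key plus its chain, as
# PKCS12 (use type="pkcs12" on sec:keyStore). openssl pairs the key with the
# matching leaf in fullchain.pem and stores the remaining certs as the chain.
build_keystore() {
  pemdir="$1"; out="$2"; pass="$3"
  openssl pkcs12 -export -name idp \
    -inkey "$pemdir/privkey.pem" -in "$pemdir/fullchain.pem" \
    -out "$out" -passout "pass:$pass"
}

# Truststore for sec:trustManagers: only the issuing certificate of the Tomcat
# that hosts the STS (the demo CA here), never the IdP's private key. Written
# as JKS with keytool, because Java does not reliably load certificate-only
# PKCS12 files produced by openssl as trusted entries.
build_truststore() {
  issuer="$1"; out="$2"; pass="$3"
  keytool -importcert -noprompt -alias sts-issuer -file "$issuer" \
    -keystore "$out" -storetype JKS -storepass "$pass" >/dev/null 2>&1
}

# Read back the subject of the leaf certificate stored with the key: a cheap
# check that the key/cert pairing worked before the file goes into cxf-tls.xml.
keystore_leaf_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Subject of the first chain certificate carried alongside the key.
keystore_issuer_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Stand-alone run: build both stores into a scratch directory.
WORK=$(mktemp -d)
make_demo_pems "$WORK/pem"
build_keystore "$WORK/pem" "$WORK/idp-ssl-key.p12" tompass
echo "keystore leaf:   $(keystore_leaf_subject "$WORK/idp-ssl-key.p12" tompass)"
echo "keystore issuer: $(keystore_issuer_subject "$WORK/idp-ssl-key.p12" tompass)"
if command -v keytool >/dev/null 2>&1; then
  build_truststore "$WORK/pem/ca-cert.pem" "$WORK/idp-ssl-trust.jks" ispass
  echo "truststore written to $WORK/idp-ssl-trust.jks"
else
  echo "keytool not found; skipping the JKS truststore step"
fi
```

Two things to watch when moving from the demo to the real files: an OpenSSL 3 build encrypts PKCS12 with PBES2/AES by default, which older JDK 8 releases cannot read, so add -legacy to the openssl pkcs12 -export call if the IdP runs on such a JDK; and because the Let's Encrypt files are reissued regularly, the conversion is best run from the renewal hook so the stores referenced by sec:keyStore are rebuilt at the same time.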

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
i spoke too soon.

i am completely stuck with the same stack trace and no amount of 
reloading the certificates is helping.  is there any way to debug what 
the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN 
org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for 
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue 
has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to 
stream: RequireClientCertificate is set, but no local certificates were 
negotiated.  Is the server set to ask for client authorization?
     at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
     at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
     at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
     at 
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
     at 
org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
     at 
org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
     at 
org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at 
org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
     at 
org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
     at 
org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
     at 
org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
     at 
org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
     at 
org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
     at 
org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
     at 
org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
     at 
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
     at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
     at 
org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
     at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
     at 
org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
     at org.springframework.webflow.engine.State.enter(State.java:193)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
     at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
     at 
org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
     at 
org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
     at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
     at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
     at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
     at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
     at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
     at 
org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
     at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
     at org.springframework.webflow.engine.State.enter(State.java:194)
     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
     at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
     at 
org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
     at 
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
     at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
     at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
     at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
     at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
     at 
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
     at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
     at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
     at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
     at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
     at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
     at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
     at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
     at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
     at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
     at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
     at 
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
     at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
     at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
     at 
org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
     at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
     at 
org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
     at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
     at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
     at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is 
set, but no local certificates were negotiated.  Is the server set to 
ask for client authorization?
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
     at 
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
     ... 154 more
Caused by: 
org.apache.cxf.transport.http.UntrustedURLConnectionIOException: 
RequireClientCertificate is set, but no local certificates were 
negotiated.  Is the server set to ask for client authorization?
     at 
org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
     at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
     at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
     at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
     at 
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
     at 
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
     at 
org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
     at 
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
     at 
com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
     ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in 
retrieving a token

On 23/10/2017 19:41, Matthew Broadhead wrote:
> Thanks for your help Colm.  I now have it working using the production 
> certificate by following this example 
> https://stackoverflow.com/a/2141229/3052312 to export the pems into 
> jks files.
>
> but in the end i also had to copy idp-ssl-key.jks and 
> idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having 
> them in catalina base.  this seems impractical in production as the 
> certificates get reissued every 6 months.  is it possible for 
> sec:keyStore to define the resource as being in catalina base?
>
> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>> sec:certStore that works with PEM files, but only for TrustStores I 
>> think.
>> As a workaround you can just use the Java keytool command to import your
>> PEM key/cert into a JKS keystore.
>>
>>> this document
>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>
>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>> version is on github:
>>
>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html 
>>
>>
>> Colm.
>>
>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>> instead of a java keystore?  where is the documentation for
>>> sec:keyStore?
>>>
>>> Matt
>>>
>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>
>>>> I haven't used the APR connector. The following works for me in the tests,
>>>> perhaps you could duplicate this config and get it working first before
>>>> switching over to the APR connector:
>>>>
>>>>    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>               clientAuth="want" sslProtocol="TLS"
>>>>               keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>               truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>
>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>> communicate with the STS from the IdP. The truststore should contain the
>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>> private key of your IdP.
>>>>
>>>> Colm.
>>>>
>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>> problem
>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>     <SSLHostConfig clientVerification="required">
>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>                      type="RSA" />
>>>>>     </SSLHostConfig>
>>>>> </Connector>
>>>>>
>>>>> I commented the trustManagers and keyManagers in
>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>> How would I use production certificates?
>>>>> <http:conduit name="*.http-conduit">
>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>         <!-- <sec:trustManagers>
>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>         </sec:trustManagers>
>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>         </sec:keyManagers> -->
>>>>>     </http:tlsClientParameters>
>>>>> </http:conduit>
>>>>>
>>>>>
>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>
>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>> but now i have this
>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>> has
>>>>>> thrown exception, unwinding now
>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>> stream: RequireClientCertificate is set, but no local 
>>>>>> certificates were
>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>       at 
>>>>>> org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>       at 
>>>>>> org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>       at 
>>>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>>>>> InterceptorChain.java:308)
>>>>>>       at 
>>>>>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:
>>>>>> 518)
>>>>>>       ...
>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: 
>>>>>> RequireClientCertificate
>>>>>> is
>>>>>> set, but no local certificates were negotiated.  Is the server 
>>>>>> set to
>>>>>> ask
>>>>>> for client authorization?
>>>>>>       at 
>>>>>> com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java
>>>>>> :255)
>>>>>>       at 
>>>>>> org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>       ... 154 more
>>>>>> Caused by: 
>>>>>> org.apache.cxf.transport.http.UntrustedURLConnectionIOExcept
>>>>>> ion:
>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>       at 
>>>>>> org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>       at 
>>>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>       at 
>>>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>       ...
>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>> retrieving a token
>>>>>>
>>>>>>
>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>
>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator 
>>>>>>> - No
>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'CLAIM_LIST' not found
>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'IDP_READ' not found
>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'IDP_LIST' not found
>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'CLAIM_READ' not found
>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'APPLICATION_READ' not found
>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>>> horityEntitlements
>>>>>>> - Enriched AuthenticationToken added
>>>>>>>
>>>>>>> the previous one was caused by
>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>> should have been
>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>> according to original file
>>>>>>>
>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>
>>>>>>> Hi Colm,
>>>>>>>> Yes I have:
>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>> ...
>>>>>>>>     <property name="applications">
>>>>>>>>         <util:list>
>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>         </util:list>
>>>>>>>>     </property>
>>>>>>>> ...
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>     <property name="optional" value="false" />
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> etc.
>>>>>>>>
>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>> Do you have an
>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>> instance in
>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>> realm
>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>>>> trying to
>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>>>> correctly redirects to the login page and seems to 
>>>>>>>>>> authenticate ok
>>>>>>>>>>
>>>>>>>>>> but then i get the following error
>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - 
>>>>>>>>>> Token
>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully 
>>>>>>>>>> cached.
>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  
>>>>>>>>>> -
>>>>>>>>>> No
>>>>>>>>>> service config found for 
>>>>>>>>>> urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>
>>>>>>>>>> Matthew
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>
>


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Thanks for your help, Colm.  I now have it working using the production 
certificate by following this example 
https://stackoverflow.com/a/2141229/3052312 to export the PEMs into JKS 
files.

But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks 
into webapps/idp/WEB-INF/classes as well as having them in catalina 
base.  This seems impractical in production as the certificates get 
reissued every 6 months.  Is it possible for sec:keyStore to define the 
resource as being in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
> sec:certStore that works with PEM files, but only for TrustStores I think.
> As a workaround you can just use the Java keytool command to import your
> PEM key/cert into a JKS keystore.
>
>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/sample
> keys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no
> idp-ssl-key.jks.
>
> SVN is not used any more by CXF or Fediz, that page is old. The correct
> version is on github:
>
> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>
> Colm.
>
> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Hi Colm,
>>
>> Is there any way for sec:keyStore to be pointed at a PEM certificate
>> instead of a Java keystore?  Where is the documentation for sec:keyStore?
>>
>> Matt
>>
>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>
>>> I haven't used the APR connector. The following works for me in the tests,
>>> perhaps you could duplicate this config and get it working first before
>>> switching over to the APR connector:
>>>
>>>    <Connector port="9443"
>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>> truststorePass="ispass" />
>>>
>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>> communicate with the STS from the IdP. The truststore should contain the
>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>> private key of your IdP.
>>>
>>> Colm.
>>>
>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>> problem
>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>            maxThreads="150" SSLEnabled="true">
>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>     <SSLHostConfig clientVerification="required">
>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>                      type="RSA" />
>>>>     </SSLHostConfig>
>>>> </Connector>
>>>>
>>>> I commented the trustManagers and keyManagers in
>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>> How would I use production certificates?
>>>> <http:conduit name="*.http-conduit">
>>>>           <http:tlsClientParameters
>>>>               disableCNCheck="true">
>>>>               <!-- <sec:trustManagers>
>>>>                   <sec:keyStore type="jks" password="ispass"
>>>> resource="idp-ssl-trust.jks" />
>>>>               </sec:trustManagers>
>>>>               <sec:keyManagers keyPassword="tompass">
>>>>                   <sec:keyStore type="jks" password="tompass"
>>>> resource="idp-ssl-key.jks"/>
>>>>               </sec:keyManagers> -->
>>>>           </http:tlsClientParameters>
>>>>       </http:conduit>
>>>>
>>>>
>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>
>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>> but now i have this
>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>> has
>>>>> thrown exception, unwinding now
>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>>>> InterceptorChain.java:308)
>>>>>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:
>>>>> 518)
>>>>>       ...
>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate
>>>>> is
>>>>> set, but no local certificates were negotiated.  Is the server set to
>>>>> ask
>>>>> for client authorization?
>>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java
>>>>> :255)
>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>       ... 154 more
>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOExcept
>>>>> ion:
>>>>> RequireClientCertificate is set, but no local certificates were
>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>       ...
>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>>> retrieving a token
>>>>>
>>>>>
>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>
>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'CLAIM_LIST' not found
>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'IDP_READ' not found
>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'IDP_LIST' not found
>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'CLAIM_READ' not found
>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'APPLICATION_LIST' not found
>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'APPLICATION_READ' not found
>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>>> horityEntitlements
>>>>>> - Enriched AuthenticationToken added
>>>>>>
>>>>>> the previous one was caused by
>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>> should have been
>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>> according to original file
>>>>>>
>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>
>>>>>> Hi Colm,
>>>>>>> Yes I have:
>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>> ...
>>>>>>>     <property name="applications">
>>>>>>>         <util:list>
>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>         </util:list>
>>>>>>>     </property>
>>>>>>> ...
>>>>>>> </bean>
>>>>>>>
>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>> </bean>
>>>>>>>
>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>     <property name="optional" value="false" />
>>>>>>> </bean>
>>>>>>>
>>>>>>> etc.
>>>>>>>
>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>> Do you have an
>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>> instance in
>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>> realm
>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>>> trying to
>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>
>>>>>>>>> but then i get the following error
>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  -
>>>>>>>>> No
>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>
>>>>>>>>> Matthew
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>
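
The two sides of the IdP-to-STS hop this thread is debugging, as an added example; it is not a copy of anyone's configuration in the thread or of the Fediz sample files, and every path, alias and password in it is a placeholder. The "RequireClientCertificate is set, but no local certificates were negotiated" failure quoted above is raised by the IdP's own STS client: the STS policy asks for a client certificate, and with keyManagers commented out in cxf-tls.xml the conduit has none to present, which is the gap Colm's reply points at. Two details a practitioner would check first. On the Tomcat side, the attribute that Tomcat 8.5 and 9 understand on SSLHostConfig is certificateVerification (none, optional, optionalNoCA, required), with optional being the counterpart of clientAuth="want" in Colm's NIO connector; Tomcat logs a "did not find a matching property" warning at startup for an attribute name it does not recognise, so a setting that appears to have no effect is worth checking against catalina.out. optional rather than required is used because the same connector serves browser users of the IdP login page, who present no client certificate. On the CXF side, sec:keyStore accepts file (a filesystem path) as well as resource (a classpath entry), so the stores can live outside the WAR and be replaced when the certificate is reissued without touching WEB-INF/classes. disableCNCheck is left at its default so the STS hostname is verified against the production certificate.

```xml
<!-- server.xml on the Tomcat that hosts the IdP and the STS (APR/OpenSSL
     connector as in the thread).  Placeholder paths; the CA file is an
     assumption about where the client-certificate issuer is kept. -->
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <!-- certificateVerification, not clientVerification: "optional" asks for a
         client certificate and verifies one if offered (clientAuth="want" in
         the NIO syntax); "required" would also lock browsers out of /idp. -->
    <SSLHostConfig certificateVerification="optional"
                   caCertificateFile="/etc/pki/fediz/idp-client-issuer.pem">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- cxf-tls.xml inside the IdP webapp: the client side of the same hop.
     keyManagers supplies the certificate the STS policy asks for; without it
     the conduit fails with "RequireClientCertificate is set, but no local
     certificates were negotiated".  file= is a filesystem path, so the stores
     can sit outside the WAR (here under a placeholder directory). -->
<http:conduit name="*.http-conduit">
    <!-- no disableCNCheck: the STS hostname is checked against its certificate -->
    <http:tlsClientParameters>
        <sec:trustManagers>
            <!-- issuer of the STS's server certificate (the Let's Encrypt chain here) -->
            <sec:keyStore type="pkcs12" password="ispass"
                          file="/opt/tomcat/conf/fediz/idp-ssl-trust.p12" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <!-- the IdP's own private key and certificate -->
            <sec:keyStore type="pkcs12" password="tompass"
                          file="/opt/tomcat/conf/fediz/idp-ssl-key.p12" />
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>
```

What goes into caCertificateFile decides who may call the STS: anything chaining to it passes the TLS handshake, so if the IdP reuses its public Let's Encrypt certificate as its client credential, every certificate from that CA is accepted at the TLS layer. A dedicated client key for the IdP issued by a private CA, with only that CA in the trust file, keeps the trust decision narrow.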


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
sec:keyStore supports either JKS or PKCS12 keystores. There is also a
sec:certStore that works with PEM files, but only for TrustStores I think.
As a workaround you can just use the Java keytool command to import your
PEM key/cert into a JKS keystore.

> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/sample
keys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no
idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct
version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Hi Colm,
>
> Is there any way for sec:keyStore to be pointed at a PEM certificate
> instead of a Java keystore?  Where is the documentation for sec:keyStore?
>
> Matt
>
> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>
>> I haven't used the APR connector. The following works for me in the tests,
>> perhaps you could duplicate this config and get it working first before
>> switching over to the APR connector:
>>
>>   <Connector port="9443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>> truststorePass="ispass" />
>>
>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>> communicate with the STS from the IdP. The truststore should contain the
>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>> private key of your IdP.
>>
>> Colm.
>>
>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>> clientVerification="required" to SSLHostConfig but I still have the same
>>> problem
>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            maxThreads="150" SSLEnabled="true">
>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>     <SSLHostConfig clientVerification="required">
>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>                      type="RSA" />
>>>     </SSLHostConfig>
>>> </Connector>
>>>
>>> I commented the trustManagers and keyManagers in
>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>> How would I use production certificates?
>>> <http:conduit name="*.http-conduit">
>>>          <http:tlsClientParameters
>>>              disableCNCheck="true">
>>>              <!-- <sec:trustManagers>
>>>                  <sec:keyStore type="jks" password="ispass"
>>> resource="idp-ssl-trust.jks" />
>>>              </sec:trustManagers>
>>>              <sec:keyManagers keyPassword="tompass">
>>>                  <sec:keyStore type="jks" password="tompass"
>>> resource="idp-ssl-key.jks"/>
>>>              </sec:keyManagers> -->
>>>          </http:tlsClientParameters>
>>>      </http:conduit>
>>>
>>>
>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>
>>> ok...i fixed the last error by dropping the schema and restarting.
>>>> but now i have this
>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>> has
>>>> thrown exception, unwinding now
>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>> negotiated.  Is the server set to ask for client authorization?
>>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>>> InterceptorChain.java:308)
>>>>      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:
>>>> 518)
>>>>      ...
>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate
>>>> is
>>>> set, but no local certificates were negotiated.  Is the server set to
>>>> ask
>>>> for client authorization?
>>>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java
>>>> :255)
>>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>      ... 154 more
>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOExcept
>>>> ion:
>>>> RequireClientCertificate is set, but no local certificates were
>>>> negotiated.  Is the server set to ask for client authorization?
>>>>      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>>> ttpsTokenInterceptorProvider.java:143)
>>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>      ...
>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>>> retrieving a token
>>>>
>>>>
>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>
>>>> ok i now have a different error and it doesn't load the login screen
>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'CLAIM_LIST' not found
>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'IDP_READ' not found
>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'IDP_LIST' not found
>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'CLAIM_READ' not found
>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'APPLICATION_LIST' not found
>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'APPLICATION_READ' not found
>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Role 'TRUSTEDIDP_READ' not found
>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>>>>> horityEntitlements
>>>>> - Enriched AuthenticationToken added
>>>>>
>>>>> the previous one was caused by
>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>> should have been
>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>> according to original file
>>>>>
>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>
>>>>> Hi Colm,
>>>>>>
>>>>>> Yes I have:
>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>> ...
>>>>>>     <property name="applications">
>>>>>>         <util:list>
>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>         </util:list>
>>>>>>     </property>
>>>>>> ...
>>>>>> </bean>
>>>>>>
>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>> </bean>
>>>>>>
>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>     <property name="optional" value="false" />
>>>>>> </bean>
>>>>>>
>>>>>> etc.
>>>>>>
>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>> Do you have an
>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>> instance in
>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>> realm
>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>>> trying to
>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>
>>>>>>>> but then i get the following error
>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  -
>>>>>>>> No
>>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>
>>>>>>>> Matthew
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hi Colm,

Is there any way for sec:keyStore to be pointed at a PEM certificate 
instead of a Java keystore? Where is the documentation for sec:keyStore?

Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
> I haven't used the APR connector. The following works for me in the tests,
> perhaps you could duplicate this config and get it working first before
> switching over to the APR connector:
>
>   <Connector port="9443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
> truststorePass="ispass" />
>
> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
> communicate with the STS from the IdP. The truststore should contain the
> issuing cert of the Tomcat instance hosting your STS + then keystore the
> private key of your IdP.
>
> Colm.
>
> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> i am using my own certificate with APR in the tomcat server.xml.  I added
>> clientVerification="required" to SSLHostConfig but I still have the same
>> problem
>> <Connector port="9443" protocol="org.apache.coyote.ht
>> tp11.Http11AprProtocol"
>>                 maxThreads="150" SSLEnabled="true">
>>          <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
>> />
>>          <SSLHostConfig clientVerification="required">
>>              <Certificate certificateKeyFile="/etc/letse
>> ncrypt/live/domain.tld/privkey.pem"
>> certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>> certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>                           type="RSA" />
>>          </SSLHostConfig>
>>      </Connector>
>>
>> I commented the trustManagers and keyManagers in
>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>> How would I use production certificates?
>> <http:conduit name="*.http-conduit">
>>          <http:tlsClientParameters
>>              disableCNCheck="true">
>>              <!-- <sec:trustManagers>
>>                  <sec:keyStore type="jks" password="ispass"
>> resource="idp-ssl-trust.jks" />
>>              </sec:trustManagers>
>>              <sec:keyManagers keyPassword="tompass">
>>                  <sec:keyStore type="jks" password="tompass"
>> resource="idp-ssl-key.jks"/>
>>              </sec:keyManagers> -->
>>          </http:tlsClientParameters>
>>      </http:conduit>
>>
>>
>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>
>>> ok...i fixed the last error by dropping the schema and restarting.
>>> but now i have this
>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>>> thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>> stream: RequireClientCertificate is set, but no local certificates were
>>> negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>> InterceptorChain.java:308)
>>>      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>      ...
>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>> set, but no local certificates were negotiated.  Is the server set to ask
>>> for client authorization?
>>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>      ... 154 more
>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>> RequireClientCertificate is set, but no local certificates were
>>> negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>>> ttpsTokenInterceptorProvider.java:143)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>      ...
>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>> retrieving a token
>>>
>>>
>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>
>>>> ok i now have a different error and it doesn't load the login screen
>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'CLAIM_LIST' not found
>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'IDP_READ' not found
>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'IDP_LIST' not found
>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'TRUSTEDIDP_LIST' not found
>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'CLAIM_READ' not found
>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'APPLICATION_LIST' not found
>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'APPLICATION_READ' not found
>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Role 'TRUSTEDIDP_READ' not found
>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>>> - Enriched AuthenticationToken added
>>>>
>>>> the previous one was caused by
>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>> <property name="stsUrl" value="https://domain.tld:9443
>>>> /idp-sts/REALMMYREALM" />
>>>> should have been
>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM"
>>>> />
>>>> according to original file
>>>>
>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> Yes I have:
>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.se
>>>>> rvice.idp.service.jpa.IdpEntity">
>>>>> ...
>>>>>          <property name="applications">
>>>>>              <util:list>
>>>>>                  <ref bean="srv-fedizhelloworld" />
>>>>>          <!-- <ref bean="srv-oidc" /> -->
>>>>>              </util:list>
>>>>>          </property>
>>>>> ...
>>>>> </bean>
>>>>>
>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.se
>>>>> rvice.idp.service.jpa.ApplicationEntity">
>>>>>          <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld"
>>>>> />
>>>>>          <property name="protocol" value="http://docs.oasis-open.
>>>>> org/wsfed/federation/200706" />
>>>>>          <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>          <property name="serviceDescription" value="Web Application to
>>>>> illustrate WS-Federation" />
>>>>>          <property name="role" value="ApplicationServiceType" />
>>>>>          <property name="tokenType" value="http://docs.oasis-open.
>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>          <property name="lifeTime" value="3600" />
>>>>>          <property name="passiveRequestorEndpointConstraint"
>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>          <property name="logoutEndpointConstraint"
>>>>> value="https://localhost:?(\d)*/.*" />
>>>>> </bean>
>>>>>
>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.Applicat
>>>>> ionClaimEntity">
>>>>>          <property name="application" ref="srv-fedizhelloworld" />
>>>>>          <property name="claim" ref="claim_role" />
>>>>>          <property name="optional" value="false" />
>>>>> </bean>
>>>>>
>>>>> etc.
>>>>>
>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Do you have an
>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>> instance in
>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>>> trying to
>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>
>>>>>>> but then i get the following error
>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>
>>>>>>> Matthew
>>>>>>>
>>>>>>>
>>>>>>
>


Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
I haven't used the APR connector. The following works for me in the tests;
perhaps you could duplicate this config and get it working first before
switching over to the APR connector:

<Connector port="9443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
           truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes, you will need to specify the truststore and keystore in cxf-tls.xml to
communicate with the STS from the IdP. The truststore should contain the
issuing cert of the Tomcat instance hosting your STS, and the keystore the
private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> i am using my own certificate with APR in the tomcat server.xml.  I added
> clientVerification="required" to SSLHostConfig but I still have the same
> problem
> <Connector port="9443" protocol="org.apache.coyote.ht
> tp11.Http11AprProtocol"
>                maxThreads="150" SSLEnabled="true">
>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> />
>         <SSLHostConfig clientVerification="required">
>             <Certificate certificateKeyFile="/etc/letse
> ncrypt/live/domain.tld/privkey.pem"
> certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
> certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> I commented the trustManagers and keyManagers in
> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
> How would I use production certificates?
> <http:conduit name="*.http-conduit">
>         <http:tlsClientParameters
>             disableCNCheck="true">
>             <!-- <sec:trustManagers>
>                 <sec:keyStore type="jks" password="ispass"
> resource="idp-ssl-trust.jks" />
>             </sec:trustManagers>
>             <sec:keyManagers keyPassword="tompass">
>                 <sec:keyStore type="jks" password="tompass"
> resource="idp-ssl-key.jks"/>
>             </sec:keyManagers> -->
>         </http:tlsClientParameters>
>     </http:conduit>
>
>
> On 22/10/2017 00:38, Matthew Broadhead wrote:
>
>> ok...i fixed the last error by dropping the schema and restarting.
>> but now i have this
>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>> thrown exception, unwinding now
>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>> stream: RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>> InterceptorChain.java:308)
>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>     ...
>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>> set, but no local certificates were negotiated.  Is the server set to ask
>> for client authorization?
>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>     ... 154 more
>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>> RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>> ttpsTokenInterceptorProvider.java:143)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.makeTrustDecision(HTTPConduit.java:1780)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>     ...
>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>> retrieving a token
>>
>>
>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>
>>> ok i now have a different error and it doesn't load the login screen
>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'CLAIM_LIST' not found
>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'IDP_READ' not found
>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'IDP_LIST' not found
>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'TRUSTEDIDP_LIST' not found
>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'CLAIM_READ' not found
>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'APPLICATION_LIST' not found
>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'APPLICATION_READ' not found
>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'TRUSTEDIDP_READ' not found
>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Enriched AuthenticationToken added
>>>
>>> the previous one was caused by
>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>> <property name="stsUrl" value="https://domain.tld:9443
>>> /idp-sts/REALMMYREALM" />
>>> should have been
>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM"
>>> />
>>> according to original file
>>>
>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> Yes I have:
>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.se
>>>> rvice.idp.service.jpa.IdpEntity">
>>>> ...
>>>>         <property name="applications">
>>>>             <util:list>
>>>>                 <ref bean="srv-fedizhelloworld" />
>>>>         <!-- <ref bean="srv-oidc" /> -->
>>>>             </util:list>
>>>>         </property>
>>>> ...
>>>> </bean>
>>>>
>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.se
>>>> rvice.idp.service.jpa.ApplicationEntity">
>>>>         <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld"
>>>> />
>>>>         <property name="protocol" value="http://docs.oasis-open.
>>>> org/wsfed/federation/200706" />
>>>>         <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>         <property name="serviceDescription" value="Web Application to
>>>> illustrate WS-Federation" />
>>>>         <property name="role" value="ApplicationServiceType" />
>>>>         <property name="tokenType" value="http://docs.oasis-open.
>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>         <property name="lifeTime" value="3600" />
>>>>         <property name="passiveRequestorEndpointConstraint"
>>>> value="https://localhost:?(\d)*/.*" />
>>>>         <property name="logoutEndpointConstraint"
>>>> value="https://localhost:?(\d)*/.*" />
>>>> </bean>
>>>>
>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.Applicat
>>>> ionClaimEntity">
>>>>         <property name="application" ref="srv-fedizhelloworld" />
>>>>         <property name="claim" ref="claim_role" />
>>>>         <property name="optional" value="false" />
>>>> </bean>
>>>>
>>>> etc.
>>>>
>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>
>>>>> Do you have an
>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>> instance in
>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>
>>>>> Hi,
>>>>>>
>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am
>>>>>> trying to
>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>
>>>>>> but then i get the following error
>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>
>>>>>> Matthew
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
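As an added example for this thread (not Fediz's or CXF's own code), here is a small linter for the cxf-tls.xml conduit Colm refers to. It parses the two `sec:` managers the IdP needs for the mutual-TLS call to the STS and reports what is missing; managers wrapped in an XML comment, as in the configuration posted above, vanish for the parser exactly as they do for CXF. The two XML samples are constructed from the snippet in the thread, the namespace URIs are the real CXF ones, and `lint_conduit` and the finding texts are my own.

```python
"""Lint the IdP's cxf-tls.xml conduit for the mutual-TLS call to the STS.

Added example for this thread, not Fediz or CXF code. The IdP reaches the STS
through a CXF http:conduit; when the STS side demands a client certificate
(the RequireClientCertificate error in the thread), the conduit needs
<sec:keyManagers> holding the IdP's private key and <sec:trustManagers>
holding the issuer of the STS's Tomcat certificate.
"""
import xml.etree.ElementTree as ET
from typing import List

# Real namespace URIs behind the http: and sec: prefixes used in cxf-tls.xml.
NS = {
    "http": "http://cxf.apache.org/transports/http/configuration",
    "sec": "http://cxf.apache.org/configuration/security",
}

# Constructed from the conduit posted in the thread: both managers commented out.
BROKEN_CONDUIT = """\
<beans xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <!-- <sec:trustManagers>
             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks"/>
           </sec:trustManagers>
           <sec:keyManagers keyPassword="tompass">
             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
           </sec:keyManagers> -->
    </http:tlsClientParameters>
  </http:conduit>
</beans>
"""

# Constructed corrected form: both managers active, hostname verification left on.
FIXED_CONDUIT = """\
<beans xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters>
      <sec:trustManagers>
        <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks"/>
      </sec:trustManagers>
      <sec:keyManagers keyPassword="tompass">
        <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
      </sec:keyManagers>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
"""

# What each missing manager means for the IdP -> STS call (wording is mine).
MISSING = {
    "keyManagers": "no sec:keyManagers keyStore: the IdP presents no client "
                   "certificate, so an STS that requires one fails with "
                   "'no local certificates were negotiated'",
    "trustManagers": "no sec:trustManagers keyStore: the issuer of the STS's "
                     "Tomcat certificate is not pinned here",
}


def _keystore_location(store: ET.Element) -> str:
    """Return the file/resource/url the keyStore points at, or '' if none."""
    for attr in ("file", "resource", "url"):
        value = store.get(attr)
        if value:
            return value
    return ""


def lint_conduit(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the conduit looks complete."""
    root = ET.fromstring(xml_text)  # XML comments are dropped here, as CXF drops them
    findings: List[str] = []
    conduits = root.findall(".//http:conduit", NS)
    if not conduits:
        return ["no http:conduit element found"]
    for conduit in conduits:
        name = conduit.get("name", "<unnamed>")
        tls = conduit.find("http:tlsClientParameters", NS)
        if tls is None:
            findings.append(f"{name}: no tlsClientParameters, so no client key and no trust anchors")
            continue
        if tls.get("disableCNCheck", "false").lower() == "true":
            findings.append(f"{name}: disableCNCheck=true turns off hostname "
                            "verification of the STS certificate")
        for manager, message in MISSING.items():
            store = tls.find(f"sec:{manager}/sec:keyStore", NS)
            if store is None:
                findings.append(f"{name}: {message}")
            elif not _keystore_location(store):
                findings.append(f"{name}: sec:{manager} keyStore has no file/resource/url")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_CONDUIT), ("corrected", FIXED_CONDUIT)):
        print(f"--- {label} ---")
        for finding in lint_conduit(text) or ["ok"]:
            print(" ", finding)
```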

Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
I am using my own certificate with APR in the Tomcat server.xml. I 
added clientVerification="required" to SSLHostConfig but I still have 
the same problem:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented out the trustManagers and keyManagers in 
services/idp/src/main/resources/cxf-tls.xml. Could this be the 
problem? How would I use production certificates?

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>

On 22/10/2017 00:38, Matthew Broadhead wrote:
> ok...i fixed the last error by dropping the schema and restarting.
> but now i have this
> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN 
> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for 
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue 
> has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to 
> stream: RequireClientCertificate is set, but no local certificates 
> were negotiated.  Is the server set to ask for client authorization?
>     at 
> org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>     at 
> org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>     at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>     ...
> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate 
> is set, but no local certificates were negotiated.  Is the server set 
> to ask for client authorization?
>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>     at 
> org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>     ... 154 more
> Caused by: 
> org.apache.cxf.transport.http.UntrustedURLConnectionIOException: 
> RequireClientCertificate is set, but no local certificates were 
> negotiated.  Is the server set to ask for client authorization?
>     at 
> org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>     at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>     at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>     ...
> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR 
> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in 
> retrieving a token
>
>
> On 20/10/2017 23:05, Matthew Broadhead wrote:
>> ok i now have a different error and it doesn't load the login screen
>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN 
>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No 
>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'CLAIM_LIST' not found
>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'IDP_READ' not found
>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'IDP_LIST' not found
>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'TRUSTEDIDP_LIST' not found
>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'CLAIM_READ' not found
>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'APPLICATION_LIST' not found
>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'APPLICATION_READ' not found
>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Role 'TRUSTEDIDP_READ' not found
>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO 
>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
>> - Enriched AuthenticationToken added
>>
>> the previous one was caused by
>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>> <property name="stsUrl" 
>> value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>> should have been
>> <property name="stsUrl" 
>> value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>> according to original file
>>
>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>> Hi Colm,
>>>
>>> Yes I have:
>>> <bean id="idp-realmXYZ" 
>>> class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>> ...
>>>         <property name="applications">
>>>             <util:list>
>>>                 <ref bean="srv-fedizhelloworld" />
>>>         <!-- <ref bean="srv-oidc" /> -->
>>>             </util:list>
>>>         </property>
>>> ...
>>> </bean>
>>>
>>> <bean id="srv-fedizhelloworld" 
>>> class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>         <property name="realm" 
>>> value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>         <property name="protocol" 
>>> value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>         <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>         <property name="serviceDescription" value="Web Application 
>>> to illustrate WS-Federation" />
>>>         <property name="role" value="ApplicationServiceType" />
>>>         <property name="tokenType" 
>>> value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" 
>>> />
>>>         <property name="lifeTime" value="3600" />
>>>         <property name="passiveRequestorEndpointConstraint" 
>>> value="https://localhost:?(\d)*/.*" />
>>>         <property name="logoutEndpointConstraint" 
>>> value="https://localhost:?(\d)*/.*" />
>>> </bean>
>>>
>>> <bean 
>>> class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>         <property name="application" ref="srv-fedizhelloworld" />
>>>         <property name="claim" ref="claim_role" />
>>>         <property name="optional" value="false" />
>>> </bean>
>>>
>>> etc.
>>>
>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>> Do you have an
>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity 
>>>> instance in
>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>
>>>> Colm.
>>>>
>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am 
>>>>> trying to
>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>
>>>>> but then i get the following error
>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>
>>>>> Matthew
>>>>>
>>>>
>>>>
>>>
>>
>


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
OK... I fixed the last error by dropping the schema and restarting,
but now I have this:

2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
     ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
     ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
     ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token


On 20/10/2017 23:05, Matthew Broadhead wrote:
> ok i now have a different error and it doesn't load the login screen
> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN 
> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No 
> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'CLAIM_LIST' not found
> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'IDP_READ' not found
> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'IDP_LIST' not found
> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'TRUSTEDIDP_LIST' not found
> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'CLAIM_READ' not found
> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'APPLICATION_LIST' not found
> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'APPLICATION_READ' not found
> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Role 'TRUSTEDIDP_READ' not found
> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO 
> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
> - Enriched AuthenticationToken added
>
> The previous one was caused by
> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:
> <property name="stsUrl" 
> value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
> should have been
> <property name="stsUrl" 
> value="https://domain.tld:0/idp-sts/REALMMYREALM" />
> according to the original file.
>
> On 20/10/2017 18:27, Matthew Broadhead wrote:
>> Hi Colm,
>>
>> Yes I have:
>> <bean id="idp-realmXYZ" 
>> class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>> ...
>>         <property name="applications">
>>             <util:list>
>>                 <ref bean="srv-fedizhelloworld" />
>>         <!-- <ref bean="srv-oidc" /> -->
>>             </util:list>
>>         </property>
>> ...
>> </bean>
>>
>> <bean id="srv-fedizhelloworld" 
>> class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>         <property name="realm" 
>> value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>         <property name="protocol" 
>> value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>         <property name="serviceDisplayName" value="Fedizhelloworld" />
>>         <property name="serviceDescription" value="Web Application to 
>> illustrate WS-Federation" />
>>         <property name="role" value="ApplicationServiceType" />
>>         <property name="tokenType" 
>> value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" 
>> />
>>         <property name="lifeTime" value="3600" />
>>         <property name="passiveRequestorEndpointConstraint" 
>> value="https://localhost:?(\d)*/.*" />
>>         <property name="logoutEndpointConstraint" 
>> value="https://localhost:?(\d)*/.*" />
>> </bean>
>>
>> <bean 
>> class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>         <property name="application" ref="srv-fedizhelloworld" />
>>         <property name="claim" ref="claim_role" />
>>         <property name="optional" value="false" />
>> </bean>
>>
>> etc.
>>
>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>> Do you have an
>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity 
>>> instance in
>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>
>>> Colm.
>>>
>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am 
>>>> trying to
>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. It
>>>> correctly redirects to the login page and seems to authenticate OK.
>>>>
>>>> But then I get the following error:
>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token
>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>
>>>> Matthew
>>>>
>>>
>>>
>>
>


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
OK, I now have a different error and it doesn't load the login screen.
2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN 
org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No 
service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO 
org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements 
- Enriched AuthenticationToken added

The previous one was caused by
services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:
<property name="stsUrl" 
value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
should have been
<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
according to the original file.

On 20/10/2017 18:27, Matthew Broadhead wrote:
> Hi Colm,
>
> Yes I have:
> <bean id="idp-realmXYZ" 
> class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
> ...
>         <property name="applications">
>             <util:list>
>                 <ref bean="srv-fedizhelloworld" />
>         <!-- <ref bean="srv-oidc" /> -->
>             </util:list>
>         </property>
> ...
> </bean>
>
> <bean id="srv-fedizhelloworld" 
> class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>         <property name="realm" 
> value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>         <property name="protocol" 
> value="http://docs.oasis-open.org/wsfed/federation/200706" />
>         <property name="serviceDisplayName" value="Fedizhelloworld" />
>         <property name="serviceDescription" value="Web Application to 
> illustrate WS-Federation" />
>         <property name="role" value="ApplicationServiceType" />
>         <property name="tokenType" 
> value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" 
> />
>         <property name="lifeTime" value="3600" />
>         <property name="passiveRequestorEndpointConstraint" 
> value="https://localhost:?(\d)*/.*" />
>         <property name="logoutEndpointConstraint" 
> value="https://localhost:?(\d)*/.*" />
> </bean>
>
> <bean 
> class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>         <property name="application" ref="srv-fedizhelloworld" />
>         <property name="claim" ref="claim_role" />
>         <property name="optional" value="false" />
> </bean>
>
> etc.
>
> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>> Do you have an
>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity 
>> instance in
>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>
>> Colm.
>>
>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi,
>>>
>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am 
>>> trying to
>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. It
>>> correctly redirects to the login page and seems to authenticate OK.
>>>
>>> But then I get the following error:
>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token
>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>
>>> Matthew
>>>
>>
>>
>


Re: fediz production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Hi Colm,

Yes I have:
<bean id="idp-realmXYZ" 
class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
...
         <property name="applications">
             <util:list>
                 <ref bean="srv-fedizhelloworld" />
         <!-- <ref bean="srv-oidc" /> -->
             </util:list>
         </property>
...
</bean>

<bean id="srv-fedizhelloworld" 
class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
         <property name="realm" 
value="urn:org:apache:cxf:fediz:fedizhelloworld" />
         <property name="protocol" 
value="http://docs.oasis-open.org/wsfed/federation/200706" />
         <property name="serviceDisplayName" value="Fedizhelloworld" />
         <property name="serviceDescription" value="Web Application to 
illustrate WS-Federation" />
         <property name="role" value="ApplicationServiceType" />
         <property name="tokenType" 
value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" 
/>
         <property name="lifeTime" value="3600" />
         <property name="passiveRequestorEndpointConstraint" 
value="https://localhost:?(\d)*/.*" />
         <property name="logoutEndpointConstraint" 
value="https://localhost:?(\d)*/.*" />
</bean>

<bean 
class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
         <property name="application" ref="srv-fedizhelloworld" />
         <property name="claim" ref="claim_role" />
         <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
> Do you have an
> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>
> Colm.
>
> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> Hi,
>>
>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It
>> correctly redirects to the login page and seems to authenticate OK.
>>
>> But then I get the following error:
>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token
>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>
>> Matthew
>>
>
>

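A check of the IdP's entities XML against a sign-in request, added here as an example (it is not from the thread or from Fediz itself): it looks for the requested wtrealm among the ApplicationEntity beans that the IdpEntity's applications list references, which is what the "No service config found" warning reports missing, and then tests the wreply against that application's passiveRequestorEndpointConstraint. The XML fragment and the IdpEntity realm value are constructed for the example, and full-match semantics for the constraint regex is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SPRING_NS = "http://www.springframework.org/schema/beans"

# Constructed fragment in the shape of the entities XML posted above; the IdpEntity realm is assumed.
SAMPLE_ENTITIES_XML = r"""<beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util">
  <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
    <property name="applications">
      <util:list>
        <ref bean="srv-fedizhelloworld" />
      </util:list>
    </property>
  </bean>
  <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
  </bean>
</beans>"""


def _beans(root, class_suffix):
    """Yield <bean> elements whose class attribute ends with class_suffix."""
    for bean in root.iter(f"{{{SPRING_NS}}}bean"):
        if bean.get("class", "").endswith(class_suffix):
            yield bean


def _properties(bean):
    """Map property name -> value attribute for one bean (None when it uses ref)."""
    return {p.get("name"): p.get("value") for p in bean.findall(f"{{{SPRING_NS}}}property")}


def validate_signin(xml_text, wtrealm, wreply):
    """Re-run the IdP's two lookups for a passive sign-in; returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    # Bean ids wired into an IdpEntity's 'applications' list are the only ones the IdP serves
    registered = set()
    for idp in _beans(root, ".IdpEntity"):
        for prop in idp.findall(f"{{{SPRING_NS}}}property"):
            if prop.get("name") == "applications":
                registered.update(r.get("bean") for r in prop.iter(f"{{{SPRING_NS}}}ref"))
    # Pick the registered application whose realm equals the requested wtrealm
    app = next((_properties(b) for b in _beans(root, ".ApplicationEntity")
                if b.get("id") in registered and _properties(b).get("realm") == wtrealm), None)
    if app is None:
        return False, f"No service config found for {wtrealm}"
    constraint = app.get("passiveRequestorEndpointConstraint") or ""
    if not re.fullmatch(constraint, wreply):  # full match assumed, so a stray host cannot receive the token
        return False, f"wreply {wreply} does not match constraint {constraint!r}"
    return True, "ok"
```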

Re: fediz production

Posted by Colm O hEigeartaigh <co...@apache.org>.
Do you have an
org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
"urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> Hi,
>
> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  It
> correctly redirects to the login page and seems to authenticate OK.
>
> But then I get the following error:
> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken  - Token
> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>
> Matthew
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com