Posted to users@cxf.apache.org by Ioannis Samartzis <io...@gmail.com> on 2014/09/16 20:31:00 UTC

Use Fediz with LDAP

Hello.

I have been using Apache CXF Fediz for some time now and I have managed to
get the examples working
and authorize sample users with the file implementation. Now I want to use
the LDAP implementation.
So I have an LDAP server with a Users OU that holds all my sample users
(POSIX accounts: bob, alice, etc.).
I have followed all the instructions from
https://cxf.apache.org/fediz-idp-11.html, but when I start
my servers (IDP/STS + RP) on localhost it prompts for authentication but
never accepts my users.
I have also removed RealmB, as I didn't need it as per instructions here
<http://cxf.547215.n5.nabble.com/Question-about-CXF-Fediz-1-1-0-and-certificates-td5737010.html>

In https://localhost:9443/fediz-idp-sts I see the 2 WSDLs here
1)https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
2)https://localhost:9443/fediz-idp-sts/STSServiceTransportUT?wsdl

1) Do you have any idea what could be wrong?
2) I am not sure whether I should give the LdapContextSource an admin account or a normal user account.

Thanks a lot in advance!
Ioannis Samartzis

Here are some files and logs that could be helpful:

*jaas.config*

MyLDAP {
>  com.sun.security.auth.module.LdapLoginModule REQUIRED
>  userProvider="ldap://localhost:389/OU=Users,DC=ldap,DC=fediz"
>  authIdentity="cn={USERNAME},OU=Users,DC=ldap,DC=fediz"
>  useSSL=false
>  debug=true;
> };
>

* ldap.xml*

<?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="
> http://www.springframework.org/schema/util"
>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>     xsi:schemaLocation="
>         http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>         http://www.springframework.org/schema/util
>         http://www.springframework.org/schema/util/spring-util-2.0.xsd
>         http://cxf.apache.org/jaxws
>         http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <util:list id="claimHandlerList">
>         <ref bean="userClaimsHandler" />
>         <ref bean="groupClaimsHandler" />
>     </util:list>
>
>     <bean id="contextSource"
> class="org.springframework.ldap.core.support.LdapContextSource">
>         <property name="url" value="ldap://localhost:389/" />
>         <property name="userDn" value="cn=admin,dc=ldap,dc=fediz" />
>         <property name="password" value="myPass" />
>     </bean>
>
>     <bean id="ldapTemplate"
> class="org.springframework.ldap.core.LdapTemplate">
>         <constructor-arg ref="contextSource" />
>     </bean>
>
>     <util:map id="claimsToLdapAttributeMapping">
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
>             value="givenName" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
>             value="sn" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>             value="mail" />
>     <!--    <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
>             value="c" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode"
>             value="postalCode" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"
>             value="postalAddress" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"
>             value="town" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince"
>             value="st" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"
>             value="gender" />
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"
>             value="dateofbirth" />
>             -->
>         <entry key="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
>             value="member" />
>     </util:map>
>
>     <bean id="userClaimsHandler"
> class="org.apache.cxf.sts.claims.LdapClaimsHandler">
>         <property name="ldapTemplate" ref="ldapTemplate" />
>         <property name="claimsLdapAttributeMapping"
> ref="claimsToLdapAttributeMapping" />
>         <property name="userBaseDN" value="ou=Users,dc=ldap,dc=fediz" />
>         <property name="userNameAttribute" value="uid" />
>     </bean>
>
>     <util:map id="appliesToScopeMapping">
>         <entry key="urn:org:apache:cxf:fediz:fedizhelloworld"
>             value="Example" />
>     </util:map>
>
>     <bean id="groupClaimsHandler"
> class="org.apache.cxf.sts.claims.LdapGroupClaimsHandler">
>         <property name="ldapTemplate" ref="ldapTemplate" />
>         <property name="userBaseDN" value="ou=Users,dc=ldap,dc=fediz" />
>         <property name="groupBaseDN" value="ou=groups,dc=fediz,dc=org"
> />
>         <property name="appliesToScopeMapping" ref="appliesToScopeMapping"
> />
>         <property name="userNameAttribute" value="uid" />
>     </bean>
>
>     <bean
>       class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
>           id="jaasUTValidator">
>        <property name="contextName" value="MyLDAP"/>
>     </bean>
>
>     <jaxws:endpoint id="transportSTSUT"
>       endpointName="ns1:TransportUT_Port"
>       serviceName="ns1:SecurityTokenService"
>       xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>       wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
>       address="/STSServiceTransportUT"
>       implementor="#transportSTSProviderBean">
>
>       <jaxws:properties>
>         <entry key="ws-security.ut.validator"
>          value-ref="jaasUTValidator"/>
>       </jaxws:properties>
>     </jaxws:endpoint>
>
> </beans>
>

And the endpoint part of *cxf-transport.xml*:


[...]
>
 <import resource="ldap.xml" />
>
[...]
>
<jaxws:endpoint id="transportSTSRealmA"
> implementor="#transportSTSProviderBean"
>         address="/REALMA/STSServiceTransportUT"
> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
>         xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>         serviceName="ns1:SecurityTokenService"
> endpointName="ns1:Transport_Port">
>         <jaxws:properties>
>         </jaxws:properties>
>     </jaxws:endpoint>
>

*Apache tomcat with IDP/STS output:*


INFO: Server startup in 21891 ms
> 2014-09-16 21:22:07,921 [http-bio-9443-exec-3] INFO
> org.apache.cxf.fediz.service.idp.STSPortFilter  -
> STSAuthenticationProvider.wsdlLocation set to
> https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
> 2014-09-16 21:22:08,209 [http-bio-9443-exec-3] INFO
> org.springframework.web.context.support.GenericWebApplicationContext  -
> Refreshing Flow ApplicationContext [federation]: startup date [Tue Sep 16
> 21:22:08 EEST 2014]; parent: WebApplicationContext for namespace
> 'idp-servlet'
> 2014-09-16 21:22:08,212 [http-bio-9443-exec-3] INFO
> org.springframework.beans.factory.support.DefaultListableBeanFactory  -
> Pre-instantiating singletons in
> org.springframework.beans.factory.support.DefaultListableBeanFactory@693eac60:
> defining beans
> [org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
> parent:
> org.springframework.beans.factory.support.DefaultListableBeanFactory@6544f498
> 2014-09-16 21:22:08,430 [http-bio-9443-exec-3] INFO
> org.springframework.web.context.support.GenericWebApplicationContext  -
> Refreshing Flow ApplicationContext [signinRequest]: startup date [Tue Sep
> 16 21:22:08 EEST 2014]; parent: WebApplicationContext for namespace
> 'idp-servlet'
> 2014-09-16 21:22:08,457 [http-bio-9443-exec-3] INFO
> org.springframework.beans.factory.support.DefaultListableBeanFactory  -
> Pre-instantiating singletons in
> org.springframework.beans.factory.support.DefaultListableBeanFactory@29733df7:
> defining beans
> [org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
> parent:
> org.springframework.beans.factory.support.DefaultListableBeanFactory@6544f498
> 2014-09-16 21:22:08,531 [http-bio-9443-exec-3] INFO
> org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS
> is null (Mock).
> 2014-09-16 21:22:22,004 [http-bio-9443-exec-5] INFO
> org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
> Message
> ----------------------------
> ID: 1
> Address:
> https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
> Http-Method: GET
> Content-Type: text/xml
> Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
> content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
> user-agent=[Apache CXF 2.7.11]}
> --------------------------------------
> 2014-09-16 21:22:22,523 [http-bio-9443-exec-7] INFO
> org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
> Message
> ----------------------------
> ID: 2
> Address:
> https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl
> Http-Method: GET
> Content-Type: text/xml
> Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
> content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
> user-agent=[Apache CXF 2.7.11]}
> --------------------------------------
> 2014-09-16 21:22:22,912 [http-bio-9443-exec-4] WARN
> org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl  - No assertion
> builder for type {
> http://www.w3.org/2006/05/addressing/wsdl}UsingAddressing registered.
> 2014-09-16 21:22:23,003 [http-bio-9443-exec-4] WARN
> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
> has thrown exception, unwinding now
> java.lang.IllegalArgumentException: URI is not absolute
>     at java.net.URI.toURL(URI.java:1095)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
>     at
> org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
>     at
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>     at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
>     at
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>     at
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> 2014-09-16 21:22:23,056 [http-bio-9443-exec-4] INFO
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider  - Failed to
> authenticate user 'Bob'
> java.lang.IllegalArgumentException: URI is not absolute
>     at java.net.URI.toURL(URI.java:1095)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
>     at
> org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
>     at
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>     at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
>     at
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>     at
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> 2014-09-16 21:22:29,058 [http-bio-9443-exec-9] WARN
> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
> has thrown exception, unwinding now
> java.lang.IllegalArgumentException: URI is not absolute
>     at java.net.URI.toURL(URI.java:1095)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
>     at
> org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
>     at
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>     at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
>     at
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>     at
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> 2014-09-16 21:22:29,059 [http-bio-9443-exec-9] INFO
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider  - Failed to
> authenticate user 'bob'
> java.lang.IllegalArgumentException: URI is not absolute
>     at java.net.URI.toURL(URI.java:1095)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
>     at
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
>     at
> org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
>     at
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>     at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
>     at
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>     at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>     at
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
>     at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>

Re: Use Fediz with LDAP

Posted by GiannisSam <io...@gmail.com>.
Hello.

I finally solved the problem. In my LDAP groups I had used "user" and "admin"
instead of "User" and "Admin", and that got my requests denied altogether. Stupid
mistake, although I am still not sure exactly why the request was denied
altogether.
In the end I get logged in with LDAP users, with their roles derived from
LDAP groups. So it works perfectly now.
Now I will continue with attaching other web services on that IDP and see
how that works out.

Ioannis Samartzis




Re: Use Fediz with LDAP

Posted by GiannisSam <io...@gmail.com>.
Hello.

So I more or less solved my problem myself. It turns out that with one realm (REALMA), two
endpoints are needed:
1) address="/REALMA/STSServiceTransportUT" in ldap.xml (with the jaasUTValidator)
2) address="/REALMA/STSServiceTransport" in cxf-transport

So now my LDAP users are getting authenticated along with their claims and
with their "role" taken from LDAP groups.
I see all of that correctly in the Tomcat output — tokens getting created and
everything — but my RP application is giving me "HTTP Status 403 - Access to
the requested resource has been denied". That application works with
file-based authentication, and I can't understand why it does not work now, since
authentication is successful and all claims are passed correctly.

Any insight would be really great.

Here is the IDP-tomcat output:

INFO: Server startup in 21982 ms
2014-10-01 01:40:15,461 [http-bio-9443-exec-1] INFO 
org.apache.cxf.fediz.service.idp.STSPortFilter  -
STSAuthenticationProvider.wsdlLocation set to
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
2014-10-01 01:40:15,789 [http-bio-9443-exec-1] INFO 
org.springframework.web.context.support.GenericWebApplicationContext  -
Refreshing Flow ApplicationContext [federation]: startup date [Wed Oct 01
01:40:15 EEST 2014]; parent: WebApplicationContext for namespace
'idp-servlet'
2014-10-01 01:40:15,792 [http-bio-9443-exec-1] INFO 
org.springframework.beans.factory.support.DefaultListableBeanFactory  -
Pre-instantiating singletons in
org.springframework.beans.factory.support.DefaultListableBeanFactory@6834cd6a:
defining beans
[org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
parent:
org.springframework.beans.factory.support.DefaultListableBeanFactory@2a2e2155
2014-10-01 01:40:16,025 [http-bio-9443-exec-1] INFO 
org.springframework.web.context.support.GenericWebApplicationContext  -
Refreshing Flow ApplicationContext [signinRequest]: startup date [Wed Oct 01
01:40:16 EEST 2014]; parent: WebApplicationContext for namespace
'idp-servlet'
2014-10-01 01:40:16,031 [http-bio-9443-exec-1] INFO 
org.springframework.beans.factory.support.DefaultListableBeanFactory  -
Pre-instantiating singletons in
org.springframework.beans.factory.support.DefaultListableBeanFactory@3d1d1a49:
defining beans
[org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
parent:
org.springframework.beans.factory.support.DefaultListableBeanFactory@2a2e2155
2014-10-01 01:40:16,101 [http-bio-9443-exec-1] INFO 
org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS
is null (Mock).
2014-10-01 01:40:24,896 [http-bio-9443-exec-3] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 1
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:25,371 [http-bio-9443-exec-5] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 2
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:25,802 [http-bio-9443-exec-2] WARN 
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl  - No assertion
builder for type {http://www.w3.org/2006/05/addressing/wsdl}UsingAddressing
registered.
2014-10-01 01:40:26,496 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  -
Outbound Message
---------------------------
ID: 1
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken
wsu:Id="UsernameToken-D4D2167BDFF08F2B2C14121168264901"><wsse:Username>alice</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ecila</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:26,549 [http-bio-9443-exec-7] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 3
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
Content-Length=[1333], content-type=[text/xml; charset=UTF-8],
host=[localhost:9443], pragma=[no-cache],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"],
user-agent=[Apache CXF 2.7.11]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken
wsu:Id="UsernameToken-D4D2167BDFF08F2B2C14121168264901"><wsse:Username>alice</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ecila</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
		[LdapLoginModule] authentication-only mode; SSL disabled
		[LdapLoginModule] user provider:
ldap://localhost:389/ou=Users,dc=ldap,dc=fediz
		[LdapLoginModule] attempting to authenticate user: alice
		[LdapLoginModule] authentication succeeded
		[LdapLoginModule] added LdapPrincipal "cn=alice,ou=Users,dc=ldap,dc=fediz"
to Subject
		[LdapLoginModule] added UserPrincipal "alice" to Subject
2014-10-01 01:40:28,705 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-10-01 01:40:28,732 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-10-01 01:40:28,732 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found TokenType:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:28,732 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found KeyType:
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-10-01 01:40:28,746 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that
has been received is: urn:fediz:idp
2014-10-01 01:40:28,761 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.service.StaticService  - Address urn:fediz:idp matches
with pattern .*
2014-10-01 01:40:28,763 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of
type:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:28,774 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new
subject with principal name: alice
2014-10-01 01:40:31,690 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature
keystore used
2014-10-01 01:40:31,690 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is
null so using default alias: realma
2014-10-01 01:40:31,691 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-10-01 01:40:31,691 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-10-01 01:40:31,910 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token:
false
2014-10-01 01:40:31,912 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation:
2014-09-30T22:40:31.661Z
2014-10-01 01:40:31,912 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration:
2014-09-30T23:00:31.661Z
2014-10-01 01:40:31,913 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.event.map.MapEventLogger  - 10/1/14 1:40:31
AM;SUCCESS;3339ms;127.0.0.1;59826;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT;REALMA;alice;<null>;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:fediz:idp;<null>;<null>;<null>;<null>;
2014-10-01 01:40:32,171 [http-bio-9443-exec-7] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  -
Outbound Message
---------------------------
ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:31.661Z</ns3:Created><ns3:Expires>2014-09-30T23:00:31.661Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,181 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {content-type=[text/xml;charset=UTF-8], Date=[Tue, 30 Sep 2014
22:40:32 GMT], Server=[Apache-Coyote/1.1], transfer-encoding=[chunked]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:31.661Z</ns3:Created><ns3:Expires>2014-09-30T23:00:31.661Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,320 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS
is null (Mock).
2014-10-01 01:40:32,322 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction  - Token
[IDP_TOKEN=_4C3D3D7257E6DF71B714121168315051] for realm
[urn:org:apache:cxf:fediz:idp:realm-A] successfully cached.
2014-10-01 01:40:32,330 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - STS WSDL URL
updated to
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
2014-10-01 01:40:32,410 [http-bio-9443-exec-9] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 4
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:32,636 [http-bio-9443-exec-1] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 5
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl=ws-trust-1.4.wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:32,811 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Outbound
Message
---------------------------
ID: 2
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Claims
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="true"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/></wst:Claims><wst:OnBehalfOf><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:OnBehalfOf><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2014-09-30T22:40:32.723Z</wsu:Created><wsu:Expires>2014-09-30T23:40:32.723Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,812 [http-bio-9443-exec-5] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 6
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml; charset=UTF-8], host=[localhost:9443],
pragma=[no-cache],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"],
transfer-encoding=[chunked], user-agent=[Apache CXF 2.7.11]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Claims
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="true"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/></wst:Claims><wst:OnBehalfOf><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:OnBehalfOf><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2014-09-30T22:40:32.723Z</wsu:Created><wsu:Expires>2014-09-30T23:40:32.723Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,834 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-10-01 01:40:32,834 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-10-01 01:40:32,873 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Primary Claims token
2014-10-01 01:40:32,875 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.ReceivedToken  - Found ValidateTarget element:
Assertion
2014-10-01 01:40:32,875 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found OnBehalfOf token
2014-10-01 01:40:32,875 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found TokenType:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.Lifetime  - Found created value:
2014-09-30T22:40:32.723Z
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.Lifetime  - Found expires value:
2014-09-30T23:40:32.723Z
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Lifetime element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found KeyType:
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that
has been received is: urn:org:apache:cxf:fediz:storage
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.service.StaticService  - Address
urn:org:apache:cxf:fediz:storage matches with pattern .*
2014-10-01 01:40:32,877 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.validator.SAMLTokenValidator  - Validating SAML
Token
2014-10-01 01:40:32,982 [http-bio-9443-exec-5] WARN 
org.apache.ws.security.validate.SignatureTrustValidator  - No Subject DN
Certificate Constraints were defined. This could be a security issue
2014-10-01 01:40:32,994 [http-bio-9443-exec-5] INFO 
org.apache.cxf.fediz.service.sts.realms.SamlRealmCodec  - Realm parsed in
certificate: REALMA
2014-10-01 01:40:33,047 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-10-01 01:40:33,047 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-10-01 01:40:33,047 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-10-01 01:40:33,049 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of
type:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:34,491 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - DN for
(cn=cn=alice,ou=Users,dc=ldap,dc=fediz) found:
cn=alice,ou=Users,dc=ldap,dc=fediz
2014-10-01 01:40:34,496 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - Groups for user 'alice':
[user]
2014-10-01 01:40:34,496 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - AppliesTo matchs with
scope: Storage
2014-10-01 01:40:34,496 [http-bio-9443-exec-5] INFO 
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - Filtered groups: [user]
2014-10-01 01:40:34,497 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  -
AttributeStatementsorg.apache.ws.security.saml.ext.bean.AttributeStatementBean@889ee2ereturned
by AttributeStatementProvider
org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider
2014-10-01 01:40:34,497 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new
subject with principal name: alice
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature
keystore used
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is
null so using default alias: realma
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-10-01 01:40:34,520 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token:
false
2014-10-01 01:40:34,520 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation:
2014-09-30T22:40:32.723Z
2014-10-01 01:40:34,520 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration:
2014-09-30T23:40:32.723Z
2014-10-01 01:40:34,521 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.event.map.MapEventLogger  - 10/1/14 1:40:34
AM;SUCCESS;1686ms;127.0.0.1;59831;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport;REALMA;<null>;alice;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:org:apache:cxf:fediz:storage;[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role];<null>;<null>;<null>;
2014-10-01 01:40:34,531 [http-bio-9443-exec-5] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Outbound
Message
---------------------------
ID: 6
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168344982"
IssueInstant="2014-09-30T22:40:34.498Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168344982"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>91uIcJic2hx5JQm3V+R3kGc5c2Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>YYrfZlfkwrDKS1nFBe8z8/ThCcCtefo+NRxNCJdYq0FpdFUoscZuLDtFQTr3q66TgN/Nj5FHF9pVvL54Azijv6Ontj1ucNcInk3XlUwJhk+StrgrlHLNYpknWUWotDIz6zAICupxLEu4xZcwFWj1fg1WDnrNDF14x85FERAuJyDWAycz+KoTfYbg8eGd3RkNvtQ74m5DQEXR7MJtu3+SPLC9m4lm0KAeBqRWGEjDbiw64CTOaIVjyB6rrSzNu5CZpYLb1vX1hnC2ADNzPyiPVE+bALgaJIN6WVRdpH5Fl6quVHzkGv/Gk5ZNuxGtzPnPN7UGsv6tuRe8grVkz8fkqA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:32.723Z"
NotOnOrAfter="2014-09-30T23:40:32.723Z"><saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:storage</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice@ldap.fediz</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">user</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:32.723Z</ns3:Created><ns3:Expires>2014-09-30T23:40:32.723Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:34,534 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {content-type=[text/xml;charset=UTF-8], Date=[Tue, 30 Sep 2014
22:40:34 GMT], Server=[Apache-Coyote/1.1], transfer-encoding=[chunked]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168344982"
IssueInstant="2014-09-30T22:40:34.498Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168344982"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>91uIcJic2hx5JQm3V+R3kGc5c2Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>YYrfZlfkwrDKS1nFBe8z8/ThCcCtefo+NRxNCJdYq0FpdFUoscZuLDtFQTr3q66TgN/Nj5FHF9pVvL54Azijv6Ontj1ucNcInk3XlUwJhk+StrgrlHLNYpknWUWotDIz6zAICupxLEu4xZcwFWj1fg1WDnrNDF14x85FERAuJyDWAycz+KoTfYbg8eGd3RkNvtQ74m5DQEXR7MJtu3+SPLC9m4lm0KAeBqRWGEjDbiw64CTOaIVjyB6rrSzNu5CZpYLb1vX1hnC2ADNzPyiPVE+bALgaJIN6WVRdpH5Fl6quVHzkGv/Gk5ZNuxGtzPnPN7UGsv6tuRe8grVkz8fkqA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN
MTMwOTAzMjAyMjMxWhcNMjMwNzEzMjAyMjMxWjARMQ8wDQYDVQQDEwZSRUFMTUEwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnmQKgcHaFmTG/rMzlSP1DDVUn1AIVlUo2eBNBaOloKvyX
rYT6zwd+mno1Skj9EQMntx9LvK6xLiquLvuKP0XGeWHhJwgG4dBB1QQ71hosrWIaClLQrNuV8d8p
ztSkPfVrL5SdmlqDUAlC598rGhU7ttXPKp2FF8set2QIDSFZrRURpeAoh7aCdlySrJGBQsTGTvb4
N6yF8yoxKcVBIBb62q4xS1qU10Oa+iYig3+b+vNwSzcN5RE9Etw+nQ8q8soiwfGcVLmWjv1oDuLr
x1BOqL2zXxmISlJgv2/cC3DVnPb6IOmHaEklLbod7Nq0JgD0L27s4Js+ccXtkoBcQtRxAgMBAAGj
ITAfMB0GA1UdDgQWBBSSn4p1eScqsNyywCH37ipMdZNykzANBgkqhkiG9w0BAQsFAAOCAQEAnkmN
aVR3lXJWh4nOvNvzXz6vBSMbm/K4khu8mRtUWHikbwZE72ZLCD2Bv69YhNsaAZmtH02CERUXZTbh
8YXfZ0VnMh9ieTKHWpNGDOBdvfsd8jSLd4svIrP2vfMciS0px0Q87W4jntiQovhPuTEeOOanaG8R
2eaROTONRsTQxWWGep5FqhH6Of2hL7kwEjFyLDE/NIMHHeURlxmbwwMbnJoA8/wVOZnGOCkmnKs9
6DXHD+MBCboD+2UMl76GONiksAsD+LjiqZwZeWsZCP+NDPEjXOv/7MzpiCSMLLk+AWzQAZDqpDwj
ys1YXREbVVFVlS+3Sob0hd0SJr/hsHl9Hw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:32.723Z"
NotOnOrAfter="2014-09-30T23:40:32.723Z"><saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:storage</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice@ldap.fediz</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">user</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:32.723Z</ns3:Created><ns3:Expires>2014-09-30T23:40:32.723Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:36,286 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  -
[RP_TOKEN=_4C3D3D7257E6DF71B714121168344982] successfully created for realm
[urn:org:apache:cxf:fediz:storage] on behalf of
[IDP_TOKEN=_4C3D3D7257E6DF71B714121168315051]




Re: Use Fediz with LDAP

Posted by GiannisSam <io...@gmail.com>.
I solved the problem. It turned out I had to delete the endpoint definitions from
cxf-transport.xml entirely and keep only the one in ldap.xml that wires in the
"jaasUTValidator" (the cxf-transport.xml endpoint had an empty <jaxws:properties>,
so it never referenced the JAAS validator). That wasn't clear to me from the documentation.

Anyway, my user is now authenticated against LDAP, but the flow stops there and
the IDP server log shows the messages below:
(Any ideas on what might be the problem would be much appreciated)
------------------------------------
[LdapLoginModule] authentication-only mode; SSL disabled
		[LdapLoginModule] user provider:
ldap://localhost:389/ou=Users,dc=ldap,dc=fediz
		[LdapLoginModule] attempting to authenticate user: bob
		[LdapLoginModule] authentication succeeded
		[LdapLoginModule] added LdapPrincipal "cn=bob,ou=Users,dc=ldap,dc=fediz"
to Subject
		[LdapLoginModule] added UserPrincipal "bob" to Subject
2014-09-30 01:36:03,495 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-09-30 01:36:03,500 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-09-30 01:36:03,500 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found TokenType:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-09-30 01:36:03,500 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found KeyType:
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-09-30 01:36:03,501 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-09-30 01:36:03,501 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-09-30 01:36:03,501 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-09-30 01:36:03,502 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-09-30 01:36:03,502 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-09-30 01:36:03,502 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that
has been received is: urn:fediz:idp
2014-09-30 01:36:03,503 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.service.StaticService  - Address urn:fediz:idp matches
with pattern .*
2014-09-30 01:36:03,503 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of
type:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-09-30 01:36:03,505 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new
subject with principal name: bob
2014-09-30 01:36:05,128 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature
keystore used
2014-09-30 01:36:05,128 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is
null so using default alias: realma
2014-09-30 01:36:05,129 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-09-30 01:36:05,129 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-09-30 01:36:05,249 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token:
false
2014-09-30 01:36:05,251 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation:
2014-09-29T22:36:05.114Z
2014-09-30 01:36:05,251 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration:
2014-09-29T22:56:05.114Z
2014-09-30 01:36:05,252 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.event.map.MapEventLogger  - 9/30/14 1:36:05
AM;SUCCESS;1814ms;127.0.0.1;58074;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT;REALMA;bob;<null>;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:fediz:idp;<null>;<null>;<null>;<null>;
2014-09-30 01:36:05,351 [http-bio-9443-exec-7] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  -
Outbound Message

[...]

2014-09-30 01:36:05,453 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS
is null (Mock).
2014-09-30 01:36:05,456 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction  - Token
[IDP_TOKEN=_3AE8B363924DC7A4C114120301649871] for realm
[urn:org:apache:cxf:fediz:idp:realm-A] successfully cached.
2014-09-30 01:36:05,462 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - STS WSDL URL
updated to
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
2014-09-30 01:36:05,501 [http-bio-9443-exec-9] WARN 
org.apache.cxf.transport.servlet.ServletController  - Can't find the the
request for
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport's Observer 
2014-09-30 01:36:05,644 [http-bio-9443-exec-7] WARN 
org.apache.cxf.transport.servlet.ServletController  - Can't find the the
request for
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport's Observer 




Re: Use Fediz with LDAP

Posted by GiannisSam <io...@gmail.com>.
I have run various tests myself and have the impression that the problem is
in how my OpenLDAP directory is set up. Could you give some guidance on how the
LDAP server should be structured so that the claims map correctly?

In particular, the

<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" 
			value="member"

mapping: how should the corresponding `member` attribute be populated in the LDAP
server (on the user entry, on the group entry, or both)? I couldn't find a helpful guide for that.

Thank you, 
I. Samartzis




Re: Use Fediz with LDAP

Posted by Colm O hEigeartaigh <co...@apache.org>.
This appears to be the error:

java.lang.IllegalArgumentException: URI is not absolute
>     at java.net.URI.toURL(URI.java:1095)
>     at
>
org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)

I'm not sure what could be causing that. Could you turn logging on to DEBUG
and attach it here? If there is nothing obvious there, then would it be
possible to create a test-case that shows the error?

Colm.


On Tue, Sep 16, 2014 at 7:31 PM, Ioannis Samartzis <
ioannis.samartzis@gmail.com> wrote:

> Hello.
>
> I have been using apache cxf fediz for some time now and I have managed to
> get the examples working
> and authorize sample users with the file implementation. Now I want to use
> the LDAP implementation.
> So I have an LDAP server with a Users OU that has all my sample users
> (posix accounts, bob,alice,etc).
> I have followed all the instructions from the
> https://cxf.apache.org/fediz-idp-11.html but when I start
> my servers (IDP/STS + RP) in localhost it prompts for authorization but
> never accepts my users.
> I have also removed RealmB, as I didn't need it as per instructions here
> <
> http://cxf.547215.n5.nabble.com/Question-about-CXF-Fediz-1-1-0-and-certificates-td5737010.html
> >
>
> In https://localhost:9443/fediz-idp-sts I see the 2 WSDLs here
> 1)https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
> 2)https://localhost:9443/fediz-idp-sts/STSServiceTransportUT?wsdl
>
> 1)Do you have any idea what could be wrong?
> 2) I am not sure whether the LdapContextSource bind account should be the
> directory admin or a dedicated low-privilege (read-only) user.
>
> Thanks a lot in advance!
> Ioannis Samartzis
>
> Here are some files and logs that could be helpful:
>
> *jaas.config*
>
> > // JAAS context named by jaasUTValidator (contextName="MyLDAP" in ldap.xml).
> > // The STS UsernameToken is verified by binding to the directory as that
> > // user (authentication-only mode, per the [LdapLoginModule] lines in the IDP log).
> > MyLDAP {
> > >  com.sun.security.auth.module.LdapLoginModule REQUIRED
> > >  // Root of the user entries; plain ldap://, no TLS.
> > >  userProvider="ldap://localhost:389/OU=Users,DC=ldap,DC=fediz"
> > >  // {USERNAME} is substituted into this DN template, so the login name has
> > >  // to be the entry's cn, while ldap.xml looks the same users up by uid;
> > >  // both must resolve to the same entry, confirm this for every account.
> > >  authIdentity="cn={USERNAME},OU=Users,DC=ldap,DC=fediz"
> > >  // NOTE(review): useSSL=false means the simple bind, and with it the
> > >  // user's password, leaves the host in the clear. Acceptable for a
> > >  // localhost lab only; set useSSL=true (LDAP over TLS) anywhere else.
> > >  useSSL=false
> > >  // Verbose module logging (the [LdapLoginModule] lines in the IDP log).
> > >  debug=true;
> > > };
> >
>
> * ldap.xml*
>
> <?xml version="1.0" encoding="UTF-8"?>
> > <beans xmlns="http://www.springframework.org/schema/beans"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="
> > http://www.springframework.org/schema/util"
> >     xmlns:jaxws="http://cxf.apache.org/jaxws"
> >     xsi:schemaLocation="
> >         http://www.springframework.org/schema/beans
> >         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >         http://www.springframework.org/schema/util
> >         http://www.springframework.org/schema/util/spring-util-2.0.xsd
> >         http://cxf.apache.org/jaxws
> >         http://cxf.apache.org/schemas/jaxws.xsd">
> >
> >     <!-- LDAP wiring for the Fediz STS (imported from cxf-transport.xml):
> >          one shared LDAP connection, two claims handlers that read user and
> >          group attributes, a JAAS-backed UsernameToken validator, and the
> >          STS endpoint that uses it. -->
> >
> >     <!-- Claims handlers the STS consults when it builds the SAML attribute
> >          statement; presumably in list order, confirm if ordering matters. -->
> >     <util:list id="claimHandlerList">
> >         <ref bean="userClaimsHandler" />
> >         <ref bean="groupClaimsHandler" />
> >     </util:list>
> >
> >     <!-- NOTE(review): plain ldap:// with no TLS. The bind below, and every
> >          attribute lookup after it, crosses the wire in the clear unless the
> >          server enforces StartTLS; fine for a localhost lab, use ldaps://
> >          anywhere else. -->
> >     <!-- NOTE(review): this binds as the directory admin with the password
> >          inline in the file. The claims handlers presumably only need read
> >          access to user and group entries, so a dedicated read-only service
> >          account is enough, and the secret belongs in an external property
> >          rather than in a file under source control. -->
> >     <bean id="contextSource"
> > class="org.springframework.ldap.core.support.LdapContextSource">
> >         <property name="url" value="ldap://localhost:389/" />
> >         <property name="userDn" value="cn=admin,dc=ldap,dc=fediz" />
> >         <property name="password" value="myPass" />
> >     </bean>
> >
> >     <!-- Spring LDAP template shared by both claims handlers. -->
> >     <bean id="ldapTemplate"
> > class="org.springframework.ldap.core.LdapTemplate">
> >         <constructor-arg ref="contextSource" />
> >     </bean>
> >
> >     <!-- Claim URI to LDAP attribute name; userClaimsHandler reads these
> >          from the user entry. -->
> >     <util:map id="claimsToLdapAttributeMapping">
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
> >             value="givenName" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
> >             value="sn" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> >             value="mail" />
> >     <!--    <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
> >             value="c" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode"
> >             value="postalCode" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"
> >             value="postalAddress" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"
> >             value="town" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince"
> >             value="st" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"
> >             value="gender" />
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"
> >             value="dateofbirth" />
> >             -->
> >         <!-- NOTE(review): this reads "member" from the user entry itself.
> >              Group membership normally lives on the group entry, which is
> >              what groupClaimsHandler below resolves; presumably only one of
> >              the two should own the role claim, confirm which. -->
> >         <entry key="
> > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
> >             value="member" />
> >     </util:map>
> >
> >     <!-- Per-user attribute claims. userNameAttribute is uid here, while
> >          the MyLDAP JAAS context authenticates by cn=; for every account
> >          both must resolve to the entry that was actually authenticated. -->
> >     <bean id="userClaimsHandler"
> > class="org.apache.cxf.sts.claims.LdapClaimsHandler">
> >         <property name="ldapTemplate" ref="ldapTemplate" />
> >         <property name="claimsLdapAttributeMapping"
> > ref="claimsToLdapAttributeMapping" />
> >         <property name="userBaseDN" value="ou=Users,dc=ldap,dc=fediz" />
> >         <property name="userNameAttribute" value="uid" />
> >     </bean>
> >
> >     <!-- Relying-party AppliesTo URI to the scope name used to filter
> >          groups. Only the helloworld RP is mapped; any other RP needs its
> >          own entry (how an unmapped AppliesTo is treated is not visible
> >          here, confirm before relying on it). -->
> >     <util:map id="appliesToScopeMapping">
> >         <entry key="urn:org:apache:cxf:fediz:fedizhelloworld"
> >             value="Example" />
> >     </util:map>
> >
> >     <!-- NOTE(review): groupBaseDN sits under dc=fediz,dc=org while
> >          userBaseDN and the JAAS config use dc=ldap,dc=fediz. Unless the
> >          directory really serves both suffixes, group lookups search a
> >          tree that does not exist and no role claim is issued. -->
> >     <bean id="groupClaimsHandler"
> > class="org.apache.cxf.sts.claims.LdapGroupClaimsHandler">
> >         <property name="ldapTemplate" ref="ldapTemplate" />
> >         <property name="userBaseDN" value="ou=Users,dc=ldap,dc=fediz" />
> >         <property name="groupBaseDN" value="ou=groups,dc=fediz,dc=org"
> > />
> >         <property name="appliesToScopeMapping"
> ref="appliesToScopeMapping"
> > />
> >         <property name="userNameAttribute" value="uid" />
> >     </bean>
> >
> >     <!-- Validates the STS UsernameToken through the MyLDAP JAAS login
> >          context (jaas.config), i.e. by binding to the directory as the
> >          user presenting the token. -->
> >     <bean
> >       class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
> >           id="jaasUTValidator">
> >        <property name="contextName" value="MyLDAP"/>
> >     </bean>
> >
> >     <!-- The endpoint that actually enforces LDAP authentication: it is the
> >          one with ws-security.ut.validator set. A second endpoint on the
> >          same provider bean without that property would not route
> >          UsernameToken validation through jaasUTValidator, so keep this the
> >          only one. -->
> >     <jaxws:endpoint id="transportSTSUT"
> >       endpointName="ns1:TransportUT_Port"
> >       serviceName="ns1:SecurityTokenService"
> >       xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >       wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
> >       address="/STSServiceTransportUT"
> >       implementor="#transportSTSProviderBean">
> >
> >       <jaxws:properties>
> >         <entry key="ws-security.ut.validator"
> >          value-ref="jaasUTValidator"/>
> >       </jaxws:properties>
> >     </jaxws:endpoint>
> >
> > </beans>
> >
>
> And the endpoint part of *cxf-transport.xml*:
>
>
> [...]
> >
>  <import resource="ldap.xml" />
> >
> [...]
> >
> <!-- NOTE(review): registered on the same transportSTSProviderBean as the
>      endpoint in ldap.xml, but with an empty jaxws:properties, so no
>      ws-security.ut.validator is set and UsernameToken validation on this
>      address does not go through jaasUTValidator. It also uses
>      Transport_Port rather than the TransportUT_Port used in ldap.xml. The
>      IDP log below shows STSAuthenticationProvider pointed at exactly this
>      endpoint's WSDL. -->
> <jaxws:endpoint id="transportSTSRealmA"
> > implementor="#transportSTSProviderBean"
> >         address="/REALMA/STSServiceTransportUT"
> > wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
> >         xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >         serviceName="ns1:SecurityTokenService"
> > endpointName="ns1:Transport_Port">
> >         <jaxws:properties>
> >             <!-- no ws-security.ut.validator entry here, unlike transportSTSUT in ldap.xml -->
> >         </jaxws:properties>
> >     </jaxws:endpoint>
> >
>
> *Apache tomcat with IDP/STS output:*
>
>
> INFO: Server startup in 21891 ms
> > 2014-09-16 21:22:07,921 [http-bio-9443-exec-3] INFO
> > org.apache.cxf.fediz.service.idp.STSPortFilter  -
> > STSAuthenticationProvider.wsdlLocation set to
> > https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
> > 2014-09-16 21:22:08,209 [http-bio-9443-exec-3] INFO
> > org.springframework.web.context.support.GenericWebApplicationContext  -
> > Refreshing Flow ApplicationContext [federation]: startup date [Tue Sep 16
> > 21:22:08 EEST 2014]; parent: WebApplicationContext for namespace
> > 'idp-servlet'
> > 2014-09-16 21:22:08,212 [http-bio-9443-exec-3] INFO
> > org.springframework.beans.factory.support.DefaultListableBeanFactory  -
> > Pre-instantiating singletons in
> >
> org.springframework.beans.factory.support.DefaultListableBeanFactory@693eac60
> :
> > defining beans
> >
> [org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
> > parent:
> >
> org.springframework.beans.factory.support.DefaultListableBeanFactory@6544f498
> > 2014-09-16 21:22:08,430 [http-bio-9443-exec-3] INFO
> > org.springframework.web.context.support.GenericWebApplicationContext  -
> > Refreshing Flow ApplicationContext [signinRequest]: startup date [Tue Sep
> > 16 21:22:08 EEST 2014]; parent: WebApplicationContext for namespace
> > 'idp-servlet'
> > 2014-09-16 21:22:08,457 [http-bio-9443-exec-3] INFO
> > org.springframework.beans.factory.support.DefaultListableBeanFactory  -
> > Pre-instantiating singletons in
> >
> org.springframework.beans.factory.support.DefaultListableBeanFactory@29733df7
> :
> > defining beans
> >
> [org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
> > parent:
> >
> org.springframework.beans.factory.support.DefaultListableBeanFactory@6544f498
> > 2014-09-16 21:22:08,531 [http-bio-9443-exec-3] INFO
> > org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  -
> HRDS
> > is null (Mock).
> > 2014-09-16 21:22:22,004 [http-bio-9443-exec-5] INFO
> > org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  -
> Inbound
> > Message
> > ----------------------------
> > ID: 1
> > Address:
> > https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
> > Http-Method: GET
> > Content-Type: text/xml
> > Headers: {Accept=[*/*], cache-control=[no-cache],
> connection=[keep-alive],
> > content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
> > user-agent=[Apache CXF 2.7.11]}
> > --------------------------------------
> > 2014-09-16 21:22:22,523 [http-bio-9443-exec-7] INFO
> > org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  -
> Inbound
> > Message
> > ----------------------------
> > ID: 2
> > Address:
> >
> https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl
> > Http-Method: GET
> > Content-Type: text/xml
> > Headers: {Accept=[*/*], cache-control=[no-cache],
> connection=[keep-alive],
> > content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
> > user-agent=[Apache CXF 2.7.11]}
> > --------------------------------------
> > 2014-09-16 21:22:22,912 [http-bio-9443-exec-4] WARN
> > org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl  - No assertion
> > builder for type {
> > http://www.w3.org/2006/05/addressing/wsdl}UsingAddressing registered.
> > 2014-09-16 21:22:23,003 [http-bio-9443-exec-4] WARN
> > org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> >
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
> > has thrown exception, unwinding now
> > java.lang.IllegalArgumentException: URI is not absolute
> >     at java.net.URI.toURL(URI.java:1095)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
> >     at
> > org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
> >     at
> >
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> >     at
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
> >     at
> >
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> >     at
> >
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> >     at
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> >     at
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> >     at
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >     at
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> >     at
> > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> >     at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> >     at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >     at
> >
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
> >     at
> >
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> >     at
> >
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >     at
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >     at java.lang.Thread.run(Thread.java:745)
> > 2014-09-16 21:22:23,056 [http-bio-9443-exec-4] INFO
> > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider  - Failed to
> > authenticate user 'Bob'
> > java.lang.IllegalArgumentException: URI is not absolute
> >     at java.net.URI.toURL(URI.java:1095)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
> >     at
> > org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
> >     at
> >
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> >     at
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
> >     at
> >
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> >     at
> >
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> >     at
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> >     at
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> >     at
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >     at
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> >     at
> > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> >     at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> >     at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >     at
> >
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
> >     at
> >
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> >     at
> >
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >     at
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >     at java.lang.Thread.run(Thread.java:745)
> > 2014-09-16 21:22:29,058 [http-bio-9443-exec-9] WARN
> > org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> >
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
> > has thrown exception, unwinding now
> > java.lang.IllegalArgumentException: URI is not absolute
> >     at java.net.URI.toURL(URI.java:1095)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
> >     at
> > org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
> >     at
> >
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> >     at
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
> >     at
> >
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> >     at
> >
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> >     at
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> >     at
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> >     at
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >     at
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> >     at
> > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> >     at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> >     at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >     at
> >
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
> >     at
> >
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> >     at
> >
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >     at
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >     at java.lang.Thread.run(Thread.java:745)
> > 2014-09-16 21:22:29,059 [http-bio-9443-exec-9] INFO
> > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider  - Failed to
> > authenticate user 'bob'
> > java.lang.IllegalArgumentException: URI is not absolute
> >     at java.net.URI.toURL(URI.java:1095)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:92)
> >     at
> >
> org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:103)
> >     at
> > org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:477)
> >     at
> >
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> >     at
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
> >     at
> >
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:782)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> >     at
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:117)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> >     at
> >
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> >     at
> >
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
> >     at
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
> >     at
> >
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> >     at
> >
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> >     at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> >     at
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> >     at
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> >     at
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >     at
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> >     at
> > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> >     at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> >     at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >     at
> >
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
> >     at
> >
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> >     at
> >
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >     at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >     at
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >     at java.lang.Thread.run(Thread.java:745)
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com