Posted to users@cxf.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk> on 2017/11/14 17:41:29 UTC

Re: fediz production

Hmmm...just saw this today 
http://janbernhardt.blogspot.com.es/2015/12/fediz-with-openid-connect-support-and_14.html. 
That looks more like a better solution. Now I understand what you mean 
about WS-Fed.  But I still couldn't access the Idp without it asking for 
a certificate.  Although it was working fine once the certificate dialog 
was dismissed

On 31/10/2017 20:35, Sergey Beryozkin wrote:
> Hi Matthew
>
> Thanks for the feedback. Finally I get a chance to contribute to this
> thread :-).
> Putting aside the fact KeyCloak is a high quality project, I'd like to
> say the fact you could not figure out how to set up the keys is not
> sufficient to conclude Fediz is not ready for use in production. I'm
> not sure if you were referring to the WS-Fed or not.
>
> FYI, Fediz OIDC is currently in production. The actual number is
> small. And the team behind one of these productions put a lot of effort
> into getting it in. I agree and I believe we all do, a major effort is
> needed to push it to the next level, which is really making it very
> straightforward for the users to get started with it fast.
>
> Thanks, Sergey
> On 31/10/17 16:55, Matthew Broadhead wrote:
>> Thanks Colm,
>>
>> I really appreciate the time you took to respond to my emails. I 
>> spent a lot of time trying to get Fediz to work.  I also submitted a 
>> couple of PRs on github.
>>
>> But in the end I have moved to keycloak.  It is a much more mature 
>> project and has an installation program and a web interface.   I had 
>> it fully working in under 2 hours!
>>
>> Fediz could move to the next level if it could be:
>> - simply installed standalone without any configuration whatsoever
>> - reside behind apache httpd for ssl certificates rather than using 
>> tomcat connector
>> - all configuration done in a web interface and stored in the 
>> database rather than "spring" configuration files
>>
>> I would be happy to offer some time towards helping achieve that goal 
>> but at the moment I don't think Fediz is ready for use in production.
>>
>> Cheers,
>> Matthew
>>
>> On 31/10/2017 11:50, Colm O hEigeartaigh wrote:
>>> Are you using the same Tomcat instance for the IdP and the STS? Or is the
>>> Tomcat IdP instance set to ask for client authentication? Failing that, I
>>> don't have any more ideas - I need to see a test-case to help any further.
>>>
>>> Colm.
>>>
>>> On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> hi Colm,
>>>>
>>>> Sorry to keep bothering you with this issue.
>>>>
>>>> It is still prompting me for a certificate when redirecting to the idp.  I
>>>> have checked line by line the differences between the original code and my
>>>> production code and cannot see any major difference.  i have tried with the
>>>> production certificate and with a custom generated certificate but both are
>>>> the same.
>>>>
>>>> Is there anything else I can try for debugging?
>>>>
>>>> Matthew
>>>>
>>>> On 26/10/2017 14:58, Matthew Broadhead wrote:
>>>>
>>>>> comments below
>>>>>
>>>>> On 26/10/2017 13:46, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Are you using Java 9? If so please try with Java 8 instead. The 
>>>>>> warnings
>>>>>> should be harmless, however I haven't tested Fediz with Java 9.
>>>>>>
>>>>> i am using openjdk 1.8.0.151
>>>>>
>>>>>> "when i first connect with fedizhelloworld it pops up a box asking for a
>>>>>> certificate." - can you reproduce this with a test-case? It sounds as if
>>>>>> you are not using the "up" endpoint of the IdP but instead the client cert
>>>>>> endpoint?
>>>>>>
>>>>> my fediz_config.xml has
>>>>> <issuer>https://domain.tld:9443/idp/federation</issuer>
>>>>>
>>>>> security-up-config.xml is the same as the example except with the
>>>>> endpoints changed from localhost:9443 to domain.tld:9443
>>>>>
>>>>> if it is not related to that can you tell me where i should be looking
>>>>> for the endpoint config?
>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm,
>>>>>>> I am not sure that would be very easy to provide a test case? Everything
>>>>>>> was working fine on localhost with the test certificates.
>>>>>>>
>>>>>>> Testing on production is completely different using letsencrypt certs and
>>>>>>> having to change lots of configuration files in the code? You would be
>>>>>>> welcome to look directly at my setup although you are probably busy?
>>>>>>>
>>>>>>> It looks as though the idpcert in the ststrust.jks is not being properly
>>>>>>> sent and trusted by the idp during handshake?  i am converting it using
>>>>>>> openssl to pkcs12 and then importing it into a jks. then i export the
>>>>>>> cert.  is it possible the chain is being dropped?
>>>>>>> openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
>>>>>>> keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
>>>>>>> keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}
>>>>>>>
>>>>>>> also i get a lot of these warnings when creating keystores. should i be
>>>>>>> changing everything to use pkcs12?
>>>>>>> Warning:
>>>>>>> The JKS keystore uses a proprietary format. It is recommended to migrate
>>>>>>> to PKCS12 which is an industry standard format using
>>>>>>>
>>>>>>> Matthew
>>>>>>>
>>>>>>> On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> Could you create a test-case and upload it to github somewhere + I will
>>>>>>>> take a look?
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>> Thanks for pointing me in the right direction.
>>>>>>>>
>>>>>>>>> basically what the documentation lacks is that the ststrust.jks must
>>>>>>>>> contain MyTCIDP.cer, i.e.
>>>>>>>>> keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
>>>>>>>>> i looked through the original ststrust.jks and it contained the alias
>>>>>>>>> idpcert which confirmed the suspicion
>>>>>>>>>
>>>>>>>>> the other problem was that the cipher of the letsencrypt certificate
>>>>>>>>> was not supported by java so i had to enable apr for openssl support.
>>>>>>>>> -Djavax.net.debug=all helped to debug that.
>>>>>>>>>
>>>>>>>>> but i still have some strange problems.  when i first connect with
>>>>>>>>> fedizhelloworld it pops up a box asking for a certificate.  and also
>>>>>>>>> if i leave it logged in for a while and then try to logout chrome
>>>>>>>>> tells me
>>>>>>>>> This site can’t provide a secure connection
>>>>>>>>> ERR_SSL_PROTOCOL_ERROR
>>>>>>>>>
>>>>>>>>> On 25/10/2017 14:28, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Your truststore in cxf-tls.xml must trust the certificate presented by
>>>>>>>>>> the STS. Also, it must contain a keystore with the private key of the
>>>>>>>>>> IdP, which in turn must be trusted by the STS.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Are the two keystores responsible for the trust between idp and sts
>>>>>>>>>>> supposed to be stsrealm_a.jks and ststrust.jks
>>>>>>>>>>>
>>>>>>>>>>> it is just that the cert it is not trusting is the idp-ssl-key.jks
>>>>>>>>>>> (domain.tld) which makes sense if it is hitting domain.tld:9443/idp
>>>>>>>>>>> etc
>>>>>>>>>>>
>>>>>>>>>>> does this mean ststrust.jks should contain MyTCIDP.cer as well as
>>>>>>>>>>> MyTCRP.cer?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> You'll need to go through the output to figure out why the cert is
>>>>>>>>>>>> not trusted. If you generate some test certs + create a testcase
>>>>>>>>>>>> somewhere I will take a look.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> i get a load of stuff, but in the middle of the one before the
>>>>>>>>>>>>> error i get
>>>>>>>>>>>>>
>>>>>>>>>>>>> Warning: no suitable certificate found - continuing without client
>>>>>>>>>>>>> authentication
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ahhh...
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Djavax.net.debug=all
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How would I enable the debug?
>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>>>>>>>>>>>> <security:debug/>?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you change it to "required" does it fail? If so, you could try
>>>>>>>>>>>>>>>> running the Tomcat IdP with Java SSL debugging enabled and it
>>>>>>>>>>>>>>>> should tell you why the IdP can't connect to the STS.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I realise now that this html file was included in the
>>>>>>>>>>>>>>>>> examples/samplekeys directory in the code.  but i was taking it
>>>>>>>>>>>>>>>>> from the internet.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am
>>>>>>>>>>>>>>>>> still getting the same error over and again.  I can browse the
>>>>>>>>>>>>>>>>> wsdl without having to provide a client certificate. could you
>>>>>>>>>>>>>>>>> point me to the part of the idp-sts configuration which might be
>>>>>>>>>>>>>>>>> causing it to not ask for the keys properly?  or is it definitely
>>>>>>>>>>>>>>>>> a tomcat server.xml issue?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> You can see the HTML here:
>>>>>>>>>>>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I'll update the webpage to point to github instead of 
>>>>>>>>>>>>>>>>>> SVN.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Colm
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Firstly is there somewhere to see these instructions correctly
>>>>>>>>>>>>>>>>>>> formatted in html?
>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>>>>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to
>>>>>>>>>>>>>>>>>>> ststrust.jks.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I have some more things to try now so I will let you know if I
>>>>>>>>>>>>>>>>>>> get further
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Why not try the simple Connector configuration I gave earlier
>>>>>>>>>>>>>>>>>>>> but with your own keys?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> in Tomcat 8
>>>>>>>>>>>>>>>>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
>>>>>>>>>>>>>>>>>>>>> it says
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> clientAuth
>>>>>>>>>>>>>>>>>>>>> This is an alias for the certificateVerification attribute of
>>>>>>>>>>>>>>>>>>>>> the default SSLHostConfig element.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>>>>> certificateVerification
>>>>>>>>>>>>>>>>>>>>> Set to required if you want the SSL stack to require a valid
>>>>>>>>>>>>>>>>>>>>> certificate chain from the client before accepting a
>>>>>>>>>>>>>>>>>>>>> connection. Set to optional if you want the SSL stack to
>>>>>>>>>>>>>>>>>>>>> request a client Certificate, but not fail if one isn't
>>>>>>>>>>>>>>>>>>>>> presented. Set to optionalNoCA if you want client certificates
>>>>>>>>>>>>>>>>>>>>> to be optional and you don't want Tomcat to check them against
>>>>>>>>>>>>>>>>>>>>> the list of trusted CAs. If the TLS provider doesn't support
>>>>>>>>>>>>>>>>>>>>> this option (OpenSSL does, JSSE does not) it is treated as if
>>>>>>>>>>>>>>>>>>>>> optional was specified. A none value (which is the default)
>>>>>>>>>>>>>>>>>>>>> will not require a certificate chain unless the client requests
>>>>>>>>>>>>>>>>>>>>> a resource protected by a security constraint that uses
>>>>>>>>>>>>>>>>>>>>> CLIENT-CERT authentication.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i
>>>>>>>>>>>>>>>>>>>>> cannot access the site at all with
>>>>>>>>>>>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL
>>>>>>>>>>>>>>>>>>>>> peer cannot verify your certificate. Error code:
>>>>>>>>>>>>>>>>>>>>> SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is
>>>>>>>>>>>>>>>>>>>>>> not asking for client authentication. You can check this by
>>>>>>>>>>>>>>>>>>>>>> using a web browser or curl to view the WSDL of the STS - if
>>>>>>>>>>>>>>>>>>>>>> you can get it to work then the configuration is incorrect, as
>>>>>>>>>>>>>>>>>>>>>> it should error on the browser not supplying a client cert.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew 
>>>>>>>>>>>>>>>>>>>>>> Broadhead <
>>>>>>>>>>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount
>>>>>>>>>>>>>>>>>>>>>>> of reloading the certificates is helping.  is there any way to
>>>>>>>>>>>>>>>>>>>>>>> debug what the actual problem is?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>>>> gine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.en
>>>>>>>>>>>>>>>>>>>>>>> gine.impl.FlowExecutionImpl.st
>>>>>>>>>>>>>>>>>>>>>>> art(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.ex
>>>>>>>>>>>>>>>>>>>>>>> ecutor.FlowExecutorImpl.launch
>>>>>>>>>>>>>>>>>>>>>>> Execution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.webflow.mv
>>>>>>>>>>>>>>>>>>>>>>> c.servlet.FlowHandlerAdapter.
>>>>>>>>>>>>>>>>>>>>>>> handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>>>> t.DispatcherServlet.doDispatch
>>>>>>>>>>>>>>>>>>>>>>> (DispatcherServlet.java:967)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>>>> t.DispatcherServlet.doService(
>>>>>>>>>>>>>>>>>>>>>>> DispatcherServlet.java:901)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>>>> t.FrameworkServlet.processRequ
>>>>>>>>>>>>>>>>>>>>>>> est(FrameworkServlet.java:970)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>>>> t.FrameworkServlet.doGet(
>>>>>>>>>>>>>>>>>>>>>>> FrameworkServlet.java:861)
>>>>>>>>>>>>>>>>>>>>>>>              at javax.servlet.http.HttpServlet
>>>>>>>>>>>>>>>>>>>>>>> .service(HttpServlet.java:635)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.servle
>>>>>>>>>>>>>>>>>>>>>>> t.FrameworkServlet.service(
>>>>>>>>>>>>>>>>>>>>>>> FrameworkServlet.java:846)
>>>>>>>>>>>>>>>>>>>>>>>              at javax.servlet.http.HttpServlet
>>>>>>>>>>>>>>>>>>>>>>> .service(HttpServlet.java:742)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.tomcat.websocket.se
>>>>>>>>>>>>>>>>>>>>>>> rver.WsFilter.doFilter(WsFilte
>>>>>>>>>>>>>>>>>>>>>>> r.java:52)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>>>>>>>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118) 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.access.intercept.FilterSecu
>>>>>>>>>>>>>>>>>>>>>>> rityInterceptor.doFilter(Filte
>>>>>>>>>>>>>>>>>>>>>>> rSecurityInterceptor.java:84)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.access.ExceptionTranslation
>>>>>>>>>>>>>>>>>>>>>>> Filter.doFilter(ExceptionTranslationFilter.java:113) 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.session.SessionManagementFi
>>>>>>>>>>>>>>>>>>>>>>> lter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.authentication.AnonymousAut
>>>>>>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(Ano
>>>>>>>>>>>>>>>>>>>>>>> nymousAuthenticationFilter.jav
>>>>>>>>>>>>>>>>>>>>>>> a:113)
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut
>>>>>>>>>>>>>>>>>>>>>>> horityEntitlements.doFilter(Gr
>>>>>>>>>>>>>>>>>>>>>>> antedAuthorityEntitlements.jav
>>>>>>>>>>>>>>>>>>>>>>> a:97)
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.servletapi.SecurityContextH
>>>>>>>>>>>>>>>>>>>>>>> olderAwareRequestFilter.doFilter(SecurityContextHolder 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> AwareRequestFilter.java:154)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.savedrequest.RequestCacheAw
>>>>>>>>>>>>>>>>>>>>>>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.authentication.www.BasicAut
>>>>>>>>>>>>>>>>>>>>>>> henticationFilter.doFilter(BasicAuthenticationFilter.java: 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 150)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.authentication.AbstractAuth
>>>>>>>>>>>>>>>>>>>>>>> enticationProcessingFilter.doFilter(AbstractAuthenticatio 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> nProcessingFilter.java:199)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.authentication.logout.Logou
>>>>>>>>>>>>>>>>>>>>>>> tFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.context.request.async.WebAs
>>>>>>>>>>>>>>>>>>>>>>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> erIntegrationFilter.java:50)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.context.SecurityContextPers
>>>>>>>>>>>>>>>>>>>>>>> istenceFilter.doFilter(SecurityContextPersistenceFilter. 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> java:87)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>> dp.STSPortFilter.doFilter(STSP
>>>>>>>>>>>>>>>>>>>>>>> ortFilter.java:74)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.access.channel.ChannelProce
>>>>>>>>>>>>>>>>>>>>>>> ssingFilter.doFilter(ChannelProcessingFilter.java:144) 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy$VirtualFil
>>>>>>>>>>>>>>>>>>>>>>> terChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilterIn
>>>>>>>>>>>>>>>>>>>>>>> ternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.security.w
>>>>>>>>>>>>>>>>>>>>>>> eb.FilterChainProxy.doFilter(F
>>>>>>>>>>>>>>>>>>>>>>> ilterChainProxy.java:160)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.invokeD
>>>>>>>>>>>>>>>>>>>>>>> elegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>>>> .DelegatingFilterProxy.doFilte
>>>>>>>>>>>>>>>>>>>>>>> r(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>>>> .CharacterEncodingFilter.doFil
>>>>>>>>>>>>>>>>>>>>>>> terInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>>>>>>>>>>>              at org.springframework.web.filter
>>>>>>>>>>>>>>>>>>>>>>> .OncePerRequestFilter.doFilter
>>>>>>>>>>>>>>>>>>>>>>> (OncePerRequestFilter.java:107)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.internalDoFi
>>>>>>>>>>>>>>>>>>>>>>> lter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Appli
>>>>>>>>>>>>>>>>>>>>>>> cationFilterChain.doFilter(App
>>>>>>>>>>>>>>>>>>>>>>> licationFilterChain.java:166)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>>>> ardWrapperValve.invoke(Standar
>>>>>>>>>>>>>>>>>>>>>>> dWrapperValve.java:198)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>>>> ardContextValve.invoke(Standar
>>>>>>>>>>>>>>>>>>>>>>> dContextValve.java:96)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>>>> ardHostValve.invoke(StandardHo
>>>>>>>>>>>>>>>>>>>>>>> stValve.java:140)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.valves.Err
>>>>>>>>>>>>>>>>>>>>>>> orReportValve.invoke(ErrorRepo
>>>>>>>>>>>>>>>>>>>>>>> rtValve.java:80)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.valves.Abs
>>>>>>>>>>>>>>>>>>>>>>> tractAccessLogValve.invoke(Abs
>>>>>>>>>>>>>>>>>>>>>>> tractAccessLogValve.java:650)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.core.Stand
>>>>>>>>>>>>>>>>>>>>>>> ardEngineValve.invoke(Standard
>>>>>>>>>>>>>>>>>>>>>>> EngineValve.java:87)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.catalina.connector.
>>>>>>>>>>>>>>>>>>>>>>> CoyoteAdapter.service(CoyoteAd
>>>>>>>>>>>>>>>>>>>>>>> apter.java:342)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>>>>>> Processor.service(StreamProces
>>>>>>>>>>>>>>>>>>>>>>> sor.java:245)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.AbstractProc
>>>>>>>>>>>>>>>>>>>>>>> essorLight.process(AbstractPro
>>>>>>>>>>>>>>>>>>>>>>> cessorLight.java:66)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>>>>>> Processor.process(StreamProces
>>>>>>>>>>>>>>>>>>>>>>> sor.java:65)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.coyote.http2.Stream
>>>>>>>>>>>>>>>>>>>>>>> Runnable.run(StreamRunnable.
>>>>>>>>>>>>>>>>>>>>>>> java:35)
>>>>>>>>>>>>>>>>>>>>>>>              at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>>>>>> lExecutor.runWorker(ThreadPool
>>>>>>>>>>>>>>>>>>>>>>> Executor.java:1142)
>>>>>>>>>>>>>>>>>>>>>>>              at java.util.concurrent.ThreadPoo
>>>>>>>>>>>>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoo
>>>>>>>>>>>>>>>>>>>>>>> lExecutor.java:617)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.tomcat.util.threads
>>>>>>>>>>>>>>>>>>>>>>> .TaskThread$WrappingRunnable.
>>>>>>>>>>>>>>>>>>>>>>> run(TaskThread.java:61)
>>>>>>>>>>>>>>>>>>>>>>>              at 
>>>>>>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException:
>>>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate
>>>>>>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. 
>>>>>>>>>>>>>>>>>>>>>>> Is the
>>>>>>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>>>>>>> set to
>>>>>>>>>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>>>>>>>>>> for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>>>>>> java:255)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.binding.soap.sa
>>>>>>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE
>>>>>>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage
>>>>>>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>              ... 154 more
>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept
>>>>>>>>>>>>>>>>>>>>>>> ion:
>>>>>>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local
>>>>>>>>>>>>>>>>>>>>>>> certificates
>>>>>>>>>>>>>>>>>>>>>>> were
>>>>>>>>>>>>>>>>>>>>>>> negotiated.  Is the server set to ask for client
>>>>>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>>>> m.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>> URLConnectionHTTPConduit$URLCo
>>>>>>>>>>>>>>>>>>>>>>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Conduit.java:309)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractWrap
>>>>>>>>>>>>>>>>>>>>>>> pedOutputStream.write(Abstract
>>>>>>>>>>>>>>>>>>>>>>> WrappedOutputStream.java:47)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>>>>>> sholdOutputStream.unBuffer(Abs
>>>>>>>>>>>>>>>>>>>>>>> tractThresholdOutputStream.java:89)
>>>>>>>>>>>>>>>>>>>>>>>              at org.apache.cxf.io.AbstractThre
>>>>>>>>>>>>>>>>>>>>>>> sholdOutputStream.write(Abstra
>>>>>>>>>>>>>>>>>>>>>>> ctThresholdOutputStream.java:63)
>>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.io.UTF8Writer.flu
>>>>>>>>>>>>>>>>>>>>>>> sh(UTF8Writer.java:100)
>>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BufferingXmlWr
>>>>>>>>>>>>>>>>>>>>>>> iter.flush(BufferingXmlWriter.
>>>>>>>>>>>>>>>>>>>>>>> java:241)
>>>>>>>>>>>>>>>>>>>>>>>              at com.ctc.wstx.sw.BaseStreamWrit
>>>>>>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.
>>>>>>>>>>>>>>>>>>>>>>> java:253)
>>>>>>>>>>>>>>>>>>>>>>>              ... 155 more
>>>>>>>>>>>>>>>>>>>>>>> 2017-10-24 12:55:58,158 
>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-2]
>>>>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github: https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>>>>>>>>>>>>>            SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>>>>>>>>>>>>>            sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>>>>>>>>>>>>>            keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>                      type="RSA" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </SSLHostConfig>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </Connector>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml. Could this be the problem? How would I use production certificates?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> </http:conduit>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> But now I have this
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ... 154 more
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> authorization?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-9
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ERROR
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> dp.beans.STSClientAction
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> retrieving a token
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should have been
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> according to original file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     </property>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> </bean>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate ok, but then I get the following error
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Matthew
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>
>>
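The thread above quotes three kinds of Fediz IdP log messages while the setup was being debugged: `No service config found for <realm>` from `EndpointAddressValidator` (Colm's reply asks whether an `ApplicationEntity` with that realm exists), `Role '<name>' not found` from `GrantedAuthorityEntitlements`, and the STS call failing with `RequireClientCertificate is set, but no local certificates were negotiated`. When the same log is several hundred lines long it helps to reduce it to the distinct realms, roles and failure counts before touching the configuration. The following triage script is an added example written for this page; it is not code from the thread or from the Fediz project. It assumes the `<timestamp> [<thread>] <LEVEL> <logger> - <message>` line shape seen in the quoted logs, the category names are my own, and the sample log is constructed from lines modelled on those in the thread.

```python
import re

# Log line shape as quoted in the thread (assumption: one record starts per such line;
# stack-trace lines that follow belong to the preceding record).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Category names are hypothetical; the patterns are the messages quoted in the thread.
MISSING_SERVICE_CONFIG = re.compile(r"No service config found for (?P<realm>\S+)")
MISSING_ROLE = re.compile(r"Role '(?P<role>[^']+)' not found")
CLIENT_CERT_NOT_NEGOTIATED = re.compile(
    r"RequireClientCertificate is set, but no local certificates were negotiated"
)

# Constructed sample log, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
"""


def parse(lines):
    """Group raw lines into records. A line matching LOG_RE opens a record; any other
    non-empty line (exception text, 'at ...', 'Caused by: ...') is attached to the
    most recent record as detail, so a multi-line stack trace stays with its WARN."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["detail"] = []
            records.append(rec)
        elif records and line.strip():
            records[-1]["detail"].append(line.strip())
    return records


def triage(lines):
    """Reduce a log to the distinct realms without a service config, the distinct
    roles reported missing, and how many records failed on client-certificate
    negotiation. Matching runs once per record (message plus attached detail), so a
    'Caused by' chain that repeats the same text is counted a single time."""
    realms, roles, cert_failures = set(), set(), 0
    for rec in parse(lines):
        text = " ".join([rec["msg"]] + rec["detail"])
        m = MISSING_SERVICE_CONFIG.search(text)
        if m:
            realms.add(m.group("realm"))
        m = MISSING_ROLE.search(text)
        if m:
            roles.add(m.group("role"))
        if CLIENT_CERT_NOT_NEGOTIATED.search(text):
            cert_failures += 1
    return {
        "missing_service_config": sorted(realms),
        "missing_role": sorted(roles),
        "client_cert_not_negotiated": cert_failures,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Each realm listed under `missing_service_config` is one to check against the `ApplicationEntity` beans in the IdP's entities file, exactly the question Colm asks in the thread; each name under `missing_role` is an entitlement the IdP expected to find; a non-zero `client_cert_not_negotiated` count says the IdP's outbound STS call was made under an HTTPS policy requiring a client certificate without one being presented, which is the condition the quoted `UntrustedURLConnectionIOException` reports.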