Posted to users@cxf.apache.org by Federico Tello Gentile <fg...@lifia.info.unlp.edu.ar> on 2013/07/12 21:29:36 UTC
Running Fediz Spring example webapp
Hi.
I've been trying to run the Fediz Spring example webapp. I want to
trigger a login when accessing
https://localhost:8443/fedizhelloworld/secure/test.html
All I get is a NullPointerException. *I'd appreciate any help you can
give me.*
Here's what I've done:
- Checked out the code from https://svn.apache.org/repos/asf/cxf/fediz/trunk
- Installed a fresh Tomcat 7.0.42 in /home/user/apache-tomcat-7.0.42
- Copied tomcat-idp.jks inside /home/user/apache-tomcat-7.0.42
- Edited server.xml
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/home/user/apache-tomcat-7.0.42/tomcat-idp.jks"
keystorePass="tompass"
clientAuth="false" sslProtocol="TLS" />
- Deployed fediz-idp and fediz-idp-sts wars there.
I see "Hello world" when accessing
https://localhost:9443/fediz-idp/
and accessing
https://localhost:9443/fediz-idp/federation
triggers a basic authentication user and password prompt.
I have a different Tomcat for the webapp "Fediz Example: SpringWebapp"
CATALINA_HOME is /home/user/apache-tomcat-7.0.34
CATALINA_BASE is /home/user/.netbeans/7.3/apache-tomcat-7.0.34.0_base
- I copied tomcat-rp.jks to /home/user/apache-tomcat-7.0.34
- Set up ssl
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/user/apache-tomcat-7.0.34/tomcat-rp.jks"
keystorePass="tompass" />
- I copied the file
fediz/examples/springWebapp/src/main/config/fediz_config.xml to
/home/user/.netbeans/7.3/apache-tomcat-7.0.34.0_base/conf
(Renaming it to Fediz_config.xml)
There's also a similarly named file
fediz/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml
which has different contents, but I did not copy it as I guessed it is used
by the application and not by Tomcat's valve.
- I added a context.xml file in
fediz/examples/springWebapp/src/main/webapp/META-INF/context.xml
with this contents
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/fedizhelloworld">
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/Fediz_config.xml" />
</Context>
- Copied all the jar files from the zip file
fediz/plugins/tomcat/targetfediz-tomcat-1.1.0-SNAPSHOT-zip-with-dependencies.zip
into /home/user/apache-tomcat-7.0.34/lib
- deployed the Fediz Example: SpringWebapp war
When I go to https://localhost:8443/fedizhelloworld/ I see the hello
world message. But if I try to access anything under /secure I don't get
any login attempt.
https://localhost:8443/fedizhelloworld/secure/manager/
redirects me to
https://localhost:9443/fediz-idp/?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fj_spring_fediz_security_check&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld&wct=2013-07-12T19%3A07%3A24.682Z
And I see a hello world there, but no login prompt.
https://localhost:8443/fedizhelloworld/secure/
gives me no redirection and a NullPointerException
java.lang.NullPointerException
org.apache.cxf.fediz.core.servlet.FederationFilter.doFilter(FederationFilter.java:57)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
RE: Running Fediz Spring example webapp
Posted by Oliver Wulff <ow...@talend.com>.
Hi there
>>>
Apparently the SSL certificate used for HTTPS is the same self-signed
certificate in the Federation metadata XML (the exported certificate
from the browser has the same text as the FederationMetadata.xml XML
portion).
>>>
Well, this is very uncommon. Certificates can be used for different usages (attribute key usage) like digital signature, server authentication, etc.
I assume this is a test infrastructure but still in this scenario, different certificates should be used as the CN of a certificate used for SSL (server authentication) should contain the DNS name of the server. The certificate (the private key concretely) used to sign the SAML assertion should be highly protected.
>>>
<issuer subject=".*CN=186.33.232.65.*"
certificateValidation="ChainTrust"
name="WIN-6LS98RP43K9" />
>>>
Import the certificate within the metadata file into the stsstore.jks and configure certificateValidation to "PeerTrust". You don't have to configure the subject.
If you want to configure the subject it should look like (regular expression):
subject=".*CN=WIN-6LS98RP43K9.*"
HTH
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
Re: Running Fediz Spring example webapp
Posted by Federico Tello Gentile <fg...@lifia.info.unlp.edu.ar>.
On 22/07/13 08:34, Oliver Wulff wrote:
> No, the certificate you see as part of the SSL handshake is different.
>
> You see the IDP certificate here:
> https://186.33.232.65/FederationMetadata/2007-06/FederationMetadata.xml
>
> RoleDescriptor->KeyDescriptor->KeyInfo->X509Data
>
>
Apparently the SSL certificate used for HTTPS is the same self-signed
certificate in the Federation metadata XML (the exported certificate
from the browser has the same text as the FederationMetadata.xml XML
portion).
I have imported it in my stsstore.jks creating a text file with the XML
portion.
Keytool shows this as well as other keys.
----
keytool -list -keystore stsstore.jks -storepass stsspass
myidpkey, 23/07/2013, trustedCertEntry,
Certificate fingerprint (SHA1):
0A:A0:F2:34:99:92:92:CF:6C:3F:09:99:5F:33:CD:FD:2A:DC:ED:53
----
(SHA1 matches the one shown by the browser.)
I'm getting HTTP 401 - Authentication Failed: Security token issuer not
trusted
So I looked at fediz_config.xml
<trustedIssuers>
<issuer subject=".*CN=www.sts.com.*"
certificateValidation="ChainTrust"
name="DoubleItSTSIssuer" />
</trustedIssuers>
Do I have to change that? And how can I find out the info from the
certificate? The IDP is using a self-signed certificate.
So the issuer common name (CN) is "WIN-6LS98RP43K9", the certificate is
issued to the same CN "WIN-6LS98RP43K9".
The documentation seems to be clear
There are two ways to configure a trusted issuer (IDP). Either you
configure the subject name and the CA(s) who signed the certificate of
the IDP (certificateValidation=ChainTrust) or you configure the
certificate of the IDP and the CA(s) who signed it
(certificateValidation=PeerTrust)
I just don't know enough about certificates.
I tried
<issuer subject="WIN-6LS98RP43K9"
certificateValidation="ChainTrust"
name="WIN-6LS98RP43K9" />
and
<issuer subject=".*CN=186.33.232.65.*"
certificateValidation="ChainTrust"
name="WIN-6LS98RP43K9" />
but I'm not sure what I'm doing.
Thanks for any help.
RE: Running Fediz Spring example webapp
Posted by Oliver Wulff <ow...@talend.com>.
>>>
If those 2 are the only stores I have to manage from my application,
then reading the keystore documentation I think what I have to do is:
- import the IDP key (from the active directory) in the stsstore.jks
>>>
That's correct. See below how to import that.
>>
Because the example already has the other 2 steps done from the beginning:
- export the key from stsstore.jks into MySTS.cer
- import the MySTS.cer into tomcat-rp.jks
So I need to get the IDP key. Would it be the public key I can export
from the browser when accessing the identity server I want to
authenticate to?
>>>
No, the certificate you see as part of the SSL handshake is different.
You see the IDP certificate here:
https://186.33.232.65/FederationMetadata/2007-06/FederationMetadata.xml
RoleDescriptor->KeyDescriptor->KeyInfo->X509Data
HTH
Oli
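The certificate handling Oli describes in his two replies above (the IDP token-signing certificate lives in FederationMetadata.xml under RoleDescriptor -> KeyDescriptor -> KeyInfo -> X509Data, not in the TLS handshake; import it into stsstore.jks and trust it with certificateValidation="PeerTrust", optionally with a subject regex such as `.*CN=WIN-6LS98RP43K9.*`), as a worked shell example. This is an added example, not code from the thread or from the Fediz project. It assumes openssl is on the PATH (keytool is optional and only used if present). The metadata document and both certificates are constructed locally so the script runs offline; the alias `myidpkey`, the password `stsspass` and the CNs are the values from the thread. That Fediz matches the `subject` pattern against the whole RFC 2253 DN (Java `String.matches` semantics, so `WIN-6LS98RP43K9` alone does not match `CN=WIN-6LS98RP43K9`) is my assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread or the Fediz project): pull the IDP
# token-signing certificate out of a WS-Federation FederationMetadata.xml,
# show it the way keytool and the browser do (subject, SHA1 fingerprint),
# check a Fediz <issuer subject="..."> regex against it and import it into
# stsstore.jks for certificateValidation="PeerTrust".
# Assumptions: openssl on PATH (keytool optional); Fediz matches the subject
# pattern against the whole RFC 2253 DN (Java String.matches semantics).
set -eu
WORK="${TMPDIR:-/tmp}/fediz-idp-cert.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# First <X509Certificate> inside a <KeyDescriptor use="signing"> element,
# i.e. RoleDescriptor -> KeyDescriptor -> KeyInfo -> X509Data. Records are
# split on "<", so base64 that is wrapped or indented across lines is fine.
extract_idp_cert() {   # $1 = FederationMetadata.xml, $2 = output PEM file
    b64=$(awk 'BEGIN { RS = "<" }
        /^([A-Za-z0-9_]+:)?KeyDescriptor[ >]/ { want = ($0 ~ /use=.signing./) }
        want && /^([A-Za-z0-9_]+:)?X509Certificate[ >]/ {
            sub(/^[^>]*>/, ""); gsub(/[ \t\r\n]/, ""); print; exit }' "$1")
    [ -n "$b64" ] || { echo "no signing X509Certificate in $1" >&2; return 1; }
    { echo '-----BEGIN CERTIFICATE-----'
      echo "$b64" | fold -w 64
      echo '-----END CERTIFICATE-----'; } > "$2"
}

cert_fingerprint() {   # $1 = PEM; prints 0A:A0:... as keytool/the browser do
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

cert_subject() {   # $1 = PEM; RFC 2253 form, e.g. CN=WIN-6LS98RP43K9
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

issuer_subject_matches() {   # $1 = regex from <issuer subject="...">, $2 = DN
    printf '%s\n' "$2" | grep -Eqx -e "$1"   # -x: whole DN must match
}

import_into_truststore() {   # $1 = PEM, $2 = keystore, $3 = password, $4 = alias
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -storetype JKS -alias "$4" -file "$1" \
                -keystore "$2" -storepass "$3"
        keytool -list -keystore "$2" -storepass "$3" -alias "$4"
    else
        echo "keytool not on PATH; run: keytool -importcert -alias $4 -file $1 -keystore $2 -storepass $3"
    fi
}

# --- constructed stand-in data: no real ADFS, no network ------------------
gen_self_signed() {   # $1 = file prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_sample_metadata() {   # $1 = signing cert PEM, $2 = output XML (constructed)
    b64=$(openssl x509 -in "$1" -outform DER | openssl base64)   # wrapped on purpose
    cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://WIN-6LS98RP43K9/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
$b64
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
EOF
}

gen_self_signed "$WORK/idp-signing" "WIN-6LS98RP43K9"   # stands in for the token-signing cert
gen_self_signed "$WORK/tls" "186.33.232.65"             # stands in for the HTTPS server cert
make_sample_metadata "$WORK/idp-signing.pem" "$WORK/FederationMetadata.xml"
extract_idp_cert "$WORK/FederationMetadata.xml" "$WORK/idp-from-metadata.pem"

DN=$(cert_subject "$WORK/idp-from-metadata.pem")
echo "IDP signing cert subject:     $DN"
echo "IDP signing cert fingerprint: $(cert_fingerprint "$WORK/idp-from-metadata.pem")"
echo "HTTPS cert fingerprint:       $(cert_fingerprint "$WORK/tls.pem")"
for pat in 'WIN-6LS98RP43K9' '.*CN=WIN-6LS98RP43K9.*'; do
    if issuer_subject_matches "$pat" "$DN"; then echo "subject=\"$pat\" matches $DN"
    else echo "subject=\"$pat\" does NOT match $DN"; fi
done
import_into_truststore "$WORK/idp-from-metadata.pem" "$WORK/stsstore.jks" stsspass myidpkey
# Matching fediz_config.xml entry (PeerTrust: the imported certificate itself
# is trusted, so no CA chain is required):
#   <trustedIssuers>
#     <issuer subject=".*CN=WIN-6LS98RP43K9.*" certificateValidation="PeerTrust" name="WIN-6LS98RP43K9"/>
#   </trustedIssuers>
```

Against a real IDP, replace the constructed file with the downloaded one (for the host in this thread, https://186.33.232.65/FederationMetadata/2007-06/FederationMetadata.xml) and point `import_into_truststore` at the application's real stsstore.jks. Because that download is served under a self-signed TLS certificate, the metadata itself arrives unauthenticated: compare the printed SHA1 fingerprint with one obtained from the IDP administrator out of band before importing, otherwise the trust store would accept whatever certificate a man-in-the-middle placed in the metadata.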
Re: Running Fediz Spring example webapp
Posted by Federico Tello Gentile <fg...@lifia.info.unlp.edu.ar>.
On 15/07/13 12:14, Oliver Wulff wrote:
> Please update the issuer url to the following (WEB-INF/fediz_config.xml, I'll delete the one in src/main/config)
> https://localhost:9443/fediz-idp/federation
Thanks for your help. I made great progress. I have my own application
authenticating against a Tomcat running Fediz IDP-STS.
My question now is about the certificates on the relying party side (my
application).
I'm now using the example's keystores and certificates. In the
CATALINA_HOME of my application's Tomcat 7 I have "tomcat-rp.jks" which
is used to set up HTTPS connector and inside my application's WAR I have
"stsstore.jks" which is referenced in my application's
WEB-INF/fediz_config.xml like this
<certificateStores>
<trustManager>
<keyStore file="stsstore.jks" password="stsspass" type="JKS" />
</trustManager>
</certificateStores>
I'm a bit confused as the documentation
[http://cxf.apache.org/fediz-configuration.html] says
- certificateStores
- Trusted certificate store
- Required
"The list of keystores (JKS, PEM) includes at least the certificate of
the Certificate Authorities (CA) which signed the certificate which is
used to sign the SAML token.
If the file location is not fully qualified it needs to be relative to
the Container home directory"
Right now that file is not relative to the container. So maybe the doc
is outdated?
I want to authenticate to a different identity server (I think this one
is based on ActiveDirectory).
If those 2 are the only stores I have to manage from my application,
then reading the keystore documentation I think what I have to do is:
- import the IDP key (from the active directory) in the stsstore.jks
Because the example already has the other 2 steps done from the beginning:
- export the key from stsstore.jks into MySTS.cer
- import the MySTS.cer into tomcat-rp.jks
So I need to get the IDP key. Would it be the public key I can export
from the browser when accessing the identity server I want to
authenticate to?
https://186.33.232.65/
I may be confused because I'm new to the WS-Federation protocol. Any
help is appreciated.
Thanks.
RE: Running Fediz Spring example webapp
Posted by Oliver Wulff <ow...@talend.com>.
>>>
What I need is a way to log out so when I'm requested my username and
password again I can choose a different one. I also want to be able to
log out and still use my application as an anonymous user. My app lets
me do lots of things but it shows me less data than to an authenticated
user in that case.
>>>
When you log out from your application and access URLs which do not require authentication, this should work.
>>>
If single sign-out is just a Fediz implementation limitation, but
there's a way to log out from other implementations, then it's ok.
>>>
It's a limitation now in fediz.
Thanks
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
Re: Running Fediz Spring example webapp
Posted by Federico Tello Gentile <fg...@lifia.info.unlp.edu.ar>.
On 16/07/13 15:12, Oliver Wulff wrote:
> What is your expectation of a logout? If you don't have an IDP
> component and instead authenticate against LDAP directly within
> Tomcat, you'll lose your application http session and all data
> stored in the application session is gone. When you access the
> application again, you're prompted to enter username/password again
> and a new application session is created. The purpose of single sign
> on is that you got a session with the IDP and a session with each
> application which you accessed since the login with the IDP. If you
> "logout" from the application, the application session is gone, but
> not the session with the IDP. There is also the concept of single
> logout but this means that you logout from all the applications which
> are accessed after the IDP session is created. Is this the
> functionality you're looking for?
>
> Thanks
My long-term goal is to change the CAS authentication in my app with
WS-Federation authentication.
I guess there isn't single sign out support yet.
https://issues.apache.org/jira/browse/FEDIZ-19
What I need is a way to log out so when I'm requested my username and
password again I can choose a different one. I also want to be able to
log out and still use my application as an anonymous user. My app lets
me do lots of things but it shows me less data than to an authenticated
user in that case.
I don't think I'll be using Tomcat as the identity server. (There's an
active directory here [https://186.33.232.65/] that I have to point to
eventually).
If single sign-out is just a Fediz implementation limitation, but
there's a way to log out from other implementations, then it's ok.
RE: Running Fediz Spring example webapp
Posted by Oliver Wulff <ow...@talend.com>.
What is your expectation of a logout?
If you don't have an IDP component and instead authenticate against LDAP directly within Tomcat, you'll lose your application http session and all data stored in the application session is gone. When you access the application again, you're prompted to enter username/password again and a new application session is created. The purpose of single sign on is that you got a session with the IDP and a session with each application which you accessed since the login with the IDP. If you "logout" from the application, the application session is gone, but not the session with the IDP.
There is also the concept of single logout but this means that you logout from all the applications which are accessed after the IDP session is created. Is this the functionality you're looking for?
Thanks
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
Re: Running Fediz Spring example webapp
Posted by Federico Tello Gentile <fg...@lifia.info.unlp.edu.ar>.
On 15/07/13 12:14, Oliver Wulff wrote:
> You don't have to deploy the plugins for tomcat as you use spring security to enforce authentication.
> Please update the issuer url to the following (WEB-INF/fediz_config.xml, I'll delete the one in src/main/config)
> https://localhost:9443/fediz-idp/federation
Thanks for the help.
I got the login to work. Apparently you don't need to set up any Tomcat
valve for this example.
So now I'm trying to understand the example a bit more.
Is it correct that logout is not supported in the example as is?
There's a Jira
https://issues.apache.org/jira/browse/FEDIZ-28
explaining to set up a logout filter, but the class
org.apache.cxf.fediz.service.idp.LogoutFilter is not in fediz-idp
classpath or anywhere I can find it.
It is not in svn either.
cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/LogoutFilter.java
does not seem to exist in
https://svn.apache.org/repos/asf/cxf/fediz/trunk
RE: Running Fediz Spring example webapp
Posted by Oliver Wulff <ow...@talend.com>.
Hi
>>>
- I added a context.xml file in
fediz/examples/springWebapp/src/main/webapp/META-INF/context.xml
with this contents
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/fedizhelloworld">
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/Fediz_config.xml" />
</Context>
Copied all the jar files from the zip file
fediz/plugins/tomcat/targetfediz-tomcat-1.1.0-SNAPSHOT-zip-with-dependencies.zip
>>>
You don't have to deploy the plugins for tomcat as you use spring security to enforce authentication.
>>>
https://localhost:9443/fediz-idp/?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fj_spring_fediz_security_check&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld&wct=2013-07-12T19%3A07%3A24.682Z
>>>
Please update the issuer url to the following (WEB-INF/fediz_config.xml, I'll delete the one in src/main/config)
https://localhost:9443/fediz-idp/federation
Thanks
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com