Is the client successfully invoking on the STS? In other words, is this
error occurring when the client is sending a message to the STS or to the
WSP?

Colm.

On Fri, Jun 1, 2012 at 6:30 PM, Gina Choi <[email protected]> wrote:

> To make it clear, here is what I have so far.
>
> 1. WSP: SymmetricBinding, ProtectionToken is IssuedToken
> 2. STS: endpoint:
>
> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed
>
> The following policy is used.
>
>  <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <sp:HttpsToken>
>                   <wsp:Policy />
>                 </sp:HttpsToken>
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>           </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>
>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:WssUsernameToken10 />
>               </wsp:Policy>
>             </sp:UsernameToken>
>           </wsp:Policy>
>         </sp:SignedEncryptedSupportingTokens>
>         <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>             wsp:Optional="true">
>               <wsp:Policy/>
>             </sp:KeyValueToken>
>             <sp:SignedParts>
>               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>             </sp:SignedParts>
>           </wsp:Policy>
>         </sp:EndorsingSupportingTokens>
>         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust13>
>         <wsaw:UsingAddressing />
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
> 3. WSC
> The following is the client configuration.
>
>    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort" createdFromAPI="true">
>        <jaxws:properties>
>             <entry key="ws-security.sts.client">
>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>      <constructor-arg ref="cxf"/>
>      <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>      <property name="serviceName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
>      <property name="endpointName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async2"/>
>      <property name="properties">
>       <map>
>        <entry key="ws-security.username" value="gchoi"/>
>
>        <entry key="ws-security.callback-handler"
> value="client.ClientCallbackHandler"/>
>        <entry key="ws-security.encryption.properties"
> value="clientKeystore.properties"/>
>        <entry key="ws-security.encryption.username" value="mystskey"/>
>       </map>
>      </property>
>     </bean>
>    </entry>
>   </jaxws:properties>
>  </jaxws:client>
> </beans>
>
> I am getting the following exception when I execute the client.
>
> WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
>         at
> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
>         at
> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>         at
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>         at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>         at $Proxy25.doubleIt(Unknown Source)
>         at client.WSClient.doubleIt(WSClient.java:18)
>         at client.WSClient.main(WSClient.java:11)
> Caused by: java.lang.NullPointerException
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
>         ... 22 more
> Jun 1, 2012 1:12:51 PM org.apache.cxf.phase.PhaseInterceptorChain
> doDefaultLogging
>
>
> On Fri, Jun 1, 2012 at 1:06 PM, Gina Choi <[email protected]> wrote:
>
>> Hi Colm,
>>
>> <<<
>> The client needs to configure the HTTP conduit with the keystore that
>> contains the certificate of the STS, e.g.:
>> >>>
>> Forgot to ask you. ADFS exposes three different certificates - Service
>> communications, Token-decrypting and Token-signing, but most of the time I
>> had to deal with the decrypting and signing certs. Which of the STS certificates
>> do I need to have in the client keystore?
>>
>> On Fri, Jun 1, 2012 at 12:52 PM, Gina Choi <[email protected]> wrote:
>>
>>> <<<
>>> The following policy (KeyValueToken) is not supported, but you could
>>> remove it as it is optional and see if that works:
>>> >>>
>>> Per Oliver's advice, after I added an empty <wsp:Policy /> element as a
>>> child of <sp:KeyValueToken>, I don't receive any more complaining.
>>>
>>> <<<
>>> The client needs to configure the HTTP conduit with the keystore that
>>> contains the certificate of the STS, e.g.:
>>>  <http:conduit name="https://localhost:.*">
>>>       <http:tlsClientParameters disableCNCheck="true">
>>>         <sec:trustManagers>
>>>           <sec:keyStore type="jks" password="cspass"
>>> resource="clientstore.jks"/>
>>>         </sec:trustManagers>
>>>       </http:tlsClientParameters>
>>>    </http:conduit>
>>> >>>
>>> After adding the following to my client configuration, I am now getting a new
>>> exception. By the way, with ADFS, I have to use https.
>>>
>>>  <http:conduit name="https://strts01.ams.dev.*">
>>>
>>>   <http:tlsClientParameters disableCNCheck="true">
>>>    <sec:trustManagers>
>>>     <sec:keyStore type="jks" password="cspass"
>>> resource="clientstore.jks"/>
>>>    </sec:trustManagers>
>>>   </http:tlsClientParameters>
>>>    </http:conduit>
>>>
>>>
>>> Jun 1, 2012 12:47:33 PM org.apache.cxf.bus.spring.SpringBusFactory
>>> createApplicationContext
>>> WARNING: Initial attempt to create application context was unsuccessful.
>>> org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
>>> Line 57 in XML document from class path resource [cxf.xml] is invalid;
>>> nested exception is org.xml.sax.SAXParseException: The prefix "http" for
>>> element "http:conduit" is not bo
>>> .
>>>         at
>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
>>>         at
>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.doLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:115)
>>>         at
>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
>>>         at
>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.internalLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:154)
>>>         at
>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.access$000(ControlledValidationXmlBeanDefinitionReader.java:66)
>>>         at
>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:141)
>>>         at
>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:140)
>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>         at
>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.loadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:139)
>>>         at
>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
>>>         at
>>> org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
>>>         at
>>> org.springframework.context.support.AbstractXmlApplicationContext.loadBeanDefinitions(AbstractXmlApplicationContext.java:122)
>>>         at
>>> org.apache.cxf.bus.spring.BusApplicationContext.loadBeanDefinitions(BusApplicationContext.java:309)
>>>         at
>>> org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
>>>         at
>>> org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
>>>         at
>>> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
>>>         at
>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:101)
>>>         at
>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:100)
>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>         at
>>> org.apache.cxf.bus.spring.BusApplicationContext.<init>(BusApplicationContext.java:99)
>>>         at
>>> org.apache.cxf.bus.spring.SpringBusFactory.createApplicationContext(SpringBusFactory.java:130)
>>>         at
>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:121)
>>>         at
>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:95)
>>>         at
>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:69)
>>>         at
>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:58)
>>>         at org.apache.cxf.BusFactory.getDefaultBus(BusFactory.java:99)
>>>         at org.apache.cxf.BusFactory.createThreadBus(BusFactory.java:165)
>>>         at
>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:155)
>>>         at
>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:140)
>>>         at
>>> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:96)
>>>         at javax.xml.ws.Service.<init>(Service.java:92)
>>>         at
>>> org.example.contract.doubleit.DoubleItService.<init>(DoubleItService.java:47)
>>>         at client.WSClient.main(WSClient.java:8)
>>>
>>>
>>> On Fri, Jun 1, 2012 at 12:13 PM, Colm O hEigeartaigh <
>>> [email protected]> wrote:
>>>
>>>>
>>>> The client needs to configure the HTTP conduit with the keystore that
>>>> contains the certificate of the STS, e.g.:
>>>>
>>>>  <http:conduit name="https://localhost:.*">
>>>>       <http:tlsClientParameters disableCNCheck="true">
>>>>         <sec:trustManagers>
>>>>           <sec:keyStore type="jks" password="cspass"
>>>> resource="clientstore.jks"/>
>>>>         </sec:trustManagers>
>>>>       </http:tlsClientParameters>
>>>>    </http:conduit>
>>>>
>>>> What NPE are you getting? The following policy (KeyValueToken) is not
>>>> supported, but you could remove it as it is optional and see if that works:
>>>>
>>>>
>>>> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>> <wsp:Policy>
>>>>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>>>             wsp:Optional="true">
>>>>               <wsp:Policy />
>>>>             </sp:KeyValueToken>
>>>>             <sp:SignedParts>
>>>>               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>>>>             </sp:SignedParts>
>>>>           </wsp:Policy>
>>>>         </sp:EndorsingSupportingTokens>
>>>>
>>>> Colm.
>>>>
>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
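An added example, not code from this thread or from CXF itself: the same client setup as the jaxws:client bean and the http:conduit snippets quoted above, done in Java so the conduit that STSClient opens to the STS gets its truststore without the Spring XML namespace wiring. It assumes a CXF release that ships org.apache.cxf.transport.http.HTTPConduitConfigurer, the generated DoubleItService/DoubleItPortType stubs seen in the stack trace with a getDoubleItPort() accessor, and the truststore path and password from the thread. The truststore is expected to hold the certificate the STS presents on its HTTPS endpoint (for ADFS that is the service communications certificate; the token-signing and token-decrypting certificates play no part in the TLS handshake). Hostname verification is left on: disableCNCheck="true" in the quoted conduit configuration is a debugging shortcut that lets any holder of a certificate in the truststore impersonate the STS.

```java
package client;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http.HTTPConduitConfigurer;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.example.contract.doubleit.DoubleItPortType;
import org.example.contract.doubleit.DoubleItService;

/**
 * Added example (not the thread's own code): programmatic equivalent of the
 * jaxws:client / http:conduit configuration discussed in the thread.
 * Assumed: truststore path and password, the STS host, and the generated
 * DoubleItService / DoubleItPortType stubs with a getDoubleItPort() accessor.
 */
public class WSClientProgrammatic {

    private static final String STS_NS =
        "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice";
    // Only conduits whose address starts with this prefix get the TLS override.
    private static final String STS_HOST_PREFIX = "https://strts01.ams.dev";

    /** Trust managers backed by a truststore holding only the STS's HTTPS certificate. */
    static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /**
     * Bus-wide conduit hook: every HTTPConduit created on this bus, including the
     * one STSClient builds internally for the WS-Trust call, passes through here.
     * Hostname verification stays enabled (no disableCNCheck="true").
     */
    static void installTlsConfigurer(Bus bus, final TrustManager[] tms) {
        bus.setExtension(new HTTPConduitConfigurer() {
            @Override
            public void configure(String name, String address, HTTPConduit conduit) {
                if (address != null && address.startsWith(STS_HOST_PREFIX)) {
                    TLSClientParameters tls = new TLSClientParameters();
                    tls.setTrustManagers(tms);
                    tls.setDisableCNCheck(false);
                    conduit.setTlsClientParameters(tls);
                }
            }
        }, HTTPConduitConfigurer.class);
    }

    /** Same settings as the STSClient bean in the thread, minus the Spring XML. */
    static STSClient buildStsClient(Bus bus) {
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation("adfs_new_simple.wsdl");
        sts.setServiceName(new QName(STS_NS, "SecurityTokenService").toString());
        sts.setEndpointName(
            new QName(STS_NS, "UserNameWSTrustBinding_IWSTrust13Async2").toString());

        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SecurityConstants.USERNAME, "gchoi");
        props.put(SecurityConstants.CALLBACK_HANDLER, "client.ClientCallbackHandler");
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey");
        sts.setProperties(props);
        return sts;
    }

    public static void main(String[] args) throws Exception {
        // The JAX-WS Service constructor picks up the thread default bus (see the
        // ProviderImpl.createServiceDelegate frame in the thread), so configure it first.
        Bus bus = BusFactory.getThreadDefaultBus();
        installTlsConfigurer(bus,
            trustManagersFrom("clientstore.jks", "cspass".toCharArray()));

        DoubleItPortType port = new DoubleItService().getDoubleItPort();
        ((BindingProvider) port).getRequestContext()
            .put(SecurityConstants.STS_CLIENT, buildStsClient(bus));

        System.out.println("2 doubled is " + port.doubleIt(2));
    }
}
```

Because the configurer is registered on the bus rather than on one named conduit, it reaches the conduit STSClient creates for https://strts01.ams.dev/adfs/services/trust/13/usernamemixed as well; the WSP's conduit is left alone unless its address also matches STS_HOST_PREFIX, so the WSP's own TLS trust must be configured separately if it is reached over HTTPS.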
