The NPE you were seeing is now fixed on trunk, if you want to test with the
latest CXF 2.6.2-SNAPSHOT code. You will need to make sure that the WSC has
a keystore with a private key to support the KeyValueToken policy.

Colm.



On Tue, Jun 5, 2012 at 10:14 AM, Colm O hEigeartaigh <[email protected]> wrote:

>
> Is the client successfully invoking on the STS? In other words, is this
> error occurring when the client is sending a message to the STS or to the
> WSP?
>
> Colm.
>
>
> On Fri, Jun 1, 2012 at 6:30 PM, Gina Choi <[email protected]> wrote:
>
>> To make it clear, here is what I have so far.
>>
>> 1. WSP: SymmetricBinding, ProtectionToken is IssuedToken
>> 2. STS: endpoint:
>>
>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed
>>
>> The following policy is used.
>>
>>  <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
>>     <wsp:ExactlyOne>
>>       <wsp:All>
>>         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>           <wsp:Policy>
>>             <sp:TransportToken>
>>               <wsp:Policy>
>>                 <sp:HttpsToken>
>>                   <wsp:Policy />
>>                 </sp:HttpsToken>
>>               </wsp:Policy>
>>             </sp:TransportToken>
>>             <sp:AlgorithmSuite>
>>               <wsp:Policy>
>>                 <sp:Basic256 />
>>               </wsp:Policy>
>>             </sp:AlgorithmSuite>
>>             <sp:Layout>
>>               <wsp:Policy>
>>                 <sp:Strict />
>>               </wsp:Policy>
>>             </sp:Layout>
>>             <sp:IncludeTimestamp />
>>           </wsp:Policy>
>>         </sp:TransportBinding>
>>         <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>           <wsp:Policy>
>>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>               <wsp:Policy>
>>                 <sp:WssUsernameToken10 />
>>               </wsp:Policy>
>>             </sp:UsernameToken>
>>           </wsp:Policy>
>>         </sp:SignedEncryptedSupportingTokens>
>>         <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>           <wsp:Policy>
>>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>                               wsp:Optional="true">
>>               <wsp:Policy />
>>             </sp:KeyValueToken>
>>             <sp:SignedParts>
>>               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>>             </sp:SignedParts>
>>           </wsp:Policy>
>>         </sp:EndorsingSupportingTokens>
>>         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>           <wsp:Policy>
>>             <sp:MustSupportRefKeyIdentifier />
>>             <sp:MustSupportRefIssuerSerial />
>>             <sp:MustSupportRefThumbprint />
>>             <sp:MustSupportRefEncryptedKey />
>>           </wsp:Policy>
>>         </sp:Wss11>
>>         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>           <wsp:Policy>
>>             <sp:MustSupportIssuedTokens />
>>             <sp:RequireClientEntropy />
>>             <sp:RequireServerEntropy />
>>           </wsp:Policy>
>>         </sp:Trust13>
>>         <wsaw:UsingAddressing />
>>       </wsp:All>
>>     </wsp:ExactlyOne>
>>   </wsp:Policy>
>>
>> 3. WSC
>> The following is the client configuration.
>>
>>    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>                  createdFromAPI="true">
>>        <jaxws:properties>
>>             <entry key="ws-security.sts.client">
>>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>                     <constructor-arg ref="cxf"/>
>>                     <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>>                     <property name="serviceName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
>>                     <property name="endpointName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async2"/>
>>                     <property name="properties">
>>                         <map>
>>                             <entry key="ws-security.username" value="gchoi"/>
>>                             <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>                             <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>                             <entry key="ws-security.encryption.username" value="mystskey"/>
>>                         </map>
>>                     </property>
>>                 </bean>
>>             </entry>
>>        </jaxws:properties>
>>    </jaxws:client>
>> </beans>
>>
>> I am getting the following exception when I execute the client.
>>
>> WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
>> org.apache.cxf.interceptor.Fault
>>         at
>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
>>         at
>> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
>>         at
>> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
>>         at
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>         at
>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>         at
>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
>>         at
>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
>>         at
>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
>>         at
>> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
>>         at
>> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
>>         at
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>         at
>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>         at
>> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>>         at
>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>>         at $Proxy25.doubleIt(Unknown Source)
>>         at client.WSClient.doubleIt(WSClient.java:18)
>>         at client.WSClient.main(WSClient.java:11)
>> Caused by: java.lang.NullPointerException
>>         at
>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
>>         at
>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
>>         at
>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
>>         at
>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
>>         ... 22 more
>> Jun 1, 2012 1:12:51 PM org.apache.cxf.phase.PhaseInterceptorChain
>> doDefaultLogging
>>
>>
>> On Fri, Jun 1, 2012 at 1:06 PM, Gina Choi <[email protected]> wrote:
>>
>>> Hi Colm,
>>>
>>> <<<
>>> The client needs to configure the HTTP conduit with the keystore that
>>> contains the certificate of the STS, e.g.:
>>> >>>
>>> Forgot to ask you. ADFS exposes three different certificates: Service
>>> communications, Token-decrypting and Token-signing, but most of the time I
>>> had to deal with the decrypting and signing cert. Which of the STS certificates
>>> do I need to have in the client keystore?
>>>
>>> On Fri, Jun 1, 2012 at 12:52 PM, Gina Choi <[email protected]> wrote:
>>>
>>>> <<<
>>>> The following policy (KeyValueToken) is not supported, but you could
>>>> remove it as it is optional and see if that works:
>>>> >>>
>>>> Per Oliver's advice, after I added an empty <wsp:Policy /> element as a
>>>> child of <sp:KeyValueToken>, I don't receive any more complaining.
>>>>
>>>> <<<
>>>> The client needs to configure the HTTP conduit with the keystore that
>>>> contains the certificate of the STS, e.g.:
>>>>  <http:conduit name="https://localhost:.*">
>>>>       <http:tlsClientParameters disableCNCheck="true">
>>>>         <sec:trustManagers>
>>>>           <sec:keyStore type="jks" password="cspass"
>>>> resource="clientstore.jks"/>
>>>>         </sec:trustManagers>
>>>>       </http:tlsClientParameters>
>>>>    </http:conduit>
>>>> >>>
>>>> After adding the following to my client configuration, I am now getting a new
>>>> exception. By the way, with ADFS, I have to use https.
>>>>
>>>>  <http:conduit name="https://strts01.ams.dev.*">
>>>>
>>>>   <http:tlsClientParameters disableCNCheck="true">
>>>>    <sec:trustManagers>
>>>>     <sec:keyStore type="jks" password="cspass"
>>>> resource="clientstore.jks"/>
>>>>    </sec:trustManagers>
>>>>   </http:tlsClientParameters>
>>>>    </http:conduit>
>>>>
>>>>
>>>> Jun 1, 2012 12:47:33 PM org.apache.cxf.bus.spring.SpringBusFactory
>>>> createApplicationContext
>>>> WARNING: Initial attempt to create application context was unsuccessful.
>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
>>>> Line 57 in XML document from class path resource [cxf.xml] is invalid;
>>>> nested exception is org.xml.sax.SAXParseException: The prefix "http" for
>>>> element "http:conduit" is not bo
>>>> .
>>>>         at
>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
>>>>         at
>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.doLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:115)
>>>>         at
>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
>>>>         at
>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.internalLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:154)
>>>>         at
>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.access$000(ControlledValidationXmlBeanDefinitionReader.java:66)
>>>>         at
>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:141)
>>>>         at
>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:140)
>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>         at
>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.loadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:139)
>>>>         at
>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
>>>>         at
>>>> org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
>>>>         at
>>>> org.springframework.context.support.AbstractXmlApplicationContext.loadBeanDefinitions(AbstractXmlApplicationContext.java:122)
>>>>         at
>>>> org.apache.cxf.bus.spring.BusApplicationContext.loadBeanDefinitions(BusApplicationContext.java:309)
>>>>         at
>>>> org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
>>>>         at
>>>> org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
>>>>         at
>>>> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
>>>>         at
>>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:101)
>>>>         at
>>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:100)
>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>         at
>>>> org.apache.cxf.bus.spring.BusApplicationContext.<init>(BusApplicationContext.java:99)
>>>>         at
>>>> org.apache.cxf.bus.spring.SpringBusFactory.createApplicationContext(SpringBusFactory.java:130)
>>>>         at
>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:121)
>>>>         at
>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:95)
>>>>         at
>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:69)
>>>>         at
>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:58)
>>>>         at org.apache.cxf.BusFactory.getDefaultBus(BusFactory.java:99)
>>>>         at
>>>> org.apache.cxf.BusFactory.createThreadBus(BusFactory.java:165)
>>>>         at
>>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:155)
>>>>         at
>>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:140)
>>>>         at
>>>> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:96)
>>>>         at javax.xml.ws.Service.<init>(Service.java:92)
>>>>         at
>>>> org.example.contract.doubleit.DoubleItService.<init>(DoubleItService.java:47)
>>>>         at client.WSClient.main(WSClient.java:8)
>>>>
>>>>
>>>> On Fri, Jun 1, 2012 at 12:13 PM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>
>>>>>
>>>>> The client needs to configure the HTTP conduit with the keystore that
>>>>> contains the certificate of the STS, e.g.:
>>>>>
>>>>>  <http:conduit name="https://localhost:.*">
>>>>>       <http:tlsClientParameters disableCNCheck="true">
>>>>>         <sec:trustManagers>
>>>>>           <sec:keyStore type="jks" password="cspass"
>>>>> resource="clientstore.jks"/>
>>>>>         </sec:trustManagers>
>>>>>       </http:tlsClientParameters>
>>>>>    </http:conduit>
>>>>>
>>>>> What NPE are you getting? The following policy (KeyValueToken) is not
>>>>> supported, but you could remove it as it is optional and see if that 
>>>>> works:
>>>>>
>>>>>
>>>>> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>>>   <wsp:Policy>
>>>>>     <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>>>>                       wsp:Optional="true">
>>>>>       <wsp:Policy />
>>>>>     </sp:KeyValueToken>
>>>>>     <sp:SignedParts>
>>>>>       <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>>>>>     </sp:SignedParts>
>>>>>   </wsp:Policy>
>>>>> </sp:EndorsingSupportingTokens>
>>>>>
>>>>> Colm.
>>>>>
>>>>
>>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
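Editor's added example, not code from the thread or from the CXF project: one client cxf.xml that puts together the pieces discussed above, i.e. the http: and sec: namespace declarations that the "prefix http ... is not bound" SAXParseException was missing, the HTTPS conduit that trusts the STS, and an STSClient with a signing key for the endorsing KeyValueToken that Colm says the WSC needs. The keystore file names and passwords, and the "myclientkey" alias, are assumptions; the service, endpoint and host names are the ones quoted in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Assumed: clienttrust.jks,
     clientKeystore.properties contents, the "myclientkey" alias and the
     "cspass" password. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Defines the "cxf" bus bean referenced by the STSClient below. -->
  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- TLS to the ADFS STS. The name is a regex matched against the
       endpoint address, so escape the dots in the host. -->
  <http:conduit name="https://strts01\.ams\.dev/.*">
    <!-- Hostname verification stays enabled: no disableCNCheck="true".
         The trust store holds the certificate chain the STS presents in
         the TLS handshake; the token-signing certificate is not a TLS
         trust anchor and does not belong here. -->
    <http:tlsClientParameters>
      <sec:trustManagers>
        <sec:keyStore type="jks" password="cspass"
                      resource="clienttrust.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>

  <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
                createdFromAPI="true">
    <jaxws:properties>
      <entry key="ws-security.sts.client">
        <bean class="org.apache.cxf.ws.security.trust.STSClient">
          <constructor-arg ref="cxf"/>
          <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
          <property name="serviceName"
            value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
          <property name="endpointName"
            value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async2"/>
          <property name="properties">
            <map>
              <!-- UsernameToken sent to the STS; the password comes from
                   the callback handler. -->
              <entry key="ws-security.username" value="gchoi"/>
              <entry key="ws-security.callback-handler"
                     value="client.ClientCallbackHandler"/>
              <!-- STS certificate the client encrypts to. -->
              <entry key="ws-security.encryption.properties"
                     value="clientKeystore.properties"/>
              <entry key="ws-security.encryption.username" value="mystskey"/>
              <!-- Client private key for the endorsing KeyValueToken
                   signature. "myclientkey" is an assumed alias; it must be
                   a PrivateKeyEntry in the keystore named by the properties
                   file, and the callback handler must supply its key
                   password. -->
              <entry key="ws-security.signature.properties"
                     value="clientKeystore.properties"/>
              <entry key="ws-security.signature.username" value="myclientkey"/>
            </map>
          </property>
        </bean>
      </entry>
    </jaxws:properties>
  </jaxws:client>
</beans>
```

Two checks before running the client: `keytool -list -v -keystore <keystore> -alias myclientkey` must report "Entry type: PrivateKeyEntry" (a trusted-certificate entry has no private key and cannot produce the endorsing signature), and `keytool -list -v -keystore clienttrust.jks` must show the chain that `openssl s_client -connect strts01.ams.dev:443` returns for the STS. The `disableCNCheck="true"` in the snippets above is fine against `localhost` in a test, but against a real host it switches off hostname verification, so any certificate that chains to the trust store would be accepted as the STS; leave it out in a deployment.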
