Hi Colm,

Thanks for the quick fix. I am planning to check it once your fix is reflected
in 2.6.2-SNAPSHOT.

Gina

On Tue, Jun 5, 2012 at 7:14 AM, Colm O hEigeartaigh <[email protected]> wrote:

>
> The NPE you were seeing is now fixed on trunk, if you want to test with
> the latest CXF 2.6.2-SNAPSHOT code. You will need to make sure that the WSC
> has a keystore with a private key to support the KeyValueToken policy.
>
> Colm.
>
>
>
>
> On Tue, Jun 5, 2012 at 10:14 AM, Colm O hEigeartaigh
> <[email protected]> wrote:
>
>>
>> Is the client successfully invoking on the STS? In other words, is this
>> error occurring when the client is sending a message to the STS or to the
>> WSP?
>>
>> Colm.
>>
>>
>> On Fri, Jun 1, 2012 at 6:30 PM, Gina Choi <[email protected]> wrote:
>>
>>> To make it clear, here is what I have so far.
>>>
>>> 1. WSP: SymmetricBinding, ProtectionToken is IssuedToken
>>> 2. STS: endpoint:
>>>
>>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed
>>>
>>> The following policy is used.
>>>
>>>  <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
>>>     <wsp:ExactlyOne>
>>>       <wsp:All>
>>>         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>
>>>             <sp:TransportToken>
>>>               <wsp:Policy>
>>>                 <sp:HttpsToken>
>>>                   <wsp:Policy />
>>>                 </sp:HttpsToken>
>>>               </wsp:Policy>
>>>             </sp:TransportToken>
>>>             <sp:AlgorithmSuite>
>>>               <wsp:Policy>
>>>                 <sp:Basic256 />
>>>               </wsp:Policy>
>>>             </sp:AlgorithmSuite>
>>>             <sp:Layout>
>>>               <wsp:Policy>
>>>                 <sp:Strict />
>>>               </wsp:Policy>
>>>             </sp:Layout>
>>>             <sp:IncludeTimestamp />
>>>           </wsp:Policy>
>>>         </sp:TransportBinding>
>>>         <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>
>>>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>               <wsp:Policy>
>>>                 <sp:WssUsernameToken10 />
>>>               </wsp:Policy>
>>>             </sp:UsernameToken>
>>>           </wsp:Policy>
>>>         </sp:SignedEncryptedSupportingTokens>
>>>         <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>>                 wsp:Optional="true">
>>>               <wsp:Policy/>
>>>             </sp:KeyValueToken>
>>>             <sp:SignedParts>
>>>               <sp:Header Name="To"
>>>               Namespace="http://www.w3.org/2005/08/addressing" />
>>>             </sp:SignedParts>
>>>           </wsp:Policy>
>>>         </sp:EndorsingSupportingTokens>
>>>         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>
>>>             <sp:MustSupportRefKeyIdentifier />
>>>             <sp:MustSupportRefIssuerSerial />
>>>             <sp:MustSupportRefThumbprint />
>>>             <sp:MustSupportRefEncryptedKey />
>>>           </wsp:Policy>
>>>         </sp:Wss11>
>>>         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>
>>>             <sp:MustSupportIssuedTokens />
>>>             <sp:RequireClientEntropy />
>>>             <sp:RequireServerEntropy />
>>>           </wsp:Policy>
>>>         </sp:Trust13>
>>>         <wsaw:UsingAddressing />
>>>       </wsp:All>
>>>     </wsp:ExactlyOne>
>>>   </wsp:Policy>
>>>
>>> 3. WSC
>>> The following is the client configuration.
>>>
>>>    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>>                  createdFromAPI="true">
>>>        <jaxws:properties>
>>>             <entry key="ws-security.sts.client">
>>>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>>      <constructor-arg ref="cxf"/>
>>>      <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>>>      <property name="serviceName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
>>>      <property name="endpointName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async2"/>
>>>      <property name="properties">
>>>       <map>
>>>        <entry key="ws-security.username" value="gchoi"/>
>>>
>>>        <entry key="ws-security.callback-handler"
>>> value="client.ClientCallbackHandler"/>
>>>         <entry key="ws-security.encryption.properties"
>>> value="clientKeystore.properties"/>
>>>        <entry key="ws-security.encryption.username" value="mystskey"/>
>>>       </map>
>>>      </property>
>>>     </bean>
>>>    </entry>
>>>   </jaxws:properties>
>>>  </jaxws:client>
>>> </beans>
>>>
>>> I am getting the following exception when I execute the client.
>>>
>>> WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
>>> org.apache.cxf.interceptor.Fault
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
>>>         at
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>>         at
>>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>>         at
>>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
>>>         at
>>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
>>>         at
>>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
>>>         at
>>> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
>>>         at
>>> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
>>>         at
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>>         at
>>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>>         at
>>> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>>>         at
>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>>>         at $Proxy25.doubleIt(Unknown Source)
>>>         at client.WSClient.doubleIt(WSClient.java:18)
>>>         at client.WSClient.main(WSClient.java:11)
>>> Caused by: java.lang.NullPointerException
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
>>>         ... 22 more
>>> Jun 1, 2012 1:12:51 PM org.apache.cxf.phase.PhaseInterceptorChain
>>> doDefaultLogging
>>>
>>>
>>> On Fri, Jun 1, 2012 at 1:06 PM, Gina Choi <[email protected]> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> <<<
>>>> The client needs to configure the HTTP conduit with the keystore that
>>>> contains the certificate of the STS, e.g.:
>>>> >>>
>>>> Forgot to ask you. ADFS exposes three different certificates - Service
>>>> communications, Token-decrypting and Token-signing, but most of the time I
>>>> had to deal with the decrypting and signing certs. Which of the STS certificates
>>>> do I need to have in the client keystore?
>>>>
>>>> On Fri, Jun 1, 2012 at 12:52 PM, Gina Choi <[email protected]> wrote:
>>>>
>>>>> <<<
>>>>> The following policy (KeyValueToken) is not supported, but you could
>>>>> remove it as it is optional and see if that works:
>>>>> >>>
>>>>> Per Oliver's advice, after I added an empty <wsp:Policy /> element as a
>>>>> child of <sp:KeyValueToken>, I don't receive any more complaints.
>>>>>
>>>>> <<<
>>>>> The client needs to configure the HTTP conduit with the keystore that
>>>>> contains the certificate of the STS, e.g.:
>>>>>  <http:conduit name="https://localhost:.*">
>>>>>       <http:tlsClientParameters disableCNCheck="true">
>>>>>         <sec:trustManagers>
>>>>>           <sec:keyStore type="jks" password="cspass"
>>>>> resource="clientstore.jks"/>
>>>>>         </sec:trustManagers>
>>>>>       </http:tlsClientParameters>
>>>>>    </http:conduit>
>>>>> >>>
>>>>> After adding the following to my client configuration, I am now getting a new
>>>>> exception. By the way, with ADFS, I have to use https.
>>>>>
>>>>>  <http:conduit name="https://strts01.ams.dev.*">
>>>>>
>>>>>   <http:tlsClientParameters disableCNCheck="true">
>>>>>    <sec:trustManagers>
>>>>>     <sec:keyStore type="jks" password="cspass"
>>>>> resource="clientstore.jks"/>
>>>>>    </sec:trustManagers>
>>>>>   </http:tlsClientParameters>
>>>>>    </http:conduit>
>>>>>
>>>>>
>>>>> Jun 1, 2012 12:47:33 PM org.apache.cxf.bus.spring.SpringBusFactory
>>>>> createApplicationContext
>>>>> WARNING: Initial attempt to create application context was
>>>>> unsuccessful.
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
>>>>> Line 57 in XML document from class path resource [cxf.xml] is invalid;
>>>>> nested exception is org.xml.sax.SAXParseException: The prefix "http" for
>>>>> element "http:conduit" is not bo
>>>>> .
>>>>>         at
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.doLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:115)
>>>>>         at
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.internalLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:154)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.access$000(ControlledValidationXmlBeanDefinitionReader.java:66)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:141)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:140)
>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.loadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:139)
>>>>>         at
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
>>>>>         at
>>>>> org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
>>>>>         at
>>>>> org.springframework.context.support.AbstractXmlApplicationContext.loadBeanDefinitions(AbstractXmlApplicationContext.java:122)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext.loadBeanDefinitions(BusApplicationContext.java:309)
>>>>>         at
>>>>> org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
>>>>>         at
>>>>> org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
>>>>>         at
>>>>> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:101)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:100)
>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext.<init>(BusApplicationContext.java:99)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createApplicationContext(SpringBusFactory.java:130)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:121)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:95)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:69)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:58)
>>>>>         at org.apache.cxf.BusFactory.getDefaultBus(BusFactory.java:99)
>>>>>         at
>>>>> org.apache.cxf.BusFactory.createThreadBus(BusFactory.java:165)
>>>>>         at
>>>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:155)
>>>>>         at
>>>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:140)
>>>>>         at
>>>>> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:96)
>>>>>         at javax.xml.ws.Service.<init>(Service.java:92)
>>>>>         at
>>>>> org.example.contract.doubleit.DoubleItService.<init>(DoubleItService.java:47)
>>>>>         at client.WSClient.main(WSClient.java:8)
>>>>>
>>>>>
>>>>> On Fri, Jun 1, 2012 at 12:13 PM, Colm O hEigeartaigh <
>>>>> [email protected]> wrote:
>>>>>
>>>>>>
>>>>>> The client needs to configure the HTTP conduit with the keystore that
>>>>>> contains the certificate of the STS, e.g.:
>>>>>>
>>>>>>  <http:conduit name="https://localhost:.*">
>>>>>>       <http:tlsClientParameters disableCNCheck="true">
>>>>>>         <sec:trustManagers>
>>>>>>           <sec:keyStore type="jks" password="cspass"
>>>>>> resource="clientstore.jks"/>
>>>>>>         </sec:trustManagers>
>>>>>>       </http:tlsClientParameters>
>>>>>>    </http:conduit>
>>>>>>
>>>>>> What NPE are you getting? The following policy (KeyValueToken) is not
>>>>>> supported, but you could remove it as it is optional and see if that 
>>>>>> works:
>>>>>>
>>>>>>
>>>>>> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>>>> <wsp:Policy>
>>>>>>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>>>>>                 wsp:Optional="true">
>>>>>>               <wsp:Policy />
>>>>>>             </sp:KeyValueToken>
>>>>>>             <sp:SignedParts>
>>>>>>               <sp:Header Name="To"
>>>>>>               Namespace="http://www.w3.org/2005/08/addressing" />
>>>>>>             </sp:SignedParts>
>>>>>>           </wsp:Policy>
>>>>>>         </sp:EndorsingSupportingTokens>
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
