Hi Glen,

I am a beginner in this SAML setup, probably also impatient. But I have already tried to follow your document three times and I still didn't make it work. Could you help me with this?

Regards,
Hua Jie

On Mon, Aug 13, 2012 at 10:46 AM, Glen Mazza <[email protected]> wrote:

> On 08/12/2012 09:42 PM, 杨华杰 wrote:
>
>> Hi Glen,
>>
>> Thanks for your patience. It's very detailed. But currently I don't know
>> which step is wrong.
>
> The step where you're not using a different Tomcat instance to host the
> IDP compared to the one hosting the RP applications, as given in the
> directions. Also, that you're not going sequentially as I recommended
> below, and testing at each point before proceeding on to the next step.
> Doing it all at once and saying "it doesn't work" doesn't help you when
> you need to retrace back to try to figure out what is going wrong. (Why
> deploy the RP apps if you haven't first checked the IDP STS works, for
> example.)
>
>> I can access the web service through http and https.
>> That's why I want to ask for a working Tomcat, so that at least I can
>> make it work. I also think a one-Tomcat setup is much easier for
>> beginners.
>
> Well, maybe someone else can provide you a single Tomcat setup. Sorry, I
> see a single Tomcat setup as easier only for those beginners who don't care
> to learn anything (necessary keystore/truststore relationships between apps
> and between servlet containers, required setup of relying party Tomcat
> instance, Tomcat IDP instance), and doing more harm than good in learning a
> distributed deployment and understanding the deployment requirements for
> each portion.
>
>> I have one question here: is https mandatory? I don't need security
>> like that.
>
> Yes, so the usernames and passwords sent are secure, possibly other
> reasons as well. Even with HTTP alone, you will still need message-layer
> encryption for the SAML tokens being sent, requiring application keystores
> at least.
>
>> I just want to make it work first.
>
> Well, if you would just follow the instructions given below and on the
> website, you'll get it to "work first" pretty rapidly (and learn a lot in
> the process.)
>
> Regards,
> Glen
>
>> Thank you again for your time, really appreciated.
>>
>> Regards,
>> Hua Jie
>>
>> On Sun, Aug 12, 2012 at 11:25 PM, Glen Mazza <[email protected]> wrote:
>>
>>> Hi Hua Jie,
>>>
>>> I don't have a one-Tomcat solution, I'm not sure how useful such a setup
>>> would be. Our Fediz samples use a two-Tomcat setup (three for the more
>>> advanced wsClientWebapp sample) in order to try to mimic an actual
>>> production environment. I'd recommend following the documentation
>>> closely, using the two or three Tomcat setup as it suggests, and make
>>> sure it works, then look at reducing the number of Tomcats if you wish.
>>>
>>> Sending you a working Tomcat is not going to help you, a web page that
>>> just says "Hello World!" is useless. Rather, it's working through the
>>> sample and getting it to work on your machine that is the important
>>> point.
>>>
>>> I've requested Fediz 1.0.1--which has much better READMEs and clearer
>>> keystore configuration rules--to be released. In the meantime, I'd
>>> recommend:
>>>
>>> 1.) Downloading and building (mvn clean install) the trunk branch of
>>> Fediz instead of using the Fediz 1.0 distribution:
>>> http://cxf.apache.org/fediz.html#Fediz-Building
>>>
>>> Follow the READMEs in the trunk versions instead.
>>>
>>> 2.) First get the IDP / IDP STS instance working on Tomcat #1 using these
>>> instructions: http://cxf.apache.org/fediz-idp.html
>>>
>>> Don't do anything else until you can view the STS WSDL at
>>> http://localhost:9080/fedizidpsts/STSService?wsdl as stated on that
>>> page. If you can't view the WSDL, nothing else will work.
>>>
>>> 3.) Next, configure Tomcat #2 as the Relying Party instance:
>>> http://cxf.apache.org/fediz-tomcat.html
>>>
>>> For running the samples, all you need to do are the Installation and
>>> HTTPS Configuration parts at the top.
>>>
>>> 4.) Next, deploy the simpleWebapp sample on Tomcat #2 and make sure the
>>> sample works--follow that sample's README.
>>>
>>> 5.) Next, run the wsclientWebapp sample--you'll need to create a third
>>> Tomcat instance to run the web service provider--follow the
>>> wsclientWebapp sample README for full instructions.
>>>
>>> If you can get to step #5, you're in good shape with Fediz (just make
>>> sure for production you use your own keystores and not the sample ones
>>> provided.)
>>>
>>> Regards,
>>> Glen
>>>
>>> On 08/12/2012 03:40 AM, 杨华杰 wrote:
>>>
>>>> Hi,
>>>>
>>>> Does anyone have an idea about this?
>>>>
>>>> Regards,
>>>> Hua Jie
>>>>
>>>> On Tue, Aug 7, 2012 at 10:56 AM, 杨华杰 <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I followed the README to configure the example (but I configured the
>>>>> example and the IDP in the same Tomcat).
>>>>>
>>>>> I am able to view the web service.
>>>>>
>>>>> But when I access the link
>>>>> https://localhost:8443/fedizhelloworld/secure/fedservlet
>>>>> I always get this error:
>>>>>
>>>>> WARNING: Unexpected error forwarding to login page
>>>>> java.lang.NullPointerException
>>>>>         at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:322)
>>>>>         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:245)
>>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
>>>>>         at org.apache.cxf.fediz.tomcat.FederationAuthenticator.invoke(FederationAuthenticator.java:180)
>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
>>>>>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>>>>>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
>>>>>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>>>         at java.lang.Thread.run(Thread.java:662)
>>>>>
>>>>> Aug 6, 2012 10:01:37 PM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
>>>>> WARNING: Unexpected error forwarding to login page
>>>>>
>>>>> Can someone send me a working Tomcat? It would be much easier to
>>>>> explore the example.
>>>>>
>>>>> This is the first time I have posted a question on the mailing list.
>>>>> Yesterday I filed a bug in the JIRA.
>>>>>
>>>>> Regards,
>>>>> Prince
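Glen's advice in the thread is to verify each stage before deploying the next: confirm the STS WSDL on Tomcat #1 is served before touching the relying party on Tomcat #2. The following smoke test is an added example, not code from the thread or from the Fediz project; it walks those two endpoints in that order and stops at the first failure, turning a TLS trust failure into a hint about the keystore/truststore relationship Glen mentions. It assumes the ports and paths quoted in the thread (http://localhost:9080/fedizidpsts/STSService?wsdl and https://localhost:8443/fedizhelloworld/secure/fedservlet), that an unauthenticated request to the secured servlet is answered with a WS-Federation sign-in redirect carrying wa=wsignin1.0 in the Location header, and that the caller passes the CA file for the relying party's certificate; the function names and expected-response checks are my own.

```python
"""Sequential smoke test for a Fediz sample deployment (added example).

Checks the IDP STS first and the relying party second, stopping at the
first failure, so a relying-party error is never chased before the IDP
side is known to work.  Ports, paths and expected responses are
assumptions taken from the mailing-list thread, not from the Fediz project.
"""
import ssl
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the relying
    party's redirect to the IDP can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, cafile=None, timeout=10):
    """GET url without following redirects.  Returns (status, headers, body)
    with lower-cased header names.  TLS is verified against cafile if given,
    otherwise against the system trust store; the sample's self-signed
    certificate fails that check, which is a truststore problem rather than
    a Fediz problem."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "fediz-smoke-test"})
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx are still answers
        resp = err
    status = getattr(resp, "code", None) or resp.status
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return status, headers, resp.read().decode("utf-8", "replace")


def expect_wsdl(status, headers, body):
    """Thread step 2: the STS WSDL must actually be served."""
    if status != 200:
        return "HTTP %d, expected 200 with the STS WSDL" % status
    if "definitions" not in body:
        return "HTTP 200 but the body is not a WSDL (no definitions element)"
    return None


def expect_signin_redirect(status, headers, body):
    """Thread steps 3-4: an unauthenticated request to the secured servlet
    should be redirected to the IDP with a WS-Federation sign-in request
    (assumption: wa=wsignin1.0 appears in the Location header)."""
    location = headers.get("location", "")
    if status not in (302, 303, 307):
        return "HTTP %d, expected a redirect to the IDP" % status
    if "wa=wsignin1.0" not in location:
        return "redirected to %r, which is not a WS-Federation sign-in request" % location
    return None


# (label, url, expectation) in the order the thread says to verify them.
STEPS = [
    ("IDP STS WSDL on Tomcat #1",
     "http://localhost:9080/fedizidpsts/STSService?wsdl", expect_wsdl),
    ("secured sample servlet on Tomcat #2",
     "https://localhost:8443/fedizhelloworld/secure/fedservlet",
     expect_signin_redirect),
]


def classify_error(exc):
    """Map a transport-level failure to a hint about what to fix."""
    reason = getattr(exc, "reason", exc)  # URLError wraps the real cause
    if isinstance(reason, ssl.SSLCertVerificationError):
        return ("certificate not trusted: import the server certificate into "
                "the truststore or pass its CA file")
    if isinstance(reason, ConnectionRefusedError):
        return "connection refused: is that Tomcat instance running on this port?"
    return str(reason)


def run_checks(steps=None, fetch=http_fetch, cafile=None):
    """Run the steps in order and stop at the first failure.
    Returns (all_ok, report_lines)."""
    report = []
    for label, url, expect in (STEPS if steps is None else steps):
        try:
            status, headers, body = fetch(url, cafile=cafile)
        except Exception as exc:  # any transport failure ends the run
            report.append("FAIL %s: %s -> %s" % (label, url, classify_error(exc)))
            return False, report
        problem = expect(status, headers, body)
        if problem:
            report.append("FAIL %s: %s -> %s" % (label, url, problem))
            return False, report
        report.append("ok   %s: %s" % (label, url))
    return True, report


if __name__ == "__main__":
    ok, lines = run_checks(cafile=sys.argv[1] if len(sys.argv) > 1 else None)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

Run it as `python fediz_smoke.py /path/to/rp-ca.pem` after each of Glen's steps; the first FAIL line names the Tomcat instance to go back to, and a "certificate not trusted" hint means the RP's certificate is not in the trust store the client uses, which is exactly the keystore/truststore relationship to sort out before deploying further samples.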
