Hi Glen,

I made it work. I found there is no key file in the apache-fediz-1.0.0.zip file.
Most of the difficulties were the port numbers and which Tomcat instances I should deploy the war files to.

Thank you for your help.

Regards,
Hua Jie

On Wed, Aug 15, 2012 at 9:37 AM, 杨华杰 <[email protected]> wrote:
> Thank you Glen, it's good to hear that.
>
> I will try the configuration again this weekend.
>
> On Wed, Aug 15, 2012 at 12:10 AM, Glen Mazza <[email protected]> wrote:
>> Gina, another CXF user, said she was able to get Fediz to work with ADFS (http://cxf.547215.n5.nabble.com/template/NamlServlet.jtp?macro=search_page&node=547215&query=gina+fediz+adfs&days=0), but I have not tested this myself.
>>
>> Glen
>>
>> On 08/13/2012 11:38 PM, 杨华杰 wrote:
>>> Hi Glen
>>>
>>> Here is the authentication that SharePoint supports:
>>> http://technet.microsoft.com/en-us/library/cc262350.aspx#section1
>>>
>>> Regards,
>>> Hua Jie
>>>
>>> On Tue, Aug 14, 2012 at 9:51 AM, 杨华杰 <[email protected]> wrote:
>>>> Hi Glen
>>>>
>>>> Thanks for your follow-up. I didn't do #1, I downloaded the binary file directly.
>>>>
>>>> I will download 1.0.1 and try again. By the way, did you try to make Fediz work with SharePoint authentication? SharePoint supports claims authentication, SAML 1.x. I would appreciate your time. Thank you again.
>>>>
>>>> Regards,
>>>> Hua Jie
>>>>
>>>> On Tue, Aug 14, 2012 at 5:12 AM, Glen Mazza <[email protected]> wrote:
>>>>> Hi Hua Jie, I think the samples hardcode specific port numbers (following the instructions), assuming the two or three Tomcat instance setup, so if you try to put all on one Tomcat alone, you might have to go through each of the apps to make sure all the port numbers were updated. (Also, I haven't tested yet, but the Fediz plugin that needs to be installed on Tomcat-RP might conflict with the Fediz IDP & STS if you put them on the same Tomcat instance.)
>>>>>
>>>>> I'm glad #2 works for you, but did you do #1 below? The keystores and example READMEs, again, have been *radically* improved in the trunk version. The sample keystores and trust relationships are not defined in 1.0 as they are in 1.0.1 (http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co)
>>>>>
>>>>> <-- You see, much of the important information in the last two columns is lost when you try a one-Tomcat solution.
>>>>>
>>>>> Regards,
>>>>> Glen
>>>>>
>>>>> On 08/12/2012 11:19 PM, 杨华杰 wrote:
>>>>>> Hi Glen
>>>>>>
>>>>>> Why I insist on getting a working copy of Tomcat (maybe 2 Tomcats) is: I will learn more from the example if it is working.
>>>>>>
>>>>>> I do see the WSDL from http://localhost:8080/fediz-idp-sts-1.0.0/STSService?wsdl
>>>>>>
>>>>>> I don't know which step I did wrong. The only tip I have is the error message from the page and log.
>>>>>>
>>>>>> Regards,
>>>>>> Hua Jie
>>>>>>
>>>>>> On Mon, Aug 13, 2012 at 11:07 AM, 杨华杰 <[email protected]> wrote:
>>>>>>> Hi Glen
>>>>>>>
>>>>>>> I am a beginner in this SAML setup, probably also impatient. But I already tried to follow your document three times and I still didn't make it work. Could you help me with this?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Hua Jie
>>>>>>>
>>>>>>> On Mon, Aug 13, 2012 at 10:46 AM, Glen Mazza <[email protected]> wrote:
>>>>>>>> On 08/12/2012 09:42 PM, 杨华杰 wrote:
>>>>>>>>> Hi Glen
>>>>>>>>>
>>>>>>>>> Thanks for your patience. It's very detailed. But currently I don't know which step is wrong.
>>>>>>>>
>>>>>>>> The step where you're not using a different Tomcat instance to host the IDP compared to the one hosting the RP applications, as given in the directions. Also, that you're not going sequentially as I recommended below, and testing at each point before proceeding on to the next step. Doing it all at once and saying "it doesn't work" doesn't help you when you need to retrace back to try to figure out what is going wrong. (Why deploy the RP apps if you haven't first checked the IDP STS works, for example.)
>>>>>>>>
>>>>>>>>> I can access the web service through http and https.
>>>>>>>>>
>>>>>>>>> That's why I want to ask for a working Tomcat, at least I can make it work. I also think a one-Tomcat setup is much easier for beginners.
>>>>>>>>
>>>>>>>> Well, maybe someone else can provide you a single Tomcat setup. Sorry, I see a single Tomcat setup as easier only for those beginners who don't care to learn anything (necessary keystore/truststore relationships between apps and between servlet containers, required setup of relying party Tomcat instance, Tomcat IDP instance), and doing more harm than good in learning a distributed deployment and understanding the deployment requirements for each portion.
>>>>>>>>
>>>>>>>>> I have one question here, is the https mandatory, I don't need security like that.
>>>>>>>>
>>>>>>>> Yes, so the usernames and passwords sent are secure, possibly other reasons as well. Even with HTTP alone, you will still need message-layer encryption for the SAML tokens being sent, requiring application keystores at least.
>>>>>>>>
>>>>>>>>> I just want to make it work first.
>>>>>>>>
>>>>>>>> Well, if you would just follow the instructions given below and on the website, you'll get it to "work first" pretty rapidly (and learn a lot in the process.)
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Glen
>>>>>>>>
>>>>>>>>> Thank you again for your time, really appreciate it.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Hua Jie
>>>>>>>>>
>>>>>>>>> On Sun, Aug 12, 2012 at 11:25 PM, Glen Mazza <[email protected]> wrote:
>>>>>>>>>> Hi Hua Jie,
>>>>>>>>>>
>>>>>>>>>> I don't have a one-Tomcat solution, I'm not sure how useful such a setup would be. Our Fediz samples use a two-Tomcat setup (three for the more advanced wsClientWebapp sample) in order to try to mimic an actual production environment. I'd recommend following the documentation closely, using the two or three Tomcat setup as it suggests, and make sure it works, then look at reducing the number of Tomcats if you wish.
>>>>>>>>>>
>>>>>>>>>> Sending you a working Tomcat is not going to help you, a web page that just says "Hello World!" is useless. Rather, it's working through the sample and getting it to work on your machine that is the important point.
>>>>>>>>>>
>>>>>>>>>> I've requested Fediz 1.0.1--which has much better READMEs and clearer keystore configuration rules--to be released. In the meantime, I'd recommend:
>>>>>>>>>>
>>>>>>>>>> 1.) Downloading and building (mvn clean install) the trunk branch of Fediz instead of using the Fediz 1.0 distribution: http://cxf.apache.org/fediz.html#Fediz-Building . Follow the READMEs in the trunk versions instead.
>>>>>>>>>>
>>>>>>>>>> 2.) First get the IDP / IDP STS instance working on Tomcat #1 using these instructions: http://cxf.apache.org/fediz-idp.html . Don't do anything else until you can view the STS WSDL at http://localhost:9080/fedizidpsts/STSService?wsdl as stated on that page. If you can't view the WSDL, nothing else will work.
>>>>>>>>>>
>>>>>>>>>> 3.) Next, configure Tomcat #2 as the Relying Party instance: http://cxf.apache.org/fediz-tomcat.html . For running the samples, all you need to do are the Installation and HTTPS Configuration parts at the top.
>>>>>>>>>>
>>>>>>>>>> 4.) Next, deploy the simpleWebapp sample on Tomcat #2 and make sure the sample works--follow that sample's README.
>>>>>>>>>>
>>>>>>>>>> 5.) Next, run the wsclientWebapp sample--you'll need to create a third Tomcat instance to run the web service provider--follow the wsclientWebapp sample README for full instructions.
>>>>>>>>>>
>>>>>>>>>> If you can get to step #5, you're in good shape with Fediz (just make sure for production you use your own keystores and not the sample ones provided.)
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Glen
>>>>>>>>>>
>>>>>>>>>> On 08/12/2012 03:40 AM, 杨华杰 wrote:
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> Anyone have an idea about this?
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Hua Jie
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Aug 7, 2012 at 10:56 AM, 杨华杰 <[email protected]> wrote:
>>>>>>>>>>>> Hi
>>>>>>>>>>>>
>>>>>>>>>>>> I followed the README to configure the example (but I configured the example and the IDP in the same Tomcat).
>>>>>>>>>>>>
>>>>>>>>>>>> I am able to view the web service.
>>>>>>>>>>>>
>>>>>>>>>>>> But when I access the link https://localhost:8443/fedizhelloworld/secure/fedservlet
>>>>>>>>>>>>
>>>>>>>>>>>> I always get this error
>>>>>>>>>>>>
>>>>>>>>>>>> WARNING: Unexpected error forwarding to login page
>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>     at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:322)
>>>>>>>>>>>>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:245)
>>>>>>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
>>>>>>>>>>>>     at org.apache.cxf.fediz.tomcat.FederationAuthenticator.invoke(FederationAuthenticator.java:180)
>>>>>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>>>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
>>>>>>>>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>>>>>>>>>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
>>>>>>>>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>>>>>>>>>>     at java.lang.Thread.run(Thread.java:662)
>>>>>>>>>>>>
>>>>>>>>>>>> Aug 6, 2012 10:01:37 PM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
>>>>>>>>>>>> WARNING: Unexpected error forwarding to login page
>>>>>>>>>>>>
>>>>>>>>>>>> Can someone send me a working Tomcat? It will be much easier to explore the example.
>>>>>>>>>>>>
>>>>>>>>>>>> This is the first time I have posted questions on the mailing list. Yesterday I filed a bug in the JIRA.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Prince
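A staged smoke check for the two-Tomcat layout Glen prescribes in steps 2 to 4 of the thread above, stopping at the first stage that fails, which is his "don't do anything else until the WSDL works" rule in code. This is an added example, not code from the thread or from the Fediz project; it assumes the sample URLs quoted in the thread (STS WSDL on port 9080, RP on 8443), that you export the CA behind the sample certificates to a PEM file for `cafile`, and that a correct secured servlet answers an unauthenticated request with an HTTPS redirect to the IDP rather than the 500 shown in the thread.

```python
import ssl
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
Response = Tuple[int, Optional[str], str]  # (HTTP status, Location header or None, body); 0 = no connection

def is_wsdl(status: int, location: Optional[str], body: str) -> bool:
    # Step 2: the STS WSDL must come back directly (200) and describe the STS service.
    return status == 200 and "definitions" in body and "STSService" in body

def is_https_up(status: int, location: Optional[str], body: str) -> bool:
    return 0 < status < 500  # Step 3: any non-5xx answer shows the RP connector and keystore work

def is_federation_redirect(status: int, location: Optional[str], body: str) -> bool:
    # Step 4 (assumption): an unauthenticated hit on the secured servlet should redirect to the
    # IDP over HTTPS, not end in the 500/NullPointerException quoted in the thread.
    return status in (301, 302, 303, 307) and bool(location) and location.startswith("https://")

# Stage order follows the thread; the URLs are the sample ones quoted in Glen's steps.
STAGES = [
    ("IDP STS WSDL on Tomcat #1", "http://localhost:9080/fedizidpsts/STSService?wsdl", is_wsdl),
    ("RP HTTPS connector on Tomcat #2", "https://localhost:8443/", is_https_up),
    ("simpleWebapp secured servlet", "https://localhost:8443/fedizhelloworld/secure/fedservlet",
     is_federation_redirect),
]
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report 3xx as HTTPError instead of following it

def urllib_fetch(url: str, cafile: Optional[str] = None) -> Response:
    # cafile: PEM export of the CA behind the sample certificates (assumption: you export it).
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=5) as r:
            return r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:
        return 0, None, str(e.reason)

def run_stages(fetch: Callable[[str], Response] = urllib_fetch) -> List[Tuple[str, bool]]:
    # Stop at the first failing stage: as Glen says, nothing later can work until it passes.
    results = []
    for label, url, check in STAGES:
        ok = check(*fetch(url))
        results.append((label, ok))
        if not ok:
            break
    return results
```

Run `run_stages()` against the live Tomcats; pass a fake fetcher (as the test does) to exercise the checks offline.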
