Hi Glen, I have another question:

I see the tag saml2 on this page https://localhost:8443/fedizhelloworld/secure/fedservlet, but I saw that Fediz supports SAML 1.x on the introduction page. How should I verify the SAML 1.x token? I am new to this.

Regards,
Hua Jie

On Wed, Aug 15, 2012 at 5:07 PM, 杨华杰 <[email protected]> wrote:
> Hi Glen
>
> I made it work. I found there is no key file in the apache-fediz-1.0.0.zip file.
>
> The main difficulties were the port numbers and which Tomcat instances I should deploy the war files to.
>
> Thank you for your help
>
> Regards,
> Hua Jie
>
> On Wed, Aug 15, 2012 at 9:37 AM, 杨华杰 <[email protected]> wrote:
>> Thank you Glen, it's good to hear that.
>>
>> I will try the configuration again this weekend.
>>
>> On Wed, Aug 15, 2012 at 12:10 AM, Glen Mazza <[email protected]> wrote:
>>> Gina, another CXF user, said she was able to get Fediz to work with ADFS (http://cxf.547215.n5.nabble.com/template/NamlServlet.jtp?macro=search_page&node=547215&query=gina+fediz+adfs&days=0), but I have not tested this myself.
>>>
>>> Glen
>>>
>>> On 08/13/2012 11:38 PM, 杨华杰 wrote:
>>>> Hi Glen
>>>>
>>>> Here is the authentication that SharePoint supports:
>>>> http://technet.microsoft.com/en-us/library/cc262350.aspx#section1
>>>>
>>>> Regards,
>>>> Hua Jie
>>>>
>>>> On Tue, Aug 14, 2012 at 9:51 AM, 杨华杰 <[email protected]> wrote:
>>>>> Hi Glen
>>>>>
>>>>> Thanks for your follow-up. I didn't do #1; I downloaded the binary file directly.
>>>>>
>>>>> I will download 1.0.1 and try again. By the way, did you try to make Fediz work with SharePoint authentication? SharePoint supports claims authentication, SAML 1.x. I would appreciate your time. Thank you again.
>>>>>
>>>>> Regards,
>>>>> Hua Jie
>>>>>
>>>>> On Tue, Aug 14, 2012 at 5:12 AM, Glen Mazza <[email protected]> wrote:
>>>>>> Hi Hua Jie, I think the samples hardcode specific port numbers (following the instructions), assuming the two or three Tomcat instance setup, so if you try to put all on one Tomcat alone, you might have to go through each of the apps to make sure all the port numbers were updated. (Also, I haven't tested yet, but the Fediz plugin that needs to be installed on Tomcat-RP might conflict with the Fediz IDP & STS if you put them on the same Tomcat instance.)
>>>>>>
>>>>>> I'm glad #2 works for you, but did you do #1 below? The keystores and example READMEs, again, have been *radically* improved in the trunk version. The sample keystores and trust relationships are not defined in 1.0 as they are in 1.0.1 (http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co)
>>>>>>
>>>>>> <-- You see, much of the important information in the last two columns is lost when you try a one-Tomcat solution.
>>>>>>
>>>>>> Regards,
>>>>>> Glen
>>>>>>
>>>>>> On 08/12/2012 11:19 PM, 杨华杰 wrote:
>>>>>>> Hi Glen
>>>>>>>
>>>>>>> The reason I insist on getting a working copy of Tomcat (maybe 2 Tomcats) is that I will learn more from the example if it is working.
>>>>>>>
>>>>>>> I do see the WSDL from http://localhost:8080/fediz-idp-sts-1.0.0/STSService?wsdl
>>>>>>>
>>>>>>> I don't know which step I did wrong. The only tip I have is the error message from the page and log.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Hua Jie
>>>>>>>
>>>>>>> On Mon, Aug 13, 2012 at 11:07 AM, 杨华杰 <[email protected]> wrote:
>>>>>>>> Hi Glen
>>>>>>>>
>>>>>>>> I am a beginner in this SAML setup, probably also impatient. But I already tried to follow your document three times and I still didn't make it work. Could you help me with this?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Hua Jie
>>>>>>>>
>>>>>>>> On Mon, Aug 13, 2012 at 10:46 AM, Glen Mazza <[email protected]> wrote:
>>>>>>>>> On 08/12/2012 09:42 PM, 杨华杰 wrote:
>>>>>>>>>> Hi Glen
>>>>>>>>>>
>>>>>>>>>> Thanks for your patience. It's very detailed. But currently I don't know which step is wrong.
>>>>>>>>>
>>>>>>>>> The step where you're not using a different Tomcat instance to host the IDP compared to the one hosting the RP applications, as given in the directions. Also, that you're not going sequentially as I recommended below, and testing at each point before proceeding on to the next step. Doing it all at once and saying "it doesn't work" doesn't help you when you need to retrace back to try to figure out what is going wrong. (Why deploy the RP apps if you haven't first checked the IDP STS works, for example.)
>>>>>>>>>
>>>>>>>>>> I can access the web service through http and https. That's why I want to ask for a working Tomcat, so at least I can make it work. I also think a one-Tomcat setup is much easier for beginners.
>>>>>>>>>
>>>>>>>>> Well, maybe someone else can provide you a single Tomcat setup. Sorry, I see a single Tomcat setup as easier only for those beginners who don't care to learn anything (necessary keystore/truststore relationships between apps and between servlet containers, required setup of relying party Tomcat instance, Tomcat IDP instance), and doing more harm than good in learning a distributed deployment and understanding the deployment requirements for each portion.
>>>>>>>>>
>>>>>>>>>> I have one question here: is HTTPS mandatory? I don't need security like that.
>>>>>>>>>
>>>>>>>>> Yes, so the usernames and passwords sent are secure, possibly other reasons as well. Even with HTTP alone, you will still need message-layer encryption for the SAML tokens being sent, requiring application keystores at least.
>>>>>>>>>
>>>>>>>>>> I just want to make it work first.
>>>>>>>>>
>>>>>>>>> Well, if you would just follow the instructions given below and on the website, you'll get it to "work first" pretty rapidly (and learn a lot in the process.)
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Glen
>>>>>>>>>
>>>>>>>>>> Thank you again for your time, really appreciated.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Hua Jie
>>>>>>>>>>
>>>>>>>>>> On Sun, Aug 12, 2012 at 11:25 PM, Glen Mazza <[email protected]> wrote:
>>>>>>>>>>> Hi Hua Jie,
>>>>>>>>>>>
>>>>>>>>>>> I don't have a one-Tomcat solution, I'm not sure how useful such a setup would be. Our Fediz samples use a two-Tomcat setup (three for the more advanced wsClientWebapp sample) in order to try to mimic an actual production environment. I'd recommend following the documentation closely, using the two or three Tomcat setup as it suggests, and making sure it works, then look at reducing the number of Tomcats if you wish.
>>>>>>>>>>>
>>>>>>>>>>> Sending you a working Tomcat is not going to help you, a web page that just says "Hello World!" is useless. Rather, it's working through the sample and getting it to work on your machine that is the important point.
>>>>>>>>>>>
>>>>>>>>>>> I've requested Fediz 1.0.1--which has much better READMEs and clearer keystore configuration rules--to be released. In the meantime, I'd recommend:
>>>>>>>>>>>
>>>>>>>>>>> 1.) Downloading and building (mvn clean install) the trunk branch of Fediz instead of using the Fediz 1.0 distribution: http://cxf.apache.org/fediz.html#Fediz-Building . Follow the READMEs in the trunk versions instead.
>>>>>>>>>>>
>>>>>>>>>>> 2.) First get the IDP / IDP STS instance working on Tomcat #1 using these instructions: http://cxf.apache.org/fediz-idp.html . Don't do anything else until you can view the STS WSDL at http://localhost:9080/fedizidpsts/STSService?wsdl as stated on that page. If you can't view the WSDL, nothing else will work.
>>>>>>>>>>>
>>>>>>>>>>> 3.) Next, configure Tomcat #2 as the Relying Party instance: http://cxf.apache.org/fediz-tomcat.html . For running the samples, all you need to do are the Installation and HTTPS Configuration parts at the top.
>>>>>>>>>>>
>>>>>>>>>>> 4.) Next, deploy the simpleWebapp sample on Tomcat #2 and make sure the sample works--follow that sample's README.
>>>>>>>>>>>
>>>>>>>>>>> 5.) Next, run the wsclientWebapp sample--you'll need to create a third Tomcat instance to run the web service provider--follow the wsclientWebapp sample README for full instructions.
>>>>>>>>>>>
>>>>>>>>>>> If you can get to step #5, you're in good shape with Fediz (just make sure for production you use your own keystores and not the sample ones provided.)
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Glen
>>>>>>>>>>>
>>>>>>>>>>> On 08/12/2012 03:40 AM, 杨华杰 wrote:
>>>>>>>>>>>> Hi
>>>>>>>>>>>>
>>>>>>>>>>>> Anyone have an idea about this?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Hua Jie
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Aug 7, 2012 at 10:56 AM, 杨华杰 <[email protected]> wrote:
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>
>>>>>>>>>>>>> I followed the README to configure the example (but I configured the example and the IDP in the same Tomcat).
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am able to view the web service.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But when I access the link https://localhost:8443/fedizhelloworld/secure/fedservlet
>>>>>>>>>>>>>
>>>>>>>>>>>>> I always get this error:
>>>>>>>>>>>>>
>>>>>>>>>>>>> WARNING: Unexpected error forwarding to login page
>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>     at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:322)
>>>>>>>>>>>>>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:245)
>>>>>>>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
>>>>>>>>>>>>>     at org.apache.cxf.fediz.tomcat.FederationAuthenticator.invoke(FederationAuthenticator.java:180)
>>>>>>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>>>>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
>>>>>>>>>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>>>>>>>>>>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
>>>>>>>>>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>>>>>>>>>>>     at java.lang.Thread.run(Thread.java:662)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Aug 6, 2012 10:01:37 PM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
>>>>>>>>>>>>> WARNING: Unexpected error forwarding to login page
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can someone send me a working Tomcat? It will be much easier to explore the example.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is the first time I have posted questions on the mailing list. Yesterday I filed a bug in JIRA.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Prince
