Hi Joel,

What does your "org.apache.cxf.sts.StaticSTSProperties" configuration look like in the STS configuration? Here you should have a "callbackHandlerClass" property to retrieve the private key password, a "signaturePropertiesFile" pointing to a Crypto properties file and a "signatureUsername" pointing to the keystore alias to use for signing issued tokens.
First I would check that the entries in your Crypto properties file are correct. Then I'd check that you have a CallbackHandler implementation returning the right private key password for the given alias.

Colm.

On Thu, Nov 28, 2013 at 10:04 PM, tazouxme <[email protected]> wrote:
> Hi all,
>
> I am currently writing my own Identity Provider using Fediz. I added a very
> basic JDBC layer to store users and claims in database.
> The redirection from the RP to the IDP works fine! But when the IdP calls
> the STS, I have this problem.
>
> 2013-11-28 22:58:05,644 [http-bio-9443-exec-10] WARN
> org.apache.cxf.sts.operation.TokenIssueOperation -
> org.apache.cxf.ws.security.sts.provider.STSException: The specified request failed
>     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:201)
>     at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:205)
>     at org.apache.cxf.sts.operation.TokenIssueOperation.issue(TokenIssueOperation.java:83)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(SecurityTokenServiceProvider.java:236)
>     at org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(SecurityTokenServiceProvider.java:69)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
>     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
>     at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:178)
>     at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:68)
>     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
>     at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
>     at java.util.concurrent.FutureTask.run(Unknown Source)
>     at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.ws.security.WSSecurityException: General security error (The private key for the supplied alias does not exist in the keystore)
>     at org.apache.ws.security.saml.ext.AssertionWrapper.signAssertion(AssertionWrapper.java:495)
>     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createSamlToken(SAMLTokenProvider.java:399)
>     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:127)
>     ... 53 more
> Caused by: org.apache.ws.security.WSSecurityException: General security error (The private key for the supplied alias does not exist in the keystore)
>     at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:725)
>     at org.apache.ws.security.saml.ext.AssertionWrapper.signAssertion(AssertionWrapper.java:493)
>     ... 55 more
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>     at sun.security.provider.KeyProtector.recover(Unknown Source)
>     at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
>     at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
>     at java.security.KeyStore.getKey(Unknown Source)
>     at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:711)
>     ... 56 more
>
> *This creates a SoapFault, and on the IdP I finally have this error thrown*
>
> 2013-11-28 22:58:05,649 [http-bio-9443-exec-8] WARN
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor - Request does not
> contain Security header, but it's a fault.
> 2013-11-28 22:58:05,651 [http-bio-9443-exec-8] INFO
> com.openfootball.security.idp.STSAuthenticationProvider - Failed to
> authenticate user 'taz'
> org.apache.cxf.binding.soap.SoapFault: The specified request failed
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:84)
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:51)
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:40)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1502)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>     at com.openfootball.security.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:106)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at com.openfootball.security.idp.STSPortFilter.doFilter(STSPortFilter.java:65)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
>
> All certificates were created following the process on webpage
> http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co
>
> I don't know how to solve this issue.
> Can anyone help me?
>
> Thank you very much :)
> Regards,
> Joel
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Fediz-problem-on-STS-Client-call-from-IDP-tp5737199.html
> Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
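As an added illustration of the two checks Colm suggests (this is not code from the thread, from CXF or from Fediz): a CallbackHandler of the kind referenced by "callbackHandlerClass" that answers the STS's WSPasswordCallback for the signing alias, plus a pre-flight check that reads the Merlin Crypto properties file named by "signaturePropertiesFile", opens the keystore and recovers the signing key with the same password the handler returns. The alias "mystskey", the key password "stskpass" and the assumption that the keystore property is a file-system path are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Returns the private-key password the STS needs to sign the SAML tokens it issues. */
public class StsKeyPasswordCallbackHandler implements CallbackHandler {
    // Hypothetical alias and key password (not from the thread): the alias must equal
    // signatureUsername, and this must be the *key* password, not the keystore password.
    private static final String SIGNING_ALIAS = "mystskey";
    private static final String KEY_PASSWORD = "stskpass";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // The STS asks with usage SIGNATURE and the alias as identifier; any other
            // alias is left unanswered so that a misconfiguration fails loudly.
            if (pc.getUsage() == WSPasswordCallback.SIGNATURE && SIGNING_ALIAS.equals(pc.getIdentifier())) {
                pc.setPassword(KEY_PASSWORD);
            }
        }
    }

    /** Pre-flight check that mirrors Merlin.getPrivateKey: a wrong key password surfaces
     *  here as UnrecoverableKeyException("Cannot recover key"), the root cause in the trace. */
    public static String verifySigningKey(String cryptoPropertiesPath) throws Exception {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(cryptoPropertiesPath)) {
            p.load(in);
        }
        KeyStore ks = KeyStore.getInstance(
                p.getProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks"));
        try (FileInputStream in = new FileInputStream(
                p.getProperty("org.apache.ws.security.crypto.merlin.keystore.file"))) {
            ks.load(in, p.getProperty("org.apache.ws.security.crypto.merlin.keystore.password").toCharArray());
        }
        if (!ks.isKeyEntry(SIGNING_ALIAS)) {
            throw new IllegalStateException("alias " + SIGNING_ALIAS + " is not a private key entry");
        }
        return ks.getKey(SIGNING_ALIAS, KEY_PASSWORD.toCharArray()).getAlgorithm();
    }
}
```

Running verifySigningKey against the STS's Crypto properties file before deployment separates the two failure modes the trace conflates: an alias that is not a key entry (wrong signatureUsername) versus a key that exists but cannot be recovered (wrong key password from the callback).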
