I'm using 2.7.14.
My feeling is that the server configuration is not correct. I'm following the example at: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts-pop.xml?view=markup

I noticed, though, that I cannot configure a "claimsManager" as in the example; I get an XML parsing error on the client side.

Could you have a look at my server configuration, maybe you see something I overlooked:
Thanks a million.
Laci

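<!--
    Spring configuration for an Apache CXF Security Token Service (STS).

    It publishes one JAX-WS endpoint at /UT, backed by a
    SecurityTokenServiceProvider that supports the Issue, Validate and Renew
    operations for SAML tokens. Keystore settings, user passwords and the list
    of relying-party endpoints are loaded from files under /home/sts/security.

    The stray ';' that the mail archive appended after every URL-valued
    attribute has been removed; with it the document is not well-formed XML.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:test="http://www.curabill.ch/services/solvency"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
           http://cxf.apache.org/core
           http://cxf.apache.org/schemas/core.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd
           http://www.springframework.org/schema/util
           http://www.springframework.org/schema/util/spring-util-2.0.xsd">

    <!--
        Bus-wide message logging.
        NOTE(review): the logging feature writes complete inbound and outbound
        SOAP messages to the log. On an STS those messages carry the caller's
        credentials and the issued SAML assertions, so restrict who can read
        the log and consider leaving this feature out of production.
    -->
    <cxf:bus>
        <cxf:features>
            <cxf:logging />
        </cxf:features>
    </cxf:bus>

    <!--
        Resolves the ${...} placeholders used below (token.lifetime,
        key.sts.name.alias, key.service.name.alias). Startup fails if the file
        is missing; placeholders it cannot resolve are left untouched.
        NOTE(review): the same file is passed below as the signature and
        encryption crypto properties, so it presumably also holds the keystore
        location and password. Keep it readable only by the STS account.
    -->
    <context:property-placeholder location="file:/home/sts/security/stsKeystore.properties"
                                  ignore-resource-not-found="false"
                                  ignore-unresolvable="true"/>

    <!-- Configuration for username / password token validation -->

    <!-- WS-Trust provider: dispatches Issue, Validate and Renew to the delegates below. -->
    <bean id="utSTSProviderBean"
          class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
        <property name="issueOperation" ref="utIssueDelegate" />
        <property name="validateOperation" ref="utValidateDelegate" />
        <property name="renewOperation" ref="utRenewDelegate"/>
    </bean>

    <!-- Issue: creates SAML tokens for the services listed in utService. -->
    <bean id="utIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
        <property name="tokenProviders" ref="utSamlTokenProvider" />
        <property name="services" ref="utService" />
        <property name="stsProperties" ref="utSTSProperties" />
        <property name="tokenStore" ref="defaultTokenStore"/>
    </bean>

    <!-- Validate: checks a presented SAML token with utSamlTokenValidator. -->
    <bean id="utValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
        <property name="tokenProviders" ref="utSamlTokenProvider" />
        <property name="tokenValidators" ref="utSamlTokenValidator" />
        <property name="stsProperties" ref="utSTSProperties" />
        <property name="tokenStore" ref="defaultTokenStore"/>
    </bean>

    <!-- Renew: validates the presented token, then hands it to the configured renewers. -->
    <bean id="utRenewDelegate" class="org.apache.cxf.sts.operation.TokenRenewOperation">
        <property name="tokenRenewers" ref="utTokenRenewers"/>
        <property name="tokenValidators" ref="utTokenValidators"/>
        <property name="stsProperties" ref="utSTSProperties"/>
        <property name="tokenStore" ref="defaultTokenStore"/>
    </bean>

    <!--
        One in-memory token store shared by the issue, validate and renew
        operations. Being in memory, it does not survive a restart and is not
        shared between STS instances.
    -->
    <bean id="defaultTokenStore" class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore">
    </bean>

    <util:list id="utTokenValidators">
        <ref bean="utSamlTokenValidator"/>
    </util:list>

    <util:list id="utTokenRenewers">
        <ref bean="transportSamlTokenRenewer"/>
    </util:list>

    <!--
        SAML token renewer.
        verifyProofOfPossession is left commented out, so the renewer's default
        applies (verification enabled in SAMLTokenRenewer; confirm for the CXF
        version in use).
        NOTE(review): allowRenewalAfterExpiry="true" lets a token be renewed
        after it has expired, which lengthens the time a captured token stays
        useful. Keep proof-of-possession verification on and confirm that the
        renewer's maximum-expiry bound suits the deployment.
    -->
    <bean id="transportSamlTokenRenewer" class="org.apache.cxf.sts.token.renewer.SAMLTokenRenewer">
        <!-- <property name="verifyProofOfPossession" value="false"/> -->
        <property name="allowRenewalAfterExpiry" value="true"/>
        <property name="conditionsProvider" ref="utSamlConditionsProvider"/>
    </bean>

    <!-- Builds the SAML assertion: role attributes plus validity conditions. -->
    <bean id="utSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
        <property name="attributeStatementProviders" ref="utRoleAttributeProvider"/>
        <property name="conditionsProvider" ref="utSamlConditionsProvider"/>
    </bean>

    <!--
        Validity window of issued and renewed tokens, taken from token.lifetime.
        NOTE(review): acceptClientLifetime="true" honours the lifetime the
        client asks for in its request. Confirm that an upper bound on the
        requested lifetime is in effect for this CXF version.
    -->
    <bean id="utSamlConditionsProvider" class="org.apache.cxf.sts.token.provider.DefaultConditionsProvider">
        <property name="lifetime" value="${token.lifetime}"/>
        <property name="acceptClientLifetime" value="true"/>
    </bean>

    <bean id="utSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
    </bean>

    <!--
        Project-specific attribute provider; its implementation is not shown.
        Presumably maps authenticated users to roles from the given file, so
        that file decides authorization and should be writable only by
        administrators (verify against the class).
    -->
    <bean id="utRoleAttributeProvider" class="ch.curabill.msp.services.sts.UTRoleAttributeProvider">
        <property name="authorizationListPath" value="/home/sts/security/authorizationList.properties" />
    </bean>

    <!-- Presumably defines the "utEndpoints" bean referenced by utService below. -->
    <import resource="file:/home/sts/security/stsUTServiceList.xml"/>

    <!-- Services (AppliesTo addresses) for which this STS will issue tokens. -->
    <bean id="utService" class="org.apache.cxf.sts.service.StaticService">
        <property name="endpoints" ref="utEndpoints" />
    </bean>

    <!--
        Presumably defines the "passwords" bean injected into upCallbackHandler.
        NOTE(review): if this file holds user passwords in clear text, restrict
        its permissions to the STS account and keep it out of version control
        and backups that are broadly readable (TODO confirm the file format).
    -->
    <import resource="file:/home/sts/security/passwords.xml"/>

    <!-- Callback handler used by the endpoint to look up passwords. -->
    <bean id="upCallbackHandler" class="ch.curabill.msp.services.sts.STSCallbackHandler">
        <property name="passwords" ref="passwords" />
        <property name="keyStorePropPath" value="/home/sts/security/stsKeystore.properties" />
    </bean>

    <!--
        Signing and encryption settings for issued tokens. Both use the same
        crypto properties file; the key aliases come from the placeholder file.
        NOTE(review): callbackHandlerClass names the handler class instead of
        referencing the upCallbackHandler bean, so the "passwords" and
        "keyStorePropPath" values set on that bean are presumably not applied
        to the instance created here. Confirm the handler can still resolve
        the signing key password on its own.
    -->
    <bean id="utSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
        <property name="signaturePropertiesFile" value="file:/home/sts/security/stsKeystore.properties" />
        <property name="signatureUsername" value="${key.sts.name.alias}" />
        <property name="callbackHandlerClass" value="ch.curabill.msp.services.sts.STSCallbackHandler" />
        <property name="issuer" value="STSIssuer" />
        <property name="encryptionCryptoProperties" value="file:/home/sts/security/stsKeystore.properties" />
        <property name="encryptionUsername" value="${key.service.name.alias}" />
    </bean>

    <!--
        The STS endpoint itself. The security policy is taken from the WSDL,
        which is not shown here.
        NOTE(review): username/password credentials appear to reach this
        endpoint, so confirm that the WSDL policy and the servlet container
        require TLS for /UT.
    -->
    <jaxws:endpoint id="UTSTS" implementor="#utSTSProviderBean"
                    address="/UT" wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
                    xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
                    serviceName="ns1:SecurityTokenService" endpointName="ns1:UT_Port">
        <jaxws:properties>
            <entry key="ws-security.callback-handler" value-ref="upCallbackHandler" />
            <entry key="ws-security.signature.properties" value="file:/home/sts/security/stsKeystore.properties" />
            <entry key="ws-security.signature.username" value="${key.sts.name.alias}" />
        </jaxws:properties>
    </jaxws:endpoint>

</beans>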





On 28.01.2015 11:30, Colm O hEigeartaigh wrote:
What version of CXF is your client using? Try with the latest version of
2.7.x if you aren't already. Failing that, try enabling debug logging to
see what is going wrong.

Colm.

On Wed, Jan 28, 2015 at 7:58 AM, Laci Gaspar <[email protected]> wrote:

Yes, you're right, the Renew operation was not configured. I did that and
now the token seems to get renewed.
Unfortunately I get another exception now, and I don't know if that is
related to the previous problem.
I configured the token lifetime to 20 seconds.
After 5 minutes I get the following exception in the client. There is no
exception in the sts log:
Jan 28, 2015 8:51:06 AM org.apache.cxf.ws.addressing.soap.MAPCodec
restoreExchange
Warnung: Response message does not contain WS-Addressing properties.  Not
correlating response.
Jan 28, 2015 8:51:06 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
Warnung: Request does not contain Security header, but it's a fault.
Jan 28, 2015 8:51:06 AM org.apache.cxf.ws.addressing.ContextUtils
retrieveMAPs
Warnung: WS-Addressing - failed to retrieve Message Addressing Properties
from context
javax.xml.ws.soap.SOAPFaultException: General security error (SAML token
security failure)
     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
JaxWsClientProxy.java:158)
     at com.sun.proxy.$Proxy42.submitInvoice(Unknown Source)
     at ch.curabill.msp.service.invoicedelivery.client.
InvoiceDeliveryClient.submitDocument(InvoiceDeliveryClient.java:216)
     at ch.curabill.msp.service.invoicedelivery.client.
InvoiceDeliveryClient.main(InvoiceDeliveryClient.java:138)
Caused by: org.apache.cxf.binding.soap.SoapFault: General security error
(SAML token security failure)
     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.
unmarshalFault(Soap11FaultInInterceptor.java:84)
     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.
handleMessage(Soap11FaultInInterceptor.java:51)
     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.
handleMessage(Soap11FaultInInterceptor.java:40)
     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObs
erver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.
handleMessage(CheckFaultInterceptor.java:69)
     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.
handleMessage(CheckFaultInterceptor.java:34)
     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:849)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
handleResponseInternal(HTTPConduit.java:1626)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
handleResponse(HTTPConduit.java:1515)
     at org.apache.cxf.transport.http.HTTPConduit$
WrappedOutputStream.close(HTTPConduit.java:1318)
     at org.apache.cxf.transport.AbstractConduit.close(
AbstractConduit.java:56)
     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.
java:632)
     at org.apache.cxf.interceptor.MessageSenderInterceptor$
MessageSenderEndingInterceptor.handleMessage(
MessageSenderInterceptor.java:62)
     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:572)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:481)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
JaxWsClientProxy.java:136)
     ... 3 more


thanks,
Laci

On 27.01.2015 17:30, Colm O hEigeartaigh wrote:

Ok well the error here is that the STS you are using does not support
Renew, or it is not configured. The CXF client will then fall back to
getting a new token via "issue".

Colm.

On Tue, Jan 27, 2015 at 4:09 PM, Laci Gaspar <[email protected]> wrote:

  I rebuilt the sts with cxf 2.7.14 and I get this: (I am sending a
directory full of files to a server)

Every time the token expires there is an Error in the log, but no
exception is thrown:
Jan 27, 2015 5:03:23 PM org.apache.cxf.ws.security.policy.interceptors.
IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor renewToken
Warnung: Error renewing a token
org.apache.cxf.binding.soap.SoapFault: Implementation for this operation
not found.
      at org.apache.cxf.binding.soap.interceptor.
Soap11FaultInInterceptor.
unmarshalFault(Soap11FaultInInterceptor.java:84)
      at org.apache.cxf.binding.soap.interceptor.
Soap11FaultInInterceptor.
handleMessage(Soap11FaultInInterceptor.java:51)
      at org.apache.cxf.binding.soap.interceptor.
Soap11FaultInInterceptor.
handleMessage(Soap11FaultInInterceptor.java:40)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObs
erver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
      at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.
handleMessage(CheckFaultInterceptor.java:69)
      at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.
handleMessage(CheckFaultInterceptor.java:34)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.endpoint.ClientImpl.onMessage(
ClientImpl.java:849)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
handleResponseInternal(HTTPConduit.java:1626)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
handleResponse(HTTPConduit.java:1515)
      at org.apache.cxf.transport.http.HTTPConduit$
WrappedOutputStream.close(HTTPConduit.java:1318)
      at org.apache.cxf.transport.AbstractConduit.close(
AbstractConduit.java:56)
      at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.
java:632)
      at org.apache.cxf.interceptor.MessageSenderInterceptor$
MessageSenderEndingInterceptor.handleMessage(
MessageSenderInterceptor.java:62)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:572)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:481)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
      at org.apache.cxf.ws.security.trust.AbstractSTSClient.renew(
AbstractSTSClient.java:1066)
      at org.apache.cxf.ws.security.trust.STSClient.
renewSecurityToken(STSClient.java:82)
      at org.apache.cxf.ws.security.policy.interceptors.
IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.renewToken(
IssuedTokenInterceptorProvider.java:439)
      at org.apache.cxf.ws.security.policy.interceptors.
IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(
IssuedTokenInterceptorProvider.java:156)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:572)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:481)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
      at org.apache.cxf.frontend.ClientProxy.invokeSync(
ClientProxy.java:96)
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
JaxWsClientProxy.java:136)
      at com.sun.proxy.$Proxy42.submitInvoice(Unknown Source)
      at ch.curabill.msp.service.invoicedelivery.client.
InvoiceDeliveryClient.submitDocument(InvoiceDeliveryClient.java:216)
      at ch.curabill.msp.service.invoicedelivery.client.
InvoiceDeliveryClient.main(InvoiceDeliveryClient.java:138)



but then before all files are sent I get an exception:
Jan 27, 2015 5:04:23 PM org.apache.cxf.ws.addressing.soap.MAPCodec
restoreExchange
Warnung: Response message does not contain WS-Addressing properties.  Not
correlating response.
Jan 27, 2015 5:04:23 PM org.apache.cxf.ws.security.
wss4j.WSS4JInInterceptor
handleMessage
Warnung: Request does not contain Security header, but it's a fault.
Jan 27, 2015 5:04:23 PM org.apache.cxf.ws.addressing.ContextUtils
retrieveMAPs
Warnung: WS-Addressing - failed to retrieve Message Addressing Properties
from context
javax.xml.ws.soap.SOAPFaultException: General security error (SAML token
security failure)
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
JaxWsClientProxy.java:158)
      at com.sun.proxy.$Proxy42.submitInvoice(Unknown Source)
      at ch.curabill.msp.service.invoicedelivery.client.
InvoiceDeliveryClient.submitDocument(InvoiceDeliveryClient.java:216)
      at ch.curabill.msp.service.invoicedelivery.client.
InvoiceDeliveryClient.main(InvoiceDeliveryClient.java:138)
Caused by: org.apache.cxf.binding.soap.SoapFault: General security error
(SAML token security failure)
      at org.apache.cxf.binding.soap.interceptor.
Soap11FaultInInterceptor.
unmarshalFault(Soap11FaultInInterceptor.java:84)
      at org.apache.cxf.binding.soap.interceptor.
Soap11FaultInInterceptor.
handleMessage(Soap11FaultInInterceptor.java:51)
      at org.apache.cxf.binding.soap.interceptor.
Soap11FaultInInterceptor.
handleMessage(Soap11FaultInInterceptor.java:40)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObs
erver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
      at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.
handleMessage(CheckFaultInterceptor.java:69)
      at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.
handleMessage(CheckFaultInterceptor.java:34)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.endpoint.ClientImpl.onMessage(
ClientImpl.java:849)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
handleResponseInternal(HTTPConduit.java:1626)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
handleResponse(HTTPConduit.java:1515)
      at org.apache.cxf.transport.http.HTTPConduit$
WrappedOutputStream.close(HTTPConduit.java:1318)
      at org.apache.cxf.transport.AbstractConduit.close(
AbstractConduit.java:56)
      at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.
java:632)
      at org.apache.cxf.interceptor.MessageSenderInterceptor$
MessageSenderEndingInterceptor.handleMessage(
MessageSenderInterceptor.java:62)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
PhaseInterceptorChain.java:272)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:572)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:481)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
      at org.apache.cxf.frontend.ClientProxy.invokeSync(
ClientProxy.java:96)
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
JaxWsClientProxy.java:136)
      ... 3 more


Any idea?

Thanks
Laci

On 27.01.2015 16:45, Colm O hEigeartaigh wrote:

  Token renewing is, or should be, supported. However, maybe there is some
other issue that is causing the problem.

Colm.

On Tue, Jan 27, 2015 at 3:37 PM, Laci Gaspar <[email protected]> wrote:

   Thanks for your quick answer, Colm.

Are you saying that with a more recent version of CXF the token should be
renewed automatically?

Thanks,
Laci

On 27.01.2015 16:34, Colm O hEigeartaigh wrote:

   Could you try with a more recent version of CXF? There have been a bunch of
issues fixed in relation to renewing tokens since the 2.7.7 release.

Colm.

On Tue, Jan 27, 2015 at 3:26 PM, Laci Gaspar <[email protected]>
wrote:

    Hi

  We are using an STS (CXF 2.7.7) to issue SAML 2 tokens for our
web services.

Our WS Clients are instantiated by spring. Something like this:

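            // Build a CXF bus from the client-side Spring file on the classpath.
            // (The file name was split across two lines by mail wrapping; it is
            // rejoined here so the string literal is valid.)
            SpringBusFactory bf = new SpringBusFactory();
            URL busFile = new ClassPathResource("wssec-client.xml").getURL();

            // Install that bus as both the global default and the default for
            // the current thread, so clients created below pick it up.
            Bus bus = bf.createBus(busFile.toString());
            SpringBusFactory.setDefaultBus(bus);
            SpringBusFactory.setThreadDefaultBus(bus);

            // wsdlURL, SERVICE_NAME and PORT_NAME are defined outside this excerpt.
            Service service = Service.create(wsdlURL, SERVICE_NAME);
            while (true) {
                // A new port proxy is obtained on every pass; the actual
                // service call is omitted in this excerpt.
                Greeter port = service.getPort(PORT_NAME, Greeter.class);
            }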


After the token expires I receive an exception when calling the WS. Can anybody
please help me with how to renew the token after it expires?

Any help is most appreciated.

Thanks,
Laci






