Hi Joel,

since Fediz 1.2.x the STS requires a client SSL certificate (from the IDP) for the transport endpoint.

Your exception looks like this could be the root cause of your trouble:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

You can take a look at my blog for how to set up your Tomcat container to enable client certificate SSL connections:
http://janbernhardt.blogspot.de/2015/01/single-logout-with-fediz-ws-federation.html

I would recommend that you use the IDP key- and truststore from tomcat/webapps/fediz-idp/WEB-INF/classes/idp-ssl-*.jks for your Tomcat SSL server settings.

Kind regards
Jan

--
Jan Bernhardt
Talend Community Coder
http://coders.talend.com
Visit my Blog https://janbernhardt.blogspot.de

> -----Original Message-----
> From: tazouxme [mailto:[email protected]]
> Sent: Thursday, 20 August 2015 23:49
> To: [email protected]
> Subject: [CXF Fediz] org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>
> Hello,
>
> Using Fediz 1.2.1, I try to authenticate a user from the springWebapp sample to the IDP.
> The popup asking for credentials appears correctly.
>
> Then, after entering the credentials, the STS side throws this Exception:
>
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>     at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.createClient(AbstractSTSClient.java:646)
>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:728)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
>     at com.tazouxme.security.saml.idp.authentication.provider.STSUPAuthenticationProvider.handleUsernamePassword(STSUPAuthenticationProvider.java:74)
>     at com.tazouxme.security.saml.idp.authentication.provider.STSUPAuthenticationProvider.authenticate(STSUPAuthenticationProvider.java:59)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:177)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:96)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at com.tazouxme.security.saml.idp.STSPortFilter.doFilter(STSPortFilter.java:56)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:151)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1517)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1474)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:10443/tazouxme-security-saml-sts/TAZOUXME/STSServiceTransportUT?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
>     at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:231)
>     at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:163)
>     at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
>     ... 58 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
>     at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>     at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>     at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>     at sun.security.ssl.Handshaker.process_record(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>     at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>     at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>     at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>     at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>     at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
>     ... 63 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>     at sun.security.validator.Validator.validate(Unknown Source)
>     at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>     ... 84 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>     ... 90 more
>
> Then the popup for credentials appears again.
> What am I doing wrong?
> Bad JKS or something else?
>
> Thanks a lot for your help! :)
> Joël
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-Fediz-org-apache-cxf-service-factory-ServiceConstructionException-Failed-to-create-service-tp5760324.html
> Sent from the cxf-user mailing list archive at Nabble.com.
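
Added example (not from this thread, from the Fediz project, or from Jan's blog): the Java below shows the client side of what Jan describes, for a custom caller such as Joël's STSUPAuthenticationProvider that drives a CXF STSClient itself. One point worth noting from the trace: the WSDL is fetched by Xerces through the JDK's own HttpsURLConnection, which uses the JVM default truststore and not the CXF HTTP conduit, so the trust material has to reach both places. The STS URL is the one from the trace; the keystore and truststore file names (chosen to match the idp-ssl-*.jks pattern), the passwords, the WS-Trust service and port QNames, the user credentials, and the AppliesTo value are assumptions to check against your deployment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;

/**
 * Example (not Fediz code): point a CXF STSClient at the Fediz STS transport endpoint with
 * an explicit truststore (so the STS server certificate chains to something we trust) and
 * an explicit keystore (so the caller presents the client certificate the endpoint requires).
 */
public class StsTlsSetup {

    // ASSUMPTION: file names follow the idp-ssl-*.jks pattern from the reply above; the
    // passwords are placeholders and must be replaced with the deployment's real values.
    static final String KEYSTORE = "idp-ssl-key.jks";
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    static final String TRUSTSTORE = "idp-ssl-trust.jks";
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    // WSDL URL taken from the stack trace. The QNames are ASSUMED to be what the Fediz
    // STS WSDL declares for this endpoint; verify them against the WSDL itself.
    static final String STS_WSDL =
        "https://localhost:10443/tazouxme-security-saml-sts/TAZOUXME/STSServiceTransportUT?wsdl";
    static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static KeyManager[] keyManagers() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(KEYSTORE, KEYSTORE_PASS), KEYSTORE_PASS);
        return kmf.getKeyManagers();
    }

    static TrustManager[] trustManagers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(TRUSTSTORE, TRUSTSTORE_PASS));
        return tmf.getTrustManagers();
    }

    public static STSClient buildStsClient(Bus bus, String user, String password) throws Exception {
        KeyManager[] kms = keyManagers();
        TrustManager[] tms = trustManagers();

        // Step 1: the WSDL download. The trace shows WSDLReaderImpl -> Xerces ->
        // sun.net.www.protocol.https.HttpsURLConnectionImpl, i.e. the JDK HTTPS client with
        // the JVM default truststore (cacerts), not the CXF conduit. Either start the JVM with
        // -Djavax.net.ssl.trustStore=... or install the context process-wide as done here.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Step 2: the RequestSecurityToken call itself goes through the CXF HTTP conduit,
        // which carries its own TLS settings and must be configured separately.
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation(STS_WSDL);
        sts.setServiceName("{" + WST_NS + "}SecurityTokenService");
        sts.setEndpointName("{" + WST_NS + "}TransportUT_Port");

        // UsernameToken credentials for the TransportUT port; set before the client is built.
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SecurityConstants.USERNAME, user);
        props.put(SecurityConstants.PASSWORD, password);
        sts.setProperties(props);

        Client client = sts.getClient();   // parses the WSDL; this is the step that failed in the trace
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kms);           // client certificate for the STS transport endpoint
        tls.setTrustManagers(tms);         // trust anchors for the STS server certificate
        tls.setDisableCNCheck(false);      // keep hostname checking; the server cert must cover "localhost"
        conduit.setTlsClientParameters(tls);
        return sts;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder credentials and AppliesTo realm (ASSUMPTIONS, not values from the thread).
        STSClient sts = buildStsClient(BusFactory.getDefaultBus(), "alice", "ecila");
        sts.requestSecurityToken("urn:org:apache:cxf:fediz:fedizhelloworld");
    }
}
```

Two things to check once this runs: the truststore must contain the STS server certificate (or its issuing CA), otherwise the same "unable to find valid certification path" appears for the WSDL download; and the keystore's certificate must itself be trusted by the STS side, otherwise the handshake fails one step later on the server instead of the client. Installing the socket factory with HttpsURLConnection.setDefaultSSLSocketFactory affects every HTTPS URL connection in the JVM, which is fine for an IDP web application but worth knowing if the container hosts other code.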
