57 Replies. Latest reply on Jun 9, 2010 10:51 AM by sguilhen
      • 30. Re: Classcast exception while executing WSTrustClientTest
        rashmirajappa

        This thread contains all the details on the purpose of the changes. To make it simple for you there was a minor issue wrt parsing of the SOAP request which was fixed.

         

        "Also for me to create our tokens all I need to do is input the security information into the keystore and run it against the test. Now how do I get that into my service. After getting the saml response, do I place that into our soap header?"

         

        PicketlinkSTS takes care of constructing the SAML response and sending it. If you configure the keystore in picketlink-sts.xml, Picketlink will use it to sign the SAML assertion that has been generated by the TokenProvider (this is the class where the SAML assertion has to be created). I'm not certain what you mean by your service?

         

        "think we are trying to create a token and place it within our soap to send across. Is this possible??"

        Yes, I think that is the purpose of PicketLinkSTS. I'm able to do it.

         

        regards,

        Rashmi

        • 31. Re: Classcast exception while executing WSTrustClientTest
          morrowjl

          Ok, so do I need to go get the new snapshot jar if I was passing the client test already?

           

          By "service", I mean we are trying to communicate with new ____ and it requires SAML authentication to gain access.

           

          I can be asking a really silly question right here, but where is the SOAP request that we are parsing? I don't see it in the WAR.

           

          So let me see if I am breaking this down right for us:

          1. I am going to need to update our WSDL for the SAML sections
          2. Update our SOAP request to use the STS and give the endpoint where I need it to go.

           

           

          What my team is trying to accomplish

          We have a web service which creates a SOAP request and sends it to an endpoint. I guess I am trying to figure out how to send that request to the STS which will then parse it and apply the response and send it on to the endpoint?

          • 32. Re: Classcast exception while executing WSTrustClientTest
            rashmirajappa

            Anil,

             

            I imported the keystore keys using

             

            C:\Java\jdk1.6.0_01\bin>keytool.exe -importkeystore  -srckeystore E:\PicketLinkSrc\sts_keystore.jks -destkeystore sts_keystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass testpass -deststorepass testpass
            Entry for alias service2 successfully imported.
            Entry for alias service1 successfully imported.
            Enter key password for <sts>
            Entry for alias sts successfully imported.
            Import command completed:  3 entries successfully imported, 0 entries failed or cancelled

             

             

             

            All the keys were successfully imported.

            Still WSTrustClient gives the same output:

             

            Is assertion valid? false

             

            Please help.

             

            regards,

            Rashmi

            • 33. Re: Classcast exception while executing WSTrustClientTest
              morrowjl

              I tried using the SNAPSHOT jar and that gave me an error, so I have rolled back to using the CR3 original. Error received was

               

              Eclipse console output

               

              10:39:31,004 ERROR [SOAPFaultHelperJAXWS] SOAP request exception
              java.lang.RuntimeException: Request Security Token node not found
                  at org.picketlink.identity.federation.core.wstrust.WSTrustJAXBFactory.parseRequestSecurityToken(WSTrustJAXBFactory.java:141)
                  at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:82)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at org.jboss.wsf.container.jboss50.invocation.InvocationHandlerJSE.invoke(InvocationHandlerJSE.java:108)
                  at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:222)
                  at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)
                  at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
                  at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
                  at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
                  at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
                  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                  at java.lang.Thread.run(Unknown Source)

               

               

              This is the trace from the JUnit test

               

              javax.xml.ws.soap.SOAPFaultException: Request Security Token node not found
                  at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(Unknown Source)
                  at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(Unknown Source)
                  at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.doInvoke(Unknown Source)
                  at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.invoke(Unknown Source)
                  at org.picketlink.identity.federation.core.wstrust.STSClient.issueToken(STSClient.java:151)
                  at org.picketlink.identity.federation.core.wstrust.STSClient.issueToken(STSClient.java:128)
                  at org.picketlink.identity.federation.api.wstrust.WSTrustClient.issueToken(WSTrustClient.java:81)
                  at test.WSTrustClientTest.testSTS(WSTrustClientTest.java:65)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
                  at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
                  at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
                  at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
                  at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
                  at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
                  at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
                  at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
                  at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
                  at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
                  at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
                  at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
                  at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
                  at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:46)
                  at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)

              • 34. Re: Classcast exception while executing WSTrustClientTest
                sguilhen

                Jamere,

                 

                make sure you have replaced the picketlink-fed.jar for the snapshot on both client and server side. That is, your eclipse app should be using the snapshot when creating the request, and the STS should be using the same snapshot when handling the request. So you need to ensure that your picketlink-sts.war contains the snapshot or that the snapshot has replaced the picketlink-fed.jar in server/xxx/lib/ (if that's where you placed it).

                 

                Stefan

                • 35. Re: Classcast exception while executing WSTrustClientTest
                  morrowjl

                  Oh man...thanks, didn't do that second step. Also, did you see my above concerns?

                  • 36. Re: Classcast exception while executing WSTrustClientTest
                    sguilhen

                    Rashmi,

                     

                    can you please inspect the WS-Trust response message and see what the validation reason is? The STSClient only tells us the validation has failed, but we need to check the validation reason to make sure this is an XML signature problem.
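
Added example (not part of any post in this thread, and not PicketLink code): one way to read the validation status and reason out of a WS-Trust 1.3 response using only the JDK's DOM parser. The sample response and its Reason text are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ValidationStatusExample {
    static final String WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String VALID = WST + "/status/valid";
    static final String INVALID = WST + "/status/invalid";
    // Constructed WS-Trust 1.3 validate response; the Reason text is made up.
    static final String SAMPLE =
        "<wst:RequestSecurityTokenResponseCollection xmlns:wst=\"" + WST + "\">"
        + "<wst:RequestSecurityTokenResponse><wst:Status>"
        + "<wst:Code>" + INVALID + "</wst:Code>"
        + "<wst:Reason>constructed reason: signature check failed</wst:Reason>"
        + "</wst:Status></wst:RequestSecurityTokenResponse>"
        + "</wst:RequestSecurityTokenResponseCollection>";

    // Returns {code, reason} from the first wst:Status, or null if none is present.
    static String[] readStatus(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WS-Trust elements are namespace-qualified
        // Reject DOCTYPEs so a logged or captured response cannot trigger XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
        NodeList codes = doc.getElementsByTagNameNS(WST, "Code");
        NodeList reasons = doc.getElementsByTagNameNS(WST, "Reason");
        if (codes.getLength() == 0) {
            return null; // not a validation response
        }
        String reason = reasons.getLength() > 0
                ? reasons.item(0).getTextContent().trim() : "";
        return new String[] { codes.item(0).getTextContent().trim(), reason };
    }

    public static void main(String[] args) throws Exception {
        String[] status = readStatus(SAMPLE);
        System.out.println("valid:  " + VALID.equals(status[0]));
        System.out.println("code:   " + status[0]);
        System.out.println("reason: " + status[1]);
    }
}
```
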

                    • 37. Re: Classcast exception while executing WSTrustClientTest
                      morrowjl

                      My client is still validating true and I am using the snapshot. What issue is everyone having?

                      • 38. Re: Classcast exception while executing WSTrustClientTest
                        sguilhen

                        Hi Jamere,

                         

                        if I understood you correctly, you have a service which requires SAML authentication. So you probably have a Policy to describe this requirement.

                         

                        Ideally, things should happen as follows: a request is sent to the service endpoint. The request is then validated against the configured policy and if a SAML assertion is not found in the SOAP headers, the service runtime sends a message back to the request initiator. This message tells the initiator to first obtain a token from the STS and then retry (the message may contain the STS URL, explicitly telling the initiator to obtain a token from the specified STS). The initiator sends a WS-Trust request to the STS, obtains the assertion, includes it in the SOAP message, and sends it to the service endpoint. This time the policy requirements of your service should be met and the request should reach the service.

                         

                        Now how exactly this is done depends on the WS runtime being used. I haven't tried myself to build this scenario so I really don't know if the existing runtimes are capable of handling this transparently or if it is up to you to catch the error sent by the service runtime when the policy requirements are not met and call the STS yourself - most probably this is what you will have to do.

                         

                        Stefan

                        • 39. Re: Classcast exception while executing WSTrustClientTest
                          morrowjl

                          So I have a question, Stefan,

                           

                          We know what it takes to get access into client. It requires an X.509 cert which we have been given. So could we just import our cert into the keystore that is read by the picketlink-sts.xml?

                          • 40. Re: Classcast exception while executing WSTrustClientTest
                            rashmirajappa

                            Stefan,

                             

                            Changed the debug level to TRACE.

                            Please find attached the log file which has the WSTrust response and the SAML XML.

                             

                            regards,

                            Rashmi

                            • 41. Re: Classcast exception while executing WSTrustClientTest
                              morrowjl

                              Hey Stefan,

                               

                              Where is the request that the client is using coming from? Is there a way to store the cert into the STS and send the SOAP request with the wssecurity header with username/password to the STS and then the cert is then applied and the token is generated? Once all that is done the STS sends the message on to the endpoint?

                               

                              OR

                               

                              Do we have to create our cert and add it to the keystore that is used by the picketlink-sts.xml file? If we do this, is it possible to take the assertion created and add it to the request and continue to send it to the endpoint?

                              • 42. Re: Classcast exception while executing WSTrustClientTest
                                sguilhen

                                Jamere,

                                 

                                I'm not sure I understand what you need to do with the X.509 certificate. The STS implements the main component of the WS-Trust specification and as such it receives requests and dispatches responses according to the WS-Trust protocol. This means the STS will not forward any SOAP request to an endpoint. It is up to the STS client to retrieve the token from the response, add it to the appropriate SOAP header and send the SOAP request to the endpoint.
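
Added example (not part of any post in this thread, and not PicketLink code): the client-side step described above, where the caller places the issued assertion in the SOAP header before sending the request to the service endpoint, shown with the JDK's DOM API. The assertion is a constructed stand-in for the one the STS returns, and the `ex:Ping` payload and `urn:example:service` namespace are hypothetical.

```java
import java.io.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class AssertionInSoapHeader {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Constructed stand-in for the signed assertion returned by the STS.
    static final String SAMPLE_ASSERTION = "<saml:Assertion "
            + "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"ID_constructed\" "
            + "Version=\"2.0\"><saml:Issuer>PicketLinkSTS</saml:Issuer></saml:Assertion>";

    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // SAML and WS-Security are namespace-qualified
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    // Request for the service endpoint: assertion in wsse:Security, payload in Body.
    static Document buildRequest(Element assertion) throws Exception {
        Document doc = builder().newDocument();
        Element envelope = doc.createElementNS(SOAP, "soap:Envelope");
        Element header = doc.createElementNS(SOAP, "soap:Header");
        Element security = doc.createElementNS(WSSE, "wsse:Security");
        security.setAttributeNS(SOAP, "soap:mustUnderstand", "1");
        // Deep-copy the assertion unchanged: it is signed by the STS, so any
        // edit to its content would invalidate the signature.
        security.appendChild(doc.importNode(assertion, true));
        Element body = doc.createElementNS(SOAP, "soap:Body");
        // Hypothetical payload element; a real service defines its own.
        body.appendChild(doc.createElementNS("urn:example:service", "ex:Ping"));
        header.appendChild(security);
        envelope.appendChild(header);
        envelope.appendChild(body);
        doc.appendChild(envelope);
        return doc;
    }

    public static void main(String[] args) throws Exception {
        Element assertion = builder()
                .parse(new InputSource(new StringReader(SAMPLE_ASSERTION)))
                .getDocumentElement();
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(buildRequest(assertion)), new StreamResult(out));
        System.out.println(out);
    }
}
```
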

                                • 43. Re: Classcast exception while executing WSTrustClientTest
                                  morrowjl

                                  We have that part figured out. What I don't understand is where is the username token that Rashmi used on page 1 coming from and how did he get it into the STS.

                                   

                                  I have attached his file. Where did he get it from and how did he pass it to the STS?

                                  • 44. Re: Classcast exception while executing WSTrustClientTest
                                    rashmirajappa

                                    Stefan,

                                     

                                    Please give me some pointers on what could possibly be wrong due to which I'm getting "Is Assertion Valid? false".

                                     

                                    regards,

                                    Rashmi