7 Replies Latest reply on Sep 6, 2011 1:06 PM by tcesposito

    PicketLink STS on Tomcat 6. Is it working?

    mrbeanbg

      Hello All!

       

      I tried to install the PicketLink STS on Tomcat 6. I also have a client which should request a token (from the STS) and later on validate it.
      I was trying to run the client and eventually build a proof of concept, but I am having the following problems:

       

       

      Problem number one - GET request to the PicketLink STS - http://localhost:8080/picketlink-sts/PicketLinkSTS/ - this is causing the following exception:

       

      exception

       

      javax.servlet.ServletException: Class org.picketlink.identity.federation.core.wstrust.PicketLinkSTS is not a Servlet
           org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
           org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
           org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
           org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
           org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
           java.lang.Thread.run(Thread.java:619)

       

      root cause

       

      java.lang.ClassCastException: org.picketlink.identity.federation.core.wstrust.PicketLinkSTS cannot be cast to javax.servlet.Servlet
           org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
           org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
           org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
           org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
           org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
           java.lang.Thread.run(Thread.java:619)

       

      Indeed, as far as I checked, org.picketlink.identity.federation.core.wstrust.PicketLinkSTS does not extend/implement HttpServlet, nor the Servlet class. This is also true for all "parent" classes of org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.

       

       

       

      Problem number two - POST request from the Client - this is causing the following exception:

       


      SEVERE: Allocate exception for servlet PicketLinkSTS
      java.lang.ClassCastException: org.picketlink.identity.federation.core.wstrust.PicketLinkSTS cannot be cast to javax.servlet.Servlet
           at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1116)
           at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:809)
           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:129)
           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
           at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
           at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
           at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
           at java.lang.Thread.run(Thread.java:619)

       

         
      Here is the actual SOAP request:

       


      POST /picketlink-sts/PicketLinkSTS HTTP/1.1
      Content-Type: text/xml; charset=UTF-8
      SOAPAction: ""
      User-Agent: Axis2
      Authorization: Basic dG9tY2F0OnRvbWNhdA==
      Host: 127.0.0.1:8079
      Transfer-Encoding: chunked

       

      338
      <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns4:RequestSecurityToken xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns="http://www.w3.org/2005/08/addressing" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns6="http://www.w3.org/2000/09/xmldsig#" Context="context"><ns4:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns4:TokenType><ns4:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns4:RequestType></ns4:RequestSecurityToken></soapenv:Body></soapenv:Envelope>
      0

       

       

       

      My questions are: am I missing something, or am I doing something wrong? Can PicketLink STS be deployed on Tomcat 6 at all, or does PicketLink STS work only with JBossAS?

        • 1. Re: PicketLink STS on Tomcat 6. Is it working?
          anil.saldhana

          The STS requires a JBossWS stack which is in JBAS only.

          • 2. Re: PicketLink STS on Tomcat 6. Is it working?
            mrbeanbg

            Anil, thank you very much!

            • 3. Re: PicketLink STS on Tomcat 6. Is it working?
              anil.saldhana

              Let me correct myself.


              We have tried to keep the PL STS to be a JAX-WS service. There is really no dependence on JBossWS except that we have not tried or tested with another jax-ws solution.

               

              So in an ideal world, it should be possible to use the STS with a different JAX-WS stack. We have not figured out or tried it on say Tomcat.

               

              But, if you do try out with success, do tell us (and maybe a wiki article on how you did it).

              • 4. Re: PicketLink STS on Tomcat 6. Is it working?
                mrbeanbg

                I am currently building the "proof of concept" using JBossAS; once this is done I will get back to Tomcat.

                 

                I will gladly share everything in regard to deploying PicketLinkSTS on Tomcat!

                • 5. Re: PicketLink STS on Tomcat 6. Is it working?
                  tcesposito

                  Has the PicketLinkSTS been tested with JBoss AS 7.0.1?  I have the sales.war and employee.war examples working, have stood up several of my own web services that are working, and am now trying to get the WSTrustClient working using your sample code ...

                   

                  {code}
                  public void testSTS() throws Exception {
                      // create a WSTrustClient instance.
                      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
                              "http://localhost:8080/picketlink-sts/PicketLinkSTS",
                              new SecurityInfo("admin", "admin"));

                      // issue a SAML assertion using the client API.
                      Element assertion = null;
                      try {
                          assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
                      } catch (WSTrustException wse) {
                          System.out.println("Unable to issue assertion: " + wse.getMessage());
                          wse.printStackTrace();
                          System.exit(1);
                      }

                      // print the assertion for demonstration purposes.
                      System.out.println("\nSuccessfully issued a standard SAMLV2.0 Assertion!");
                      printAssertion(assertion);

                      // validate the received SAML assertion.
                      try {
                          System.out.println("\n\nIs assertion valid? " + client.validateToken(assertion));
                      } catch (WSTrustException wse) {
                          System.out.println("\n\nFailed to validate SAMLV2.0 Assertion: " + wse.getMessage());
                          wse.printStackTrace();
                      }
                  }
                  {code}

                   

                  When I run this code, I get the same error described above about the PicketLinkSTS not being castable to Servlet.  Is extra setup required for JBoss AS 7?  I'm using the default setups that come with JBoss AS 7.0.1.

                   

                  00:41:13,322 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/picketlink-sts]] (http--127.0.0.1-8080-2) Marking servlet PicketLinkSTS as unavailable
                  00:41:13,323 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/picketlink-sts].[PicketLinkSTS]] (http--127.0.0.1-8080-2) Allocate exception for servlet PicketLinkSTS: java.lang.ClassCastException: org.picketlink.identity.federation.core.wstrust.PicketLinkSTS cannot be cast to javax.servlet.Servlet
                      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1156) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:139) [jboss-as-web-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:480) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
                      at java.lang.Thread.run(Thread.java:722) [:1.7.0]

                  • 6. Re: PicketLink STS on Tomcat 6. Is it working?
                    jaikiran

                    Are you sure you are using the "everything" distribution and the standalone-preview.xml in that:

                     

                    ./standalone.sh -server-config=standalone-preview.xml

                    • 7. Re: PicketLink STS on Tomcat 6. Is it working?
                      tcesposito

                      I'm using standalone.xml, but I believe I got everything copied from standalone-preview.xml that is required.  I added the messaging and webservices modules, so jacorb is the only module not included.  I'm not sure if I was missing everything.  I did attach my configuration file.

                       

                      As a sanity check, I did make a few tweaks to the standalone-preview.xml configuration file, ran with it, and got the same error.
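
Added example, not part of the thread or of the PicketLink project: a small Python triage script that finds this failure in container logs. It covers both formats quoted above, Tomcat 6 (servlet name on the line before the exception) and JBoss AS 7 (both on one line); the function name and the sample log are constructed for illustration.

```python
import re

# Root-cause line emitted when a <servlet-class> entry names a class that does
# not implement javax.servlet.Servlet (in this thread: a JAX-WS endpoint class).
CAST_RE = re.compile(r"java\.lang\.ClassCastException: (?P<cls>[\w.$]+) "
                     r"cannot be cast to javax\.servlet\.Servlet")
# Tomcat 6 prints this on the line before the exception; JBoss AS 7 prints it
# on the same line, followed by ": java.lang.ClassCastException: ...".
ALLOC_RE = re.compile(r"Allocate exception for servlet (?P<name>[\w-]+)")
FRAME_RE = re.compile(r"^\s*at (?P<frame>[\w.$]+)\(")

def find_non_servlet_endpoints(lines):
    """Group failures by (servlet name, class); keep the first stack frame."""
    findings, pending_name, awaiting = {}, None, None
    for line in lines:
        if not line.strip():
            continue                      # tolerate double-spaced traces
        alloc, cast = ALLOC_RE.search(line), CAST_RE.search(line)
        frame = FRAME_RE.match(line)
        if cast:
            name = alloc.group("name") if alloc else pending_name or "<unknown>"
            entry = findings.setdefault((name, cast.group("cls")),
                                        {"count": 0, "first_frame": None})
            entry["count"] += 1
            awaiting = entry              # next "at ..." line belongs to this hit
        elif frame and awaiting is not None:
            awaiting["first_frame"] = awaiting["first_frame"] or frame.group("frame")
            awaiting = None
        else:
            awaiting = None
        # A servlet name only carries over to the immediately following line.
        pending_name = alloc.group("name") if alloc and not cast else None
    return findings

# Constructed sample: the two log formats from the thread, trimmed to the
# relevant lines (logger category shortened), plus one unrelated line.
SAMPLE_LOG = """\
SEVERE: Allocate exception for servlet PicketLinkSTS
java.lang.ClassCastException: org.picketlink.identity.federation.core.wstrust.PicketLinkSTS cannot be cast to javax.servlet.Servlet
     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1116)
INFO: constructed unrelated line

00:41:13,323 ERROR [category] (http--127.0.0.1-8080-2) Allocate exception for servlet PicketLinkSTS: java.lang.ClassCastException: org.picketlink.identity.federation.core.wstrust.PicketLinkSTS cannot be cast to javax.servlet.Servlet

    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1156) [jbossweb-7.0.1.Final.jar:7.0.1.Final]
""".splitlines()

if __name__ == "__main__":
    for (name, cls), info in find_non_servlet_endpoints(SAMPLE_LOG).items():
        print(f"servlet {name!r}: {cls} is not a Servlet "
              f"({info['count']}x, first frame {info['first_frame']})")
```

A first frame of `StandardWrapper.loadServlet` confirms the container itself tried to instantiate the class as a servlet, meaning no JAX-WS stack took over the endpoint at deployment.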