-
1. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 15, 2013 6:22 PM (in response to pbalachandran)
Can someone please share information around PicketLinkSTS and SAML contract-first Web Services - I was hoping the PicketLinkSTS leads (Anil or Alessio) would reply to this.
Thank you.
-
2. Re: SAML WS and PicketLinkSTS
asoldano Jul 22, 2013 8:18 AM (in response to pbalachandran)
As you possibly already noticed, there's some documentation on this topic at https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS#WS-TrustandSTS-PicketLinkSTS (but you'd need to move to at least AS 7.2.0, EAP 6.1.0 or WFLY8).
The WSDL policies you define for both the endpoint service and the STS control the WS-Trust exchange. In the example at the link above the STS endpoint is secured with WS-Security using symmetric binding encryption plus username token for authentication. The target endpoint uses asymmetric binding encryption with the initiator token to be issued by the referenced STS.
You might want to download the jbossws testsuite and give it a try; the WS-Trust scenario in the doc above is included in the testsuite.
-
3. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 22, 2013 12:32 PM (in response to asoldano)
Alessio:
Thank you for the reply - I have the following questions with respect to your example (https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS#WS-TrustandSTS-PicketLinkSTS).
a. EAP 6.1 does not have PicketLink bundled with it - so when I run the PicketLink quickstart installer, it fails (the picketlink module is missing in the distro).
b. With the example that you reference in the above article, can I get it to work without having to create an "extended" STS like you have - meaning, can I get it to work with the quickstart STS WAR?
c. Can you point me to the jbossws testsuite download link?
Can you share a link to the actual code you reference in the above example (link)?
Thank you.
-
4. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 22, 2013 5:38 PM (in response to pbalachandran)
Alessio:
I retooled my setup to mimic your example (including the Custom STS extending PicketLinkSTS) - all on JBoss 7.1.1.Final. I think I got a little further but ended up with this exception "Cannot Encrypt" - please see attached. I think the STS is having issues encrypting the token being requested by the client, but I am stumped.
Overview of the setup:
CustomPicketLinkSTS
* Custom STS Webservice that extends the PicketLinkSTS class - similar to your example
* stsKeystore.jks - contains a trust entry for SecurityService and Client
* picketlinks-sts.xml
* WSDL that defines UsernameToken, along with encryption and signing
* web.xml
* jboss-web.xml that uses realm based authentication (UserA/PassA) similar to Alice/Clarinet in your example
SecurityService
* Simple "Hello" service that requires a SAML token to be invoked
* WSDL specifies the meta exchange tag that points to the above STS
* serviceKeystore.jks - contains trust entry for Client
Java Client
* Standalone Java Client - same as your client
* clientKeystore.jks - contains trust entry for SecureService and Custom STS
Any suggestions are much appreciated.
Thank you.
-
STS-SecurityServiceError.txt.zip 789 bytes
-
5. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 22, 2013 8:40 PM (in response to pbalachandran)
Alessio:
I figured out the earlier "Cannot Encrypt Data" error - it had to do with my JDK lacking the JCE unlimited strength policy jars.
Now I get the below exception, even though I have the users.properties bundled in the PicketLinkSTS.war that has the UserA and password I am using. Further, the JBoss configuration file (standalone-full-ha.xml) has the security domain I am referencing inside jboss-web.xml defined.
javax.xml.ws.soap.SOAPFaultException: Failed Authentication : Subject has not been created, Authentication failed, principal= UserA
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)
at com.sun.proxy.$Proxy25.sayHello(Unknown Source)
at com.corelogic.ws.client.SecurityServiceClient.testSecurityService(SecurityServiceClient.java:45)
at com.corelogic.ws.client.SecurityServiceClient.main(SecurityServiceClient.java:55)
Caused by: org.apache.cxf.binding.soap.SoapFault: Failed Authentication : Subject has not been created, Authentication failed, principal= UserA
Thank you.
-
6. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 23, 2013 2:36 PM (in response to pbalachandran)
Alessio:
Apologize for bothering you!
I got past the earlier error (Subject has not been created) as well, but now I get some form of parse error (with the PicketLinkSTS class) - please see highlighted.
Any help is much appreciated.
Thank you.
Caused by: javax.xml.ws.WebServiceException: PLFED000110: Security Token Service Exception
at org.picketlink.identity.federation.PicketLinkLoggerImpl.stsWSError(PicketLinkLoggerImpl.java:646) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:131) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:70) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]
at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)
at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)
... 34 more
Caused by: ParsingException [location=null]org.picketlink.identity.federation.core.exceptions.ParsingException: PL00071: Parser: Expected text value:token type
at org.picketlink.identity.federation.core.parsers.wst.WSTRequestSecurityTokenParser.parse(WSTRequestSecurityTokenParser.java:127) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.parsers.wst.WSTrustParser.parse(WSTrustParser.java:58) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:86) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:129) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
-
7. Re: SAML WS and PicketLinkSTS
asoldano Jul 24, 2013 4:18 AM (in response to pbalachandran)
Hi Pradeep,
I'm glad you got past the other integration issues.
The error you're getting now looks like a PicketLink specific one. Hopefully someone from PicketLink team can help.
Alessio
-
8. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 24, 2013 4:10 PM (in response to asoldano)
Thank you Alessio. Can you tell me what versions of JBoss and PicketLink you were using for your POC? Also, is there a link to your code?
-
9. Re: SAML WS and PicketLinkSTS
asoldano Jul 25, 2013 8:38 AM (in response to pbalachandran)
Hi Pradeep,
As previously said, the jbossws testsuite has the sample. You can either download the sources at http://www.jboss.org/jbossws/downloads or svn checkout them from http://anonsvn.jboss.org/repos/jbossws/stack/cxf/tags/
If you check e.g. the latest tag, see [1][2][3].
Use picketlink version 2.1.7.Final.
[3] http://anonsvn.jboss.org/repos/jbossws/stack/cxf/tags/jbossws-cxf-4.2.0.CR1/modules/testsuite/cxf-tests/scripts/cxf-samples-jars-jaxws.xml (the build script, look for picketlink)
-
10. Re: SAML WS and PicketLinkSTS
pbalachandran Jul 25, 2013 12:14 PM (in response to asoldano)
Alessio:
Thank you so much for the reply.
I tried your test suites with my setup and I get the exact same error - missing "tokenType" value. I also ran it with PicketLinkSTS 2.1.7 jars, and the outcome was the same.
On one of the testcases (where you use the .it suffix) I get a SAAJ error - java.lang.NoClassDefFoundError: org/apache/cxf/ws/mex/MetadataExchange. Not sure why.
In any case I haven't received any answers from the PicketLink team, but I truly appreciate you taking the time to help.
..pradeep
-
11. Re: SAML WS and PicketLinkSTS
anil.saldhana Jul 31, 2013 12:34 PM (in response to pbalachandran)
Pradeep Balachandran wrote:
Alessio:
Apologize for bothering you!
I got past the earlier error (Subject has not been created) as well, but now I get some form of parse error (with the PicketLinkSTS class) - please see highlighted.
Any help is much appreciated.
Thank you.
Caused by: javax.xml.ws.WebServiceException: PLFED000110: Security Token Service Exception
at org.picketlink.identity.federation.PicketLinkLoggerImpl.stsWSError(PicketLinkLoggerImpl.java:646) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:131) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:70) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]
at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)
at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)
... 34 more
Caused by: ParsingException [location=null]org.picketlink.identity.federation.core.exceptions.ParsingException: PL00071: Parser: Expected text value:token type
at org.picketlink.identity.federation.core.parsers.wst.WSTRequestSecurityTokenParser.parse(WSTRequestSecurityTokenParser.java:127) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.parsers.wst.WSTrustParser.parse(WSTrustParser.java:58) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:86) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:129) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
Create a JIRA issue at https://issues.jboss.org/browse/PLINK and attach the xml payload that the STS is failing to parse.
-
12. Re: SAML WS and PicketLinkSTS
pbalachandran Aug 1, 2013 2:28 PM (in response to anil.saldhana)
Anil:
I am not sure yet if this warrants a JIRA ticket. Please see the attached payload and let me know if you can tell what is going on. Further, this is what I am deploying to.
Environment:
JBoss 7.1.1-Final
Apache CXF - 2.6.6
PicketLink - 2.1.7
I tried JBoss 7.2.0 as well, but with that setup it does not issue the token (it appears to be issuing a token with JBoss 7.1.1.Final) but results in the same error (Parser: Expected text value: token type).
Thank you.
-
payload.xml 13.3 KB
-
13. Re: SAML WS and PicketLinkSTS
anil.saldhana Aug 1, 2013 2:48 PM (in response to pbalachandran)
The STS is expecting an RST of WS-Trust. The payload does not have it. I feel that this is beyond the capabilities of PicketLink STS. There is a WS-SecureConversation payload shown.
-
14. Re: SAML WS and PicketLinkSTS
pbalachandran Aug 1, 2013 3:04 PM (in response to anil.saldhana)
Anil:
Thank you for your reply. Request Security Token (using meta exchange) is not part of my use case; WS-SecureConversation is, though. That said, I was simply trying to get Alessio's example (above) working, but without luck. In any case, does PicketLinkSTS support the following, and if so, could you provide me a sample?
Use case
Secure Webservice - expects a SAML Assertion, and requires the payload to be signed and encrypted
PicketLinkSTS - expects Username Token authentication to issue or validate a token, and requires the payload to be signed and encrypted
a. Client calls PicketLinkSTS, supplying a username token along with a signed and encrypted payload
b. PicketLinkSTS issues a SAML token
c. Client then calls Secure Webservice, embedding the SAML token, but also signing and encrypting the payload
d. Secure Webservice calls PicketLinkSTS to validate the token.
e. Client is able to call a method on the Secure Webservice's endpoint
Can you provide test cases/code samples for the above use case?
Appreciate your suggestions.
Thank you.
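Two points in the thread lend themselves to a worked check: Anil's diagnosis that the STS expects a WS-Trust RequestSecurityToken (RST) in the SOAP Body and instead saw a WS-SecureConversation payload, and the five-step use case above, whose step (d) is a WS-Trust Validate call from the service back to the STS. The following Python is an added example written for this page; it is not PicketLink, JBossWS or CXF code and not Pradeep's attached payload. It classifies the Body of a SOAP envelope (WS-Trust RST vs. something else, Issue vs. Validate, SAML vs. SecurityContextToken token type) and flags a missing or empty TokenType, and it builds the Validate RST of step (d). The sample envelopes, the `urn:example:securityservice` namespace and the `_constructed` assertion ID are constructed for the example. The reading that PicketLink's "Expected text value: token type" means the TokenType element carried no text is an assumption, not something the thread confirms; the namespace URIs are the published WS-Trust 1.3, WS-Trust 2005/02, SAML token profile and WS-SecureConversation 1.3 values.

```python
"""Constructed WS-Trust payload check: added example, not PicketLink/JBossWS code."""
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
WST_NS = ("http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3
          "http://schemas.xmlsoap.org/ws/2005/02/trust")       # WS-Trust 2005/02
WST13 = WST_NS[0]
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SCT_TOKEN_TYPE = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"
STATUS_TOKEN_TYPE = WST13 + "/RSTR/Status"   # TokenType a WS-Trust 1.3 Validate request carries


def inspect_rst(envelope_xml: str) -> dict:
    """Classify a SOAP envelope's Body: is it a WS-Trust RST an STS could act on?
    Returns kind, request_type (Issue/Validate/...), token_type and a list of problems."""
    root = ET.fromstring(envelope_xml)
    body = None
    for ns in SOAP_NS:                       # accept SOAP 1.1 or 1.2 envelopes
        body = root.find(f"{{{ns}}}Body")
        if body is not None:
            break
    if body is None:
        return {"kind": "not-soap", "request_type": "", "token_type": "",
                "problems": ["no SOAP Body element found"]}

    rst, wst = None, None
    for ns in WST_NS:                        # RST may use either WS-Trust namespace
        rst = body.find(f"{{{ns}}}RequestSecurityToken")
        if rst is not None:
            wst = ns
            break
    if rst is None:                          # e.g. a plain service call, not a token request
        child = body[0].tag if len(body) else "(empty Body)"
        return {"kind": "no-rst", "request_type": "", "token_type": "",
                "problems": [f"Body carries {child}, not a wst:RequestSecurityToken"]}

    def text_of(name):                       # text of a direct child of the RST, or ""
        el = rst.find(f"{{{wst}}}{name}")
        return (el.text or "").strip() if el is not None else ""

    token_type = text_of("TokenType")
    request_type = text_of("RequestType")
    problems = []
    if not token_type:                       # assumption: this is the "token type" text the parser wants
        problems.append("TokenType element missing or empty (no text value for token type)")
    if not request_type:
        problems.append("RequestType element missing or empty")
    if token_type == SCT_TOKEN_TYPE:         # WS-SecureConversation bootstrap, not a SAML request
        kind = "ws-secureconversation"
        problems.append("request asks for a SecurityContextToken, not a SAML assertion")
    else:
        kind = "ws-trust"
    return {"kind": kind, "request_type": request_type.rsplit("/", 1)[-1],
            "token_type": token_type, "problems": problems}


def build_validate_rst(saml_assertion_xml: str) -> str:
    """Step (d) of the use case: the WS-Trust 1.3 Validate request a relying service
    sends to the STS. saml_assertion_xml must be a well-formed Assertion element."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS[0]}"><soapenv:Body>'
            f'<wst:RequestSecurityToken xmlns:wst="{WST13}">'
            f'<wst:TokenType>{STATUS_TOKEN_TYPE}</wst:TokenType>'
            f'<wst:RequestType>{WST13}/Validate</wst:RequestType>'
            f'<wst:ValidateTarget>{saml_assertion_xml}</wst:ValidateTarget>'
            '</wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>')


# --- constructed sample payloads (not the thread's payload.xml) ---
def _envelope(body_inner):
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS[0]}"><soapenv:Body>'
            f'{body_inner}</soapenv:Body></soapenv:Envelope>')


def _rst(token_type, request_type="Issue"):
    tt = f"<wst:TokenType>{token_type}</wst:TokenType>" if token_type else "<wst:TokenType/>"
    return _envelope(f'<wst:RequestSecurityToken xmlns:wst="{WST13}">{tt}'
                     f'<wst:RequestType>{WST13}/{request_type}</wst:RequestType>'
                     '</wst:RequestSecurityToken>')


ISSUE_SAML2 = _rst(SAML2_TOKEN_TYPE)        # step (a): what the STS should see
EMPTY_TOKEN_TYPE = _rst(None)               # RST whose TokenType carries no text
SCT_ISSUE = _rst(SCT_TOKEN_TYPE)            # WS-SecureConversation token request
HELLO_CALL = _envelope('<ns:sayHello xmlns:ns="urn:example:securityservice"/>')  # plain call

if __name__ == "__main__":
    for name, env in [("issue", ISSUE_SAML2), ("empty", EMPTY_TOKEN_TYPE),
                      ("sct", SCT_ISSUE), ("hello", HELLO_CALL)]:
        print(name, inspect_rst(env))
```

Running the script prints one classification per sample; the same function applied to a captured STS request (for example the body a CXF client sends on step (a)) tells you immediately whether the Body is an RST at all, which binding it asks for, and whether TokenType is populated, before digging into PicketLink's parser.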