Can someone please share information around PicketLinkSTS and SAML contract first Web Services - I was hoping the PicketLinkSTS leads (Anil or Alessio) would reply to this.

Thank you.

Alessio:

Thank you for the reply - I have the following questions with respect to your example (https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS#WS-TrustandSTS-PicketLinkSTS).

a. EAP 6.1 does not have PicketLink bundled with it - so when I run the PicketLink quickstart installer, it fails(the picketlink module is mising in the distro).

b. With the example that you reference in the above article, can I get it to work without having to create an "extended" STS like you have - meaning can I get it to work with quickstart STS WAR?

c. Can you point me to the jbossws testsuite download link?

Can you share a link to the actual code you reference in the above example (link)?

Thank you.

Alessio:

I retooled my setup to mimic your example (including the Custom STS extending PicketLinkSTS) - all on JBoss 7.1.1.Final.  I think I got a little further but ended up with this exception "Cannot Encrypt" - please see attached.  I think the STS is having issues encrypting the token being requested by the client, but I am stumped.

Overview of the setup:

CustomPicketLinkSTS

* Custom STS Webservice that extends the PicketLinkSTS class - similar to your example

* stsKeystore.jks - contains a trust entry for SecurityService and Client

* picketlinks-sts.xml

* WSDL that defines UsernameToken, along with encryption and signing

* web.xml

* jboss-web.xml that uses realm based authentication (UserA/PassA) similar to Alice/Clarinet in your example

SecurityService

* Simple "Hello" service that requires a SAML token to be invoked

* WSDL specifies the meta exchange tag that points to the above STS

* serviceKeystore.jks - contains trust entry for Client

Java Client

* Standalone Java Client - same as your client

* clientKeystore.jks - contains trust entry for SecureService and Custom STS

Any suggestions are much appreciated.

Thank you.

Alessio:

I figured out the earlier "Cannot Encrypt Data" error - it had to with my JDK lacking the JCE unlimited strength policy jars.

Now I get the below exception, even though I have the users.properties bundled in the PicketLinkSTS.war that has the UserA and password I am using.  Further the jboss configuration file (standalone-full-ha.xml) has the security domain I am referencing inside jboss-web.xml defined.

javax.xml.ws.soap.SOAPFaultException: Failed Authentication : Subject has not been created, Authentication failed, principal= UserA

    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)

    at com.sun.proxy.$Proxy25.sayHello(Unknown Source)

    at com.corelogic.ws.client.SecurityServiceClient.testSecurityService(SecurityServiceClient.java:45)

    at com.corelogic.ws.client.SecurityServiceClient.main(SecurityServiceClient.java:55)

Caused by: org.apache.cxf.binding.soap.SoapFault: Failed Authentication : Subject has not been created, Authentication failed, principal= UserA

Thank you.

Alessio:

Appologize for bothering you!

I got past the earlier error (Subject has not been created) as well, but now I get some form of parse error (with the PicketLinkSTS class) - please see highlighted.

Any help is much appreciated.

Thank you.

Caused by: javax.xml.ws.WebServiceException: PLFED000110: Security Token Service Exception

    at org.picketlink.identity.federation.PicketLinkLoggerImpl.stsWSError(PicketLinkLoggerImpl.java:646) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

    at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:131) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

    at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:70) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]

    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]

    at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)

    at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)

    ... 34 more

Caused by: ParsingException [location=null]org.picketlink.identity.federation.core.exceptions.ParsingException: PL00071: Parser: Expected text value:token type

    at org.picketlink.identity.federation.core.parsers.wst.WSTRequestSecurityTokenParser.parse(WSTRequestSecurityTokenParser.java:127) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

    at org.picketlink.identity.federation.core.parsers.wst.WSTrustParser.parse(WSTrustParser.java:58) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

    at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:86) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

    at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:129) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

Thank you Alessio.  Can you tell me what versions of JBoss and PicketLink version were you using for your POC.  Also is there a link to you code?

Aleesio:

Thank you so much for the reply.

I tried your test suites with my setup and I get the exact same error - missing "tokenType" value.  I also ran it with PicketLinkSTS 2.1.7 jars, and the outcome was the same.

On one of the testcases (where you use the .it suffix) I get a SAAJ error - java.lang.NoClassDefFoundError: org/apache/cxf/ws/mex/MetadataExchange.  Not sure why.

In any case I haven't received any answers from the PicketLink team, but I truly appreciate you taking the time to help.

..pradeep

Anil:

I am not sure yet, if this warrants a JIRA ticket.  Please see attached payload and let me know if you can tell what is going on.  Further this what I am deploying to.

Environment:

JBoss 7.1.1-Final

Apache CXF - 2.6.6

PicketLink - 2.1.7

I tried JBoss 7.2.0 as well, but with that setup it does not issue the token (it appears to be issuing a token with JBoss 7.1.1.Final) but results in the same error (Parser: Expected text value: token type).

Thank you.

Anil:

Thank you for your reply.  Request Security Token (using meta exchange) is not part of my usecase, WS Secure conversation is though.  That said, I was simply trying to get Alessio's example (above) working, but without luck.  In any case does PicketLinkSTS support the following and if so, could you provide me a sample.

Usecase

Secure Webservice - expects SAML Assertion, and requires payload be signed and encrypted

PicketLinkSTS - expects Username Token authentication to issue or validate token, and requires payload be signed and encrypted

a. Client calls PicketLinkSTS, supplying a username token along with a signed and encrypted payload

b. PicketLinkSTS issues a SAML token

c. Client then calls Secure Webservice, embedding the SAML token, but also signing and encrypting the payload

d. Secure Webservice calls PicketLinkSTS to validate the token.

e. Client is able to call a method on the Secure Webservice's endpoint

Can you provide test cases/code samples for the above usecase?

Appreciate your suggestions.

Thank you.