-
1. Re: Securing a switchyard rest-bind application
kcbabo Nov 9, 2013 9:42 AM (in response to d.synchronized)
Take a look at the policy-security* examples in the demos section of the quickstarts:
https://github.com/jboss-switchyard/quickstarts/tree/master/demos
Quite a few examples of using security policy with SOAP there. Securing a REST endpoint is a matter of configuring the underlying listener in standalone.xml to use SSL. Information on that can be found in the AS 7 documentation. For example:
SSL setup guide - JBoss AS 7.2 - Project Documentation Editor
-
2. Re: Securing a switchyard rest-bind application
d.synchronized Nov 10, 2013 6:21 AM (in response to kcbabo)
Hi Keith,
Thanks for your reply. I tried with a quickstart security-policy-xaml project and configured it according to the instructions.
Steps followed to configure it:
1. Created a tomcat.jks file,
2. Configured https,
3. Configured security-domains,
4. Placed sts.war in deployments,
5. Copied property file into the configurations,
6. Deployed project and ran WorkServiceMain class with required arguments,
but whenever I run the above mentioned class, I get the following error:
11:04:05,920 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-localhost-127.0.0.1-8443-1) Application {urn:switchyard-quickstart-demo:policy-security-saml:0.1.0}WorkService#{urn:switchyard-quickstart-demo:policy-security-saml:0.1.0}doWork has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: Required policies have not been provided: clientAuthentication
at org.jboss.wsf.stack.cxf.JBossWSInvoker.createFault(JBossWSInvoker.java:246)
at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:201)
at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:127)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439) [rt.jar:1.6.0_43]
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) [rt.jar:1.6.0_43]
at java.util.concurrent.FutureTask.run(FutureTask.java:138) [rt.jar:1.6.0_43]
at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_43]
Caused by: org.switchyard.exception.SwitchYardException: Required policies have not been provided: clientAuthentication
at org.switchyard.component.soap.InboundHandler.invoke(InboundHandler.java:223) [switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]
at org.switchyard.component.soap.endpoint.BaseWebService.invoke(BaseWebService.java:113) [switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]
at org.switchyard.component.soap.endpoint.BaseWebService.invoke(BaseWebService.java:43) [switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_43]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_43]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_43]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_43]
at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)
at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)
... 31 more
When I was debugging the WorkServiceMain class, I found that assertions were coming as assertion:saml null. Well, I don't know what that signifies, but in the end I was not able to invoke the SOAP endpoint. Since assertions are the main thing handling the client authentication, am I missing something in the configurations?
Regards,
d.synchronized
-
3. Re: Securing a switchyard rest-bind application
dward Nov 11, 2013 9:59 AM (in response to d.synchronized)
Did you add the required security section to your switchyard.xml file, including the STSTokenCallbackHandler? Aside, what version of SwitchYard are you using?
-
4. Re: Securing a switchyard rest-bind application
d.synchronized Nov 13, 2013 3:48 AM (in response to dward)
Hi David,
I am using SwitchYard version 1.0.0.Final and yes, it has STSTokenCallbackHandler already configured.
This is what it looks like:
<securities>
    <security callbackHandler="org.switchyard.security.jboss.callback.handler.STSTokenCallbackHandler" securityDomain="saml-validate-token"/>
</securities>
This has been added to the domain tags. I have configured this project from the quickstarts. Still not able to solve the error.
Thanks for your help in advance,
d.synchronized
-
5. Re: Securing a switchyard rest-bind application
d.synchronized Nov 13, 2013 4:43 AM (in response to d.synchronized)
If I run the test class WorkServiceMain, then in the method getAssertion(), where it is asking the PicketLink STS for the assertions,
WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
"http://localhost:8080/picketlink-sts/PicketLinkSTS", new SecurityInfo("admin", "admin"));
//Element assertion = client.issueTokenForEndpoint("urn:switchyard-quickstart-demo:policy-security-saml:0.1.0");
Element assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
the assertions are coming like [saml:Assertion: null]. That means no authentication data, I suppose?
Do I need to give you some other information apart from this? I am using one of the projects from the quickstarts, and I have not made any changes to it.
Regards,
-
6. Re: Securing a switchyard rest-bind application
dward Nov 13, 2013 9:57 AM (in response to d.synchronized)
[saml:Assertion: null] is how the default toString() method outputs xml element nodes. It doesn't mean it is null. The fact that you see that means that there is, in fact, an Assertion element.
Please let me see your entire target/classes/META-INF/switchyard.xml file.
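Editor's example, added here and not part of dward's post or the quickstart code: it reproduces the [saml:Assertion: null] output on a constructed element and serializes the element to see its real content. The class name AssertionDump, the helper toXml and the sample element are assumptions standing in for the Element returned by issueToken().

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class AssertionDump {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Serialize a DOM element to XML text instead of relying on toString(). */
    static String toXml(Element element) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(element), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the token element; not a real STS response.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element assertion = doc.createElementNS(SAML_NS, "saml:Assertion");
        assertion.setAttribute("ID", "ID_constructed-sample");
        assertion.setAttribute("Version", "2.0");
        Element issuer = doc.createElementNS(SAML_NS, "saml:Issuer");
        issuer.setTextContent("PicketLinkSTS");
        assertion.appendChild(issuer);

        // The JDK's bundled DOM prints "[nodeName: nodeValue]"; nodeValue is null for every element.
        System.out.println("toString():     " + assertion);
        System.out.println("getNodeValue(): " + assertion.getNodeValue());
        // These show whether the token actually carries content:
        System.out.println("child nodes:    " + assertion.getChildNodes().getLength());
        System.out.println(toXml(assertion));
    }
}
```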
-
7. Re: Securing a switchyard rest-bind application
d.synchronized Nov 13, 2013 10:13 AM (in response to dward)
Hi David,
Here I am attaching my switchyard.xml file,
and I am using a SwitchYard server which was configured for SwitchYard version 0.6.0.Final. I don't think that can cause any problem? Apart from the version, my security subsystem is properly configured.
Thanks for your help in advance,
d.synchronized@gmail.com
switchyard.xml 3.3 KB
-
8. Re: Securing a switchyard rest-bind application
dward Nov 13, 2013 10:59 AM (in response to d.synchronized)
Yes, that would be a problem. I think this is quite possibly the cause for your problems in the other threads you've posted. You said above you're using SwitchYard 1.0.0.Final, but now you just told me you're targeting a server configured with 0.6.0.Final. That's not gonna work. You should align your versions properly.
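Editor's example, added here and not from the thread or the SwitchYard project: the mismatch dward describes is already visible in the stack trace from post 2, whose frames carry a [jar:version] suffix. This sketch extracts the SwitchYard versions from such lines and compares them with the version the project is built against. The class name SwitchYardVersionCheck and its method are assumptions; the two input lines are copied from the trace above.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SwitchYardVersionCheck {
    // Matches the "[switchyard-<artifact>-<version>.jar:<version>]" suffix seen on frames in the trace.
    private static final Pattern FRAME_JAR =
            Pattern.compile("\\[(switchyard-[\\w-]+?)-(\\d[\\w.]*)\\.jar:[^\\]]*\\]");

    /** Map of SwitchYard version -> artifacts loaded at that version, as seen in the log lines. */
    static Map<String, Set<String>> runtimeVersions(List<String> logLines) {
        Map<String, Set<String>> byVersion = new TreeMap<>();
        for (String line : logLines) {
            Matcher m = FRAME_JAR.matcher(line);
            while (m.find()) {
                byVersion.computeIfAbsent(m.group(2), v -> new TreeSet<>()).add(m.group(1));
            }
        }
        return byVersion;
    }

    public static void main(String[] args) {
        String projectVersion = "1.0.0.Final"; // version the application targets, per post 4
        // Two lines copied from the stack trace earlier in this thread.
        List<String> trace = Arrays.asList(
            "at org.switchyard.component.soap.InboundHandler.invoke(InboundHandler.java:223) "
                + "[switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]",
            "at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_43]");

        Map<String, Set<String>> seen = runtimeVersions(trace);
        for (Map.Entry<String, Set<String>> e : seen.entrySet()) {
            String verdict = e.getKey().equals(projectVersion) ? "OK" : "MISMATCH";
            System.out.println(verdict + ": runtime " + e.getKey() + " " + e.getValue()
                    + " vs project " + projectVersion);
        }
        if (seen.isEmpty()) {
            System.out.println("No SwitchYard frames with jar versions found in the input.");
        }
    }
}
```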
-
9. Re: Securing a switchyard rest-bind application
d.synchronized Nov 13, 2013 12:08 PM (in response to dward)
Hi David,
Thanks for your help, man. I configured all the versions in a proper order and the error is gone, and in the meanwhile I got to learn about a few configuration topics as well, how this STS thing is working.
Cheers
d.synchronized
-
10. Re: Securing a switchyard rest-bind application
dward Nov 13, 2013 1:08 PM (in response to d.synchronized)
Glad to hear it!