28 Replies. Latest reply on Nov 14, 2013 2:51 PM by pbalachandran
      • 15. Re: SAML WS and PicketLinkSTS
        asoldano

        Anil,

        As far as I understand from the payload above, the user is basically using WS-Security to protect the message sent to the STS. The request is indeed an RST, but it's encrypted. The handling of the WS-Security layer is up to JBossWS/CXF. So my gut feeling is that the STS endpoint (internally implemented using PicketLink) that the user is using is not properly configured (CXF annotations, policies in the WSDL, etc.)

        Pradeep, have you tried the sample in JBossWS testsuite?

        Btw, JBossWS-CXF also supports WS-SecureConversation.

        • 16. Re: SAML WS and PicketLinkSTS
          pbalachandran

          Alessio:

           

          I am trying to implement exactly what you did in this article (https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS), in the PicketLink section.  If it worked for you, it ought to work for me as well, but it does not.  Aside from a misconfiguration and the CXF and JBoss versions, I don't see what other issues may prevent this from working.

           

          You seem to have used an RST with WS-Security (encryption & signing), which is what I am trying to do as well.  I have attached the WSDL and the custom PicketLink STS as well.  I tried the same setup using the Apache CXF STS as well (the other half of your article), and I get the same parser error.

          • 17. Re: SAML WS and PicketLinkSTS
            asoldano

            Folks, sorry for the late reply. My feeling is that here we have a request with a token that is somehow not understood by PicketLink, so I agree with Anil when he says to create a JIRA with the message that PicketLink is failing to process with the previously mentioned parse issue. Now, the point is that the message being sent is encrypted, so the user needs to get the plain version. I suggest enabling SOAP message logging (Advanced User Guide - JBoss Web Services - Project Documentation Editor) and possibly also turning on DEBUG level logging for the org.apache.cxf and org.apache.ws.security categories in the AS configuration. Then look at the logs and get the decrypted version of the SOAP message, which should be printed by a CXF interceptor before the invocation reaches the PicketLink endpoint.
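
The logging setup the reply above asks for, written out as an added example for a JBoss AS 7.1.x standalone.xml (this is not the thread's configuration nor the JBossWS documentation). It assumes the AS 7.1.1 schema versions shown (`urn:jboss:domain:1.2`, `urn:jboss:domain:logging:1.1`) and that the bundled CXF honours the `org.apache.cxf.logging.enabled` system property, which attaches CXF's LoggingFeature to every endpoint and client; copy the namespace versions from your own standalone.xml rather than trusting these.

```xml
<server xmlns="urn:jboss:domain:1.2">
    <!-- ... extensions unchanged ... -->

    <!-- Goes right after <extensions>. Attaches the CXF LoggingFeature to every
         endpoint/client, so each inbound and outbound SOAP message is logged. -->
    <system-properties>
        <property name="org.apache.cxf.logging.enabled" value="true"/>
    </system-properties>

    <!-- ... paths, management unchanged ... -->

    <profile>
        <subsystem xmlns="urn:jboss:domain:logging:1.1">
            <console-handler name="CONSOLE">
                <!-- default is INFO; without raising it the DEBUG loggers below
                     only show up in server.log, not on the console -->
                <level name="DEBUG"/>
                <formatter>
                    <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                </formatter>
            </console-handler>
            <periodic-rotating-file-handler name="FILE">
                <formatter>
                    <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                </formatter>
                <file relative-to="jboss.server.log.dir" path="server.log"/>
                <suffix value=".yyyy-MM-dd"/>
                <append value="true"/>
            </periodic-rotating-file-handler>

            <!-- WSS4J: decryption, signature verification, token processing -->
            <logger category="org.apache.ws.security">
                <level name="DEBUG"/>
            </logger>
            <!-- CXF interceptor chain, including the LoggingFeature output -->
            <logger category="org.apache.cxf">
                <level name="DEBUG"/>
            </logger>

            <root-logger>
                <level name="INFO"/>
                <handlers>
                    <handler name="CONSOLE"/>
                    <handler name="FILE"/>
                </handlers>
            </root-logger>
        </subsystem>
        <!-- ... other subsystems unchanged ... -->
    </profile>
</server>
```

Two caveats. The LoggingFeature logs the inbound message as received, i.e. still encrypted; per the reply above, the decrypted form is what to look for in the DEBUG output of the WS-Security layer before the PicketLink endpoint is invoked. And a DEBUG log of the security layer contains plaintext message bodies and can contain credentials, so do this on a test box only and remove both loggers and the system property once the parse problem is captured.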

            • 18. Re: SAML WS and PicketLinkSTS
              pbalachandran

              Alessio:

               

              I am trying to get this to work again!  I got a little further this time, but I am starting to get these messages and I am not sure what to make of them.

               

              **********************************************************************************************************************************************************************************************

              Message1:

              Caused by: java.lang.RuntimeException: PLFED000010: Error obtaining public key for service: http://10.137.8.81:8081/SecurityService

                      at org.picketlink.identity.federation.PicketLinkLoggerImpl.stsPublicKeyError(PicketLinkLoggerImpl.java:685) [picketlink-jbas7-2.1.7.Final.jar:2.1.7.Final]

                      at org.picketlink.identity.federation.core.wstrust.PicketLinkSTSConfiguration.getServiceProviderPublicKey(PicketLinkSTSConfiguration.java:310) [picketlink-core-2.1.7.Final.jar:2

               

              Notes:

              a. This message is misleading because I am able to use the STS's password and look inside the STS Keystore - it shows that the service key is available.

              b. Not sure why he is complaining.

               

              Message2:

              Caused by: java.lang.IllegalStateException: PLFED000058: KeyStoreKeyManager : Domain Alias missing for : http://10.137.8.81:8081/SecurityService

                      at org.picketlink.identity.federation.PicketLinkLoggerImpl.keyStoreMissingDomainAlias(PicketLinkLoggerImpl.java:183) [picketlink-jbas7-2.1.7.Final.jar:2.1.7.Final]

                      at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:196) [picketlink-core-2.1.7.Final.jar:2.1.7.Final]

                      at org.picketlink.identity.federation.core.wstrust.PicketLinkSTSConfiguration.getServiceProviderPublicKey(PicketLinkSTSConfiguration.java:307) [picketlink-core-2.1.7.Final.jar:2.1

               

              Notes:

              a. Not sure what to make of this one - it may have something to do with the <ValidatingAlias> tag inside the picketlink-sts.xml.  I have the following line

                   <ValidatingAlias Key="http://10.137.8.81:8081/SecurityService/securityService" Value="myservicekey"/>


              **********************************************************************************************************************************************************************************************

              Could you also tell me what versions of these components I should be using

               

              * Apache CXF Version

              * PicketLink Version

              * JBoss Version

               

              Thank you.

              • 19. Re: SAML WS and PicketLinkSTS
                pbalachandran

                Alessio:

                 

                I am trying to get this to work again!  I got a little further this time.

                 

                I finally figured out why the PicketLinkSTS wasn't issuing a token.  It appears that <ValidatingAlias Key="http://10.137.8.81:8081/SecurityService" Value="myservicekey"/> should stop short of specifying the actual endpoint (aka service name) of the secure service - in my case it would be "http://10.137.8.81:8081/SecurityService/securityService".  When I just give the domain name it works, because the PicketLinkSTSConfiguration class is searching for a key that "excludes" the actual service name.

                 

                However, once the token is issued by PicketLinkSTS, the Secure Service fails on validation (even though the stack says warning).

                 

                16:02:07,493 WARNING [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor] (http--10.137.8.81-8081-1) : org.apache.ws.security.WSSecurityException: General security error (Unable to load class org.apache.ws.security.validate.SamlAssertionValidator)

                        at org.apache.ws.security.WSSConfig.getValidator(WSSConfig.java:765) [wss4j-1.6.5.jar:1.6.5]

                        at org.apache.ws.security.handler.RequestData.getValidator(RequestData.java:451) [wss4j-1.6.5.jar:1.6.5]

                        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor$CXFRequestData.getValidator(WSS4JInInterceptor.java:692) [cxf-rt-ws-security-2.4.6.jar:2.4.6]

                        at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:51) [wss4j-1.6.5.jar:1.6.5]

                        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:397) [wss4j-1.6.5.jar:1.6.5]

                        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249) [cxf-rt-ws-security-2.4.6.jar:2.4.6]

                        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85) [cxf-rt-ws-security-2.4.6.jar:2.4.6]


                Please see attached for entire stacktrace.  I think I am close and any suggestions from you is appreciated, as always.


                Thank you.
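
On the ValidatingAlias finding above: the PLFED000058 message prints the exact string the STS looked up (`http://10.137.8.81:8081/SecurityService`), so the `Key` attribute has to match that string character for character; the quickest check is to copy it from the error. As far as I know that string is the AppliesTo address carried in the token request, which is an assumption about PicketLink's internals, not something the thread states. The picketlink-sts.xml below is an added example, not the configuration attached to the thread; the STSName, keystore file name, passwords and the STS signing alias are placeholders, while the host, port and `myservicekey` alias are the ones from the posts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/classes/picketlink-sts.xml of the STS deployment (added example; placeholders marked) -->
<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
               STSName="PicketLinkSTS" TokenTimeout="7200" EncryptToken="true">

    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
        <!-- placeholders: keystore, passwords and the alias of the STS signing key -->
        <Auth Key="KeyStoreURL" Value="stsstore.jks"/>
        <Auth Key="KeyStorePass" Value="stsstorepass"/>
        <Auth Key="SigningKeyAlias" Value="mystskey"/>
        <Auth Key="SigningKeyPass" Value="mystskeypass"/>

        <!-- WRONG for this setup: the string in PLFED000058 has no trailing
             "/securityService", so this entry is never found and the STS fails
             with PLFED000010 / PLFED000058 instead of issuing a token. -->
        <!--
        <ValidatingAlias Key="http://10.137.8.81:8081/SecurityService/securityService" Value="myservicekey"/>
        -->

        <!-- RIGHT: identical to the string the STS printed in the error. Value is the
             truststore alias of the service certificate the STS uses for tokens issued
             to this service. -->
        <ValidatingAlias Key="http://10.137.8.81:8081/SecurityService" Value="myservicekey"/>
    </KeyProvider>

    <TokenProviders>
        <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
                       TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                       TokenElement="Assertion"
                       TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
    </TokenProviders>

    <ServiceProviders>
        <!-- Endpoint must use the same string as the ValidatingAlias Key above -->
        <ServiceProvider Endpoint="http://10.137.8.81:8081/SecurityService"
                         TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                         TruststoreAlias="myservicekey"/>
    </ServiceProviders>
</PicketLinkSTS>
```

The lookup is an exact string match, so scheme, host, port and path all count: a client that sends `https://...` or a hostname where the configuration has an IP address fails the same way, with the offending string in the PLFED000058 message.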

                • 20. Re: SAML WS and PicketLinkSTS
                  asoldano

                  Pradeep,

                  the relevant part of the exception is java.lang.NoClassDefFoundError: org/opensaml/xml/validation/ValidationException. The version of JBoss AS you're using is likely missing the OpenSAML libraries. As mentioned in one of my initial comments in this thread, you need at least JBossWS 4.1.x. So either choose a JBoss AS version already shipping it, or install it by running the JBossWS binary distribution build (in that case, download JBossWS from JBossWS Downloads - Latest (4.x) - JBoss Community and check the supported target containers at JBossWS - Supported Target Containers).

                  • 21. Re: SAML WS and PicketLinkSTS
                    pbalachandran

                    Alessio:

                     

                    I did see the NoClassDefFoundError and also saw that OpenSAML wasn't installed on the JBoss version I am using (which is JBoss AS 7.1.1.Final).  The JBossWS version that ships with JBoss AS 7.1.1.Final appears to be 4.0.2.GA.  I must have overlooked your point on JBossWS 4.1.x or higher from the earlier post - apologies.  I will try installing the latest JBossWS version by hand and see if I can get through the (hopefully last) error!

                     

                    Appreciate your feedback.

                     

                    ..pradeep

                    • 22. Re: SAML WS and PicketLinkSTS
                      pbalachandran

                      Alessio:

                       

                      Per your suggestion, I moved my deployments to EAP 6.1.0, but now I run into an ehCache problem!  I think it is trying to cache the SAML Token and it fails without ehcache libraries.  Do I need to manually install ehCache now for EAP 6.1?

                       

                      javax.xml.ws.soap.SOAPFaultException: Response was of unexpected text/html ContentType.  Incoming portion of HTML stream (JBoss Web/7.2.0.Final-redhat-1 - JBWEB000064: Error report, markup stripped):

                      JBWEB000065: HTTP Status 500 - JBWEB000248: Servlet execution threw an exception

                      JBWEB000069: description: JBWEB000145: The server encountered an internal error that prevented it from fulfilling this request.

                      JBWEB000070: exception: javax.servlet.ServletException: JBWEB000248: Servlet execution threw an exception

                      JBWEB000071: root cause: java.lang.NoClassDefFoundError: net/sf/ehcache/Ehcache

                          org.apache.cxf.ws.security.cache.EHCacheReplayCacheFactory.newReplayCache(EHCacheReplayCacheFactory.java:34)

                          org.apache.cxf.ws.security.wss4j.WSS4JUtils.getReplayCache(WSS4JUtils.java:79)

                          org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.getReplayCache(WSS4JInInterceptor.java:747)

                          org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:250)

                          org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:96)

                          org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)

                          org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)

                          org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)

                          org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:95)

                          org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:156)

                          org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)

                          org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:225)

                          org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:145)

                          javax.servlet.http.HttpServlet.service(HttpServlet.java:754)

                          org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)

                          org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)

                          javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

                      • 23. Re: SAML WS and PicketLinkSTS
                        pbalachandran

                        Alessio:

                         

                        I finally got it to work on JBoss AS 7.1.1.Final, with a tremendous amount of feedback from you!

                         

                        Notes:

                         

                        a. JBoss AS7.1.1.Final - WORKS

                           I added opensaml libraries to JBoss AS 7.1.1.Final and referenced them in a couple of places (I essentially did what EAP 6.1 was doing)

                              - org/apache/ws/security

                              - org/apache/cxf

                         

                        b. JBoss EAP 6.1 - DOES NOT WORK

                           Even though the opensaml libraries already exist, I am getting ehCache issues (please see prior post for stacktrace)

                         

                        Please comment on item b when you get a chance.

                         

                        Thank you.

                        • 24. Re: SAML WS and PicketLinkSTS
                          asoldano

                          Hi Pradeep,

                          regarding (b), the root cause is basically https://issues.apache.org/jira/browse/CXF-4991. I believe you might have the ehcache libs available somewhere and CXF is erroneously thinking it can use them because of the CXF-4991 bug. The bug is fixed in Apache CXF 2.6.8, which is included in EAP 6.1.1.

                          Alternatively, you can manually create an EHCache jboss module and set proper dependencies on it in the org.apache.cxf / org.apache.cxf.impl modules.
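
The manual module route from the reply above, as an added example (these are not the thread's or the project's files). The same module.xml dependency edit is what note (a) of the earlier post describes for the OpenSAML jars on AS 7.1.1. The Ehcache jar name and version, the `org.slf4j` and `javax.api` dependencies and the directory layout are assumptions to check against your installation: JBoss AS 7.1.1 keeps modules under `$JBOSS_HOME/modules/<name>/main`, EAP 6.1 under `$JBOSS_HOME/modules/system/layers/base/<name>/main`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- EAP 6.1 layout: $JBOSS_HOME/modules/system/layers/base/net/sf/ehcache/main/module.xml
     Place the Ehcache jar next to this file; the file name is an assumed version. -->
<module xmlns="urn:jboss:module:1.1" name="net.sf.ehcache">
    <resources>
        <resource-root path="ehcache-core-2.5.1.jar"/>
    </resources>
    <dependencies>
        <!-- Ehcache logs through SLF4J, which the server already ships as a module -->
        <module name="org.slf4j"/>
        <!-- exposes the javax.* JDK packages (JMX etc.) that Ehcache touches -->
        <module name="javax.api"/>
    </dependencies>
</module>
```

Then add `<module name="net.sf.ehcache"/>` to the `<dependencies>` of `org/apache/cxf/main/module.xml` and `org/apache/cxf/impl/main/module.xml` (the two modules the reply names) and restart. Do not work around the error by disabling the replay cache instead: the trace shows WSS4JInInterceptor creating it, and that cache is what lets the inbound side reject replayed Timestamp and nonce values, so the right fixes are either making Ehcache resolvable as above or moving to EAP 6.1.1 with CXF 2.6.8 as the reply suggests.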

                          • 25. Re: SAML WS and PicketLinkSTS
                            asoldano

                            Ah, forgot to say, that I'm glad you got your app working

                            • 26. Re: SAML WS and PicketLinkSTS
                              pbalachandran

                              Thank you Alessio.

                               

                              I have a few followup questions:

                               

                              a. How do I go about just calling the PicketLinkSTS (that has signing and encryption enabled), plus JBoss domain authentication configured, to retrieve a token?  Essentially I want to take the custom PicketLinkSTS you created, and simply have him issue a token.

                               

                              Notes:

                              * I created a service that simply asks for a token from the STS and I am unable to "populate" everything the STS wants in the AbstractRequestSecurityTokenType (which is the input to the STS).

                              * Is there a WSTrustClient-like class that can be used to provide the basic authentication (SecurityInfo) plus the certificate information?

                              * I am trying something like this to call the STS directly, but haven't had much luck  (please see attached).

                               

                              b. Why doesn't PicketLinkSTS expose the other methods that are usually associated with an STS (validate, renew, cancel, etc.)?

                               

                              Thank you.

                               

                              ..pradeep

                              • 27. Re: SAML WS and PicketLinkSTS
                                asoldano

                                The PicketLinkSTS (as well as my org.jboss.test.ws.jaxws.samples.wsse.policy.trust.PicketLinkSTService extending it) are JAX-WS endpoints; you can treat them as any other WS endpoints. That means you can generate a corresponding JAX-WS client (using the wsconsume tool, for instance) and use it to invoke any STS exposed operation. If the STS endpoint uses WS-SecurityPolicy (which is the case for my PicketLinkSTService), you of course need to provide the proper WS-Security properties when doing the invocation (just as with any other WS-SecurityPolicy enabled endpoint).

                                The WSTrustClient from PicketLink codebase might not work out of the box with my PicketLinkSTService because it's most likely not able to deal with WS-Security Policy and would need to be enhanced; directly building up a jaxws client for the sts endpoint is probably the way to go in this case.

                                 

                                As to why the PicketLinkSTS does not support validate, renew, cancel, etc., I don't really know what is actually implemented and what is not, someone from PicketLink project (Anil?) should know this.
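
A cxf.xml that wires an `STSClient` into the SecurityService proxy, as an added example of the "treat the STS as a policy-enabled endpoint" approach described above (it is neither the thread's attachment nor JBossWS test code). The STS WSDL URL, the STS service and port QNames, the SecurityService port QName and namespace, the callback handler class, the `clientKeystore.properties` file and the `myclientkey`/`mystskey` aliases are assumptions; take the QNames from the two WSDLs and the aliases from your own keystore.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- cxf.xml on the client classpath (added example; QNames, URLs, class and file names are assumptions) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <!-- Client for the STS itself. It satisfies the STS WS-SecurityPolicy: UsernameToken
         for the user, request signed with myclientkey, encrypted for the STS certificate. -->
    <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf"/>
        <property name="wsdlLocation" value="http://10.137.8.81:8081/sts/PicketLinkSTS?wsdl"/>
        <property name="serviceName" value="{urn:picketlink:identity-federation:sts}PicketLinkSTS"/>
        <property name="endpointName" value="{urn:picketlink:identity-federation:sts}PicketLinkSTSPort"/>
        <property name="properties">
            <map>
                <entry key="ws-security.username" value="alice"/>
                <!-- hands out the UsernameToken and private-key passwords; keep them out of this file -->
                <entry key="ws-security.callback-handler" value="com.example.sts.ClientCallbackHandler"/>
                <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
                <!-- alias of the STS certificate in the client keystore -->
                <entry key="ws-security.encryption.username" value="mystskey"/>
                <!-- client key whose certificate ends up in the issued token's KeyInfo (holder-of-key) -->
                <entry key="ws-security.sts.token.username" value="myclientkey"/>
                <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/>
                <entry key="ws-security.sts.token.usecert" value="true"/>
            </map>
        </property>
    </bean>

    <!-- The SecurityService proxy obtained through the JAX-WS API (Service.getPort). Its policy
         requires an IssuedToken, so CXF calls stsClient first and places the SAML assertion in
         the request. The aliases here are for the service call: signed with myclientkey,
         encrypted for the service certificate (myservicekey). -->
    <jaxws:client name="{http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}SecurityServicePort"
                  createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.sts.client" value-ref="stsClient"/>
            <entry key="ws-security.callback-handler" value="com.example.sts.ClientCallbackHandler"/>
            <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
            <entry key="ws-security.signature.username" value="myclientkey"/>
            <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
            <entry key="ws-security.encryption.username" value="myservicekey"/>
        </jaxws:properties>
    </jaxws:client>
</beans>
```

The `name` of the `jaxws:client` element must be the port QName from the service WSDL and `createdFromAPI="true"` is required when the proxy is created with `Service.getPort` rather than declared in Spring; otherwise the STS client is silently not attached and the IssuedToken policy fails. The trust chain is only as good as the keystore entries behind the two `encryption.username` aliases: `mystskey` decides which party can read the token request, `myservicekey` which party can read the service call, so both certificates should be pinned in the client keystore rather than fetched at runtime.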

                                • 28. Re: SAML WS and PicketLinkSTS
                                  pbalachandran

                                  Alessio:

                                   

                                  Thank you again for all the feedback.  I was able to call the "CustomPicketLinkSTS" using a cxf.xml based STSClient and it relays back the SAML Assertion - it is very similar to what you did with WSTrustTest.java (where you programmatically embedded the STSClient), only that all the values come from a configuration file.

                                   

                                  The thing I don't understand is that with your version (WSTrustTest.java) the SAML token was NOT returned in the response from the SecureService, but when I use the STSClient via the cxf.xml, I see the SAML Assertion.

                                   

                                  Thank you.

                                   

                                  ..pradeep balachandran
