1 2 Previous Next 28 Replies Latest reply on Nov 14, 2013 2:51 PM by Pradeep Balachandran

    SAML WS and PicketLinkSTS

    Pradeep Balachandran Newbie

      I have a reasonable understanding of PicketLinkSTS and I have been able to install it and get a standalone Java client to interact with the STS to issue and validate a SAML token.  However I haven't found any examples on how

      to write a standalone contract first SAML secured Webservice (where the WSDL will show the SAML policy) to do the following (under JBoss 7.1.1.Final):

       

      Write and deploy a SAML secured WS that knows how to interact with PicketLinkSTS to validate a SAML token

           a. Client calls the PicketLinkSTS to obtain a SAML assertion

           b. Client then calls the SAML secured WS with the assertion obtained from the STS

           c. The SAML secured WS, validates the token against the STS and services the client's request.

       

      I have seen some articles, but nothing that gives sufficient details.  Any help/information is appreciated.

       

      Thank you.

       

      ..pradeep balachandran

        • 1. Re: SAML WS and PicketLinkSTS
          Pradeep Balachandran Newbie

          Can someone please share information around PicketLinkSTS and SAML contract first Web Services - I was hoping the PicketLinkSTS leads (Anil or Alessio) would reply to this.

           

          Thank you.

          • 2. Re: SAML WS and PicketLinkSTS
            Alessio Soldano Master

            As you possibly already noticed, there's some documentation on this topic at https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS#WS-TrustandSTS-PicketLinkSTS (but you'd need to move to at least AS 7.2.0, EAP 6.1.0 or WFLY8).

            The wsdl policies you define for both the endpoint service and the sts control the WS-Trust exchange. In the example at the link above the STS endpoint is secured with WS-Security using symmetric binding encryption plus username token for authentication. The target endpoint uses asymmetric binding encryption with the initiator token to be issued by the referenced STS.

            You might want to download the jbossws testsuite and give it a try, the WS-Trust scenario in the doc above is included in the testsuite.

            • 3. Re: SAML WS and PicketLinkSTS
              Pradeep Balachandran Newbie

              Alessio:

               

              Thank you for the reply - I have the following questions with respect to your example (https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS#WS-TrustandSTS-PicketLinkSTS).

               

              a. EAP 6.1 does not have PicketLink bundled with it - so when I run the PicketLink quickstart installer, it fails(the picketlink module is mising in the distro).

              b. With the example that you reference in the above article, can I get it to work without having to create an "extended" STS like you have - meaning can I get it to work with quickstart STS WAR?

              c. Can you point me to the jbossws testsuite download link?

               

              Can you share a link to the actual code you reference in the above example (link)?

               

              Thank you.

              • 4. Re: SAML WS and PicketLinkSTS
                Pradeep Balachandran Newbie

                Alessio:

                 

                I retooled my setup to mimic your example (including the Custom STS extending PicketLinkSTS) - all on JBoss 7.1.1.Final.  I think I got a little further but ended up with this exception "Cannot Encrypt" - please see attached.  I think the STS is having issues encrypting the token being requested by the client, but I am stumped.

                 

                Overview of the setup:

                 

                CustomPicketLinkSTS

                 

                * Custom STS Webservice that extends the PicketLinkSTS class - similar to your example

                * stsKeystore.jks - contains a trust entry for SecurityService and Client

                * picketlinks-sts.xml

                * WSDL that defines UsernameToken, along with encryption and signing

                * web.xml

                * jboss-web.xml that uses realm based authentication (UserA/PassA) similar to Alice/Clarinet in your example

                 

                SecurityService


                * Simple "Hello" service that requires a SAML token to be invoked

                * WSDL specifies the meta exchange tag that points to the above STS

                * serviceKeystore.jks - contains trust entry for Client

                 

                Java Client

                 

                * Standalone Java Client - same as your client

                * clientKeystore.jks - contains trust entry for SecureService and Custom STS

                 

                Any suggestions are much appreciated.

                 

                Thank you.

                • 5. Re: SAML WS and PicketLinkSTS
                  Pradeep Balachandran Newbie

                  Alessio:

                   

                  I figured out the earlier "Cannot Encrypt Data" error - it had to with my JDK lacking the JCE unlimited strength policy jars.

                   

                  Now I get the below exception, even though I have the users.properties bundled in the PicketLinkSTS.war that has the UserA and password I am using.  Further the jboss configuration file (standalone-full-ha.xml) has the security domain I am referencing inside jboss-web.xml defined.

                   

                  javax.xml.ws.soap.SOAPFaultException: Failed Authentication : Subject has not been created, Authentication failed, principal= UserA

                      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)

                      at com.sun.proxy.$Proxy25.sayHello(Unknown Source)

                      at com.corelogic.ws.client.SecurityServiceClient.testSecurityService(SecurityServiceClient.java:45)

                      at com.corelogic.ws.client.SecurityServiceClient.main(SecurityServiceClient.java:55)

                  Caused by: org.apache.cxf.binding.soap.SoapFault: Failed Authentication : Subject has not been created, Authentication failed, principal= UserA

                   

                  Thank you.

                  • 6. Re: SAML WS and PicketLinkSTS
                    Pradeep Balachandran Newbie

                    Alessio:

                     

                    Appologize for bothering you!

                     

                    I got past the earlier error (Subject has not been created) as well, but now I get some form of parse error (with the PicketLinkSTS class) - please see highlighted.

                     

                    Any help is much appreciated.

                     

                    Thank you.

                     

                    Caused by: javax.xml.ws.WebServiceException: PLFED000110: Security Token Service Exception

                        at org.picketlink.identity.federation.PicketLinkLoggerImpl.stsWSError(PicketLinkLoggerImpl.java:646) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

                        at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:131) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                        at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:70) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]

                        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]

                        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]

                        at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]

                        at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)

                        at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)

                        ... 34 more

                    Caused by: ParsingException [location=null]org.picketlink.identity.federation.core.exceptions.ParsingException: PL00071: Parser: Expected text value:token type

                        at org.picketlink.identity.federation.core.parsers.wst.WSTRequestSecurityTokenParser.parse(WSTRequestSecurityTokenParser.java:127) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                        at org.picketlink.identity.federation.core.parsers.wst.WSTrustParser.parse(WSTrustParser.java:58) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                        at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:86) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                        at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:129) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                    • 7. Re: SAML WS and PicketLinkSTS
                      Alessio Soldano Master

                      Hi Pradeep,

                      I'm glad you got past the other integration issues.

                      The error you're getting now looks like a PicketLink specific one. Hopefully someone from PicketLink team can help.

                       

                      Alessio

                      • 8. Re: SAML WS and PicketLinkSTS
                        Pradeep Balachandran Newbie

                        Thank you Alessio.  Can you tell me what versions of JBoss and PicketLink version were you using for your POC.  Also is there a link to you code?

                        • 10. Re: SAML WS and PicketLinkSTS
                          Pradeep Balachandran Newbie

                          Aleesio:

                           

                          Thank you so much for the reply.

                           

                          I tried your test suites with my setup and I get the exact same error - missing "tokenType" value.  I also ran it with PicketLinkSTS 2.1.7 jars, and the outcome was the same.

                           

                          On one of the testcases (where you use the .it suffix) I get a SAAJ error - java.lang.NoClassDefFoundError: org/apache/cxf/ws/mex/MetadataExchange.  Not sure why.

                           

                          In any case I haven't received any answers from the PicketLink team, but I truly appreciate you taking the time to help.

                           

                          ..pradeep

                          • 11. Re: SAML WS and PicketLinkSTS
                            Anil Saldanha Master

                            Pradeep Balachandran wrote:

                             

                            Alessio:

                             

                            Appologize for bothering you!

                             

                            I got past the earlier error (Subject has not been created) as well, but now I get some form of parse error (with the PicketLinkSTS class) - please see highlighted.

                             

                            Any help is much appreciated.

                             

                            Thank you.

                             

                            Caused by: javax.xml.ws.WebServiceException: PLFED000110: Security Token Service Exception

                                at org.picketlink.identity.federation.PicketLinkLoggerImpl.stsWSError(PicketLinkLoggerImpl.java:646) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]

                                at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:131) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                                at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:70) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]

                                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]

                                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]

                                at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]

                                at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)

                                at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)

                                ... 34 more

                            Caused by: ParsingException [location=null]org.picketlink.identity.federation.core.exceptions.ParsingException: PL00071: Parser: Expected text value:token type

                                at org.picketlink.identity.federation.core.parsers.wst.WSTRequestSecurityTokenParser.parse(WSTRequestSecurityTokenParser.java:127) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                                at org.picketlink.identity.federation.core.parsers.wst.WSTrustParser.parse(WSTrustParser.java:58) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                                at org.picketlink.identity.federation.core.parsers.AbstractParser.parse(AbstractParser.java:86) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                                at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:129) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]

                            Create a JIRA issue at https://issues.jboss.org/browse/PLINK  and attach the xml payload that the STS is failing to parse.

                            • 12. Re: SAML WS and PicketLinkSTS
                              Pradeep Balachandran Newbie

                              Anil:

                               

                              I am not sure yet, if this warrants a JIRA ticket.  Please see attached payload and let me know if you can tell what is going on.  Further this what I am deploying to.

                               

                              Environment:

                               

                              JBoss 7.1.1-Final

                              Apache CXF - 2.6.6

                              PicketLink - 2.1.7

                               

                              I tried JBoss 7.2.0 as well, but with that setup it does not issue the token (it appears to be issuing a token with JBoss 7.1.1.Final) but results in the same error (Parser: Expected text value: token type).

                               

                              Thank you.

                              • 13. Re: SAML WS and PicketLinkSTS
                                Anil Saldanha Master

                                The STS is expecting a RST of WS-Trust.  The payload does not have it.  I feel that this is beyond the capabilities of PicketLink STS. There is WS Secure Conversation payload shown.

                                • 14. Re: SAML WS and PicketLinkSTS
                                  Pradeep Balachandran Newbie

                                  Anil:

                                   

                                  Thank you for your reply.  Request Security Token (using meta exchange) is not part of my usecase, WS Secure conversation is though.  That said, I was simply trying to get Alessio's example (above) working, but without luck.  In any case does PicketLinkSTS support the following and if so, could you provide me a sample.

                                   

                                   

                                  Usecase

                                   

                                  Secure Webservice - expects SAML Assertion, and requires payload be signed and encrypted

                                  PicketLinkSTS - expects Username Token authentication to issue or validate token, and requires payload be signed and encrypted

                                   

                                  a. Client calls PicketLinkSTS, supplying a username token along with a signed and encrypted payload

                                  b. PicketLinkSTS issues a SAML token

                                  c. Client then calls Secure Webservice, embedding the SAML token, but also signing and encrypting the payload

                                  d. Secure Webservice calls PicketLinkSTS to validate the token.

                                  e. Client is able to call a method on the Secure Webservice's endpoint

                                   

                                  Can you provide test cases/code samples for the above usecase?

                                   

                                  Appreciate your suggestions.

                                   

                                  Thank you.

                                  1 of 1 people found this helpful
                                  1 2 Previous Next