STS issued token example in tutorial fails

glassfishrobot commented 17 years ago

The STS issued token example in Chapter 6 of the WSIT tutorial does not work. The client fails with

Container-auth: wss: Error securing request javax.xml.ws.soap.SOAPFaultException: java.lang.UnsupportedOperationException

I followed the procedure in http://swpubs.sfbay/writing/wsit/drafts/M4/SecurityProfiles14.html#wp142952

Configuration:

Windows 2000 with JDK 1.5.0_11
WSIT nightly April 5th (trunk) also fails with Apr 1st build with different error – Policy for service could not be obtained
GF b41 beta2 with modifed domain.xml to have -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
copyv3 run on default GF key stores
NB IDE 5.5.1 RC1
NB wsit tooling plugin 2.32 and 2.24 extenstion module

GF server logs shows

--[HTTP request]--|#]

[#|2007-04-06T14:56:37.421-0400|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=18;_ThreadName=httpSSLWorkerThread-8080-1;| Accept: text/html, image/gif, image/jpeg, *; q=.2, /**; q=.2|#]

[#|2007-04-06T14:56:37.437-0400|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=18;_ThreadName=httpSSLWorkerThread-8080-1;| <soap-env:Envelope xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='http://www.w3.org/2005/08/addressing'>http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</wsa:Action>http://localhost:8080/MySTSProject/SecurityTokenService</wsa:To>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>uuid:778b135f-3fdf-44b2-b53e-ebaab7441e40</wsa:MessageID></soap-env:Header></soap-env:Envelope>|#]

[#|2007-04-06T14:56:37.437-0400|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=18;_ThreadName=httpSSLWorkerThread-8080-1;|--------------------|#]

true |#] [#|2007-04-06T14:56:37.468-0400|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=18;_ThreadName=httpSSLWorkerThread-8080-1;|--------------------|#] [#|2007-04-06T14:56:37.609-0400|INFO|sun-appserver9.1|javax.enterprise.resource.webservices.jaxws.wspolicy|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;|WSP1049: Loaded WSIT configuration from file: [file:/C:/Sun/netbeans/apr_07/CalculatorServletClient/build/web/WEB-INF/classes/META-INF/wsit-client.xml](file:/C:/Sun/netbeans/apr_07/CalculatorServletClient/build/web/WEB-INF/classes/META-INF/wsit-client.xml)|#] [#|2007-04-06T14:56:37.625-0400|WARNING|sun-appserver9.1|javax.enterprise.resource.webservices.jaxws.wspolicy|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=4746ae5f-e656-438c-8488-2d0ef84526d3;|WSP0075: Policy assertion " {http://www.w3.org/2005/08/addressing} UsingAddressing" was evaluated as "UNKNOWN".|#] [#|2007-04-06T14:56:37.625-0400|WARNING|sun-appserver9.1|javax.enterprise.resource.webservices.jaxws.wspolicy|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=4746ae5f-e656-438c-8488-2d0ef84526d3;|WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".|#] [#|2007-04-06T14:56:39.234-0400|SEVERE|sun-appserver9.1|com.sun.xml.wss.logging.impl.opt.signature|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=4746ae5f-e656-438c-8488-2d0ef84526d3;|WSS1701: Sign operation failed. java.lang.UnsupportedOperationException at com.sun.xml.stream.buffer.stax.StreamWriterBufferCreator.getProperty(StreamWriterBufferCreator.java:63) at com.sun.xml.ws.streaming.XMLStreamWriterUtil.getOutputStream(XMLStreamWriterUtil.java:63) at com.sun.xml.ws.message.jaxb.JAXBMessage.writePayloadTo(JAXBMessage.java:294) at com.sun.xml.ws.security.opt.impl.message.SOAPBody.writePayload(SOAPBody.java:109) at com.sun.xml.ws.security.opt.impl.message.SOAPBody.cachePayLoad(SOAPBody.java:171) at com.sun.xml.ws.security.opt.impl.dsig.SignedMessagePart.writeTo(SignedMessagePart.java:129) at com.sun.xml.ws.security.opt.impl.crypto.JAXBDataImpl.writeTo(JAXBDataImpl.java:103) at com.sun.xml.ws.security.opt.crypto.dsig.Exc14nCanonicalizer.transform(Exc14nCanonicalizer.java:167) at com.sun.xml.ws.security.opt.crypto.dsig.Transform.transform(Transform.java:160) at com.sun.xml.ws.security.opt.crypto.dsig.Reference.transform(Reference.java:169) at com.sun.xml.ws.security.opt.crypto.dsig.Reference.digest(Reference.java:110) at com.sun.xml.ws.security.opt.crypto.dsig.Signature.sign(Signature.java:200) at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:105) at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:450) at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:412) at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:79) at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:249) at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:172) at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:133) at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.secureOutboundMessage(SecurityPipeBase.java:351) at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:159) at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:559) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:518) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:503) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:400) at com.sun.xml.ws.client.Stub.process(Stub.java:235) at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:167) at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:193) at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:347) at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:218) at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.invokeTrustPlugin(WSITClientAuthContext.java:611) at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:202) at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:181) at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:125) at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:559) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:518) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:503) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:400) at com.sun.xml.ws.client.Stub.process(Stub.java:235) at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:120) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:230) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:210) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:103) at $Proxy93.add(Unknown Source) at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:47) at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:67) at javax.servlet.http.HttpServlet.service(HttpServlet.java:705) at javax.servlet.http.HttpServlet.service(HttpServlet.java:818) at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:277) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:258) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:189) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564) at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:81) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:193) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:558) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1067) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:558) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1067) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:255) at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:618) at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:549) at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:790) at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:326) at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:248) at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:199) at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:348) at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252) at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:93) | #] | [#|2007-04-06T14:56:39.390-0400|SEVERE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=4746ae5f-e656-438c-8488-2d0ef84526d3;|SEC2004: Container-auth: wss: Error securing request javax.xml.ws.soap.SOAPFaultException: java.lang.UnsupportedOperationException at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.getSOAPFaultException(SecurityPipeBase.java:575) at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.secureOutboundMessage(SecurityPipeBase.java:358) at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:159) at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:559) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:518) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:503) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:400) at com.sun.xml.ws.client.Stub.process(Stub.java:235) at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:167) at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:193) at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:347) at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:218) at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.invokeTrustPlugin(WSITClientAuthContext.java:611) at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:202) at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:181) at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:125) at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:559) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:518) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:503) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:400) at com.sun.xml.ws.client.Stub.process(Stub.java:235) at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:120) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:230) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:210) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:103) at $Proxy93.add(Unknown Source) at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:47) at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:67) at javax.servlet.http.HttpServlet.service(HttpServlet.java:705) at javax.servlet.http.HttpServlet.service(HttpServlet.java:818) at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:277) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:258) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:189) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564) at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:81) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:193) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:558) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1067) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:558) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1067) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:255) at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:618) at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:549) at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:790) at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:326) at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:248) at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:199) at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:348) at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252) at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:93) | #] | #### Environment Operating System: All Platform: All #### Affected Versions [current]

glassfishrobot commented 17 years ago

Reported by tamiro@java.net

glassfishrobot commented 17 years ago

tamiro@java.net said: Created an attachment (id=347) STS project

glassfishrobot commented 17 years ago

tamiro@java.net said: Created an attachment (id=348) calculator project with STS enabled

glassfishrobot commented 17 years ago

tamiro@java.net said: Created an attachment (id=349) client project for STS secured service

glassfishrobot commented 17 years ago

venu@java.net said: This is a duplicate of issue 502.Can you please verify.

glassfishrobot commented 17 years ago

tamiro@java.net said: Created an attachment (id=351) server log showing policy could not be obtained errror

glassfishrobot commented 17 years ago

tamiro@java.net said: After watching Manveen Kaur's screen cast,

http://javaweb.sfbay.sun.com/~mk125090/screencast/trust-final.html

I think the STS example in Chapter 6 of the tutorial may be missing some important pieces. It doesn't mention the "local" STS at all. In the steps, for configuring the Service STS, the tutorial doesn't say to configure the Issuer Address and Issuer Metadata address as the screencast does. Also, the screen cast uses Mutual Certificates mechanism with the client, whereas the tutorial uses Username Authentication.

Shouldn't the screencast and the STS Issued Token example in the tutorial be equivalent?

Is this a doc bug?

glassfishrobot commented 17 years ago

shyam_rao@java.net said: Tom, use GF b41a beta2 to run this sample. I tried a servlet sample for which i filed an issue# 512, is passing.

glassfishrobot commented 17 years ago

tamiro@java.net said: With Shyam's help, I finally got this example to work. It requires you to 1. Use GF beta2 41a 2. Make sure the key size specified for the STS and the Calculator Service match

Somehow I got into a situation where the STS was set for 128bit and the Calculator was using 256bit.

It is possible that the default NB tooling applies for an STS created via the wizzard differs from the default for a web service added to a web app. I'll have to investigate.

To make sure our users are successfull with the STS Issue Token example, the doc should reiterate at the beginning of the example: Some of the algorithm suite settings require that Unlimited StrengthEncryption be configured in the Java Runtime Environment (JRE), particularly the algorithm suites that use 256 bit encryption. Instructions for downloading and configuring unlimited strength encryption can be found at the following URLS: http://java.sun.com/products/jce/javase.html http://java.sun.com/javase/downloads/index_jdk5.jsp#docs

The doc should also tell the user to make sure the key size matches for the STS server and the Calculator service, by going to the Configure button for the security mechanism on the Edit Web Service Attributes UI and checking the options.

glassfishrobot commented 17 years ago

venu@java.net said: This is a duplicate of #502. Debbie says she has fixed the docs issue too. I am marking this bug as fixed. Please verify.

glassfishrobot commented 17 years ago

tamiro@java.net said: The doc at http://swpubs.sfbay/writing/wsit/drafts/M4/ doesn't have the fix yet. So I'm reopening.

glassfishrobot commented 17 years ago

tamiro@java.net said: Debbie fixed doc by adding step to select 128 bit size key for both STS and Calc service.

glassfishrobot commented 17 years ago

tamiro@java.net said: Verified.

glassfishrobot commented 17 years ago

kumarjayanti@java.net said: Fixed in WSIT 1.0

glassfishrobot commented 17 years ago

File: CaculatorApplication.zip Attached By: tamiro@java.net

glassfishrobot commented 17 years ago

File: CalculatorServletClient.zip Attached By: tamiro@java.net

glassfishrobot commented 17 years ago

File: MySTSProject.zip Attached By: tamiro@java.net

glassfishrobot commented 17 years ago

File: server.log Attached By: tamiro@java.net

glassfishrobot commented 17 years ago

Was assigned to venu@java.net

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA WSIT-514

glassfishrobot commented 16 years ago

Marked as fixed on Tuesday, July 22nd 2008, 10:37:23 am

javaee / metro-wsit

STS issued token example in tutorial fails #514