Federated Scenario: Policy Assertion Problem

37 replies [Last post]
gsogol
Offline
Joined: 2008-02-27

This forum has been really good in helping me get my Federated scenario working with a .NET STS and Service. I've solved all my certificate issues but I'm getting the following now when running my jUnit test.

ANY IDEA? Is it something to do with "SslContextToken"? PLEASE HELP!!!

WARNING: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://schemas.microsoft.com/ws/2005/07/securitypolicy'
prefix = 'mssp'
local name = 'SslContextToken'
value = 'null'
optional = 'false'
ignorable = 'false'
attributes {
name = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy:IncludeToken', value = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'
}
}
no parameters
nested policy {
namespace version = 'v1_5'
id = 'null'
name = 'null'
vocabulary {
1. entry = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy:RequireDerivedKeys'
}
assertion set {
Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'
prefix = 'sp'
local name = 'RequireDerivedKeys'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}
}
}
} is not supported under Token assertion.
------------- ---------------- ---------------
Testcase: testReadSomething(mscc.ws.crudserviceclient.tests.CrudServiceClientTest): Caused an ERROR
null
java.lang.NullPointerException
at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.addPrimaryTargets(BindingProcessor.java:189)

gsogol
Offline
Joined: 2008-02-27

Good news! That did it. It's working now. Thanks for your hard work and thanks to everyone else who commented. Keep up the good work!

gsogol
Offline
Joined: 2008-02-27

Ok, I have the RequestSecurityTokenResponse xml from when .Net client initiates the call and when Java inititiates the service call. The .Net client works, the metro/java client does not.

Attached are the two RSTR xmls. I also posted the RST xml files.

BEGGING FOR SOMEONE TO HELP! I am now able to print any message we need.

gsogol
Offline
Joined: 2008-02-27

I put a lot of traces in and they don't get past me parsing the RequestSecurityToken. Attached is the request from java and .Net. The .Net one works. Anyone understand these?

gsogol
Offline
Joined: 2008-02-27

The MS's wsdl is completely different than mine. If I could get my hands on their source code, then I could compare settings-wise. Otherwise, I think I'll start digging myself a grave. I can't figure out just by looking at the wsdl to see how I need to change my settings or anything else.

shyam_rao
Offline
Joined: 2006-05-05

> Totally agree on the SC topic. Ive set it to false but my wsdl does not change. I still
> see the SC node. I did it on both sts and the service piece. I ve seen a post where
> someone says you have to create a custombinding to disable SC. This is frustrating.

I looked into your attached trace file and see the client sends a MEX request to the MS STS to get the STS wsdl. The STS wsdl is present in the MEX response, but I don't see a SecureConversation assertion in this wsdl (X509Token is present). So, SecureConversation is not enabled for the STS as per the MEX response. Maybe due to some problem, your STS wsdl is not getting refreshed in the browser.

I am attaching the Mex request/response taken from your trace file :

========= MEX request to STS endpoint ========================

[SOAP envelope; only these WS-Addressing header values survived on this page]
Action:    http://schemas.xmlsoap.org/ws/2004/09/transfer/Get
To:        http://vhv000020.saxonmtg.com/TokenIssuer/STSService.svc/Mex
ReplyTo:   http://www.w3.org/2005/08/addressing/anonymous
MessageID: uuid:778b135f-3fdf-44b2-b53e-ebaab7441e40

========== MEX Response with STS wsdl =========================

[SOAP envelope carrying the STS WSDL; the WSDL body was not preserved on this page]
Action: http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse
STS endpoint address in the returned WSDL: http://vhv000020.saxonmtg.com/TokenIssuer/STSService.svc

gsogol
Offline
Joined: 2008-02-27

Another recap:
1. Still "Empty Key" exception
2. STS has SecureConversation off
3. Service has it on. Let me know if I have to disable it here as well.

I personally feel that this has something to do with certificates and how I have them installed. I imported the 2 certs into my truststore. I also see that in the generated (both on sts and service references) I have the certificate's public key encoded under nodes. I used to have the keystore populated (I get the same error even then), but now I just have the truststore populated as I just need the certs. In fact, I don't even understand why I need the truststore since the generated stub has the encoded certificate keys. My .Net client just has the encoded value and does not point to any cert store.

PLEASE CONTINUE TO HELP! I realize everyone is busy. I can even do a webex or attach my entire solution incl. the Java client if anyone wants.

shyam_rao
Offline
Joined: 2006-05-05

> Another recap:
> 1. Still "Empty Key" exception

Can you paste the stack trace here ?

> 2. STS has SecureConversation off
> 3. Service has it on. Let me know if I have to disable it here as well.

It's up to your requirement to enable/disable it for the Service. Can you paste the service wsdl here?

We do have trust tests (with SecureConversation + IssuedToken in service wsdl) and they all pass with daily nightly runs. We also successfully test with MS endpoint (http://131.107.72.15/Security_Federation_FederatedService_Indigo/Symmetr...) for "Scenario_6_IssuedTokenForCertificateSecureConversation_MutualCertificate11_policy" scenarios.

gsogol
Offline
Joined: 2008-02-27

Attached are the sts and service wsdl files.

I will try to see Microsoft's wsdl and see how it's different. Even though I thought I had the certificates right, could you comment on how you imported MS's certificates into the truststore? Any detailed steps. I wonder if it's still somehow related to that.

Here is the full stack trace:
------------- Standard Error -----------------
Apr 3, 2008 10:15:28 AM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP1049: Loaded WSIT configuration from file: file:/C:/workspace/MSCC.WS.CrudServiceClient/build/classes/META-INF/wsit-client.xml
Apr 3, 2008 10:15:29 AM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP1049: Loaded WSIT configuration from file: file:/C:/workspace/MSCC.WS.CrudServiceClient/build/classes/META-INF/wsit-client.xml
Apr 3, 2008 10:15:31 AM com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor sign
SEVERE: WSS1701: Sign operation failed.
java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.(DashoA13*..)
at com.sun.xml.ws.security.opt.impl.keyinfo.IssuedTokenBuilder.process(IssuedTokenBuilder.java:82)
at com.sun.xml.ws.security.opt.impl.keyinfo.DerivedKeyTokenBuilder.process(DerivedKeyTokenBuilder.java:126)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:167)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:93)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:521)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:483)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:79)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:251)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:172)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:133)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.secureOutboundMessage(SecurityPipeBase.java:394)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:196)
at com.sun.xml.ws.security.secconv.WSSCPlugin.sendRequest(WSSCPlugin.java:298)
at com.sun.xml.ws.security.secconv.WSSCPlugin.process(WSSCPlugin.java:198)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.invokeSCPlugin(SecurityClientPipe.java:291)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:165)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy43.readSomething(Unknown Source)
at mscc.ws.crudservice.tests.CrudServiceTest.testReadSomething(CrudServiceTest.java:40)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.junit.internal.runners.TestMethodRunner.executeMethodBody(TestMethodRunner.java:99)
at org.junit.internal.runners.TestMethodRunner.runUnprotected(TestMethodRunner.java:81)
at org.junit.internal.runners.BeforeAndAfterRunner.runProtected(BeforeAndAfterRunner.java:34)
at org.junit.internal.runners.TestMethodRunner.runMethod(TestMethodRunner.java:75)
at org.junit.internal.runners.TestMethodRunner.run(TestMethodRunner.java:45)
at org.junit.internal.runners.TestClassMethodsRunner.invokeTestMethod(TestClassMethodsRunner.java:71)
at org.junit.internal.runners.TestClassMethodsRunner.run(TestClassMethodsRunner.java:35)
at org.junit.internal.runners.TestClassRunner$1.runUnprotected(TestClassRunner.java:42)
at org.junit.internal.runners.BeforeAndAfterRunner.runProtected(BeforeAndAfterRunner.java:34)
at org.junit.internal.runners.TestClassRunner.run(TestClassRunner.java:52)
at junit.framework.JUnit4TestAdapter.run(JUnit4TestAdapter.java:32)
at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:421)
at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.launch(JUnitTestRunner.java:912)
at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:766)
------------- ---------------- ---------------
Testcase: testReadSomething(mscc.ws.crudservice.tests.CrudServiceTest): Caused an ERROR
java.lang.IllegalArgumentException: Empty key
javax.xml.ws.soap.SOAPFaultException: java.lang.IllegalArgumentException: Empty key
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.getSOAPFaultException(SecurityPipeBase.java:640)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.secureOutboundMessage(SecurityPipeBase.java:401)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:196)
at com.sun.xml.ws.security.secconv.WSSCPlugin.sendRequest(WSSCPlugin.java:298)
at com.sun.xml.ws.security.secconv.WSSCPlugin.process(WSSCPlugin.java:198)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.invokeSCPlugin(SecurityClientPipe.java:291)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:165)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy43.readSomething(Unknown Source)
at mscc.ws.crudservice.tests.CrudServiceTest.testReadSomething(CrudServiceTest.java:40)

jdg6688
Offline
Joined: 2005-11-02

Hi,

The WSDLs look fine. The error comes up when the client calls the service.

So the client-to-STS call has already passed.

It sounds more to me like the proof key is missing in the STS response.

Could you print out the STS response in the plain form and post it.

Not sure how to do it on the STS side with WCF.

On the client side, to get more debug messages, change the level in your JDK's ${JAVA_HOME}/jre/lib/logging.properties from INFO to FINE / FINER / FINEST:
java.util.logging.ConsoleHandler.level = FINEST

#You can also selectively set the value of individual loggers as:
javax.enterprise.resource.xml.webservices.security.trust.level=FINER
javax.enterprise.resource.xml.webservices.security.secconv.level=FINER

Then find the RequestSecurityTokenResponse message in the output.

Thanks!

Jiandong

gsogol
Offline
Joined: 2008-02-27

I think you are right that it has something to do with the proof key. I will do some more logging on my side. Adding FINEST to Console did nothing. I restarted NB and recreated the client, but I just see the INFO logs.

jdg6688
Offline
Joined: 2005-11-02

Which build of Metro/WSIT are you using? 1.1 or the current build?

Please try with the current Metro nightly build:

This problem should be gone with it. This will be released as Metro 1.2 very soon.

Thanks!

Jiandong

jdg6688
Offline
Joined: 2005-11-02

Here is the nightly for Metro 1.2:

https://metro.dev.java.net/servlets/ProjectDocumentList?folderID=8717&ex...

With this one, if no proof key in the RSTR, we will use the client entropy for the key.

Please try and let us know if it works.

gsogol
Offline
Joined: 2008-02-27

I downloaded the nightly and get a slightly different message but the inner is still the Empty Key message.

Apr 4, 2008 10:22:12 AM com.sun.xml.wss.jaxws.impl.SecurityClientPipe process
SEVERE: WSSPIPE0024: Error in Securing Outbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: java.lang.IllegalArgumentException: Empty key
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:322)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.secureOutboundMessage(SecurityPipeBase.java:397)

I will try to get the RSTR xml. In the mean time, is there any MS source code that I can download that you test against? Specific one?

jdg6688
Offline
Joined: 2005-11-02

Are you still using secureconversation for STS calls?

If this is the case, there may be issue with WSIT.

Can you post your updated STS wsdl again?

Thanks!

gsogol
Offline
Joined: 2008-02-27

Yes I do. I don't know how to remove that :(

[b]My sts's wsdl:[/b]

[WSDL body not preserved on this page; the endpoint address it carried:]
http://vhv000020.saxonmtg.com/TokenIssuer/STSService.svc

gsogol
Offline
Joined: 2008-02-27

Attached is the image of STS's properties.

on the .Net side, the STS's servicecredentials are:

membershipProviderName="SqlMembershipProvider" /> x509FindType="FindBySubjectName"
storeLocation="LocalMachine"
storeName="My" />

I will try the diagnostics. But Clemens, how do you not use client certificates? I'd like not to. Is it something I have to do on the .NET side?

gsogol
Offline
Joined: 2008-02-27

Just to recap:
1) Getting empty key. Will try to disable secureconversation. Can someone see if it's actually a problem?
2) Clemens asked to do some tracing. I've attached the trace file in the previous post. I noticed in one of the trace messages: No Action header was found with namespace 'http://www.w3.org/2005/08/addressing' for the given message.

Jiandong Guo

We may have an issue with secure conversation with STS calls.
We will do some tests and get back. On the other hand it is not necessary
to use secure conversation here since you have just one message exchange.

SC is efficient if you have multiple message exchanges for an application.


Clemens Vasters

Turn SC off by setting 'establishSecurityContext' to 'false'. It's 'true' by default.

http://msdn2.microsoft.com/en-us/library/ms731346.aspx


gsogol
Offline
Joined: 2008-02-27

Totally agree on the SC topic. I've set it to false but my wsdl does not change. I still see the SC node. I did it on both the sts and the service piece. I've seen a post where someone says you have to create a custom binding to disable SC. This is frustrating.

Clemens Vasters

On the service this won't do you any good. I assume you are using WSFederationHttpBinding on the service and turning off SC for that indeed requires building a custom binding. I actually gave you a link to that earlier.

I'm surprised that turning off the establishSecurityContext setting for the STS didn't work for you; are you sure you looked at a fresh copy of the WSDL and at the right endpoint?

Hang in there ;)
Clemens


gsogol
Offline
Joined: 2008-02-27

I still get the java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.(DashoA13*..)

My sts's keystore is disabled. I wonder if that's why I get this message

Clemens Vasters

You need to add the exported public-key cert of the STS service's identity (a private-key certificate referenced in the serviceCredentials behavior [1]) into the truststore on the Metro side and set its alias in the Metro configuration for the STS reference.

[1] http://msdn2.microsoft.com/en-us/library/ms751516.aspx

-----Original Message-----
From: metro@javadesktop.org [mailto:metro@javadesktop.org]
Sent: Wednesday, April 02, 2008 12:09 PM
To: users@metro.dev.java.net
Subject: Re: RE: Federated Scenario: Policy Assertion Problem

I've recreated my sts client and don't get any key issues anymore. Once I set the negotiateServiceCredentials to false, the STS's keystore is disabled and when running my client I now get:

javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
[Message sent by forum member 'gsogol' (gsogol)]


gsogol
Offline
Joined: 2008-02-27

Which I did. I've imported my 2 certs and also my two .pfx (private keys) into my keystore and truststore. .Net client works but metro client does not. The sts just has the truststore enabled and I've set all the properties including the right alias. I've also set the keystore and the truststore on the service reference as well. STS's keystore is disabled once I set the parameter you mentioned to false.

Clemens Vasters

The private keys shouldn't have any business being on the client unless you were using client certificate authentication.

What I would do is to enable tracing on the WCF side (use SvcConfigEditor.exe on your .NET STS's config if you can't figure out the magic dance to get that right; I never can) and then look for the exact warning message you are finding when you look at the resulting App_tracelog.svclog file that'll appear in your project directory after one run. The tool to look at those trace files is SvcTraceViewer.exe. There'll be yellow stuff (and maybe red stuff); those are the warnings/errors to look for.

The trace normally gives you a very good clue on what the WCF stack didn't like about the request. The error messages that go over the wire are intentionally cloaking the details.

Clemens


gsogol
Offline
Joined: 2008-02-27

Clemens, attached is my trace log.

Clemens Vasters

On the WCF (STS) side you need to set negotiateServiceCredential=false [1] to avoid the in-channel SSL handshake Jiandong mentions in (1). The same is true if the service is built on WCF. In turn, this will require you to have the STS's (and the service's) certificate on the client, but that's the default for Metro, anyways.

[1] http://msdn2.microsoft.com/en-us/library/ms731376.aspx

Clemens

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, April 02, 2008 8:57 AM
To: users@metro.dev.java.net
Subject: Re: Federated Scenario: Policy Assertion Problem

1. The mssp:SslContextToken is microsoft specific which involves some
private protocol for now.
Can you turn it off.

2. In general you don't use secure conversation with STS call. It is
just one shot request and response.
You should change the

sp:SecureConversationToken to sp:X509Token for example


gsogol
Offline
Joined: 2008-02-27

Ok, I set it to false and got a different exception.

SEVERE: WSS0217: An Error occurred using Callback Handler handle() Method.
javax.security.auth.callback.UnsupportedCallbackException: Username Handler Not Configured

__________________________________________________
Here is my client code:

import javax.xml.ws.BindingProvider;

// generated JAX-WS stub for the WCF service and its WSFederationHttpBinding port
mscc.ws.crudserviceclient.CrudService service = new mscc.ws.crudserviceclient.CrudService();
mscc.ws.crudserviceclient.ICrudService port = service.getWSFederationHttpBindingICrudService();

// pass the credentials at runtime under the standard JAX-WS property names
// (BindingProvider.USERNAME_PROPERTY / PASSWORD_PROPERTY are what the runtime reads)
BindingProvider portBP = (BindingProvider) port;
portBP.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "uid");
portBP.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "pwd");
java.lang.String result = port.readSomething();
_______________________________________________

I refreshed my two clients (STS and service) and now the STS's keystore is disabled. Do I have to change my authentication credentials from static to dynamic? They're both set as Static and I'm passing my credentials at runtime.

_______________________________________________

When entering static username and password (which I don't want) I get:
SEVERE: WSS1906: Invalid key provided for encryption/decryption.
java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.a(DashoA13*..)

So I downloaded the unlimited policy (JCE) files and got:

SEVERE: WSS1701: Sign operation failed.
java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.(DashoA13*..)

gsogol
Offline
Joined: 2008-02-27

WSDL of STS:

[WSDL body not preserved on this page; the endpoint address it carried:]
http://vhv000020.saxonmtg.com/TokenIssuer/STSService.svc


Jiandong Guo

1. The mssp:SslContextToken is Microsoft-specific and involves some
private protocol for now.
Can you turn it off?

2. In general you don't use secure conversation with an STS call. It is
just a one-shot request and response.
You should change the

sp:SecureConversationToken to sp:X509Token, for example

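The two WCF-side switches discussed in this thread (negotiateServiceCredential for the mssp:SslContextToken that Jiandong calls Microsoft-specific, establishSecurityContext for the sp:SecureConversationToken bootstrap, and Clemens's question of whether the WSDL being looked at is actually fresh) are easiest to verify by linting the policy the endpoint really publishes. The following is an added example, not code from Metro, WCF or anyone in the thread: it walks every wsp:Policy in a WSDL or MEX response, including nested bootstrap policies, lists the token assertions it finds and reports the ones a Metro client of that era will not consume. The two embedded policies are constructed samples modelled on the SP0100 warning at the top of the thread (before) and on a binding with both switches off (after); the nesting is trimmed and is an assumption, not a copy of the poster's WSDL.

```python
import xml.etree.ElementTree as ET
from typing import List

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
MSSP = "http://schemas.microsoft.com/ws/2005/07/securitypolicy"
INCLUDE = SP + "/IncludeToken/AlwaysToRecipient"

# Token assertions defined by WS-SecurityPolicy 1.1 in the sp: namespace.
# Role elements such as sp:ProtectionToken or sp:InitiatorToken are not tokens.
SP_TOKENS = {
    "X509Token", "UsernameToken", "IssuedToken", "SecureConversationToken",
    "KerberosToken", "SamlToken", "RelToken", "HttpsToken",
    "SpnegoContextToken", "SecurityContextToken",
}


def _split(tag: str):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def token_assertions(policy_xml: str) -> List[str]:
    """Every token assertion in the document, in document order, as 'prefix:LocalName'.

    iter() descends into sp:BootstrapPolicy too, which is where the
    mssp:SslContextToken from the SP0100 warning was hiding.
    """
    found = []
    for el in ET.fromstring(policy_xml.strip()).iter():
        ns, local = _split(el.tag)
        if ns == SP and local in SP_TOKENS:
            found.append("sp:" + local)
        elif ns == MSSP:
            found.append("mssp:" + local)
    return found


def lint_for_metro_client(policy_xml: str) -> List[str]:
    """Assertions the thread identifies as blockers for a Metro client, with the WCF-side fix."""
    findings = []
    for a in token_assertions(policy_xml):
        if a == "mssp:SslContextToken":
            findings.append(a + ": Microsoft-specific TLS-in-SOAP negotiation; "
                            "set negotiateServiceCredential=false on the WCF binding")
        elif a.startswith("mssp:"):
            findings.append(a + ": Microsoft-specific assertion, not understood by Metro")
        elif a == "sp:SecureConversationToken":
            findings.append(a + ": secure conversation bootstrap; set establishSecurityContext=false "
                            "(custom binding for WSFederationHttpBinding) or use sp:X509Token "
                            "for a one-shot STS call")
    return findings


# Constructed sample: the shape behind the SP0100 warning, nesting trimmed.
STS_POLICY_BEFORE = f"""
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="{SP}" xmlns:mssp="{MSSP}">
  <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
    <sp:SecureConversationToken sp:IncludeToken="{INCLUDE}">
      <wsp:Policy>
        <sp:RequireDerivedKeys/>
        <sp:BootstrapPolicy><wsp:Policy>
          <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
            <mssp:SslContextToken sp:IncludeToken="{INCLUDE}">
              <wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy>
            </mssp:SslContextToken>
          </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
        </wsp:Policy></sp:BootstrapPolicy>
      </wsp:Policy>
    </sp:SecureConversationToken>
  </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
</wsp:Policy>"""

# Constructed sample: the same binding once both WCF switches are off.
STS_POLICY_AFTER = f"""
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{SP}">
  <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="{INCLUDE}">
      <wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy>
    </sp:X509Token>
  </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
</wsp:Policy>"""


if __name__ == "__main__":
    for name, doc in (("before", STS_POLICY_BEFORE), ("after", STS_POLICY_AFTER)):
        print(name, token_assertions(doc))
        for f in lint_for_metro_client(doc):
            print("  ", f)
```

Run it against the WSDL fetched from the live STS or service URL (not the copy the IDE cached when the stub was generated); an empty finding list from the "after" shape is what a Metro client of that vintage needs before the "Empty key" and SP0100 errors can be chased any further.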

gsogol
Offline
Joined: 2008-02-27

n/a

gsogol
Offline
Joined: 2008-02-27

Please see my new attached RSTR and RST (RequestSecurityToken||Response) xml files. Please help!

gsogol
Offline
Joined: 2008-02-27

I don't see any differences between the Java and the .Net RSTR besides some unique identifiers. Can someone confirm if the RSTR can be received by metro? If it looks ok, what are my next steps?

Jiandong Guo

The RSTR looks fine. Not sure yet what is wrong. Will get back.


gsogol
Offline
Joined: 2008-02-27

Thanks, I'll be awaiting some feedback. I'm taking my laptop home so if anyone's got anything I can try things over the weekend.

ALSO, IS ANYONE LOOKING FOR SOME CONTRACT WORK IN CHICAGO TO GET THIS RESOLVED? NO JOKE.

Otherwise, I'm slowly digging myself a grave with this stuff. If not, please, please provide me some feedback.

jdg6688
Offline
Joined: 2005-11-02

Ok, trying to dig you out.

The issue is that we are expecting a KeySize in the RSTR in the case of ComputedKey, but it is not there in your case.

Anyway, I made a change so that if no KeySize is available in the RSTR then we use the KeySize in the RST to compute the secret key.

Please try with the nightly build this Sunday morning after 10 am.

Or you can build the jars from CVS.

Interop is always more than the specs.

Regards,

Jiandong
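The fix described above is the ComputedKey case of WS-Trust: the STS returns no proof key, only its own entropy and a ComputedKey algorithm, and the client derives the key as P_SHA1(requestor entropy, issuer entropy) truncated to KeySize bits. When KeySize is absent from the RSTR, a client that reads it only from there ends up with zero bytes, which is exactly the "Empty key" SecretKeySpec rejects. The following is an added example in Python, not Metro's or WCF's code, showing the derivation with the RST fallback Jiandong put in, run against constructed RST/RSTR messages. The Feb 2005 WS-Trust namespace, the fixed entropy values and the trimmed message layout are assumptions for the sample; the P_SHA1 function is the TLS 1.0 PRF that WS-Trust names for .../CK/PSHA1.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246 section 5), the PRF WS-Trust uses for ComputedKey."""
    out = b""
    a = seed                                                     # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def _trust_ns(root: ET.Element) -> str:
    """WS-Trust namespace the message uses (Feb 2005 for WCF of that era, or WS-Trust 1.3)."""
    return root.tag[1:].partition("}")[0]


def _key_size(root: ET.Element, ns: str) -> Optional[int]:
    el = root.find(f"{{{ns}}}KeySize")
    return int(el.text) if el is not None and el.text and el.text.strip() else None


def _entropy(root: ET.Element, ns: str) -> Optional[bytes]:
    el = root.find(f"{{{ns}}}Entropy/{{{ns}}}BinarySecret")
    return base64.b64decode(el.text) if el is not None and el.text else None


def compute_proof_key(rst_xml: str, rstr_xml: str) -> bytes:
    """Derive the proof key for a ComputedKey RSTR; fall back to the RST's KeySize when the RSTR omits it."""
    rst, rstr = ET.fromstring(rst_xml.strip()), ET.fromstring(rstr_xml.strip())
    ns = _trust_ns(rstr)
    ck = rstr.find(f"{{{ns}}}RequestedProofToken/{{{ns}}}ComputedKey")
    if ck is None or (ck.text or "").strip() != ns + "/CK/PSHA1":
        raise ValueError("RSTR does not carry a P_SHA1 ComputedKey")
    req_ent, res_ent = _entropy(rst, _trust_ns(rst)), _entropy(rstr, ns)
    if not req_ent or not res_ent:
        raise ValueError("ComputedKey needs entropy from both requestor and issuer")
    bits = _key_size(rstr, ns)
    if bits is None:
        bits = _key_size(rst, _trust_ns(rst))  # the fallback described in the post above
    if not bits:
        raise ValueError("Empty key: no KeySize in RSTR or RST")  # what Metro 1.1 hit
    return p_sha1(req_ent, res_ent, bits // 8)  # key = P_SHA1(EntREQ, EntRES)


# Constructed samples. Namespace and entropy values are assumptions for the demo.
TRUST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
REQ_ENTROPY = bytes(range(32))        # fixed instead of random so results are reproducible
RES_ENTROPY = bytes(range(32, 64))


def sample_rst(key_size: Optional[int] = 256) -> str:
    """RST as a Metro client would send it, with or without KeySize."""
    size = f"<t:KeySize>{key_size}</t:KeySize>" if key_size else ""
    return f"""<t:RequestSecurityToken xmlns:t="{TRUST}">
  <t:RequestType>{TRUST}/Issue</t:RequestType>{size}
  <t:Entropy><t:BinarySecret Type="{TRUST}/Nonce">{base64.b64encode(REQ_ENTROPY).decode()}</t:BinarySecret></t:Entropy>
  <t:ComputedKeyAlgorithm>{TRUST}/CK/PSHA1</t:ComputedKeyAlgorithm>
</t:RequestSecurityToken>"""


def sample_rstr(key_size: Optional[int] = None) -> str:
    """RSTR shaped like the WCF one in the thread: ComputedKey, issuer entropy, no KeySize by default."""
    size = f"<t:KeySize>{key_size}</t:KeySize>" if key_size else ""
    return f"""<t:RequestSecurityTokenResponse xmlns:t="{TRUST}">
  <t:RequestedSecurityToken/>{size}
  <t:RequestedProofToken><t:ComputedKey>{TRUST}/CK/PSHA1</t:ComputedKey></t:RequestedProofToken>
  <t:Entropy><t:BinarySecret Type="{TRUST}/Nonce">{base64.b64encode(RES_ENTROPY).decode()}</t:BinarySecret></t:Entropy>
</t:RequestSecurityTokenResponse>"""


if __name__ == "__main__":
    print(compute_proof_key(sample_rst(256), sample_rstr()).hex())
```

The RSTR's KeySize still wins when both are present; the RST value is consulted only when the issuer is silent, which is the interop gap the nightly build closed. Both sides must end up with the same byte count, or the service will fail signature verification on the first call with a much less helpful fault than "Empty key".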

gsogol
Offline
Joined: 2008-02-27

Good to know. I will try this Sun morning. I'm hoping once we get past this one...sigh...we won't open up another can of worms. So I'm cautiously optimistic. Thanks for putting a fix in that hopefully will work.