STS issued token sample

32 replies [Last post]
Anonymous

Hello all,

I have been trying and trying to get a working sample of WSIT using a
secured service using an STS issued token to work with absolutely no luck.

I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just plain
doesn't work. It has dialogs and tabs/options that are for some other
version (earlier?) of Netbeans and things just do not work.

What I would REALLY like to do is get a sample running using hand coded
configurations rather than relying on the Netbeans/glassfish integration so
I can understand more what is involved. As it is now, when something goes
wrong with the Netbeans IDE wizards, I have no idea how to work around it.

My end goal is to run an STS secured webservice using WSIT inside tomcat 6.
It would be fine if the STS were in Glassfish for now, but the service that
is secured needs to run inside tomcat and a standard command line client for
that in java.

Does anyone have a working sample similar to this or could point me to a
good resource for doing this? I am quite frustrated, as every tutorial I
have come across is targeted at running all inside Netbeans wizards and
with a servlet client that runs inside the same glassfish instance as the
STS and the secured service. This is not ideal for seeing how things
work, since it uses built-in development keystores/truststores etc. (the same
one for client and service, which is not realistic in an environment where
the client and server are on different machines, among other things).

Any guidance greatly appreciated..

Thanks,

Chris

Chris Richmond

Jiandong,

Part of my confusion comes from the fact that the
certs/keystores/truststores for the sample are all kept within one location
on one physical machine for the sample, so it's difficult for a beginner (at
least for me) to tell what is needed where and why. Does that make sense?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Tuesday, January 06, 2009 6:54 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Yes, it is encrypted selectively. You can configure which
part of the message to encrypt.

Thanks!

Jiandong

Chris Richmond wrote:
> So are the messages using the current implementation being encrypted between
> the client and the server? Or is it only encrypted if I use SSL?
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Tuesday, January 06, 2009 12:10 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
>
>
>> Do you have any references on how you created the bob and alice certs for the
>> server and client and how to utilize a new cert for this implementation? Is
>> there a tutorial on creating the certs and placing them in the proper
>> places and updating the stores appropriately?
>
> You may find in any of the Java security tutorials on managing
> certificates with KeyStores.
>
>> I am also not 100% clear on
>> exactly what the x509 cert is doing?
>
> 1. The client uses the service certificate to secure the message to the
> service.
> 2. The client uses the STS cert to secure the messages to the STS. You
> may configure to use SSL for security as well.
> 3. The STS uses the service cert to encrypt the proof key in the issued
> token or the issued token itself targeted for the service.
>
> Thanks!
>
> Jiandong
>
>
>> Is that only to encrypt the STS token
>> or is it doing more? Could it be configured to encrypt all messages to the
>> actual services (regular impl service mainly, STS could be using SSL
>> perhaps?)
>>
>> Thanks again,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Monday, January 05, 2009 11:13 AM
>> To: users@metro.dev.java.net
>> Cc: Fabian Ritzmann
>> Subject: Re: STS issued token sample
>>
>> Ok, in this case you can always stop the service and change the policy.
>> But the policy must be attached or referenced
>> in the wsdl to be effective.
>>
>> For example, you may have your front WSDL with business logic (has
>> Service and portType, e.g.
>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>> .svc?wsdl)
>> This wsdl in turn imports a back end WSDL with binding and policy
>> referenced there (e.g.
>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>> .svc?wsdl=wsdl0).
>>
>> Is this something that works for you?
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>> CC Fabian for more insight on this.
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>> Chris Richmond wrote:
>>
>>> Jiandong,
>>>
>>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>>> the service and deploying configuration files or stopping the server and
>>> removing them is perfectly acceptable to me. I just mean that I could
>>> deploy artifacts/config files without having to change my basic service code
>>> is all. That link seems to mention on the fly reconfiguration without
>>> losing any messages, which is not a requirement. Does your answer still
>>> stand?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Monday, January 05, 2009 10:23 AM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Unfortunately, this is not the case currently.
>>>
>>> See
>>> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>>> r
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>> Jiandong,
>>>>
>>>> It was my understanding that one feature of the WSIT toolkit is that you
>>>> could take an existing JAX-WS service and as long as the proper libraries
>>>> are in place on the tomcat server, you could simply place additional
>>>> .xml files in certain directories and the WSIT toolkit would inject
>>>> these WSDL elements into the document as the server generated it on the
>>>> fly...that way you could have an unsecured service by omitting those xml
>>>> files, or make them present and make the service secure? Am I way off base
>>>> on my understanding?
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Saturday, January 03, 2009 8:43 AM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Hi Chris,
>>>>
>>>> Great!
>>>>
>>>> It is in my to do to provide a detailed description of the sample.
>>>> Before that, here is a quick description of what is going.
>>>>
>>>> There are three parties in the sample: service, sts, client.
>>>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>>>
>>>> 1. service:
>>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>>> public ones to communicate to the other parties and private ones
>>>> (Keystore, TrustStore) for local configuration.
>>>>
>>>> In the policy
>>>>
>>>> * There is a
>>>> under with
>>>> indicate
>>>> that the X509 certificate of the service is used to protect the messages
>>>> from the client to the service.
>>>>
>>>> * There is an indicating
>>>> that an issued token from an STS
>>>> is required for the client to access the service.
>>>>
>>>> *
>>>> particular case,
>>>> only the certificate of the STS is needed in the Truststore.
>>>>
>>>> You may have your own key store and trust store and configure them with
>>>> these two policy assertions.
>>>>
>>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>>
>>>> In the policy
>>>>
>>>> * There is a
>>>> under with
>>>> indicate
>>>> that the X509 certificate of the service is used to protect the messages
>>>> from the client to the sts.
>>>>
>>>> * There is a indicating
>>>> that username/password is required from the
>>>> client to authenticate to the STS.
>>>>
>>>> *
>>>> particular case,
>>>> only the certificate of all the trusted services are needed in the
>>>> Truststore.
>>>>
>>>> Note that STS should maintain different key store and trust store from the
>>>> service.
>>>>
>>>> *
>>>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>>> name="usernameValidator"
>>>> classname="common.SampleUsernamePasswordValidator"/>
>>>>
>>>> to plugin the custom class for validating the username/password of the
>>>> clients.
>>>>
>>>> For this sample, we hard coded the username/password in the implementation
>>>> class /src/common/SampleUsernamePasswordValidator.java
>>>> You may just modify it to add for example chris/chris. In reality, you can
>>>> have a validator class connecting to a user data store, etc.
>>>>
>>>> 3. client:
>>>>
>>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>>> It contains client key store and truststore information as well as the callback
>>>> class for the username/password:
>>>>
>>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>>
>>>> Note that you need to configure the client to the service and to the STS
>>>> separately
>>>> in wsit-client.xml.
>>>>
>>>> Jiandong
>>>>
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>> Jiandong,
>>>>>
>>>>> Success!
>>>>>
>>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>>> account balance and outputs Company A, Department B on the server side. I
>>>>> tried both alice/alice and bob/bob.
>>>>>
>>>>> Now the real questions begin of figuring out how exactly this thing is
>>>>> working and how I integrate it into my own servers/clients.
>>>>>
>>>>> What was done to create those certificates on the server and to set those
>>>>> user credentials? That's one big area I don't understand.
>>>>> Keystores/truststores, etc.
>>>>>
>>>>> It is my understanding for METRO using an STS service such as this example
>>>>> that a truststore and keystore are both needed on the server as well as by
>>>>> the client?
>>>>>
>>>>> How are these stores generated/maintained and how are users certs maintained
>>>>> in this example?
>>>>>
>>>>> For example, if I wanted to add a new user chris/chris to access this
>>>>> service, what would be the steps on the server/client for starters?
>>>>>
>>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>>> than in the previous 2 weeks.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chris
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>>
>>>>> for installing Metro on tomcat 6.*.
>>>>>
>>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>> mon-targets-tomcat.xml?rev=1.6&view=log>
>>>>> for the Metro jars in tomcat.
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>> Yes..I'm using tomcat 6.0.18
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>>
>>>>>> location="${tomcat.home}/shared/lib/webservices-rt.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>>
>>>>>> Are you using tomcat 6.*?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>>> mentioned when I run the ant run-sample.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Follow the steps in [1]
>>>>>>>
>>>>>>> in the end
>>>>>>>
>>>>>>> [1]
>>>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>>> Glassfish or Tomcat..."
>>>>>>>>
>>>>>>>> What does this mean from the readme? It says follow the steps in step 1 and
>>>>>>>> that *IS* step 1???
>>>>>>>>
>>>>>>>> Where is the step 1 it refers to?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>>>> To: users@metro.dev.java.net
>>>>>>>> Subject: Re: STS issued token sample
>>>>>>>>
>>>>>>>> Hi Chris,
>>>>>>>>
>>>>>>>> We have a bundled ws-trust sample:
>>>>>>>>
>>>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>>>
>>>>>>>> Let us know if you need any help on it.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Jiandong
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
>>>>>>>> For additional commands, e-mail: users-help@metro.dev.java.net

Jiandong Guo

As talked about, these are configured separately for the service, STS
and client in different files:
service wsdl, sts wsdl and wsit-client.xml. So they can be set up in
different places.

Thanks!

Jiandong

Chris Richmond wrote:
> Jiandong,
>
> Part of my confusion comes from the fact that the
> certs/keystores/truststores for the sample are all kept within one location
> on one physical machine for the sample, so it's difficult for a beginner (at
> least for me) to tell what is needed where and why. Does that make sense?
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Tuesday, January 06, 2009 6:54 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
> Yes, it is encrypted selectively. You can configure to encrypt which
> part of the message.
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>
>> So are the messages using the current implementation being encrypted
>>
> between
>
>> the client and the server? Or is it only encrypted if I use SSL?
>>
>> Thanks,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Tuesday, January 06, 2009 12:10 PM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>>
>>
>>
>>> Do you have any references on how you crated the bob and alice certs for
>>>
>>>
>> the
>>
>>
>>> server and client and how to utilize a new cert for this imlementation?
>>>
>>>
>> Is
>>
>>
>>> there a turorial on createing the certes and placing them in the proper
>>> places and updating the stores appropriately?
>>>
>>>
>> You may find in any of the Java security tutorials on managing
>> certificates with KeyStores.
>>
>>
>>> I am also not 100% clean on
>>> exactly what the x509 cert is doing?
>>>
>>>
>> 1. The client use the service certificate to secure the message to the
>> service.
>> 2. The client use the STS cert to secure the messages to the STS. You
>> may configure to use SSL for security as well.
>> 3. The STS use the service cert to encrypt the proof key in the issued
>> token or the issued token itself targeted for the service.
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>>
>>> Is that only to encrypt the STS token
>>> or is it doing more? Could it be configured to encrypt all messages to
>>>
>>>
>> the
>>
>>
>>> actual services(regular impl service mainly, STS could be using SSL
>>> perhaps?)
>>>
>>> Thanks again,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Monday, January 05, 2009 11:13 AM
>>> To: users@metro.dev.java.net
>>> Cc: Fabian Ritzmann
>>> Subject: Re: STS issued token sample
>>>
>>> Ok, in this case you can always stop the service and change the policy.
>>> But the policy must be attached or referenced
>>> in the wsdl to be effective.
>>>
>>> For example, you may have your front WSDL with business logic (has
>>> Service and portType, e.g.
>>>
>>>
>>>
> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>
>>
>>
>>> .svc?wsdl)
>>> This wsdl in turn imports a back end WSDL with binding and policy
>>> referenced there (e.g
>>>
>>>
>>>
> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>
>>
>>
>>> .svc?wsdl=wsdl0).
>>>
>>> Is this something work for you?
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> CC Fabian for more insight on this.
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>> Jiandong,
>>>>
>>>> Keep in mind I do not need to be able to reconfigure on the fly.
>>>>
>>>>
>> Stopping
>>
>>
>>>> the service and deploying configuration files or stopping the server and
>>>> removing them is perfectly acceptable to me. I just mean that I could
>>>> deploy artifacts/config files without having to change my basic service
>>>>
>>>>
>>>>
>>> code
>>>
>>>
>>>
>>>> is all. That link seems to mention on the fly reconfiguration without
>>>> losing any messages, which is not a requirement. Does you answer still
>>>> stand?
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Monday, January 05, 2009 10:23 AM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Unfortunately, this is not the case currently.
>>>>
>>>> See
>>>>
>>>>
>>>>
>>>>
> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>
>>
>>
>>>
>>>
>>>
>>>> r
>>>>
>>>> Thanks!
>>>>
>>>> Jiandong
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Jiandong,
>>>>>
>>>>> It was my understanding that one feature of the WSIT toolkit is that
>>>>>
> you
>
>>>>> could take an existing JAX-WS service and as long as the proper
>>>>>
>>>>>
>> libraries
>>
>>
>>>>> are in place on the tomcat server, you could simply place additional
>>>>> .xml files in certain directories and the WSIT toolkit would
>>>>>
>>>>>
>>>>>
>>>>>
>>>> inject
>>>>
>>>>
>>>>
>>>>
>>>>> these WSDL elemenents into the document as the server generated it on
>>>>>
>>>>>
>> the
>>
>>
>>>>> fly...that way you could have an unsecured service by ommitting those
>>>>>
>>>>>
>> xml
>>
>>
>>>>> files, or make them present and make the service secure? Am I way off
>>>>>
>>>>>
>>>>>
>>>>>
>>>> base
>>>>
>>>>
>>>>
>>>>
>>>>> on my understanding?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Saturday, January 03, 2009 8:43 AM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>> Great!
>>>>>
>>>>> It is in my to do to provide a detailed description of the sample.
>>>>> Before that, here is a quick description of what is going.
>>>>>
>>>>> There are three parties in the sample: service,sts, client.
>>>>> Each party has configuration(policy) in the WSDL or wsdl like file
>>>>>
>>>>>
>>>>>
>>>>>
>>>> (client.
>>>>
>>>>
>>>>
>>>>
>>>>> 1. service:
>>>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of
>>>>>
>>>>>
>>>>>
>>>>>
>>>> polices:
>>>>
>>>>
>>>>
>>>>
>>>>> public ones to cominicate to the other parties and private ones
>>>>> (Keystore, TrustStore) for local configuration.
>>>>>
>>>>> In the policy
>>>>>
>>>>>
>>>>>
>>>>> * There is a
>>>>> under with >>>>> indicate
>>>>> that the X509 certificate of the service is used to protect the
>>>>>
>>>>>
>> messages
>>
>>
>>>>> from the client to the service.
>>>>>
>>>>> * There is an >>>>>
> indicating
>
>>>>> that an issued token from an STS
>>>>> is required for the client to acess the service.
>>>>>
>>>>> * >>>>> >>>>> >>>>> particular case,
>>>>> only the certificate of the STS is needed in the Truststore.
>>>>>
>>>>> You may have your own key store and trust store and configure them with
>>>>> these two policy assertions.
>>>>>
>>>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>>>
>>>>> In the policy
>>>>>
>>>>>
>>>>>
>>>>> * There is a
>>>>> under with >>>>> indicate
>>>>> that the X509 certificate of the service is used to protect the
>>>>>
>>>>>
>> messages
>>
>>
>>>>> from the client to the sts.
>>>>>
>>>>> * There is a >>>>>
>>>>>
>> indicating
>>
>>
>>>>> that username/password is required from the
>>>>> client to authenticate to the STS.
>>>>>
>>>>> *
>>>>> >>>>> >>>>> >>>>> particular case,
>>>>> only the certificate of all the trusted services are needed in the
>>>>> Truststore.
>>>>>
>>>>> Note that STS should maitain different key store and trust store from
>>>>>
>>>>>
>> the
>>
>>
>>>>> service.
>>>>>
>>>>> *
>>>>> >>>>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>>>> >>>>>
>>>>>
>>>>>
>>> name="usernameValidator"
>>>
>>>
>>>
>>>>> classname="common.SampleUsernamePasswordValidator"/>
>>>>>
>>>>>
>>>>> to plugin the custom class for validating the username/password of the
>>>>>
>>>>>
>>>>>
>>>>>
>>>> the
>>>>
>>>>
>>>>
>>>>
>>>>> clients.
>>>>>
>>>>> For this sample, we hard coded the username/password in the
>>>>>
>>>>>
>>>>>
>>> implementation
>>>
>>>
>>>
>>>>> class /src/common/SampleUsernamePasswordValidator.java
>>>>> You may just modify it to add for example chris/chris. In reality, you
>>>>>
>>>>>
>>>>>
>>> can
>>>
>>>
>>>
>>>>> have an validatior class connecting to a user data store, etc.
>>>>>
>>>>>
>>>>> 3. client:
>>>>>
>>>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>>>> It contains client key store and truststore information as well the
>>>>>
>>>>>
>>>>>
>>>>>
>>>> callback
>>>>
>>>>
>>>>
>>>>
>>>>> class for the username/password:
>>>>>
>>>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>>>
>>>>> Note that you need to configure the client to the service and to the
>>>>>
> STS
>
>>>>> seperately
>>>>> in wsit-client.xml.
>>>>>
>>>>> Jiandong
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>> Jiandong,
>>>>>>
>>>>>> Success!
>>>>>>
>>>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>>>> account balance and outputs Company A, Department B on the server side. I
>>>>>> tried both alice/alice and bob/bob.
>>>>>>
>>>>>> Now the real questions begin of figuring out how exactly this thing is
>>>>>> working and how I integrate it into my own servers/clients.
>>>>>>
>>>>>> What was done to create those certificates on the server and to set those
>>>>>> user credentials? That's one big area I don't understand.
>>>>>> Keystores/truststores, etc.
>>>>>>
>>>>>> It is my understanding for METRO using an STS service such as this example
>>>>>> that a truststore and keystore are both needed on the server as well as by
>>>>>> the client?
>>>>>>
>>>>>> How are these stores generated/maintained and how are users certs maintained
>>>>>> in this example?
>>>>>>
>>>>>> For example, if I wanted to add a new user chris/chris to access this
>>>>>> service, what would be the steps on the server/client for starters?
>>>>>>
>>>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>>>> than in the previous 2 weeks.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>>>
>>>>>> for installing Metro on tomcat 6.*.
>>>>>>
>>>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>>> mon-targets-tomcat.xml?rev=1.6&view=log>
>>>>>> for the Metro jars in tomcat.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>> Yes..I'm using tomcat 6.0.18
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>>>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-rt.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>>>
>>>>>>> Are you using tomcat 6.*?
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>>>> mentioned when I run the ant run-sample.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>>>> To: users@metro.dev.java.net
>>>>>>>> Subject: Re: STS issued token sample
>>>>>>>>
>>>>>>>> Follow the steps in [1]
>>>>>>>>
>>>>>>>> in the end
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Chris Richmond wrote:
>>>>>>>>
>>>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>>>> Glassfish or Tomcat..."
>>>>>>>>>
>>>>>>>>> What does this mean from the readme? It says follow the steps in step 1 and
>>>>>>>>> that *IS* step 1???
>>>>>>>>>
>>>>>>>>> Where is the step 1 it refers to?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>>>>> To: users@metro.dev.java.net
>>>>>>>>> Subject: Re: STS issued token sample
>>>>>>>>>
>>>>>>>>> Hi Chris,
>>>>>>>>>
>>>>>>>>> We have a bundled ws-trust sample:
>>>>>>>>>
>>>>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>>>>
>>>>>>>>> Let us know if you need any help on it.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> Jiandong
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Chris Richmond wrote:
>>>>>>>>>
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I have been trying and trying to get a working sample of WSIT using a
>>>>>>>>>> secured service using an STS issued token to work with absolutely no luck.
>>>>>>>>>>
>>>>>>>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>>>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>>>>>> other version(earlier?) of netbeans and things just do not work.
>>>>>>>>>>
>>>>>>>>>> What I would REALLY like to do is get a sample running using hand
>>>>>>>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>>>>>>>> integration so I can understand more what is involved. As it is now,
>>>>>>>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>>>>>> idea how to work around it.
>>>>>>>>>>
>>>>>>>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>>>>>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>>>>>> the service that is secured needs to run inside tomcat and a standard
>>>>>>>>>> command line client for that in java.
>>>>>>>>>>
>>>>>>>>>> Does anyone have a working sample similar to this or could point me to
>>>>>>>>>> a good resource for doing this? I am quite frustrated, as every
>>>>>>>>>> tutorial I have come across is targeted at running all inside
>>>>>>>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>>>>>>>> glassfish instance as the STS and the secured service. This is not
>>>>>>>>>> ideal for seeing how things work, since it uses built in development
>>>>>>>>>> keystores/truststores etc(the same one for client and service which is
>>>>>>>>>> not realistic in an environment where the client and server are on
>>>>>>>>>> different machines among other things).
>>>>>>>>>>
>>>>>>>>>> Any guidance greatly appreciated..
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

Fabian Ritzmann

Hi,

Just keep in mind that the server config file has a very specific name
- wsit-.xml. That is the
only file that will be loaded. If you stop and restart your service
that file will need to be replaced entirely if you want to change the
configuration. Also note that if the web service is bundled with a
WSDL file in WEB-INF/wsdl, the wsit config file will not be read at
all and only the policies included in the WSDL will take effect.

Fabian

On 5. Jan 2009, at 23:12, Jiandong Guo wrote:

> Ok, in this case you can always stop the service and change the
> policy. But the policy must be attached or referenced
> in the wsdl to be effective.
>
> For example, you may have your front WSDL with business logic (has
> Service and portType, e.g. http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...)
> This wsdl in turn imports a back end WSDL with binding and policy
> referenced there (e.g. http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...).
>
> Is this something that works for you?
>
> Thanks!
>
> Jiandong
>
>
> CC Fabian for more insight on this.
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>> Jiandong,
>>
>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>> the service and deploying configuration files or stopping the server and
>> removing them is perfectly acceptable to me. I just mean that I could
>> deploy artifacts/config files without having to change my basic service code
>> is all. That link seems to mention on the fly reconfiguration without
>> losing any messages, which is not a requirement. Does your answer still
>> stand?
>>
>> Thanks,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Monday, January 05, 2009 10:23 AM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Unfortunately, this is not the case currently.
>>
>> See http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>> r
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>> Chris Richmond wrote:
>>
>>> Jiandong,
>>>
>>> It was my understanding that one feature of the WSIT toolkit is that you
>>> could take an existing JAX-WS service and as long as the proper libraries
>>> are in place on the tomcat server, you could simply place additional
>>> .xml files in certain directories and the WSIT toolkit would inject
>>> these WSDL elements into the document as the server generated it on the
>>> fly...that way you could have an unsecured service by omitting those xml
>>> files, or make them present and make the service secure? Am I way off base
>>> on my understanding?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Saturday, January 03, 2009 8:43 AM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Hi Chris,
>>>
>>> Great!
>>>
>>> It is in my to do to provide a detailed description of the sample.
>>> Before that, here is a quick description of what is going.
>>>
>>> There are three parties in the sample: service,sts, client.
>>> Each party has configuration(policy) in the WSDL or wsdl like file (client.
>>>
>>> 1. service:
>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>> public ones to communicate to the other parties and private ones
>>> (Keystore, TrustStore) for local configuration.
>>>
>>> In the policy
>>>
>>> * There is a under with
>>> indicate that the X509 certificate of the service is used to
>>> protect the messages
>>> from the client to the service.
>>>
>>> * There is an indicating
>>> that an issued token from an STS is required for the client to
>>> access the service.
>>>
>>> * service. parties. In this
>>> particular case,
>>> only the certificate of the STS is needed in the Truststore.
>>>
>>> You may have your own key store and trust store and configure them with
>>> these two policy assertions.
>>>
>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>
>>> In the policy
>>>
>>> * There is a under with
>>> indicate that the X509 certificate of the service is used to
>>> protect the messages
>>> from the client to the sts.
>>>
>>> * There is a indicating
>>> that username/password is required from the client to authenticate
>>> to the STS.
>>>
>>> * this
>>> particular case,
>>> only the certificate of all the trusted services are needed in the
>>> Truststore.
>>>
>>> Note that STS should maintain different key store and trust store from the
>>> service.
>>>
>>> * xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>> name="usernameValidator"
>>> classname="common.SampleUsernamePasswordValidator"/>
>>>
>>> to plugin the custom class for validating the username/password of the
>>> clients.
>>>
>>> For this sample, we hard coded the username/password in the implementation
>>> class /src/common/SampleUsernamePasswordValidator.java
>>> You may just modify it to add for example chris/chris. In reality, you can
>>> have a validator class connecting to a user data store, etc.
>>>
>>>
>>> 3. client:
>>>
>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>> It contains client key store and truststore information as well as the callback
>>> class for the username/password:
>>>
>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>
>>> Note that you need to configure the client to the service and to the STS
>>> separately
>>> in wsit-client.xml.
>>>
>>> Jiandong
>>>
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>> Jiandong,
>>>>
>>>> Success!
>>>>
>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>> account balance and outputs Company A, Department B on the server side. I
>>>> tried both alice/alice and bob/bob.
>>>>
>>>> Now the real questions begin of figuring out how exactly this thing is
>>>> working and how I integrate it into my own servers/clients.
>>>>
>>>> What was done to create those certificates on the server and to set those
>>>> user credentials? That's one big area I don't understand.
>>>> Keystores/truststores, etc.
>>>> It is my understanding for METRO using an STS service such as this example
>>>> that a truststore and keystore are both needed on the server as well as by
>>>> the client?
>>>>
>>>> How are these stores generated/maintained and how are users certs maintained
>>>> in this example?
>>>> For example, if I wanted to add a new user chris/chris to access this
>>>> service, what would be the steps on the server/client for starters?
>>>>
>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>> than in the previous 2 weeks.
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>
>>>> for installing Metro on tomcat 6.*.
>>>>
>>>> Also modified the file etc\common-targets-tomcat.xml
>>>> mon-targets-tomcat.xml?rev=1.6&view=log>
>>>> for the Metro jars in tomcat.
>>>>
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>> Yes..I'm using tomcat 6.0.18
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>
>>>>> Are you using tomcat 6.*?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>> mentioned when I run the ant run-sample.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Follow the steps in [1]
>>>>>>
>>>>>> in the end
>>>>>>
>>>>>> [1]
>>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>> Glassfish or Tomcat..."
>>>>>>>
>>>>>>> What does this mean from the readme? It says follow the steps in step 1 and
>>>>>>> that *IS* step 1???
>>>>>>>
>>>>>>> Where is the step 1 it refers to?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Chris
>>>>>>>


Chris Richmond

Jiandong,

When the sample is running it outputs all of the received HTTP traffic to
the console, but I cannot locate where the code is that is actually
outputting it all. Can you tell me where it is being done?

Thanks,
Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Saturday, January 03, 2009 8:43 AM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Hi Chris,

Great!

It is in my to do to provide a detailed description of the sample.
Before that, here is a quick description of what is going.

There are three parties in the sample: service,sts, client.
Each party has configuration(policy) in the WSDL or wsdl like file (client.

1. service:
Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
public ones to communicate to the other parties and private ones
(Keystore, TrustStore) for local configuration.

In the policy

* There is a
under with indicate
that the X509 certificate of the service is used to protect the messages
from the client to the service.

* There is an that an issued token from an STS
is required for the client to access the service.

* particular case,
only the certificate of the STS is needed in the Truststore.

You may have your own key store and trust store and configure them with
these two policy assertions.

2. sts: /src/fs/etc/sts/sts.wsdl

In the policy

* There is a
under with indicate
that the X509 certificate of the service is used to protect the messages
from the client to the sts.

* There is a that username/password is required from the
client to authenticate to the STS.

*
particular case,
only the certificate of all the trusted services are needed in the
Truststore.

Note that STS should maintain different key store and trust store from the
service.

*
xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
classname="common.SampleUsernamePasswordValidator"/>

to plugin the custom class for validating the username/password of the
clients.

For this sample, we hard coded the username/password in the implementation
class /src/common/SampleUsernamePasswordValidator.java
You may just modify it to add for example chris/chris. In reality, you can
have a validator class connecting to a user data store, etc.

3. client:

client configuration is here src/fs/etc/client-config/wsit-client.xml.
It contains client key store and truststore information as well as the callback
class for the username/password:

src/common/SampleUsernamePasswordCallbackHandler.java

Note that you need to configure the client to the service and to the STS
separately
in wsit-client.xml.

Jiandong

Chris Richmond wrote:

>Jiandong,
>
>Success!
>
>I was finally able to run the sample in Tomcat6.0.18 and it returns the
>account balance and outputs Company A, Department B on the server side. I
>tried both alice/alice and bob/bob.
>
>
>Now the real questions begin of figuring out how exactly this thing is
>working and how I integrate it into my own servers/clients.
>
>What was done to create those certificates on the server and to set those
>user credentials? That's one big area I don't understand.
>Keystores/truststores, etc.
>
>It is my understanding for METRO using an STS service such as this example
>that a truststore and keystore are both needed on the server as well as by
>the client?
>
>How are these stores generated/maintained and how are users certs maintained
>in this example?
>
>For example, if I wanted to add a new user chris/chris to access this
>service, what would be the steps on the server/client for starters?
>
>Thanks so much for your help..I've made more progress in the last 2 days
>than in the previous 2 weeks.
>
>Thanks,
>
>Chris
>
>-----Original Message-----
>From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>Sent: Wednesday, December 31, 2008 11:20 PM
>To: users@metro.dev.java.net
>Subject: Re: STS issued token sample
>
>Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>
>for installing Metro on tomcat 6.*.
>
>Also modified the file etc\common-targets-tomcat.xml
>mon-targets-tomcat.xml?rev=1.6&view=log>
>for the Metro jars in tomcat.
>
>
>
>Chris Richmond wrote:
>
>
>>Yes..I'm using tomcat 6.0.18
>>
>>-----Original Message-----
>>From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>Sent: Wednesday, December 31, 2008 2:52 PM
>>To: users@metro.dev.java.net
>>Subject: Re: STS issued token sample
>>
>>Ah, this sample is set up for tomcat 5.* with the classpath:
>>
>>location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>
>>Are you using tomcat 6.*?
>>
>>
>>
>>
>>
>>
>>Chris Richmond wrote:
>>
>>
>>
>>
>>>Ok..I have done that installation process. But I still get the errors I
>>>mentioned when I run the ant run-sample.
>>>
>>>-----Original Message-----
>>>From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>Sent: Wednesday, December 31, 2008 2:09 PM
>>>To: users@metro.dev.java.net
>>>Subject: Re: STS issued token sample
>>>
>>>Follow the steps in [1]
>>>
>>>in the end
>>>
>>>[1]
>>>https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>
>>>
>>>
>>>Chris Richmond wrote:
>>>
>>>
>>>
>>>
>>>
>>>
>>>>'.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>Glassfish or Tomcat..."
>>>>
>>>>What does this mean from the readme? It says follow the steps in step 1 and
>>>>that *IS* step 1???
>>>>
>>>>Where is the step 1 it refers to?
>>>>
>>>>
>>>>Thanks,
>>>>
>>>>Chris
>>>>
>>>>-----Original Message-----
>>>>From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>Sent: Wednesday, December 31, 2008 12:00 PM
>>>>To: users@metro.dev.java.net
>>>>Subject: Re: STS issued token sample
>>>>
>>>>Hi Chris,
>>>>
>>>>We have a bundled ws-trust sample:
>>>>
>>>>https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>
>>>>Let us know if you need any help on it.
>>>>
>>>>Thanks!
>>>>
>>>>Jiandong
>>>>
>>>>
>>>>Chris Richmond wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Hello all,
>>>>>
>>>>>I have been trying and trying to get a working sample of WSIT using a
>>>>>secured service using an STS issued token to work with absolutely no
>>>>>luck.
>>>>>
>>>>>I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>other version(earlier?) of netbeans and things just do not work.
>>>>>
>>>>>What I would REALLY like to do is get a sample running using hand
>>>>>coded configurations rather than relying on the Netbeans/glassfish
>>>>>integration so I can understand more what is involved. As it is now,
>>>>>when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>idea how to work around it.
>>>>>
>>>>>My end goal is to run an STS secured webservice using WSIT inside
>>>>>tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>the service that is secured needs to run inside tomcat and a standard
>>>>>command line client for that in java.
>>>>>
>>>>>Does anyone have a working sample similar to this or could point me to
>>>>>a good resource for doing this? I am quite frustrated, as every
>>>>>tutorial I have come across is targeted at running all inside
>>>>>Netbeans wizards and with a servlet client that runs inside the same
>>>>>glassfish instance as the STS and the secured service. This is not
>>>>>ideal for seeing how things work, since it uses built in development
>>>>>keystores/truststores etc(the same one for client and service which is
>>>>>not realistic in an environment where the client and server are on
>>>>>different machines among other things).
>>>>>
>>>>>Any guidance greatly appreciated..
>>>>>
>>>>>
>>>>>Thanks,
>>>>>
>>>>>Chris
>>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

Jiandong Guo

in etc\targets.xml, key="com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump"
value="true"/> in the run-tc target.

Thanks!

Jiandong

Chris Richmond wrote:
> Jiandong,
>
> When the sample is running it outputs all of the received HTTP traffic to
> the console, but I cannot locate where the code is that is actually
> outputting it all. Can you tell me where it is being done?
>
> Thanks,
> Chris

Chris Richmond

Jiandong,

Success!

I was finally able to run the sample in Tomcat6.0.18 and it returns the
account balance and outputs Company A, Department B on the server side. I
tried both alice/alice and bob/bob.

Now the real questions begin of figuring out how exactly this thing is
working and how I integrate it into my own servers/clients.

What was done to create those certificates on the server and to set those
user credentials? That's one big area I don't understand.
Keystores/truststores, etc.

It is my understanding for METRO using an STS service such as this example
that a truststore and keystore are both needed on the server as well as by
the client?

How are these stores generated/maintained and how are users certs maintained
in this example?

For example, if I wanted to add a new user chris/chris to access this
service, what would be the steps on the server/client for starters?

Thanks so much for your help..I've made more progress in the last 2 days
than in the previous 2 weeks.

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, December 31, 2008 11:20 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x

for installing Metro on tomcat 6.*.

Also modified the file etc\common-targets-tomcat.xml
on-targets-tomcat.xml?rev=1.6&view=log>
for the Metro jars in tomcat.

Chris Richmond wrote:
> Yes..I'm using tomcat 6.0.18
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Wednesday, December 31, 2008 2:52 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
> Ah, this sample is set up for tomcat 5.* with the classpath:
>
> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>
> Are you using tomcat 6.*?
>
> Chris Richmond wrote:
>
>
>> Ok..I have done that installation process. But I still get the errors I
>> mentioned when I run the ant run-sample.
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Wednesday, December 31, 2008 2:09 PM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Follow the steps in [1]
>>
>> in the end
>>
>> [1]
>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>
>> Chris Richmond wrote:
>>
>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>> Glassfish or Tomcat..."
>>>
>>> What does this mean from the readme? It says follow the steps in step 1 and
>>> that *IS* step 1???
>>>
>>> Where is the step 1 it refers to?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Hi Chris,
>>>
>>> We have a bundled ws-trust sample:
>>>
>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>
>>> Let us know if you need any help on it.
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have been trying and trying to get a working sample of WSIT using a
>>>> secured service using an STS issued token to work with absolutely no luck.
>>>>
>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>> other version(earlier?) of netbeans and things just do not work.
>>>>
>>>> What I would REALLY like to do is get a sample running using hand
>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>> integration so I can understand more what is involved. As it is now,
>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>> idea how to work around it.
>>>>
>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>> the service that is secured needs to run inside tomcat and a standard
>>>> command line client for that in java.
>>>>
>>>> Does anyone have a working sample similar to this or could point me to
>>>> a good resource for doing this? I am quite frustrated, as every
>>>> tutorial I have come across is targeted at running all inside
>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>> glassfish instance as the STS and the secured service. This is not
>>>> ideal for seeing how things work, since it uses built in development
>>>> keystores/truststores etc (the same one for client and service which is
>>>> not realistic in an environment where the client and server are on
>>>> different machines among other things).
>>>>
>>>> Any guidance greatly appreciated..
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Chris

Jiandong Guo

Hi Chris,

Great!

It is in my to do to provide a detailed description of the sample.
Before that, here is a quick description of what is going.

There are three parties in the sample: service, sts, client.
Each party has configuration (policy) in the WSDL or wsdl like file (client).

1. service:
Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
public ones to communicate to the other parties and private ones
(Keystore, TrustStore) for local configuration.

In the policy

* There is a
under with indicate
that the X509 certificate of the service is used to protect the messages
from the client to the service.

* There is an that an issued token from an STS
is required for the client to access the service.

* particular case,
only the certificate of the STS is needed in the Truststore.

You may have your own key store and trust store and configure them with
these two policy assertions.

2. sts: /src/fs/etc/sts/sts.wsdl

In the policy

* There is a
under with indicate
that the X509 certificate of the service is used to protect the messages
from the client to the sts.

* There is a that username/password is required from the
client to authenticate to the STS.

*
particular case,
only the certificate of all the trusted services are needed in the
Truststore.

Note that STS should maintain different key store and trust store from the
service.

*


to plugin the custom class for validating the username/password of the
clients.

For this sample, we hard coded the username/password in the implementation
class /src/common/SampleUsernamePasswordValidator.java
You may just modify it to add for example chris/chris. In reality, you can
have a validator class connecting to a user data store, etc.

3. client:

client configuration is here src/fs/etc/client-config/wsit-client.xml.
It contains client key store and truststore information as well the callback
class for the username/password:

src/common/SampleUsernamePasswordCallbackHandler.java

Note that you need to configure the client to the service and to the STS
separately
in wsit-client.xml.

Jiandong
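
A validator that checks credentials against a user data store rather than values hard coded in the class, as the message above suggests for real deployments. This is an added example, not the sample's SampleUsernamePasswordValidator and not code from the Metro project. It assumes Java 8 or later, the Metro jars on the classpath for the PasswordValidationCallback interface, an in-memory map standing in for the real store, and a constructed chris/chris account; the class name HashedUserStoreValidator is hypothetical.

```java
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (hypothetical class, not part of the ws-trust sample).
 * Validates the username/password sent to the STS against salted PBKDF2
 * hashes, so no clear-text password lives in source code or in the store.
 */
public class HashedUserStoreValidator
        implements PasswordValidationCallback.PasswordValidator {

    private static final int ITERATIONS = 210_000; // assumption: tune for your hardware
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** One stored credential: a random salt and the derived hash. */
    private static final class Entry {
        final byte[] salt;
        final byte[] hash;
        Entry(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Assumption: stands in for the real user data store (directory, database).
    private static final Map<String, Entry> USERS = new ConcurrentHashMap<>();

    // Hashed against when the user is unknown, so a missing account costs
    // the same work as a wrong password and does not reveal valid usernames.
    private static final Entry DUMMY = newEntry("placeholder-never-matched".toCharArray());

    static {
        // Constructed demo account, mirroring the chris/chris case in the thread.
        addUser("chris", "chris".toCharArray());
    }

    /** Enrols a user by storing salt and hash only. */
    public static void addUser(String username, char[] password) {
        USERS.put(username, newEntry(password));
    }

    private static Entry newEntry(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return new Entry(salt, derive(password, salt));
    }

    private static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }

    /** Returns true only for a known user presenting the matching password. */
    static boolean check(String username, String password) {
        if (username == null || password == null || password.isEmpty()) {
            return false;
        }
        Entry stored = USERS.get(username);
        Entry target = (stored != null) ? stored : DUMMY;
        byte[] candidate = derive(password.toCharArray(), target.salt);
        // MessageDigest.isEqual compares in constant time.
        boolean match = MessageDigest.isEqual(candidate, target.hash);
        return stored != null && match;
    }

    @Override
    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        // A digest password cannot be checked against one-way hashes,
        // so anything other than a plain-text request is rejected.
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            return false;
        }
        PasswordValidationCallback.PlainTextPasswordRequest plain =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        return check(plain.getUsername(), plain.getPassword());
    }

    public static void main(String[] args) {
        System.out.println("chris/chris   -> " + check("chris", "chris"));
        System.out.println("chris/wrong   -> " + check("chris", "wrong"));
        System.out.println("mallory/chris -> " + check("mallory", "chris"));
    }
}
```

To use it in place of the sample's class, its fully qualified name goes in the validator `classname` attribute of the STS policy in sts.wsdl.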


Chris Richmond

Jiandong,

It was my understanding that one feature of the WSIT toolkit is that you
could take an existing JAX-WS service and as long as the proper libraries
are in place on the tomcat server, you could simply place additional
.xml files in certain directories and the WSIT toolkit would inject
these WSDL elements into the document as the server generated it on the
fly...that way you could have an unsecured service by omitting those xml
files, or make them present and make the service secure? Am I way off base
on my understanding?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Saturday, January 03, 2009 8:43 AM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Hi Chris,

Great!

It is in my to do to provide a detailed description of the sample.
Before that, here is a quick description of what is going.

There are three parties in the sample: service, sts, client.
Each party has configuration (policy) in the WSDL or wsdl like file (client).

1. service:
Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
public ones to communicate to the other parties and private ones
(Keystore, TrustStore) for local configuration.

In the policy

* There is a
under with indicate
that the X509 certificate of the service is used to protect the messages
from the client to the service.

* There is an that an issued token from an STS
is required for the client to access the service.

* particular case,
only the certificate of the STS is needed in the Truststore.

You may have your own key store and trust store and configure them with
these two policy assertions.

2. sts: /src/fs/etc/sts/sts.wsdl

In the policy

* There is a
under with indicate
that the X509 certificate of the service is used to protect the messages
from the client to the sts.

* There is a that username/password is required from the
client to authenticate to the STS.

*
particular case,
only the certificate of all the trusted services are needed in the
Truststore.

Note that STS should maintain different key store and trust store from the
service.

*
xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
classname="common.SampleUsernamePasswordValidator"/>

to plugin the custom class for validating the username/password of the
clients.

For this sample, we hard coded the username/password in the implementation
class /src/common/SampleUsernamePasswordValidator.java
You may just modify it to add for example chris/chris. In reality, you can
have a validator class connecting to a user data store, etc.

3. client:

client configuration is here src/fs/etc/client-config/wsit-client.xml.
It contains client key store and truststore information as well the callback
class for the username/password:

src/common/SampleUsernamePasswordCallbackHandler.java

Note that you need to configure the client to the service and to the STS
separately
in wsit-client.xml.

Jiandong

Chris Richmond wrote:

>Jiandong,
>
>Success!
>
>I was finally able to run the sample in Tomcat6.0.18 and it returns the
>account balance and outputs Company A, Department B on the server side. I
>tried both alice/alice and bob/bob.
>
>
>Now the real questions begin of figuring out how exactly this thing is
>working and how I integrate it into my own servers/clients.
>
>What was done to create those certificates on the server and to set those
>user credentials? That's one big area I don't understand.
>Keystores/truststores, etc.
>
>It is my understanding for METRO using an STS service such as this example
>that a truststore and keystore are both needed on the server as well as by
>the client?
>
>How are these stores generated/maintained and how are users certs maintained
>in this example?
>
>For example, if I wanted to add a new user chris/chris to access this
>service, what would be the steps on the server/client for starters?
>
>Thanks so much for your help..I've made more progress in the last 2 days
>than in the previous 2 weeks.
>
>Thanks,
>
>Chris
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net
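
The post above notes that the sample hard codes the username/password pairs in SampleUsernamePasswordValidator and that a real validator would consult a user data store. One way to write such a validator against Metro's PasswordValidationCallback.PasswordValidator interface, as an added example that is not part of the thread or of the WSIT sample; the class name, the `sts.users.file` property, the default file name and the record format are assumptions made for the example, and it needs the Metro runtime jar on the classpath.

```java
package common;

import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

/**
 * Added example, not part of the WSIT sample: checks STS clients against
 * salted PBKDF2 records in a properties file instead of hard-coded pairs.
 * Record format (constructed here): username=iterations:saltBase64:hashBase64
 */
public class FileBackedPasswordValidator
        implements PasswordValidationCallback.PasswordValidator {
    // Hypothetical system property naming the credential file, with a default.
    static final String STORE_PROPERTY = "sts.users.file";
    static final String DEFAULT_STORE = "sts-users.properties";
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;
    // Verified when the user is unknown, so both paths do the same work.
    private static final String DUMMY = newRecord("not-a-real-password".toCharArray());

    @Override
    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        // Only a plain-text password can be re-derived and compared to a hash.
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            return false;
        }
        PasswordValidationCallback.PlainTextPasswordRequest plain =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        String user = plain.getUsername(), password = plain.getPassword();
        if (user == null || password == null || password.isEmpty()) {
            return false;
        }
        Properties users = new Properties();
        String path = System.getProperty(STORE_PROPERTY, DEFAULT_STORE);
        try (InputStream in = new FileInputStream(path)) {
            users.load(in);
        } catch (IOException e) {
            // Fail closed: an unreadable store must never authenticate anyone.
            throw new PasswordValidationCallback.PasswordValidationException(
                    "user store unavailable");
        }
        String record = users.getProperty(user);
        boolean matches = verify(record != null ? record : DUMMY, password.toCharArray());
        return record != null && matches;
    }

    static boolean verify(String record, char[] password) {
        String[] parts = record.split(":");
        if (parts.length != 3) {
            return false;
        }
        try {
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = derive(password, salt, Integer.parseInt(parts[0]));
            return MessageDigest.isEqual(expected, actual); // constant-time compare
        } catch (IllegalArgumentException e) {
            return false; // malformed record: bad base64, salt or iteration count
        }
    }

    static String newRecord(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(KDF + " unavailable", e);
        }
    }

    // Prints the line to append to the user file for one new user.
    public static void main(String[] args) {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): FileBackedPasswordValidator <user>");
            return;
        }
        char[] password = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(args[0] + "=" + newRecord(password));
    }
}
```

Pointing the `classname` attribute quoted in the post at `common.FileBackedPasswordValidator` plugs it into the STS in place of the sample class; running `main` with a user name such as chris prints the record line to append to the file.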


Jiandong Guo

Unfortunately, this is not the case currently.

See
http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...

Thanks!

Jiandong

Chris Richmond wrote:
> Jiandong,
>
> It was my understanding that one feature of the WSIT toolkit is that you
> could take an existing JAX-WS service and as long as the proper libraries
> are in place on the tomcat server, you could simply place additional
> .xml files in certain directories and the WSIT toolkit would inject
> these WSDL elements into the document as the server generated it on the
> fly...that way you could have an unsecured service by omitting those xml
> files, or make them present and make the service secure? Am I way off base
> on my understanding?
>
> Thanks,
>
> Chris
>
>

Chris Richmond

Jiandong,

Keep in mind I do not need to be able to reconfigure on the fly. Stopping
the service and deploying configuration files or stopping the server and
removing them is perfectly acceptable to me. I just mean that I could
deploy artifacts/config files without having to change my basic service code
is all. That link seems to mention on the fly reconfiguration without
losing any messages, which is not a requirement. Does your answer still
stand?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Monday, January 05, 2009 10:23 AM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Unfortunately, this is not the case currently.

See
http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
r

Thanks!

Jiandong


Jiandong Guo

Ok, in this case you can always stop the service and change the policy.
But the policy must be attached or referenced
in the wsdl to be effective.

For example, you may have your front WSDL with business logic (has
Service and portType, e.g.
http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...)
This wsdl in turn imports a back end WSDL with binding and policy
referenced there (e.g.
http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...).

Is this something that works for you?

Thanks!

Jiandong

CC Fabian for more insight on this.

Thanks!

Jiandong

Chris Richmond wrote:
> Jiandong,
>
> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
> the service and deploying configuration files or stopping the server and
> removing them is perfectly acceptable to me. I just mean that I could
> deploy artifacts/config files without having to change my basic service code
> is all. That link seems to mention on the fly reconfiguration without
> losing any messages, which is not a requirement. Does your answer still
> stand?
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Monday, January 05, 2009 10:23 AM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
> Unfortunately, this is not the case currently.
>
> See
> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
> r
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>
>> Jiandong,
>>
>> It was my understanding that one feature of the WSIT toolkit is that you
>> could take an existing JAX-WS service and as long as the proper libraries
>> are in place on the tomcat server, you could simply place additional
>> .xml files in certain directories and the WSIT toolkit would inject
>> these WSDL elements into the document as the server generated it on the
>> fly...that way you could have an unsecured service by omitting those xml
>> files, or make them present and make the service secure? Am I way off base
>> on my understanding?
>>
>> Thanks,
>>
>> Chris
>>
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Saturday, January 03, 2009 8:43 AM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Hi Chris,
>>
>> Great!
>>
>> It is in my to do to provide a detailed description of the sample.
>> Before that, here is a quick description of what is going on.
>>
>> There are three parties in the sample: service, sts, client.
>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>
>> 1. service:
>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>> public ones to communicate to the other parties and private ones
>> (Keystore, TrustStore) for local configuration.
>>
>> In the policy
>>
>>
>>
>> * There is a
>> under with >> indicate
>> that the X509 certificate of the service is used to protect the messages
>> from the client to the service.
>>
>> * There is an >> that an issued token from an STS
>> is required for the client to access the service.
>>
>> * >> >> >> particular case,
>> only the certificate of the STS is needed in the Truststore.
>>
>> You may have your own key store and trust store and configure them with
>> these two policy assertions.
>>
>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>
>> In the policy
>>
>>
>>
>> * There is a
>> under with >> indicate
>> that the X509 certificate of the service is used to protect the messages
>> from the client to the sts.
>>
>> * There is a >> that username/password is required from the
>> client to authenticate to the STS.
>>
>> *
>> >> >> >> particular case,
>> only the certificate of all the trusted services are needed in the
>> Truststore.
>>
>> Note that STS should maintain different key store and trust store from the
>> service.
>>
>> *
>> >> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>> >> classname="common.SampleUsernamePasswordValidator"/>
>>
>>
>> to plug in the custom class for validating the username/password of the
>> clients.
>>
>> For this sample, we hard coded the username/password in the implementation
>> class /src/common/SampleUsernamePasswordValidator.java
>> You may just modify it to add for example chris/chris. In reality, you can
>> have a validator class connecting to a user data store, etc.
>>
>>
>> 3. client:
>>
>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>> It contains client key store and truststore information as well as the callback
>> class for the username/password:
>>
>> src/common/SampleUsernamePasswordCallbackHandler.java
>>
>> Note that you need to configure the client to the service and to the STS
>> separately
>> in wsit-client.xml.
>>
>> Jiandong
>>
>>
>>
>> Chris Richmond wrote:
>>
>>
>>
>>> Jiandong,
>>>
>>> Success!
>>>
>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>> account balance and outputs Company A, Department B on the server side. I
>>> tried both alice/alice and bob/bob.
>>>
>>>
>>> Now the real questions begin of figuring out how exactly this thing is
>>> working and how I integrate it into my own servers/clients.
>>>
>>> What was done to create those certificates on the server and to set those
>>> user credentials? That's one big area I don't understand.
>>> Keystores/truststores, etc.
>>>
>>> It is my understanding for METRO using an STS service such as this example
>>> that a truststore and keystore are both needed on the server as well as by
>>> the client?
>>>
>>> How are these stores generated/maintained and how are users certs maintained
>>> in this example?
>>>
>>> For example, if I wanted to add a new user chris/chris to access this
>>> service, what would be the steps on the server/client for starters?
>>>
>>> Thanks so much for your help..I've made more progress in the last 2 days
>>> than in the previous 2 weeks.
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>
>>> for installing Metro on tomcat 6.*.
>>>
>>> Also modified the file etc\common-targets-tomcat.xml
>>>
>>>
> >
>>>
>>>
>> m
>>
>>
>>> on-targets-tomcat.xml?rev=1.6&view=log>
>>> for the Metro jars in tomcat.
>>>
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>
>>>> Yes..I'm using tomcat 6.0.18
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>
>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>
>>>> Are you using tomcat 6.*?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>> mentioned when I run the ant run-sample.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Follow the steps in [1]
>>>>>
>>>>> in the end
>>>>>
>>>>> [1]
>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>> Glassfish or Tomcat..."
>>>>>>
>>>>>> What does this mean from the readme? It says follow the steps in step 1 and
>>>>>> that *IS* step 1???
>>>>>>
>>>>>> Where is the step 1 it refers to?
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Hi Chris,
>>>>>>
>>>>>> We have a bundled ws-trust sample:
>>>>>>
>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>
>>>>>> Let us know if you need any help on it.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Jiandong
>>>>>>
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I have been trying and trying to get a working sample of WSIT using a
>>>>>>> secured service using an STS issued token to work with absolutely no
>>>>>>> luck.
>>>>>>>
>>>>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>>> other version(earlier?) of netbeans and things just do not work.
>>>>>>>
>>>>>>> What I would REALLY like to do is get a sample running using hand
>>>>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>>>>> integration so I can understand more what is involved. As it is now,
>>>>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>>> idea how to work around it.
>>>>>>>
>>>>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>>> the service that is secured needs to run inside tomcat and a standard
>>>>>>> command line client for that in java.
>>>>>>>
>>>>>>> Does anyone have a working sample similar to this or could point me to
>>>>>>> a good resource for doing this? I am quite frustrated, as every
>>>>>>> tutorial I have come across is targeted at running all inside
>>>>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>>>>> glassfish instance as the STS and the secured service. This is not
>>>>>>> ideal for seeing how things work, since it uses built in development
>>>>>>> keystores/truststores etc(the same one for client and service which is
>>>>>>> not realistic in an environment where the client and server are on
>>>>>>> different machines among other things).
>>>>>>>
>>>>>>> Any guidance greatly appreciated..
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Chris

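The store layout described in the quoted January 3 message above (a separate key store and trust store for each of the three parties, with only certificates passed between them), as an added example that is not part of the thread or of the WSIT sample. It assumes a JDK `keytool` on the PATH; the directory layout, aliases, distinguished names, the PKCS12 store type and the `changeit` password are constructed placeholders.

```shell
#!/bin/sh
# Added example: one key store and one trust store per party (service, sts,
# client). Paths, aliases, DNs and the password are constructed placeholders.

STORE_PASS="${STORE_PASS:-changeit}"   # demo value only; use a real secret per store

# make_party DIR NAME: generate NAME's key pair in its own key store and export
# only the public certificate, which is all the other parties ever receive.
make_party() {
    dir=$1; name=$2
    mkdir -p "$dir/$name" || return 1
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$name.example.test, O=Constructed Sample" \
        -storetype PKCS12 -keystore "$dir/$name/keystore.p12" \
        -storepass "$STORE_PASS" >/dev/null 2>&1 || return 1
    keytool -exportcert -rfc -alias "$name" -storetype PKCS12 \
        -keystore "$dir/$name/keystore.p12" -storepass "$STORE_PASS" \
        -file "$dir/$name/$name.cer" >/dev/null 2>&1
}

# trust DIR TRUSTER TRUSTED: import TRUSTED's certificate (never its private
# key) into TRUSTER's trust store.
trust() {
    keytool -importcert -noprompt -alias "$3" -file "$1/$3/$3.cer" \
        -storetype PKCS12 -keystore "$1/$2/truststore.p12" \
        -storepass "$STORE_PASS" >/dev/null 2>&1
}

# entry_type STORE ALIAS: print PrivateKeyEntry or trustedCertEntry; return
# non-zero when the alias is not in the store.
entry_type() {
    listing=$(keytool -list -alias "$2" -storetype PKCS12 -keystore "$1" \
        -storepass "$STORE_PASS" 2>/dev/null) || return 1
    case $listing in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *) return 1 ;;
    esac
}

# build_sample_stores DIR: create the three parties and the trust edges the
# thread describes.
build_sample_stores() {
    base=$1
    for party in service sts client; do
        make_party "$base" "$party" || return 1
    done
    trust "$base" service sts    || return 1  # service needs only the STS certificate
    trust "$base" sts service    || return 1  # STS needs each trusted service's certificate
    trust "$base" client service || return 1  # client secures messages to the service
    trust "$base" client sts     || return 1  # client secures messages to the STS
}

# audit_stores DIR: succeed only if every expected certificate is present in
# the right trust store as a certificate-only entry.
audit_stores() {
    for edge in service:sts sts:service client:service client:sts; do
        truster=${edge%%:*}; trusted=${edge##*:}
        [ "$(entry_type "$1/$truster/truststore.p12" "$trusted")" = trustedCertEntry ] || {
            echo "missing or wrong entry: $truster should trust $trusted" >&2
            return 1
        }
    done
}

# Stand-alone use: sh sts-stores.sh /path/to/new/dir
if [ "$#" -gt 0 ]; then
    build_sample_stores "$1" && audit_stores "$1" && echo "stores written under $1"
fi
```

Each party's `keystore.p12` stays on that party's machine; only the exported `.cer` files are copied to the others, which is what lets the client, service and STS run on different hosts.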

Chris Richmond

Jiandong?

Yes...this might work, I'll have to explore the possibility. Anything that
could keep me from having 2 server side and 2 client side code bases(one for
secured and one for insecure) is all I am really looking for.

Also,

Do you have any references on how you created the bob and alice certs for the
server and client and how to utilize a new cert for this implementation? Is
there a tutorial on creating the certs and placing them in the proper
places and updating the stores appropriately? I am also not 100% clean on
exactly what the x509 cert is doing? Is that only to encrypt the STS token
or is it doing more? Could it be configured to encrypt all messages to the
actual services(regular impl service mainly, STS could be using SSL
perhaps?)

Thanks again,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Monday, January 05, 2009 11:13 AM
To: users@metro.dev.java.net
Cc: Fabian Ritzmann
Subject: Re: STS issued token sample

Ok, in this case you can always stop the service and change the policy.
But the policy must be attached or referenced
in the wsdl to be effective.

For example, you may have your front WSDL with business logic (has
Service and portType, e.g.
http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
.svc?wsdl)
This wsdl in turn imports a back end WSDL with binding and policy
referenced there (e.g
http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
.svc?wsdl=wsdl0).

Is this something that works for you?

Thanks!

Jiandong

CC Fabian for more insight on this.

Thanks!

Jiandong


Jiandong Guo

> Do you have any references on how you created the bob and alice certs for the
> server and client and how to utilize a new cert for this implementation? Is
> there a tutorial on creating the certs and placing them in the proper
> places and updating the stores appropriately?
You may find it in any of the Java security tutorials on managing
certificates with KeyStores.
> I am also not 100% clean on
> exactly what the x509 cert is doing?

1. The client uses the service certificate to secure the message to the
service.
2. The client uses the STS cert to secure the messages to the STS. You
may configure to use SSL for security as well.
3. The STS uses the service cert to encrypt the proof key in the issued
token or the issued token itself targeted for the service.

Thanks!

Jiandong

> Is that only to encrypt the STS token
> or is it doing more? Could it be configured to encrypt all messages to the
> actual services(regular impl service mainly, STS could be using SSL
> perhaps?)
>
> Thanks again,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Monday, January 05, 2009 11:13 AM
> To: users@metro.dev.java.net
> Cc: Fabian Ritzmann
> Subject: Re: STS issued token sample
>
> Ok, in this case you can always stop the service and change the policy.
> But the policy must be attached or referenced
> in the wsdl to be effective.
>
> For example, you may have your front WSDL with business logic (has
> Service and portType, e.g.
> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
> .svc?wsdl)
> This wsdl in turn imports a back end WSDL with binding and policy
> referenced there (e.g
> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
> .svc?wsdl=wsdl0).
>
> Is this something that works for you?
>
> Thanks!
>
> Jiandong
>
>
> CC Fabian for more insight on this.
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>
>> Jiandong,
>>
>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>> the service and deploying configuration files or stopping the server and
>> removing them is perfectly acceptable to me. I just mean that I could
>> deploy artifacts/config files without having to change my basic service code
>> is all. That link seems to mention on the fly reconfiguration without
>> losing any messages, which is not a requirement. Does your answer still
>> stand?
>>
>> Thanks,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Monday, January 05, 2009 10:23 AM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Unfortunately, this is not the case currently.
>>
>> See
>>
>>
> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>
>> r
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>> Chris Richmond wrote:
>>
>>
>>> Jiandong,
>>>
>>> It was my understanding that one feature of the WSIT toolkit is that you
>>> could take an existing JAX-WS service and as long as the proper libraries
>>> are in place on the tomcat server, you could simply place additional
>>> .xml files in certain directories and the WSIT toolkit would inject
>>> these WSDL elements into the document as the server generated it on the
>>> fly...that way you could have an unsecured service by omitting those xml
>>> files, or make them present and make the service secure? Am I way off base
>>> on my understanding?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Saturday, January 03, 2009 8:43 AM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Hi Chris,
>>>
>>> Great!
>>>
>>> It is in my to do to provide a detailed description of the sample.
>>> Before that, here is a quick description of what is going.
>>>
>>> There are three parties in the sample: service, sts, client.
>>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>>
>>> 1. service:
>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>> public ones to communicate to the other parties and private ones
>>> (Keystore, TrustStore) for local configuration.
>>>
>>> In the policy
>>>
>>>
>>>
>>> * There is a
>>> under with >>> indicate
>>> that the X509 certificate of the service is used to protect the messages
>>> from the client to the service.
>>>
>>> * There is an >>> that an issued token from an STS
>>> is required for the client to access the service.
>>>
>>> * >>> >>> >>> particular case,
>>> only the certificate of the STS is needed in the Truststore.
>>>
>>> You may have your own key store and trust store and configure them with
>>> these two policy assertions.
>>>
>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>
>>> In the policy
>>>
>>>
>>>
>>> * There is a
>>> under with >>> indicate
>>> that the X509 certificate of the service is used to protect the messages
>>> from the client to the sts.
>>>
>>> * There is a >>> that username/password is required from the
>>> client to authenticate to the STS.
>>>
>>> *
>>> >>> >>> >>> particular case,
>>> only the certificate of all the trusted services are needed in the
>>> Truststore.
>>>
>>> Note that STS should maintain different key store and trust store from the
>>> service.
>>>
>>> *
>>> >>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>> >>>
> name="usernameValidator"
>
>>> classname="common.SampleUsernamePasswordValidator"/>
>>>
>>>
>>> to plug in the custom class for validating the username/password of the
>>> clients.
>>>
>>> For this sample, we hard coded the username/password in the implementation
>>> class /src/common/SampleUsernamePasswordValidator.java
>>> You may just modify it to add for example chris/chris. In reality, you can
>>> have a validator class connecting to a user data store, etc.
>>>
>>>
>>> 3. client:
>>>
>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>> It contains client key store and truststore information as well the callback
>>> class for the username/password:
>>>
>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>
>>> Note that you need to configure the client to the service and to the STS
>>> separately in wsit-client.xml.
>>>
>>> Jiandong
>>>
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>
>>>> Jiandong,
>>>>
>>>> Success!
>>>>
>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>> account balance and outputs Company A, Department B on the server side. I
>>>> tried both alice/alice and bob/bob.
>>>>
>>>>
>>>> Now the real questions begin of figuring out how exactly this thing is
>>>> working and how I integrate it into my own servers/clients.
>>>>
>>>> What was done to create those certificates on the server and to set those
>>>> user credentials? That's one big area I don't understand.
>>>> Keystores/truststores, etc.
>>>>
>>>> It is my understanding for METRO using an STS service such as this example
>>>> that a truststore and keystore are both needed on the server as well as by
>>>> the client?
>>>>
>>>> How are these stores generated/maintained and how are users certs maintained
>>>> in this example?
>>>>
>>>> For example, if I wanted to add a new user chris/chris to access this
>>>> service, what would be the steps on the server/client for starters?
>>>>
>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>> than in the previous 2 weeks.
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>
>>>> for installing Metro on tomcat 6.*.
>>>>
>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>
>>>>
>>>>
> >
>>
>>
>>>>
>>>>
>>>>
>>> m
>>>
>>>
>>>
>>>> on-targets-tomcat.xml?rev=1.6&view=log>
>>>> for the Metro jars in tomcat.
>>>>
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> Yes..I'm using tomcat 6.0.18
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>
>>>>>
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>
>>>>> Are you using tomcat 6.*?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>> mentioned when I run the ant run-sample.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Follow the steps in [1]
>>>>>>
>>>>>> in the end
>>>>>>
>>>>>> [1] https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>
>>>>>>
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>> Glassfish or Tomcat..."
>>>>>>>
>>>>>>> What does this mean from the readme? It says follow the steps in step 1 and
>>>>>>> that *IS* step 1???
>>>>>>>
>>>>>>> Where is the step 1 it refers to?
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> We have a bundled ws-trust sample:
>>>>>>>
>>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>>
>>>>>>> Let us know if you need any help on it.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Jiandong
>>>>>>>
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I have been trying and trying to get a working sample of WSIT using a
>>>>>>>> secured service using an STS issued token to work with absolutely no
>>>>>>>> luck.
>>>>>>>>
>>>>>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>>>> other version(earlier?) of netbeans and things just do not work.
>>>>>>>>
>>>>>>>> What I would REALLY like to do is get a sample running using hand
>>>>>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>>>>>> integration so I can understand more what is involved. As it is now,
>>>>>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>>>> idea how to work around it.
>>>>>>>>
>>>>>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>>>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>>>> the service that is secured needs to run inside tomcat and a standard
>>>>>>>> command line client for that in java.
>>>>>>>>
>>>>>>>> Does anyone have a working sample similar to this or could point me to
>>>>>>>> a good resource for doing this? I am quite frustrated, as every
>>>>>>>> tutorial I have come across is targeted at running all inside
>>>>>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>>>>>> glassfish instance as the STS and the secured service. This is not
>>>>>>>> ideal for seeing how things work, since it uses built in development
>>>>>>>> keystores/truststores etc(the same one for client and service which is
>>>>>>>> not realistic in an environment where the client and server are on
>>>>>>>> different machines among other things).
>>>>>>>>
>>>>>>>> Any guidance greatly appreciated..
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

Chris Richmond

So are the messages using the current implementation being encrypted between
the client and the server? Or is it only encrypted if I use SSL?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Tuesday, January 06, 2009 12:10 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

> Do you have any references on how you created the bob and alice certs for the
> server and client and how to utilize a new cert for this implementation? Is
> there a tutorial on creating the certs and placing them in the proper
> places and updating the stores appropriately?
You may find in any of the Java security tutorials on managing
certificates with KeyStores.
> I am also not 100% clear on
> exactly what the x509 cert is doing?

1. The client uses the service certificate to secure the message to the
service.
2. The client uses the STS cert to secure the messages to the STS. You
may configure to use SSL for security as well.
3. The STS uses the service cert to encrypt the proof key in the issued
token or the issued token itself targeted for the service.

Thanks!

Jiandong

> Is that only to encrypt the STS token
> or is it doing more? Could it be configured to encrypt all messages to the
> actual services(regular impl service mainly, STS could be using SSL
> perhaps?)
>
> Thanks again,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Monday, January 05, 2009 11:13 AM
> To: users@metro.dev.java.net
> Cc: Fabian Ritzmann
> Subject: Re: STS issued token sample
>
> Ok, in this case you can always stop the service and change the policy.
> But the policy must be attached or referenced
> in the wsdl to be effective.
>
> For example, you may have your front WSDL with business logic (has
> Service and portType, e.g.
> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
> .svc?wsdl)
> This wsdl in turn imports a back end WSDL with binding and policy
> referenced there (e.g
> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
> .svc?wsdl=wsdl0).
>
> Is this something work for you?
>
> Thanks!
>
> Jiandong
>
>
> CC Fabian for more insight on this.
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>
>> Jiandong,
>>
>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>> the service and deploying configuration files or stopping the server and
>> removing them is perfectly acceptable to me. I just mean that I could
>> deploy artifacts/config files without having to change my basic service
>> code is all. That link seems to mention on the fly reconfiguration without
>> losing any messages, which is not a requirement. Does your answer still
>> stand?
>>
>> Thanks,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Monday, January 05, 2009 10:23 AM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Unfortunately, this is not the case currently.
>>
>> See
>>
>>
>
http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>
>> r
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>> Chris Richmond wrote:
>>
>>
>>> Jiandong,
>>>
>>> It was my understanding that one feature of the WSIT toolkit is that you
>>> could take an existing JAX-WS service and as long as the proper libraries
>>> are in place on the tomcat server, you could simply place additional
>>> .xml files in certain directories and the WSIT toolkit would inject
>>> these WSDL elements into the document as the server generated it on the
>>> fly...that way you could have an unsecured service by omitting those xml
>>> files, or make them present and make the service secure? Am I way off base
>>> on my understanding?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Saturday, January 03, 2009 8:43 AM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Hi Chris,
>>>
>>> Great!
>>>
>>> It is in my to do to provide a detailed description of the sample.
>>> Before that, here is a quick description of what is going.
>>>
>>> There are three parties in the sample: service, sts, client.
>>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>>
>>> 1. service:
>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>> public ones to communicate to the other parties and private ones
>>> (Keystore, TrustStore) for local configuration.
>>>
>>> In the policy
>>>
>>>
>>>
>>> * There is a
>>> under with >>> indicate
>>> that the X509 certificate of the service is used to protect the messages
>>> from the client to the service.
>>>
>>> * There is an >>> that an issued token from an STS
>>> is required for the client to access the service.
>>>
>>> * >>> >>> >>> particular case,
>>> only the certificate of the STS is needed in the Truststore.
>>>
>>> You may have your own key store and trust store and configure them with
>>> these two policy assertions.
>>>
>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>
>>> In the policy
>>>
>>>
>>>
>>> * There is a
>>> under with >>> indicate
>>> that the X509 certificate of the service is used to protect the messages
>>> from the client to the sts.
>>>
>>> * There is a indicating
>>> that username/password is required from the
>>> client to authenticate to the STS.
>>>
>>> *
>>> >>> >>> >>> particular case,
>>> only the certificate of all the trusted services are needed in the
>>> Truststore.
>>>
>>> Note that STS should maintain different key store and trust store from the
>>> service.
>>>
>>> *
>>> >>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>> >>>
> name="usernameValidator"
>
>>> classname="common.SampleUsernamePasswordValidator"/>
>>>
>>>
>>> to plug in the custom class for validating the username/password of the
>>> clients.
>>>
>>> For this sample, we hard coded the username/password in the implementation
>>> class /src/common/SampleUsernamePasswordValidator.java
>>> You may just modify it to add for example chris/chris. In reality, you can
>>> have a validator class connecting to a user data store, etc.
>>>
>>>
>>> 3. client:
>>>
>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>> It contains client key store and truststore information as well the callback
>>> class for the username/password:
>>>
>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>
>>> Note that you need to configure the client to the service and to the STS
>>> separately in wsit-client.xml.
>>>
>>> Jiandong
>>>
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>
>>>> Jiandong,
>>>>
>>>> Success!
>>>>
>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>> account balance and outputs Company A, Department B on the server side. I
>>>> tried both alice/alice and bob/bob.
>>>>
>>>>
>>>> Now the real questions begin of figuring out how exactly this thing is
>>>> working and how I integrate it into my own servers/clients.
>>>>
>>>> What was done to create those certificates on the server and to set those
>>>> user credentials? That's one big area I don't understand.
>>>> Keystores/truststores, etc.
>>>>
>>>> It is my understanding for METRO using an STS service such as this example
>>>> that a truststore and keystore are both needed on the server as well as by
>>>> the client?
>>>>
>>>> How are these stores generated/maintained and how are users certs maintained
>>>> in this example?
>>>>
>>>> For example, if I wanted to add a new user chris/chris to access this
>>>> service, what would be the steps on the server/client for starters?
>>>>
>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>> than in the previous 2 weeks.
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>
>>>> for installing Metro on tomcat 6.*.
>>>>
>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>
>>>>
>>>>
>
>
>>
>>
>>>>
>>>>
>>>>
>>> m
>>>
>>>
>>>
>>>> on-targets-tomcat.xml?rev=1.6&view=log>
>>>> for the Metro jars in tomcat.
>>>>
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> Yes..I'm using tomcat 6.0.18
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>
>>>>>
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>
>>>>> Are you using tomcat 6.*?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>> mentioned when I run the ant run-sample.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Follow the steps in [1]
>>>>>>
>>>>>> in the end
>>>>>>
>>>>>> [1] https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>
>>>>>>
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>> Glassfish or Tomcat..."
>>>>>>>
>>>>>>> What does this mean from the readme? It says follow the steps in step 1 and
>>>>>>> that *IS* step 1???
>>>>>>>
>>>>>>> Where is the step 1 it refers to?
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> We have a bundled ws-trust sample:
>>>>>>>
>>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>>
>>>>>>> Let us know if you need any help on it.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Jiandong
>>>>>>>
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I have been trying and trying to get a working sample of WSIT using a
>>>>>>>> secured service using an STS issued token to work with absolutely no
>>>>>>>> luck.
>>>>>>>>
>>>>>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>>>> other version(earlier?) of netbeans and things just do not work.
>>>>>>>>
>>>>>>>> What I would REALLY like to do is get a sample running using hand
>>>>>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>>>>>> integration so I can understand more what is involved. As it is now,
>>>>>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>>>> idea how to work around it.
>>>>>>>>
>>>>>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>>>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>>>> the service that is secured needs to run inside tomcat and a standard
>>>>>>>> command line client for that in java.
>>>>>>>>
>>>>>>>> Does anyone have a working sample similar to this or could point me to
>>>>>>>> a good resource for doing this? I am quite frustrated, as every
>>>>>>>> tutorial I have come across is targeted at running all inside
>>>>>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>>>>>> glassfish instance as the STS and the secured service. This is not
>>>>>>>> ideal for seeing how things work, since it uses built in development
>>>>>>>> keystores/truststores etc(the same one for client and service which is
>>>>>>>> not realistic in an environment where the client and server are on
>>>>>>>> different machines among other things).
>>>>>>>>
>>>>>>>> Any guidance greatly appreciated..
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net
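
The certificate placement described in the message above (the client secures messages with the service and STS certificates, and the STS encrypts for the service), together with the earlier note that the service trusts only the STS, as an added keytool example that is not part of the thread or of the WSIT sample. The aliases, file names, DNs and password are constructed for the demo, and a JDK `keytool` on the PATH is assumed.

```shell
#!/bin/sh
# Added example: one key store per key-holding party and one trust store per
# party, so no private key is shared between service, STS and client.
# Aliases, DNs, file names and the password are constructed for this demo.
PASS="changeit-demo"   # demo value only; use a distinct secret per store

# make_identity <dir> <alias>
# Creates <dir>/<alias>-keystore (private key + self-signed cert) and
# exports the public certificate to <dir>/<alias>.cer.
make_identity() {
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2.example.test" \
        -keystore "$1/$2-keystore" -storepass "$PASS" -keypass "$PASS" \
        >/dev/null 2>&1 &&
    keytool -exportcert -alias "$2" -rfc -file "$1/$2.cer" \
        -keystore "$1/$2-keystore" -storepass "$PASS" >/dev/null 2>&1
}

# trust <dir> <owner> <alias>
# Imports <alias>.cer (public certificate only) into <owner>-truststore.
trust() {
    keytool -importcert -noprompt -alias "$3" -file "$1/$3.cer" \
        -keystore "$1/$2-truststore" -storepass "$PASS" >/dev/null 2>&1
}

# count_entries <store> <PrivateKeyEntry|trustedCertEntry>
# Prints how many entries of that type the store holds.
count_entries() {
    keytool -J-Duser.language=en -list -keystore "$1" -storepass "$PASS" \
        2>/dev/null | grep -c "$2" || true
}

# build_layout <dir>: the placement described in the thread.
build_layout() {
    dir=$1
    mkdir -p "$dir" || return 1
    make_identity "$dir" service || return 1
    make_identity "$dir" sts || return 1
    trust "$dir" service sts || return 1      # service: only the STS cert
    trust "$dir" sts service || return 1      # STS: certs of trusted services
    trust "$dir" client service || return 1   # client -> service messages
    trust "$dir" client sts || return 1       # client -> STS messages
}

# check_layout <dir>: succeeds only if each store holds what it should
# and no trust store contains a private key.
check_layout() {
    dir=$1
    [ "$(count_entries "$dir/service-keystore" PrivateKeyEntry)" -eq 1 ] &&
    [ "$(count_entries "$dir/sts-keystore" PrivateKeyEntry)" -eq 1 ] &&
    [ "$(count_entries "$dir/service-truststore" trustedCertEntry)" -eq 1 ] &&
    [ "$(count_entries "$dir/sts-truststore" trustedCertEntry)" -eq 1 ] &&
    [ "$(count_entries "$dir/client-truststore" trustedCertEntry)" -eq 2 ] &&
    for s in service sts client; do
        [ "$(count_entries "$dir/$s-truststore" PrivateKeyEntry)" -eq 0 ] || return 1
    done
}

# Run with --demo to build the stores in a fresh temporary directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && build_layout "$d" && check_layout "$d" &&
        echo "store layout ok in $d"
fi
```

Only the `*-truststore` files and `.cer` files would be copied to another machine; each `*-keystore` stays with the party that owns the key.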


Jiandong Guo

Yes, it is encrypted selectively. You can configure to encrypt which
part of the message.

Thanks!

Jiandong

Chris Richmond wrote:
> So are the messages using the current implementation being encrypted between
> the client and the server? Or is it only encrypted if I use SSL?
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Tuesday, January 06, 2009 12:10 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
>
>
>> Do you have any references on how you created the bob and alice certs for the
>> server and client and how to utilize a new cert for this implementation? Is
>> there a tutorial on creating the certs and placing them in the proper
>> places and updating the stores appropriately?
>>
> You may find in any of the Java security tutorials on managing
> certificates with KeyStores.
>
>> I am also not 100% clear on
>> exactly what the x509 cert is doing?
>>
>
> 1. The client uses the service certificate to secure the message to the
> service.
> 2. The client uses the STS cert to secure the messages to the STS. You
> may configure to use SSL for security as well.
> 3. The STS uses the service cert to encrypt the proof key in the issued
> token or the issued token itself targeted for the service.
>
> Thanks!
>
> Jiandong
>
>
>> Is that only to encrypt the STS token
>> or is it doing more? Could it be configured to encrypt all messages to
>>
> the
>
>> actual services(regular impl service mainly, STS could be using SSL
>> perhaps?)
>>
>> Thanks again,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Monday, January 05, 2009 11:13 AM
>> To: users@metro.dev.java.net
>> Cc: Fabian Ritzmann
>> Subject: Re: STS issued token sample
>>
>> Ok, in this case you can always stop the service and change the policy.
>> But the policy must be attached or referenced
>> in the wsdl to be effective.
>>
>> For example, you may have your front WSDL with business logic (has
>> Service and portType, e.g.
>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>> .svc?wsdl)
>> This wsdl in turn imports a back end WSDL with binding and policy
>> referenced there (e.g
>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>> .svc?wsdl=wsdl0).
>>
>> Is this something that works for you?
>>
>> Thanks!
>>
>> Jiandong
>>
>> CC Fabian for more insight on this.
>>
>> Thanks!
>>
>> Jiandong
>>
>> Chris Richmond wrote:
>>
>>> Jiandong,
>>>
>>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>>> the service and deploying configuration files or stopping the server and
>>> removing them is perfectly acceptable to me. I just mean that I could
>>> deploy artifacts/config files without having to change my basic service code
>>> is all. That link seems to mention on the fly reconfiguration without
>>> losing any messages, which is not a requirement. Does your answer still
>>> stand?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Monday, January 05, 2009 10:23 AM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Unfortunately, this is not the case currently.
>>>
>>> See
>>> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>>> r
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>> Chris Richmond wrote:
>>>
>>>> Jiandong,
>>>>
>>>> It was my understanding that one feature of the WSIT toolkit is that you
>>>> could take an existing JAX-WS service and as long as the proper libraries
>>>> are in place on the tomcat server, you could simply place additional
>>>> .xml files in certain directories and the WSIT toolkit would inject
>>>> these WSDL elements into the document as the server generated it on the
>>>> fly...that way you could have an unsecured service by omitting those xml
>>>> files, or make them present and make the service secure? Am I way off base
>>>> on my understanding?
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Saturday, January 03, 2009 8:43 AM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Hi Chris,
>>>>
>>>> Great!
>>>>
>>>> It is in my to do to provide a detailed description of the sample.
>>>> Before that, here is a quick description of what is going on.
>>>>
>>>> There are three parties in the sample: service, sts, client.
>>>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>>>
>>>> 1. service:
>>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>>> public ones to communicate to the other parties and private ones
>>>> (Keystore, TrustStore) for local configuration.
>>>>
>>>> In the policy
>>>>
>>>> * There is a
>>>> under with >>>> indicate
>>>> that the X509 certificate of the service is used to protect the messages
>>>> from the client to the service.
>>>>
>>>> * There is an >>>> that an issued token from an STS
>>>> is required for the client to access the service.
>>>>
>>>> * >>>> >>>> >>>> particular case,
>>>> only the certificate of the STS is needed in the Truststore.
>>>>
>>>> You may have your own key store and trust store and configure them with
>>>> these two policy assertions.
>>>>
>>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>>
>>>> In the policy
>>>>
>>>> * There is a
>>>> under with >>>> indicate
>>>> that the X509 certificate of the service is used to protect the messages
>>>> from the client to the sts.
>>>>
>>>> * There is a >>>> indicating
>>>> that username/password is required from the
>>>> client to authenticate to the STS.
>>>>
>>>> *
>>>> >>>> >>>> >>>> particular case,
>>>> only the certificate of all the trusted services are needed in the
>>>> Truststore.
>>>>
>>>> Note that STS should maintain different key store and trust store from the
>>>> service.
>>>>
>>>> *
>>>> >>>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>>> >>>> name="usernameValidator"
>>>> classname="common.SampleUsernamePasswordValidator"/>
>>>>
>>>> to plugin the custom class for validating the username/password of the
>>>> clients.
>>>>
>>>> For this sample, we hard coded the username/password in the implementation
>>>> class /src/common/SampleUsernamePasswordValidator.java
>>>> You may just modify it to add for example chris/chris. In reality, you can
>>>> have a validator class connecting to a user data store, etc.
>>>>
>>>> 3. client:
>>>>
>>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>>> It contains client key store and truststore information as well as the
>>>> callback class for the username/password:
>>>>
>>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>>
>>>> Note that you need to configure the client to the service and to the STS
>>>> separately
>>>> in wsit-client.xml.
>>>>
>>>> Jiandong
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>> Jiandong,
>>>>>
>>>>> Success!
>>>>>
>>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>>> account balance and outputs Company A, Department B on the server side. I
>>>>> tried both alice/alice and bob/bob.
>>>>>
>>>>> Now the real questions begin of figuring out how exactly this thing is
>>>>> working and how I integrate it into my own servers/clients.
>>>>>
>>>>> What was done to create those certificates on the server and to set those
>>>>> user credentials? That's one big area I don't understand.
>>>>> Keystores/truststores, etc.
>>>>>
>>>>> It is my understanding for METRO using an STS service such as this example
>>>>> that a truststore and keystore are both needed on the server as well as by
>>>>> the client?
>>>>>
>>>>> How are these stores generated/maintained and how are users certs maintained
>>>>> in this example?
>>>>>
>>>>> For example, if I wanted to add a new user chris/chris to access this
>>>>> service, what would be the steps on the server/client for starters?
>>>>>
>>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>>> than in the previous 2 weeks.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chris
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>> for installing Metro on tomcat 6.*.
>>>>>
>>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>> m
>>>>> on-targets-tomcat.xml?rev=1.6&view=log>
>>>>> for the Metro jars in tomcat.
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>> Yes..I'm using tomcat 6.0.18
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>>
>>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>>
>>>>>> Are you using tomcat 6.*?
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>>> mentioned when I run the ant run-sample.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Follow the steps in [1]
>>>>>>>
>>>>>>> in the end
>>>>>>>
>>>>>>> [1]
>>>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>>> Glassfish or Tomcat..."
>>>>>>>>
>>>>>>>> What does this mean from the readme? It says follow the steps in step 1
>>>>>>>> and that *IS* step 1???
>>>>>>>>
>>>>>>>> Where is the step 1 it refers to?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>>>> To: users@metro.dev.java.net
>>>>>>>> Subject: Re: STS issued token sample
>>>>>>>>
>>>>>>>> Hi Chris,
>>>>>>>>
>>>>>>>> We have a bundled ws-trust sample:
>>>>>>>>
>>>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>>>
>>>>>>>> Let us know if you need any help on it.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Jiandong
>>>>>>>>
>>>>>>>> Chris Richmond wrote:
>>>>>>>>
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I have been trying and trying to get a working sample of WSIT using a
>>>>>>>>> secured service using an STS issued token to work with absolutely no
>>>>>>>>> luck.
>>>>>>>>>
>>>>>>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>>>>> other version(earlier?) of netbeans and things just do not work.
>>>>>>>>>
>>>>>>>>> What I would REALLY like to do is get a sample running using hand
>>>>>>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>>>>>>> integration so I can understand more what is involved. As it is now,
>>>>>>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>>>>> idea how to work around it.
>>>>>>>>>
>>>>>>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>>>>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>>>>> the service that is secured needs to run inside tomcat and a standard
>>>>>>>>> command line client for that in java.
>>>>>>>>>
>>>>>>>>> Does anyone have a working sample similar to this or could point me to
>>>>>>>>> a good resource for doing this? I am quite frustrated, as every
>>>>>>>>> tutorial I have come across is targeted at running all inside
>>>>>>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>>>>>>> glassfish instance as the STS and the secured service. This is not
>>>>>>>>> ideal for seeing how things work, since it uses built in development
>>>>>>>>> keystores/truststores etc(the same one for client and service which is
>>>>>>>>> not realistic in an environment where the client and server are on
>>>>>>>>> different machines among other things).
>>>>>>>>>
>>>>>>>>> Any guidance greatly appreciated..
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net
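
The store layout described in the quoted messages above (separate key store and trust store per party, the service trusting only the STS certificate, the STS trusting the services it issues tokens for, the client holding the service and STS certificates), as an added example that is not part of the thread or of the WSIT sample. File names, aliases, CN values, the PKCS12 store type and the `STOREPASS` variable are assumptions; the client gets only a truststore here because the thread has it authenticate to the STS with username/password.

```bash
#!/usr/bin/env bash
# Added example: one keystore and one truststore per party, built with keytool.
# Every file name, alias, CN and the password below is constructed.
set -eu

# keytool reads the password from the environment (-storepass:env), so it
# does not show up on the command line or in the process list.
STOREPASS=${STOREPASS:-demo-only-password}
export STOREPASS

# kt STORE ARGS...: run one keytool command against a PKCS12 store.
kt() {
  local store=$1
  shift
  keytool "$@" -storetype PKCS12 -keystore "$store" -storepass:env STOREPASS \
    </dev/null 2>/dev/null
}

# make_identity DIR PARTY: private key and self-signed certificate in
# DIR/PARTY-keystore.p12; the public certificate is exported to DIR/PARTY.cer.
make_identity() {
  local dir=$1 party=$2
  kt "$dir/$party-keystore.p12" -genkeypair -alias "$party" -keyalg RSA \
    -keysize 2048 -validity 365 -dname "CN=$party.example.test" >/dev/null
  kt "$dir/$party-keystore.p12" -exportcert -alias "$party" -rfc \
    -file "$dir/$party.cer" >/dev/null
}

# trust DIR OWNER PEER...: import each PEER certificate into OWNER's truststore.
trust() {
  local dir=$1 owner=$2 peer
  shift 2
  for peer in "$@"; do
    kt "$dir/$owner-truststore.p12" -importcert -noprompt -alias "$peer" \
      -file "$dir/$peer.cer" >/dev/null
  done
}

# entries STORE KIND: sorted, space-separated aliases whose entry type is KIND
# (PrivateKeyEntry or trustedCertEntry) according to "keytool -list".
entries() {
  kt "$1" -list | awk -F', ' -v kind="$2" 'index($0, kind) { print $1 }' |
    sort | paste -sd' ' -
}

# build_stores DIR: private keys stay with their owner; only .cer files move.
build_stores() {
  local dir=$1
  mkdir -p "$dir"
  make_identity "$dir" service
  make_identity "$dir" sts
  trust "$dir" service sts          # service: only the STS certificate
  trust "$dir" sts service          # STS: each service it issues tokens for
  trust "$dir" client service sts   # client: secures messages to both
}

# check_layout DIR: succeed only if every truststore holds exactly the expected
# certificates and no truststore contains a private key.
check_layout() {
  local dir=$1 bad=0 party
  [ "$(entries "$dir/service-truststore.p12" trustedCertEntry)" = "sts" ] || bad=1
  [ "$(entries "$dir/sts-truststore.p12" trustedCertEntry)" = "service" ] || bad=1
  [ "$(entries "$dir/client-truststore.p12" trustedCertEntry)" = "service sts" ] || bad=1
  for party in service sts client; do
    [ -z "$(entries "$dir/$party-truststore.p12" PrivateKeyEntry)" ] || bad=1
  done
  return "$bad"
}

# Stand-alone use: ./stores.sh --build <target-dir>
if [ "${1:-}" = "--build" ]; then
  build_stores "${2:-./sts-demo-stores}"
  check_layout "${2:-./sts-demo-stores}" && echo "store layout matches"
fi
```

Each party's key store and trust store policy assertions would then point at its own pair of files, and only the `.cer` files are copied between machines.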

Chris Richmond

Where is guidance on how and where to encrypt each part of the message?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Tuesday, January 06, 2009 6:54 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Yes, it is encrypted selectively. You can configure which part of the
message to encrypt.

Thanks!

Jiandong

Chris Richmond wrote:
> So are the messages using the current implementation being encrypted between
> the client and the server? Or is it only encrypted if I use SSL?
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Tuesday, January 06, 2009 12:10 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
>> Do you have any references on how you created the bob and alice certs for
>> the server and client and how to utilize a new cert for this implementation?
>> Is there a tutorial on creating the certs and placing them in the proper
>> places and updating the stores appropriately?
>
> You may find this in any of the Java security tutorials on managing
> certificates with KeyStores.
>
>> I am also not 100% clear on
>> exactly what the x509 cert is doing?
>
> 1. The client uses the service certificate to secure the message to the
> service.
> 2. The client uses the STS cert to secure the messages to the STS. You
> may configure to use SSL for security as well.
> 3. The STS uses the service cert to encrypt the proof key in the issued
> token or the issued token itself targeted for the service.
>
> Thanks!
>
> Jiandong
>
>> Is that only to encrypt the STS token
>> or is it doing more? Could it be configured to encrypt all messages to the
>> actual services (regular impl service mainly, STS could be using SSL
>> perhaps?)
>>
>> Thanks again,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Monday, January 05, 2009 11:13 AM
>> To: users@metro.dev.java.net
>> Cc: Fabian Ritzmann
>> Subject: Re: STS issued token sample
>>
>> Ok, in this case you can always stop the service and change the policy.
>> But the policy must be attached or referenced
>> in the wsdl to be effective.
>>
>> For example, you may have your front WSDL with business logic (has
>> Service and portType, e.g.
>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>> .svc?wsdl)
>> This wsdl in turn imports a back end WSDL with binding and policy
>> referenced there (e.g
>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa...
>> .svc?wsdl=wsdl0).
>>
>> Is this something that works for you?
>>
>> Thanks!
>>
>> Jiandong
>>
>> CC Fabian for more insight on this.
>>
>> Thanks!
>>
>> Jiandong
>>
>> Chris Richmond wrote:
>>
>>> Jiandong,
>>>
>>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>>> the service and deploying configuration files or stopping the server and
>>> removing them is perfectly acceptable to me. I just mean that I could
>>> deploy artifacts/config files without having to change my basic service code
>>> is all. That link seems to mention on the fly reconfiguration without
>>> losing any messages, which is not a requirement. Does your answer still
>>> stand?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Monday, January 05, 2009 10:23 AM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Unfortunately, this is not the case currently.
>>>
>>> See
>>> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...
>>> r
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>> Chris Richmond wrote:
>>>
>>>> Jiandong,
>>>>
>>>> It was my understanding that one feature of the WSIT toolkit is that you
>>>> could take an existing JAX-WS service and as long as the proper libraries
>>>> are in place on the tomcat server, you could simply place additional
>>>> .xml files in certain directories and the WSIT toolkit would inject
>>>> these WSDL elements into the document as the server generated it on the
>>>> fly...that way you could have an unsecured service by omitting those xml
>>>> files, or make them present and make the service secure? Am I way off base
>>>> on my understanding?
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Saturday, January 03, 2009 8:43 AM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Hi Chris,
>>>>
>>>> Great!
>>>>
>>>> It is in my to do to provide a detailed description of the sample.
>>>> Before that, here is a quick description of what is going on.
>>>>
>>>> There are three parties in the sample: service, sts, client.
>>>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>>>
>>>> 1. service:
>>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>>> public ones to communicate to the other parties and private ones
>>>> (Keystore, TrustStore) for local configuration.
>>>>
>>>> In the policy
>>>>
>>>> * There is a
>>>> under with >>>> indicate
>>>> that the X509 certificate of the service is used to protect the messages
>>>> from the client to the service.
>>>>
>>>> * There is an indicating
>>>> that an issued token from an STS
>>>> is required for the client to access the service.
>>>>
>>>> * >>>> >>>> >>>> particular case,
>>>> only the certificate of the STS is needed in the Truststore.
>>>>
>>>> You may have your own key store and trust store and configure them with
>>>> these two policy assertions.
>>>>
>>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>>
>>>> In the policy
>>>>
>>>> * There is a
>>>> under with >>>> indicate
>>>> that the X509 certificate of the service is used to protect the messages
>>>> from the client to the sts.
>>>>
>>>> * There is a >>>> indicating
>>>> that username/password is required from the
>>>> client to authenticate to the STS.
>>>>
>>>> *
>>>> >>>> >>>> >>>> particular case,
>>>> only the certificate of all the trusted services are needed in the
>>>> Truststore.
>>>>
>>>> Note that STS should maintain different key store and trust store from the
>>>> service.
>>>>
>>>> *
>>>> >>>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>>> >>>> name="usernameValidator"
>>>> classname="common.SampleUsernamePasswordValidator"/>
>>>>
>>>> to plugin the custom class for validating the username/password of the
>>>> clients.
>>>>
>>>> For this sample, we hard coded the username/password in the implementation
>>>> class /src/common/SampleUsernamePasswordValidator.java
>>>> You may just modify it to add for example chris/chris. In reality, you can
>>>> have a validator class connecting to a user data store, etc.
>>>>
>>>> 3. client:
>>>>
>>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>>> It contains client key store and truststore information as well as the
>>>> callback class for the username/password:
>>>>
>>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>>
>>>> Note that you need to configure the client to the service and to the STS
>>>> separately
>>>> in wsit-client.xml.
>>>>
>>>> Jiandong
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>> Jiandong,
>>>>>
>>>>> Success!
>>>>>
>>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>>> account balance and outputs Company A, Department B on the server side. I
>>>>> tried both alice/alice and bob/bob.
>>>>>
>>>>> Now the real questions begin of figuring out how exactly this thing is
>>>>> working and how I integrate it into my own servers/clients.
>>>>>
>>>>> What was done to create those certificates on the server and to set those
>>>>> user credentials? That's one big area I don't understand.
>>>>> Keystores/truststores, etc.
>>>>>
>>>>> It is my understanding for METRO using an STS service such as this example
>>>>> that a truststore and keystore are both needed on the server as well as by
>>>>> the client?
>>>>>
>>>>> How are these stores generated/maintained and how are users certs maintained
>>>>> in this example?
>>>>>
>>>>> For example, if I wanted to add a new user chris/chris to access this
>>>>> service, what would be the steps on the server/client for starters?
>>>>>
>>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>>> than in the previous 2 weeks.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chris
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>> for installing Metro on tomcat 6.*.
>>>>>
>>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>> m
>>>>> on-targets-tomcat.xml?rev=1.6&view=log>
>>>>> for the Metro jars in tomcat.
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>> Yes..I'm using tomcat 6.0.18
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>>
>>>>>> location="${tomcat.home}/shared/lib/webservices-rt.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>>
>>>>>> Are you using tomcat 6.*?
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>>> mentioned when I run the ant run-sample.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Follow the steps in [1]
>>>>>>>
>>>>>>> in the end
>>>>>>>
>>>>>>> [1]
>>>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>>>>>>> Glassfish or Tomcat..."
>>>>>>>>
>>>>>>>> What does this mean from the readme? It says follow the steps in step 1
>>>>>>>> and that *IS* step 1???
>>>>>>>>
>>>>>>>> Where is the step 1 it refers to?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>>>>>>> To: users@metro.dev.java.net
>>>>>>>> Subject: Re: STS issued token sample
>>>>>>>>
>>>>>>>> Hi Chris,
>>>>>>>>
>>>>>>>> We have a bundled ws-trust sample:
>>>>>>>>
>>>>>>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>>>>>>
>>>>>>>> Let us know if you need any help on it.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Jiandong
>>>>>>>>
>>>>>>>> Chris Richmond wrote:
>>>>>>>>
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I have been trying and trying to get a working sample of WSIT using a
>>>>>>>>> secured service using an STS issued token to work with absolutely no
>>>>>>>>> luck.
>>>>>>>>>
>>>>>>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>>>>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>>>>>>> other version(earlier?) of netbeans and things just do not work.
>>>>>>>>>
>>>>>>>>> What I would REALLY like to do is get a sample running using hand
>>>>>>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>>>>>>> integration so I can understand more what is involved. As it is now,
>>>>>>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>>>>>>> idea how to work around it.
>>>>>>>>>
>>>>>>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>>>>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>>>>>>> the service that is secured needs to run inside tomcat and a standard
>>>>>>>>> command line client for that in java.
>>>>>>>>>
>>>>>>>>> Does anyone have a working sample similar to this or could point me to
>>>>>>>>> a good resource for doing this? I am quite frustrated, as every
>>>>>>>>> tutorial I have come across is targeted at running all inside
>>>>>>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>>>>>>> glassfish instance as the STS and the secured service. This is not
>>>>>>>>> ideal for seeing how things work, since it uses built in development
>>>>>>>>> keystores/truststores etc(the same one for client and service which is
>>>>>>>>> not realistic in an environment where the client and server are on

>>>>>>>>> different machines among other things).
>>>>>>>>>
>>>>>>>>> Any guidance greatly appreciated..
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net


Jiandong Guo

The policy assertion and specify what
to be signed and encrypted respectively.

Thanks!

Jiandong

Chris Richmond wrote:
> Where is guidance on how and where to encrypt each part of the message?
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Tuesday, January 06, 2009 6:54 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
> Yes, it is encrypted selectively. You can configure to encrypt which
> part of the message.
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>
>> So are the messages using the current implementation being encrypted between
>> the client and the server? Or is it only encrypted if I use SSL?
>>
>> Thanks,
>>
>> Chris
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Tuesday, January 06, 2009 12:10 PM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>>
>>
>>
>>> Do you have any references on how you created the bob and alice certs for the
>>> server and client and how to utilize a new cert for this implementation? Is
>>> there a tutorial on creating the certs and placing them in the proper
>>> places and updating the stores appropriately?
>>
>> You may find in any of the Java security tutorials on managing
>> certificates with KeyStores.
>>
>>> I am also not 100% clean on
>>> exactly what the x509 cert is doing?
>>
>> 1. The client uses the service certificate to secure the message to the
>> service.
>> 2. The client uses the STS cert to secure the messages to the STS. You
>> may configure to use SSL for security as well.
>> 3. The STS uses the service cert to encrypt the proof key in the issued
>> token or the issued token itself targeted for the service.
>>
>> Thanks!
>>
>> Jiandong
>>
>>> Is that only to encrypt the STS token
>>> or is it doing more? Could it be configured to encrypt all messages to the
>>> actual services(regular impl service mainly, STS could be using SSL
>>> perhaps?)
>>>
>>> Thanks again,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Monday, January 05, 2009 11:13 AM
>>> To: users@metro.dev.java.net
>>> Cc: Fabian Ritzmann
>>> Subject: Re: STS issued token sample
>>>
>>> Ok, in this case you can always stop the service and change the policy.
>>> But the policy must be attached or referenced
>>> in the wsdl to be effective.
>>>
>>> For example, you may have your front WSDL with business logic (has
>>> Service and portType, e.g.
>>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa....svc?wsdl)
>>> This wsdl in turn imports a back end WSDL with binding and policy
>>> referenced there (e.g.
>>> http://131.107.72.15/Security_WsSecurity_Service_Indigo/WSSecureConversa....svc?wsdl=wsdl0).
>>>
>>> Is this something that works for you?
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> CC Fabian for more insight on this.
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>> Jiandong,
>>>>
>>>> Keep in mind I do not need to be able to reconfigure on the fly. Stopping
>>>> the service and deploying configuration files or stopping the server and
>>>> removing them is perfectly acceptable to me. I just mean that I could
>>>> deploy artifacts/config files without having to change my basic service code
>>>> is all. That link seems to mention on the fly reconfiguration without
>>>> losing any messages, which is not a requirement. Does your answer still
>>>> stand?
>>>>
>>>> Thanks,
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>> Sent: Monday, January 05, 2009 10:23 AM
>>>> To: users@metro.dev.java.net
>>>> Subject: Re: STS issued token sample
>>>>
>>>> Unfortunately, this is not the case currently.
>>>>
>>>> See
>>>> http://wikis.glassfish.org/metro/Wiki.jsp?page=DynamicReconfigurationOne...r
>>>>
>>>> Thanks!
>>>>
>>>> Jiandong
>>>>
>>>>
>>>> Chris Richmond wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Jiandong,
>>>>>
>>>>> It was my understanding that one feature of the WSIT toolkit is that you
>>>>> could take an existing JAX-WS service and as long as the proper libraries
>>>>> are in place on the tomcat server, you could simply place additional
>>>>> .xml files in certain directories and the WSIT toolkit would inject
>>>>> these WSDL elements into the document as the server generated it on the
>>>>> fly...that way you could have an unsecured service by omitting those xml
>>>>> files, or make them present and make the service secure? Am I way off base
>>>>> on my understanding?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>> Sent: Saturday, January 03, 2009 8:43 AM
>>>>> To: users@metro.dev.java.net
>>>>> Subject: Re: STS issued token sample
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>> Great!
>>>>>
>>>>> It is in my to do to provide a detailed description of the sample.
>>>>> Before that, here is a quick description of what is going.
>>>>>
>>>>> There are three parties in the sample: service, sts, client.
>>>>> Each party has configuration (policy) in the WSDL or wsdl like file (client.
>>>>>
>>>>> 1. service:
>>>>> Check /src/fs/etc/service/PingService.wsdl. There are two types of policies:
>>>>> public ones to communicate to the other parties and private ones
>>>>> (Keystore, TrustStore) for local configuration.
>>>>>
>>>>> In the policy
>>>>>
>>>>> * There is a under with indicate
>>>>> that the X509 certificate of the service is used to protect the messages
>>>>> from the client to the service.
>>>>>
>>>>> * There is an indicating
>>>>> that an issued token from an STS
>>>>> is required for the client to access the service.
>>>>>
>>>>> * particular case,
>>>>> only the certificate of the STS is needed in the Truststore.
>>>>>
>>>>> You may have your own key store and trust store and configure them with
>>>>> these two policy assertions.
>>>>>
>>>>> 2. sts: /src/fs/etc/sts/sts.wsdl
>>>>>
>>>>> In the policy
>>>>>
>>>>> * There is a under with indicate
>>>>> that the X509 certificate of the service is used to protect the messages
>>>>> from the client to the sts.
>>>>>
>>>>> * There is a indicating
>>>>> that username/password is required from the
>>>>> client to authenticate to the STS.
>>>>>
>>>>> * particular case,
>>>>> only the certificate of all the trusted services are needed in the
>>>>> Truststore.
>>>>>
>>>>> Note that STS should maintain different key store and trust store from the
>>>>> service.
>>>>>
>>>>> *
>>>>> xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
>>>>> name="usernameValidator"
>>>>> classname="common.SampleUsernamePasswordValidator"/>
>>>>>
>>>>> to plugin the custom class for validating the username/password of the
>>>>> clients.
>>>>>
>>>>> For this sample, we hard coded the username/password in the implementation
>>>>> class /src/common/SampleUsernamePasswordValidator.java
>>>>> You may just modify it to add for example chris/chris. In reality, you can
>>>>> have a validator class connecting to a user data store, etc.
>>>>>
>>>>>
>>>>> 3. client:
>>>>>
>>>>> client configuration is here src/fs/etc/client-config/wsit-client.xml.
>>>>> It contains client key store and truststore information as well the callback
>>>>> class for the username/password:
>>>>>
>>>>> src/common/SampleUsernamePasswordCallbackHandler.java
>>>>>
>>>>> Note that you need to configure the client to the service and to the STS
>>>>> separately
>>>>> in wsit-client.xml.
>>>>>
>>>>> Jiandong
>>>>>
>>>>>
>>>>>
>>>>> Chris Richmond wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Jiandong,
>>>>>>
>>>>>> Success!
>>>>>>
>>>>>> I was finally able to run the sample in Tomcat6.0.18 and it returns the
>>>>>> account balance and outputs Company A, Department B on the server side. I
>>>>>> tried both alice/alice and bob/bob.
>>>>>>
>>>>>>
>>>>>> Now the real questions begin of figuring out how exactly this thing is
>>>>>> working and how I integrate it into my own servers/clients.
>>>>>>
>>>>>> What was done to create those certificates on the server and to set those
>>>>>> user credentials? That's one big area I don't understand.
>>>>>> Keystores/truststores, etc.
>>>>>>
>>>>>> It is my understanding for METRO using an STS service such as this example
>>>>>> that a truststore and keystore are both needed on the server as well as by
>>>>>> the client?
>>>>>>
>>>>>> How are these stores generated/maintained and how are users certs maintained
>>>>>> in this example?
>>>>>>
>>>>>> For example, if I wanted to add a new user chris/chris to access this
>>>>>> service, what would be the steps on the server/client for starters?
>>>>>>
>>>>>> Thanks so much for your help..I've made more progress in the last 2 days
>>>>>> than in the previous 2 weeks.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>> Sent: Wednesday, December 31, 2008 11:20 PM
>>>>>> To: users@metro.dev.java.net
>>>>>> Subject: Re: STS issued token sample
>>>>>>
>>>>>> Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
>>>>>>
>>>>>> for installing Metro on tomcat 6.*.
>>>>>>
>>>>>> Also modified the file etc\common-targets-tomcat.xml
>>>>>> mon-targets-tomcat.xml?rev=1.6&view=log>
>>>>>> for the Metro jars in tomcat.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Chris Richmond wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Yes..I'm using tomcat 6.0.18
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>> Sent: Wednesday, December 31, 2008 2:52 PM
>>>>>>> To: users@metro.dev.java.net
>>>>>>> Subject: Re: STS issued token sample
>>>>>>>
>>>>>>> Ah, this sample is set up for tomcat 5.* with the classpath:
>>>>>>>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-rt.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>>>>>>> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>>>>>>>
>>>>>>> Are you using tomcat 6.*?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Chris Richmond wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Ok..I have done that installation process. But I still get the errors I
>>>>>>>> mentioned when I run the ant run-sample.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>>>>>>> Sent: Wednesday, December 31, 2008 2:09 PM
>>>>>>>> To: users@metro.dev.java.net
>>>>>>>> Subject: Re: STS issued token sample
>>>>>>>>
>>>>>>>> Follow the steps in [1]
>>>>>>>>
>>>>>>>> in the end
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>>>>>>>
>>>>>>>>
>>>>>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net
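
The certificate roles listed in the quoted reply above (the client trusts the service and STS certificates, the STS trusts the certificates of the services it issues tokens for, the service trusts only the STS certificate), laid out as one set of stores per party with keytool. This is an added example, not part of the thread or of the WSIT ws-trust sample; the aliases, file names, PKCS12 store type, self-signed certificates and the password are constructed placeholders, and the client key store is left out because the thread does not say what it holds.

```shell
#!/bin/sh
# Added example: separate key store / trust store files per party, so the
# service, the STS and the client could each sit on a different machine.
# All names and the password below are constructed placeholders.

STORE_PASS=${STORE_PASS:-changeit}   # placeholder; use a distinct secret per store

# "<party> <certificate alias>": which public certificate each party's
# trust store must contain, following the roles described in the thread.
trust_plan() {
  cat <<'EOF'
service sts
sts service
client service
client sts
EOF
}

# Certificates one party has to trust, one alias per line.
certs_for() {
  trust_plan | awk -v p="$1" '$1 == p { print $2 }'
}

# keytool wrapper: English output for parsing, never waits on stdin.
kt() { keytool -J-Duser.language=en "$@" </dev/null; }

# Create a private key per server-side party, export the public certificate,
# then import only the planned certificates into each trust store.
build_stores() {
  b_out=$1
  mkdir -p "$b_out" || return 1
  for b_owner in service sts; do
    kt -genkeypair -alias "$b_owner" -keyalg RSA -keysize 2048 -validity 365 \
       -dname "CN=$b_owner.example.test" \
       -keystore "$b_out/$b_owner-keystore.p12" -storetype PKCS12 \
       -storepass "$STORE_PASS" -keypass "$STORE_PASS" || return 1
    kt -exportcert -rfc -alias "$b_owner" \
       -keystore "$b_out/$b_owner-keystore.p12" -storetype PKCS12 \
       -storepass "$STORE_PASS" -file "$b_out/$b_owner.cer" || return 1
  done
  while read -r b_party b_cert; do
    kt -importcert -noprompt -alias "$b_cert" -file "$b_out/$b_cert.cer" \
       -keystore "$b_out/$b_party-truststore.p12" -storetype PKCS12 \
       -storepass "$STORE_PASS" || return 1
  done <<EOF
$(trust_plan)
EOF
}

# Check each trust store: no private keys, exactly the planned certificates.
verify_stores() {
  v_dir=$1
  for v_party in service sts client; do
    v_ts="$v_dir/$v_party-truststore.p12"
    v_list=$(kt -list -keystore "$v_ts" -storetype PKCS12 \
                -storepass "$STORE_PASS") || return 1
    if printf '%s\n' "$v_list" | grep -q PrivateKeyEntry; then
      echo "$v_ts: private key in a trust store" >&2; return 1
    fi
    v_want=$(certs_for "$v_party" | wc -l | tr -d ' ')
    v_have=$(printf '%s\n' "$v_list" | grep -c trustedCertEntry)
    if [ "$v_want" != "$v_have" ]; then
      echo "$v_ts: expected $v_want certificates, found $v_have" >&2; return 1
    fi
    for v_cert in $(certs_for "$v_party"); do
      kt -list -alias "$v_cert" -keystore "$v_ts" -storetype PKCS12 \
         -storepass "$STORE_PASS" >/dev/null 2>&1 \
        || { echo "$v_ts: missing $v_cert" >&2; return 1; }
    done
  done
}

# Build and check only when asked to:  sh stores.sh --build ./stores
if [ "${1:-}" = "--build" ]; then
  build_stores "${2:-./stores}" && verify_stores "${2:-./stores}" \
    && echo "stores OK in ${2:-./stores}"
fi
```

Each party then copies only its own key store and trust store to its machine; the exported `.cer` files are the only material that crosses between them.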

Chris Richmond

Jiandong,

Progress!

I found that the sts war wasn't being rebuilt without the clean ant target so
that was left over from my earlier bad builds, now it builds, runs asks me
for username/password to which I reply alice/and here is what happens:

( replaced large binary strings with
placeholder so the output wasn't so huge here. I cannot figure out exactly
what is going on...I see that there was a 500 server error...along with some
HTML being returned??? Do you have any ideas?

Thanks,
Chris

[java] ***Please Enter Your User Name:
alice
[java] ***Please Enter Your Password:
alice
[java] ---[HTTP request - http://localhost:8080/jaxws-fs-sts/sts]---
[java] Content-type: application/soap+xml;charset="utf-8";action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"
[java] Accept: application/soap+xml, multipart/related, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

Chris Richmond

Hmm...I also checked the webapps/jaxws-fs-sts directory in tomcat that was
deployed during the build and it is totally empty. There is only

/WEB-INF

/wsdl

Only those completely empty directories. Clearly something has gone wrong
in the build/deployment of the STS?

Thanks,

Chris


Chris Richmond

Jiandong,

Ok I am able to start the build, it runs through most of the process,
deploys the wars, but fails on run-tc:

It seems as though the STS deployed and there are no tomcat log errors,
however I cannot locate the STS anywhere by URL in the browser either. And
it certainly is not located at the URL it is trying to find below..and so
hence the MEX is not being found either.

Any ideas?

Thanks again,

Chris

run-tc:
[mkdir] Created dir: C:\wsit\wsit\samples\ws-trust\src\build\classes\META-INF\services
[java] Jan 2, 2009 2:38:18 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
[java] INFO: WSP1049: Loaded WSIT configuration from file: file:/C:/wsit/wsit/samples/ws-trust/src/fs/etc/client-config/wsit-client.xml
[java] Service URL=http://localhost:8080/jaxws-fs/simple
[java] STS URL=http://localhost:8080/jaxws-fs-sts/sts
[java] Jan 2, 2009 2:38:19 PM com.sun.xml.ws.security.trust.impl.TrustPluginImpl doMexRequest
[java] SEVERE: WST0017:Could not obtain STS metadata. MEX call to STS http://localhost:8080/jaxws-fs-sts/sts/mex failed.
[java] Jan 2, 2009 2:38:19 PM com.sun.xml.wss.jaxws.impl.SecurityClientTube invokeTrustPlugin
[java] SEVERE: WSSTUBE0035: Recieved Exception during IssuedToken Creation.
[java] com.sun.xml.ws.api.security.trust.WSTrustException: WST0017:Could not obtain STS metadata. MEX call to STS http://localhost:8080/jaxws-fs-sts/sts/mex failed.
[java] at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.doMexRequest(TrustPluginImpl.java:627)
[java] at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:480)
[java] at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:163)
[java] at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:53)
[java] at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:568)
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:200)
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:167)
[java] at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
[java] at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
[java] at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
[java] at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
[java] at com.sun.xml.ws.client.Stub.process(Stub.java:222)
[java] at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
[java] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
[java] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
[java] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
[java] at $Proxy40.getAccountBalance(Unknown Source)
[java] at simple.client.FinancialServiceClient.main(FinancialServiceClient.java:79)
[java] Caught Exception: WSSTUBE0035: Recieved Exception during IssuedToken Creation.
[java] javax.xml.ws.WebServiceException: WSSTUBE0035: Recieved Exception during IssuedToken Creation.
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:577)
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:200)
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:167)
[java] at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
[java] at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
[java] at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
[java] at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
[java] at com.sun.xml.ws.client.Stub.process(Stub.java:222)
[java] at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
[java] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
[java] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
[java] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
[java] at $Proxy40.getAccountBalance(Unknown Source)
[java] at simple.client.FinancialServiceClient.main(FinancialServiceClient.java:79)
[java] Caused by: com.sun.xml.ws.api.security.trust.WSTrustException: WST0017:Could not obtain STS metadata. MEX call to STS http://localhost:8080/jaxws-fs-sts/sts/mex failed.
[java] at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.doMexRequest(TrustPluginImpl.java:627)
[java] at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:480)
[java] at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:163)
[java] at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:53)
[java] at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
[java] at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:568)
[java] ... 13 more


Chris Richmond

Jiandong,

Ok I found one problem. When I list tomcat.home in the .properties file as
C:\apache-tomcat-6.0.18

it is interpreted as

C: apache-tomcat-6.0.18 (notice the directory slash is gone)

So I changed it to using the other slash (/) and now those taskdefs do not
fail, so the build continues on, but during deployment, the STS cannot
start up and tomcat gives the error I copied at the end of this email.

Now I went through the installing METRO on tomcat 6 procedure and I have
even copied webservices-api.jar to my jdk/jre/endorsed tomcat/endorsed
tomcat/lib tomcat/shared/lib....EVERYWHERE! but it still seems as if that
com/sun/xml/ws/security/trust/sts/BaseSTSImpl cannot be found!

Any ideas?

Thanks,

Chris

SEVERE: WSSERVLET11: failed to parse runtime descriptor: java.lang.NoClassDefFoundError: com/sun/xml/ws/security/trust/sts/BaseSTSImpl
java.lang.NoClassDefFoundError: com/sun/xml/ws/security/trust/sts/BaseSTSImpl
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1847)
at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:890)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1354)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.getImplementorClass(DeploymentDescriptorParser.java:545)
at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:223)
at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
at com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:108)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1217)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:293)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1337)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1601)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1610)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1590)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.ClassNotFoundException: com.sun.xml.ws.security.trust.sts.BaseSTSImpl
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
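
Why the backslash in tomcat.home disappeared, as an added example that is not part of the original post: it assumes the sample's build loads the .properties file through java.util.Properties (which Ant's property-file support uses), where a backslash is an escape character. The class name, the helper methods and the second sample path (C:\tomcat6) are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/** Added illustration: how java.util.Properties parses Windows paths in a .properties line. */
public class TomcatHomeEscapes {

    /** Parse .properties text and return the value stored under tomcat.home. */
    static String parse(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        return props.getProperty("tomcat.home");
    }

    /**
     * True when the value contains a control character, or starts with a drive
     * letter whose colon is not followed by a path separator. Both are signs
     * that a backslash was consumed as an escape while the file was loaded.
     */
    static boolean looksMangled(String value) {
        if (value == null) {
            return true;
        }
        for (char c : value.toCharArray()) {
            if (Character.isISOControl(c)) {
                return true;
            }
        }
        boolean hasDrive = value.length() > 2
                && Character.isLetter(value.charAt(0))
                && value.charAt(1) == ':';
        if (!hasDrive) {
            return false;
        }
        char afterColon = value.charAt(2);
        return afterColon != '/' && afterColon != '\\';
    }

    /** Make control characters visible so the damage shows up on the console. */
    static String visible(String value) {
        return value.replace("\t", "<TAB>").replace("\n", "<LF>")
                    .replace("\r", "<CR>").replace("\f", "<FF>");
    }

    public static void main(String[] args) throws IOException {
        // Each Java literal below is the text as it would appear in the file:
        // "\\" in Java source is a single backslash in the .properties file.
        Map<String, String> lines = new LinkedHashMap<String, String>();
        lines.put("single backslash (as in the post)",
                  "tomcat.home=C:\\apache-tomcat-6.0.18");
        lines.put("doubled backslash",
                  "tomcat.home=C:\\\\apache-tomcat-6.0.18");
        lines.put("forward slash (the change made in the post)",
                  "tomcat.home=C:/apache-tomcat-6.0.18");
        lines.put("single backslash before 't' (constructed)",
                  "tomcat.home=C:\\tomcat6");

        for (Map.Entry<String, String> entry : lines.entrySet()) {
            String parsed = parse(entry.getValue());
            System.out.println(entry.getKey());
            System.out.println("  file text : " + entry.getValue());
            System.out.println("  parsed    : " + visible(parsed));
            System.out.println("  mangled?  : " + looksMangled(parsed));
        }
        // "\a" is not a recognised escape, so the backslash is dropped and the
        // value becomes C:apache-tomcat-6.0.18. "\t" is recognised, so the
        // constructed path becomes C:<TAB>omcat6. Doubling the backslash or
        // using a forward slash keeps the path intact.
    }
}
```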


Chris Richmond

Specifically when I try to run:

ant run-sample:

Buildfile: build.xml

run-sample:
[echo] RUN SAMPLE

setup-tc:
[echo] In setup-TC in targets.xml
[echo] TC

BUILD FAILED
C:\wsit\wsit\wsit\samples\ws-trust\src\fs\build.xml:53: The following error occurred while executing this line:
C:\wsit\wsit\wsit\samples\ws-trust\etc\common-targets-tomcat.xml:48: taskdef class org.apache.catalina.ant.DeployTask cannot be found

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, December 31, 2008 12:00 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Hi Chris,

We have a bundled ws-trust sample:

https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.

Let us know if you need any help on it.

Thanks!

Jiandong


Chris Richmond

".. 1. Follow the steps in [1] to download, build and install WSIT in
Glassfish or Tomcat..."

What does this mean from the readme? It says follow the steps in step 1 and
that *IS* step 1???

Where is the step 1 it refers to?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, December 31, 2008 12:00 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Hi Chris,

We have a bundled ws-trust sample:

https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.

Let us know if you need any help on it.

Thanks!

Jiandong


Jiandong Guo

Follow the steps in [1]

in the end

[1] https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/...

Chris Richmond wrote:

>'.. 1. Follow the steps in [1] to download, build and install WSIT in
>Glassfish or Tomcat..."
>
>What does this mean from the readme? It says follow the steps in step 1 and
>that *IS* step 1???
>
>Where is the step 1 it refers to?
>
>
>Thanks,
>
>Chris

Chris Richmond

Ok..I have done that installation process. But I still get the errors I
mentioned when I run the ant run-sample.

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, December 31, 2008 2:09 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Follow the steps in [1]

in the end

[1]
https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/...
_Download_Build_Install.html


Jiandong Guo

Ah, this sample is set up for tomcat 5.* with the classpath:

Are you using tomcat 6.*?

Chris Richmond wrote:

>Ok..I have done that installation process. But I still get the errors I
>mentioned when I run the ant run-sample.

Chris Richmond

Yes..I'm using tomcat 6.0.18

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, December 31, 2008 2:52 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Ah, this sample is set up for tomcat 5.* with the classpath:

location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>

Are you using tomcat 6.*?


Jiandong Guo

Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
for installing Metro on tomcat 6.*.

Also modified the file etc\common-targets-tomcat.xml
for the Metro jars in tomcat.

Chris Richmond wrote:
> Yes..I'm using tomcat 6.0.18
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Wednesday, December 31, 2008 2:52 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
> Ah, this sample is set up for tomcat 5.* with the classpath:
>
>
>
> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>
> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>
>
> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>
> Are you using tomcat 6.*?
>
>
>
>
>
>
> Chris Richmond wrote:
>
>
>> Ok..I have done that installation process. But I still get the errors I
>> mentioned when I run the ant run-sample.
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Wednesday, December 31, 2008 2:09 PM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Follow the steps in [1]
>>
>> in the end
>>
>> [1]
>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>
>>
>>
>> Chris Richmond wrote:
>>
>>
>>
>>
>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>> Glassfish or Tomcat..."
>>>
>>> What does this mean from the readme? It says follow the steps in step 1
>>> and that *IS* step 1???
>>>
>>> Where is the step 1 it refers to?
>>>
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Hi Chris,
>>>
>>> We have a bundled ws-trust sample:
>>>
>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>
>>> Let us know if you need any help on it.
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>
>>>
>>>
>>>> Hello all,
>>>>
>>>> I have been trying and trying to get a working sample of WSIT using a
>>>> secured service using an STS issued token to work with absolutely no
>>>> luck.
>>>>
>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>> other version(earlier?) of netbeans and things just do not work.
>>>>
>>>> What I would REALLY like to do is get a sample running using hand
>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>> integration so I can understand more what is involved. As it is now,
>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>> idea how to work around it.
>>>>
>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>> the service that is secured needs to run inside tomcat and a standard
>>>> command line client for that in java.
>>>>
>>>> Does anyone have a working sample similar to this or could point me to
>>>> a good resource for doing this? I am quite frustrated, as every
>>>> tutorial I have come across is targeted at running all inside
>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>> glassfish instance as the STS and the secured service. This is not
>>>> ideal for seeing how things work...since it uses built in development
>>>> keystores/truststores etc(the same one for client and service which is
>>>> not realistic in an environment where the client and server are on
>>>> different machines among other things).
>>>>
>>>> Any guidance greatly appreciated..
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Chris

Chris Richmond

Jiandong,

Is the common-targets-tomcat.xml updated in CVS? I went and the last
update I see is still from 10 months ago and the file is identical to the
one I downloaded with the full samples package. Has it been updated?

Thanks,

Chris

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Wednesday, December 31, 2008 11:20 PM
To: users@metro.dev.java.net
Subject: Re: STS issued token sample

Ok. Check out http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
for installing Metro on tomcat 6.*.

Also modified the file etc\common-targets-tomcat.xml
on-targets-tomcat.xml?rev=1.6&view=log>
for the Metro jars in tomcat.

Chris Richmond wrote:
> Yes..I'm using tomcat 6.0.18
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Wednesday, December 31, 2008 2:52 PM
> To: users@metro.dev.java.net
> Subject: Re: STS issued token sample
>
> Ah, this sample is set up for tomcat 5.* with the classpath:
>
>
>
> location="${tomcat.home}/shared/lib/webservices-tools.jar"/>
>
> location="${tomcat.home}/shared/lib/webservices-extra.jar"/>
>
> location="${tomcat.home}/shared/lib/webservices-api.jar"/>
>
> location="${tomcat.home}/shared/lib/webservices-extra-api.jar"/>
>
> Are you using tomcat 6.*?
>
>
>
>
>
>
> Chris Richmond wrote:
>
>
>> Ok..I have done that installation process. But I still get the errors I
>> mentioned when I run the ant run-sample.
>>
>> -----Original Message-----
>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>> Sent: Wednesday, December 31, 2008 2:09 PM
>> To: users@metro.dev.java.net
>> Subject: Re: STS issued token sample
>>
>> Follow the steps in [1]
>>
>> in the end
>>
>> [1]
>> https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/docs/howto/WSIT_Download_Build_Install.html
>>
>>
>>
>> Chris Richmond wrote:
>>
>>
>>
>>
>>> '.. 1. Follow the steps in [1] to download, build and install WSIT in
>>> Glassfish or Tomcat..."
>>>
>>> What does this mean from the readme? It says follow the steps in step 1
>>> and that *IS* step 1???
>>>
>>> Where is the step 1 it refers to?
>>>
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
>>> Sent: Wednesday, December 31, 2008 12:00 PM
>>> To: users@metro.dev.java.net
>>> Subject: Re: STS issued token sample
>>>
>>> Hi Chris,
>>>
>>> We have a bundled ws-trust sample:
>>>
>>> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>>>
>>> Let us know if you need any help on it.
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>> Chris Richmond wrote:
>>>
>>>
>>>
>>>
>>>
>>>
>>>> Hello all,
>>>>
>>>> I have been trying and trying to get a working sample of WSIT using a
>>>> secured service using an STS issued token to work with absolutely no
>>>> luck.
>>>>
>>>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>>>> plain doesn't work..it has dialogs and tabs/options that are for some
>>>> other version(earlier?) of netbeans and things just do not work.
>>>>
>>>> What I would REALLY like to do is get a sample running using hand
>>>> coded configurations rather than relying on the Netbeans/glassfish
>>>> integration so I can understand more what is involved. As it is now,
>>>> when something goes wrong with the Netbeans IDE wizards, I have no
>>>> idea how to work around it.
>>>>
>>>> My end goal is to run an STS secured webservice using WSIT inside
>>>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>>>> the service that is secured needs to run inside tomcat and a standard
>>>> command line client for that in java.
>>>>
>>>> Does anyone have a working sample similar to this or could point me to
>>>> a good resource for doing this? I am quite frustrated, as every
>>>> tutorial I have come across is targeted at running all inside
>>>> Netbeans wizards and with a servlet client that runs inside the same
>>>> glassfish instance as the STS and the secured service. This is not
>>>> ideal for seeing how things work...since it uses built in development
>>>> keystores/truststores etc(the same one for client and service which is
>>>> not realistic in an environment where the client and server are on
>>>> different machines among other things).
>>>>
>>>> Any guidance greatly appreciated..
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Chris

Jiandong Guo

Hi Chris,

We have a bundled ws-trust sample:

https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.

Let us know if you need any help on it.

Thanks!

Jiandong

Chris Richmond wrote:

> Hello all,
>
> I have been trying and trying to get a working sample of WSIT using a
> secured service using an STS issued token to work with absolutely no luck.
>
> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
> plain doesn’t work….it has dialogs and tabs/options that are for some
> other version(earlier?) of netbeans and things just do not work.
>
> What I would REALLY like to do is get a sample running using hand
> coded configurations rather than relying on the Netbeans/glassfish
> integration so I can understand more what is involved. As it is now,
> when something goes wrong with the Netbeans IDE wizards, I have no
> idea how to work around it.
>
> My end goal is to run an STS secured webservice using WSIT inside
> tomcat 6. It would be fine if the STS were in Glassfish for now, but
> the service that is secured needs to run inside tomcat and a standard
> command line client for that in java.
>
> Does anyone have a working sample similar to this or could point me to
> a good resource for doing this? I am quite frustrated, as every
> tutorial I have come across is targeted at running all inside
> Netbeans wizards and with a servlet client that runs inside the same
> glassfish instance as the STS and the secured service. This is not
> ideal for seeing how things work…since it uses built in development
> keystores/truststores etc(the same one for client and service which is
> not realistic in an environment where the client and server are on
> different machines among other things).
>
> Any guidance greatly appreciated….
>
>
> Thanks,
>
> Chris
>

Jiandong Guo

I should say there are really multiple samples in the link provided.

1. A basic sample. Check out the readme there.

2. Extension of the basic sample to connect to SUN's AccessManager for
access control of issuing tokens on the STS.

3. An advanced sample
https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/valid...
where the STS serves both as a token issuing and token validating party.

4. Interop samples:
https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/interop/
Samples to work with Microsoft WCF plugfest public endpoints.

Thanks!

Jiandong

Jiandong Guo wrote:

> Hi Chris,
>
> We have a bundled ws-trust sample:
>
> https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/.
>
> Let us know if you need any help on it.
>
> Thanks!
>
> Jiandong
>
>
> Chris Richmond wrote:
>
>> Hello all,
>>
>> I have been trying and trying to get a working sample of WSIT using a
>> secured service using an STS issued token to work with absolutely no
>> luck.
>>
>> I am using Netbeans 6.5 and Glassfish, but the WSIT tutorial just
>> plain doesn’t work….it has dialogs and tabs/options that are for some
>> other version(earlier?) of netbeans and things just do not work.
>>
>> What I would REALLY like to do is get a sample running using hand
>> coded configurations rather than relying on the Netbeans/glassfish
>> integration so I can understand more what is involved. As it is now,
>> when something goes wrong with the Netbeans IDE wizards, I have no
>> idea how to work around it.
>>
>> My end goal is to run an STS secured webservice using WSIT inside
>> tomcat 6. It would be fine if the STS were in Glassfish for now, but
>> the service that is secured needs to run inside tomcat and a standard
>> command line client for that in java.
>>
>> Does anyone have a working sample similar to this or could point me
>> to a good resource for doing this? I am quite frustrated, as every
>> tutorial I have come across is targeted at running all inside
>> Netbeans wizards and with a servlet client that runs inside the same
>> glassfish instance as the STS and the secured service. This is not
>> ideal for seeing how things work…since it uses built in development
>> keystores/truststores etc(the same one for client and service which is
>> not realistic in an environment where the client and server are on
>> different machines among other things).
>>
>> Any guidance greatly appreciated….
>>
>>
>> Thanks,
>>
>> Chris
>>

Jiandong Guo

In case you have been using the DOM API to get user information from a SAML
assertion:

http://blogs.sun.com/trustjdg/entry/parsing_saml_assertion_with_metro
