
Access raw STS response using Metro

14 replies
cbr600
Joined: 2009-05-13

Hi all,

I have just encountered a problem with my Java Metro STS client.

Problem description: I requested a security token with claim data which cannot be provided by the STS. The STS returned a meaningful error message (e.g. claim data blah is not available) but my Java Metro client outputs this error message:
"Error: {http://www.w3.org/2001/12/soap-envelope}Sender is not a standard Code value"
This error message is not really helpful for the end user.

I am just wondering if there is any way we can access the raw STS response?

Any help or advice would be greatly appreciated.

Regards,
Phillip
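Added example, not code from this thread or from Metro: the message quoted above is what SAAJ prints when it is asked to build a SOAP 1.2 fault whose Code/Value resolves to the 2001 draft namespace (http://www.w3.org/2001/12/soap-envelope) rather than the final one (http://www.w3.org/2003/05/soap-envelope), and the STS's own reason text is lost in the process. The reader below takes the raw response bytes and reports Code, Reason/Text and Detail under either namespace, and flags the draft-namespace case explicitly. The class name, the helper names and the sample fault in main() are mine; the sample is constructed, not a captured STS response.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Reads a SOAP 1.2 fault whether it uses the final namespace or the 2001 draft
 * namespace, so the reason text the STS actually sent can be shown instead of
 * the SAAJ complaint "... is not a standard Code value".
 */
public class StsFaultReader {

    static final String SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
    // Draft namespace that some STS implementations still put on faults.
    static final String SOAP12_DRAFT = "http://www.w3.org/2001/12/soap-envelope";

    /** Returns a one-line description of the fault, or null if the body carries no Fault. */
    public static String describeFault(String rawResponse) throws Exception {
        Element env = parse(rawResponse).getDocumentElement();
        String ns = env.getNamespaceURI();
        if (!SOAP12.equals(ns) && !SOAP12_DRAFT.equals(ns)) {
            return null; // not a SOAP 1.2 envelope (final or draft)
        }
        Element fault = first(env, ns, "Fault");
        if (fault == null) return null;

        Element value = first(first(fault, ns, "Code"), ns, "Value");
        Element text = first(first(fault, ns, "Reason"), ns, "Text");
        Element detail = first(fault, ns, "Detail");

        StringBuilder out = new StringBuilder();
        out.append(codeLocalPart(value)).append(": ");
        out.append(text == null ? "(no Reason/Text)" : text.getTextContent().trim());
        if (detail != null) {
            out.append(" [detail: ").append(detail.getTextContent().trim()).append(']');
        }
        // The check SAAJ performs: a SOAP 1.2 fault code must resolve to the final namespace.
        if (SOAP12_DRAFT.equals(codeNamespace(value))) {
            out.append(" (fault code is in the 2001 draft namespace, which SAAJ rejects)");
        }
        return out.toString();
    }

    /** First descendant element with the given namespace and local name; null if absent. */
    static Element first(Element parent, String ns, String local) {
        if (parent == null) return null;
        NodeList nodes = parent.getElementsByTagNameNS(ns, local);
        return nodes.getLength() == 0 ? null : (Element) nodes.item(0);
    }

    /** "S:Sender" -> "Sender". */
    static String codeLocalPart(Element value) {
        if (value == null) return "(no Code/Value)";
        String qname = value.getTextContent().trim();
        int colon = qname.indexOf(':');
        return colon < 0 ? qname : qname.substring(colon + 1);
    }

    /** Resolves the prefix of the Code/Value QName against the in-scope namespace declarations. */
    static String codeNamespace(Element value) {
        if (value == null) return null;
        String qname = value.getTextContent().trim();
        int colon = qname.indexOf(':');
        String prefix = colon < 0 ? null : qname.substring(0, colon);
        return value.lookupNamespaceURI(prefix);
    }

    /** Hardened DOM parse: no DTDs, so a hostile response cannot trigger XXE or entity expansion. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (not a real STS capture): a fault in the draft namespace.
        String sample =
              "<S:Envelope xmlns:S=\"" + SOAP12_DRAFT + "\"><S:Body><S:Fault>"
            + "<S:Code><S:Value>S:Sender</S:Value></S:Code>"
            + "<S:Reason><S:Text xml:lang=\"en\">Requested claim is not available</S:Text></S:Reason>"
            + "</S:Fault></S:Body></S:Envelope>";
        System.out.println(describeFault(sample));
    }
}
```

To get the raw bytes to feed into it, the simplest switch in the JAX-WS RI is the transport dump, -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true, which logs every request and response the client transport sends and receives, including the RST/RSTR exchange Metro performs with the STS; turn it off again afterwards, since the dump also contains the tokens and signatures in those messages.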

Igor Mameshin

OpenSSO folks pointed me to the TrustAuthorityClient API, which can be used to
obtain a SAML assertion from the OpenSSO STS based on the user's Single
Sign-On token. I will go ahead and try to implement Metro's
SamlCallbackHandler with it. Will keep you updated on the progress.

Thank you,

Igor

_____

From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 3:25 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Basically, with the OpenSSO SDK to call the STS, you should be able to
get the SAML assertion returned from the STS.

Then use a Metro-based client to call the service. You need to supply
a SAML callback handler, as illustrated by this sample:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/propagate/s...
ommon/SamlCallbackHandler.java?r=1.1

Here is how you plug the callback handler into the client:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/propagate/s...
s/etc/service/client/wsit-client.xml?r=1.1, line 55-57.

Thanks!

Jiandong

Jiandong Guo wrote:

I need to understand more about the process:

Igor Mameshin wrote:

Hi Jiandong,

Yes, in my case keystore.jks contains certificate "test" which was used by
the STS to sign the SAML assertion.

> You should let Metro create the Security header for the request
message. Use a callback handler
> to set the SAML assertion obtained from the OpenSSO STS.

I will try to use Metro to create security headers.

My challenge is how to create SAML subject and attribute statements that
are derived from the OpenSSO SSO token. You can take a look at the attached
SOAP message that contains the SAML subject.

Who created the attached message? With the OpenSSO client?
Then how do you send it to the service? With a JAX-WS Dispatch client?

(Subject fragment from the attached SOAP message; the element tags were partly lost in extraction, the attribute name before "http://example.com" is not recoverable.)

    <saml:NameID ...="http://example.com">id=bankUser,ou=user,dc=opensso,dc=java,dc=net</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>

I used the OpenSSO SDK to get the subject:

import javax.security.auth.Subject;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

// Build a JAAS Subject that carries the caller's OpenSSO session token as a private credential.
SSOTokenManager manager = SSOTokenManager.getInstance();
SSOToken ssoToken = manager.createSSOToken(httpRequest);   // httpRequest: the current HttpServletRequest; throws SSOException if the session is invalid
Subject subject = new Subject();
subject.getPrivateCredentials().add(ssoToken);
cred.set(subject);   // cred: a holder defined elsewhere in the application (not shown)

Is this before or after the call to the STS?

Thanks!

Jiandong

I looked at examples that describe how to use Metro with OpenSSO STS for
security:

https://metro.dev.java.net/guide/Example_Applications.html#gfrls

The examples do not cover how to pass the identity of the web application user
into the SAML token.

Do you have an example of a Java callback handler I can use to set the right
subject for the call to the STS?

Thank you,

Igor

_____

From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 1:45 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Igor Mameshin wrote:

I have resolved the keystore problem - upgraded to the latest build of Metro
2.0.

I have defined "SAML Sender Vouches with Certificates" that points to
keystore.jks with the X509 v1 certificate for the Sun STS.

Is this the certificate the STS used to sign the SAML assertion?

I may need to create a
new X509 v3 certificate to make this work.

But first, I am getting the following error.

This new error does not seem to be related to the keystore or certificates.

javax.xml.ws.WebServiceException: java.lang.ClassCastException:
com.sun.xml.ws.message.saaj.SAAJHeader cannot be cast to
com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:243)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at $Proxy201.getRecordById(Unknown Source)
at com.sun.gte.sfsd.service.TestsResource.get(TestsResource.java:92)

Is there a classpath conflict?

My project includes the following APIs:
javac.classpath=\
${libs.restapi.classpath}:\
${libs.restlib.classpath}:\
${file.reference.opensso-sharedlib.jar}:\
${file.reference.openssoclientsdk.jar}

Can it be that there are some classes in the OpenSSO SDK that cause a conflict?

Please note that the SOAP message already contains WS-Security headers,

You should let Metro create the Security header for the request
message. Use a callback handler
to set the SAML assertion obtained from the OpenSSO STS.

Thanks!

Jiandong

I want JAXWS to simply pass it through on the client.

Thank you,
Igor

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 12:46 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Igor Mameshin wrote:

Hi everyone,

I have a question about configuring Metro with the OpenSSO STS. In our POC we
use Metro to implement the provider-side Web service security. The
client-side is already implemented with the OpenSSO SDK. The web application is
using the SSO token (and STS certificate) to request a SAML token from the STS and to
secure the SOAP request.

I am trying to configure the Metro policy for a JAX-WS service, deployed on
GlassFish ESB 2.1. Based on recent messages on this message group, I
upgraded to the latest Metro 2.0 build (Sep 17 nightly build). Still, I
can't get past the keystore configuration.

Can you please answer two questions.

1) My service needs to authenticate and authorize requests that contain a
SAML2 SV token generated by the OpenSSO STS. What Metro profile should I use?
"SAML Sender Vouches with Certificates" or "STS Issued Token"?

SAML Sender Vouches with Certificates. Then you need to get the SAML
assertion in a callback handler.

2) How to configure the keystore locations? I first tried pointing to a
non-default keystore. I am also trying to use the default keystore (as in the
NetBeans development defaults checkbox), and still getting the same error.

Please see the attached wsit config file; the error message is at the end of
this email.

Thank you,
Igor

Could not locate KeyStore, check keystore assertion in WSIT configuration
WSS0216: An Error occurred using Callback Handler for : SignatureKeyCallback.DefaultPrivKeyCertRequest
WSS0217: An Error occurred using Callback Handler handle() Method.
com.sun.xml.wss.impl.XWSSecurityRuntimeException: Could not locate KeyStore, check keystore assertion in WSIT configuration
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getKeyStore(DefaultCallbackHandler.java:2250)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1380)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:545)
at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getDefaultPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:229)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:212)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)

------------------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

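Added example, not code from this thread, from Metro or from OpenSSO: a callback handler of the kind Jiandong asks for above (a SAML callback handler plugged into the client through wsit-client.xml), written for the plan Igor describes (the web tier gets the assertion from OpenSSO, here via TrustAuthorityClient, and Metro builds the Security header). It also illustrates why the SAAJHeader/SecurityHeader ClassCastException goes away: the application no longer writes a WS-Security header itself, it only hands Metro the assertion. The class name OpenSsoSamlCallbackHandler and the AssertionHolder hand-off are my assumptions; how the web tier obtains the assertion string from OpenSSO is left to the caller and is not shown.

```java
package common;

import java.io.IOException;
import java.io.StringReader;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import com.sun.xml.wss.impl.callback.SAMLCallback;

/**
 * Supplies Metro with the SAML 2.0 assertion the web tier already obtained from
 * the OpenSSO STS, so that Metro's security tube (not application code) builds
 * the WS-Security header for the sender-vouches profile.
 */
public class OpenSsoSamlCallbackHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof SAMLCallback)) {
                throw new UnsupportedCallbackException(cb, "only SAMLCallback is supported");
            }
            SAMLCallback saml = (SAMLCallback) cb;
            // The policy is "SAML Sender Vouches with Certificates"; refuse anything else
            // rather than silently hand out the assertion under another confirmation method.
            if (!SAMLCallback.SV_ASSERTION_TYPE.equals(saml.getConfirmationMethod())) {
                throw new UnsupportedCallbackException(cb,
                        "configured for sender-vouches, got " + saml.getConfirmationMethod());
            }
            String assertionXml = AssertionHolder.get();
            if (assertionXml == null) {
                throw new IOException("no SAML assertion for this request; "
                        + "the web tier must call AssertionHolder.set first");
            }
            try {
                saml.setSAMLVersion(SAMLCallback.SAML20_ASSERTION_TYPE);
                saml.setAssertionElement(parseAssertion(assertionXml));
            } catch (Exception e) {
                throw new IOException("cannot parse SAML assertion: " + e.getMessage());
            }
        }
    }

    /** Parses the assertion with DTDs disabled; the STS response is untrusted input until its signature is verified. */
    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required, or the XML-DSig reference inside the assertion will not verify
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    /**
     * Per-request hand-off from the web tier (hypothetical name, my assumption).
     * The servlet obtains the assertion for the logged-in user from OpenSSO,
     * stores it here, invokes the Metro port on the same thread, and clears it
     * in a finally block so it cannot leak into the next request on this thread.
     */
    public static final class AssertionHolder {
        private static final ThreadLocal<String> CURRENT = new ThreadLocal<String>();
        public static void set(String assertionXml) { CURRENT.set(assertionXml); }
        public static String get() { return CURRENT.get(); }
        public static void clear() { CURRENT.remove(); }
    }
}
```

Register it in wsit-client.xml the same way the sample does at the lines Jiandong cites, that is with an sc:CallbackHandler element named samlHandler whose classname is common.OpenSsoSamlCallbackHandler inside sc:CallbackHandlerConfiguration. The handler only transports the assertion; trust in it comes from the service side, which has to verify the assertion's signature against the STS certificate it holds (the "test" entry Igor mentions) and check the sender-vouches signature over the message body, and an unsigned or foreign assertion must be rejected there regardless of what the client supplied.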

Jiandong Guo

Great! You don't need to use the handler anymore. It is in conflict with
the Metro security tube.

Thanks!

Jiandong

Igor Mameshin wrote:
>
> OpenSSO folks pointed me to the TrustAuthorityClient API, which can be used
> to obtain a SAML assertion from the OpenSSO STS based on the user's
> Single Sign-On token. I will go ahead and try to implement Metro's
> SamlCallbackHandler with it. Will keep you updated on the
> progress.
>
>
>
> Thank you,
>
> Igor

Jiandong Guo

Igor Mameshin wrote:
> Hi everyone,
>
> I have a question about configuring Metro with the OpenSSO STS. In our POC we
> use Metro to implement the provider-side Web service security. The
> client-side is already implemented with the OpenSSO SDK. The web application is
> using the SSO token (and STS certificate) to request a SAML token from the STS and to
> secure the SOAP request.
>
> I am trying to configure Metro policy for JAXWS service, deployed on
> GlassFishESB 2.1. Based on recent messages on this message group, I
> upgraded to the latest Metro 2.0 build (Sep17 nightly build). Still, I
> can't get past the keystore configuration.
>
> Can you please answer two questions.
>
> 1) My service needs to authenticate and authorize requests that contain
> SAML2 SV token generated by Open SSO STS. What Metro profile should I use?
> "SAML Sender Vouches with Certificates" or "STS Issued Token"?
>
SAML Sender Vouches with Certificates. Then you need to get the SAML
assertion in a callback handler.
> 2) How to configure the keystore locations? I first tried pointing to a
> non-default keystore. I am also trying to use the default keystore (as in
> Netbeans development defaults checkbox), and still getting the same error.
>
> Please see attached wsit config file, and the error message is at the end of
> this email.
>
> Thank you,
> Igor

Igor Mameshin

I have resolved the keystore problem - upgraded to the latest build of Metro
2.0.

I have defined "SAML Sender Vouches with Certificates" that points to
keystore.jks with the X509 v1 certificate for the Sun STS. I may need to create a
new X509 v3 certificate to make this work.

But first, I am getting the following error.

This new error does not seem to be related to the keystore or certificates.

javax.xml.ws.WebServiceException: java.lang.ClassCastException:
com.sun.xml.ws.message.saaj.SAAJHeader cannot be cast to
com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:243)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at $Proxy201.getRecordById(Unknown Source)
at com.sun.gte.sfsd.service.TestsResource.get(TestsResource.java:92)

Is there a classpath conflict?

My project includes the following APIs:
javac.classpath=\
${libs.restapi.classpath}:\
${libs.restlib.classpath}:\
${file.reference.opensso-sharedlib.jar}:\
${file.reference.openssoclientsdk.jar}

Can it be that there are some classes in the OpenSSO SDK that cause a conflict?

Please note that the SOAP message already contains WS-Security headers, I
want JAXWS to simply pass it through on the client.

Thank you,
Igor


Jiandong Guo

Igor Mameshin wrote:
> I have resolved the keystore problem - upgraded to the latest build of Metro
> 2.0.
>
> I have defined "SAML Sender Vouches with Certificates" that points to
> keystore.jks with the X509 v1 certificate for the Sun STS.
Is this the certificate the STS used to sign the SAML assertion?
> I may need to create a
> new X509 v3 certificate to make this work.
>
> But first, I am getting the following error.
>
> This new error does not seem to be related to the keystore or certificates.
>
> javax.xml.ws.WebServiceException: java.lang.ClassCastException:
> com.sun.xml.ws.message.saaj.SAAJHeader cannot be cast to
> com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader
> at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:243)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
> at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
> at com.sun.xml.ws.client.Stub.process(Stub.java:319)
> at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
> at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
> at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
> at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
> at $Proxy201.getRecordById(Unknown Source)
> at com.sun.gte.sfsd.service.TestsResource.get(TestsResource.java:92)
>
>
> Is there a classpath conflict?
>
> My project includes the following APIs:
> javac.classpath=\
> ${libs.restapi.classpath}:\
> ${libs.restlib.classpath}:\
> ${file.reference.opensso-sharedlib.jar}:\
> ${file.reference.openssoclientsdk.jar}
>
> Can it be that there are some classes in Open SSO SDK that cause a conflict?
>
>
> Please note that the SOAP message already contains WS-Security headers,
You should let Metro create the Security header for the request
message. Use a callback handler
to set the SAML assertion obtained from the OpenSSO STS.

Thanks!

Jiandong
> I want JAXWS to simply pass it through on the client.
>
> Thank you,
> Igor
>
>
> -----Original Message-----
> From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
> Sent: Thursday, September 17, 2009 12:46 PM
> To: users@metro.dev.java.net
> Subject: Re: Keystore error for STS security profile
>
> Igor Mameshin wrote:
>
>> Hi everyone,
>>
>> I have a question about configuring Metro with Open SSO STS. In our POC
>>
> we
>
>> use Metro to implement the provider-side Web service security. The
>> client-side is already implemented with Open SSO SDK. Web application is
>> using SSO token (and STS certificate) to request SAML token from STS and
>>
> to
>
>> secure SOAP requst.
>>
>> I am trying to configure Metro policy for JAXWS service, deployed on
>> GlassFishESB 2.1. Based on recent messages on this message group, I
>> upgraded to the latest Metro 2.0 build (Sep17 nightly build). Still, I
>> can't get past the keystore configuration.
>>
>> Can you please answer two questions.
>>
>> 1) My service needs to authenticate and authorize requests that contain
>> SAML2 SV token generated by Open SSO STS. What Metro profile should I
>>
> use?
>
>> "SAML Sender Vouches with Certificates" or "STS Issued Token"?
>>
>>
> SAML Sender Vouches with Certificates. Then you need to get the SAML
> assertion in a callback handler.
>
>> 2) How to configure the keystore locations? I first tried pointing to a
>> non-default keystore. I am also trying to use the default keystore (as in
>> Netbeans development defaults checkbox), and still getting the same error.
>>
>> Please see attached wsit config file, and the error message is at the end
>>
> of
>
>> this email.
>>
>> Thank you,
>> Igor
>>
>>
>>
>> Could not locate KeyStore, check keystore assertion in WSIT configuration
>> WSS0216: An Error occurred using Callback Handler for :
>> SignatureKeyCallback.DefaultPrivKeyCertRequest
>> WSS0217: An Error occurred using Callback Handler handle() Method.
>> com.sun.xml.wss.impl.XWSSecurityRuntimeException: Could not locate KeyStore,
>> check keystore assertion in WSIT configuration
>>   at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getKeyStore(DefaultCallbackHandler.java:2250)
>>   at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1380)
>>   at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:545)
>>   at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getDefaultPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:229)
>>   at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:212)
>>   at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
>>   at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
>>   at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
>>   at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
>>   at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
>>   at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
>>   at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
>>   at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
>>   at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
>>   at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
>>
>> ------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
>> For additional commands, e-mail: users-help@metro.dev.java.net

Igor Mameshin

Hi Jiandong,

Yes, in my case keystore.jks contains certificate "test" which was used by
STS to sign the SAML assertion.

> You should let Metro create the Security header for the request
> message. Use a callback handler
> to set the SAML assertion obtained from the OpenSSO STS.

I will try to use Metro to create security headers.

My challenge is how to create a SAML subject and attribute statements that
are derived from Open SSO SSO token. You can take a look at the attached
SOAP message that contains SAML subject.

<saml:NameID NameQualifier="http://example.com">id=bankUser,ou=user,dc=opensso,dc=java,dc=net</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>

I used OpenSSO SDK to get the subject:

import javax.security.auth.Subject;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

// OpenSSO client SDK: read the user's SSO token from the incoming HTTP request
SSOTokenManager manager = SSOTokenManager.getInstance();
SSOToken ssoToken = manager.createSSOToken(httpRequest);

// Wrap the token as a private credential of a JAAS Subject
Subject subject = new Subject();
subject.getPrivateCredentials().add(ssoToken);

// cred is assumed to be a ThreadLocal<Subject> that the SOAP handler reads later
cred.set(subject);

I looked at examples that describe how to use Metro with OpenSSO STS for
security:

https://metro.dev.java.net/guide/Example_Applications.html#gfrls

The examples do not cover how to pass identity of the web application user
into SAML token.

Do you have an example of Java callback handler I can use to set the right
subject for the call to STS?

Thank you,

Igor

_____

From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 1:45 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Jiandong Guo

I need to understand more about the process:

Igor Mameshin wrote:
>
> Hi Jiandong,
>
>
>
> Yes, in my case keystore.jks contains certificate "test" which was used
> by STS to sign the SAML assertion.
>
>
>
> > You should let Metro create the Security header for the
> > request message. Use a callback handler
> > to set the SAML assertion obtained from the OpenSSO STS.
>
>
>
> I will try to use Metro to create security headers.
>
> My challenge is how to create a SAML subject and attribute statements
> that are derived from Open SSO SSO token. You can take a look at the
> attached SOAP message that contains SAML subject.
>
Who created the attached message? With the OpenSSO client?
Then how do you send it to the service? With a JAX-WS Dispatch client?

>
>
>
>
> <saml:NameID NameQualifier="http://example.com">id=bankUser,ou=user,dc=opensso,dc=java,dc=net</saml:NameID>
>
> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>

>
>
>
> I used OpenSSO SDK to get the subject:
>
> SSOTokenManager manager = SSOTokenManager.getInstance();
>
> SSOToken ssoToken = manager.createSSOToken(httpRequest);
>
> Subject subject = new Subject();
>
> subject.getPrivateCredentials().add(ssoToken);
>
> cred.set(subject);
>
Is this before or after the call to the STS?

Thanks!

Jiandong

Jiandong Guo

Basically, using the OpenSSO SDK to call the STS, you should be able to
get the SAML assertion returned from the STS.

Then, using a Metro-based client to call the service, you need to supply
a SAML callback handler as illustrated by this sample:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/propagate/s...

Here is how you plug in the call back handler to the client:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/propagate/s...,
lines 55-57.

Thanks!

Jiandong

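
As an added illustration of the callback-handler approach Jiandong describes (example code written for this page, not the Metro sample and not OpenSSO's code): a client-side CallbackHandler for the "SAML Sender Vouches with Certificates" profile. Metro invokes it with a SAMLCallback whenever the outbound policy requires a SAML token; the handler returns the STS-issued assertion as a DOM Element and Metro builds and signs the wsse:Security header itself. That is the point of Jiandong's advice: with Metro producing the header there are no OpenSSO-inserted WS-Security headers left on the SOAPMessage, which the thread identifies as incompatible with the Metro security tube. The SAMLCallback class and its SV_ASSERTION_TYPE constant are Metro's (package com.sun.xml.wss.impl.callback), as used by the sample linked above; the common package name, the ASSERTION_XML thread-local and the way the assertion text reaches the handler are assumptions made for this example, because Metro instantiates the handler by class name with a no-argument constructor.

```java
package common;  // package name assumed; must match the classname in wsit-client.xml

import java.io.IOException;
import java.io.StringReader;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Element;
import org.xml.sax.InputSource;

import com.sun.xml.wss.impl.callback.SAMLCallback;

/**
 * Client-side SAML callback handler for "SAML Sender Vouches with Certificates".
 * Registered in the client's policy in wsit-client.xml (placement assumed; the
 * sc: namespace is Metro's client-side security configuration namespace and
 * wspp: is declared as elsewhere in the same file):
 *
 *   <sc:CallbackHandlerConfiguration wspp:visibility="private"
 *       xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
 *     <sc:CallbackHandler name="samlHandler"
 *         classname="common.SamlCallbackHandler"/>
 *   </sc:CallbackHandlerConfiguration>
 *
 * Metro creates the handler reflectively, so the assertion obtained from the
 * STS for the current user is passed in through a thread-local that the web
 * application sets before invoking the port (the same pattern as the
 * ThreadLocal Subject used earlier in this thread). Assumed wiring.
 */
public class SamlCallbackHandler implements CallbackHandler {

    /** Raw XML of the STS-issued assertion for the current request. */
    public static final ThreadLocal<String> ASSERTION_XML = new ThreadLocal<String>();

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof SAMLCallback)) {
                // Key and password callbacks are served by the keystore
                // configuration in wsit-client.xml, not by this handler.
                throw new UnsupportedCallbackException(cb, "only SAMLCallback is handled");
            }
            SAMLCallback saml = (SAMLCallback) cb;

            // The policy fixes the confirmation method. This client only vouches
            // for the subject; refuse holder-of-key rather than hand out an
            // assertion whose proof key this client does not own.
            if (!SAMLCallback.SV_ASSERTION_TYPE.equals(saml.getConfirmationMethod())) {
                throw new UnsupportedCallbackException(cb,
                        "confirmation method " + saml.getConfirmationMethod() + " not supported");
            }

            String xml = ASSERTION_XML.get();
            if (xml == null) {
                // Fail closed: never let a request go out without the STS step.
                throw new IOException("no STS assertion available for this thread");
            }
            saml.setAssertionElement(parseAssertion(xml));
        }
    }

    /** Parses the assertion text into a namespace-aware DOM element and checks its type. */
    static Element parseAssertion(String xml) throws IOException {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);   // Metro resolves saml: elements by namespace URI
            // The STS response is input to an XML parser: no DTDs, no entity expansion.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setExpandEntityReferences(false);
            DocumentBuilder b = f.newDocumentBuilder();
            Element root = b.parse(new InputSource(new StringReader(xml))).getDocumentElement();
            // Only a SAML 2.0 Assertion root is acceptable for a SAML2 SV token.
            if (!SAML2_NS.equals(root.getNamespaceURI()) || !"Assertion".equals(root.getLocalName())) {
                throw new IOException("STS response is not a SAML 2.0 Assertion: {"
                        + root.getNamespaceURI() + "}" + root.getLocalName());
            }
            return root;
        } catch (IOException e) {
            throw e;
        } catch (Exception e) {
            throw new IOException("cannot parse SAML assertion", e);
        }
    }
}
```

Two checks belong with this. First, sender-vouches does not make the assertion self-authenticating: the service trusts it because the STS signed it and because the client signed the message with its own certificate (the "with Certificates" part of the profile), so the client keystore must hold the client's signing key and the service side must be able to validate the STS signature, which is why Jiandong asks whether the certificate in keystore.jks is the one the STS used to sign the assertion. Second, the handler above deliberately does not build the assertion itself; the subject and attribute statements come from the STS, which is the open question in Igor's post, and the handler only carries them to Metro.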

Igor Mameshin

Hi Jiandong,

You guessed right, the attached message was created with the OpenSSO SDK. Here
is the code which is currently executed in the JAX-WS SOAP handler on the client:

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.soap.SOAPMessage;
import com.sun.identity.wss.security.handler.SOAPRequestHandler;

// OpenSSO web service client handler, configured from the "wsc" agent profile
SOAPRequestHandler handler = new SOAPRequestHandler();
Map map = new HashMap();
map.put("providername", "wsc");
handler.init(map);

// Subject carrying the SSOToken, stored in the ThreadLocal cred earlier
Subject subject = (Subject) cred.get();

// Inserts the WS-Security headers defined by the agent profile into msg
SOAPMessage secureMsg = handler.secureRequest(msg, subject, new HashMap());

The above code secures the entire SOAPMessage by inserting WS-Security
headers as defined in agent profile "wsc".

There is no API in the OpenSSO client SDK to get just a SAML token (but I can
double-check with OpenSSO experts). That would be the best approach, since I
can use the SamlCallbackHandler example you provided.

Currently, it looks like those WS-Security headers that are inserted by Open
SSO SDK are not compatible with the rest of Metro.

I did not use Dispatch code for the JAX-WS client. I will try to use Dispatch
code to see if it helps.

Thanks for your advice,

Igor

_____

From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 3:25 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Basically, with the OpenSSO SDK to call the STS, you should be able to
get the SAML assertion returned from the STS.

The using an Metro based client to call the service. You need to supply
an SAML call back handler as illustrated by this sample:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/propagate/s...
ommon/SamlCallbackHandler.java?r=1.1

Here is how you plug in the call back handler to the client:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/propagate/s...
s/etc/service/client/wsit-client.xml?r=1.1, line 55-57.

Thanks!

Jiandong

Jiandong Guo wrote:

I need to understand more about the process:

Igor Mameshin wrote:

Hi Jiandong,

Yes, in my case keysore.jks contains certificate "test" which was used by
STS to sign the SAML assertion.

> You should let the Metro to create the Security header fro the request
message. Use a callback handler
> to set the SAML assertion obtained from the OpenSSO STS.

I will try to use Metro to create security headers.

My challenge is how to create a SAML subject and attribute statements that
are derived from Open SSO SSO token. You can take a look at the attached
SOAP message that contains SAML subject.

Who created the attached message? with OpenSSO client?
Then how do you send it to the service? With an JAX-WS dispatch client?


"http://example.com">id=bankUser,ou=user,dc=opensso,dc=java,dc=net meID>

Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>

I used OpenSSO SDK to get the subject:

SSOTokenManager manager = SSOTokenManager.getInstance();

SSOToken ssoToken = manager.createSSOToken(httpRequest);

Subject subject = new Subject();

subject.getPrivateCredentials().add(ssoToken);

cred.set(subject);

Is this before or after the call to the STS?

Thanks!

Jiandong

I looked at examples that describe how to use Metro with OpenSSO STS for
security:

https://metro.dev.java.net/guide/Example_Applications.html#gfrls

The examples do not cover how to pass identity of the web application user
into SAML token.

Do you have an example of Java callback handler I can use to set the right
subject for the call to STS?

Thank you,

Igor

_____

From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 1:45 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Igor Mameshin wrote:

I have resolved the keystore problem - upgraded to the latest build of Metro
2.0.

I have defined "SAML Sender Vouches with Certificates" that points to the
keystore.jks with X509 v1 certificate for Sun STS.

Is this the certificate STS used to sign the SAML assertion?

I may need to create a
new X509 v3 certificate to make this work.

But first, I am getting the following error.

This new error does not seem to be related to the keystore or certificates.

javax.xml.ws.WebServiceException: java.lang.ClassCastException:
com.sun.xml.ws.message.saaj.SAAJHeader cannot be cast to
com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:243)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at $Proxy201.getRecordById(Unknown Source)
at com.sun.gte.sfsd.service.TestsResource.get(TestsResource.java:92)

Is there a classpath conflict?

My project includes the following APIs:
javac.classpath=\
${libs.restapi.classpath}:\
${libs.restlib.classpath}:\
${file.reference.opensso-sharedlib.jar}:\
${file.reference.openssoclientsdk.jar}

Can it be that there are some classes in Open SSO SDK that cause a conflict?

Please note that the SOAP message already contains WS-Security headers,

You should let Metro create the Security header for the request
message. Use a callback handler
to set the SAML assertion obtained from the OpenSSO STS.

Thanks!

Jiandong

I
want JAXWS to simply pass it through on the client.

Thank you,
Igor

-----Original Message-----
From: Jiandong.Guo@Sun.COM [mailto:Jiandong.Guo@Sun.COM]
Sent: Thursday, September 17, 2009 12:46 PM
To: users@metro.dev.java.net
Subject: Re: Keystore error for STS security profile

Igor Mameshin wrote:

Hi everyone,

I have a question about configuring Metro with Open SSO STS. In our POC we
use Metro to implement the provider-side Web service security. The
client-side is already implemented with Open SSO SDK. Web application is
using SSO token (and STS certificate) to request SAML token from STS and to
secure SOAP request.

I am trying to configure Metro policy for JAXWS service, deployed on
GlassFishESB 2.1. Based on recent messages on this message group, I
upgraded to the latest Metro 2.0 build (Sep17 nightly build). Still, I
can't get past the keystore configuration.

Can you please answer two questions.

1) My service needs to authenticate and authorize requests that contain
SAML2 SV token generated by Open SSO STS. What Metro profile should I use?
"SAML Sender Vouches with Certificates" or "STS Issued Token"?

SAML Sender Vouches with Certificates. Then you need to get the SAML
assertion in a callback handler.

2) How to configure the keystore locations? I first tried pointing to a
non-default keystore. I am also trying to use the default keystore (as in
Netbeans development defaults checkbox), and still getting the same error.

Please see attached wsit config file, and the error message is at the end of
this email.

Thank you,
Igor

Could not locate KeyStore, check keystore assertion in WSIT configuration
WSS0216: An Error occurred using Callback Handler for :
SignatureKeyCallback.DefaultPrivKeyCertRequest
WSS0217: An Error occurred using Callback Handler handle() Method.
com.sun.xml.wss.impl.XWSSecurityRuntimeException: Could not locate KeyStore,
check keystore assertion in WSIT configuration
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getKeyStore(DefaultCallbackHandler.java:2250)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1380)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:545)
at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getDefaultPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:229)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:212)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

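Jiandong's advice in the quoted mail above is to let Metro build the WS-Security header itself and to hand it the SAML assertion through a callback handler registered in wsit-client.xml. The following is an added example of such a handler for the "SAML Sender Vouches with Certificates" profile; it is not code from this thread or from the Metro samples. It assumes the Metro API com.sun.xml.wss.impl.callback.SAMLCallback with SV_ASSERTION_TYPE, getConfirmationMethod() and setAssertionElement(Element); the AssertionSource interface and the StsSamlCallbackHandler class name are hypothetical, and the caller is expected to obtain the assertion XML from the OpenSSO STS (for example through the TrustAuthorityClient API mentioned earlier in the thread).

```java
// Added example (not from the thread or the Metro samples): a Metro SAML
// callback handler for the sender-vouches profile. Metro invokes it while
// securing the outbound request and builds the Security header itself.
import java.io.IOException;
import java.io.StringReader;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import com.sun.xml.wss.impl.callback.SAMLCallback; // assumed Metro API

public class StsSamlCallbackHandler implements CallbackHandler {

    /** Hypothetical source of the assertion text, e.g. a wrapper around the OpenSSO STS client. */
    public interface AssertionSource {
        String fetchAssertionXml() throws IOException;
    }

    private final AssertionSource source;

    public StsSamlCallbackHandler(AssertionSource source) {
        this.source = source;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof SAMLCallback)) {
                throw new UnsupportedCallbackException(cb, "Only SAMLCallback is handled here");
            }
            SAMLCallback saml = (SAMLCallback) cb;
            // Sender-vouches: the service trusts the signer of the message, so the
            // assertion is handed over as-is and Metro signs the message with the
            // client certificate configured in the keystore assertion.
            if (!SAMLCallback.SV_ASSERTION_TYPE.equals(saml.getConfirmationMethod())) {
                throw new UnsupportedCallbackException(cb, "Expected sender-vouches confirmation");
            }
            saml.setAssertionElement(parseAssertion(source.fetchAssertionXml()));
        }
    }

    /** Parses the assertion with DTD processing disabled, since the XML arrives over the network. */
    static Element parseAssertion(String xml) throws IOException {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setExpandEntityReferences(false);
            return f.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement();
        } catch (Exception e) {
            throw new IOException("Cannot parse SAML assertion", e);
        }
    }
}
```

The handler class is what the sc:CallbackHandler entry in wsit-client.xml (the lines Jiandong points at) names; Metro instantiates it, so the AssertionSource in this example would in practice be looked up from the handler rather than injected through the constructor. Because the handler is created per client proxy, per-user identity has to reach it through the assertion it fetches, not through handler state shared across requests.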

cbr600
Joined: 2009-05-13

Hi Kumar,

The error message is generated by the Metro web service client. I tested the STS with a .Net client with the same request, and the STS responded with a more meaningful error message.

I just wonder if there is a way for a Metro user to access the decrypted STS request (sent by the Metro client to the STS) and the decrypted STS response (sent by the STS (.NET) to the Metro client) at runtime?

I also have another question: we have a Java Metro web service which uses STS, and I have to extract the claims data from the security token on the server side. Would it be possible to access the STS response/request in the @WebMethod function (not by using a custom SAMLValidator) on the server side? (I am currently using a Singleton and a custom SAMLValidator to achieve this, but this means that my web service can only serve one request at a time :-()

Any help would be greatly appreciated.

Best regards,
Phillip

Message was edited by: cbr600

cbr600
Joined: 2009-05-13

Hi Igor,

We are trying to resolve different problems. I am afraid that this would be confusing for future readers. Would it be possible to create a new thread for your question?

Regards,
Phillip

kumarjayanti
Joined: 2003-12-10

Is that a FaultCode that your WebService is sending? Can you show us the full stack trace and also mention the version of Metro you are using.

There was code in the SAAJ API that was disallowing non-standard codes, but that has been relaxed as I remember.

Igor Mameshin

Hi everyone,

I have a question about configuring Metro with Open SSO STS. In our POC we
use Metro to implement the provider-side Web service security. The
client-side is already implemented with Open SSO SDK. Web application is
using SSO token (and STS certificate) to request SAML token from STS and to
secure SOAP request.

I am trying to configure Metro policy for JAXWS service, deployed on
GlassFishESB 2.1. Based on recent messages on this message group, I
upgraded to the latest Metro 2.0 build (Sep17 nightly build). Still, I
can't get past the keystore configuration.

Can you please answer two questions.

1) My service needs to authenticate and authorize requests that contain
SAML2 SV token generated by Open SSO STS. What Metro profile should I use?
"SAML Sender Vouches with Certificates" or "STS Issued Token"?

2) How to configure the keystore locations? I first tried pointing to a
non-default keystore. I am also trying to use the default keystore (as in
Netbeans development defaults checkbox), and still getting the same error.

Please see attached wsit config file, and the error message is at the end of
this email.

Thank you,
Igor

Could not locate KeyStore, check keystore assertion in WSIT configuration
WSS0216: An Error occurred using Callback Handler for :
SignatureKeyCallback.DefaultPrivKeyCertRequest
WSS0217: An Error occurred using Callback Handler handle() Method.
com.sun.xml.wss.impl.XWSSecurityRuntimeException: Could not locate KeyStore,
check keystore assertion in WSIT configuration
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getKeyStore(DefaultCallbackHandler.java:2250)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1380)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:545)
at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getDefaultPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:229)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:212)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)

[wsit-testsoapws.TestDataSOAPWS.xml]

suresh

This problem has been fixed recently, please use today's nightly build,
then you can overcome this exception!!
Thanks
suresh
Igor Mameshin wrote:
> Hi everyone,
>
> I have a question about configuring Metro with Open SSO STS. In our POC we
> use Metro to implement the provider-side Web service security. The
> client-side is already implemented with Open SSO SDK. Web application is
> using SSO token (and STS certificate) to request SAML token from STS and to
> secure SOAP request.
>
> I am trying to configure Metro policy for JAXWS service, deployed on
> GlassFishESB 2.1. Based on recent messages on this message group, I
> upgraded to the latest Metro 2.0 build (Sep17 nightly build). Still, I
> can't get past the keystore configuration.
>
> Can you please answer two questions.
>
> 1) My service needs to authenticate and authorize requests that contain
> SAML2 SV token generated by Open SSO STS. What Metro profile should I use?
> "SAML Sender Vouches with Certificates" or "STS Issued Token"?
>
> 2) How to configure the keystore locations? I first tried pointing to a
> non-default keystore. I am also trying to use the default keystore (as in
> Netbeans development defaults checkbox), and still getting the same error.
>
> Please see attached wsit config file, and the error message is at the end of
> this email.
>
> Thank you,
> Igor
>
>
>
> Could not locate KeyStore, check keystore assertion in WSIT configuration
> WSS0216: An Error occurred using Callback Handler for :
> SignatureKeyCallback.DefaultPrivKeyCertRequest
> WSS0217: An Error occurred using Callback Handler handle() Method.
> com.sun.xml.wss.impl.XWSSecurityRuntimeException: Could not locate KeyStore,
> check keystore assertion in WSIT configuration
> at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getKeyStore(DefaultCallbackHandler.java:2250)
> at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1380)
> at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:545)
> at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getDefaultPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:229)
> at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:212)
> at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
> at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
> at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
> at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
> at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
> at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
> at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
