Replies: 21 - Last Post: Jun 11, 2009 4:29 AM by: kumarjayanti

Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 9, 2009 3:11 AM
Hi all,
I'm implementing an STS Service Consumer project (based on the SecureCalculator project) using jmacCallbackHandler. I use the UsernameAuthentication mechanism on the STS side, and an STS issued token on the service side. I use Metro 1.5 and GF v2.1.
I'm blocked by this error message: com.sun.xml.wss.impl.WssSoapFaultException: WSS1926: Key not set for EncryptedData (the complete stack trace is attached).
The error comes just after accepting the consumer, using a CertificateValidator on the service side.
All steps before this one look good (the consumer sends encrypted messages to the STS correctly ...).
I try to handle callbacks on the service side, but there's just a NameCallback that I can handle.
Thanks
jferrandi

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 9, 2009 5:13 AM, in response to: jferrandi
Can you enable message dumping to see what is happening (and send us the messages that got exchanged)?
<jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>
It appears the service received an EncryptedData with the KeyInfo not set. This seems to indicate a problem with the request message to the service.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 9, 2009 5:14 AM, in response to: kumarjayanti
Also show us the policies of the STS and the Service.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 9, 2009 5:31 AM, in response to: kumarjayanti
Here are the HTTP logs and the STS policies.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 9, 2009 5:33 AM, in response to: jferrandi
And the Service policies.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 9, 2009 12:02 PM, in response to: jferrandi
The issued SAML assertion has no Subject. Very likely something is wrong with your JmacCallbackHandler, where you don't set the username after authentication.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 1:31 AM, in response to: jdg6688
Hi jdg6688,
I don't understand what you mean:
> your JmacCallbackHandler where you don't set username
> after authentication.
My user is correctly authenticated. Why should I reset the username after this one is authenticated?
> The issued SAML assertion has no Subject.
True, and this is the problem. Nowhere do I set a subject field or anything else. I only set login/pwd with NameCallbackHandler and PasswordCallbackHandler in my jmacCallbackHandler on the client side.
I tried to put a samlHandler on each side, but it didn't intercept any callback.
Thx
Message was edited by: jferrandi

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 1:51 AM, in response to: jferrandi
So does the JSR 196 callback called CallerPrincipalCallback get called on your CallbackHandler? That is the one which establishes the subject.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 2:05 AM, in response to: kumarjayanti
> So does the JSR 196 callback called
> CallerPrincipalCallback get called on your
> CallbackHandler ?.
Yes it is.
The getName() method returns the correct login that was set, but the getSubject & getPrincipal methods seem to be null.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 2:26 AM, in response to: jferrandi
Can you do the following in your CBH:

    if (callbacks[i] instanceof CallerPrincipalCallback) {
        // Print the current call stack to show who passed this callback to the handler
        Exception e = new Exception();
        e.fillInStackTrace();
        e.printStackTrace();
    }

and send the trace to me. I am having trouble understanding the scenario, so that will help diagnose what is wrong. You may have hit some bug.
Message was edited by: kumarjayanti

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 2:44 AM, in response to: kumarjayanti
Attached here is the stack trace for the handle method of the jmacCallbackHandler on the server (STS) side.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 3:54 AM, in response to: jferrandi
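OK, so what do you do when the callback is a CallerPrincipalCallback?
You are actually supposed to set the caller principal into the Subject using some code like this:

    import java.security.AccessController;
    import java.security.Principal;
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;
    import javax.security.auth.message.callback.CallerPrincipalCallback;
    import javax.security.auth.x500.X500Principal;

    private void processCallerPrincipal(CallerPrincipalCallback cpCallback) {
        final Subject fs = cpCallback.getSubject();
        Principal principal = cpCallback.getPrincipal();

        // The callback may carry only a name; build a Principal from it in that case
        if (principal == null) {
            if (cpCallback.getName() != null) {
                principal = new X500Principal(cpCallback.getName()); // or some other Principal
            }
        }

        final Principal fprin = principal;
        // Modifying the Subject's principal set is a privileged operation
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            public java.lang.Object run() {
                fs.getPrincipals().add(fprin);
                //fs.getPublicCredentials().add(fdpc);
                return fs;
            }
        });
    }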

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 5:17 AM, in response to: kumarjayanti
Currently I don't do anything with this callback!
I'm going to look for some code about it, but I don't know exactly what I have to do: setting the subject, OK, but how...
I've tried with a custom STSAttributeProvider, but it can't work with a null Subject.
Thx for all

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 10, 2009 11:57 PM, in response to: jferrandi
Not sure if I understood the problem.
You need to set the principal in the Subject. Are you saying cpCallback.getSubject() returns NULL?
From the logs that you sent it appeared the subject was not null, because you printed Subject.isReadOnly as "false".

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 12:55 AM, in response to: kumarjayanti
> Not sure if i understood the problem.
>
> you need to set the principal in the Subject. Are you
> saying cpCallback.getSubject() returns NULL ?.
>
> From the logs that you sent it appeared the subject
> was not null, because you printed Subject.isReadOnly
> as "false".
OK, cpCallback.getSubject() is not null, but, for example, cpCallback.getSubject().getPrincipals() is null. I didn't test all cpCallback.getSubject() methods, but it looks like cpCallback.getSubject() is not null, and all its attributes are null (except primitive types).
Moreover, cpCallback.getPrincipal() is null.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 1:10 AM, in response to: jferrandi
Did you say cpCallback.getSubject().getPrincipals() is null, or is it an empty Set? It has to be an empty Set, because that is where you need to add the principals. If it is really null then it is a bug and I will have to scratch my head to see why it is null.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 1:27 AM, in response to: kumarjayanti
> Did you say :
> cpCallback.getSubject().getPrincipals() is Null or is
> it an Empty Set. It has to be an Empty set because
> that is where you need to add the principals. If it
> is really null then it is a Bug and i will have to
> scratch my head to see why it is null.
Oh, sorry for the mistake: cpCallback.getSubject().getPrincipals() is not null, it's just an empty set. You'll escape some headaches.
Now I don't know where I have to get the principals to add to the Subject.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 1:48 AM, in response to: jferrandi
I already mentioned this in the code above:

    principal = new X500Principal(cpCallback.getName()); // or some other Principal

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 2:04 AM, in response to: kumarjayanti
> I already mentioned this in the code above
>
> principal = new X500Principal(cpCallback.getName());
> //or some other Principal
This code produces this error: javax.xml.ws.soap.SOAPFaultException: java.lang.IllegalArgumentException: improperly specified input name: jeremy ...
It doesn't seem to be so trivial; I'm going to work on it.
Thx for all!

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 2:27 AM, in response to: jferrandi
You can create your own principal class and put it inside that.

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 3:02 AM, in response to: kumarjayanti
OK, finally this works!

Re: Key not set error using jmacCallback handler with Sts/Service/Consumer
Posted: Jun 11, 2009 4:29 AM, in response to: jferrandi
Wow. You are the first user that I know has used the jmacCallbackHandler.
BTW, when you are setting the subject please be aware of the following:
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/Subject.html#getPrincipals()
To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals"). To modify the public credential Set, the caller must have AuthPermission("modifyPublicCredentials"). To modify the private credential Set, the caller must have AuthPermission("modifyPrivateCredentials").
Usually application code will not have this permission. However, it is working because you are running with the VM security manager off. Once you switch ON the VM security manager, your application will need the above two permissions. You will have to add those permissions in the GlassFish server.policy file with a codebase pointing to the codebase of your deployed application in GlassFish.
Thanks.
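
Added example, not code posted by anyone in this thread: one way to write the "own principal class" suggested above and use it for a CallerPrincipalCallback, so that a plain login such as "jeremy" (which X500Principal rejects because it is not a distinguished name) can be added to the Subject. The class names CallerPrincipalSupport and LoginPrincipal are hypothetical.

```java
import java.io.Serializable;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.message.callback.CallerPrincipalCallback;

// Hypothetical helper; the names are invented for this example.
public final class CallerPrincipalSupport {

    /** Minimal Principal that accepts a plain login name. */
    public static final class LoginPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;

        public LoginPrincipal(String name) {
            if (name == null || name.length() == 0) {
                throw new IllegalArgumentException("login name must not be empty");
            }
            this.name = name;
        }
        public String getName() { return name; }
        // Subject stores principals in a Set, so equality must be value-based.
        @Override public boolean equals(Object o) {
            return o instanceof LoginPrincipal && name.equals(((LoginPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "LoginPrincipal[" + name + "]"; }
    }

    /** Call from CallbackHandler.handle() for a CallerPrincipalCallback. */
    public static void process(CallerPrincipalCallback cb) {
        final Subject subject = cb.getSubject();
        Principal p = cb.getPrincipal();
        if (p == null && cb.getName() != null) {
            p = new LoginPrincipal(cb.getName());
        }
        if (subject == null || p == null) {
            return; // no caller identity supplied; Set.add(null) would throw
        }
        final Principal callerPrincipal = p;
        // With the VM security manager on, this codebase needs
        // AuthPermission("modifyPrincipals") granted in server.policy.
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                subject.getPrincipals().add(callerPrincipal);
                return null;
            }
        });
    }
}
```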