57 Replies. Latest reply on Jun 9, 2010 10:51 AM by sguilhen
      • 15. Re: Classcast exception while executing WSTrustClientTest
        sguilhen

        Hi Jamere,

         

        I've updated the WSTrustClientTest sample in PicketLinkSecurityTokenService. It now uses the WSTrustClient API which simplifies the process of issuing and validating security tokens. Try to run this class and just use JDK6, without any kind of endorsed libraries and let me know how it goes.

        • 16. Re: Classcast exception while executing WSTrustClientTest
          morrowjl

          I'm soooo frustrated. This is my entire set up....what is WRONG!!!

           

          I am using eclipse and running the test as a junit. I imported the junit.jar and the log4j.jar into the build path. And I am using Jboss 5.1.0GA

           

           

          1. I placed the picketlink-sts-1.0.3.CR3.war in the D:\jboss-5.1.0.GA\server\default\deploy directory

          2. Start jboss from within eclipse and I see the

                    09:34:09,487 INFO  [DefaultEndpointRegistry] register: jboss.ws:context=picketlink-sts-1.0.3.CR3,endpoint=PicketLinkSTS
                    09:34:09,534 INFO  [TomcatDeployment] deploy, ctxPath=/picketlink-sts-1.0.3.CR3
                    09:34:09,971 INFO  [WSDLFilePublisher] WSDL published to: file:/D:/jboss-5.1.0.GA/server/default/data/wsdl/picketlink-sts-1.0.3.CR3.war/PicketLinkSTS.wsdl


          3. I go to the http://localhost:8080/jbossws/services and verify that the wsdl is able to be seen (included a pic of it)

          4. Created a new project for the client

          5. Created test package so everything would line up.

          6. Paste the client from http://community.jboss.org/wiki/PicketLinkSecurityTokenService.

          7. Add the external jars needed to remove the error. From the Download section: picketlink-build-jbas-1.0.3.CR3.zip

          8. Run the test as a junit

          9. This is what I had in the VM arguments until the fix yesterday: -Djava.endorsed.dirs=D:\jboss-5.1.0.GA\lib\endorsed....but now it's removed

           

          Errors

           

          java.lang.ClassCastException: com.sun.xml.internal.ws.util.xml.StAXSource cannot be cast to javax.xml.transform.dom.DOMSource
              at org.picketlink.identity.federation.core.wstrust.STSClient.issueToken(STSClient.java:156)
              at org.picketlink.identity.federation.core.wstrust.STSClient.issueToken(STSClient.java:131)
              at org.picketlink.identity.federation.api.wstrust.WSTrustClient.issueToken(WSTrustClient.java:81)
              at test.WSTrustClientTest.testSTS(WSTrustClientTest.java:65)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
              at java.lang.reflect.Method.invoke(Unknown Source)
              at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
              at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
              at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
              at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
              at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
              at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
              at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
              at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
              at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
              at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
              at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
              at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
              at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
              at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:46)
              at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
              at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
              at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
              at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
              at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)

          • 17. Re: Classcast exception while executing WSTrustClientTest
            sguilhen

            Jamere,

             

            your client application is probably using an older version of picketlink-fed.jar. Make sure you have the latest (CR3) version in your classpath as this version contains the fix for the ClassCastException.

             

            Stefan

            • 18. Re: Classcast exception while executing WSTrustClientTest
              morrowjl

              I got the fed jar from the picketlink-build-jbas-1.0.3.CR3.zip download. Isn't that all the latest?

               

              this is what my jbossWS is showing now...is this right??

               

              service2.JPG

               

              And if it is, any idea why I am not getting back the verification from running the test

              • 19. Re: Classcast exception while executing WSTrustClientTest
                morrowjl

                Want to personally thank you Stefan for everything. I have finally got this to work. There are a few things that need to be done if using eclipse and jdk6 using Junit to test the client

                 

                SETTING UP JBOSS SERVER IN ECLIPSE

                 

                In eclipse, right click in the package explorer and create a new server...I am using Jboss 5.1.0GA. Follow the instructions (this is assuming you have downloaded Jboss) and point it to the instance of JBOSS you have installed. Once Jboss is downloaded, go to the client directory and move jbossws-native-jaxrpc.jar, jbossws-native-jaxws.jar, jbossws-native-jaxws-ext.jar and jbossws-native-saaj.jar to <Jboss Home>\lib\endorsed folder.

                 

                1. Download picketlink-build-jbas-1.0.3.CR3.zip from the Jboss Picketlink Download Section (http://www.jboss.org/picketlink/downloads.html)

                 

                2. Secondly go download the picketlink-fed-1.0.3.CR3.jar from the repository(https://repository.jboss.org/nexus/content/groups/public/org/picketlink/picketlink-fed/1.0.3.CR3/) which will replace the picketlink-fed-1.0.3.CR2.jar in the zip file above

                 

                3. Go download the junit.jar (http://github.com/KentBeck/junit/downloads) - I'm using the 4.8.2

                 

                4. Go download the log4j jar (http://logging.apache.org/log4j/1.2/download.html) - I'm using log4j-1.2.16.jar

                 

                5. Create a new project named whatever you like and create a new package named test

                 

                6. Go get the recently updated PicketLinkTokenService client code (http://community.jboss.org/wiki/PicketLinkSecurityTokenService)

                 

                7. In eclipse, create a new class with the name of the client from step 5 and paste the code in.

                 

                8. Go over to the Package Explorer and right-click on the created project and go down to properties and within the properties go to the build path and import the external jars that were downloaded.  click ok

                 

                9. Also take the jars from the zip and make a copy of them in the <Jboss Home>\server\default\lib

                 

                9. In the client code you will need to add the import org.junit.* and above where the method testSTS() starts...place @Test - it should then gray out

                    And you need to switch the directory of

                 

                10. Now back in the package explorer, you can right click on the client class and select RUN AS and go to the configurations. Now here is where you need to make some changes. Go up to the Generic Server section where you should see your Jboss instance. click on it and go over to arguments. In the VM arguments box after the line that is already there add a space and put in -Djava.endorsed.dirs=<Jboss Home>\lib\endorsed

                 

                11. You should now be able to start jboss from eclipse and see that everything deploys and jboss starts.

                 

                12. Go back and now click on the client and select Run As Junit and you should see all green!!!!

                 

                 

                I have included the client code update if you are trying to do this.

                • 20. Re: Classcast exception while executing WSTrustClientTest
                  sguilhen

                  Hi Jamere,

                   

                  I'm glad to know you've gotten your application up and running. Out of curiosity, what was the problem that was leading to the ClassCastException you were experiencing before? I've checked out picketlink-build-jbas-1.0.3.CR3 and it has all the correct jars, including picketlink-fed-1.0.3.CR3.jar.

                   

                  I think I will create a quick start guide with your instructions. This might help other users in the community.

                   

                  Cheers,

                  Stefan

                  • 21. Re: Classcast exception while executing WSTrustClientTest
                    morrowjl

                    I think the one I checked out must have been an older copy...b/c mine had fed.CR2.

                     

                    Just downloaded the new copy and it is up to date. So no need to download both. The main zip should work just fine.

                    • 22. Re: Classcast exception while executing WSTrustClientTest
                      rashmirajappa

                      Stefan,

                       

                      I've updated WSTrustConstants as follows:

                       

                       

                         // WS-Trust request types.
                         public static final String ISSUE_REQUEST = BASE_NAMESPACE + "/Issue";
                         public static final String RENEW_REQUEST = BASE_NAMESPACE + "/Renew";
                         public static final String CANCEL_REQUEST = BASE_NAMESPACE + "/Cancel";
                         public static final String VALIDATE_REQUEST = BASE_NAMESPACE + "/Validate";
                        
                         // WS-Trust validation constants.
                         public static final String STATUS_TYPE = BASE_NAMESPACE + "/RSTR/Status";
                         public static final String STATUS_CODE_VALID = BASE_NAMESPACE + "/status/valid";
                         public static final String STATUS_CODE_INVALID = BASE_NAMESPACE + "/status/invalid";
                        
                         // WS-Trust key types.
                         public static final String KEY_TYPE_BEARER = BASE_NAMESPACE + "/Bearer";
                         public static final String KEY_TYPE_SYMMETRIC = BASE_NAMESPACE + "/SymmetricKey";
                         public static final String KEY_TYPE_PUBLIC = BASE_NAMESPACE + "/PublicKey";
                        
                         // WS-Trust binary secret types.
                         public static final String BS_TYPE_ASYMMETRIC = BASE_NAMESPACE + "/AsymmetricKey";
                         public static final String BS_TYPE_SYMMETRIC = BASE_NAMESPACE + "/SymmetricKey";
                         public static final String BS_TYPE_NONCE = BASE_NAMESPACE + "/Nonce";
                        
                         // WS-Trust computed key types.
                         public static final String CK_PSHA1 = BASE_NAMESPACE + "/CK/PSHA1";

                       

                      executed command mvn install on SVN folder picketlink-fed-pom

                       

                      deleted picketlink-fed-1.0.3.CR3 jar from the server and placed the newly built jar from the assembly

                       

                      But issue persists; getting the following exception:

                       

                      at java.lang.Thread.run(Thread.java:619)


                      Caused by: org.picketlink.identity.federation.core.wstrust.WSTrustException: Error parsing security token request
                              at org.picketlink.identity.federation.core.wstrust.WSTrustJAXBFactory.parseRequestSecurityToken(WSTrustJAXBFactory.java:152)
                              at org.picketlink.identity.federation.core.wstrust.PicketLinkSTS.invoke(PicketLinkSTS.java:79)
                              ... 43 more
                      Caused by: javax.xml.bind.UnmarshalException: unexpected element (uri:"http://docs.oasis-open.org/ws-sx/ws-trust/200512", local:"RequestSecurityToken"). Expected elements are <{http://www.w3.org/2005/08/addressing}Action>,<{http://schemas.xmlsoap.org/ws/2004/09/policy}All>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}AllowPostdating>,<{http://schemas.xmlsoap.org/ws/2004/09/policy}AppliesTo>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}AuthenticationType>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Authenticator>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}BinaryExchange>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}BinarySecret>,<{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}CancelTarget>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}CanonicalizationAlgorithm>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Challenge>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Claims>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}CombinedHash>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}ComputedKey>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}ComputedKeyAlgorithm>,<{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Created>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Delegatable>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DelegateTo>,<{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Embedded>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}EncryptWith>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Encryption>,<{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}EncryptionAlgorithm>,<{http://www.w3.org/2005/08/addressing}EndpointReference>,<{http://do

                       

                       

                      Can you pl provide a new patch release?

                       

                      regards,

                      Rashmi

                      • 23. Re: Classcast exception while executing WSTrustClientTest
                        sguilhen

                        Rashmi,

                         

                        just changing WSTrustConstants won't do the trick. The main problem here is that the ws-trust-1.3.xsd from OASIS declares the wrong namespace and we used this xsd to generate the JAXB classes with the xjc JDK tool. So the ObjectFactory that has been generated by xjc uses the wrong namespace as well.

                         

                        As a result, when we marshall a WS-Trust request using JAXB, the ObjectFactory creates elements with the wrong namespace and this is why these elements are still not recognized by WSTrustJAXBFactory.

                         

                        I have performed all required changes in my local workspace and I will just run the full build before committing everything. Once I do that I'll attach the fixed jar here.

                         

                        Stefan

                        • 24. Re: Classcast exception while executing WSTrustClientTest
                          anil.saldhana

                          Stefan, as we discovered from http://lists.oasis-open.org/archives/ws-sx-comment/200901/msg00001.html,  we need to remove the "/" at the end of the uri.  I guess you will change the model today.

                          • 25. Re: Classcast exception while executing WSTrustClientTest
                            sguilhen

                            Rashmi,

                             

                            As pointed out by Anil, the namespace used by the JAXB model and WSTrustConstants is indeed incorrect. I've fixed it and generated a new snapshot jar. I'm attaching this jar here in case you want to give it a try now instead of waiting for the CR4 release.

                             

                            Stefan
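The namespace mismatch described in the posts above, as an added example that is not part of the thread or of PicketLink's code: XML namespace URIs are compared character for character, so a trailing "/" makes `RequestSecurityToken` a different element name. The class name, the helper names and the sample request root are assumptions constructed for illustration; the two namespace strings are the ones shown in the UnmarshalException.

```java
import java.io.StringReader;
import java.util.Arrays;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class NamespaceNearMiss {
    // Namespace of the element on the wire, as reported by the UnmarshalException.
    static final String WIRE_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    // Namespace in the expected-elements list of the same exception (trailing slash).
    static final String MODEL_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";

    static String stripTrailingSlashes(String ns) {
        int end = ns.length();
        while (end > 0 && ns.charAt(end - 1) == '/') end--;
        return ns.substring(0, end);
    }

    /** Explains whether the root element matches one of the expected element names. */
    static String diagnose(Element root, List<QName> expected) {
        QName actual = new QName(root.getNamespaceURI(), root.getLocalName());
        if (expected.contains(actual)) return "match: " + actual;
        for (QName q : expected) {
            boolean sameLocal = q.getLocalPart().equals(actual.getLocalPart());
            boolean sameNsModuloSlash = stripTrailingSlashes(q.getNamespaceURI())
                    .equals(stripTrailingSlashes(actual.getNamespaceURI()));
            if (sameLocal && sameNsModuloSlash) {
                return "near miss: got " + actual + " but the model declares " + q;
            }
        }
        return "no match: " + actual;
    }

    static Element parseRoot(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this getNamespaceURI() returns null
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed request root; a real RequestSecurityToken carries child elements.
        Element root = parseRoot("<wst:RequestSecurityToken xmlns:wst=\"" + WIRE_NS + "\"/>");
        // Constructed stand-ins for the element names a JAXB model would declare.
        List<QName> generated = Arrays.asList(new QName(MODEL_NS, "RequestSecurityToken"),
                new QName(MODEL_NS, "Claims"));
        List<QName> corrected = Arrays.asList(new QName(WIRE_NS, "RequestSecurityToken"),
                new QName(WIRE_NS, "Claims"));
        System.out.println(diagnose(root, generated));
        System.out.println(diagnose(root, corrected));
    }
}
```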

                            • 26. Re: Classcast exception while executing WSTrustClientTest
                              rashmirajappa

                              Thank you Anil and Stefan.

                               

                              I'm now able to configure a custom TokenProvider and ClaimsProcessor to picketlink STS.

                               

                              I need your help on validation.

                              I tried executing the updated WSTrustClient from http://community.jboss.org/wiki/PicketLinkSecurityTokenService. Though I'm able to get the SAML assertion in the response, it is reporting the assertion status as invalid.

                               

                               

                               

                              Successfully issued a standard SAMLV2.0 Assertion!
                              <?xml version="1.0" encoding="UTF-8"?><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_3d54afec-38f3-4d32-969f-dc1931644c76" IssueInstant="2010-05-03T11:30:44.035Z" Version="2.0"><Issuer>PicketLinkSTS</Issuer><Subject><NameID NameQualifier="urn:picketlink:identity-federation">ANONYMOUS</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject><Conditions NotBefore="2010-05-03T11:30:44.035Z" NotOnOrAfter="2010-05-03T13:30:44.035Z"/><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#ID_3d54afec-38f3-4d32-969f-dc1931644c76"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>d9DxkD7uHP1khLd5s4ZdC20r5z4=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>HLQe68bxsHsuKMXKeESmbMNsq6issi0WFmoUST09vxSi3U5VrL0na07sq0vCDWMgU1Xz1Zm7Vvck
                              UImF026uNMtpNUKtUH0cK7mnqEVq1t5zphXU6bf8hffdf61k57uM3lvld+XAjf4KQ3C8yn+qCQai
                              KigzA+cdsTXlbGBi4Tc=</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
                              dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
                              lYGGtrP5VQv00dfNPbs=</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></Assertion>

                              Is assertion valid? false

                               

                               

                              I did some debugging and found boolean coreValidity = signature.validate(valContext);

                              coreValidity returns false.

                              Pl give me some pointers what could be causing this.

                               

                              And I have one more question. Not sure if this is already handled.

                              I have the WS-Trust header constructed with UserName

                               

                               

                               

                              <wsse:UsernameToken>
                                      <wsse:Username>admin</wsse:Username>
                                      <wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>admin</wsse:Password>
                              </wsse:UsernameToken>

                               

                              Does this translate in picketlink as the MessageContext attribute value for the following:

                               

                               

                              /**
                               * Constant that can be used by handlers to set the username in the SOAPMessageContext.
                               */
                              public static final String USERNAME_MSG_CONTEXT_PROPERTY = "org.picketlink.identity.federation.core.wstrust.handlers.username";

                              /**
                               * Constant that can be used by handlers to set the password in the SOAPMessageContext.
                               */
                              public static final String PASSWORD_MSG_CONTEXT_PROPERTY = "org.picketlink.identity.federation.core.wstrust.handlers.password";
                                

                               

                              Thanks a ton for all your help.

                               

                              regards,

                              Rashmi

                              • 27. Re: Classcast exception while executing WSTrustClientTest
                                anil.saldhana

                                Have you set up the keystore, keys etc properly?  Unless that is done correctly, signature validation will not work.  Imported the STS public key into your truststore?
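One way to narrow down a `coreValidity` of false, as an added example that is not part of the thread or of PicketLink's code: validate against a key you already trust, then ask the JDK XML Signature API which part failed. A key mismatch fails the SignatureValue check, while content changed after signing fails the Reference digest. The class name, the generated key pairs and the minimal assertion are assumptions constructed for illustration.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AssertionSignatureCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    /** Builds a constructed, minimal assertion and signs it (enveloped) with the given key. */
    static Document signedAssertion(KeyPair stsKey) throws Exception {
        String xml = "<Assertion xmlns=\"" + SAML_NS + "\" ID=\"ID_constructed\" Version=\"2.0\">"
                + "<Issuer>PicketLinkSTS</Issuer></Assertion>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("ID", true); // lets "#ID_constructed" be dereferenced

        // SHA-256 is used here; the assertion quoted in the thread uses SHA-1 algorithms.
        Reference ref = FAC.newReference("#ID_constructed",
                FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(
                        FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                        (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(stsKey.getPrivate(), assertion));
        return doc;
    }

    /** Validates against a key the caller already trusts and reports which part failed. */
    static String diagnose(Document doc, PublicKey trustedKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return "expected one Signature, found " + sigs.getLength();
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigs.item(0));
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "valid";
        StringBuilder out = new StringBuilder("invalid:");
        out.append(" signatureValue=").append(sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            out.append(" reference[").append(r.getURI()).append("]=").append(r.validate(ctx));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair stsKey = kpg.generateKeyPair();   // constructed stand-in for the STS key
        KeyPair otherKey = kpg.generateKeyPair(); // a key that did not sign the assertion
        Document doc = signedAssertion(stsKey);
        System.out.println("trusted STS key:  " + diagnose(doc, stsKey.getPublic()));
        System.out.println("unrelated key:    " + diagnose(doc, otherKey.getPublic()));
        doc.getElementsByTagNameNS(SAML_NS, "Issuer").item(0).setTextContent("changed");
        System.out.println("content modified: " + diagnose(doc, stsKey.getPublic()));
    }
}
```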

                                • 28. Re: Classcast exception while executing WSTrustClientTest
                                  morrowjl

                                  I am missing what we are doing now. I have been away out of town. What changes are we making? I am planning on using this for our services. Now I have a question.

                                   

                                  I see the changes being made but am unaware of the purpose.

                                   

                                  Also for me to create our tokens all I need to do is input the security information into the keystore and run it against the test. Now how do I get that into my service? After getting the saml response, do I place that into our soap header?

                                   

                                  I think we are trying to create a token and place it within our soap to send across. Is this possible??

                                   

                                  thanks everyone

                                  • 29. Re: Classcast exception while executing WSTrustClientTest
                                    rashmirajappa

                                    I think yes, I was able to view that the SAML Assertion was signed.

                                     

                                    I've used picketlink-sts.war from downloads. The configurations are not changed.

                                     

                                     

                                    regards,

                                    Rashmi