I'm currently on the one day tutorial of the Eclipse Scout Framework, and I'm stuck at exactly this part. I don't think that my question is Tutorial-specific, which is why I'm asking my question here: Suddenly, when I try to open a menu in my scout localhost environment; I get an "access denied" message in my browser, and the java console gives back the following log:
2022-04-06 22:27:06,597 WARN [qtp1600667055-41] org.eclipse.scout.rt.server.commons.authentication.DevelopmentAccessController.handle(DevelopmentAccessController.java:66) -
+++ Development access control with user xxx.yyy - MDC[]
2022-04-06 22:27:06,875 INFO [qtp1600667055-33] org.eclipse.scout.rt.ui.html.csp.ContentSecurityPolicyReportHandler.log(ContentSecurityPolicyReportHandler.java:80) - CSP-REPORT: {
"csp-report": {
"blocked-uri": "inline",
"column-number": 797897,
"document-uri": "http:\/\/localhost:8082\/",
"line-number": 71,
"original-policy": "img-src 'self'; style-src 'self' 'unsafe-inline'; child-src *; default-src 'self'; report-uri http:\/\/localhost:8082\/csp-report; script-src 'self'",
"referrer": "",
"source-file": "moz-extension",
"violated-directive": "script-src"
}
} - MDC[principal=xxx.yyy,
httpUri=/csp-report,
cid=d3e5c2b5-19b8-4f62-b512-56bbd82eb685]
2022-04-06 22:27:07,
575 INFO [scout-model-thread-4 Starting ClientSession [sessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah]] org.eclipse.scout.rt.client.AbstractClientSession.start(AbstractClientSession.java:294) - Client session started [session=org.eclipse.scout.contacts.client.ClientSession#49956588[id = v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah], user=xxx.yyy] - MDC[principal=xxx.yyy, httpUri=/json, jobName=Starting ClientSession [sessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah], cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,575 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiSession.getOrCreateClientSession(UiSession.java:303) - Created new client session [clientSessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, userAgent=HTML|DESKTOP|FIREFOX|WINDOWS|Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0] - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,575 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiThemeHelper.getConfiguredTheme(UiThemeHelper.java:59) - UI theme configured in config.properties: default - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,591 INFO [scout-model-thread-10 Starting JsonClientSession] org.eclipse.scout.rt.ui.html.json.MainJsonObjectFactory.getFactories(MainJsonObjectFactory.java:36) - Using following object factories: [org.eclipse.scout.rt.ui.html.JsonObjectFactory#7646906d] - MDC[principal=xxx.yyy, httpUri=/json, scoutSession=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, jobName=Starting JsonClientSession, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,701 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiSession.init(UiSession.java:264) - UiSession with ID 1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4 initialized - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,717 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.json.JsonMessageRequestHandler.createUiSession(JsonMessageRequestHandler.java:362) - Created new UI session with ID 1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4 in 558.412900 ms [maxIdleTime=14400s, httpSession.maxInactiveInterval=3600s] - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:11,793 INFO [scout-model-thread-18 Processing JSON request] org.eclipse.scout.rt.platform.exception.ExceptionHandler.handlePlatformException(ExceptionHandler.java:125) - VetoException: Zugriff verweigert [severity=ERROR, user=xxx.yyy, remote-service.name=org.eclipse.scout.contacts.shared.person.IPersonService, remote-service.operation=prepareCreate, form=org.eclipse.scout.contacts.client.person.PersonForm, ui.event=action, ui.adapter=Menu[id=5, modelClass=org.eclipse.scout.contacts.client.Desktop$QuickAccessMenu$NewPersonMenu, parentId=4]] - MDC[principal=xxx.yyy, httpUri=/json, uiSession=1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4, scoutSession=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, jobName=Processing JSON request, cid=Bp3cD7ar8Gp/4]
To me it seems that there's a Content Security Policy issue somewhere, but no clue if that's the case, and if so how to fix that, even after researching the issue for quite some time now.
Help?
Are you running some kind of ad-blocker or privacy plugin in your browser? This would explain the reported CSP error. By default, the CSP rules block inline JavaScript code (e.g. <script>...</script>). Scout itself does not use inline code. It is therefore likely that a browser plugin has injected code into the page. The reported "source-file" ("moz-extension") also hints to that.
The access denied error is probably not caused by the CSP rules. According to the log file, the click was successfully dispatched to the corresponding Menu instance on the UI server. That code calls a backend service (IPersonService) over the service tunnel, which fails with an exception. There are a lot of things that could have gone wrong here:
Backend not running.
Backend running, but not in a valid state.
Auth keys of UI server and backend server don't match, so the service tunnel cannot be established securely. Check the values of the config properties scout.auth.privateKey and scout.auth.publicKey. If necessary, use the SecurityUtility to create a new pair.
User does not have the necessary permissions. For every call to the backend over the service tunnel, RemoteServiceAccessPermission is required. And for most services, a specific permission is required, e.g. ReadPersonPermission.
User doesn't exist.
To analyze these kinds of errors, first check the logs of both the UI server and the backend server. If this does not help, set some breakpoints and step through the code. Here are some classes that make a good starting point: ServerServletFilter, ServiceTunnelServlet, AccessControlService.
If your are running Java 17 version, then you need to update the private & public keys which can be found on config.properties file.
Related
In the Web Service (SOAP) Client call, i can see org.apache.axis.transport.http.HTTPTransport is taking almost 500 ms for each call. This is leading to the latency in all the transactions. Anyone has experienced the same issue and how was it resolved?
I'm using Axis 1.4 and Java8
2022-11-13 07:42:51,930 DEBUG ProjectResourceBundle:72 - org.apache.axis.i18n.resource::handleGetObject(transport00)
2022-11-13 07:42:51,930 DEBUG Call:2119 - Transport is org.apache.axis.transport.http.HTTPTransport#1d20e46
2022-11-13 07:42:52,429 DEBUG Call:2351 - Enter: Call::invoke(ns, meth, args)
2022-11-13 07:42:52,436 DEBUG Call:2043 - operation=name: addRequest
I tried using CommonsHTTPSender, but till facing this latency.
Currently I am supporting a production application which makes a rest call to an external site. This site is called with an url , let say foreignapi.com, and this host does not have a static api, it changes ,and the provider adds new IP every now and then. I would like to keep an inventory of these IP's . but unfortunately I cannot change the code , I have to achieve this goal using whatever the JVM brings, or configuration change like logging properties.
so far in my research I have found that I could enable HttpURLConnection debug logging, but unfortunately this is not outputting the ip.
handlers = java.util.logging.ConsoleHandler
java.util.logging.ConsoleHandler.level = FINEST
sun.net.www.protocol.http.HttpURLConnection.level = ALL
here is the output of the previous approach if I set the logging level to TRACE
2022-04-05 18:44:13.539 TRACE 43344 --- [ main] s.n.www.protocol.http.HttpURLConnection : ProxySelector Request for https://stackoverflow.com/
2022-04-05 18:44:13.540 TRACE 43344 --- [ main] s.n.www.protocol.http.HttpURLConnection : Looking for HttpClient for URL https://stackoverflow.com and proxy value of DIRECT
2022-04-05 18:44:13.540 TRACE 43344 --- [ main] s.n.www.protocol.http.HttpURLConnection : Creating new HttpsClient with url:https://stackoverflow.com and proxy:DIRECT with connect timeout:-1
2022-04-05 18:44:13.622 TRACE 43344 --- [ main] s.n.www.protocol.http.HttpURLConnection : Proxy used: DIRECT
2022-04-05 18:44:13.769 DEBUG 43344 --- [ main] s.n.www.protocol.http.HttpURLConnection : sun.net.www.MessageHeader#76c387f95 pairs: {GET / HTTP/1.1: null}{User-Agent: Java/17.0.2}{Host: stackoverflow.com}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
2022-04-05 18:44:13.906 DEBUG 43344 --- [ main] s.n.www.protocol.http.HttpURLConnection : sun.net.www.MessageHeader#1976f53720 pairs: {null: HTTP/1.1 200 OK}{Connection: keep-alive}{cache-control: private}{content-type: text/html; charset=utf-8}{strict-transport-security: max-age=15552000}{x-frame-options: SAMEORIGIN}{x-request-guid: e8e59f65-0ef0-453b-8021-34d74a4aa7a4}{feature-policy: microphone 'none'; speaker 'none'}{content-security-policy: upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com}{Accept-Ranges: bytes}{Date: Tue, 05 Apr 2022 23:44:14 GMT}{Via: 1.1 varnish}{X-Served-By: cache-sna10750-LGB}{X-Cache: MISS}{X-Cache-Hits: 0}{X-Timer: S1649202254.025882,VS0,VE75}{Vary: Fastly-SSL}{X-DNS-Prefetch-Control: off}{Set-Cookie: prov=222f077a-0b7b-25cc-fa73-ee9846242ae7; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly}{transfer-encoding: chunked}
I hope someone in the community could shed some light here, thank you.
I'm not sure about internal java httpclient logs, but Apache HttpClient definitely logs IPs / hostnames - but it seems you are not using that.
You could use an external program to capture the traffic though - tcpdump for example can capture such things naturally.
sudo tcpdump -v -nni any ip host foreignapi.com
There are other tools available to capture process network traffic like ngrep or DNS queries specifically (dnspeep, gethostlatency-bpfcc, etc.)
Using an external tool might not be the best solution if you need to run it continuously but in that case, I would question the inability to modify the code (since you obviously can change the logging configuration).
Few years back we have developed a client to consume a usi-ws v2, this webservice uses a STS service v2. It was working fine.
But, now soap-ws v2 is updated to usi-ws v3 which in turns uses STS service v3.
Key differences are
1) usi-ws v3 uses <sp:Basic256Sha256Rsa15/> as AlgorithmSuite policy which matches STS service v3's AlgorithmSuite policy.
2) usi-ws v3 uses STS service v3 instead of STS service v2
I can integrate the change by two different approaches
First Approach
I use apache-cxf wsdl2java on usi-ws v3 to generate the client code. Below is sample endpoint code
private static void SetupRequestContext(IUSIService endpoint, X509Certificate certificate, PrivateKey privateKey) {
Map<String, Object> requestContext = ((BindingProvider)endpoint).getRequestContext();
requestContext.put(XWSSConstants.CERTIFICATE_PROPERTY, certificate);
requestContext.put(XWSSConstants.PRIVATEKEY_PROPERTY, privateKey);
requestContext.put(STSIssuedTokenConfiguration.STS_ENDPOINT, "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put(STSIssuedTokenConfiguration.STS_NAMESPACE, "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
requestContext.put(STSIssuedTokenConfiguration.STS_WSDL_LOCATION, "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put(STSIssuedTokenConfiguration.STS_SERVICE_NAME, "SecurityTokenService");
requestContext.put(STSIssuedTokenConfiguration.LIFE_TIME, 30);
requestContext.put(STSIssuedTokenConfiguration.STS_PORT_NAME, "S007SecurityTokenServiceEndpoint");
requestContext.put(BindingProviderProperties.REQUEST_TIMEOUT, REQUEST_TIMEOUT);
requestContext.put(BindingProviderProperties.CONNECT_TIMEOUT, CONNECT_TIMEOUT);
}
After configuring the endpoint context, I try to createUSI
endpoint.createUSI(createUsiRequest);
It throws below error (logs)
... LOGS before are removed
[main] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - XML request is => <ns:requests xmlns:ns="http://auth.sbr.gov.au/AutoRenew"><request id="ABRD:TESTDeviceID" credentialType="D"><cmsB64>MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwGggCSABIIBqDCCAaQwggENAgEAMDoxFTATBgNVBAMMDFRlc3REZXZpY2UwMzEUMBIGA1UECgwLMTIzMDAwMDAwNTkxCzAJBgNVBAYTAkFVMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjFrK/biRUDUpRBEmJtV1XAM+sNP0NMwydRdv4NntG0x/JHZaOoJJpFrTXvB0gAIIHhHlhfkpLkSLQmz8iMYKnPgaqG+g/quSM6VYKQcCMr0UwS9b37NdzOhpf8n6JRWkTIFWznUz8WxiASCLuj5VmRiacHlrtJul/Gj89zbDJtwIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgYqJAGCTQEEDRYLMTIzMDAwMDAwNTkwDQYJKoZIhvcNAQEFBQADgYEAmUIkEDpCtZJbCZ04DfVxMgsjZfIEsF3yh+VWlCO/6jJcdcJKKjY0xbJDxzdh8xhbq2RzBKnP5th4p/yzBGN8Wafvr/2mQVNC9LG/3IGsawZLGMqUjeL0aIwDEmYBJWt0wm1ntKUF5DiuZJgcIgjFIfHWBq0WB2bU8SroO5O07coAAAAAAACggDCCBB0wggMFoAMCAQICAwQHvDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCQVUxJTAjBgNVBAoTHEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MS0wKwYDVQQDEyRUZXN0IEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIgQ0EwHhcNMTgxMTI4MDQyMDMwWhcNMjAwMzI5MDQyMDMwWjA6MQswCQYDVQQGEwJBVTEUMBIGA1UEChMLMTIzMDAwMDAwNTkxFTATBgNVBAMTDFRlc3REZXZpY2UwMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA866tnV+RQ5v09wEPTTeA8C679zsZhgWhc4RjqtwvB73ZN7+g9NjJ1KujZUxXB5RbBdLQQ9GFPBx1DYifjDIN2Z1vMObqhT/QqUwz0sy8y6xQh6ukJjlyr4r9CHCQOBuHCe8rB3DzirMZsAv+qjT8lCOfdK9lq++IlsglpYkSAO8CAwEAAaOCAWIwggFeMAwGA1UdEwEB/wQCMAAwgeQGA1UdIASB3DCB2TCB1gYJKiQBlzllAQgBMIHIMIGmBggrBgEFBQcCAjCBmRqBllVzZSB0aGlzIGNlcnRpZmljYXRlIG9ubHkgZm9yIHRoZSBwdXJwb3NlIHBlcm1pdHRlZCBpbiB0aGUgYXBwbGljYWJsZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuIExpbWl0ZWQgbGlhYmlsaXR5IGFwcGxpZXMgLSByZWZlciB0byB0aGUgQ2VydGlmaWNhdGUgUG9saWN5LjAdBggrBgEFBQcCARYRd3d3LnRlc3RhYnJjYS5jb20wFwYGKiQBgk0BBA0WCzEyMzAwMDAwMDU5MA4GA1UdDwEB/wQEAwIE8DAfBgNVHSMEGDAWgBSJfa5qeCJphOwHaVTGwPRjl+HPTjAdBgNVHQ4EFgQU17H18nWNxfR8MnD6gVtz8f91bu4wDQYJKoZIhvcNAQELBQADggEBADFiv5BD06bmEwkvr8cKF0MDET9+kUCPz2Kka5YuEfy8gIITz6ET2upJRLlt9BKOFpyrevCfEdoSd1Tbsz9czm6Vn/fDhQZ25HfKZgDLxQU8zqrMkc2rNyxXrJIWT1LNaVtNmUN5KMcHRjHXQcN6Qou5GkjsmPk/wuzcp0K7F2DI1pvjbr7r2TE1xiaO1l4sD+6JpPugqidPT+/41ADdmcbKwWH1p0HjPR1/XoIiR/qcQWL0TWBozZsiJq7Ad4xI2mm/8AS6wjGMkwckDH2wpROfiZkcfKavDOf2/wJaWG+RBCL2B2LNYAltG30LNwno4R/J7LfGauoOSPmkd3Tdc00wggXdMIIDxaADAgECAgECMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYDVQQGEwJBVTElMCMGA1UEChMcQXVzdHJhbGlhbiBCdXNpbmVzcyBSZWdpc3RlcjEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxMjAwBgNVBAMTKVRlc3QgQXVzdHJhbGlhbiBCdXNpbmVzcyBSZWdpc3RlciBSb290IENBMB4XDTEwMDMyMDAwMDAwMFoXDTIwMDMyMDAwMDAwMFowgYUxCzAJBgNVBAYTAkFVMSUwIwYDVQQKExxBdXN0cmFsaWFuIEJ1c2luZXfghfghfFDN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxGJ5qZfrXMMxOq24M8K13oLHegF1C0fN2j1q2RotpIIkGCGszJtpV8n/XAOM6pVm9jp5Pc4+v3No1mtdj/dVP1nMP9xxGuDrd/gJUddZnhRGQVeXto9pB03bioWLmsszoG8e2OvTf4AnBum0ukHRqTFuNJ1qQu4HXUjahxg66ArdMVVRDbS4fHO4hwoPAob5gyHFP5NoiJjBZTWcmmF3gC6AYIkx64NLZMxNFImGqJvc1G1zBxKU4a79fiz4kM779N/pzdAjafxu7vpaC/N5xjx6uI+sV8bAucLgiCuGCfQIPeoTwoSlQQn65WxFYAx3m3KfiTN+PzQQniViWRI5OQIDAQABo4IBTzCCAUswEgYDVR0TAQH/BAgwBgEB/wIBADCB5AYDVR0gBIHcMIHZMIHWBgkqJAGXOWUBAQEwgcgwgaYGCCsGAQUFBwICMIGZGoGWVXNlIHRoaXMgY2VydGlmaWNhdGUgb25seSBmb3IgdGhlIHB1cnBvc2UgcGVybWl0dGVkIGluIHRoZSBhcHBsaWNhYmxlIENlcnRpZmljYXRlIFBvbGljeS4gTGltaXRlZCBsaWFiaWxpdHkgYXBwbGllcyAtIHJlZmVyIHRvIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuMB0GCCsGAQUFBwIBFhF3d3cudGVzdGFicmNhLmNvbTAOBgNVHQ8BAf8EBAMCAcYwHwYDVR0jBBgwFoAUaoz51J3tdoVnf3kQz50VsOUivyIwHQYDVR0OBBYEFIl9rmp4ImmE7AdpVMbA9GOX4c9OMA0GCSqGSIb3DQEBCwUAA4ICAQCjCpFDZXLAuhgMZPMCl9goYzAPrReIal90oKEh1WrQn7iZrampLL00fL5EUlb9kiaVKo6MfYEot6T2Zu3GsIMMHnfKDBAAMYEUH7XDutwJChmm9eVX5p7sRSxON+Ldah7MDlF4kjPzDIa/QsUFuXyJZicGrMlQEu5qiMdXo+z4Dtq/R+O8pEuyzLv1tIcbufDk0V/ofz0VUuUEntwigsyputtes9OouikEvERzLLif+y4nOducyAaIXSVMFEqREafT6eC05k/A2K2RrTowMb1NKKybUjW89Wvbj2z/O5h1WP8s3U+A5sPtOEJYBU+zM1+lxz3NinRceIAKkyBjOPsX5Zh+ao4fAN3Vhyl3tIGlc3o+bWvOl7AUMGWv+gOAIexaAHYIaK7nX9qhZqkNqGOqBVtG9Hxr0WUXMLKMjMSpCUvYWZAb/ReCt5mISw6ZOxLPUxY/jBRE8MzoLNqAEH+dHiSVuyLy0y3dFiCUkKZ1yUJWy+mytmvS8FxLQ6Dl3CRxoQhms6dRNg5WIk7rtdHHNPwoWd2Ew3JdhDO4YiwtkVxcwzajhlNWlum5sUUJqSlajxlBdtE7mkuOvBcvqv7fyzuHStGwXDy0F0S9ZeSQB5Q45K23L3Z1v9CygiBocAUGdtBHxZGmikbymewqiX6gdQhqc9I0a2Y6bd6xUPMyuzCCBuMwggTLoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwgYoxCzAJBgNVBAYTAkFVMSUwIwYDVQQKExxBdXN0cmFsaWFuIEJ1c2ludferJlZ2lzdGVyMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEyMDAGA1UEAxMpVGVzdCBBdXN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyIFJvb3QgQ0EwHhcNMTAwMzIwMDAwMDAwWhcNMzAwMzIwMDAwMDAwWjCBijELMAkGA1UEBhMCQVUxJTAjBgNVBAoTHEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MTIwMAYDVQQDEylUZXN0IEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKViU48+OChS9P2MsQlroR+xTHQlut/q6R5r1yEzsXjBBSiy9HYOnuO31cCqoZWw87QGfS2A4ZfaoVMcj0Mu89+HKeuqBeYuGLr5oc1xU+fZDft/BbvN1BHLJsD7srmPivC4MDoKDvCHXX4ayHEDuCCKJ8ywguKT/kaFzzDTLcl0rL7ayB2XHdL7eWiBAwbB/YCe/3vUe+g1kDsEeY7OatU1l5VZkStomOr/vD1O+MlYMkn7LtmJ89NhL2ZwaHp1twYN7g7FpapOQTT9Uw1JlxkA1d2h6XU8VsXxqmriSV7kyJNLeUpKngZO8XmjbW4FIYLu6tHs1Pv0viUsfP9GLlI3IkbXOptyfToKPMH3bJXGvgYGzQWK2P3MsspRXfWpMajoFi/WN4EuApf/j0iRKC1tGk4UXfHfVHMSJlTbQUQt4UAyDHgLqGVgA7rpWJJHux1SUE0lYpxufMuDD7CQdELI2VTFjxjaDLzLuNgLqM9DP4fc3/4QxTiYQacUA0DwZYk6tLRgbGPUB6VTO699THa8OeoBlmR/zk5LWDDf3CLVRJxbm4ylBcor/PQ8DmqpFlrGubHkmZaEo/nm9GhCvhn97uEcZ+uHGal8xYfUe5/k4e7nDLYBK2lF7hQA5KLkWhDG+z8b0+RBHF7KvVN3LjapAHEF2V1a/Q1AgMBAAGjggFQMIIBTDASBgNVHRMBAf8ECDAGAQH/AgECMIHlBgNVHSAEgd0wgdowgdcGCCokAZc5ZQEBMIHKMIGmBggrBgEFBQcCAjCBmRqBllVzZSB0aGlzIGNlcnRpZmljYXRlIG9ubHkgZm9yIHRoZSBwdXJwb3NlIHBlcm1pdHRlZCBpbiB0bGljYWJsZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuIExpbWl0ZWQgbGlhYmlsaXR5IGFwcGxpZXMgLSByZWZlciB0byB0aGUgQ2VydGlmaWNhdGUgUG9saWN5LjAfBggrBgEFBQcCARYTd3d3LnRlc3RzYnJyb290LmNvbTAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFGqM+dSd7XaFZ395EM+dFbDlIr8iMB8GA1UdIwQYMBaAFGqM+dSd7XaFZ395EM+dFbDlIr8iMA0GCSqGSIb3DQEBCwUAA4ICAQAo6w3fIgwhYJXhA7RxyXTJvmtglTwIY9xUabR7GxvivITy07VSiCSti/pMaNFx5sl0C93kB1UrJzehuzG3usIQPVQBcOin8lP7DPlI0trIHF2KZyA7J2uU116fRV4imXYOyt1odj4nLJPnB7GEYmfA4LpTFoP1/kqAYpnbGvNqu6S+4QKhIhaMR88b/s5PEYMNYSVVxBFQGLs4RT6+xnMCxsohuaLB/YuPGrtr1gwptz+nObJPL4e/8TyzTXMbgeWfgl70c6OlSEO+VhHyJf5HONSAN4ioVZ+aHZMcwWf3PGMu6jmLi2e3SuXZImWzXNyHBwtdhGdA8jZj8RLqlkNm8qZioooVw9fmI+uB+04E5SVeMDvcPq8Afxrdkt9/nYiI9ijLmmW11k8zxhQdS6oU/6gEQpFfjaIcY5PeaOyO4K57ihO74T0CC9al1ZBx5Wvz/Mo731TrXJuLYuOPBaDFmc5puu33ZBV9uirQqH15Xy2J1gf0wZK0wa3FdibH8mEO9mkmJsw74SoHepBBLjD/ymSDhDJSpkmFsub9pX3RvVl0M9r8EsO6YSCSc9wD99eg24ESiM9iXeLhyAvJ/al99FOspGFUBFgxsIg24RCp/49e2M4w7mzHePCzcvhtR8xUefqm702HaSJm1Cl0X010Qo6AAAMYIBozCCAZ8CAQEwgY0wgYUxCzAJBgNVBAYTAkFVMSUwIwYDVQQKExxBdXN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEtMCsGA1UEAxMkVGVzdCBBdXN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyIENBAgMEB7wwDQYJYIZIAWUDBAIBBQCgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAyMDQwNTU5MzBaMC8GCSqGSIb3DQEJBDEiBCDLdB9zB8ImqwV9/2iNqAKmkxGzFclxM97JbZQaKQubsTANBgkqhkiG9w0BAQEFAASBgKEUqCKv1btBuUVC3PcJMBDFkulVKvZP1GBR9ZIRku8s9LVnOItemvz3PdnV0dCxhDzwYR+QAXdpnYAhq45Khx/T0NlDHxICgdyFF4oXVgpz9tHJehXH8VoYZtEy5GxmgGZHQeHc9BZfzCywdnGLDHXdwIP+JEa4WwmCrzaf0e9sAAAAAAAA</cmsB64></request></ns:requests>
[main] INFO au.gov.abr.akm.credential.store.DaemonThreadFactory - Creating a new Thread in ThreadGroup: main
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - Constructing the response reader
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - java.net connection timeout = 0
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - java.net read timeout = 0
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreImpl - correct password given, resetting bad password count to zero
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreFactory - Will attempt to load the keystore, if the keystore doesn't exist then an exception will be thrown
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreSerializerTransporterFactory - No custom Transporter specified, using the default File Transporter.
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreSerializerTransporterFile - A keystore file has been passed through, keystore location is that of the provided file
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester - ABRRequester timeout = 60000ms
[pool-1-thread-1] INFO au.gov.abr.akm.cryptoOps.CredentialRequestResponse - XML Response length -> 358
[pool-1-thread-1] INFO au.gov.abr.akm.cryptoOps.CredentialRequestResponse - Auto-renew => ***BEGIN XML RESPONSE***
<?xml version="1.0" encoding="utf-8"?><responses xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://auth.sbr.gov.au/AutoRenew"><response id="ABRD:TESTDeviceID" xmlns=""><error><errorId>2106</errorId><errorMessage>Unrecognised error - 1137</errorMessage></error></response></responses>
******END XML******
[pool-1-thread-1] WARN au.gov.abr.akm.cryptoOps.CredentialRequestResponse - CredentialRequestResponse.processResponse (2106) Unrecognised error - 1137
javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
at com.sun.xml.ws.fault.SOAP12Fault.getProtocolException(SOAP12Fault.java:225)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:195)
at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:214)
at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:624)
at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:170)
at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.getIssuedTokenContext(STSIssuedTokenProviderImpl.java:136)
at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:74)
at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:655)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:264)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:233)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy44.createUSI(Unknown Source)
at usi.gov.au.USITest.main(USITest.java:83)
Second Approach
2nd approach is that I directly call STS service v3 by generating wsdl2java client class. This approach is already answered here. But I couldn't understand the answer nor I was able to achieve the result by adding signatureAlgorithm="SHA256withRSA" in sp:AlgorithmSuite
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
OR
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
Everytime I get
com.microsoft.schemas.ws._2008._06.identity.securitytokenservice.IWSTrust13SyncTrust13IssueSTSFaultFaultMessage: Could not validate the ActAs token
I can't understand that which approach is right and how to fix WSDL or my code to update the SecurityPolicy i.e. switchs from Sha1 to Sha256 with RSA.
You need updated STS 1.3 wsdl which does not require ActAs token as old one did
I triggered CAS Single Sign Out event by visit https://xx/cas-server/logout?service=myservice, and CAS POST a request to myservice(http://test.ogg:8080/cas) with the body:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-329-TxwPlscwOydLQH0JD0R2AKmOr4ew5FdiKN2" Version="2.0" IssueInstant="2016-07-15T08:21:38Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#NOT_USED#</saml:NameID><samlp:SessionIndex>ST-329-lNWcDWJIW0Ve7ij9gsNG-cas</samlp:SessionIndex></samlp:LogoutRequest>
I have customised logout logic, so used the ticket in <samlp:SessionIndex>ST-329-lNWcDWJIW0Ve7ij9gsNG-cas</samlp:SessionIndex> to call https://xx/cas-server/validateService?service=myservice&ticket=ST-329-lNWcDWJIW0Ve7ij9gsNG-cas, but CAS report ticket invalid:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
Ticket 'ST-329-lNWcDWJIW0Ve7ij9gsNG-cas' not recognized
</cas:authenticationFailure>
Here is the log from CAS server:
2016-07-15 08:21:38,334 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator.create(SamlCompliantLogoutMessageCreator.java:53)] - Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-328-qwK2GgGVhRlRtu9QtebIoXIo30iwd4dWWwu" Version="2.0" IssueInstant="2016-07-15T08:21:38Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#NOT_USED#</saml:NameID><samlp:SessionIndex>ST-329-lNWcDWJIW0Ve7ij9gsNG-cas</samlp:SessionIndex></samlp:LogoutRequest>]
2016-07-15 08:21:38,334 DEBUG [org.jasig.cas.logout.LogoutManagerImpl.performBackChannelLogout(LogoutManagerImpl.java:143)] - Sending logout request for: [http://test.ogg:8080/cas]
2016-07-15 08:21:38,334 DEBUG [org.jasig.cas.util.SimpleHttpClient$MessageSender.call(SimpleHttpClient.java:297)] - Attempting to access http://test.ogg:8080/cas
2016-07-15 08:21:38,371 DEBUG [org.jasig.cas.web.support.AbstractArgumentExtractor.extractService(AbstractArgumentExtractor.java:45)] - Extractor generated service for: http://test.ogg:8080/cas
2016-07-15 08:21:38,372 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry.getTicket(DefaultTicketRegistry.java:80)] - Attempting to retrieve ticket [ST-329-lNWcDWJIW0Ve7ij9gsNG-cas]
2016-07-15 08:21:38,372 INFO [org.jasig.cas.CentralAuthenticationServiceImpl.validateServiceTicket(CentralAuthenticationServiceImpl.java:413)] - ServiceTicket [ST-329-lNWcDWJIW0Ve7ij9gsNG-cas] does not exist.
It seems the ticket was expired in 1 second?
When you have logged out, you have logged out. There is nothing further for you to do. Everything is gone. You can't validate something that is destroyed.
In production environment - tomcat_7_0_53 behind Apache/mod_jk - our customers report problems caused by random lost session issues.
We have investigated enabling AccessLogValve and to exclude bad session handling in request processing, like programmatically invoking of session.invalidate or session.setMaxTimeInterval etc.., we have catched and logged HttpSessionEvent via HttpSessionListener interface implementation.
####################################################################################
##### Logging by AccessLogValve
##### At first access time tomcat sent cookie: JSESSIONID=ADDBC908E913C159A330C746ABFE2340;
82.112.204.155 - - [03/Mar/2016:08:27:03 +0100] "GET /rdsv5i/servlet/custom-logon/clienti-asp HTTP/1.1" Cookie="__utma=31431036.270103424.1433757878.1456913762.1456990022.212; __utmz=31431036.1433757878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=31431036.1.10.1456990022; __utmt=1; __utmc=31431036; CustomLogonServlet.company=IAP; user=caruso; rds_home_page_logon=%2Frdsv5i%2Fservlet%2Fcustom-logon%2Fclienti-asp%3F1456913769327" Set-Cookie="JSESSIONID=ADDBC908E913C159A330C746ABFE2340; Path=/rdsv5i; Secure"
##### User work without problems for 10 minutes:
82.112.204.155 - - [03/Mar/2016:08:37:58 +0100] "POST /rdsv5i/spoolviewer/spoolavailable.jsp HTTP/1.1" Cookie="AlreadyConnectedGUID=f34dc1bb-a117-4405-a40d-289c73e07de9; JSESSIONID=ADDBC908E913C159A330C746ABFE2340; __utma=31431036.270103424.1433757878.1456913762.1456990022.212; __utmz=31431036.1433757878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=31431036.1.10.1456990022; __utmc=31431036; CustomLogonServlet.company=IAP; user=caruso; rds_home_page_logon=%2Frdsv5i%2Fservlet%2Fcustom-logon%2Fclienti-asp%3F1456990031203" Set-Cookie="-"
#### Suddenly Tomcat send renewed JSESSIONID=28C983BAE315B709093B357C0DE7810D; ignoring browser sent back cookie: JSESSIONID=ADDBC908E913C159A330C746ABFE2340;
82.112.204.155 - - [03/Mar/2016:08:38:06 +0100] "POST /rdsv5i/spoolviewer/spoolavailable.jsp HTTP/1.1" Cookie="AlreadyConnectedGUID=f34dc1bb-a117-4405-a40d-289c73e07de9; JSESSIONID=ADDBC908E913C159A330C746ABFE2340; __utma=31431036.270103424.1433757878.1456913762.1456990022.212; __utmz=31431036.1433757878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=31431036.1.10.1456990022; __utmc=31431036; CustomLogonServlet.company=IAP; user=caruso; rds_home_page_logon=%2Frdsv5i%2Fservlet%2Fcustom-logon%2Fclienti-asp%3F1456990031203" Set-Cookie="JSESSIONID=28C983BAE315B709093B357C0DE7810D; Path=/rdsv5i; Secure"
and session lost issues...
#### Logging by my HttpSessionListener
##### At first access time tomcat sent cookie: JSESSIONID=ADDBC908E913C159A330C746ABFE2340;
03-Mar-2016 08:27:03.437 INFO [ajp-apr-8109-exec-5] com.rds_software.RdsUtil.http.HttpSessionEventsLogger.sessionCreated id="ADDBC908E913C159A330C746ABFE2340"
#### Suddenly Tomcat send renewed JSESSIONID=28C983BAE315B709093B357C0DE7810D;
03-Mar-2016 08:38:06.358 INFO [ajp-apr-8109-exec-6] com.rds_software.RdsUtil.http.HttpSessionEventsLogger.sessionCreated id="28C983BAE315B709093B357C0DE7810D"
#### Here destroy first access time JSESSIONID=ADDBC908E913C159A330C746ABFE2340
03-Mar-2016 09:08:43.365 INFO [ContainerBackgroundProcessor[StandardEngine[Catalina]]] com.rds_software.RdsUtil.http.HttpSessionEventsLogger.sessionDestroyed id="ADDBC908E913C159A330C746ABFE2340" lastAccessedTime="08:37" maxInactiveTimeInterval="1800" stackTrace="Stacktrace:
org.apache.catalina.session.StandardSession.expire(StandardSession.java:806)
org.apache.catalina.session.StandardSession.isValid(StandardSession.java:656)
org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:532)
org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:517)
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1352)
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530)
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519)
"
####################################################################################
My question is:
How is possible tomcat create a new session at 08:38:06 when browser sent back JSESSIONID=ADDBC908E913C159A330C746ABFE2340 and ADDBC908E913C159A330C746ABFE2340 have been destroyed at 9:08:46?
At 08:38:06 Session ADDBC908E913C159A330C746ABFE2340 not was valid?
I worked heavy for a week to code a test case to reproduce this strange behaviour but unsuccesfully.
Increasing org.apache.catalina.connector.CoyoteAdapter loglevel, it seems that tomcat in some circumstances, is not able to recognize JSESSIONID sent from browser.
#AccessLogValve say:
93.145.128.242 - - [08/Mar/2016:10:16:35 +0100] "GET /uri Cookie="JSESSIONID=CE848CE8D53223658BD8D69D5CB667D4" Set-Cookie="JSESSIONID=0D954B6C1223E63C54DB8BDA265A7B83; Path=/rdsv5i; Secure"
#CoyoteAdapter say:
08-Mar-2016 10:16:35.864 FINE [ajp-apr-8109-exec-6] org.apache.catalina.connector.CoyoteAdapter.parsePathParameters The variable [uriBC] has value [/rdsv5i/rds-its/xmlv5i/js/customers/righi.js]
08-Mar-2016 10:16:35.864 FINE [ajp-apr-8109-exec-6] org.apache.catalina.connector.CoyoteAdapter.parsePathParameters The variable [semicolon] has value [-1]
08-Mar-2016 10:16:35.864 FINE [ajp-apr-8109-exec-6] org.apache.catalina.connector.CoyoteAdapter.parsePathParameters The variable [enc] has value [ISO-8859-1]
In normal circumstances I should see also:
08-Mar-2016 10:16:35.864 FINE [ajp-apr-8109-exec-6] org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId Requested cookie session id is CE848CE8D53223658BD8D69D5CB667D4
I suppose cookie parsing not handled properly, I will try to reproduce case activating RequestDumpValve.
Can you try proxy instead of mod_jk in your single instance environment? You should add something like below to your httpd.conf. I had same issue while i was working with mod_jk and spring security, now I am using proxy and have no problems. You should change httpServer and tomcatServer definitions.
<VirtualHost *:80>
ServerName httpServer
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://tomcatServer:8080/rdsv5i
ProxyPassReverse / http://tomcatServer:8080/rdsv5i
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>