In the Web Service (SOAP) Client call, i can see org.apache.axis.transport.http.HTTPTransport is taking almost 500 ms for each call. This is leading to the latency in all the transactions. Anyone has experienced the same issue and how was it resolved?
I'm using Axis 1.4 and Java8
2022-11-13 07:42:51,930 DEBUG ProjectResourceBundle:72 - org.apache.axis.i18n.resource::handleGetObject(transport00)
2022-11-13 07:42:51,930 DEBUG Call:2119 - Transport is org.apache.axis.transport.http.HTTPTransport#1d20e46
2022-11-13 07:42:52,429 DEBUG Call:2351 - Enter: Call::invoke(ns, meth, args)
2022-11-13 07:42:52,436 DEBUG Call:2043 - operation=name: addRequest
I tried using CommonsHTTPSender, but till facing this latency.
My Java Spring Authentication and Authorization Server is working.
I want to solve the errors in the requests I send from a client according to the OAuth2 flow. But none of the errors I get are detailed. For example, this request sent to /oauth2/authorize:
https://MY_DOMAIN/authorize?
response_type=code&
client_id=MY_CLIENT_ID&
redirect_uri=MY_CALLBACK_URL&
scope=SCOPE&
state=STATE
Gives the following error after I enter credentials:
My goal is not to resolve the error here, but there are different errors I get like this and I need to see a more informative error message so I can debug them all.
The console also has a non-informative output that goes like this:
...
2022-08-15 15:52:33.739 DEBUG 50827 --- [nio-9000-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-08-15 15:52:33.739 DEBUG 50827 --- [nio-9000-exec-4] o.a.c.c.C.[Tomcat].[localhost] : Processing ErrorPage[errorCode=0, location=/error]
2022-08-15 15:52:33.739 DEBUG 50827 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy : Securing GET /error?protocol=oauth2&response_type=code&access_type&client_id=articles-client&redirect_uri=http%3A%2F%2F127.0.0.1%3A3000%2Flms%2Flogin&scope=openid%20articles.read&state=XqqDv6wx6O&code_challenge_method=plain&code_challenge=e964fe0c4b609ef3cf29658efc6077e7feb591f78c458c2092aa56c9
...
I'm currently on the one day tutorial of the Eclipse Scout Framework, and I'm stuck at exactly this part. I don't think that my question is Tutorial-specific, which is why I'm asking my question here: Suddenly, when I try to open a menu in my scout localhost environment; I get an "access denied" message in my browser, and the java console gives back the following log:
2022-04-06 22:27:06,597 WARN [qtp1600667055-41] org.eclipse.scout.rt.server.commons.authentication.DevelopmentAccessController.handle(DevelopmentAccessController.java:66) -
+++ Development access control with user xxx.yyy - MDC[]
2022-04-06 22:27:06,875 INFO [qtp1600667055-33] org.eclipse.scout.rt.ui.html.csp.ContentSecurityPolicyReportHandler.log(ContentSecurityPolicyReportHandler.java:80) - CSP-REPORT: {
"csp-report": {
"blocked-uri": "inline",
"column-number": 797897,
"document-uri": "http:\/\/localhost:8082\/",
"line-number": 71,
"original-policy": "img-src 'self'; style-src 'self' 'unsafe-inline'; child-src *; default-src 'self'; report-uri http:\/\/localhost:8082\/csp-report; script-src 'self'",
"referrer": "",
"source-file": "moz-extension",
"violated-directive": "script-src"
}
} - MDC[principal=xxx.yyy,
httpUri=/csp-report,
cid=d3e5c2b5-19b8-4f62-b512-56bbd82eb685]
2022-04-06 22:27:07,
575 INFO [scout-model-thread-4 Starting ClientSession [sessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah]] org.eclipse.scout.rt.client.AbstractClientSession.start(AbstractClientSession.java:294) - Client session started [session=org.eclipse.scout.contacts.client.ClientSession#49956588[id = v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah], user=xxx.yyy] - MDC[principal=xxx.yyy, httpUri=/json, jobName=Starting ClientSession [sessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah], cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,575 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiSession.getOrCreateClientSession(UiSession.java:303) - Created new client session [clientSessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, userAgent=HTML|DESKTOP|FIREFOX|WINDOWS|Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0] - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,575 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiThemeHelper.getConfiguredTheme(UiThemeHelper.java:59) - UI theme configured in config.properties: default - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,591 INFO [scout-model-thread-10 Starting JsonClientSession] org.eclipse.scout.rt.ui.html.json.MainJsonObjectFactory.getFactories(MainJsonObjectFactory.java:36) - Using following object factories: [org.eclipse.scout.rt.ui.html.JsonObjectFactory#7646906d] - MDC[principal=xxx.yyy, httpUri=/json, scoutSession=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, jobName=Starting JsonClientSession, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,701 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiSession.init(UiSession.java:264) - UiSession with ID 1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4 initialized - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,717 INFO [qtp1600667055-45] org.eclipse.scout.rt.ui.html.json.JsonMessageRequestHandler.createUiSession(JsonMessageRequestHandler.java:362) - Created new UI session with ID 1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4 in 558.412900 ms [maxIdleTime=14400s, httpSession.maxInactiveInterval=3600s] - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:11,793 INFO [scout-model-thread-18 Processing JSON request] org.eclipse.scout.rt.platform.exception.ExceptionHandler.handlePlatformException(ExceptionHandler.java:125) - VetoException: Zugriff verweigert [severity=ERROR, user=xxx.yyy, remote-service.name=org.eclipse.scout.contacts.shared.person.IPersonService, remote-service.operation=prepareCreate, form=org.eclipse.scout.contacts.client.person.PersonForm, ui.event=action, ui.adapter=Menu[id=5, modelClass=org.eclipse.scout.contacts.client.Desktop$QuickAccessMenu$NewPersonMenu, parentId=4]] - MDC[principal=xxx.yyy, httpUri=/json, uiSession=1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4, scoutSession=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, jobName=Processing JSON request, cid=Bp3cD7ar8Gp/4]
To me it seems that there's a Content Security Policy issue somewhere, but no clue if that's the case, and if so how to fix that, even after researching the issue for quite some time now.
Help?
Are you running some kind of ad-blocker or privacy plugin in your browser? This would explain the reported CSP error. By default, the CSP rules block inline JavaScript code (e.g. <script>...</script>). Scout itself does not use inline code. It is therefore likely that a browser plugin has injected code into the page. The reported "source-file" ("moz-extension") also hints to that.
The access denied error is probably not caused by the CSP rules. According to the log file, the click was successfully dispatched to the corresponding Menu instance on the UI server. That code calls a backend service (IPersonService) over the service tunnel, which fails with an exception. There are a lot of things that could have gone wrong here:
Backend not running.
Backend running, but not in a valid state.
Auth keys of UI server and backend server don't match, so the service tunnel cannot be established securely. Check the values of the config properties scout.auth.privateKey and scout.auth.publicKey. If necessary, use the SecurityUtility to create a new pair.
User does not have the necessary permissions. For every call to the backend over the service tunnel, RemoteServiceAccessPermission is required. And for most services, a specific permission is required, e.g. ReadPersonPermission.
User doesn't exist.
To analyze these kinds of errors, first check the logs of both the UI server and the backend server. If this does not help, set some breakpoints and step through the code. Here are some classes that make a good starting point: ServerServletFilter, ServiceTunnelServlet, AccessControlService.
If your are running Java 17 version, then you need to update the private & public keys which can be found on config.properties file.
Few years back we have developed a client to consume a usi-ws v2, this webservice uses a STS service v2. It was working fine.
But, now soap-ws v2 is updated to usi-ws v3 which in turns uses STS service v3.
Key differences are
1) usi-ws v3 uses <sp:Basic256Sha256Rsa15/> as AlgorithmSuite policy which matches STS service v3's AlgorithmSuite policy.
2) usi-ws v3 uses STS service v3 instead of STS service v2
I can integrate the change by two different approaches
First Approach
I use apache-cxf wsdl2java on usi-ws v3 to generate the client code. Below is sample endpoint code
private static void SetupRequestContext(IUSIService endpoint, X509Certificate certificate, PrivateKey privateKey) {
Map<String, Object> requestContext = ((BindingProvider)endpoint).getRequestContext();
requestContext.put(XWSSConstants.CERTIFICATE_PROPERTY, certificate);
requestContext.put(XWSSConstants.PRIVATEKEY_PROPERTY, privateKey);
requestContext.put(STSIssuedTokenConfiguration.STS_ENDPOINT, "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put(STSIssuedTokenConfiguration.STS_NAMESPACE, "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
requestContext.put(STSIssuedTokenConfiguration.STS_WSDL_LOCATION, "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put(STSIssuedTokenConfiguration.STS_SERVICE_NAME, "SecurityTokenService");
requestContext.put(STSIssuedTokenConfiguration.LIFE_TIME, 30);
requestContext.put(STSIssuedTokenConfiguration.STS_PORT_NAME, "S007SecurityTokenServiceEndpoint");
requestContext.put(BindingProviderProperties.REQUEST_TIMEOUT, REQUEST_TIMEOUT);
requestContext.put(BindingProviderProperties.CONNECT_TIMEOUT, CONNECT_TIMEOUT);
}
After configuring the endpoint context, I try to createUSI
endpoint.createUSI(createUsiRequest);
It throws below error (logs)
... LOGS before are removed
[main] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - XML request is => <ns:requests xmlns:ns="http://auth.sbr.gov.au/AutoRenew"><request id="ABRD:TESTDeviceID" credentialType="D"><cmsB64>MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwGggCSABIIBqDCCAaQwggENAgEAMDoxFTATBgNVBAMMDFRlc3REZXZpY2UwMzEUMBIGA1UECgwLMTIzMDAwMDAwNTkxCzAJBgNVBAYTAkFVMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjFrK/biRUDUpRBEmJtV1XAM+sNP0NMwydRdv4NntG0x/JHZaOoJJpFrTXvB0gAIIHhHlhfkpLkSLQmz8iMYKnPgaqG+g/quSM6VYKQcCMr0UwS9b37NdzOhpf8n6JRWkTIFWznUz8WxiASCLuj5VmRiacHlrtJul/Gj89zbDJtwIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgYqJAGCTQEEDRYLMTIzMDAwMDAwNTkwDQYJKoZIhvcNAQEFBQADgYEAmUIkEDpCtZJbCZ04DfVxMgsjZfIEsF3yh+VWlCO/6jJcdcJKKjY0xbJDxzdh8xhbq2RzBKnP5th4p/yzBGN8Wafvr/2mQVNC9LG/3IGsawZLGMqUjeL0aIwDEmYBJWt0wm1ntKUF5DiuZJgcIgjFIfHWBq0WB2bU8SroO5O07coAAAAAAACggDCCBB0wggMFoAMCAQICAwQHvDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCQVUxJTAjBgNVBAoTHEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MS0wKwYDVQQDEyRUZXN0IEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIgQ0EwHhcNMTgxMTI4MDQyMDMwWhcNMjAwMzI5MDQyMDMwWjA6MQswCQYDVQQGEwJBVTEUMBIGA1UEChMLMTIzMDAwMDAwNTkxFTATBgNVBAMTDFRlc3REZXZpY2UwMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA866tnV+RQ5v09wEPTTeA8C679zsZhgWhc4RjqtwvB73ZN7+g9NjJ1KujZUxXB5RbBdLQQ9GFPBx1DYifjDIN2Z1vMObqhT/QqUwz0sy8y6xQh6ukJjlyr4r9CHCQOBuHCe8rB3DzirMZsAv+qjT8lCOfdK9lq++IlsglpYkSAO8CAwEAAaOCAWIwggFeMAwGA1UdEwEB/wQCMAAwgeQGA1UdIASB3DCB2TCB1gYJKiQBlzllAQgBMIHIMIGmBggrBgEFBQcCAjCBmRqBllVzZSB0aGlzIGNlcnRpZmljYXRlIG9ubHkgZm9yIHRoZSBwdXJwb3NlIHBlcm1pdHRlZCBpbiB0aGUgYXBwbGljYWJsZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuIExpbWl0ZWQgbGlhYmlsaXR5IGFwcGxpZXMgLSByZWZlciB0byB0aGUgQ2VydGlmaWNhdGUgUG9saWN5LjAdBggrBgEFBQcCARYRd3d3LnRlc3RhYnJjYS5jb20wFwYGKiQBgk0BBA0WCzEyMzAwMDAwMDU5MA4GA1UdDwEB/wQEAwIE8DAfBgNVHSMEGDAWgBSJfa5qeCJphOwHaVTGwPRjl+HPTjAdBgNVHQ4EFgQU17H18nWNxfR8MnD6gVtz8f91bu4wDQYJKoZIhvcNAQELBQADggEBADFiv5BD06bmEwkvr8cKF0MDET9+kUCPz2Kka5YuEfy8gIITz6ET2upJRLlt9BKOFpyrevCfEdoSd1Tbsz9czm6Vn/fDhQZ25HfKZgDLxQU8zqrMkc2rNyxXrJIWT1LNaVtNmUN5KMcHRjHXQcN6Qou5GkjsmPk/wuzcp0K7F2DI1pvjbr7r2TE1xiaO1l4sD+6JpPugqidPT+/41ADdmcbKwWH1p0HjPR1/XoIiR/qcQWL0TWBozZsiJq7Ad4xI2mm/8AS6wjGMkwckDH2wpROfiZkcfKavDOf2/wJaWG+RBCL2B2LNYAltG30LNwno4R/J7LfGauoOSPmkd3Tdc00wggXdMIIDxaADAgECAgECMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYDVQQGEwJBVTElMCMGA1UEChMcQXVzdHJhbGlhbiBCdXNpbmVzcyBSZWdpc3RlcjEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxMjAwBgNVBAMTKVRlc3QgQXVzdHJhbGlhbiBCdXNpbmVzcyBSZWdpc3RlciBSb290IENBMB4XDTEwMDMyMDAwMDAwMFoXDTIwMDMyMDAwMDAwMFowgYUxCzAJBgNVBAYTAkFVMSUwIwYDVQQKExxBdXN0cmFsaWFuIEJ1c2luZXfghfghfFDN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxGJ5qZfrXMMxOq24M8K13oLHegF1C0fN2j1q2RotpIIkGCGszJtpV8n/XAOM6pVm9jp5Pc4+v3No1mtdj/dVP1nMP9xxGuDrd/gJUddZnhRGQVeXto9pB03bioWLmsszoG8e2OvTf4AnBum0ukHRqTFuNJ1qQu4HXUjahxg66ArdMVVRDbS4fHO4hwoPAob5gyHFP5NoiJjBZTWcmmF3gC6AYIkx64NLZMxNFImGqJvc1G1zBxKU4a79fiz4kM779N/pzdAjafxu7vpaC/N5xjx6uI+sV8bAucLgiCuGCfQIPeoTwoSlQQn65WxFYAx3m3KfiTN+PzQQniViWRI5OQIDAQABo4IBTzCCAUswEgYDVR0TAQH/BAgwBgEB/wIBADCB5AYDVR0gBIHcMIHZMIHWBgkqJAGXOWUBAQEwgcgwgaYGCCsGAQUFBwICMIGZGoGWVXNlIHRoaXMgY2VydGlmaWNhdGUgb25seSBmb3IgdGhlIHB1cnBvc2UgcGVybWl0dGVkIGluIHRoZSBhcHBsaWNhYmxlIENlcnRpZmljYXRlIFBvbGljeS4gTGltaXRlZCBsaWFiaWxpdHkgYXBwbGllcyAtIHJlZmVyIHRvIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuMB0GCCsGAQUFBwIBFhF3d3cudGVzdGFicmNhLmNvbTAOBgNVHQ8BAf8EBAMCAcYwHwYDVR0jBBgwFoAUaoz51J3tdoVnf3kQz50VsOUivyIwHQYDVR0OBBYEFIl9rmp4ImmE7AdpVMbA9GOX4c9OMA0GCSqGSIb3DQEBCwUAA4ICAQCjCpFDZXLAuhgMZPMCl9goYzAPrReIal90oKEh1WrQn7iZrampLL00fL5EUlb9kiaVKo6MfYEot6T2Zu3GsIMMHnfKDBAAMYEUH7XDutwJChmm9eVX5p7sRSxON+Ldah7MDlF4kjPzDIa/QsUFuXyJZicGrMlQEu5qiMdXo+z4Dtq/R+O8pEuyzLv1tIcbufDk0V/ofz0VUuUEntwigsyputtes9OouikEvERzLLif+y4nOducyAaIXSVMFEqREafT6eC05k/A2K2RrTowMb1NKKybUjW89Wvbj2z/O5h1WP8s3U+A5sPtOEJYBU+zM1+lxz3NinRceIAKkyBjOPsX5Zh+ao4fAN3Vhyl3tIGlc3o+bWvOl7AUMGWv+gOAIexaAHYIaK7nX9qhZqkNqGOqBVtG9Hxr0WUXMLKMjMSpCUvYWZAb/ReCt5mISw6ZOxLPUxY/jBRE8MzoLNqAEH+dHiSVuyLy0y3dFiCUkKZ1yUJWy+mytmvS8FxLQ6Dl3CRxoQhms6dRNg5WIk7rtdHHNPwoWd2Ew3JdhDO4YiwtkVxcwzajhlNWlum5sUUJqSlajxlBdtE7mkuOvBcvqv7fyzuHStGwXDy0F0S9ZeSQB5Q45K23L3Z1v9CygiBocAUGdtBHxZGmikbymewqiX6gdQhqc9I0a2Y6bd6xUPMyuzCCBuMwggTLoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwgYoxCzAJBgNVBAYTAkFVMSUwIwYDVQQKExxBdXN0cmFsaWFuIEJ1c2ludferJlZ2lzdGVyMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEyMDAGA1UEAxMpVGVzdCBBdXN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyIFJvb3QgQ0EwHhcNMTAwMzIwMDAwMDAwWhcNMzAwMzIwMDAwMDAwWjCBijELMAkGA1UEBhMCQVUxJTAjBgNVBAoTHEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MTIwMAYDVQQDEylUZXN0IEF1c3RyYWxpYW4gQnVzaW5lc3MgUmVnaXN0ZXIgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKViU48+OChS9P2MsQlroR+xTHQlut/q6R5r1yEzsXjBBSiy9HYOnuO31cCqoZWw87QGfS2A4ZfaoVMcj0Mu89+HKeuqBeYuGLr5oc1xU+fZDft/BbvN1BHLJsD7srmPivC4MDoKDvCHXX4ayHEDuCCKJ8ywguKT/kaFzzDTLcl0rL7ayB2XHdL7eWiBAwbB/YCe/3vUe+g1kDsEeY7OatU1l5VZkStomOr/vD1O+MlYMkn7LtmJ89NhL2ZwaHp1twYN7g7FpapOQTT9Uw1JlxkA1d2h6XU8VsXxqmriSV7kyJNLeUpKngZO8XmjbW4FIYLu6tHs1Pv0viUsfP9GLlI3IkbXOptyfToKPMH3bJXGvgYGzQWK2P3MsspRXfWpMajoFi/WN4EuApf/j0iRKC1tGk4UXfHfVHMSJlTbQUQt4UAyDHgLqGVgA7rpWJJHux1SUE0lYpxufMuDD7CQdELI2VTFjxjaDLzLuNgLqM9DP4fc3/4QxTiYQacUA0DwZYk6tLRgbGPUB6VTO699THa8OeoBlmR/zk5LWDDf3CLVRJxbm4ylBcor/PQ8DmqpFlrGubHkmZaEo/nm9GhCvhn97uEcZ+uHGal8xYfUe5/k4e7nDLYBK2lF7hQA5KLkWhDG+z8b0+RBHF7KvVN3LjapAHEF2V1a/Q1AgMBAAGjggFQMIIBTDASBgNVHRMBAf8ECDAGAQH/AgECMIHlBgNVHSAEgd0wgdowgdcGCCokAZc5ZQEBMIHKMIGmBggrBgEFBQcCAjCBmRqBllVzZSB0aGlzIGNlcnRpZmljYXRlIG9ubHkgZm9yIHRoZSBwdXJwb3NlIHBlcm1pdHRlZCBpbiB0bGljYWJsZSBDZXJ0aWZpY2F0ZSBQb2xpY3kuIExpbWl0ZWQgbGlhYmlsaXR5IGFwcGxpZXMgLSByZWZlciB0byB0aGUgQ2VydGlmaWNhdGUgUG9saWN5LjAfBggrBgEFBQcCARYTd3d3LnRlc3RzYnJyb290LmNvbTAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFGqM+dSd7XaFZ395EM+dFbDlIr8iMB8GA1UdIwQYMBaAFGqM+dSd7XaFZ395EM+dFbDlIr8iMA0GCSqGSIb3DQEBCwUAA4ICAQAo6w3fIgwhYJXhA7RxyXTJvmtglTwIY9xUabR7GxvivITy07VSiCSti/pMaNFx5sl0C93kB1UrJzehuzG3usIQPVQBcOin8lP7DPlI0trIHF2KZyA7J2uU116fRV4imXYOyt1odj4nLJPnB7GEYmfA4LpTFoP1/kqAYpnbGvNqu6S+4QKhIhaMR88b/s5PEYMNYSVVxBFQGLs4RT6+xnMCxsohuaLB/YuPGrtr1gwptz+nObJPL4e/8TyzTXMbgeWfgl70c6OlSEO+VhHyJf5HONSAN4ioVZ+aHZMcwWf3PGMu6jmLi2e3SuXZImWzXNyHBwtdhGdA8jZj8RLqlkNm8qZioooVw9fmI+uB+04E5SVeMDvcPq8Afxrdkt9/nYiI9ijLmmW11k8zxhQdS6oU/6gEQpFfjaIcY5PeaOyO4K57ihO74T0CC9al1ZBx5Wvz/Mo731TrXJuLYuOPBaDFmc5puu33ZBV9uirQqH15Xy2J1gf0wZK0wa3FdibH8mEO9mkmJsw74SoHepBBLjD/ymSDhDJSpkmFsub9pX3RvVl0M9r8EsO6YSCSc9wD99eg24ESiM9iXeLhyAvJ/al99FOspGFUBFgxsIg24RCp/49e2M4w7mzHePCzcvhtR8xUefqm702HaSJm1Cl0X010Qo6AAAMYIBozCCAZ8CAQEwgY0wgYUxCzAJBgNVBAYTAkFVMSUwIwYDVQQKExxBdXN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEtMCsGA1UEAxMkVGVzdCBBdXN0cmFsaWFuIEJ1c2luZXNzIFJlZ2lzdGVyIENBAgMEB7wwDQYJYIZIAWUDBAIBBQCgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAyMDQwNTU5MzBaMC8GCSqGSIb3DQEJBDEiBCDLdB9zB8ImqwV9/2iNqAKmkxGzFclxM97JbZQaKQubsTANBgkqhkiG9w0BAQEFAASBgKEUqCKv1btBuUVC3PcJMBDFkulVKvZP1GBR9ZIRku8s9LVnOItemvz3PdnV0dCxhDzwYR+QAXdpnYAhq45Khx/T0NlDHxICgdyFF4oXVgpz9tHJehXH8VoYZtEy5GxmgGZHQeHc9BZfzCywdnGLDHXdwIP+JEa4WwmCrzaf0e9sAAAAAAAA</cmsB64></request></ns:requests>
[main] INFO au.gov.abr.akm.credential.store.DaemonThreadFactory - Creating a new Thread in ThreadGroup: main
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - Constructing the response reader
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - java.net connection timeout = 0
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester$ABRHttpPost - java.net read timeout = 0
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreImpl - correct password given, resetting bad password count to zero
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreFactory - Will attempt to load the keystore, if the keystore doesn't exist then an exception will be thrown
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreSerializerTransporterFactory - No custom Transporter specified, using the default File Transporter.
[main] INFO au.gov.abr.akm.credential.store.ABRKeyStoreSerializerTransporterFile - A keystore file has been passed through, keystore location is that of the provided file
[pool-1-thread-1] WARN au.gov.abr.akm.credential.store.ABRRequester - ABRRequester timeout = 60000ms
[pool-1-thread-1] INFO au.gov.abr.akm.cryptoOps.CredentialRequestResponse - XML Response length -> 358
[pool-1-thread-1] INFO au.gov.abr.akm.cryptoOps.CredentialRequestResponse - Auto-renew => ***BEGIN XML RESPONSE***
<?xml version="1.0" encoding="utf-8"?><responses xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://auth.sbr.gov.au/AutoRenew"><response id="ABRD:TESTDeviceID" xmlns=""><error><errorId>2106</errorId><errorMessage>Unrecognised error - 1137</errorMessage></error></response></responses>
******END XML******
[pool-1-thread-1] WARN au.gov.abr.akm.cryptoOps.CredentialRequestResponse - CredentialRequestResponse.processResponse (2106) Unrecognised error - 1137
javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
at com.sun.xml.ws.fault.SOAP12Fault.getProtocolException(SOAP12Fault.java:225)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:195)
at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:214)
at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:624)
at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:170)
at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.getIssuedTokenContext(STSIssuedTokenProviderImpl.java:136)
at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:74)
at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:655)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:264)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:233)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy44.createUSI(Unknown Source)
at usi.gov.au.USITest.main(USITest.java:83)
Second Approach
2nd approach is that I directly call STS service v3 by generating wsdl2java client class. This approach is already answered here. But I couldn't understand the answer nor I was able to achieve the result by adding signatureAlgorithm="SHA256withRSA" in sp:AlgorithmSuite
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
OR
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
Everytime I get
com.microsoft.schemas.ws._2008._06.identity.securitytokenservice.IWSTrust13SyncTrust13IssueSTSFaultFaultMessage: Could not validate the ActAs token
I can't understand that which approach is right and how to fix WSDL or my code to update the SecurityPolicy i.e. switchs from Sha1 to Sha256 with RSA.
You need updated STS 1.3 wsdl which does not require ActAs token as old one did
I am writing some Java code that authenticates to Active Directory using SASL GSSAPI. Mostly this code is working fine but for one user I am getting the response:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8
0090304: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568,
v1772 ]
I know that 49 means this is an authentication failure, and that the relevant sub code is 568, but I am only aware of the following meanings for that data:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
So far I am unable to find an authorative source of these error codes from Microsoft (this list is pieced together from forum posts) and I can't find anything for that 568 error.
Does anyone know what it means?
EDIT: It looks like the source of this list comes from this documentation from IBM
This and this list contain error codes that seem to correspond to the above numbers, viz.
ERROR_NO_SUCH_USER 1317 (0x525) The specified account does not exist.
ERROR_LOGON_FAILURE 1326 (0x52E) Logon failure: unknown user name or bad password.
ERROR_INVALID_LOGON_HOURS 1328 (0x530) Logon failure: account logon time restriction violation.
ERROR_PASSWORD_EXPIRED 1330 (0x532) Logon failure: the specified account password has expired.
ERROR_ACCOUNT_DISABLED 1331 (0x533) Logon failure: account currently disabled.
ERROR_ACCOUNT_EXPIRED 1793 (0x701) The user's account has expired.
ERROR_PASSWORD_MUST_CHANGE 1907 (0x773) The user's password must be changed before logging on the first time.
From this list it appears that this error code means:
ERROR_TOO_MANY_CONTEXT_IDS 1384 (0x568) During a logon attempt, the user's security context accumulated too many security IDs.
It turns out that this account has 2000 group memberships which are overrunning an internal Active Directory limit. You may only have 1015 or so group memberships otherwise login will fail.
More information is available on this error at: http://go.microsoft.com/fwlink/?LinkId=146571.