Get Security Token from WSO2 Identity Server 5.3 WS-Trust STS

0

I have WSO2IS set up with an AD LDS user store and have a WS-Federation Passive STS prototype written in ASP.NET MVC that works and can authenticate as a user defined in AD LDS. I am now attempting to write a simple .NET console app to manually connect to the WS-Trust endpoint and authenticate as this same user (or the admin user, tried both). I have secured the WS-Trust endpoint using UserNamePassword, and selected which users can authenticate.

However, when I run this prototype I get a "java.lang.NullPointerException" from WSO2IS.

What am I doing wrong or leaving out?

System.ServiceModel.FaultException occurred HResult=0x80131501
Message=java.lang.NullPointerException Source=System.ServiceModel
StackTrace: at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at WsTrustActiveSTSClient.Program.Main(String[] args) in C:\Source\caci\MFOMID Prototypes\STS\WSO2IS-RP\WsTrustActiveSTSClient\Program.cs:line 38

I have looked at the logs for the exception information and it seems to be thrown in org.apache.rahas.impl.SAMLTokenIssuer.createHoKAssertion.

TID: [-1234] [] [2017-10-12 20:10:34,719] ERROR {org.apache.axis2.transport.http.AxisServlet} -
java.lang.NullPointerException at org.apache.rahas.impl.SAMLTokenIssuer.createHoKAssertion(SAMLTokenIssuer.java:452) at org.apache.rahas.impl.SAMLTokenIssuer.issue(SAMLTokenIssuer.java:202) at org.apache.rahas.TokenRequestDispatcher.handle(TokenRequestDispatcher.java:69) at org.apache.rahas.STSMessageReceiver.invokeBusinessLogic(STSMessageReceiver.java:57) at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40) at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173) at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231) at javax.servlet.http.HttpServlet.service(HttpServlet.java:650) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128) at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at 
org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:72) at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91) at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60) at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99) at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57) at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) at 
org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62) at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958) at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)

Here is the source code for this simple WS-Trust STS client written using WIF 4.5 under the .NET Framework 4.5.2.

using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace WsTrustActiveSTSClient
{
    internal class Program
    {
        private static void Main(string[] args)
        {
            WS2007HttpBinding binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential, false);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.EstablishSecurityContext = false;

            EndpointAddress endpoint = new EndpointAddress("https://localhost:9443/services/wso2carbon-sts");

            WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, endpoint);
            factory.Credentials.UserName.UserName = "admin";
            factory.Credentials.UserName.Password = "admin";

            WSTrustChannel channel = (WSTrustChannel) factory.CreateChannel();

            RequestSecurityToken rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                KeyType = KeyTypes.Symmetric,
                Claims =
                {
                    new RequestClaim(ClaimTypes.Name)
                }
            };

            RequestSecurityTokenResponse rstr = null;
            SecurityToken token = channel.Issue(rst, out rstr);

            Console.WriteLine("{0}", token);
            Console.ReadLine();
        }
    }
}
wso2
wso2is
asked on Stack Overflow Oct 13, 2017 by Jeffrey

1 Answer

0

The issue is that I was requesting a Symmetric key token and it looks like I wasn't configured for that. I changed it to a Bearer token and it worked fine. I am still looking into the Symmetric key use case, though.

answered on Stack Overflow Oct 17, 2017 by Jeffrey
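The bearer-token variant described in the answer, written out as an added example (not the asker's code): the request is scoped to a relying party with AppliesTo, and the returned SAML assertion is validated (signature, trusted issuer, audience) before any claim in it is used. Because a bearer token carries no proof key, the audience restriction and the TLS channel are the only things binding it to the intended recipient, so the client must not skip that validation. The relying-party URI, the issuer name and the STS certificate thumbprint are assumed placeholder values, and the wso2carbon signing certificate must already be trusted by the machine for the default chain-trust check to pass.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

namespace WsTrustActiveSTSClient
{
    internal static class BearerTokenClient
    {
        // Assumed values: the relying party the token is scoped to and the STS signing certificate.
        private const string RelyingParty = "https://rp.example.local/";
        private const string StsCertThumbprint = "<thumbprint of the wso2carbon signing certificate>";
        private static void Main()
        {
            var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential, false);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.EstablishSecurityContext = false;
            var factory = new WSTrustChannelFactory(binding, new EndpointAddress("https://localhost:9443/services/wso2carbon-sts"));
            factory.Credentials.UserName.UserName = "admin";
            factory.Credentials.UserName.Password = "admin"; // lab value; load from a secret store otherwise
            var rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                KeyType = KeyTypes.Bearer,                       // the change from the answer: no holder-of-key proof
                AppliesTo = new EndpointReference(RelyingParty), // becomes the assertion's audience restriction
                Claims = { new RequestClaim(ClaimTypes.Name) }
            };
            RequestSecurityTokenResponse rstr;
            var token = (GenericXmlSecurityToken)((WSTrustChannel)factory.CreateChannel()).Issue(rst, out rstr);
            Console.WriteLine("Proof token present: {0}", rstr.RequestedProofToken != null); // false for bearer
            // Validate signature, issuer and audience before trusting any claim in the assertion.
            var config = new SecurityTokenHandlerConfiguration();
            config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingParty));
            var issuers = new ConfigurationBasedIssuerNameRegistry();
            issuers.AddTrustedIssuer(StsCertThumbprint, "wso2is"); // assumed issuer name
            config.IssuerNameRegistry = issuers;
            var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
            using (var reader = new XmlNodeReader(token.TokenXml))
            {
                var identity = handlers.ValidateToken(handlers.ReadToken(reader)).First();
                Console.WriteLine("Authenticated as: {0}", identity.Name);
            }
        }
    }
}
```

If the assertion's signature, issuer thumbprint or audience does not match, ValidateToken throws a SecurityTokenException instead of returning an identity.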

User contributions licensed under CC BY-SA 3.0