I am a beginner to WSO2. I am facing some challenges in integrating WSO2 identity server with ESB. I followed the "http://wso2.org/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform/" blog. I am getting some errors related to authenticating the user when using entitlement component in ESB.
Following is the error i get in console:-
[2012-07-06 19:23:42,312] ERROR - EntitlementMediator User name not
provided for the Entitlement mediator - can't proceed [2012-07-06
19:23:42,312] ERROR - EntitlementMediator Error occured while
evaluating the policy org.apache.synapse.SynapseException: User name
not provided for the Entitlement mediator - can't proceed at
org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:149)
at
org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:60)
at
org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:114)
at
org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:154)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:181)
at
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at
org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:409)
at
org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:261)
at
org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Can any one please help me understanding it.
Thanks in advance.
Charan
Have a look at this article[1] as to see how you can secure.
[1] http://wso2.org/library/articles/2011/06/securing-web-service-integration
This is because the service request to the ESB proxy service is not secured using a username token based policy. Please make sure that proxy is secured with Username token based security scenario as per the article and your client is sending the username token credentials in the WS Security header of the request to the proxy service.
Related
I have a simple setup of WSO2 APIM with MYSQL and have published APIs using the admin user.
On changing the default admin password for API manager I am able to login using the new password on Publisher/Store but not use the published apis.
Have followed the WSO2 documentation on changing the password. Restarted the WSO2 APIM
On calling the published API, I see the following response:
{"fault":{"code":900900,"message":"Unclassified Authentication Failure","description":"Error while accessing backend services for API key validation"}}
Below is the stacktrace of the error observed in wso2-apigw-errors.log:
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://10.93.16.127:9711.
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:134)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:59)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to data receiver :/10.93.16.127:9711
at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:50)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:128)
... 6 more
Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException: wrong userName or password
at sun.reflect.GeneratedConstructorAccessor194.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:163)
at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:44)
... 7 more
This error goes away as soon as I change the password back to the default "admin".
Please check if you have correct password here.
<ThrottlingConfigurations>
<EnableAdvanceThrottling>true</EnableAdvanceThrottling>
<TrafficManager>
<Type>Binary</Type>
<ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
<AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
<Username>admin</Username>
<Password>admin</Password>
</TrafficManager>
I am using WSO2 API Manager 2.6.0 and configured Pre packaged Identity Server 5.7.0 as Key Manager. When I create an Application in API Store and generate keys I can see that Service Providers are getting created in Identity Server. Also I am able to obtain token using the generated consumer id and secret.
However when I pass that token to my APIs I am getting unclassified authentication error. Below is the exception that I can see in the logs,
ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAllURITemplates(WSAPIKeyDataStore.java:77)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getAllURITemplates(APIKeyValidator.java:791)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetAPIInfo(APIKeyValidator.java:639)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:573)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:357)
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:127)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:210)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:158)
at org.apache.synapse.rest.API.process(API.java:325)
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:383)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAllURITemplates(APIKeyValidatorClient.java:189)
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAllURITemplates(WSAPIKeyDataStore.java:75)
... 21 more
Caused by: java.lang.NullPointerException
at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAllURITemplates(APIKeyValidatorClient.java:183)
... 22 more
Any help would be much appreciated.
Please cross check with this issue [1]
[1] https://github.com/wso2/product-apim/issues/3768
We are using WSO2 EI 6.1.1 and WSO2 Identity server of version 5.5.0. We have a requirement of using Oauth Mediator to validate the access token. I have a service provider registered with the identity server and generated the oauth2.0 bearer access token using curl command. I tried the Oauth2webservice to validate the authorization which was succeed and request going to identity server. But if I use the Oauth Mediator of WSO2 Integrator getting the below error message and the request is not going to identity server which was confirmed from the logs of identity server.Please help on it.Is there any other jar files or configuration settings needed for the same.
<oauthService remoteServiceUrl="https://localhost:9444/services/" username="admin" password="admin"/>
ERROR - OAuthMediator Error occured while validating oauth access token.java.lang.Exception: Error while validating OAuth2 request. at org.wso2.carbon.identity.oauth.mediator.OAuth2TokenValidationServiceClient.validateAuthenticationRequest(OAuth2TokenValidationServiceClient.java:61).
Caused by: org.apache.axis2.AxisFault: SSL peer failed hostname validation for name: null.at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
I have the same issue and can't resolve, This bug has not been corrected yet
https://wso2.org/jira/browse/IDENTITY-5243
Having WSO2 API Manager 2.1.0 and WSO2 IS 5.3.0 KM (with prepackaged Key Manager) I set up the Key Manager as described in the documentation.
The main intention is authenticate and authorize users with other federated IdPs and add some authorization capabilities. My assumption is that users auhorized with WSO2IS will receive an OAuth token valid for the defined APP and API.
So far all on localhost with IS offset 1. I created an API, an application and that is usable from the API Store.
When trying to authorize a client through WSO2 IS using the code grant_type authorization:
https://localhost:9444/oauth2/authorize?response_type=code&client_id=KJTbkbFmcDvslo2fjhzfQkaBH3Ea&redirect_uri=http%3A//localhost%3A8080/test2/callback
I am asked for credentials and authorization grant (looks ok) and then I receive an exception on IS:
[2018-03-27 10:43:51,822] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [OAuth2Endpoints] in context with path [/oauth2] threw exception
java.lang.RuntimeException: org.apache.cxf.interceptor.Fault
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
...
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:251)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.sendRequestToFramework(OAuth2AuthzEndpoint.java:1163)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:135)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorizePost(OAuth2AuthzEndpoint.java:574)
What I assume I misconfigured some endpoint, however - any idea which service is invoked by the OAuth2AuthzEndpoint implementation or potential cause for this exception?
This is already reported in https://wso2.org/jira/browse/IDENTITY-5581.
You can WUM update the WSO2 IS 5.3.0 to resolve the issue.
I have WSO2 API Manager 1.10.0 configured for IdP initiated SSO with PingFederate. When I try to access publisher URL, it logs in fine and I got the right SAML response.
But the UI threw the error:
Error 500 : The page cannot be displayed.
The server encountered an internal error or misconfiguration and was unable to complete your request.
The server side has:
Caused by: javax.script.ScriptException: **Invalid argument. Relay state value is missing.**
at org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject.jsFunction_getRelayStateProperty(SAMLSSORelyingPartyObject.java:868)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
... 50 more
Does WSO2 API Manager 1.10.0 support IdP initiated SSO only at all?
***UPDATE: Per reply below, the best option is to upgrade to >2.1.0.
APIM 1.10.0 does not have the support for IDP intitiated SSO. However, it is supported in APIM 2.1.0. Refer this.