Error invoking IssueToken operation on WSO2 Identity Server Security Token Service

StackOverflow https://stackoverflow.com/questions/22176261

Question

I'm getting a cryptic error message - Wrong element order encountred at Reason

Here's a summary of what I am doing:

  1. I’ve applied the UsernameToken security policy to the Security Token Service.

  2. I've added my app (http://localhost:3000/) as a trusted service.

  3. I attempt to invoke the IssueToken operation at

    https://localhost:9443/services/wso2carbon-sts.wso2carbon-stsHttpsSoap12Endpoint/

Using this message:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:To s:mustUnderstand="1">https://localhost:9443/services/wso2carbon-sts.wso2carbon-stsHttpsSoap12Endpoint/</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:UsernameToken u:Id="uuid-6a13a244-dac6-42c1-84c5-cbb345b0c4c4-1">
        <o:Username>user1</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>http://localhost:3000/</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
      <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>

I get this error:

<html><head><title>Apache Tomcat/7.0.34 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Wrong element order encountred at Reason</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Wrong element order encountred at Reason</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.apache.axiom.om.impl.exception.OMBuilderException: Wrong element order encountred at Reason
                org.apache.axiom.soap.impl.builder.SOAP12BuilderHelper.handleEvent(SOAP12BuilderHelper.java:94)
                org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.constructNode(StAXSOAPModelBuilder.java:429)
                org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.createOMElement(StAXSOAPModelBuilder.java:273)
                org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.createNextOMElement(StAXSOAPModelBuilder.java:234)
                org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:249)
                org.apache.axiom.om.impl.dom.NodeImpl.build(NodeImpl.java:447)
                org.apache.axiom.om.impl.dom.ParentNode.getChildNodes(ParentNode.java:168)
                org.apache.ws.security.util.WSSecurityUtil.findChildElement(WSSecurityUtil.java:596)
                org.apache.ws.security.util.WSSecurityUtil.findWsseSecurityHeaderBlock(WSSecurityUtil.java:717)
                org.apache.ws.security.message.WSSecHeader.insertSecurityHeader(WSSecHeader.java:145)
                org.apache.rampart.RampartMessageData.&lt;init&gt;(RampartMessageData.java:406)
                org.apache.rampart.MessageBuilder.build(MessageBuilder.java:61)
                org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
                org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
                org.apache.axis2.engine.Phase.invoke(Phase.java:313)
                org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
                org.apache.axis2.engine.AxisEngine.sendFault(AxisEngine.java:515)
                org.apache.axis2.transport.http.AxisServlet.handleFault(AxisServlet.java:433)
                org.apache.axis2.transport.http.AxisServlet.processAxisFault(AxisServlet.java:398)
                org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:188)
                org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
                org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
                org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
                org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
                org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
                org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.34 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.34</h3></body></html>

Any ideas on what I am doing wrong?

Was it helpful?

Solution

I am not sure about the exact error that you mentioned. But, if i just look, i could see that timestamp has been missed in the security header. However i would copy the request message that i tried out...I use this message with SOAPUI to get the SAML Assertion from the STS service.. I guess this may help you.. If you are using this message, Please consider about timestamp value.. you can change it as it is not signed.

<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"> <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true"> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"> <wsu:Created>2014-03-04T17:53:57.033Z</wsu:Created> <wsu:Expires>2014-03-04T17:58:57.033Z</wsu:Expires> </wsu:Timestamp> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2"> <wsse:Username>admin</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password> </wsse:UsernameToken> </wsse:Security> <wsa:To>https://localhost:9443/services/wso2carbon-sts</wsa:To> <wsa:ReplyTo> <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address> </wsa:ReplyTo> <wsa:MessageID>urn:uuid:258de3bc-c053-4b41-93d5-5d292a896b3a</wsa:MessageID> <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action> </soapenv:Header> <soapenv:Body> <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> <wst:Lifetime> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-03-04T17:53:56.768Z</wsu:Created> <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-03-04T17:58:56.768Z</wsu:Expires> </wst:Lifetime> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer</wst:KeyType> <wst:Claims xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/02/trust" wsp:Dialect="http://wso2.org/claims"> <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress"></wsid:ClaimType> <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname"></wsid:ClaimType> </wst:Claims> </wst:RequestSecurityToken> </soapenv:Body> </soapenv:Envelope>

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top