cxf-issues mailing list archives

From "Brijpal (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-2403) Use of client certificates via http conduit configuration broken
Date Fri, 24 Feb 2012 09:51:48 GMT

    [ https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215533#comment-13215533
] 

Brijpal commented on CXF-2403:
------------------------------

This is in reference to the sample demo soap_https.zip.

Thank you very much for such a wonderful explanation. It's a really good demo; I tried it, and it's
working when I use both the server and client parts of it. I am impressed and decided to use
its client part to access a web service running on my local machine. The web service is provided
by some third party to generate a random string. I can put my public certificate in its trust
store and I know its public certificates too. I followed these steps:

1. I put server's certificate in client-truststore

2. I extracted the client certificate from "client-keystore" and put it in the server's trust store

3. Put my WSDL ("GenerateRandom.wsdl") parallel to "HelloWorld.wsdl"

4. Wrote RandomClient.java in parallel to Client.java (which uses cxfContext.xml placed parallel
to hello_world_client.xml)

5. Modified build.xml to generate code and run the client.

When I tried to run it using ant, I got the following exception.


     [java] org.apache.cxf.interceptor.Fault: Could not send Message.
     [java]  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
     [java]  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:487)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
     [java]  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
     [java]  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
     [java]  at $Proxy38.oprRandomRequest(Unknown Source)
     [java]  at demo.soaphttps.client.RandomClient.main(UTNClient.java:37)
     [java] Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException
invoking https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc: RequireClientCertificate
is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     [java]  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     [java]  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
     [java]  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
     [java]  at java.lang.reflect.Constructor.newInstance(Unknown Source)
     [java]  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:2058)
     [java]  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2043)
     [java]  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
     [java]  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:639)
     [java]  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)

I tried to Google it but could not find any help. Please help me get rid of this. I am
using Apache CXF 2.2.9.


The service WSDL is:


<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ServiceInstance"
 targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing"
 xmlns:tns="http://tempuri.org/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
 xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
 xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
 <wsdl:documentation>
  <CreationInfo Created="2012-01-24 12:35:14Z" />
 </wsdl:documentation>
 <wsp:Policy wsu:Id="WSHttpBinding_ITwoWayAsync_policy">
  <wsp:ExactlyOne>
   <wsp:All>
    <sp:TransportBinding
     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:TransportToken>
       <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="true" />
       </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
       <wsp:Policy>
        <sp:Basic256 />
       </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
       <wsp:Policy>
        <sp:Strict />
       </wsp:Policy>
      </sp:Layout>
     </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing />
   </wsp:All>
  </wsp:ExactlyOne>
 </wsp:Policy>
 <wsdl:types>
  <xsd:schema targetNamespace="http://tempuri.org/Imports">
   <xsd:import schemaLocation="XYZ.Common.Interfaces.CreateRandom+RandomRequest.xsd"
    namespace="http://XYZ.Common.Interfaces.CreateRandom" />
  </xsd:schema>
 </wsdl:types>
 <wsdl:message
  name="WcfService_XYZ_Common_Orchestrations_OprRandomRequest_InputMessage">
  <wsdl:part name="part" element="q1:RandomRequest"
   xmlns:q1="http://XYZ.Common.Interfaces.CreateRandom" />
 </wsdl:message>
 <wsdl:message
  name="WcfService_XYZ_Common_Orchestrations_OprRandomRequest_OutputMessage">
  <wsdl:part name="part" element="q2:RandomResponse"
   xmlns:q2="http://XYZ.Common.Interfaces.CreateRandom" />
 </wsdl:message>
 <wsdl:portType name="WcfService_XYZ_Common_Orchestrations">
  <wsdl:documentation>service "*" port "*"</wsdl:documentation>
  <wsdl:operation name="OprRandomRequest">
   <wsdl:documentation>operation "OprRandomRequest"
   </wsdl:documentation>
   <wsdl:input
    message="tns:WcfService_XYZ_Common_Orchestrations_OprRandomRequest_InputMessage" />
   <wsdl:output
    message="tns:WcfService_XYZ_Common_Orchestrations_OprRandomRequest_OutputMessage" />
  </wsdl:operation>
 </wsdl:portType>
 <wsdl:binding name="WSHttpBinding_ITwoWayAsync"
  type="tns:WcfService_XYZ_Common_Orchestrations">
  <wsp:PolicyReference URI="#WSHttpBinding_ITwoWayAsync_policy" />
  <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
  <wsdl:operation name="OprRandomRequest">
   <wsdl:documentation>operation "OprRandomRequest"
   </wsdl:documentation>
   <soap12:operation soapAction="OprRandomRequest" style="document" />
   <wsdl:input>
    <soap12:body use="literal"
     encodingStyle="http://www.w3.org/2003/05/soap-encoding" />
   </wsdl:input>
   <wsdl:output>
    <soap12:body use="literal"
     encodingStyle="http://www.w3.org/2003/05/soap-encoding" />
   </wsdl:output>
  </wsdl:operation>
 </wsdl:binding>
 <wsdl:service name="ServiceInstance">
  <wsdl:port name="WSHttpBinding_ITwoWayAsync" binding="tns:WSHttpBinding_ITwoWayAsync">
   <soap12:address
    location="https://localhost.com:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc"
/>
   <wsa10:EndpointReference>
    <wsa10:Address>
     https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc
    </wsa10:Address>
   </wsa10:EndpointReference>
  </wsdl:port>
 </wsdl:service>
</wsdl:definitions>


The Spring configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:sec="http://cxf.apache.org/configuration/security"
 xmlns:http="http://cxf.apache.org/transports/http/configuration" 
 xmlns:jaxws="http://cxf.apache.org/jaxws"
 xsi:schemaLocation="
   http://cxf.apache.org/configuration/security
   http://cxf.apache.org/schemas/configuration/security.xsd
   http://cxf.apache.org/transports/http/configuration
   http://cxf.apache.org/schemas/configuration/http-conf.xsd
   http://www.springframework.org/schema/beans 
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws 
   http://cxf.apache.org/schemas/jaxws.xsd">
  
 <http:conduit name="*.http-conduit">
  <http:tlsClientParameters disableCNCheck="true">
   <sec:keyManagers keyPassword="password">
    <sec:keyStore type="JKS" password="password"
     file="certs/client-keystore"/>
   </sec:keyManagers>
   <sec:trustManagers>
    <sec:keyStore type="JKS" password="password"
     file="certs/client-truststore"/>
   </sec:trustManagers>
   <sec:cipherSuitesFilter>
    <sec:include>.*</sec:include>
    <sec:exclude>.*_DH_anon_.*</sec:exclude>
   </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
 </http:conduit>
</beans>
    
                
> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
>                 Key: CXF-2403
>                 URL: https://issues.apache.org/jira/browse/CXF-2403
>             Project: CXF
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Wolfgang Nagele
>         Attachments: client-keystore, client-truststore, client.crt, client.key, client.p12,
server-keystore, server-truststore, server.crt, server.key, server.p12, soap_https.zip
>
>
> To use standard SSL client certificates for authentication the following configuration
should work:
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password" file="keystore" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password" file="truststore" />
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we want to connect
to in the truststore and the private key and certificate in the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
[na:1.6.0_13]
> 	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
> 	... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same data twice.
Also we miss out on CXF's option of defining specific keystores and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
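The exception quoted in the comment above ("RequireClientCertificate is set, but no local certificates were negotiated") is raised by CXF's HttpsToken policy check after the TLS handshake has already completed: the WSDL's `<sp:HttpsToken RequireClientCertificate="true" />` assertion makes the client verify that it actually presented a certificate, and that only happens if the server sent a TLS CertificateRequest and the client keystore held a key matching the issuers the server listed. The following stand-alone diagnostic is an added example, not code from the JIRA thread, the soap_https demo or CXF itself. It loads the same `certs/client-keystore` and `certs/client-truststore` (password `password`) as the conduit configuration above, wraps the JSSE key manager so it can see whether the server asked for a client certificate and which alias was chosen, then reports the same "local certificates" condition CXF tests. Host and port default to `localhost:9091` from the endpoint address; the class name, the wrapper and the RESULT strings are assumptions of this example.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Added diagnostic (hypothetical name): tells apart "server never asked" from "client had nothing to offer". */
public class ClientCertHandshakeCheck {

    /** Wraps the real X509KeyManager; JSSE calls chooseClientAlias only after a TLS CertificateRequest. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        volatile boolean serverRequestedClientCert = false;
        volatile String chosenAlias = null;

        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        @Override
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            serverRequestedClientCert = true;
            System.out.println("Server requested a client certificate; key types: " + Arrays.toString(keyType));
            if (issuers != null) {
                for (Principal p : issuers) System.out.println("  acceptable issuer: " + p.getName());
            }
            // null here means no key in the keystore matched the server's key types / issuer list
            chosenAlias = delegate.chooseClientAlias(keyType, issuers, socket);
            System.out.println("  alias chosen from client-keystore: " + chosenAlias);
            return chosenAlias;
        }
        // The remaining methods delegate unchanged.
        @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";          // from the WSDL endpoint address
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9091;
        char[] pw = "password".toCharArray();                             // same password as the conduit config

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks("certs/client-keystore", pw), pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks("certs/client-truststore", pw));

        LoggingKeyManager km = new LoggingKeyManager((X509KeyManager) kmf.getKeyManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);

        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            s.startHandshake();
            SSLSession session = s.getSession();
            // getLocalCertificates() is the client-side view of "were local certificates negotiated".
            Certificate[] local = session.getLocalCertificates();
            System.out.println("Negotiated: " + session.getProtocol() + " " + session.getCipherSuite());
            System.out.println("Server identity: " + session.getPeerPrincipal().getName());
            if (!km.serverRequestedClientCert) {
                System.out.println("RESULT: server never sent a CertificateRequest; enable client-certificate authentication on the server");
            } else if (km.chosenAlias == null) {
                System.out.println("RESULT: server asked, but nothing in certs/client-keystore matched its issuer list or key types");
            } else if (local == null) {
                System.out.println("RESULT: alias chosen but the session carries no local certificates");
            } else {
                System.out.println("RESULT: client certificate sent: " + ((X509Certificate) local[0]).getSubjectX500Principal().getName());
            }
        } catch (SSLHandshakeException e) {
            // Typically the server rejected our certificate (not in server-truststore) or we rejected its chain.
            System.out.println("RESULT: handshake failed: " + e.getMessage());
        } finally {
            s.close();
        }
    }
}
```

Run it from the demo directory so the relative `certs/` paths resolve, e.g. `java ClientCertHandshakeCheck localhost 9091`. If the output says the server never sent a CertificateRequest, the conduit configuration is not the problem and the fix belongs on the service side (the WCF binding must actually demand a client certificate, which the `RequireClientCertificate="true"` assertion in its WSDL promises but does not enforce by itself). Note also that the conduit above sets `disableCNCheck="true"`, which switches off hostname verification of the server certificate; that is acceptable while testing against a local endpoint whose certificate does not name the host, but a production client should leave the check enabled and issue a server certificate that matches.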

        

Mime
View raw message