Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Date: Fri, 24 Feb 2012 09:51:48 +0000 (UTC)
From: "Brijpal (Commented) (JIRA)" <jira@apache.org>
To: issues@cxf.apache.org
Message-ID: 
 <292566193.14784.1330077108974.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (CXF-2403) Use of client certificates via http
 conduit configuration broken
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215533#comment-13215533 ] 

Brijpal commented on CXF-2403:
------------------------------

This is in reference to sample demo soap_https.zip

Thank you very much for such wonderful explanation. It's really good demo and tried it, it's working when if I use both server and client part of it. I am impressed and decided to use it's client part to access web service running on my local machine. The web service is provided by some third party to generate random string. I can put my public certificate in it's trust store and I know it's public certificates too. I followed these steps

1. I put server's certificate in client-truststore

2. I extracted client certificate from "client-keystore" and put it in server's trust store

3. Put my WSDL ("GenerateRandom.wsdl") parallel to "HelloWorld.wsdl"

4. Wrote RandomClient.java in parallel to Client.java (which uses cxfContext.xml placed parallel to hello_world_client.xml)

5. Modified build.xml to generate code and run the client.

When I tried to run using ant I am getting following exception.


     [java] org.apache.cxf.interceptor.Fault: Could not send Message.
     [java]  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
     [java]  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:487)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
     [java]  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
     [java]  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
     [java]  at $Proxy38.oprRandomRequest(Unknown Source)
     [java]  at demo.soaphttps.client.RandomClient.main(UTNClient.java:37)
     [java] Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     [java]  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     [java]  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
     [java]  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
     [java]  at java.lang.reflect.Constructor.newInstance(Unknown Source)
     [java]  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:2058)
     [java]  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2043)
     [java]  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
     [java]  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:639)
     [java]  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)

I tried to google but cound not find any help. Please help me how to get rid of this. I am using apache cxf 2.2.9


Service WSDL is


<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ServiceInstance"
 targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing"
 xmlns:tns="http://tempuri.org/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
 xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
 xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
 <wsdl:documentation>
  <CreationInfo Created="2012-01-24 12:35:14Z" />
 </wsdl:documentation>
 <wsp:Policy wsu:Id="WSHttpBinding_ITwoWayAsync_policy">
  <wsp:ExactlyOne>
   <wsp:All>
    <sp:TransportBinding
     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:TransportToken>
       <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="true" />
       </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
       <wsp:Policy>
        <sp:Basic256 />
       </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
       <wsp:Policy>
        <sp:Strict />
       </wsp:Policy>
      </sp:Layout>
     </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing />
   </wsp:All>
  </wsp:ExactlyOne>
 </wsp:Policy>
 <wsdl:types>
  <xsd:schema targetNamespace="http://tempuri.org/Imports">
   <xsd:import schemaLocation="XYZ.Common.Interfaces.CreateRandom+RandomRequest.xsd"
    namespace="http://XYZ.Common.Interfaces.CreateRandom" />
  </xsd:schema>
 </wsdl:types>
 <wsdl:message
  name="WcfService_XYZ_Common_Orchestrations_OprRandomRequest_InputMessage">
  <wsdl:part name="part" element="q1:RandomRequest"
   xmlns:q1="http://XYZ.Common.Interfaces.CreateRandom" />
 </wsdl:message>
 <wsdl:message
  name="WcfService_XYZ_Common_Orchestrations_OprRandomRequest_OutputMessage">
  <wsdl:part name="part" element="q2:RandomResponse"
   xmlns:q2="http://XYZ.Common.Interfaces.CreateRandom" />
 </wsdl:message>
 <wsdl:portType name="WcfService_XYZ_Common_Orchestrations">
  <wsdl:documentation>service "*" port "*"</wsdl:documentation>
  <wsdl:operation name="OprRandomRequest">
   <wsdl:documentation>operation "OprRandomRequest"
   </wsdl:documentation>
   <wsdl:input
    message="tns:WcfService_XYZ_Common_Orchestrations_OprRandomRequest_InputMessage" />
   <wsdl:output
    message="tns:WcfService_XYZ_Common_Orchestrations_OprRandomRequest_OutputMessage" />
  </wsdl:operation>
 </wsdl:portType>
 <wsdl:binding name="WSHttpBinding_ITwoWayAsync"
  type="tns:WcfService_XYZ_Common_Orchestrations">
  <wsp:PolicyReference URI="#WSHttpBinding_ITwoWayAsync_policy" />
  <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
  <wsdl:operation name="OprRandomRequest">
   <wsdl:documentation>operation "OprRandomRequest"
   </wsdl:documentation>
   <soap12:operation soapAction="OprRandomRequest" style="document" />
   <wsdl:input>
    <soap12:body use="literal"
     encodingStyle="http://www.w3.org/2003/05/soap-encoding" />
   </wsdl:input>
   <wsdl:output>
    <soap12:body use="literal"
     encodingStyle="http://www.w3.org/2003/05/soap-encoding" />
   </wsdl:output>
  </wsdl:operation>
 </wsdl:binding>
 <wsdl:service name="ServiceInstance">
  <wsdl:port name="WSHttpBinding_ITwoWayAsync" binding="tns:WSHttpBinding_ITwoWayAsync">
   <soap12:address
    location="https://localhost.com:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc" />
   <wsa10:EndpointReference>
    <wsa10:Address>
     https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc
    </wsa10:Address>
   </wsa10:EndpointReference>
  </wsdl:port>
 </wsdl:service>
</wsdl:definitions>


Spring configuration is

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:sec="http://cxf.apache.org/configuration/security"
 xmlns:http="http://cxf.apache.org/transports/http/configuration" 
 xmlns:jaxws="http://cxf.apache.org/jaxws"
 xsi:schemaLocation="
   http://cxf.apache.org/configuration/security
   http://cxf.apache.org/schemas/configuration/security.xsd
   http://cxf.apache.org/transports/http/configuration
   http://cxf.apache.org/schemas/configuration/http-conf.xsd
   http://www.springframework.org/schema/beans 
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws 
   http://cxf.apache.org/schemas/jaxws.xsd">
  
 <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
       <sec:keyManagers keyPassword="password">
            <sec:keyStore type="JKS" password="password"
                 file="certs/client-keystore"/>
       </sec:keyManagers>
       <sec:trustManagers>
           <sec:keyStore type="JKS" password="password"
                file="certs/client-truststore"/>
       </sec:trustManagers>
       <sec:cipherSuitesFilter>
         <sec:include>.*</sec:include>
         <sec:exclude>.*_DH_anon_.*</sec:exclude>
       </sec:cipherSuitesFilter>
   </http:tlsClientParameters>
   </http:conduit> 
</beans>
    
                
> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
>                 Key: CXF-2403
>                 URL: https://issues.apache.org/jira/browse/CXF-2403
>             Project: CXF
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Wolfgang Nagele
>         Attachments: client-keystore, client-truststore, client.crt, client.key, client.p12, server-keystore, server-truststore, server.crt, server.key, server.p12, soap_https.zip
>
>
> To use standard SSL client certificates for authentication the following configuration should work:
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password" file="keystore" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password" file="truststore" />
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we want to connect to in the truststore and the private key and certificate in the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) [na:1.6.0_13]
> 	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
> 	... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same data twice. Also we miss out on CXF's option of defining specific keystores and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira