cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jakub Neubauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5525) Client - UntrustedURLConnectionIOException even the HTTPS established with client certificate auth
Date Thu, 08 Oct 2015 13:57:27 GMT

    [ https://issues.apache.org/jira/browse/CXF-5525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948686#comment-14948686
] 

Jakub Neubauer commented on CXF-5525:
-------------------------------------

Ok, maybe dirty, but it works. But that you probably expect from "workaround", yeah? Can somebody
try to analyze if it causes some security flaw? I personally don't see a problem in it.

{code:title=WorkaroundCxfBug5525.java|borderStyle=solid}
public class WorkaroundCxfBug5525 {
	
		private static class CxfBug5525WorkaroundInterceptor extends AbstractPhaseInterceptor<Message>
{
	
			public CxfBug5525WorkaroundInterceptor() {
				super(Phase.PREPARE_SEND);
			}
			@Override
			public void handleMessage(Message message) throws Fault {
				AssertionInfoMap aim = message.get(AssertionInfoMap.class);
				if (aim == null) { return; }
				Collection<AssertionInfo> ais = aim.get(SP12Constants.HTTPS_TOKEN);
				if (ais == null) { return; }
				for (AssertionInfo ai : ais) {
					if(!(ai.getAssertion() instanceof HttpsToken)) { continue; }
					HttpsToken token = (HttpsToken)ai.getAssertion();
					token.setRequireClientCertificate(false);
				}
			}
		}
	
		/**
		 * See https://issues.apache.org/jira/browse/CXF-5525
		 *
		 * @param client
		 */
		public static void setupWorkaround(Client client) {
			client.getOutInterceptors().add(new CxfBug5525WorkaroundInterceptor());
		}
	}
{code}

You can use it like this:
{code}
Client client = ClientProxy.getClient(yourProxyPort);
WorkaroundCxfBug5525.setupWorkaround(client);
{code}

> Client - UntrustedURLConnectionIOException even the HTTPS established with client certificate
auth
> --------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5525
>                 URL: https://issues.apache.org/jira/browse/CXF-5525
>             Project: CXF
>          Issue Type: Bug
>         Environment: java 1.6.0_45 and 1.7.0_45 on Windows 8, CXF version 2.7.6
>            Reporter: Jakub Neubauer
>
> Hi,
> I'm facing issue with CXF client. I have a Java client generated from WSDL. The WSDL
contains RequireClientCertificate="true" in the Policy. I'm calling a web service over HTTPS
with client certificate authentication. Although HTTPS connection is established and with
client certificate authentication (ensured with -Djavax.net.debug=all), calling a WS method
throws exception.
> The strange thing is, that the first call succeeded and the second and all other calls,
fail with this exception (!). The other calls can be done with the same client object or can
create new, no matter. The client object is created as follows:
> {code}
> // our custom ssl settings, with client cert auth in this case.
> SSLSocketFactory sslSockF =
> createSSLSocketFactoryFromProperties(_properties);
> ProductionService service = new ProductionService(
>          new URL(myURL),
>          new QName("http://mycompany.com/api/productionService",
> "ProductionService"));
> port = service.getBasicHttpBindingIProductionService();
> Client client = ClientProxy.getClient(port);
> HTTPConduit http = (HTTPConduit) client.getConduit();
> TLSClientParameters tlsParams = new TLSClientParameters();
> tlsParams.setDisableCNCheck(true);
> tlsParams.setSSLSocketFactory(sslSockF);
> http.setTlsClientParameters(tlsParams);
> return port;
> {code}
> The exception:
> {noformat}
> -----------------------------
> etc...
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException
invoking https://192.168.101.14/myApplication/services/ProductionService.svc: RequireClientCertificate
is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
>  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
>  at java.lang.reflect.Constructor.newInstance(Unknown Source)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
>  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
>  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>  at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>  ... 14 more
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate
is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>  at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:117)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1680)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1264)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
>  at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
>  at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>  at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
>  ... 24 more
> -----------------------------
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message