cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: WS SecurityPolicy
Date Tue, 25 Aug 2009 20:16:02 GMT

No idea on that one. Sounds like with Java 6, it's delaying opening the
connection (and thus establishing the trust) a bit longer than with Java 5.
Is there any way you could write a quick "hello world" type test case? That
would be a big help to me.

Dan


On Sat August 22 2009 5:42:44 pm Stephen Langella wrote:
> Dan,
>
>     In performing this I was using Java 5, then I had to context switch to
> something else that required Java 6.  In context switching back to this
> issue, I tried running the same scenario as I described below with Java 6
> and now I run into a different issue.   When the client tries to connect I
> get the following error:
>
> java.lang.IllegalStateException: connection not yet open
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
>     at $Proxy37.sayHello(Unknown Source)
>     at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
> Invocation failed with the following: java.lang.IllegalStateException: connection not yet open
>
>
> I should mention that I only get this error if
> RequireClientCertificate="true", if RequireClientCertificate="false"
> everything works fine.   I still plan on debugging in Java 5 as you
> suggested but I thought I would mention this because I find it concerning
> that I see different behaviors between Java 5 and Java 6.   I also was
> hoping that the error I provide above might be familiar to you or ring a
> bell.  BTW, I did switch back to Java 5 and encountered the original
> problem I posted.  Please let me know if you have other suggestions given
> this additional information.  I appreciate your help, thanks in advance.
>
> --Steve
>
> Stephen Langella
> Co-Director
> Software Research Institute
> Center for IT Innovations in Healthcare
> Ohio State University
>
> Senior Researcher
> Department of Biomedical Informatics
> Ohio State University
>
> Office: (614) 293-9534
> Lab: (614) 292-8420
> Stephen.Langella@osumc.edu
>
> > From: Daniel Kulp <dkulp@apache.org>
> > Reply-To: <users@cxf.apache.org>
> > Date: Wed, 19 Aug 2009 16:09:20 -0400
> > To: <users@cxf.apache.org>
> > Cc: Stephen Langella <Stephen.Langella@inventrio.com>
> > Subject: Re: WS SecurityPolicy
> >
> >
> >
> > Hmm...   it definitely should be asserted.   Is there any way you can run
> > this in a debugger?   If you could put a break point on line 174 of
> > HttpsTokenInterceptorProvider, that would be a big help.   At that point,
> > I'd like to see the contents of TLSSessionInfo and make sure the certs
> > are correct in there.    The other place to breakpoint is line 550 of
> > SSLUtils where the SSL certs and stuff are pulled from the request.   If
> > you can check that the correct information is pulled from there, that
> > would also be a big help.
> >
> > Dan
> >
> > On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
> >> I am trying to configure my service to use WS SecurityPolicy for
> >> specifying a transport binding policy for HTTPS.    I have added a
> >> TransportBinding policy to my WSDL and created a transport binding
> >> policy and bound it to an endpoint policy subject.  At first I
> >> configured the server (through the WS-SecurityPolicy in the WSDL) to
> >> not require the client to provide a certificate.   This worked fine.
> >> Second, I changed the server to require a client certificate
> >> (<sp:HttpsToken RequireClientCertificate="true"/>).   In testing this
> >> I tried my client without providing a certificate and it still
> >> worked.  This seems to suggest that either the WS-SecurityPolicy is
> >> not being applied or that CXF is not enforcing that a client
> >> certificate be provided.  Any ideas what I might be doing wrong?
> >> Below I have provided my WSDL for reference, thanks in advance.
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <wsdl:definitions name="HelloWorld"
> >>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >>      xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> >>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> >>      xmlns:tns="http://www.cagrid.org/HelloWorld"
> >>      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >>      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >>      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>      targetNamespace="http://www.cagrid.org/HelloWorld">
> >>     <wsdl:types>
> >>         <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
> >>             <xsd:element name="SayHelloRequest" type="xsd:string" />
> >>             <xsd:element name="SayHelloResponse" type="xsd:string" />
> >>         </xsd:schema>
> >>     </wsdl:types>
> >>     <wsdl:message name="SayHelloRequest">
> >>         <wsdl:part element="tns:SayHelloRequest" name="parameters" />
> >>     </wsdl:message>
> >>     <wsdl:message name="SayHelloResponse">
> >>         <wsdl:part element="tns:SayHelloResponse" name="parameters" />
> >>     </wsdl:message>
> >>     <wsdl:portType name="HelloWorld">
> >>         <wsdl:operation name="SayHello">
> >>             <wsdl:input message="tns:SayHelloRequest" name="sayHelloRequest" />
> >>             <wsdl:output message="tns:SayHelloResponse" name="sayHelloResponse" />
> >>         </wsdl:operation>
> >>     </wsdl:portType>
> >>     <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
> >>         <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
> >>         <soap:binding style="document"
> >>             transport="http://schemas.xmlsoap.org/soap/http" />
> >>         <wsdl:operation name="SayHello">
> >>             <soap:operation soapAction="" style="document" />
> >>             <wsdl:input name="sayHelloRequest">
> >>                 <soap:body use="literal" />
> >>             </wsdl:input>
> >>             <wsdl:output name="sayHelloResponse">
> >>                 <soap:body use="literal" />
> >>             </wsdl:output>
> >>         </wsdl:operation>
> >>     </wsdl:binding>
> >>     <wsdl:service name="HelloWorldService">
> >>         <wsdl:port name="HelloWorldPort" binding="tns:HelloWorldBinding">
> >>             <soap:address location="https://llanowar:9001/HelloWorldService" />
> >>         </wsdl:port>
> >>     </wsdl:service>
> >>
> >>      <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
> >>         <wsp:ExactlyOne>
> >>             <wsp:All>
> >>                 <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>                     <wsp:Policy>
> >>                         <sp:TransportToken>
> >>                             <wsp:Policy>
> >>                                 <sp:HttpsToken RequireClientCertificate="true" />
> >>                             </wsp:Policy>
> >>                         </sp:TransportToken>
> >>                         <sp:AlgorithmSuite>
> >>                             <wsp:Policy>
> >>                                 <sp:Basic256 />
> >>                             </wsp:Policy>
> >>                         </sp:AlgorithmSuite>
> >>                         <sp:Layout>
> >>                             <wsp:Policy>
> >>                                 <sp:Lax />
> >>                             </wsp:Policy>
> >>                         </sp:Layout>
> >>                         <sp:IncludeTimestamp />
> >>                     </wsp:Policy>
> >>                 </sp:TransportBinding>
> >>                 <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>                     <wsp:Policy>
> >>                         <sp:MustSupportRefKeyIdentifier />
> >>                         <sp:MustSupportRefIssuerSerial />
> >>                     </wsp:Policy>
> >>                 </sp:Wss10>
> >>             </wsp:All>
> >>         </wsp:ExactlyOne>
> >>     </wsp:Policy>
> >> </wsdl:definitions>
> >>
> >>
> >> --Steve
> >>
> >> Stephen Langella
> >> Co-Founder
> >> Inventrio, LLC
> >> www.inventrio.com
> >>
> >> Stephen.Langella@inventrio.com

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
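
An added example, not part of the thread and not CXF code: a static check of the WSDL quoted above that confirms the binding's `wsp:PolicyReference` resolves to a `wsp:Policy` by `wsu:Id` and that its `sp:HttpsToken` declares `RequireClientCertificate="true"`. The function names and the trimmed sample WSDL are constructed for illustration; the check reads only the declared policy, not what the TLS endpoint enforces at run time.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"

# Constructed sample: the thread's WSDL cut down to the policy-relevant parts.
SAMPLE_WSDL = """<wsdl:definitions
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsdl:binding name="HelloWorldBinding"><wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/></wsdl:binding>
 <wsdl:service name="HelloWorldService"><wsdl:port name="HelloWorldPort">
  <soap:address location="https://llanowar:9001/HelloWorldService"/>
 </wsdl:port></wsdl:service>
 <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy"><sp:TransportBinding>
  <wsp:Policy><sp:TransportToken><wsp:Policy>
   <sp:HttpsToken RequireClientCertificate="true"/>
  </wsp:Policy></sp:TransportToken></wsp:Policy>
 </sp:TransportBinding></wsp:Policy>
</wsdl:definitions>"""

def audit_https_token(wsdl_text):
    """Per binding: does the PolicyReference resolve, and is a client cert required?"""
    root = ET.fromstring(wsdl_text)
    # Index every wsp:Policy by its wsu:Id so "#id" references can be resolved.
    by_id = {p.get(WSU_ID): p for p in root.iter("{%s}Policy" % NS["wsp"])}
    findings = []
    for binding in root.findall("wsdl:binding", NS):
        for ref in binding.findall("wsp:PolicyReference", NS):
            policy = by_id.get(ref.get("URI", "").lstrip("#"))
            token = policy.find(".//sp:HttpsToken", NS) if policy is not None else None
            flag = token.get("RequireClientCertificate", "false") if token is not None else ""
            findings.append({"binding": binding.get("name"),
                             "policy_resolved": policy is not None,
                             "require_client_cert": flag.strip().lower() == "true"})
    return findings

def non_https_ports(wsdl_text):
    """Return soap:address locations that do not use https://."""
    root = ET.fromstring(wsdl_text)
    locations = [a.get("location", "").strip() for a in root.iterfind(".//soap:address", NS)]
    return [loc for loc in locations if not loc.lower().startswith("https://")]
```
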
