Mailing-List: contact users-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@cxf.apache.org
Received-SPF: neutral (nike.apache.org: local policy)
From: Daniel Kulp <dkulp@apache.org>
To: users@cxf.apache.org
Cc: David Sills <DSills@datasourceinc.com>
Subject: Re: HTTPS client configuration using JaxWsProxyFactoryBean
Date: Tue, 18 Oct 2011 13:34:50 -0400
Message-ID: <3166338.shfQ9qBCWE@dilbert.dankulp.com>
User-Agent: KMail/4.7.2 (Linux/3.0.1; KDE/4.7.2; x86_64; ; )
In-Reply-To: <A859ED91E5B64A49A34C4340328BB43D6B785E@dsource.local>
References: <A859ED91E5B64A49A34C4340328BB43D6B785E@dsource.local>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"


I think if you add a "factory.setEndpointName(....)" call to the appropriate 
qname used in the http:conduit, it should work.

Alternatively, if you setup the address on the factory prior to calling create 
(factory.setAddress(...)), you can configure the http conduit via something 
like:


 <http:conduit name="https://blah.com:9000/.*">

(note the .* at the end to match all tails)

Dan


On Tuesday, October 18, 2011 11:18:24 AM David Sills wrote:
> All:
> 
> 
> 
> Is it possible to configure the JaxWsProxyFactoryBean to use HTTPS? It
> looks as though it should be, but I can't quite figure out how to
> connect up the bits. I have added this to the Spring configuration file:
> 
> 
> 
>   <http:conduit
> name="{http://of306.ws.abis.datasourceinc.com/}Of306ServerPort.http-cond
> uit">
> 
>     <http:tlsClientParameters secureSocketProtocol="SSL">
> 
>       <sec:keyManagers>
> 
>         <sec:keyStore type="JKS" password="0ftobp8ssw0rd"
> file="C:/Java/jks/of306-truststore.jks"/>
> 
>       </sec:keyManagers>
> 
>       <sec:trustManagers>
> 
>         <sec:keyStore type="JKS" password="0ftobp8ssw0rd"
> file="C:/Java/jks/of306-truststore.jks"/>
> 
>       </sec:trustManagers>
> 
>          <sec:cipherSuitesFilter>
> 
>         <!-- these filters ensure that a ciphersuite with
> 
>              export-suitable or null encryption is used,
> 
>              but exclude anonymous Diffie-Hellman key change as
> 
>              this is vulnerable to man-in-the-middle attacks -->
> 
>         <sec:include>.*_EXPORT_.*</sec:include>
> 
>         <sec:include>.*_EXPORT1024_.*</sec:include>
> 
>         <sec:include>.*_WITH_DES_.*</sec:include>
> 
>         <sec:include>.*_WITH_NULL_.*</sec:include>
> 
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
> 
>       </sec:cipherSuitesFilter>
> 
>     </http:tlsClientParameters>
> 
>     <http:client AutoRedirect="true" Connection="Keep-Alive"/>
> 
>   </http:conduit>
> 
> 
> 
> The name is (appropriately, I think) the namespace + port name +
> ".http-conduit". (I have also tried using "<sec:certStore
> file="C:/Java/jks/of306-truststore.jks"/>" under <sec:trustManagers>)
> However, when I try this:
> 
> 
> 
>                      JaxWsProxyFactoryBean factory = new
> JaxWsProxyFactoryBean();
> 
>                      LoggingInInterceptor inInterceptor = new
> LoggingInInterceptor();
> 
>                      inInterceptor.setLimit(-1);
> 
>                      factory.getInInterceptors().add(inInterceptor);
> 
>                      LoggingOutInterceptor outInterceptor = new
> LoggingOutInterceptor();
> 
>                      outInterceptor.setLimit(-1);
> 
>                      factory.getOutInterceptors().add(outInterceptor);
> 
>                      factory.setServiceClass(Of306Service.class);
> 
> 
> factory.setAddress(applicationConfig.getMessage("of306.service.url"));
> 
> ******               ConduitSelector conduitSelector =
> factory.getConduitSelector();
> 
>                      Of306Service client = (Of306Service)
> factory.create();
> 
>                      PinValidationDataImpl data = new
> PinValidationDataImpl();
> 
>                      Of306 of306 = (Of306) command;
> 
>                      data.setPin(of306.getPin());
> 
>                      data.setSsn(of306.getSsn());
> 
> 
> data.setDateOfBirth(formatter.format(of306.getDateOfBirth().getDate()));
> 
>                      ValidationOutcome outcome =
> client.validatePin(data);
> 
> 
> 
> The ConduitSelector is null (which didn't surprise me too much, though
> it certainly looks in the HTTPS setup that it should "just work", as so
> much in Spring does). Do I need to set the ConduitSelector? Is it even
> possible to do so? Which type should be used?
> 
> 
> 
> This is what the logging looks like - it looks as though it's possible
> it is getting the idea, in fact (and yes, the appropriate exported
> self-signed certificate is imported into the trust-store, before anyone
> asks):
> 
> 
> 
> 2011-10-18 10:53:36,398 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleMessage on
> interceptor
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingI
> nterceptor@1a85a3b0
> 
> 2011-10-18 10:53:36,400 INFO
> [org.apache.cxf.interceptor.LoggingOutInterceptor] - Outbound Message
> 
> ---------------------------
> 
> ID: 1
> 
> Address: https://dsills-t1500:8300/dsi-services/secure/Of306Service
> 
> Encoding: UTF-8
> 
> Content-Type: text/xml
> 
> Headers: {Accept=[*/*], SOAPAction=[""]}
> 
> Messages: (message truncated to -1 bytes)
> 
> 
> 
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:v
> alidatePin
> xmlns:ns1="http://of306.ws.abis.datasourceinc.com/"><validationData><pin
> 
> >333333</pin><ssn>555827444</ssn><dateOfBirth>11/01/1953</dateOfBirth></
> 
> validationData></ns1:validatePin></soap:Body></soap:Envelope>
> 
> --------------------------------------
> 
> 2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] -
> Accept: */*
> 
> 2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] -
> SOAPAction: ""
> 
> 2011-10-18 10:53:36,404 DEBUG
> [org.apache.cxf.transport.http.TrustDecisionUtil] - No Trust Decider for
> Conduit
> '{http://of306.ws.abis.datasourceinc.com/}Of306ServicePort.http-conduit'
> . An afirmative Trust Decision is assumed.
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingI
> nterceptor@1a85a3b0
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.StaxOutEndingInterceptor@553d26fd
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEnding
> Interceptor@63d587bf
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.interceptor.WrappedOutInterceptor$WrappedOutEndingInterce
> ptor@c2ccccf
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.BareOutInterceptor@607e334
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.WrappedOutInterceptor@19451392
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor@2529c051
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.StaxOutInterceptor@6234a1ed
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.AttachmentOutInterceptor@4323c852
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.LoggingOutInterceptor@341b8757
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.interceptor.MessageSenderInterceptor@7b527b7a
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor@6f
> d56e03
> 
> 2011-10-18 10:53:36,430 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.binding.soap.interceptor.SoapHeaderOutFilterInterceptor@6
> d7300f9
> 
> 2011-10-18 10:53:36,431 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.jaxws.interceptors.WrapperClassOutInterceptor@30d497f9
> 
> 2011-10-18 10:53:36,431 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.jaxws.interceptors.SwAOutInterceptor@6428c5d6
> 
> 2011-10-18 10:53:36,431 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor
> org.apache.cxf.jaxws.interceptors.HolderOutInterceptor@5545757a
> 
> 2011-10-18 10:53:36,431 DEBUG
> [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
> interceptor org.apache.cxf.ws.policy.PolicyOutInterceptor@60abe06e
> 
> 2011-10-18 10:53:36,434 WARN
> [org.apache.cxf.phase.PhaseInterceptorChain] - Interceptor for
> {http://of306.ws.abis.datasourceinc.com/}Of306ServiceService#{http://of3
> 06.ws.abis.datasourceinc.com/}validatePin has thrown exception,
> unwinding now
> 
> org.apache.cxf.interceptor.Fault: Could not send Message.
> 
>             at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingI
> nterceptor.handleMessage(MessageSenderInterceptor.java:64)
> 
>             at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorC
> hain.java:263)
> 
>             at
> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> 
>             at
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> 
>             at
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> 
>             at
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> 
>             at
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> 
>             at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> 
>             at $Proxy84.validatePin(Unknown Source)
> 
>             at
> com.datasourceinc.of306.controller.Of306Controller.validatePin(Of306Cont
> roller.java:187)
> 
>             at
> com.datasourceinc.of306.controller.Of306Controller.onBindAndValidate(Of3
> 06Controller.java:147)
> 
>             at
> org.springframework.web.servlet.mvc.AbstractWizardFormController.onBindA
> ndValidate(AbstractWizardFormController.java:231)
> 
>             at
> org.springframework.web.servlet.mvc.BaseCommandController.bindAndValidat
> e(BaseCommandController.java:401)
> 
>             at
> org.springframework.web.servlet.mvc.AbstractFormController.handleRequest
> Internal(AbstractFormController.java:266)
> 
>             at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs
> tractController.java:153)
> 
>             at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl
> e(SimpleControllerHandlerAdapter.java:48)
> 
>             at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS
> ervlet.java:788)
> 
>             at
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe
> rvlet.java:717)
> 
>             at
> org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor
> kServlet.java:644)
> 
>             at
> org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet
> .java:560)
> 
>             at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> 
>             at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
> 
>             at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
> tionFilterChain.java:304)
> 
>             at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
> erChain.java:210)
> 
>             at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
> e.java:240)
> 
>             at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
> e.java:164)
> 
>             at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
> Base.java:498)
> 
>             at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> 
> :164)
> 
>             at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> 
> :100)
> 
>             at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562
> )
> 
>             at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:118)
> 
>             at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:3
> 94)
> 
>             at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:24
> 3)
> 
>             at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
> Http11Protocol.java:188)
> 
>             at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.j
> ava:302)
> 
>             at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecuto
> r.java:886)
> 
>             at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.ja
> va:908)
> 
>             at java.lang.Thread.run(Thread.java:662)
> 
> Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException
> invoking https://dsills-t1500:8300/dsi-services/secure/Of306Service:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com