Hello all,
I'm new to CXF and am currently evaluating it. I'm experiencing issues when
trying to set it up over HTTPS, as a web application that requires
CLIENT-CERT authentication.

My env is this:
JBoss 4.0.5 GA which runs my CXF-based web service, plus another separate
simple servlet web app.
My standalone webservice client is a CXF java application. I also have a
standalone java app that simply connects to the servlet (not the webservice)
using apache's httpclient. Both client apps set the same javax.net.ssl.*
properties for key and trust stores.
All apps run on the same host.

When I invoke the servlet standalone client, it is able to connect to the
servlet and authenticate using its certificate - no problems.

When I invoke the webservice client, I get a 1 min timeout and after that a
long exception (I cut it short for clarity):

INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
        at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        ...
Caused by: java.net.SocketTimeoutException: Read timed out
        ... 7 more
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Could not
send Message.
        ...
Caused by: org.apache.cxf.interceptor.Fault: Could not send Message.
        ... 2 more
Caused by: java.net.SocketTimeoutException: Read timed out
        ... 7 more
Java Result: 1


I also get on the server side (JBoss) log file:

2008-10-07 19:15:04,026 INFO  [org.apache.tomcat.util.net.jsse.JSSESupport]
SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        ...
2008-10-07 19:15:04,027 WARN  [org.apache.coyote.http11.Http11Processor]
Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        ...
2008-10-07 19:15:04,028 TRACE [org.jboss.security.SecurityAssociation]
clear, server=true


Both webservice app and servlet app use the SAME pre-configured jaas entry:

<jboss-web>
  <security-domain>java:/jaas/servlet-clientcert-secdomain</security-domain>
</jboss-web>


What other info can I provide to diagnose this?

Here is what I could think of:

The jaas entry looks like this:

<server>
    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
           name="jboss.security:service=SecurityDomain">
        <constructor>
            <arg type="java.lang.String" value="servlet-clientcert-secdomain"/>
        </constructor>
        <attribute name="KeyStoreURL">v:\tmp\servertrust.jks</attribute>
        <attribute name="KeyStorePass">changeit</attribute>
        <depends>jboss.security:service=JaasSecurityManager</depends>
    </mbean>
</server>


And the login module looks like this (in login-config.xml):

  <application-policy name="servlet-clientcert-secdomain">
    <authentication>

      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                    flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/servlet-clientcert-secdomain</module-option>
      </login-module>

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="usersProperties">clientcert-users.properties</module-option>
        <module-option name="rolesProperties">clientcert-roles.properties</module-option>
      </login-module>

    </authentication>
  </application-policy>


The clientcert-users.properties is empty, and the
clientcert-roles.properties contains a mapping between the cert DN and the
'tester' role which is used by both web apps:

CN\=testhost7,\ OU\=orgunit,\ O\=org,\ L\=city,\ ST\=state,\ C\=st=tester


In both web apps, web.xml contains:

    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>tester</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <description/>
        <role-name>tester</role-name>
    </security-role>


The webservice client code is the one generated by the cxf client code
generator:


import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.namespace.QName;

// HelloService and Hello are the generated service and port classes (same package assumed).
public final class Hello_HelloImplPort_Client {

    private static final QName SERVICE_NAME = new QName("http://cxf/", "HelloService");

    private Hello_HelloImplPort_Client() {
    }

    public static void main(String args[]) throws Exception {
        // JVM-wide key and trust store settings, same values as the servlet client
        System.setProperty("javax.net.ssl.keyStore", "v:/tmp/clientkey.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "v:/tmp/clienttrust.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // WSDL location: generated default, or a file/URL given on the command line
        URL wsdlURL = HelloService.WSDL_LOCATION;
        if (args.length > 0) {
            File wsdlFile = new File(args[0]);
            try {
                if (wsdlFile.exists()) {
                    wsdlURL = wsdlFile.toURI().toURL();
                } else {
                    wsdlURL = new URL(args[0]);
                }
            } catch (MalformedURLException e) {
                e.printStackTrace();
            }
        }

        HelloService ss = new HelloService(wsdlURL, SERVICE_NAME);
        Hello port = ss.getHelloImplPort();
        // start invoking the port's methods...
    }
}


The servlet client code is this:

// imports needed by the snippet below (Commons HttpClient 3.x)
import java.net.URL;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.methods.GetMethod;

            System.setProperty("javax.net.ssl.keyStore", "v:/tmp/clientkey.jks");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            System.setProperty("javax.net.ssl.trustStore", "v:/tmp/clienttrust.jks");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            URL url = new URL(args[0]);
            // conmgr is not declared in the posted snippet; a MultiThreadedHttpConnectionManager
            // handed to HttpClient is assumed here
            MultiThreadedHttpConnectionManager conmgr = new MultiThreadedHttpConnectionManager();
            conmgr.getParams().setDefaultMaxConnectionsPerHost(10);
            HttpClient hc = new HttpClient(conmgr);
            GetMethod method = new GetMethod(url.toURI().toString());
            hc.executeMethod(method);
            System.out.println(method.getResponseBodyAsString());
            method.releaseConnection();


Both clients get the following parameter at runtime:

https://testhost7:8443/servlet-clientcert/TestServlet

-- 
View this message in context: 
http://www.nabble.com/-JSSESupport--SSL-Error-getting-client-Certs-tp19863789p19863789.html
Sent from the cxf-user mailing list archive at Nabble.com.
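The server-side "null cert chain" handshake error indicates that the client answered the server's certificate request with an empty chain. As an added example (not code from the post, from the generated client or from CXF itself), the helper below binds the key and trust stores the post names directly to the CXF HTTP conduit behind the JAX-WS proxy, so the client certificate is presented without depending on the JVM-wide javax.net.ssl.* properties; the class and method names are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

// Hypothetical helper, not part of the generated client or of CXF.
public final class ClientCertConduit {

    // Loads a JKS store; paths and passwords are the ones the post uses.
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Binds explicit key/trust material to the conduit behind a JAX-WS proxy so the
    // client certificate is presented whether or not javax.net.ssl.* is honoured.
    static void configureClientCert(Object port, String keyStore, char[] keyPass,
                                    String trustStore, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStore, keyPass), keyPass);   // private key + chain to present
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStore, trustPass));        // CAs the server cert must chain to

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false);   // keep hostname verification; server cert must match testhost7

        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tls);

        // CXF's default receive timeout is 60 s, which is the one-minute wait seen in the post;
        // fail faster so a handshake that never completes is reported promptly.
        HTTPClientPolicy policy = new HTTPClientPolicy();
        policy.setConnectionTimeout(10000);
        policy.setReceiveTimeout(10000);
        conduit.setClient(policy);
    }
}
```

Call configureClientCert(port, "v:/tmp/clientkey.jks", "changeit".toCharArray(), "v:/tmp/clienttrust.jks", "changeit".toCharArray()) right after ss.getHelloImplPort() and before the first invocation. Running either client with -Djavax.net.ssl.debug=ssl,handshake shows whether the server's CertificateRequest is answered with a certificate chain or an empty one, which separates a key-store problem from a CXF conduit configuration problem.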