Dan,

    In performing this I was using Java 5, then I had to context switch to
something else that required Java 6.  In context switching back to this
issue, I tried running the same scenario as I described below with Java 6
and now I run into a different issue.   When the client tries to connect I
get the following error:

java.lang.IllegalStateException: connection not yet open
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
    at $Proxy37.sayHello(Unknown Source)
    at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
Invocation failed with the following: java.lang.IllegalStateException: connection not yet open


I should mention that I only get this error if
RequireClientCertificate="true"; if RequireClientCertificate="false",
everything works fine.   I still plan on debugging in Java 5 as you
suggested, but I thought I would mention this because I find it concerning
that I see different behaviors between Java 5 and Java 6.   I also was
hoping that the error I provide above might be familiar to you or ring a
bell.  BTW, I did switch back to Java 5 and encountered the original problem
I posted.  Please let me know if you have other suggestions given this
additional information.  I appreciate your help, thanks in advance.

--Steve

Stephen Langella
Co-Director 
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University

Senior Researcher  
Department of Biomedical Informatics
Ohio State University

Office: (614) 293-9534
Lab: (614) 292-8420
stephen.lange...@osumc.edu


> From: Daniel Kulp <dk...@apache.org>
> Reply-To: <users@cxf.apache.org>
> Date: Wed, 19 Aug 2009 16:09:20 -0400
> To: <users@cxf.apache.org>
> Cc: Stephen Langella <stephen.lange...@inventrio.com>
> Subject: Re: WS SecurityPolicy
> 
> 
> 
> Hmm...   it definitely should be asserted.   Is there any way you can run this
> in a debugger?   If you could put a break point on line 174 of
> HttpsTokenInterceptorProvider, that would be a big help.   At that point, I'd
> like to see the contents of TLSSessionInfo and make sure the certs are correct
> in there.    The other place to breakpoint is line 550 of SSLUtils where the
> SSL certs and stuff are pulled from the request.   If you can check that the
> correct information is pulled from there, that would also be a big help.
> 
> Dan
> 
> 
> 
> On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
>> I am trying to configure my service to use WS SecurityPolicy for
>> specifying a transport binding policy for HTTPS.    I have added a
>> TransportBinding policy to my WSDL and created a transport binding
>> policy and bound it to an endpoint policy subject.  At first I
>> configured the server (through the WS-SecurityPolicy in the WSDL) to
>> not require the client to provide a certificate.   This worked fine.
>> Second, I changed the server to require a client certificate
>> (<sp:HttpsToken RequireClientCertificate="true"/>).   In testing this
>> I tried my client without providing a certificate and it still
>> worked.  This seems to suggest that either the WS-SecurityPolicy is
>> not being applied or that CXF is not enforcing that a client
>> certificate be provided.  Any ideas what I might be doing wrong?
>> Below I have provided my WSDL for reference, thanks in advance.
>> 
>> <?xml version="1.0" encoding="UTF-8"?>
>> <wsdl:definitions name="HelloWorld"
>>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>>     xmlns:tns="http://www.cagrid.org/HelloWorld"
>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>     targetNamespace="http://www.cagrid.org/HelloWorld">
>>     <wsdl:types>
>>         <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
>>             <xsd:element name="SayHelloRequest" type="xsd:string" />
>>             <xsd:element name="SayHelloResponse" type="xsd:string" />
>>         </xsd:schema>
>>     </wsdl:types>
>>     <wsdl:message name="SayHelloRequest">
>>         <wsdl:part element="tns:SayHelloRequest" name="parameters" />
>>     </wsdl:message>
>>     <wsdl:message name="SayHelloResponse">
>>         <wsdl:part element="tns:SayHelloResponse" name="parameters" />
>>     </wsdl:message>
>>     <wsdl:portType name="HelloWorld">
>>         <wsdl:operation name="SayHello">
>>             <wsdl:input message="tns:SayHelloRequest" name="sayHelloRequest" />
>>             <wsdl:output message="tns:SayHelloResponse" name="sayHelloResponse" />
>>         </wsdl:operation>
>>     </wsdl:portType>
>>     <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
>>         <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
>>         <soap:binding style="document"
>>             transport="http://schemas.xmlsoap.org/soap/http" />
>>         <wsdl:operation name="SayHello">
>>             <soap:operation soapAction="" style="document" />
>>             <wsdl:input name="sayHelloRequest">
>>                 <soap:body use="literal" />
>>             </wsdl:input>
>>             <wsdl:output name="sayHelloResponse">
>>                 <soap:body use="literal" />
>>             </wsdl:output>
>>         </wsdl:operation>
>>     </wsdl:binding>
>>     <wsdl:service name="HelloWorldService">
>>         <wsdl:port name="HelloWorldPort" binding="tns:HelloWorldBinding">
>>             <soap:address location="https://llanowar:9001/HelloWorldService" />
>>         </wsdl:port>
>>     </wsdl:service>
>> 
>>      <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
>>         <wsp:ExactlyOne>
>>             <wsp:All>
>>                 <sp:TransportBinding
>>                     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>                     <wsp:Policy>
>>                         <sp:TransportToken>
>>                             <wsp:Policy>
>>                                 <sp:HttpsToken RequireClientCertificate="true" />
>>                             </wsp:Policy>
>>                         </sp:TransportToken>
>>                         <sp:AlgorithmSuite>
>>                             <wsp:Policy>
>>                                 <sp:Basic256 />
>>                             </wsp:Policy>
>>                         </sp:AlgorithmSuite>
>>                         <sp:Layout>
>>                             <wsp:Policy>
>>                                 <sp:Lax />
>>                             </wsp:Policy>
>>                         </sp:Layout>
>>                         <sp:IncludeTimestamp />
>>                     </wsp:Policy>
>>                 </sp:TransportBinding>
>>                 <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>                     <wsp:Policy>
>>                         <sp:MustSupportRefKeyIdentifier />
>>                         <sp:MustSupportRefIssuerSerial />
>>                     </wsp:Policy>
>>                 </sp:Wss10>
>>             </wsp:All>
>>         </wsp:ExactlyOne>
>>     </wsp:Policy>
>> </wsdl:definitions>
>> 
>> 
>> --Steve
>> 
>> Stephen Langella
>> Co-Founder
>> Inventrio, LLC
>> www.inventrio.com
>> 
>> stephen.lange...@inventrio.com
> 
> -- 
> Daniel Kulp
> dk...@apache.org
> http://www.dankulp.com/blog