Dan,

In performing this I was using Java 5, then I had to context switch to something else that required Java 6. In context switching back to this issue, I tried running the same scenario as I described below with Java 6 and now I run into a different issue. When the client tries to connect I get the following error:

java.lang.IllegalStateException: connection not yet open
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
    at $Proxy37.sayHello(Unknown Source)
    at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
Invocation failed with the following: java.lang.IllegalStateException: connection not yet open


I should mention that I only get this error if RequireClientCertificate="true"; if RequireClientCertificate="false", everything works fine. I still plan on debugging in Java 5 as you suggested, but I thought I would mention this because I find it concerning that I see different behaviors between Java 5 and Java 6. I also was hoping that the error I provide above might be familiar to you or ring a bell. BTW, I did switch back to Java 5 and encountered the original problem I posted. Please let me know if you have other suggestions given this additional information. I appreciate your help, thanks in advance.

--Steve

Stephen Langella
Co-Founder
Inventrio, LLC
www.inventrio.com

On Aug 19, 2009, at 4:09 PM, Daniel Kulp wrote:



Hmm... it definitely should be asserted. Is there any way you can run this in a debugger? If you could put a breakpoint on line 174 of HttpsTokenInterceptorProvider, that would be a big help. At that point, I'd like to see the contents of TLSSessionInfo and make sure the certs are correct in there. The other place to breakpoint is line 550 of SSLUtils where the SSL certs and stuff are pulled from the request. If you can check that the correct information is pulled from there, that would also be a big help.

Dan



On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
I am trying to configure my service to use WS SecurityPolicy for specifying a transport binding policy for HTTPS. I have added a TransportBinding policy to my WSDL and created a transport binding policy and bound it to an endpoint policy subject. At first I configured the server (through the WS-SecurityPolicy in the WSDL) to not require the client to provide a certificate. This worked fine. Second, I changed the server to require a client certificate (<sp:HttpsToken RequireClientCertificate="true"/>). In testing this I tried my client without providing a certificate and it still worked. This seems to suggest that either the WS-SecurityPolicy is not being applied or that CXF is not enforcing that a client certificate be provided. Any ideas what I might be doing wrong? Below I have provided my WSDL for reference, thanks in advance.

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="HelloWorld"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://www.cagrid.org/HelloWorld"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    targetNamespace="http://www.cagrid.org/HelloWorld">
   <wsdl:types>
       <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
           <xsd:element name="SayHelloRequest" type="xsd:string" />
           <xsd:element name="SayHelloResponse" type="xsd:string" />
       </xsd:schema>
   </wsdl:types>
   <wsdl:message name="SayHelloRequest">
       <wsdl:part element="tns:SayHelloRequest" name="parameters" />
   </wsdl:message>
   <wsdl:message name="SayHelloResponse">
       <wsdl:part element="tns:SayHelloResponse" name="parameters" />
   </wsdl:message>
   <wsdl:portType name="HelloWorld">
       <wsdl:operation name="SayHello">
           <wsdl:input message="tns:SayHelloRequest" name="sayHelloRequest" />
           <wsdl:output message="tns:SayHelloResponse" name="sayHelloResponse" />
       </wsdl:operation>
   </wsdl:portType>
   <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
       <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
       <soap:binding style="document"
           transport="http://schemas.xmlsoap.org/soap/http" />
       <wsdl:operation name="SayHello">
           <soap:operation soapAction="" style="document" />
           <wsdl:input name="sayHelloRequest">
               <soap:body use="literal" />
           </wsdl:input>
           <wsdl:output name="sayHelloResponse">
               <soap:body use="literal" />
           </wsdl:output>
       </wsdl:operation>
   </wsdl:binding>
   <wsdl:service name="HelloWorldService">
       <wsdl:port name="HelloWorldPort" binding="tns:HelloWorldBinding">
           <soap:address location="https://llanowar:9001/HelloWorldService" />
       </wsdl:port>
   </wsdl:service>

    <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
       <wsp:ExactlyOne>
           <wsp:All>
               <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                   <wsp:Policy>
                       <sp:TransportToken>
                           <wsp:Policy>
                               <sp:HttpsToken RequireClientCertificate="true" />
                           </wsp:Policy>
                       </sp:TransportToken>
                       <sp:AlgorithmSuite>
                           <wsp:Policy>
                               <sp:Basic256 />
                           </wsp:Policy>
                       </sp:AlgorithmSuite>
                       <sp:Layout>
                           <wsp:Policy>
                               <sp:Lax />
                           </wsp:Policy>
                       </sp:Layout>
                       <sp:IncludeTimestamp />
                   </wsp:Policy>
               </sp:TransportBinding>
               <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                   <wsp:Policy>
                       <sp:MustSupportRefKeyIdentifier />
                       <sp:MustSupportRefIssuerSerial />
                   </wsp:Policy>
               </sp:Wss10>
           </wsp:All>
       </wsp:ExactlyOne>
   </wsp:Policy>
</wsdl:definitions>


--Steve

Stephen Langella
Co-Founder
Inventrio, LLC
www.inventrio.com

--
Daniel Kulp
http://www.dankulp.com/blog
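
Added example, not part of the original thread and not CXF code: a static check for the first possibility raised in the original question (the policy not being applied). It resolves each wsdl:binding's wsp:PolicyReference to a wsp:Policy by wsu:Id and reports what the HttpsToken assertion says. The function name, the finding strings and the sample WSDL are constructed for illustration, and only the 2005/07 SecurityPolicy namespace used in the WSDL above is treated as a match.

```python
import xml.etree.ElementTree as ET

# Namespaces as declared in the WSDL posted in the thread.
WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def audit_https_token(wsdl_text):
    """Map each wsdl:binding name to a finding about its HttpsToken assertion."""
    root = ET.fromstring(wsdl_text)
    policies = {p.get(f"{{{WSU}}}Id"): p for p in root.iter(f"{{{WSP}}}Policy")}
    findings = {}
    for binding in root.iter(f"{{{WSDL}}}binding"):
        name = binding.get("name")
        ref = binding.find(f"{{{WSP}}}PolicyReference")
        if ref is None:
            findings[name] = "no policy attached"
            continue
        uri = ref.get("URI", "")
        policy = policies.get(uri[1:]) if uri.startswith("#") else None
        if policy is None:
            findings[name] = "PolicyReference does not resolve"
            continue
        tokens = [e for e in policy.iter() if e.tag.endswith("}HttpsToken")]
        exact = [e for e in tokens if e.tag == f"{{{SP}}}HttpsToken"]
        if not tokens:
            findings[name] = "no HttpsToken assertion"
        elif not exact:
            # Namespace names compare as exact strings; a stray space differs.
            findings[name] = "HttpsToken not in the 2005/07 namespace"
        elif exact[0].get("RequireClientCertificate", "false") in ("true", "1"):
            findings[name] = "client certificate required"
        else:
            findings[name] = "client certificate not required"
    return findings

_TOKEN = ('<wsp:Policy><sp:TransportToken><wsp:Policy><sp:HttpsToken '
          'RequireClientCertificate="true"/></wsp:Policy></sp:TransportToken></wsp:Policy>')
# Constructed sample: correct binding, trailing space in sp namespace, no reference.
SAMPLE = f"""<wsdl:definitions xmlns:wsdl="{WSDL}" xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsdl:binding name="Good"><wsp:PolicyReference URI="#P1"/></wsdl:binding>
  <wsdl:binding name="BadNs"><wsp:PolicyReference URI="#P2"/></wsdl:binding>
  <wsdl:binding name="Unbound"/>
  <wsp:Policy wsu:Id="P1"><sp:TransportBinding xmlns:sp="{SP}">{_TOKEN}</sp:TransportBinding></wsp:Policy>
  <wsp:Policy wsu:Id="P2"><sp:TransportBinding xmlns:sp="{SP} ">{_TOKEN}</sp:TransportBinding></wsp:Policy>
</wsdl:definitions>"""

if __name__ == "__main__":
    print(audit_https_token(SAMPLE))
```

A clean result only shows that the assertion is attached and well-formed in the document; whether the endpoint actually refuses a TLS handshake without a client certificate still has to be tested against the running server.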
