No idea on that one. Sounds like with Java 6, it's delaying opening the connection (and thus establishing the trust) a bit longer than with Java 5. Is there any way you could write a quick "hello world" type test case? That would be a big help to me.

Dan

On Sat August 22 2009 5:42:44 pm Stephen Langella wrote:
> Dan,
>
> In performing this I was using Java 5, then I had to context switch to
> something else that required Java 6. In context switching back to this
> issue, I tried running the same scenario as I described below with Java 6
> and now I run into a different issue. When the client tries to connect I
> get the following error:
>
> java.lang.IllegalStateException: connection not yet open
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
>     at $Proxy37.sayHello(Unknown Source)
>     at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
> Invocation failed with the following: java.lang.IllegalStateException:
> connection not yet open
>
> I should mention that I only get this error if
> RequireClientCertificate="true", if RequireClientCertificate="false"
> everything works fine. I still plan on debugging in Java 5 as you
> suggested but I thought I would mention this because I find it concerning
> that I see different behaviors between Java 5 and Java 6. I also was
> hoping that the error I provide above might be familiar to you or ring a
> bell. BTW, I did switch back to Java 5 and encountered the original
> problem I posted. Please let me know if you have other suggestions given
> this additional information. I appreciate your help, thanks in advance.
>
> --Steve
>
> Stephen Langella
> Co-Director
> Software Research Institute
> Center for IT Innovations in Healthcare
> Ohio State University
>
> Senior Researcher
> Department of Biomedical Informatics
> Ohio State University
>
> Office: (614) 293-9534
> Lab: (614) 292-8420
> [email protected]
>
> > From: Daniel Kulp <[email protected]>
> > Reply-To: <[email protected]>
> > Date: Wed, 19 Aug 2009 16:09:20 -0400
> > To: <[email protected]>
> > Cc: Stephen Langella <[email protected]>
> > Subject: Re: WS SecurityPolicy
> >
> > Hmm... it definitely should be asserted. Is there any way you can run
> > this in a debugger? If you could put a break point on line 174 of
> > HttpsTokenInterceptorProvider, that would be a big help. At that point,
> > I'd like to see the contents of TLSSessionInfo and make sure the certs
> > are correct in there. The other place to breakpoint is line 550 of
> > SSLUtils where the SSL certs and stuff are pulled from the request. If
> > you can check that the correct information is pulled from there, that
> > would also be a big help.
> >
> > Dan
> >
> > On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
> >> I am trying to configure my service to use WS SecurityPolicy for
> >> specifying a transport binding policy for HTTPS. I have added a
> >> TransportBinding policy to my WSDL and created a transport binding
> >> policy and bound it to an endpoint policy subject.
> >> At first I configured the server (through the WS-SecurityPolicy in
> >> the WSDL) to not require the client to provide a certificate. This
> >> worked fine. Second, I changed the server to require a client
> >> certificate (<sp:HttpsToken RequireClientCertificate="true"/>). In
> >> testing this I tried my client without providing a certificate and it
> >> still worked. This seems to suggest that either the WS-SecurityPolicy
> >> is not being applied or that CXF is not enforcing that a client
> >> certificate be provided. Any ideas what I might be doing wrong?
> >> Below I have provided my WSDL for reference, thanks in advance.
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <wsdl:definitions name="HelloWorld"
> >>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> >>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> >>     xmlns:tns="http://www.cagrid.org/HelloWorld"
> >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>     targetNamespace="http://www.cagrid.org/HelloWorld">
> >>   <wsdl:types>
> >>     <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
> >>       <xsd:element name="SayHelloRequest" type="xsd:string" />
> >>       <xsd:element name="SayHelloResponse" type="xsd:string" />
> >>     </xsd:schema>
> >>   </wsdl:types>
> >>   <wsdl:message name="SayHelloRequest">
> >>     <wsdl:part element="tns:SayHelloRequest" name="parameters" />
> >>   </wsdl:message>
> >>   <wsdl:message name="SayHelloResponse">
> >>     <wsdl:part element="tns:SayHelloResponse" name="parameters" />
> >>   </wsdl:message>
> >>   <wsdl:portType name="HelloWorld">
> >>     <wsdl:operation name="SayHello">
> >>       <wsdl:input message="tns:SayHelloRequest"
> >>           name="sayHelloRequest" />
> >>       <wsdl:output message="tns:SayHelloResponse"
> >>           name="sayHelloResponse" />
> >>     </wsdl:operation>
> >>   </wsdl:portType>
> >>   <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
> >>     <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
> >>     <soap:binding style="document"
> >>         transport="http://schemas.xmlsoap.org/soap/http" />
> >>     <wsdl:operation name="SayHello">
> >>       <soap:operation soapAction="" style="document" />
> >>       <wsdl:input name="sayHelloRequest">
> >>         <soap:body use="literal" />
> >>       </wsdl:input>
> >>       <wsdl:output name="sayHelloResponse">
> >>         <soap:body use="literal" />
> >>       </wsdl:output>
> >>     </wsdl:operation>
> >>   </wsdl:binding>
> >>   <wsdl:service name="HelloWorldService">
> >>     <wsdl:port name="HelloWorldPort"
> >>         binding="tns:HelloWorldBinding">
> >>       <soap:address
> >>           location="https://llanowar:9001/HelloWorldService" />
> >>     </wsdl:port>
> >>   </wsdl:service>
> >>
> >>   <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
> >>     <wsp:ExactlyOne>
> >>       <wsp:All>
> >>         <sp:TransportBinding
> >>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>           <wsp:Policy>
> >>             <sp:TransportToken>
> >>               <wsp:Policy>
> >>                 <sp:HttpsToken
> >>                     RequireClientCertificate="true" />
> >>               </wsp:Policy>
> >>             </sp:TransportToken>
> >>             <sp:AlgorithmSuite>
> >>               <wsp:Policy>
> >>                 <sp:Basic256 />
> >>               </wsp:Policy>
> >>             </sp:AlgorithmSuite>
> >>             <sp:Layout>
> >>               <wsp:Policy>
> >>                 <sp:Lax />
> >>               </wsp:Policy>
> >>             </sp:Layout>
> >>             <sp:IncludeTimestamp />
> >>           </wsp:Policy>
> >>         </sp:TransportBinding>
> >>         <sp:Wss10
> >>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>           <wsp:Policy>
> >>             <sp:MustSupportRefKeyIdentifier />
> >>             <sp:MustSupportRefIssuerSerial />
> >>           </wsp:Policy>
> >>         </sp:Wss10>
> >>       </wsp:All>
> >>     </wsp:ExactlyOne>
> >>   </wsp:Policy>
> >> </wsdl:definitions>
> >>
> >>
> >> --Steve
> >>
> >> Stephen Langella
> >> Co-Founder
> >> Inventrio, LLC
> >> www.inventrio.com
> >>
> >> [email protected]

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
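
A static check of the policy attachment discussed in this thread, as an added example that is not part of the original messages and is not CXF code: it confirms that each `wsdl:binding` carries a `wsp:PolicyReference` that resolves to a `wsp:Policy` by `wsu:Id`, and that the `sp:HttpsToken` inside asks for a client certificate. The function name `audit_https_token` and the trimmed `SAMPLE` document are constructed for illustration; namespace URIs are compared exactly, and the check says nothing about whether the runtime enforces the policy.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample: the policy attachment from the thread's WSDL, trimmed.
SAMPLE = f"""<wsdl:definitions xmlns:wsdl="{WSDL}" xmlns:wsp="{WSP}"
    xmlns:sp="{SP}" xmlns:wsu="{WSU}">
  <wsdl:binding name="HelloWorldBinding">
    <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
  </wsdl:binding>
  <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
    <wsp:ExactlyOne><wsp:All><sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="true"/>
      </wsp:Policy></sp:TransportToken>
    </wsp:Policy></sp:TransportBinding></wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
</wsdl:definitions>"""


def audit_https_token(wsdl_text):
    """Return (binding name, policy URI, status) for every wsdl:binding."""
    root = ET.fromstring(wsdl_text)
    # Index policies by wsu:Id so that "#id" references can be resolved.
    policies = {p.get(f"{{{WSU}}}Id"): p for p in root.iter(f"{{{WSP}}}Policy")}
    findings = []
    for binding in root.iter(f"{{{WSDL}}}binding"):
        refs = binding.findall(f"{{{WSP}}}PolicyReference")
        if not refs:
            findings.append((binding.get("name"), None, "no-policy-attached"))
        for ref in refs:
            uri = ref.get("URI", "")
            policy = policies.get(uri[1:]) if uri.startswith("#") else None
            tokens = [] if policy is None else list(policy.iter(f"{{{SP}}}HttpsToken"))
            if policy is None:
                status = "unresolved-reference"
            elif not tokens:
                status = "no-https-token"
            # Assumption of this example: a missing attribute counts as optional.
            elif all(t.get("RequireClientCertificate", "").strip() in ("true", "1")
                     for t in tokens):
                status = "client-cert-required"
            else:
                status = "client-cert-optional"
            findings.append((binding.get("name"), uri, status))
    return findings
```

Calling `audit_https_token(SAMPLE)` returns one tuple per binding; any status other than `client-cert-required` means the document itself does not ask for client authentication on that binding.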
