(1) I don't know how to implement .Net web service providers so can't help you there. For Java you'd need the WSP-side configuration as shown in the blog entry, namely, have the servlet running the web service use SSL.

For (3) yes, it should in most cases be all you need for the client. More advanced config primarily comes in when you need to specify specific encryption libraries to use other than the JDK's default ones.

(4) I can't help you on, as I haven't researched using WS-SecurityPolicy to activate transport-layer encryption (I'm not even sure it can be done that way, as you still need to configure the servlet container holding your WSP provider to use SSL, and same story I would assume with embedded Jetty via Endpoint.publish()). Others here may know more.

HTH,
Glen


On 10/13/2011 11:31 AM, Beyer, Doug wrote:
Thanks for the response.

From the article you referenced, my takeaway is:

1) I don't think I need to do anything with the web server side of things, 
correct?
2) I've confirmed that for our web services, no specific certificates are 
needed on the client side.
3) The client needs to ensure that the protocol being used is HTTPS and that the 
login credentials get sent correctly. Am I correct in that if I use

             ClientService svcObj = new ClientService();
             IClientService svc = svcObj.getCustomBindingIClientService();
             BindingProvider provider = (BindingProvider)svc;
             provider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                 "https://dev.socsuite.com/Services/ClientService.svc");
             provider.getRequestContext().put(BindingProvider.USERNAME_PROPERTY,
                 "username");
             provider.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,
                 "password");

Then the need for **all** this configuration goes away:

     <http:conduit name="http://dev.socsuite.com/Services/.*">

       <!-- Hopefully this sets up a SOAP Security element?!? -->
       <http:authorization>
         <sec:UserName><the user name></sec:UserName>
         <sec:Password><the password></sec:Password>
       </http:authorization>

       <!-- Should set up https. -->
       <http:tlsClientParameters secureSocketProtocol="SSL"></http:tlsClientParameters>

     </http:conduit>

4) Assuming that #3 above was correct but I still want to use configuration, do 
you have any comments about my configuration shown in the original email and 
how that might be causing the runtime error shown in the CXF debug log output? 
Do I need to spend time understanding WS-Policy to get around that runtime 
error?

Thanks again for helping.



-----Original Message-----
From: Glen Mazza [mailto:[email protected]]
Sent: Thursday, October 13, 2011 8:04 AM
To: [email protected]
Subject: Re: Configuration for https

Might this help you:
http://www.jroller.com/gmazza/entry/ssl_for_web_services ?  It may be easier to 
just hardcode the use of SSL rather than rely on WS-Policy statements 
implementing it.

Glen

On 10/13/2011 10:34 AM, Beyer, Doug wrote:
I'm trying to connect to our own .Net web services using java. I need to use 
HTTPS. 
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html is 
a bit confusing as the configuration examples shown don't seem to align 
correctly with the data in the CXF 2.4.2 
samples\wsdl_first_https\wsdl\hello_world.wsdl file.

I am not an expert in Spring or CXF and am just trying to get my java web 
service client configured as quickly as possible.

Below is a snippet containing the pertinent (I hope) sections from our wsdl:

<wsdl:definitions name="ClientService" targetNamespace="http://www.troppussoftware.com/service/2010/12/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" 
xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://www.troppussoftware.com/service/2010/12/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" 
xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" 
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
     <wsp:Policy wsu:Id="CustomBinding_IClientService_policy">
        <wsp:ExactlyOne>
           <wsp:All>
              <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                 <wsp:Policy>
                    <sp:TransportToken>
                       <wsp:Policy>
                          <sp:HttpToken/>
                       </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                       <wsp:Policy>
                          <sp:Basic256/>
                       </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                       <wsp:Policy>
                          <sp:Strict/>
                       </wsp:Policy>
                    </sp:Layout>
                </wsp:Policy>
              </sp:TransportBinding>
              <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                 <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                       <wsp:Policy>
                          <sp:WssUsernameToken10/>
                       </wsp:Policy>
                    </sp:UsernameToken>
                 </wsp:Policy>
              </sp:SignedSupportingTokens>
              <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                 <wsp:Policy/>
              </sp:Wss11>
              <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                 <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                 </wsp:Policy>
              </sp:Trust10>
              <wsaw:UsingAddressing/>
           </wsp:All>
        </wsp:ExactlyOne>
     </wsp:Policy>

...

     <wsdl:service name="ClientService">
        <wsdl:port name="CustomBinding_IClientService" binding="tns:CustomBinding_IClientService">
           <soap12:address location="http://dev.socsuite.com/Services/ClientService.svc/ClientService"/>
           <wsa10:EndpointReference>
              <wsa10:Address>http://dev.socsuite.com/Services/ClientService.svc/ClientService</wsa10:Address>
              <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
                 <Dns>localhost</Dns>
              </Identity>
           </wsa10:EndpointReference>
        </wsdl:port>
     </wsdl:service>
</wsdl:definitions>


From http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html , I 
decided to use the following shorthand since all our clients will need the same 
https conduit for all our services:

Another option for the name attribute is a reg-ex expression for the ORIGINAL 
URL of the endpoint. The configuration is matched at conduit creation so the 
address used in the WSDL or used for the JAX-WS Service.create(...) call can be 
used for the name. For example, you can do:

     <http:conduit name="http://localhost:8080/.*">
         ......
     </http:conduit>

to configure a conduit for all interactions on localhost:8080. If you have 
multiple clients interacting with different services on the same server, this 
is probably the easiest way to configure it.

That same CXF web page references a blog entry at 
http://techpolesen.blogspot.com/2007/08/using-ssl-with-xfirecxf-battling.html . 
Using the info from that blog entry, the CXF web page, and my wsdl, I decided 
to use the following conduit configuration in my cxf.xml:

      <http:conduit name="http://dev.socsuite.com/Services/.*">
          <http:authorization>
              <sec:UserName><the user name></sec:UserName>
              <sec:Password><the password></sec:Password>
          </http:authorization>
          <http:tlsClientParameters secureSocketProtocol="SSL"></http:tlsClientParameters>
      </http:conduit>

When I attempt to execute a method of our web service, I get the following from 
the CXF debug logging (with log level = INFO):

Oct 13, 2011 7:28:46 AM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@11a01dd: startup date [Thu Oct 13 07:28:46 PDT 2011]; root of context hierarchy
Oct 13, 2011 7:28:46 AM org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file cxf.xml.
Oct 13, 2011 7:28:46 AM org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from file [D:\Dev\phoenix_git\protocolprototype2\CxfWebServices\cxf.xml]
Oct 13, 2011 7:28:47 AM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@1abcd9b: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,org.apache.cxf.wstx_msv_validation.WoodstoxValidationImpl,LoggingInInterceptor,LoggingOutInterceptor,cxf.config0,http://dev.socsuite.com/Services/.*]; root of factory hierarchy
Oct 13, 2011 7:28:47 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://www.troppussoftware.com/service/2010/12/}ClientService from WSDL: file:wsdl/ClientService.svc.wsdl
Oct 13, 2011 7:28:48 AM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}HttpToken registered.
Oct 13, 2011 7:28:48 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'CustomBinding_IClientService_policy':org.apache.neethi.builders.PrimitiveAssertion cannot be cast to org.apache.cxf.ws.security.policy.model.Token
ERROR - login_1() - javax.xml.ws.soap.SOAPFaultException: org.apache.neethi.builders.PrimitiveAssertion cannot be cast to org.apache.cxf.ws.security.policy.model.Token

Is the problem simple like mis-matched jars or does it have to do with my 
configuration?
Thanks in advance for your help.




--
Glen Mazza
Talend - http://www.talend.com/apache
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
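
A preflight check over the two files discussed in this thread, added here as an example and not part of the original messages or of CXF: it lists WSDL addresses advertised over plain http, conduits whose http:authorization credentials are bound to such an address, and the generic "SSL" protocol name. The inputs are constructed from the thread's WSDL and cxf.xml; the function names, finding labels and whole-string regex matching of the conduit name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

HTTP_NS = "{http://cxf.apache.org/transports/http/configuration}"

# Constructed samples, cut down from the WSDL port and cxf.xml conduit in the thread.
WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="ClientService"><wsdl:port name="CustomBinding_IClientService">
    <soap12:address location="http://dev.socsuite.com/Services/ClientService.svc/ClientService"/>
  </wsdl:port></wsdl:service>
</wsdl:definitions>"""
CXF_XML = """<beans xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="http://dev.socsuite.com/Services/.*">
    <http:authorization>
      <sec:UserName>user</sec:UserName><sec:Password>placeholder</sec:Password>
    </http:authorization>
    <http:tlsClientParameters secureSocketProtocol="SSL"/>
  </http:conduit>
</beans>"""

def wsdl_addresses(wsdl_text):
    """Return the location of every SOAP address element (any SOAP version)."""
    return [el.get("location") for el in ET.fromstring(wsdl_text).iter()
            if el.tag.endswith("}address") and el.get("location")]

def conduit_matches(name, address):
    # Assumption: the conduit name is a regex that must match the whole address.
    return re.fullmatch(name, address) is not None

def audit(wsdl_text, cxf_text):
    """Return (finding, conduit name or address) pairs; labels are hypothetical."""
    addresses = wsdl_addresses(wsdl_text)
    cleartext = [a for a in addresses if a.lower().startswith("http://")]
    findings = [("wsdl-cleartext-address", a) for a in cleartext]
    for conduit in ET.fromstring(cxf_text).iter(HTTP_NS + "conduit"):
        name = conduit.get("name", "")
        tls = conduit.find(HTTP_NS + "tlsClientParameters")
        # Credentials bound to a conduit that serves a cleartext WSDL address.
        if (conduit.find(HTTP_NS + "authorization") is not None
                and any(conduit_matches(name, a) for a in cleartext)):
            findings.append(("credentials-on-http-conduit", name))
        # "SSL" is the generic JSSE context name; an explicit TLS version is clearer.
        if tls is not None and tls.get("secureSocketProtocol") == "SSL":
            findings.append(("generic-ssl-protocol-name", name))
    return findings

if __name__ == "__main__":
    for finding in audit(WSDL, CXF_XML):
        print(finding)
```

The conduit name from the thread matches the WSDL's http:// address but not the https:// address set through ENDPOINT_ADDRESS_PROPERTY, which `conduit_matches` shows directly.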





