Do you have control over the web service provider? If so, I would disable the redirect so clients can't use it (i.e., force them to use the SSL URL or the call won't go through.) If you allow for sending over HTTP it's quite possible sensitive information will be sent out over cleartext.

Glen

On 01/08/2013 09:40 PM, Freeman Fang wrote:
Hi,

If it's a https server, you should specify the https url for the address.
-------------
Freeman(Yue) Fang

Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋

On 2013-1-8, at 11:10 PM, Mickael Marrache wrote:

Hi,

I'm using JaxWsProxyFactoryBean to create clients to connect to a web service 
secured with Spring Security. The authentication mechanism used is Basic access 
of HTTP. Here's my client code:

// Initialize JAXWS proxy factories
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setServiceClass(MyServiceInterface.class);
factory.setAddress("http://localhost:8080/MyWebApp/MyService");

HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setAllowChunking(false);
httpClientPolicy.setAutoRedirect(true);

MyServiceInterface proxy = (MyServiceInterface) factory.create();

AuthorizationPolicy authPolicy = new AuthorizationPolicy();
authPolicy.setAuthorizationType("Basic");
authPolicy.setUserName(username);
authPolicy.setPassword(password);

Client myClient = ClientProxy.getClient(proxy);

HTTPConduit httpConduit = (HTTPConduit) myClient.getConduit();
httpConduit.setClient(httpClientPolicy);
httpConduit.setAuthorization(authPolicy);
((BindingProvider) proxy).getRequestContext().put(
             BindingProvider.SESSION_MAINTAIN_PROPERTY, true);

// Load truststore
KeyStore truststore = KeyStore.getInstance("JKS");
char[] trustPassword = new char[] { 'c', 'h', 'a', 'n', 'g', 'e', 'i', 't' };
InputStream in = null;
try {
       in = this.getClass().getClassLoader()
                    .getResourceAsStream("trust.jks");
       truststore.load(in, trustPassword);
} finally {
       if (in != null)
             in.close();
}

TrustManagerFactory trustManagerFactory = TrustManagerFactory
             .getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(truststore);

TLSClientParameters tlsClientParams = new TLSClientParameters();
tlsClientParams.setTrustManagers(trustManagerFactory.getTrustManagers());
httpConduit.setTlsClientParameters(tlsClientParams);

Then, I call one service method...let's say:

proxy.ping();

On the server side, I see that the request is done to the HTTP URL and then a 
redirect is sent back to the client. Then, the server receives the second 
request this time to the HTTPS URL as expected and the process continues. The 
principal is successfully authenticated, a new session is created and saved and 
the request is processed. Also, a cookie named JSESSIONID is sent back to the 
client. But, if I call the same method another time, all this process is 
repeated. The request is sent to the HTTP URL and the redirect has to happen 
another time, etc... I expect the redirect to occur for the first request only.

Should I do factory.setAddress("https://localhost:8443/MyWebApp/MyService")? 
or maybe I'm missing something in the configuration?

Thanks





--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
