[jboss-user] [JBossWS] - JBossWS with JBoss 4.2.0 and Axis 1.4 don't work with WSSecu
bigdaddy66
do-not-reply at jboss.com
Tue Jun 5 11:10:03 EDT 2007
Hi,
i want to setup a testbed to communicate secure between JBoss 4.2.0 and Axis 1.4 with WSS4J 1.5.2.
I already setup an WSFacade (EJB2.1) with a simple Add-Method to sum up two Integer. The Method works (the whole WSFacade has more Methods that are all already used and working fine.
Now i want to setup WSSecurity with WSS4J. No Authentication - only Signing and Encryption between the Server (JBoss) and the Client (Axis).
I developed a simple standalone J2SE-Application which successful call the add-method and get the result - all fine without signing etc.
Now with signing i receive following error-message in the jboss-console:
anonymous wrote :
| 16:51:27,394 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
| org.jboss.ws.extensions.security.SecurityTokenUnavailableException: Could not locate certificate by issuer and serial number
| at org.jboss.ws.extensions.security.KeyResolver.resolveX509IssuerSerial(KeyResolver.java:122)
| at org.jboss.ws.extensions.security.KeyResolver.resolve(KeyResolver.java:92)
| at org.jboss.ws.extensions.security.KeyResolver.resolveCertificate(KeyResolver.java:129)
| at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:139)
| at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:159)
| at org.jboss.ws.extensions.security.element.Signature.(Signature.java:56)
| at org.jboss.ws.extensions.security.element.SecurityHeader.(SecurityHeader.java:87)
| at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:182)
| at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleInbound(WSSecurityDispatcher.java:145)
| at org.jboss.ws.extensions.security.jaxrpc.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:66)
| at org.jboss.ws.extensions.security.jaxrpc.WSSecurityHandlerInbound.handleRequest(WSSecurityHandlerInbound.java:42)
| at org.jboss.ws.core.jaxrpc.handler.HandlerWrapper.handleRequest(HandlerWrapper.java:121)
| at org.jboss.ws.core.jaxrpc.handler.HandlerChainBaseImpl.handleRequestInternal(HandlerChainBaseImpl.java:291)
| at org.jboss.ws.core.jaxrpc.handler.HandlerChainBaseImpl.handleRequest(HandlerChainBaseImpl.java:251)
| at org.jboss.ws.core.jaxrpc.handler.ServerHandlerChain.handleRequest(ServerHandlerChain.java:54)
| at org.jboss.ws.core.jaxrpc.handler.HandlerDelegateJAXRPC.callRequestHandlerChain(HandlerDelegateJAXRPC.java:108)
| at org.jboss.ws.integration.jboss42.ServiceEndpointInvokerEJB21$HandlerCallback.callRequestHandlerChain(ServiceEndpointInvokerEJB21.java:248)
| at org.jboss.ws.integration.jboss42.ServiceEndpointInterceptor.invoke(ServiceEndpointInterceptor.java:83)
| at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
| at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
| at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
| at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
| at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
| at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
| at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
| at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
| at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
| at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
| at org.jboss.ejb.Container.invoke(Container.java:960)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
| at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
| at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
| at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
| at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
| at org.jboss.ws.integration.jboss42.ServiceEndpointInvokerEJB21.invokeServiceEndpointInstance(ServiceEndpointInvokerEJB21.java:189)
| at org.jboss.ws.core.server.AbstractServiceEndpointInvoker.invoke(AbstractServiceEndpointInvoker.java:207)
| at org.jboss.ws.core.server.ServiceEndpoint.processRequest(ServiceEndpoint.java:212)
| at org.jboss.ws.core.server.ServiceEndpointManager.processRequest(ServiceEndpointManager.java:448)
| at org.jboss.ws.core.server.AbstractServiceEndpointServlet.doPost(AbstractServiceEndpointServlet.java:114)
| at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
| at org.jboss.ws.core.server.AbstractServiceEndpointServlet.service(AbstractServiceEndpointServlet.java:75)
| at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
| at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
| at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
| at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
| at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
| at java.lang.Thread.run(Thread.java:595)
|
I can't find the errormessage in this forum or the internet (except the sourcecode of jboss)
The error comes clear to the client as SOAP Fault:
anonymous wrote :
| Exception in thread "main" AxisFault
| faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenUnavailable
| faultSubcode:
| faultString: Could not locate certificate by issuer and serial number
| faultActor:
| faultNode:
| faultDetail:
| {http://xml.apache.org/axis/}stackTrace:Could not locate certificate by issuer and serial number
| .... CUT
|
What can happend?
Now to my little client:
| public static void main(String[] args) throws Exception {
| URL url = new URL(
| "http://127.0.0.1:8080/WSFacadeSessionService/WSFacadeSession?wsdl");
|
| QName qname = new QName("http://model.nhb.cerebral.de",
| "WSFacadeService");
|
| ServiceFactory factory = ServiceFactory.newInstance();
| Service service = factory.createService(url, qname);
|
| WSFacadeEndpoint endpoint = (WSFacadeEndpoint) service
| .getPort(WSFacadeEndpoint.class);
|
| int a = 5;
| int b = 7;
| int sum = endpoint.add(a, b);
|
| System.out.println(a + " + " + b + " = " + sum);
|
| }
|
My PWCallback simple set the password. (Its only a testbed, u can know the stupid passwd :-))
| public void handle(Callback[] callbacks) throws IOException,
| UnsupportedCallbackException {
|
| for (int i = 0; i < callbacks.length; i++) {
| if (callbacks instanceof WSPasswordCallback) {
| WSPasswordCallback pc = (WSPasswordCallback) callbacks;
|
| pc.setPassword("guenthermuh");
|
| } else {
| throw new UnsupportedCallbackException(callbacks,
| "Unrecognized Callback");
| }
| }
| }
|
Now the DDs:
client-config.wsdd:
| <deployment xmlns="http://xml.apache.org/axis/wsdd/"
| xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
| <transport name="http"
| pivot="java:org.apache.axis.transport.http.HTTPSender" />
| <globalConfiguration>
| <requestFlow>
| <handler
| type="java:org.apache.ws.axis.security.WSDoAllSender">
| <parameter name="action" value="Signature" />
| <parameter name="user" value="clientcert" />
| <parameter name="passwordCallbackClass"
| value="PWCallback" />
| <parameter name="signaturePropFile"
| value="crypto.properties" />
| <parameter name="mustUnderstand" value="true" />
| </handler>
| </requestFlow>
| <responseFlow>
| <handler
| type="java:org.apache.ws.axis.security.WSDoAllReceiver">
| <parameter name="action" value="Signature" />
| <parameter name="signaturePropFile"
| value="crypto.properties" />
| </handler>
| </responseFlow>
| </globalConfiguration>
| </deployment>
|
my crypto.properties:
| org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
| org.apache.ws.security.crypto.merlin.keystore.type=jks
| org.apache.ws.security.crypto.merlin.file=client.keystore
| org.apache.ws.security.crypto.merlin.keystore.alias=clientcert
| org.apache.ws.security.crypto.merlin.keystore.password=guenthermuh
| org.apache.ws.security.crypto.merlin.alias.password=guenthermuh
|
To the certificates later.
Now the JBoss-server:
in the webservices.xml in the port-component-block i added this:
| <endpoint-config>
|
| <config-name>Standard Secure Endpoint</config-name>
| <handler-config>
| <handler-chain>
| <handler-chain-name>
| SecureHandlerChain
| </handler-chain-name>
| <handler>
| <handler-name>
| WSSecurityHandlerInbound
| </handler-name>
| <handler-class>
| org.jboss.ws.extensions.security.jaxrpc.WSSecurityHandlerInbound
| </handler-class>
| </handler>
| </handler-chain>
| </handler-config>
| <endpoint-config>
|
my jboss-wsse-server.xml:
| <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
| xsi:schemaLocation="http://www.jboss.com/ws-security/config
| http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
| <key-store-file>META-INF/wsse.keystore</key-store-file>
| <key-store-password>guenthermuh</key-store-password>
| <trust-store-file>META-INF/wsse.truststore</trust-store-file>
| <trust-store-password>guenthermuh</trust-store-password>
| <config>
| <!-- <timestamp ttl="15" /> -->
| <sign type="x509v1" alias="wsse" />
| <!-- <encrypt type="x509v3" alias="wsse" /> -->
| <requires>
| <signature />
| </requires>
| </config>
| </jboss-ws-security>
|
to "sign type="x509v1" " - the same error exist with x509x3 as type definition
I can post the webservice request when you want.It has the security-header etc.
To the certificates: i generated all with the keytool like the schema described here in the forums.
alice (JBoss) has in his wsse.keystore there own private and public-key (signed) and i imported the public-key from Bob (signed too). the wsse.truststore only has the public-key from alice. (Alias: wsse)
Bob has only a keystore: client.keystore - alias: clientcert.
it included his own private and publickey (signed) and the publickey from alice (signed too).
so, what is wrong? :-)
And does i need the WSSecurityHandlerOutbound for a fullsecure communication?
Thanks
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4051413#4051413
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4051413
More information about the jboss-user
mailing list