JBossWS with JBoss 4.2.0 and Axis 1.4 don't work with WSSecu
bigdaddy66 Jun 5, 2007 11:10 AM
Hi,
I want to set up a testbed for secure communication between JBoss 4.2.0 and Axis 1.4 with WSS4J 1.5.2.
I have already set up a WSFacade (EJB 2.1) with a simple add method that sums two integers. The method works (the whole WSFacade has more methods, all of which are already in use and working fine).
Now I want to set up WS-Security with WSS4J: no authentication, only signing and encryption between the server (JBoss) and the client (Axis).
I developed a simple standalone J2SE application which successfully calls the add method and gets the result; all fine without signing etc.
Now, with signing, I receive the following error message in the JBoss console:
16:51:27,394 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
org.jboss.ws.extensions.security.SecurityTokenUnavailableException: Could not locate certificate by issuer and serial number
at org.jboss.ws.extensions.security.KeyResolver.resolveX509IssuerSerial(KeyResolver.java:122)
at org.jboss.ws.extensions.security.KeyResolver.resolve(KeyResolver.java:92)
at org.jboss.ws.extensions.security.KeyResolver.resolveCertificate(KeyResolver.java:129)
at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:139)
at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:159)
at org.jboss.ws.extensions.security.element.Signature.<init>(Signature.java:56)
at org.jboss.ws.extensions.security.element.SecurityHeader.<init>(SecurityHeader.java:87)
at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:182)
at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleInbound(WSSecurityDispatcher.java:145)
at org.jboss.ws.extensions.security.jaxrpc.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:66)
at org.jboss.ws.extensions.security.jaxrpc.WSSecurityHandlerInbound.handleRequest(WSSecurityHandlerInbound.java:42)
at org.jboss.ws.core.jaxrpc.handler.HandlerWrapper.handleRequest(HandlerWrapper.java:121)
at org.jboss.ws.core.jaxrpc.handler.HandlerChainBaseImpl.handleRequestInternal(HandlerChainBaseImpl.java:291)
at org.jboss.ws.core.jaxrpc.handler.HandlerChainBaseImpl.handleRequest(HandlerChainBaseImpl.java:251)
at org.jboss.ws.core.jaxrpc.handler.ServerHandlerChain.handleRequest(ServerHandlerChain.java:54)
at org.jboss.ws.core.jaxrpc.handler.HandlerDelegateJAXRPC.callRequestHandlerChain(HandlerDelegateJAXRPC.java:108)
at org.jboss.ws.integration.jboss42.ServiceEndpointInvokerEJB21$HandlerCallback.callRequestHandlerChain(ServiceEndpointInvokerEJB21.java:248)
at org.jboss.ws.integration.jboss42.ServiceEndpointInterceptor.invoke(ServiceEndpointInterceptor.java:83)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
at org.jboss.ejb.Container.invoke(Container.java:960)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.ws.integration.jboss42.ServiceEndpointInvokerEJB21.invokeServiceEndpointInstance(ServiceEndpointInvokerEJB21.java:189)
at org.jboss.ws.core.server.AbstractServiceEndpointInvoker.invoke(AbstractServiceEndpointInvoker.java:207)
at org.jboss.ws.core.server.ServiceEndpoint.processRequest(ServiceEndpoint.java:212)
at org.jboss.ws.core.server.ServiceEndpointManager.processRequest(ServiceEndpointManager.java:448)
at org.jboss.ws.core.server.AbstractServiceEndpointServlet.doPost(AbstractServiceEndpointServlet.java:114)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at org.jboss.ws.core.server.AbstractServiceEndpointServlet.service(AbstractServiceEndpointServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:595)
I can't find the error message in this forum or on the internet (except in the JBoss source code).
The error reaches the client as a SOAP fault:
Exception in thread "main" AxisFault
faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenUnavailable
faultSubcode:
faultString: Could not locate certificate by issuer and serial number
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:Could not locate certificate by issuer and serial number
.... CUT
What could have happened?
Now to my little client:
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceFactory;

public class Client { // enclosing class name assumed; the post only shows main()
    public static void main(String[] args) throws Exception {
        // Fetch the WSDL and build a dynamic JAX-RPC proxy for the WSFacade endpoint
        URL url = new URL("http://127.0.0.1:8080/WSFacadeSessionService/WSFacadeSession?wsdl");
        QName qname = new QName("http://model.nhb.cerebral.de", "WSFacadeService");
        ServiceFactory factory = ServiceFactory.newInstance();
        Service service = factory.createService(url, qname);
        WSFacadeEndpoint endpoint = (WSFacadeEndpoint) service.getPort(WSFacadeEndpoint.class);
        int a = 5;
        int b = 7;
        int sum = endpoint.add(a, b);
        System.out.println(a + " + " + b + " = " + sum);
    }
}
My PWCallback simply sets the password. (It's only a testbed, you can know the stupid password :-))
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            // WSS4J asks for the private-key password of the signing alias through this callback
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                pc.setPassword("guenthermuh");
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
Now the DDs:
client-config.wsdd:
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender" />
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Signature" />
        <parameter name="user" value="clientcert" />
        <parameter name="passwordCallbackClass" value="PWCallback" />
        <parameter name="signaturePropFile" value="crypto.properties" />
        <parameter name="mustUnderstand" value="true" />
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="Signature" />
        <parameter name="signaturePropFile" value="crypto.properties" />
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>
my crypto.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.file=client.keystore
org.apache.ws.security.crypto.merlin.keystore.alias=clientcert
org.apache.ws.security.crypto.merlin.keystore.password=guenthermuh
org.apache.ws.security.crypto.merlin.alias.password=guenthermuh
More on the certificates later.
Now the JBoss server:
In webservices.xml, in the port-component block, I added this:
<endpoint-config>
  <config-name>Standard Secure Endpoint</config-name>
  <handler-config>
    <handler-chain>
      <handler-chain-name>SecureHandlerChain</handler-chain-name>
      <handler>
        <handler-name>WSSecurityHandlerInbound</handler-name>
        <handler-class>org.jboss.ws.extensions.security.jaxrpc.WSSecurityHandlerInbound</handler-class>
      </handler>
    </handler-chain>
  </handler-config>
</endpoint-config>
my jboss-wsse-server.xml:
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  <key-store-file>META-INF/wsse.keystore</key-store-file>
  <key-store-password>guenthermuh</key-store-password>
  <trust-store-file>META-INF/wsse.truststore</trust-store-file>
  <trust-store-password>guenthermuh</trust-store-password>
  <config>
    <!-- <timestamp ttl="15" /> -->
    <sign type="x509v1" alias="wsse" />
    <!-- <encrypt type="x509v3" alias="wsse" /> -->
    <requires>
      <signature />
    </requires>
  </config>
</jboss-ws-security>
Regarding sign type="x509v1": the same error exists with x509v3 as the type definition.
I can post the web service request if you want. It has the security header etc.
On the certificates: I generated them all with keytool, following the scheme described here in the forums.
Alice (JBoss) has her own private and public key (signed) in her wsse.keystore, and I imported the public key from Bob (signed too). The wsse.truststore only has the public key from Alice (alias: wsse).
Bob has only a keystore, client.keystore (alias: clientcert).
It contains his own private and public key (signed) and the public key from Alice (signed too).
So, what is wrong? :-)
And do I need the WSSecurityHandlerOutbound for fully secure communication?
Thanks
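A model of the lookup named in the fault, added here as an example and not code from the post or from JBossWS: a signature's KeyInfo of the X509IssuerSerial kind carries only the signer's issuer DN and serial number, so the receiver can verify the signature only if a certificate with exactly that issuer and serial is present in its trust store. The example is in Go with constructed self-signed certificates standing in for the keytool-generated ones (assumption: self-signed, so issuer equals subject); it shows the lookup failing while the server trust store holds only the server's own certificate and succeeding once the client's certificate is in it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed self-signed certificate (assumption: issuer == subject,
// as keytool -genkey produces by default); it stands in for the post's keystore entries.
func selfSigned(cn string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// resolveIssuerSerial models the receiver-side lookup behind the fault: the KeyInfo names
// only issuer DN and serial number, so a matching certificate must be in the trust store.
func resolveIssuerSerial(trust []*x509.Certificate, issuer string, serial *big.Int) (*x509.Certificate, error) {
	for _, c := range trust {
		if c.Issuer.String() == issuer && c.SerialNumber.Cmp(serial) == 0 {
			return c, nil
		}
	}
	return nil, fmt.Errorf("could not locate certificate by issuer and serial number (%s / %d)", issuer, serial)
}

func main() {
	alice, bob := selfSigned("wsse", 1), selfSigned("clientcert", 2) // server cert, client signing cert
	trust := []*x509.Certificate{alice} // trust store holding only alice, as described in the post
	_, err := resolveIssuerSerial(trust, bob.Issuer.String(), bob.SerialNumber)
	fmt.Println("only alice trusted:", err)
	c, err := resolveIssuerSerial(append(trust, bob), bob.Issuer.String(), bob.SerialNumber)
	fmt.Println("with bob trusted:", c.Subject.CommonName, err)
}
```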