12 Replies Latest reply: Mar 16, 2012 7:44 PM by spyhunter99 RSS

    @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side

    Claudio Miranda Novice

      Hi, my environment is:

      - JBoss EAP 5.1.2

      - Linux

      - JDK 6 update 30

       

      There is an EJB annotated as webservice with auth as CLIENT-CERT. But testing from wsrunclient.sh throws WSException: Invalid HTTP server response [401] - Unauthorized

       

      Caused by: org.jboss.ws.WSException: Invalid HTTP server response [401] - Unauthorized

              at org.jboss.ws.core.soap.SOAPMessageUnMarshallerHTTP.read(SOAPMessageUnMarshallerHTTP.java:75)

              at org.jboss.remoting.transport.http.HTTPClientInvoker.readResponse(HTTPClientInvoker.java:608)

              at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:402)

              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:253)

       

       

      I have configured my application as following, sorry for the long post, but I want to give yout the relevant details of my test.

       

      I have searched jbossws forums, found and example using CLIENT-CERT with POJO and Servlets. But was unable to fix it.

       

      Thanks

       

       

      The server application is an EAR file that packages the EJB module

      jaas-ms-ejb-ear.ear/

      |-- jaas-ms-ejb-ws-1.0.0.jar

      |   |-- br

      |   |   `-- com

      |   |       `-- myapp

      |   |           `-- jaas

      |   |               |-- IPesquisarUsuario.class

      |   |               `-- PesquisarUsuarioEjbService.class

      |   |-- META-INF

      |   |   |-- myapp-jaxws-endpoint-config.xml

      |   |   |-- jboss-wsse-server.xml

      |   |   |-- MANIFEST.MF

      |   |-- server_jbossws.jks

      |   `-- server_jbossws_truststore.jks

      |-- lib

      |   |-- jaas-ms-1.1.4.jar

      |   `-- myapp-lib-client-2.1.2.jar

      `-- META-INF

          |-- application.xml

          |-- MANIFEST.MF

       

      The files content is

       

      PesquisarUsuarioEjbService.java

      package br.com.myapp.jaas;
      
      import java.util.logging.Logger;
      
      import javax.annotation.security.PermitAll;
      import javax.ejb.Stateless;
      import javax.jws.HandlerChain;
      import javax.jws.WebMethod;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;
      import javax.jws.soap.SOAPBinding.Style;
      import javax.security.auth.Subject;
      import javax.security.jacc.PolicyContext;
      import javax.security.jacc.PolicyContextException;
      
      import org.jboss.ejb3.annotation.SecurityDomain;
      import org.jboss.ws.annotation.EndpointConfig;
      import org.jboss.wsf.spi.annotation.WebContext;
      
      import myapp.*;
      
      @SOAPBinding(style = Style.RPC)
      @WebService(endpointInterface="br.com.myapp.jaas.IPesquisarUsuario", targetNamespace="http://jaas.myapp.com.br/")
      //@EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @EndpointConfig(configFile = "META-INF/myapp-jaxws-endpoint-config.xml", configName="MyApp WSSecurity Endpoint")
      @Stateless
      @WebContext(contextRoot = "/jaas-cert", secureWSDLAccess=false, authMethod="CLIENT-CERT", transportGuarantee="NONE")
      @SecurityDomain("UserCertPolicy")
      @PermitAll()
      public class PesquisarUsuarioEjbService  implements IPesquisarUsuario {
      
           private static Logger log = Logger.getLogger(PesquisarUsuarioEjbService.class.getName());
           /** The JACC PolicyContext key for the current Subject */
           private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
      
           @WebMethod
           public String pesquisar(String nome) {
      
                // SecurityContextAssociation.getSecurityContext().getUtil().getSubject()
                try {
                     Subject subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
                  PerfilPrincipal perfil = subject.getPrincipals(PerfilPrincipal.class).iterator().next();
                     log.info(perfil.getUsuario().getNome());
                     for (PerfilWrapper perfilWrapper : perfil.getPerfis()) {
                          log.info(perfilWrapper.getPerfil().getNome());
                     }
                     log.info("received = " + nome);
                } catch (PolicyContextException e) {
                     e.printStackTrace();
                }
                return nome + " results: ";
           }
      
      }
      
      

       

      myapp-jaxws-endpoint-config.xml

       

      <?xml version="1.0" encoding="UTF-8"?>
      
      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
        xsi:schemaLocation="urn:jboss:jaxws-config:2.0 schema/jaxws-config_2_0.xsd">
      
        <endpoint-config>
          <config-name>Datasus WSSecurity Endpoint</config-name>
          <post-handler-chains>
            <javaee:handler-chain>
              <javaee:protocol-bindings>##SOAP11_HTTP ##SOAP11_HTTP_MTOM</javaee:protocol-bindings>
              <javaee:handler>
                <javaee:handler-name>Autorizacao Handler</javaee:handler-name>
                <javaee:handler-class>br.com.myapp.jaas.spi.AutorizacaoWSHandler</javaee:handler-class>
              </javaee:handler>
              <javaee:handler>
                <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
                <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
              </javaee:handler>
              <javaee:handler>
                <javaee:handler-name>Recording Handler</javaee:handler-name>
                <javaee:handler-class>org.jboss.wsf.framework.invocation.RecordingServerHandler</javaee:handler-class>
              </javaee:handler>
            </javaee:handler-chain>
          </post-handler-chains>
        </endpoint-config>
      
       </jaxws-config>
      

      jboss-wsse-server.xml

       

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
          xmlns:xsi="http://ww.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.jboss.com/ws-security/config
                            http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      
          <key-store-file>server_jbossws.jks</key-store-file>
          <key-store-password>admin123</key-store-password>
          <trust-store-file>server_jbossws_truststore.jks</trust-store-file>
          <trust-store-password>admin123</trust-store-password>
      
          <key-passwords>
              <key-password alias="server_jbossws" password="admin123"/>
          </key-passwords>
          <config>
              <sign  type="x509v3" alias="server_jbossws" includeTimestamp="false"/>
              <encrypt type="x509v3" alias="client_jbossws" />
              <requires>
                  <signature/>
                  <encryption/>
              </requires>
              <authenticate>
                  <signatureCertAuth certificatePrincipal="br.com.myapp.jaas.spi.SubjectMapper"/>
              </authenticate>
          </config>    
      </jboss-ws-security>
      

       

      server_jbossws.jks

       
      $ keytool -list -v -keystore jaas-ms-ejb-ear.ear/jaas-ms-ejb-ws-1.0.0.jar/server_jbossws.jks -storepass admin123
      
      Keystore type: JKS
      Keystore provider: SUN
      
      Your keystore contains 2 entries
      
      Alias name: server_jbossws
      Creation date: Mar 7, 2012
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57ba78
      Valid from: Wed Mar 07 16:43:52 BRT 2012 until: Tue Jun 05 16:43:52 BRT 2012
      Certificate fingerprints:
               MD5:  77:15:35:EA:A5:01:70:BB:FD:3D:99:11:7B:36:E8:3F
               SHA1: C0:68:43:28:D9:D9:6F:B7:75:62:02:0F:75:F8:19:D4:E8:50:24:C5
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      
      *******************************************
      *******************************************
      
      
      Alias name: client_jbossws
      Creation date: Mar 7, 2012
      Entry type: trustedCertEntry
      
      Owner: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57baa3
      Valid from: Wed Mar 07 16:44:35 BRT 2012 until: Tue Jun 05 16:44:35 BRT 2012
      Certificate fingerprints:
               MD5:  78:48:E3:54:2D:85:7F:62:C7:48:2D:22:D3:DB:56:49
               SHA1: 15:D9:AB:33:2E:A2:BD:52:08:A0:1B:1F:16:C6:60:A2:29:A4:53:7D
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      

      server_jbossws_truststore.jks

      $ keytool -list -v -keystore jaas-ms-ejb-ear.ear/jaas-ms-ejb-ws-1.0.0.jar/server_jbossws_truststore.jks -storepass admin123
      
      Keystore type: JKS
      Keystore provider: SUN
      
      Your keystore contains 2 entries
      
      Alias name: server_jbossws
      Creation date: Mar 7, 2012
      Entry type: trustedCertEntry
      
      Owner: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57ba78
      Valid from: Wed Mar 07 16:43:52 BRT 2012 until: Tue Jun 05 16:43:52 BRT 2012
      Certificate fingerprints:
               MD5:  77:15:35:EA:A5:01:70:BB:FD:3D:99:11:7B:36:E8:3F
               SHA1: C0:68:43:28:D9:D9:6F:B7:75:62:02:0F:75:F8:19:D4:E8:50:24:C5
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      
      *******************************************
      *******************************************
      
      
      Alias name: client_jbossws
      Creation date: Mar 8, 2012
      Entry type: trustedCertEntry
      
      Owner: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57baa3
      Valid from: Wed Mar 07 16:44:35 BRT 2012 until: Tue Jun 05 16:44:35 BRT 2012
      Certificate fingerprints:
               MD5:  78:48:E3:54:2D:85:7F:62:C7:48:2D:22:D3:DB:56:49
               SHA1: 15:D9:AB:33:2E:A2:BD:52:08:A0:1B:1F:16:C6:60:A2:29:A4:53:7D
               Signature algorithm name: SHA1withRSA
               Version: 3
      

      Server log at initialization

       
      
      ServerEndpointMetaData:
       type=JAXWS
       qname={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort
       id=jboss.ws:context=jaas-cert,endpoint=PesquisarUsuarioEjbService
       address=http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService
       binding=http://schemas.xmlsoap.org/wsdl/soap/http
       linkName=PesquisarUsuarioEjbService
       implName=br.com.myapp.jaas.PesquisarUsuarioEjbService
       seiName=br.com.myapp.jaas.IPesquisarUsuario
       serviceMode=null
       portComponentName=null
       contextRoot=/jaas-cert
       urlPattern=/PesquisarUsuarioEjbService
       configFile=META-INF/myapp-jaxws-endpoint-config.xml
       configName=MyApp WSSecurity Endpoint
       authMethod=CLIENT-CERT
       transportGuarantee=null
       secureWSDLAccess=false
       properties={}
      
      OperationMetaData:
       qname={http://jaas.myapp.com.br/}pesquisar
       javaName=pesquisar
       style=document/literal/WRAPPED
       oneWay=false
       soapAction=
      ParameterMetaData:
       xmlName={http://jaas.myapp.com.br/}pesquisar
       partName=pesquisar
       xmlType={http://jaas.myapp.com.br/}pesquisar
       javaType=br.com.myapp.jaas.jaxws.Pesquisar
       mode=IN
       inHeader=false
       index=0
       wrappedParameters=[[name = arg0, type = java.lang.String, typeArgs = null, variable = arg0, index = 0]]
      ReturnMetaData:
       xmlName={http://jaas.myapp.com.br/}pesquisarResponse
       partName=pesquisarResponse
       xmlType={http://jaas.myapp.com.br/}pesquisarResponse
       javaType=br.com.myapp.jaas.jaxws.PesquisarResponse
       mode=OUT
       inHeader=false
       index=-1
       wrappedParameters=[[name = return, type = java.lang.String, typeArgs = null, variable = return, index = -1]]
      
      HandlerMetaDataJAXWS:
       type=POST
       name=Autorizacao Handler
       class=class br.com.myapp.jaas.spi.AutorizacaoWSHandler
       params=[]
       protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
       services=null
       ports=null
      
      HandlerMetaDataJAXWS:
       type=POST
       name=WSSecurity Handler
       class=class org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer
       params=[]
       protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
       services=null
       ports=null
      
      HandlerMetaDataJAXWS:
       type=POST
       name=Recording Handler
       class=class org.jboss.wsf.framework.invocation.RecordingServerHandler
       params=[]
       protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
       services=null
       ports=null
      
      

       

      Client organization

      jaas-ms-client/

      |-- bin

      |   |-- br

      |   |   `-- com

      |   |       `-- myapp

      |   |           `-- jaas

      |   |               |-- IPesquisarUsuario.class

      |   |               `-- spi

      |   |                   |-- AutorizacaoWSHandler.class

      |   |                   |-- MsUsernameTokenLoginModule.class

      |   |                   |-- SubjectMapper.class

      |   |                   `-- UserCertLoginModule.class

      |   |-- JaasAuthClient.class

      |   |-- JaasAuthClientSetup.class

      |   |-- log4j.properties

      |   `-- META-INF

      |       |-- client_jbossws.jks

      |       |-- client_jbossws_truststore.jks

      |       |-- myapp-jaxws-client-config.xml

      |       |-- jboss-wsse-client.xml

      |       `-- standard-jaxws-client-config.xml

      Client java class

      public class JaasAuthClient {
      
          public static void main(String[] args) throws Exception {
              JaasAuthClientSetup setup = new JaasAuthClientSetup();
              IPesquisarUsuario wsPesq = setup.getPesquisarUsuarioEjbServicePort();
              StubExt stubExt = (StubExt) wsPesq;
              
              stubExt.setConfigName("Standard WSSecurity Client");
              
              System.out.println("========================================" );
              System.out.println("=====>  config name =  " + stubExt.getConfigName());
              System.out.println("=====>  config file =  " + stubExt.getConfigFile());
              System.out.println("=====>  security config =  " + stubExt.getSecurityConfig());
              System.out.println("========================================" );
              String res = wsPesq.pesquisar("claudio");
              System.out.println("resultado ws: " + res);
          }
          
      }
      
      @WebServiceClient(name="PesquisarUsuarioEjbServiceService",  targetNamespace="http://jaas.myapp.com.br/", 
          wsdlLocation="http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService?wsdl")
      public class JaasAuthClientSetup extends Service {
      
          public JaasAuthClientSetup() throws MalformedURLException {
              super(new URL("http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService?wsdl"), 
                      new QName("http://jaas.myapp.com.br/", "PesquisarUsuarioEjbServiceService"));
          }
          
          public JaasAuthClientSetup(URL wsdlDocumentLocation, QName serviceName) {
              super(wsdlDocumentLocation, serviceName);
          }
      
          @WebEndpoint(name="PesquisarUsuarioEjbServicePort")
          public IPesquisarUsuario getPesquisarUsuarioEjbServicePort() {
              return (IPesquisarUsuario) super.getPort(new QName("http://jaas.myapp.com.br/", "PesquisarUsuarioEjbServicePort"), 
                      IPesquisarUsuario.class);
          }
      
      
      }
      

       

      jboss-wsse-client.xml

       

      <jboss-ws-security 
          xmlns="http://www.jboss.com/ws-security/config"
          xmlns:xsi="http://ww.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.jboss.com/ws-security/config
                            http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      
          <key-store-file>META-INF/client_jbossws.jks</key-store-file>
          <key-store-password>admin123</key-store-password>
          <key-store-type>jks</key-store-type>
          <trust-store-file>META-INF/client_jbossws_truststore.jks</trust-store-file>
          <trust-store-password>admin123</trust-store-password>
          <trust-store-type>jks</trust-store-type>
      
          <key-passwords>
              <key-password alias="client_jbossws" password="admin123"/>
          </key-passwords>
          <config>
              <sign  type="x509v3" alias="client_jbossws" />
              <encrypt type="x509v3" alias="server_jbossws"/>
              <requires>
                  <signature />
                  <encryption />
              </requires>
          </config>
      
      </jboss-ws-security>
      

      standard-jaxws-client-config.xml

       

      <?xml version="1.0" encoding="UTF-8"?>
      
      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
        xsi:schemaLocation="urn:jboss:jaxws-config:2.0 schema/jaxws-config_2_0.xsd">
      
        <client-config>
          <config-name>Standard WSSecurity Client</config-name>
          <post-handler-chains>
            <javaee:handler-chain>
              <javaee:protocol-bindings>##SOAP11_HTTP ##SOAP11_HTTP_MTOM</javaee:protocol-bindings>
              <javaee:handler>
                <javaee:handler-name>WSSecurityHandlerOutbound</javaee:handler-name>
                <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient</javaee:handler-class>
              </javaee:handler>
            </javaee:handler-chain>
          </post-handler-chains>
        </client-config>
      
      </jaxws-config>
      

      client_jbossws_truststore.jks

      $ keytool -list -v -keystore src/META-INF/client_jbossws_truststore.jks  -storepass admin123
      
      Keystore type: JKS
      Keystore provider: SUN
      
      Your keystore contains 2 entries
      
      Alias name: client_jbossws
      Creation date: Mar 7, 2012
      Entry type: trustedCertEntry
      
      Owner: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57baa3
      Valid from: Wed Mar 07 16:44:35 BRT 2012 until: Tue Jun 05 16:44:35 BRT 2012
      Certificate fingerprints:
               MD5:  78:48:E3:54:2D:85:7F:62:C7:48:2D:22:D3:DB:56:49
               SHA1: 15:D9:AB:33:2E:A2:BD:52:08:A0:1B:1F:16:C6:60:A2:29:A4:53:7D
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      
      *******************************************
      *******************************************
      
      
      Alias name: server_jbossws
      Creation date: Mar 8, 2012
      Entry type: trustedCertEntry
      
      Owner: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57ba78
      Valid from: Wed Mar 07 16:43:52 BRT 2012 until: Tue Jun 05 16:43:52 BRT 2012
      Certificate fingerprints:
               MD5:  77:15:35:EA:A5:01:70:BB:FD:3D:99:11:7B:36:E8:3F
               SHA1: C0:68:43:28:D9:D9:6F:B7:75:62:02:0F:75:F8:19:D4:E8:50:24:C5
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      
      *******************************************
      *******************************************
      
      

      client_jbossws.jks

      $ keytool -list -v -keystore src/META-INF/client_jbossws.jks  -storepass admin123
      
      Keystore type: JKS
      Keystore provider: SUN
      
      Your keystore contains 2 entries
      
      Alias name: client_jbossws
      Creation date: Mar 7, 2012
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws client, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57baa3
      Valid from: Wed Mar 07 16:44:35 BRT 2012 until: Tue Jun 05 16:44:35 BRT 2012
      Certificate fingerprints:
               MD5:  78:48:E3:54:2D:85:7F:62:C7:48:2D:22:D3:DB:56:49
               SHA1: 15:D9:AB:33:2E:A2:BD:52:08:A0:1B:1F:16:C6:60:A2:29:A4:53:7D
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      
      *******************************************
      *******************************************
      
      
      Alias name: server_jbossws
      Creation date: Mar 7, 2012
      Entry type: trustedCertEntry
      
      Owner: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Issuer: CN=jbossws server, OU=myapp, O=min_myapp, L=Brasilia, ST=DF, C=BR
      Serial number: 4f57ba78
      Valid from: Wed Mar 07 16:43:52 BRT 2012 until: Tue Jun 05 16:43:52 BRT 2012
      Certificate fingerprints:
               MD5:  77:15:35:EA:A5:01:70:BB:FD:3D:99:11:7B:36:E8:3F
               SHA1: C0:68:43:28:D9:D9:6F:B7:75:62:02:0F:75:F8:19:D4:E8:50:24:C5
               Signature algorithm name: SHA1withRSA
               Version: 3
      
      
      *******************************************
      *******************************************
      
      

      The relevant client log

       
      $ /opt/jboss-eap-5.1.2/jboss-as/bin/wsrunclient.sh -classpath bin/ JaasAuthClient
      DEBUG [main] - START: rebuildMetaData
      DEBUG [main] - setParameterStyle: null
      DEBUG [main] - Create new config [name=Standard Client,file=META-INF/standard-jaxws-client-config.xml]
      DEBUG [main] - getConfig: [name=Standard Client,url=META-INF/standard-jaxws-client-config.xml]
      DEBUG [main] - parse: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/standard-jaxws-client-config.xml
      DEBUG [main] - Created parser: org.apache.xerces.jaxp.SAXParserImpl@1efb4be, isNamespaceAware: true, isValidating: true, isXIncludeAware: true
      DEBUG [main] - http://xml.org/sax/features/validation set to: true
      DEBUG [main] - http://xml.org/sax/features/namespaces set to: true
      DEBUG [main] - http://apache.org/xml/features/validation/dynamic set to: true
      DEBUG [main] - http://xml.org/sax/features/validation set to: true
      DEBUG [main] - http://apache.org/xml/features/validation/schema set to: true
      DEBUG [main] - Created parser: org.apache.xerces.jaxp.SAXParserImpl@1efb4be, isNamespaceAware: true, isValidating: true, isXIncludeAware: true
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/jaxws-config_2_0.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/javaee_web_services_1_2.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/javaee_5.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=http://www.w3.org/2001/xml.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/javaee_web_services_client_1_2.xsd]
      DEBUG [main] - Configure EndpointMetaData
      DEBUG [main] - Added 0 PRE handlers
      DEBUG [main] - Added 0 ENDPOINT handlers
      DEBUG [main] - Added 1 POST handlers
      DEBUG [main] - Using default parameter style: WRAPPED
      DEBUG [main] - Generating wrapper: br.com.myapp.jaas.jaxws.Pesquisar
      DEBUG [main] - Generating wrapper: br.com.myapp.jaas.jaxws.PesquisarResponse
      DEBUG [main] - JAXBContext [types=[class br.com.myapp.jaas.jaxws.Pesquisar, class br.com.myapp.jaas.jaxws.PesquisarResponse],tns=http://jaas.myapp.com.br/]
      DEBUG [main] - Found best matching java method: public abstract java.lang.String br.com.myapp.jaas.IPesquisarUsuario.pesquisar(java.lang.String)
      DEBUG [main] - END: rebuildMetaData
      
      ServiceMetaData:
       qname={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService
       refName=null
       wsdName=null
       wsdlFile=null
       wsdlLocation=http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService?wsdl
       jaxrpcMapping=null
       publishLocation=null
       securityConfig=null
       properties=null
      
      TypesMetaData: 
        [complexType={http://jaas.myapp.com.br/}pesquisar,javaType=br.com.myapp.jaas.jaxws.Pesquisar]
        [complexType={http://jaas.myapp.com.br/}pesquisarResponse,javaType=br.com.myapp.jaas.jaxws.PesquisarResponse]
                          
      
      ClientEndpointMetaData:
       type=JAXWS
       qname={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort
       address=http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService
       binding=http://schemas.xmlsoap.org/wsdl/soap/http
       seiName=br.com.myapp.jaas.IPesquisarUsuario
       configFile=META-INF/standard-jaxws-client-config.xml
       configName=Standard Client
       authMethod=null
       properties={}
      
      OperationMetaData:
       qname={http://jaas.myapp.com.br/}pesquisar
       javaName=pesquisar
       style=document/literal/WRAPPED
       oneWay=false
       soapAction=
      ParameterMetaData:
       xmlName={http://jaas.myapp.com.br/}pesquisar
       partName=pesquisar
       xmlType={http://jaas.myapp.com.br/}pesquisar
       javaType=br.com.myapp.jaas.jaxws.Pesquisar
       mode=IN
       inHeader=false
       index=0
       wrappedParameters=[[name = arg0, type = java.lang.String, typeArgs = null, variable = arg0, index = 0]]
      ReturnMetaData:
       xmlName={http://jaas.myapp.com.br/}pesquisarResponse
       partName=pesquisarResponse
       xmlType={http://jaas.myapp.com.br/}pesquisarResponse
       javaType=br.com.myapp.jaas.jaxws.PesquisarResponse
       mode=OUT
       inHeader=false
       index=-1
       wrappedParameters=[[name = return, type = java.lang.String, typeArgs = null, variable = return, index = -1]]
      
      HandlerMetaDataJAXWS:
       type=POST
       name=WSSecurityHandlerOutbound
       class=class org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient
       params=[]
       protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
       services=null
       ports=null
      DEBUG [main] - Configure SOAPBinding
      DEBUG [main] - initHandlerChain: PRE
      DEBUG [main] - initHandlerChain: ENDPOINT
      DEBUG [main] - initHandlerChain: POST
      DEBUG [main] - addHandler: 
      HandlerMetaDataJAXWS:
       type=POST
       name=WSSecurityHandlerOutbound
       class=class org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient
       params=[]
       protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
       services=null
       ports=null
      DEBUG [main] - getHandlerChain: [type=PRE,info=[service={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService,port={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort,binding=http://schemas.xmlsoap.org/wsdl/soap/http]]
      DEBUG [main] - getHandlerChain: [type=POST,info=[service={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService,port={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort,binding=http://schemas.xmlsoap.org/wsdl/soap/http]]
      DEBUG [main] - getHandlerChain: [type=ENDPOINT,info=[service={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService,port={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort,binding=http://schemas.xmlsoap.org/wsdl/soap/http]]
      DEBUG [main] - setHandlerChain: []
      DEBUG [main] - No port configuration for: {http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort
      DEBUG [main] - Create new config [name=Standard WSSecurity Client,file=META-INF/standard-jaxws-client-config.xml]
      DEBUG [main] - getConfig: [name=Standard WSSecurity Client,url=META-INF/standard-jaxws-client-config.xml]
      DEBUG [main] - parse: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/standard-jaxws-client-config.xml
      DEBUG [main] - Created parser: org.apache.xerces.jaxp.SAXParserImpl@146b6db, isNamespaceAware: true, isValidating: true, isXIncludeAware: true
      DEBUG [main] - http://xml.org/sax/features/validation set to: true
      DEBUG [main] - http://xml.org/sax/features/namespaces set to: true
      DEBUG [main] - http://apache.org/xml/features/validation/dynamic set to: true
      DEBUG [main] - http://xml.org/sax/features/validation set to: true
      DEBUG [main] - http://apache.org/xml/features/validation/schema set to: true
      DEBUG [main] - Created parser: org.apache.xerces.jaxp.SAXParserImpl@146b6db, isNamespaceAware: true, isValidating: true, isXIncludeAware: true
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/jaxws-config_2_0.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/javaee_web_services_1_2.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/javaee_5.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=http://www.w3.org/2001/xml.xsd]
      DEBUG [main] - resolveEntity: [pub=null,sysid=file:///home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/schema/javaee_web_services_client_1_2.xsd]
      DEBUG [main] - Configure EndpointMetaData
      DEBUG [main] - Added 0 PRE handlers
      DEBUG [main] - Added 0 ENDPOINT handlers
      DEBUG [main] - Added 1 POST handlers
      DEBUG [main] - initHandlerChain: PRE
      DEBUG [main] - initHandlerChain: ENDPOINT
      DEBUG [main] - initHandlerChain: POST
      DEBUG [main] - addHandler: 
      HandlerMetaDataJAXWS:
       type=POST
       name=WSSecurityHandlerOutbound
       class=class org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient
       params=[]
       protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
       services=null
       ports=null
      DEBUG [main] - getHandlerChain: [type=PRE,info=[service={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService,port={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort,binding=http://schemas.xmlsoap.org/wsdl/soap/http]]
      DEBUG [main] - getHandlerChain: [type=POST,info=[service={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService,port={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort,binding=http://schemas.xmlsoap.org/wsdl/soap/http]]
      DEBUG [main] - getHandlerChain: [type=ENDPOINT,info=[service={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServiceService,port={http://jaas.myapp.com.br/}PesquisarUsuarioEjbServicePort,binding=http://schemas.xmlsoap.org/wsdl/soap/http]]
      DEBUG [main] - setHandlerChain: []
      ========================================
      =====>  config name =  Standard WSSecurity Client
      =====>  config file =  META-INF/standard-jaxws-client-config.xml
      =====>  security config =  null
      ========================================
      DEBUG [main] - pushMessageContext: org.jboss.ws.core.jaxws.handler.SOAPMessageContextJAXWS@504ec1 (Thread main)
      DEBUG [main] - wrapRequestParameters: br.com.myapp.jaas.jaxws.Pesquisar
      DEBUG [main] - setRequestParamValue: [name={http://jaas.myapp.com.br/}pesquisar,value=br.com.myapp.jaas.jaxws.Pesquisar]
      DEBUG [main] - bindRequestMessage: {http://jaas.myapp.com.br/}pesquisar
      DEBUG [main] - getRequestParamValue: {http://jaas.myapp.com.br/}pesquisar
      DEBUG [main] - transformPayloadValue: br.com.myapp.jaas.jaxws.Pesquisar -> br.com.myapp.jaas.jaxws.Pesquisar
      DEBUG [main] - Create a handler executor: []
      DEBUG [main] - Create a handler executor: []
      DEBUG [main] - Create a handler executor: [WSSecurityHandlerOutbound]
      DEBUG [main] - Enter: handleOutBoundMessage
      DEBUG [main] - createConfiguration from: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/jboss-wsse-client.xml
      DEBUG [main] - Created parser: org.apache.xerces.jaxp.SAXParserImpl@4b82d2, isNamespaceAware: true, isValidating: true, isXIncludeAware: true
      DEBUG [main] - http://xml.org/sax/features/validation set to: true
      DEBUG [main] - http://xml.org/sax/features/namespaces set to: true
      DEBUG [main] - http://apache.org/xml/features/validation/dynamic set to: true
      DEBUG [main] - Created parser: org.apache.xerces.jaxp.SAXParserImpl@4b82d2, isNamespaceAware: true, isValidating: true, isXIncludeAware: true
      DEBUG [main] - Add keystore: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/client_jbossws.jks
      DEBUG [main] - Add truststore: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/client_jbossws_truststore.jks
      DEBUG [main] - WS-Security config: org.jboss.ws.metadata.wsse.Config@166f9b9
      DEBUG [main] - -----------------------------------
      DEBUG [main] - Transitioning from OBJECT_VALID to DOM_VALID
      DEBUG [main] - getXMLFragment from Object [xmlType={http://jaas.myapp.com.br/}pesquisar,javaType=class br.com.myapp.jaas.jaxws.Pesquisar]
      DEBUG [main] - serialize: [xmlName={http://jaas.myapp.com.br/}pesquisar,xmlType={http://jaas.myapp.com.br/}pesquisar]
      DEBUG [main] - serialized: claudioDEBUG [main] - xmlFragment: [source=claudio]
      DEBUG [main] - -----------------------------------
      DEBUG [main] - Encoding Message:
             claudio   DEBUG [main] - loadStore: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/client_jbossws.jks
      DEBUG [main] - loadStore: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/client_jbossws_truststore.jks
      DEBUG [main] - Canonicalizer.register(http://www.w3.org/TR/2001/REC-xml-c14n-20010315, org.apache.xml.security.c14n.implementations.Canonicalizer20010315OmitComments)
      DEBUG [main] - Canonicalizer.register(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments, org.apache.xml.security.c14n.implementations.Canonicalizer20010315WithComments)
      DEBUG [main] - Canonicalizer.register(http://www.w3.org/2001/10/xml-exc-c14n#, org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclOmitComments)
      DEBUG [main] - Canonicalizer.register(http://www.w3.org/2001/10/xml-exc-c14n#WithComments, org.apache.xml.security.c14n.implementations.Canonicalizer20010315ExclWithComments)
      DEBUG [main] - Canonicalizer.register(http://www.w3.org/2006/12/xml-c14n11, org.apache.xml.security.c14n.implementations.Canonicalizer11_OmitComments)
      DEBUG [main] - Canonicalizer.register(http://www.w3.org/2006/12/xml-c14n11#WithComments, org.apache.xml.security.c14n.implementations.Canonicalizer11_WithComments)
      DEBUG [main] - Transform.register(http://www.w3.org/2000/09/xmldsig#base64, org.apache.xml.security.transforms.implementations.TransformBase64Decode)
      DEBUG [main] - Transform.register(http://www.w3.org/TR/2001/REC-xml-c14n-20010315, org.apache.xml.security.transforms.implementations.TransformC14N)
      DEBUG [main] - Transform.register(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments, org.apache.xml.security.transforms.implementations.TransformC14NWithComments)
      DEBUG [main] - Transform.register(http://www.w3.org/2006/12/xml-c14n11, org.apache.xml.security.transforms.implementations.TransformC14N11)
      DEBUG [main] - Transform.register(http://www.w3.org/2006/12/xml-c14n11#WithComments, org.apache.xml.security.transforms.implementations.TransformC14N11_WithComments)
      DEBUG [main] - Transform.register(http://www.w3.org/2001/10/xml-exc-c14n#, org.apache.xml.security.transforms.implementations.TransformC14NExclusive)
      DEBUG [main] - Transform.register(http://www.w3.org/2001/10/xml-exc-c14n#WithComments, org.apache.xml.security.transforms.implementations.TransformC14NExclusiveWithComments)
      DEBUG [main] - Transform.register(http://www.w3.org/TR/1999/REC-xpath-19991116, org.apache.xml.security.transforms.implementations.TransformXPath)
      DEBUG [main] - Transform.register(http://www.w3.org/2000/09/xmldsig#enveloped-signature, org.apache.xml.security.transforms.implementations.TransformEnvelopedSignature)
      DEBUG [main] - Transform.register(http://www.w3.org/TR/1999/REC-xslt-19991116, org.apache.xml.security.transforms.implementations.TransformXSLT)
      DEBUG [main] - Transform.register(http://www.w3.org/2002/04/xmldsig-filter2, org.apache.xml.security.transforms.implementations.TransformXPath2Filter)
      DEBUG [main] - Transform.register(http://www.w3.org/2002/06/xmldsig-filter2, org.apache.xml.security.transforms.implementations.TransformXPath2Filter)
      DEBUG [main] - Init() called
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2000/09/xmldsig#dsa-sha1, org.apache.xml.security.algorithms.implementations.SignatureDSA)
      DEBUG [main] - Try to register http://www.w3.org/2000/09/xmldsig#dsa-sha1 org.apache.xml.security.algorithms.implementations.SignatureDSA
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2000/09/xmldsig#rsa-sha1, org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1)
      DEBUG [main] - Try to register http://www.w3.org/2000/09/xmldsig#rsa-sha1 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2000/09/xmldsig#hmac-sha1, org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA1)
      DEBUG [main] - Try to register http://www.w3.org/2000/09/xmldsig#hmac-sha1 org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA1
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#rsa-md5, org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSAMD5)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#rsa-md5 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSAMD5
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160, org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSARIPEMD160
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA384
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA512
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA1)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1 org.apache.xml.security.algorithms.implementations.SignatureECDSA$SignatureECDSASHA1
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#hmac-md5, org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacMD5)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#hmac-md5 org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacMD5
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160, org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacRIPEMD160)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160 org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacRIPEMD160
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA256)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA256
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA384)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA384
      DEBUG [main] - SignatureAlgorithm.register(http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA512)
      DEBUG [main] - Try to register http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 org.apache.xml.security.algorithms.implementations.IntegrityHmac$IntegrityHmacSHA512
      DEBUG [main] - Register Resolver: org.apache.xml.security.utils.resolver.implementations.ResolverDirectHTTP: A simple resolver for requests to HTTP space
      DEBUG [main] - Register Resolver: org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem: A simple resolver for requests to the local file system
      DEBUG [main] - Register Resolver: org.apache.xml.security.utils.resolver.implementations.ResolverFragment: A simple resolver for requests of same-document URIs
      DEBUG [main] - Register Resolver: org.apache.xml.security.utils.resolver.implementations.ResolverXPointer: A simple resolver for requests of XPointer fragents
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver: Can extract RSA public keys
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.DSAKeyValueResolver: Can extract DSA public keys
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver: Can extract public keys from X509 certificates
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver: Uses an X509v3 SubjectKeyIdentifier extension to retrieve a certificate from the storages
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.RetrievalMethodResolver: Resolves keys and certificates using ResourceResolvers
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver: Uses an X509 SubjectName to retrieve a certificate from the storages
      DEBUG [main] - Register Resolver: org.apache.xml.security.keys.keyresolver.implementations.X509IssuerSerialResolver: Uses an X509 IssuerName and IssuerSerial to retrieve a certificate from the storages
      DEBUG [main] - Now I try to bind prefixes:
      DEBUG [main] - Now I try to bind ds to http://www.w3.org/2000/09/xmldsig#
      DEBUG [main] - Now I try to bind xenc to http://www.w3.org/2001/04/xmlenc#
      DEBUG [main] - Now I try to bind experimental to http://www.xmlsecurity.org/experimental#
      DEBUG [main] - Now I try to bind dsig-xpath-old to http://www.w3.org/2002/04/xmldsig-filter2
      DEBUG [main] - Now I try to bind dsig-xpath to http://www.w3.org/2002/06/xmldsig-filter2
      DEBUG [main] - Now I try to bind ec to http://www.w3.org/2001/10/xml-exc-c14n#
      DEBUG [main] - Now I try to bind xx to http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter
      DEBUG [main] - XX_init                             146 ms
      DEBUG [main] -   XX_prng                           0 ms
      DEBUG [main] -   XX_parsing                        36 ms
      DEBUG [main] -   XX_configure_i18n                 16 ms
      DEBUG [main] -   XX_configure_reg_c14n             18 ms
      DEBUG [main] -   XX_configure_reg_jcemapper        5 ms
      DEBUG [main] -   XX_configure_reg_keyInfo          6 ms
      DEBUG [main] -   XX_configure_reg_keyResolver      10 ms
      DEBUG [main] -   XX_configure_reg_prefixes         1 ms
      DEBUG [main] -   XX_configure_reg_resourceresolver 18 ms
      DEBUG [main] -   XX_configure_reg_sigalgos         19 ms
      DEBUG [main] -   XX_configure_reg_transforms       16 ms
      DEBUG [main] - Transforms.addTransform(http://www.w3.org/2001/10/xml-exc-c14n#)
      DEBUG [main] - Create URI "http://www.w3.org/2001/10/xml-exc-c14n#" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive"
      DEBUG [main] - The NodeList is null
      DEBUG [main] - Transforms.addTransform(http://www.w3.org/2001/10/xml-exc-c14n#)
      DEBUG [main] - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
      DEBUG [main] - Transforms.addTransform(http://www.w3.org/2001/10/xml-exc-c14n#)
      DEBUG [main] - Create URI "http://www.w3.org/2001/10/xml-exc-c14n#" class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive"
      DEBUG [main] - The NodeList is null
      DEBUG [main] - Transforms.addTransform(http://www.w3.org/2001/10/xml-exc-c14n#)
      DEBUG [main] - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
      DEBUG [main] - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
      DEBUG [main] - Created SignatureRSA using SHA1withRSA
      DEBUG [main] - I was asked to create a ResourceResolver and got 1
      DEBUG [main] -  extra resolvers to my existing 4 system-wide resolvers
      DEBUG [main] - check resolvability by class org.jboss.ws.extensions.security.WsuIdResolver
      DEBUG [main] - setElement("ds:Transform", "null")
      DEBUG [main] - Pre-digested input:
      DEBUG [main] - claudioDEBUG [main] - I was asked to create a ResourceResolver and got 1
      DEBUG [main] -  extra resolvers to my existing 4 system-wide resolvers
      DEBUG [main] - check resolvability by class org.jboss.ws.extensions.security.WsuIdResolver
      DEBUG [main] - setElement("ds:Transform", "null")
      DEBUG [main] - Pre-digested input:
      DEBUG [main] - 2012-03-13T20:48:22.843ZDEBUG [main] - Canonicalized SignedInfo:
      DEBUG [main] - 9tKRdsLGTAHmI9yKcnih3TQ70B4=GYbJeXFXc2DObR0bHo9BLdAB3Ug=DEBUG [main] - Getting XMLCipher...
      DEBUG [main] - Constructing XMLCipher...
      DEBUG [main] - Request for URI http://www.w3.org/2001/04/xmlenc#aes128-cbc
      DEBUG [main] - cihper.algoritm = AES/CBC/ISO10126Padding
      DEBUG [main] - Initializing XMLCipher...
      DEBUG [main] - opmode = ENCRYPT_MODE
      DEBUG [main] - Initializing XMLCipher...
      DEBUG [main] - opmode = ENCRYPT_MODE
      DEBUG [main] - Returning EncryptedData
      DEBUG [main] - Processing source element...
      DEBUG [main] - Encrypting element content...
      DEBUG [main] - Encrypting element...
      DEBUG [main] - Serialized octets:
      claudioDEBUG [main] - Expected cipher.outputSize = 240
      DEBUG [main] - Actual cipher.outputSize = 240
      DEBUG [main] - Encrypted octets:
      O7DrN9b0ttATynzRSC/1+IZ+ZcV+Ifzlw8dL/OQYFOzDiWb54AZF1l1+zA31jkARytk1J4tYPY+a
      ScAcBN0RXZjFEtqq20+DuBspGNRmTMB6EHWpCElCJmOs9jAPoNx6CTfFjPfpLFV+/fc8tLwjEyT5
      2VJmL+gUkB501NwBUiE87IF4HBOSpLS6LKEM/x1sxqNj9KZndwKHuRdHpjzLPx/dP223SV1myhuJ
      XIRZt5srrX8ZMxZJU/rby/NTjxfQ0G78RiaxIuqrVfRG1ZLbSZiGxnZP+M6Jfkd3RdJoA+fFTaJ2
      n6+5wvNCqtiyi6OoOcDX9cV04yDEGcDhzP6veg==
      DEBUG [main] - Encrypted octets length = 348
      DEBUG [main] - Getting XMLCipher...
      DEBUG [main] - Constructing XMLCipher...
      DEBUG [main] - Request for URI http://www.w3.org/2001/04/xmlenc#rsa-1_5
      DEBUG [main] - cihper.algoritm = RSA/ECB/PKCS1Padding
      DEBUG [main] - Initializing XMLCipher...
      DEBUG [main] - opmode = WRAP_MODE
      DEBUG [main] - Encrypting key ...
      DEBUG [main] - Encrypted key octets:
      YeNE51YUZL82XMZyfetnRDBMF+SRbw0PO+26U3tL4LYZbNJXLb+PJjp6gvf1OH3/LlX4VhDRMBA0
      JVRSuVuDdQrC008vG5Vr6TqIgiv4W2qbpFAZkrbIPdwlzuxNklplzB0tGZE8pW0nQ51Jywy9W4RA
      GKvy1zbO2sqHLdXOW1s=
      DEBUG [main] - Encrypted key octets length = 174
      DEBUG [main] - Exit: handleOutBoundMessage with status: true
      DEBUG [main] - Get locator for: [addr=http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService,props={javax.xml.ws.service.endpoint.address=http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService}]
      DEBUG [main] - Remoting version: 2.5.4.SP3 (Flounder)
      DEBUG [main] - Client[25793043:a15l2r-h22djk-gzrey6ey-1-gzrey6f0-2] setting invokerDestructionDelay to 5000
      DEBUG [main] - Client[25793043:a15l2r-h22djk-gzrey6ey-1-gzrey6f0-2].connect(null)
      DEBUG [main] - org.jboss.remoting.transport.http.HTTPClientInvoker@1f68272 setting unmarshalNullStream to true
      DEBUG [main] - org.jboss.remoting.transport.http.HTTPClientInvoker@1f68272 setting disconnectAfterUse to true
      DEBUG [main] - org.jboss.remoting.transport.http.HTTPClientInvoker@1f68272 connecting
      DEBUG [main] - org.jboss.remoting.transport.http.HTTPClientInvoker@1f68272 connected
      DEBUG [main] - Client[25793043:a15l2r-h22djk-gzrey6ey-1-gzrey6f0-2] connected to InvokerLocator [http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService]
      DEBUG [main] - Client[25793043:a15l2r-h22djk-gzrey6ey-1-gzrey6f0-2] clientCounter: 1
      DEBUG [main] - Client[25793043:a15l2r-h22djk-gzrey6ey-1-gzrey6f0-2] is connected
      DEBUG [main] - Remoting metadata: {NoThrowOnError=true, HEADER={SOAPAction="", Content-Type=text/xml; charset=UTF-8}}
      DEBUG [main] - Setting request header with SOAPAction : ""
      DEBUG [main] - Setting request header with Content-Type : text/xml; charset=UTF-8
      DEBUG [main] - Cannot connect on attempt 1
      ERROR [main] - Exception caught while (preparing for) performing the invocation: 
      java.io.IOException: Could not transmit message
              at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:267)
              at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
              at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:360)
              at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:232)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:171)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:157)
              at $Proxy12.pesquisar(Unknown Source)
              at JaasAuthClient.main(JaasAuthClient.java:33)
      Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:271)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:176)
              at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:169)
              at org.jboss.remoting.Client.invoke(Client.java:2070)
              at org.jboss.remoting.Client.invoke(Client.java:879)
              at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:246)
              ... 7 more
      Caused by: org.jboss.ws.WSException: Invalid HTTP server response [401] - Unauthorized
              at org.jboss.ws.core.soap.SOAPMessageUnMarshallerHTTP.read(SOAPMessageUnMarshallerHTTP.java:75)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.readResponse(HTTPClientInvoker.java:608)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:402)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:253)
              ... 12 more
      DEBUG [main] - Begin response processing
      DEBUG [main] - popMessageContext: org.jboss.ws.core.jaxws.handler.SOAPMessageContextJAXWS@504ec1 (Thread main)
      DEBUG [main] - pushMessageContext: org.jboss.ws.core.jaxws.handler.SOAPMessageContextJAXWS@11df164 (Thread main)
      DEBUG [main] - Enter: handleIn BoundFault
      ERROR [main] - SOAP request exception
      java.io.IOException: Could not transmit message
              at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:267)
              at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
              at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:360)
              at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:232)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:171)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:157)
              at $Proxy12.pesquisar(Unknown Source)
              at JaasAuthClient.main(JaasAuthClient.java:33)
      Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:271)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:176)
              at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:169)
              at org.jboss.remoting.Client.invoke(Client.java:2070)
              at org.jboss.remoting.Client.invoke(Client.java:879)
              at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:246)
              ... 7 more
      Caused by: org.jboss.ws.WSException: Invalid HTTP server response [401] - Unauthorized
              at org.jboss.ws.core.soap.SOAPMessageUnMarshallerHTTP.read(SOAPMessageUnMarshallerHTTP.java:75)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.readResponse(HTTPClientInvoker.java:608)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:402)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:253)
              ... 12 more
      DEBUG [main] - Cannot obtain fault meta data for: class java.io.IOException
      DEBUG [main] - Exit: handleIn BoundFault with status: true
      DEBUG [main] - close
      DEBUG [main] - close
      DEBUG [main] - close
      DEBUG [main] - popMessageContext: org.jboss.ws.core.jaxws.handler.SOAPMessageContextJAXWS@11df164 (Thread main)
      Exception in thread "main" javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
              at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:311)
              at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:244)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:171)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:157)
              at $Proxy12.pesquisar(Unknown Source)
              at JaasAuthClient.main(JaasAuthClient.java:33)
      Caused by: java.io.IOException: Could not transmit message
              at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:267)
              at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
              at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:360)
              at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:232)
              ... 4 more
      Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:271)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:176)
              at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:169)
              at org.jboss.remoting.Client.invoke(Client.java:2070)
              at org.jboss.remoting.Client.invoke(Client.java:879)
              at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:246)
              ... 7 more
      Caused by: org.jboss.ws.WSException: Invalid HTTP server response [401] - Unauthorized
              at org.jboss.ws.core.soap.SOAPMessageUnMarshallerHTTP.read(SOAPMessageUnMarshallerHTTP.java:75)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.readResponse(HTTPClientInvoker.java:608)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:402)
              at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:253)
      
      

       

      sa

        • 1. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
          spyhunter99 Novice

          try turning on SSL debugging. it's most likely a problem there

           

          edit: are you trying to use SSL with Client-Cert? Or some variant of WS-Security with certificates?

          • 2. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
            Claudio Miranda Novice

            Added -Djava.security.auth.debug=all it prints a LOT of message, trying to figure out any issue there.

            -Djavax.net.debug=all didn't print anything relevant.

            • 4. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
              Claudio Miranda Novice

              Firefox answer: HTTP GET not supported

               

              I tried with soapUI

               

              The request

               

              POST http://localhost:8080/jaas-cert/PesquisarUsuarioEjbService HTTP/1.1
              Accept-Encoding: gzip,deflate
              Content-Type: text/xml;charset=UTF-8
              SOAPAction: ""
              User-Agent: Jakarta Commons-HttpClient/3.1
              Host: localhost:8080
              Content-Length: 2966
              
                 MIICTzCCAbigAwIBAgIET1e6ozANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJCUjELMAkGA1UECBMCREYxETAPBgNVBAcTCEJyYXNpbGlhMRIwEAYDVQQKDAltaW5fc2F1ZGUxEDAOBgNVBAsTB2RhdGFzdXMxFzAVBgNVBAMTDmpib3Nzd3MgY2xpZW50MB4XDTEyMDMwNzE5NDQzNVoXDTEyMDYwNTE5NDQzNVowbDELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAkRGMREwDwYDVQQHEwhCcmFzaWxpYTESMBAGA1UECgwJbWluX3NhdWRlMRAwDgYDVQQLEwdkYXRhc3VzMRcwFQYDVQQDEw5qYm9zc3dzIGNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhd2XAXxR0FGcyoVGAGW/1nUz33TBQBQBjkJm+hrN6/kUJz8yDueLnuFc5YcJVSPGOLubVaRYudt5o8+iKMHDZPvBywv2SpExKcW8MRpocYsAyrPTASoUX4Mj/Ca5PPIcBpaZqEniI7Zj8LkXnPtSAwOOvCPco1ibclndognp4YECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBC4k6AAf6CwS8d3fNKB8XS4hiOrIGvwtNPjiWAV+ipORsNRiP0s4PjXJdWTK9RhHQc6/KyuYKFU7z1fzShJtYBP3gqBHTo+9kTVkRX/uwcDmIrHnCUlyz5eF1Aj/aFMhrAxidZSrGCcPEbWcJbpE2bF0Xde8UbdTtbqG1WLNOKCw==GVCdFu+VnbtIEdnHBr3p7iqT7/odF56knHdMCp6mpFTMUR+8gHLZoyzIlkxHHhR8S1ho8KVVH9ryg/e4qDiJ6X9Mvlf+DjF+K2lTk/xNeRqCKYwtcjlORvgpQide+yMamPUncyV/2dQD/mWQxq2/Vu7qWI+pkHYJKA5oEShuCx8=   JIwUK/+kt/RL0tV/s38N9/LpNgb7jRe6NUPRWY6lyOqI9Sz2WRtzGZDCEtp5gl/I2sS5b2KtG8h1
              grhGfO9GzsZOXOo6q5ZM3rVeIdfOqBzOCdU1J66Omn0C/Ox9faNTgufViyzEkzdTyeIHpOgK96ke
              EaSTCM4oVhwO8K4pb77FejJtOe2rFXz7rJDw2T/wogPGasdGwzboXXFu4ZAoqAXvzxKEO4QSSzxi
              b5X7CSNwy0Ev28yF6y0LoX0lodk8MbAb9E6v0KEgoi4tgkwMvIbRHce7W7QWE6hvD8j1c4qZW0EJ
              auqyzFVfRT54Ys1lg8za3c687G7NDpW5q04RaOjHN4inQ1f14q7fbOBiBO0=

               

              The response

              HTTP/1.1 401 Unauthorized
              Server: Apache-Coyote/1.1
              Content-Type: text/html;charset=utf-8
              Content-Length: 1099
              Date: Tue, 13 Mar 2012 21:58:13 GMT
              
              

              <html><head><title>JBoss Web/2.1.12.GA-patch-01 - Error report</title></head>

              <body><h1>HTTP Status 401 - No client certificate chain in this request</h1>

              <HR size="1" noshade="noshade"><p><b>type</b> Status report</p>

              <p><b>message</b> <u>No client certificate chain in this request</u></p><p><b>description</b>

              <u>This request requires HTTP authentication (No client certificate chain in this request).</u></p>

              <HR size="1" noshade="noshade"><h3>JBoss Web/2.1.12.GA-patch-01</h3></body></html>

              • 5. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                spyhunter99 Novice

                notice that the security config is null on your client, try setting that to the jboss-wsse-client.xml

                • 6. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                  Claudio Miranda Novice

                  From the client log file I see that the it load the Standard Client, after then it loads correctlry the Standard WSSecurity Client.

                   

                  Also, the client code uses the Standard WSSecurity Client.

                   

                          StubExt stubExt = (StubExt) wsPesq;
                          stubExt.setConfigName("Standard WSSecurity Client");

                   

                  DEBUG [main] - Create new config [name=Standard Client,file=META-INF/standard-jaxws-client-config.xml]

                  DEBUG [main] - getConfig: [name=Standard Client,url=META-INF/standard-jaxws-client-config.xml]

                  DEBUG [main] - parse: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/standard-jaxws-client-config.xml

                   

                   

                   

                  DEBUG [main] - Create new config [name=Standard WSSecurity Client,file=META-INF/standard-jaxws-client-config.xml]

                  DEBUG [main] - getConfig: [name=Standard WSSecurity Client,url=META-INF/standard-jaxws-client-config.xml]

                  DEBUG [main] - parse: file:/home/claudio/alphaworks/projects/myapp/jaas/jaas-ms-client/bin/META-INF/standard-jaxws-client-config.xml

                   

                  Is that incorrect ?

                   

                  I modified as below, but didn't work, the exception is the same.

                   

                  URL wsseClientURL = Thread.currentThread().getContextClassLoader().getResource("META-INF/jboss-wsse-client.xml");

                  stubExt.setSecurityConfig(wsseClientURL.toExternalForm());

                   


                  • 7. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                    spyhunter99 Novice

                    stubExt.setSecurityConfig("jboss-wsse-client.xml");

                    stubExt.setConfigName("Standard WSSecurity Client");

                     

                    I think by default it looks in META-INF

                    • 8. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                      Claudio Miranda Novice

                      I see from the client log that "Standard WSSecurity Client" is picked up, see previous comment.

                       

                      Do you think there is something missing from the server side ?

                       

                      Thanks for your help.

                      • 9. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                        Claudio Miranda Novice

                        Used soapUI to test the ws request, the error is the same, HTTP 401.

                         

                        It is really frustrating, I couldn't grasp where is the problem. Thanks if you can take a look here and suggestion.

                         

                        (click at the image to enlarge)

                        soapui_ws.jpg

                        • 10. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                          spyhunter99 Novice

                          can you verify the following?

                           

                          from the service side, confirm that there is a certificate that can be used by the service and that the trust store contains the issuing certificate authority for the certificate used by the client

                          from the client side, confifrm  that there is a certificate that can be used by the client and that the trust store contains the issuing certificate authority for the certificate used by the service

                           

                           

                          from login-config.xml of jboss, what does UserCertPolicy look like? the @SecurityDomain ties the security context back to the login-config.xml, useful for http authentication but I'm not sure what effect it would have for you, because you are trying to do message level authentication, not transport. I'd suggest commenting that out and trying again

                           

                          And what does this class look like? what does it do?

                          br.com.myapp.jaas.spi.SubjectMapper

                          • 11. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                            Claudio Miranda Novice

                            > from the service side, confirm that there is a certificate that can be used by the service and that the trust store contains the issuing certificate authority

                            > for the certificate used by the client

                             

                            The server keystore jaas-ms-ejb-ear.ear/jaas-ms-ejb-ws-1.0.0.jar/server_jbossws.jks

                            has 2 entries

                            PrivateKeyEntry: server_jbossws

                            trustedCertEntry: client_jbossws

                             

                            The server truststore has 2 public keys: server_jbossws and client_jbossws

                             

                            You can see it in details from the original post.

                             

                            > from the client side, confifrm  that there is a certificate that can be used by the client and that the trust store contains the issuing certificate authority for

                            > the certificate used by the service

                             

                            The client keystore src/META-INF/client_jbossws.jks

                            has 2 entries

                            PrivateKeyEntry: client_jbossws

                            trustedCertEntry: server_jbossws

                             

                            The client truststore has 2 public keys: server_jbossws and client_jbossws

                             

                            You can see it in details from the original post.

                             

                             

                            > from login-config.xml of jboss, what does UserCertPolicy look like?

                             

                            The security-domain setting is in the file jaas-ms-ejb-ear.ear/lib/jaas-ms-1.1.4.jar/META-INF/ms-auth-jboss-beans.xml

                             

                            Its contents are

                             

                            <deployment xmlns="urn:jboss:bean-deployer:2.0">

                             

                                <application-policy name="UserCertPolicy" xmlns="urn:jboss:security-beans:1.0">

                                    <authentication>

                                        <login-module code="br.gov.saude.jaas.spi.UserCertLoginModule" flag="required"></login-module>

                                    </authentication>

                                </application-policy>

                            </deployment>

                             

                            > And what does this class look like? what does it do? br.com.myapp.jaas.spi.SubjectMapper

                             

                             

                            Accordingly to [1] I want to extract the username from certificate to authenticate.

                            public class SubjectMapper extends SubjectCNMapping {

                             

                                public Principal toPrinicipal(X509Certificate[] arg0) {

                                    Principal prinicipal = super.toPrinicipal(arg0);

                                    return prinicipal;

                                }

                            }

                             

                            Thank you for the help.

                             

                            1. https://community.jboss.org/wiki/JBossWS-WS-SecurityOptions#X509_certificate_token

                            • 12. Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side
                              spyhunter99 Novice

                              Alright, I have an idea

                               

                              download a copy of tcpmon here http://code.google.com/p/tcpmon/

                               

                              try directing the client at that. maybe you'll get some more information.

                               

                              I think the problem is with the server/service's configuration.

                               

                              You can try turning on remote debugging on your jboss server, attach to it and set break points at every entry point in your code, especially the authorization pieces.

                               

                              worse case scenario, download the source for your version of jbossws and then set break points with that. There's some example code/smoke tests in there as well that may help you model your service after for this specific task.

                               

                              In addition, I'd suggest you try searching the issue tracker to see if there is anything related to this and your version of jbossws. Make sure you're running the latest version supported by your container version