0 Replies Latest reply on Nov 17, 2014 7:07 AM by aupres

    Question about wildfly CertificateRoles configuration?

    aupres

This is my wildfly sample CertificateRoles configuration, but it throws an exception.

       

      > keytool -genkey -alias server -keyalg RSA -keystore server.jks

          ....

          CN=Joseph Hwang, OU=DEP, O=my home, L=Seoul, ST=Seoul, C=KR이(가) 맞습니까?

            [아니오]: y

             

      > keytool -genkey -alias client -keyalg RSA -keystore client.jks

          ...

          CN=Jina Kim, OU=DEP, O=my home, L=Seoul, ST=Seoul, C=KR이(가) 맞습니까?

            [아니오]: y

               

      > keytool -export -file server.cert -keystore server.jks -storepass password -alias server

      > keytool -export -file client.cert -keystore client.jks -storepass password -alias client

      > keytool -import -file client.cert -keystore server.jks -storepass password -alias client

      > keytool -import -file server.cert -keystore client.jks -storepass password -alias server

       

      All key generation processes work well. And I create a security-realm and security-domain in the wildfly standalone.xml file like below:

      ...

             <security-realm name="CertRequiredRealm">

                <authentication>

                   <truststore path="${jboss.server.config.dir}/client.jks" keystore-password="password"/>

                </authentication>

             </security-realm>

          </security-realms>

          .....

             <security-domain name="my_secure_domain" cache-type="default">

                <authentication>

                   <login-module code="CertificateRoles" flag="required">

                      <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

                      <module-option name="usersProperties" value="${jboss.server.config.dir}/sample-users.properties"/>

                      <module-option name="rolesProperties" value="${jboss.server.config.dir}/sample-roles.properties"/>

                   </login-module>

                </authentication>

                <jsse keystore-password="password" keystore-url="file:/${jboss.server.config.dir}/client.jks" truststore-password="password" truststore-url="file:/${jboss.server.config.dir}/server.jks" server-alias="server" protocols="TLS"/>

             </security-domain>

          </security-domains>

       

      === sample-users.properties

          admin=password

       

      === sample-roles.properties

          CN\=Jina\ Kim,\ OU\=DEP,\ O\=my\ home,\ L\=Seoul,\ ST\=Seoul,\ C\=KR=administrator

       

      In the Eclipse IDE I create a dynamic web project including jboss-web.xml and web.xml, which contain the following code:

      === jboss-web.xml

          <?xml version="1.0" encoding="UTF-8"?>
          <jboss-web>
              <security-domain>java:/jaas/my_secure_domain</security-domain>
          </jboss-web>

       

      === web.xml

          ...
             <security-constraint>
                <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
                </web-resource-collection>
                <auth-constraint>
                  <role-name>administrator</role-name>
                </auth-constraint>
             </security-constraint>
         
             <security-role>
                <role-name>administrator</role-name>
             </security-role>
         
             <login-config>
                <auth-method>CLIENT-CERT</auth-method>
                <realm-name>CertRequiredRealm</realm-name>
             </login-config>
          </web-app>

       

      And I finally write the client code:

          import java.net.URL;
          import javax.xml.namespace.QName;
          import javax.xml.ws.Service;

          public class SOAPClient {
          
             private final String serviceURL = "http://localhost:8080/SOAPSecureWeb/HelloWorld";
             private IHelloWorld port;
         
             public SOAPClient() {
                try {
                   QName serviceName = new QName("http://soap.aaa.com/", "HelloWorldService");
                   URL wsdlURL = new URL(serviceURL + "?wsdl");
         
                   // Service.create fetches the WSDL from wsdlURL before the proxy can be built
                   Service service = Service.create(wsdlURL, serviceName);
                   port = (IHelloWorld) service.getPort(IHelloWorld.class);
          ...

      But the client code throws an exception.

      javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
           at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:151)
           at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:101)
           at javax.xml.ws.Service.<init>(Unknown Source)
           at javax.xml.ws.Service.create(Unknown Source)
           at com.aaa.soap.SOAPClient.<init>(SOAPClient.java:23)
           at com.aaa.soap.SOAPClient.main(SOAPClient.java:43)

          Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
           at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
           at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:204)
           at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
           ... 5 more

          Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'http://localhost:8080/SOAPSecureWeb/HelloWorld?wsdl'.: java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/SOAPSecureWeb/HelloWorld?wsdl
           at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
           at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
           at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
           at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:263)
           at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:206)
           at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
           ... 7 more

          Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/SOAPSecureWeb/HelloWorld?wsdl
           at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
           at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
           at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
           at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
           at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
           at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
           at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
           at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
           at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
           ... 12 more

       

      It seems there are some problems in my wildfly CertificateRoles configuration. However, I have no idea what my misconfiguration is.

      Your help will be deeply appreciated. Thanks.
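Added example, not code from the post or from WildFly: a small Java check of how the rolesProperties line above is parsed by java.util.Properties, and which rendering of the client certificate's subject it matches. It assumes (an assumption, not stated on the page) that the login module looks up roles by the subject DN string of the presented certificate; the roles line is the one from the post, embedded here as constructed input.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;

public class CertRoleKeyCheck {

    // Constructed sample input: the exact rolesProperties line from the post.
    static final String ROLES_PROPERTIES =
        "CN\\=Jina\\ Kim,\\ OU\\=DEP,\\ O\\=my\\ home,\\ L\\=Seoul,\\ ST\\=Seoul,\\ C\\=KR=administrator\n";

    /** Parse a roles file and return the role mapped to principalName, or null if there is no key for it. */
    static String lookupRole(String rolesFile, String principalName) throws IOException {
        Properties roles = new Properties();
        roles.load(new StringReader(rolesFile));
        return roles.getProperty(principalName);
    }

    /** Escape a DN the way Properties.store does, so it can be pasted as a key into roles.properties. */
    static String propertiesKeyFor(String dn, String role) throws IOException {
        Properties p = new Properties();
        p.setProperty(dn, role);
        StringWriter out = new StringWriter();
        p.store(out, null);
        // store() writes a leading date comment; return only the key=value line
        for (String line : out.toString().split("\\r?\\n")) {
            if (!line.startsWith("#")) return line;
        }
        throw new IllegalStateException("no key line produced");
    }

    public static void main(String[] args) throws IOException {
        // Assumption: the principal name is the subject DN of the client certificate.
        X500Principal subject = new X500Principal("CN=Jina Kim, OU=DEP, O=my home, L=Seoul, ST=Seoul, C=KR");
        String rfc2253 = subject.getName();                      // "CN=Jina Kim,OU=DEP,..." (no spaces)
        String rfc1779 = subject.getName(X500Principal.RFC1779); // "CN=Jina Kim, OU=DEP, ..." (spaces)

        // Only the rendering whose text equals the properties key yields a role; the other returns null.
        System.out.println("RFC2253 lookup: " + lookupRole(ROLES_PROPERTIES, rfc2253));
        System.out.println("RFC1779 lookup: " + lookupRole(ROLES_PROPERTIES, rfc1779));
        // Generate the escaped key instead of escaping '=' and spaces by hand.
        System.out.println("escaped key:    " + propertiesKeyFor(rfc1779, "administrator"));
    }
}
```

Running it shows that the hand-escaped key in the post decodes to the RFC 1779 form with a space after each comma, so a module that names the principal in RFC 2253 form would find no role for it.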