5 Replies Latest reply on Oct 24, 2008 12:09 PM by jim

    SSL & Authorization

    Fabrizio Boco Newbie

      Hi guys,

      I really need some directions from you.

      I have a test ws:

      @Stateless
      @WebService(name = "wstest", serviceName = "wstest")
      @WebContext(contextRoot = "/ma", transportGuarantee="NONE", secureWSDLAccess = false)
      @Remote(WsTest.class)
      @RemoteBinding
      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
      public class WsTestBean implements WsTest
      {
          Logger log = Logger.getLogger(WsTestBean.class);

          @WebMethod
          public String echo(String message)
          {
              return message;
          }
      }
      


      deployed into JBoss 4.2.0

      Using wsconsume I prepared the proxy and my client is able to call the ws:

      public class WsTestClient
      {
          public static void main(String[] args)
          {
              System.out.println("WsTest Client Start");

              Wstest_Service ws = new Wstest_Service();

              Wstest wsTest = ws.getWstestPort();

              System.out.println("Echo message: " + wsTest.echo("Ciao Ciao sono Fabrizio"));

              System.out.println("WsTest Client End");
          }
      }
      


      What I have to do now (for a real application !) is:

      1) use SSL
      2) enforce authentication (only authorized users can call the ws)

      I have changed the servers as follows:

      
      @WebContext(contextRoot = "/ma", transportGuarantee="CONFIDENTIAL", secureWSDLAccess = false)
      
      


      and then the SSL should be OK. The ServiceEndpointAddress switches from http://.....?wsdl to https://.....?wsdl

      Then I have tried to regenerate the proxy using wsconsume and I get the following error:

      failed to parse document at "https://fabocoxp2:8443/ma/WsTestBean?wsdl": javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at org.jboss.com.sun.tools.ws.processor.modeler.wsdl.WSDLModeler.buildModel(WSDLModeler.java:215)
       at org.jboss.com.sun.tools.ws.processor.config.ModelInfo.buildModel(ModelInfo.java:88)
       at org.jboss.com.sun.tools.ws.processor.Processor.runModeler(Processor.java:82)
       at org.jboss.com.sun.tools.ws.wscompile.CompileTool.run(CompileTool.java:543)
       at org.jboss.com.sun.tools.ws.util.ToolBase.run(ToolBase.java:57)
       at org.jboss.ws.tools.jaxws.impl.WSContractConsumerImpl$1.run(WSContractConsumerImpl.java:163)
       at org.jboss.ws.tools.jaxws.impl.WSContractConsumerImpl.consume(WSContractConsumerImpl.java:166)
       at org.jboss.ws.tools.jaxws.command.wsconsume.importServices(wsconsume.java:193)
       at org.jboss.ws.tools.jaxws.command.wsconsume.main(wsconsume.java:76)
      Caused by: failed to parse document at "https://fabocoxp2:8443/ma/WsTestBean?wsdl": javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at org.jboss.com.sun.tools.ws.wsdl.parser.WSDLParser.buildDocumentFromWSDL(WSDLParser.java:318)
       at org.jboss.com.sun.tools.ws.wsdl.parser.WSDLParser.parseDefinitions(WSDLParser.java:222)
       at org.jboss.com.sun.tools.ws.wsdl.parser.WSDLParser.parse(WSDLParser.java:213)
       at org.jboss.com.sun.tools.ws.processor.modeler.wsdl.WSDLModeler.buildModel(WSDLModeler.java:166)
       ... 8 more
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
       at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:938)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
       at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
       at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
       at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
       at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
       at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
       at org.jboss.com.sun.tools.ws.wsdl.parser.WSDLParser.buildDocumentFromWSDL(WSDLParser.java:276)
       ... 11 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
       at sun.security.validator.Validator.validate(Validator.java:203)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
       at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
       ... 30 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
       ... 35 more
      error: failed to parse document at "https://fabocoxp2:8443/ma/WsTestBean?wsdl": javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      I think that I have to put a certificate somewhere !

      Reading documentation I realized that I have to configure:

      jboss-wsse-server.xml

      and

      jboss-wsse-client.xml

      but I can't find a step-by-step procedure.

      What about authorization ?

      Thank you in advance for any help.

      Regards

      Fabrizio



        • 1. Re: SSL & Authorization
          Fabrizio Boco Newbie

          Please gurus,

          can you provide me with some pointers to step-by-step documentation?

          Thanks

          Fab.

          • 2. Re: SSL & Authorization
            Heiko Braun Master

            Honestly, I see this for the first time. But one thing is for sure: it's not related to jboss-wsse*.xml. That's the WS-Security configuration. However, you may try to specify a client-side key and truststore, like:

            -Djavax.net.ssl.trustStore=<truststore>
            


            To me it looks like the SSLSocketFactory fails because it's not correctly configured. This might as well play together with the SSL configuration you are using for Tomcat.





            • 3. Re: SSL & Authorization
              nathan dennis Expert

              I have the same error. I was trying to connect a mailSession to a server running TLS on a self-signed cert. Not sure if I'm missing something. I've read the wiki associated with installing the keys a couple of times. I tried specifying the truststore and passing it a password in the run.conf. Any other thoughts? Did you ever get this resolved?

              seam 121 jboss 405

              • 4. Re: SSL & Authorization
                nathan dennis Expert

                Never mind that... I blame confusion on being up for three days straight trying to overcome the laws of chaos that have been attacking my brainchild. (because I can't blame myself :).... I had mistakenly put keyStore in the java param instead of trustStore...
                Bravo for a good tip even though I was not tedious enough to follow it.

                20 hours ago coffee stopped having an effect on my alertness... it only makes me shake more.

                • 5. Re: SSL & Authorization
                  jim Newbie

                  You need to create a truststore. The exception is telling you that the server you are connecting to probably self-generated its certificate. So you can set up a truststore containing the public keys for anyone you trust.
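
A diagnostic for the truststore setup discussed in this thread, added here as an example and not code posted by any participant: it resolves the truststore the JVM would use, reports how many trust anchors it yields, and optionally attempts a handshake against a host and port using only that store. The class name `TrustStoreCheck` and the optional `host port` arguments are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;
// Added diagnostic (hypothetical class name), not code from the thread.
// Run: java -Djavax.net.ssl.trustStore=<truststore> TrustStoreCheck [host port]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Resolve the truststore as JSSE does by default: the system
        // property first, then jssecacerts, then cacerts under java.home.
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            if (System.getProperty("javax.net.ssl.keyStore") != null) {
                // The mix-up described in reply 4: keyStore holds this side's
                // own identity and is not used to validate the server.
                System.out.println("WARNING: keyStore set, trustStore not set");
            }
            File dir = new File(System.getProperty("java.home"), "lib/security");
            File jsse = new File(dir, "jssecacerts");
            path = (jsse.exists() ? jsse : new File(dir, "cacerts")).getPath();
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println(path + ": " + tm.getAcceptedIssuers().length + " trust anchors");
        if (args.length < 2) return;   // offline mode: report the store only
        // Handshake against the given endpoint using only that truststore.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check host name
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK, chain validated");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

A "PKIX path building failed" message from the handshake step means none of the reported trust anchors leads to the server's certificate, which is the condition shown in the stack trace above.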