2 Replies Latest reply: Jul 11, 2012 10:42 AM by Alessio Soldano RSS

    CXF SSL Client to Register an WS-T participant

    grunchitog Newbie

      Hi!

       

      I'm developing an application that needs to sync two different web services on both .NET and J2EE platform, using JBoss AS 7. I've already created all the WS-T stuff (MSTDC on .NET, WS-AT wsdl, JBOSSTS with XTS configuration, handlers for the J2EE services, etc).

       

      After a lot of reading, all seems to be working fine.., except for just one las thing. When the JaxWSHeaderContextProcessor receives the request with an incoming transaction, it detects it ok and tries to register on MSTDC service as a participant. MS requires this communication to be done with SSL and sends the coordinator URL as https.

       

      At this moment, JBoss initates the communication with this endpoint creating a CXF client, but when sending the register message, fails throwing an SSL exception pasted at the end of this post.

       

      I've configured the standalone-xts.xml with system properties and the corresponding certificates (both signing and trustore, paired with the MSTDC configuration so there is mutual trust between Jboss and .NET).

      I've also tried by creating the cxf.xml configuration on WEB-INF/classes and setting it by parameter (on standalone.sh as -Dcxf.config.file) without success.

       

      Finally, trying to detect where could be the problem, I've downloaded Apache CXF source (2.4.6 version, same as included on JBoss) and debugged it to see how the HttpConduit is being configured. To test it, I've setted the attribute "disableCNCheck="true", but on debug time, the HttpConduit used to send the message to MSDTC has that property setted to false.

       

      At this point, it seems clear to me that CXF is ignoring my configuration for the dynamic client. ¿Any clues on what i could be doing wrong? ¿Could be that JBoss is ignoring the cxf configuration? I'm running out of ideas .

       

      Thanks in advance!

       

      Here is my cxf configuration file:

       

       

       <http:conduit name="*.http-conduit">
      
      
                   <http:tlsClientParameters disableCNCheck="true">
                      <sec:keyManagers keyPassword="123456">
                           <sec:keyStore type="JKS" password="123456"
                                file="C:\\wsat.keystore"/>
                      </sec:keyManagers>
                      <sec:trustManagers>
                          <sec:keyStore type="JKS" password="123456"
                               file="C:\\wsat.truststore"/>
                      </sec:trustManagers>
                      <sec:cipherSuitesFilter>
                        <!-- these filters ensure that a ciphersuite with
                          export-suitable or null encryption is used,
                          but exclude anonymous Diffie-Hellman key change as
                          this is vulnerable to man-in-the-middle attacks -->
                        <sec:include>.*_EXPORT_.*</sec:include>
                        <sec:include>.*_EXPORT1024_.*</sec:include>
                        <sec:include>.*_WITH_DES_.*</sec:include>
                      <sec:include>.*_WITH_AES_.*</sec:include>
                        <sec:include>.*_WITH_NULL_.*</sec:include>
                        <sec:exclude>.*_DH_anon_.*</sec:exclude>
                      </sec:cipherSuitesFilter>
                  </http:tlsClientParameters>
            <http:client AutoRedirect="true" Connection="Keep-Alive"/>
      
      
         </http:conduit>
      
      

       

      And finally the exception:

       

      [org.apache.cxf.phase.PhaseInterceptorChain] (http--127.0.0.1-8080-1) Inter

      ceptor for {http://docs.oasis-open.org/ws-tx/wscoor/2006/06}RegistrationService#{http://docs.oasis-o

      pen.org/ws-tx/wscoor/2006/06}RegisterOperation has thrown exception, unwinding now: org.apache.cxf.i

      nterceptor.Fault: Could not send Message.

              at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handle

      Message(MessageSenderInterceptor.java:64)

              at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

              at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)

              at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)

              at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)

              at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)

              at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)

              at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)

              at $Proxy102.registerOperation(Unknown Source)  at com.arjuna.wsc11.RegistrationCoordinator.

      register(RegistrationCoordinator.java:54) [jbossxts-4.16.2.Final.jar:]

              at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.registerParticipant(Transaction

      ManagerImple.java:156) [jbossxts-4.16.2.Final.jar:]

              at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.enlistForDurableTwoPhase(Transa

      ctionManagerImple.java:41) [jbossxts-4.16.2.Final.jar:]

              at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.createMapping(InboundBridgeManage

      r.java:140) [jbosstxbridge-4.16.2.Final.jar:]

              at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.getInboundBridge(InboundBridgeMan

      ager.java:77) [jbosstxbridge-4.16.2.Final.jar:]

              at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleInbound(JaxWSTxInbou

      ndBridgeHandler.java:93) [jbosstxbridge-4.16.2.Final.jar:]

              at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleMessage(JaxWSTxInbou

      ndBridgeHandler.java:59) [jbosstxbridge-4.16.2.Final.jar:]

              at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.

      java:335)

              at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.j

      ava:253)

              at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvok

      er.java:131)

              at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandle

      rInterceptor.java:168)

              at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterce

      ptor.java:123)

              at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterce

      ptor.java:70)

              at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

              at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:1

      21)

              at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java

      :207)

              at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)

              at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169

      )

              at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)

              at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.ja

      va:185)

              at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)

       

       

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-

      1.0.0.Final.jar:1.0.0.Final]

              at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)

              at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.G

      A.jar:2.0.3.GA]

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-

      1.0.0.Final.jar:1.0.0.Final]

              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j

      ava:329) [jbossweb-7.0.13.Final.jar:]

              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)

      [jbossweb-7.0.13.Final.jar:]

              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbos

      sweb-7.0.13.Final.jar:]

              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbos

      sweb-7.0.13.Final.jar:]

              at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)

      [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]

              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociati

      onValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7

      .0.13.Final.jar:]

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7

      .0.13.Final.jar:]

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossw

      eb-7.0.13.Final.jar:]

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0

      .13.Final.jar:]

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.

      13.Final.jar:]

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja

      va:671) [jbossweb-7.0.13.Final.jar:]

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.

      Final.jar:]

              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_29]

      Caused by: javax.net.ssl.SSLException: SSLException invoking https://localhost/WsatService/

      Registration/Coordinator11/: Unrecognized SSL message, plaintext connection?

              at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.6.0_29]

              at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:

      39) [rt.jar:1.6.0_29]

              at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorIm

      pl.java:27) [rt.jar:1.6.0_29]

              at java.lang.reflect.Constructor.newInstance(Constructor.java:513) [rt.jar:1.6.0_29]

              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.ja

      va:1430)

              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415

      )

              at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)

              at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)

              at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handle

      Message(MessageSenderInterceptor.java:62)

              ... 47 more

      Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

              at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:523) [jsse.

      jar:1.6]

              at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:355) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830) [jsse.jar:1

      .6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:117

      0) [jsse.jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197) [jsse.

      jar:1.6]

              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181) [jsse.

      jar:1.6]

              at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) [jsse.jar:1.6]

              at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHtt

      psURLConnection.java:166) [jsse.jar:1.6]

              at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)

      [rt.jar:1.6.0_29]

              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.

      java:230) [jsse.jar:1.6]

              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(H

      TTPConduit.java:1367)

              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.ja

      va:1309)

              at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)

              at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:

      69)

              at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1387

      )

              ... 50 more

       

       

      09:56:07,506 ERROR [org.jboss.jbossts.txbridge] (http--127.0.0.1-8080-1) com.arjuna.wst.SystemExcept

      ion: javax.xml.ws.WebServiceException: Could not send Message.

       

       

        • 1. Re: CXF SSL Client to Register an WS-T participant
          grunchitog Newbie

          Sorry guys,

           

          This is the right exception:

           

          [org.apache.cxf.phase.PhaseInterceptorChain] (http-127.0.0.1-127.0.0.1-8080

          -1) Interceptor for {http://docs.oasis-open.org/ws-tx/wscoor/2006/06}RegistrationService#{http://doc

          s.oasis-open.org/ws-tx/wscoor/2006/06}RegisterOperation has thrown exception, unwinding now: org.apa

          che.cxf.interceptor.Fault: Could not send Message.

                  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handle

          Message(MessageSenderInterceptor.java:64)

                  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

                  at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)

                  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)

                  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)

                  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)

                  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)

                  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)

                  at $Proxy102.registerOperation(Unknown Source)  at com.arjuna.wsc11.RegistrationCoordinator.

          register(RegistrationCoordinator.java:54) [jbossxts-4.16.2.Final.jar:]

                  at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.registerParticipant(Transaction

          ManagerImple.java:156) [jbossxts-4.16.2.Final.jar:]

                  at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.enlistForDurableTwoPhase(Transa

          ctionManagerImple.java:41) [jbossxts-4.16.2.Final.jar:]

                  at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.createMapping(InboundBridgeManage

          r.java:140) [jbosstxbridge-4.16.2.Final.jar:]

                  at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.getInboundBridge(InboundBridgeMan

          ager.java:77) [jbosstxbridge-4.16.2.Final.jar:]

                  at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleInbound(JaxWSTxInbou

          ndBridgeHandler.java:93) [jbosstxbridge-4.16.2.Final.jar:]

                  at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleMessage(JaxWSTxInbou

          ndBridgeHandler.java:59) [jbosstxbridge-4.16.2.Final.jar:]

                  at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.

          java:335)

                  at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.j

          ava:253)

                  at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvok

          er.java:131)

                  at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandle

          rInterceptor.java:168)

                  at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterce

          ptor.java:123)

                  at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterce

          ptor.java:70)

                  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

                  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:1

          21)

                  at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java

          :207)

                  at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)

                  at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169

          )

                  at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)

                  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.ja

          va:185)

                  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)

           

           

                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-

          1.0.0.Final.jar:1.0.0.Final]

                  at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)

                  at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.G

          A.jar:2.0.3.GA]

                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-

          1.0.0.Final.jar:1.0.0.Final]

                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j

          ava:329) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)

          [jbossweb-7.0.13.Final.jar:]

                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbos

          sweb-7.0.13.Final.jar:]

                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbos

          sweb-7.0.13.Final.jar:]

                  at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)

          [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]

                  at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociati

          onValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7

          .0.13.Final.jar:]

                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7

          .0.13.Final.jar:]

                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossw

          eb-7.0.13.Final.jar:]

                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0

          .13.Final.jar:]

                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.

          13.Final.jar:]

                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja

          va:671) [jbossweb-7.0.13.Final.jar:]

                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.

          Final.jar:]

                  at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_29]

          Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '403: Forbidden' when communic

          ating with https://localhost/WsatService/Registration/Coordinator11/

                  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTP

          Conduit.java:1554)

                  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.

          java:1493)

                  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1401

          )

                  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)

                  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)

                  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handle

          Message(MessageSenderInterceptor.java:62)

                  ... 47 more

           

           

          11:43:17,289 ERROR [org.jboss.jbossts.txbridge] (http-127.0.0.1-127.0.0.1-8080-1) com.arjuna.wst.Sys

          temException: javax.xml.ws.WebServiceException: Could not send Message.

          • 2. Re: CXF SSL Client to Register an WS-T participant
            Alessio Soldano Master

            Unless the current thread bus is explicitely configured with a specific httpconduit, the JBossWS-CXF integration stack has the CXF 'useHttpsURLConnectionDefaultSslSocketFactory' flag set to true, to have a neutral SSL client behavior as per HttpsURLConnection defaults. So you should be able to rely on the usual javax.net.ssl.* system properties. Moreover, you can use the org.jboss.security.ignoreHttpsHost system property to set 'disableCNCheck' flag to true.

             

            Besides setting a given thread bus for your client, you can also programmatically configure the conduit for the proxy, using Apache CXF ClientProxy.getClient().getConduit() ...