I have additional info.
Although the first call succeeds, the second call fails even with a newly
created client object. Only after an application restart, in a new JVM, does
the first call succeed again, and any other call fails. I cannot find out why.
Regards
On 20.1.2014 09:46, Jakub Neubauer wrote:
Hi,
I'm facing an issue with the CXF client. I have a Java client generated from
WSDL. The WSDL contains RequireClientCertificate="true" in the Policy.
I'm calling a web service over HTTPS with client certificate
authentication. Although the HTTPS connection is established, and with
client certificate authentication (ensured with
-Djavax.net.debug=all), calling a WS method throws this exception:
-----------------------------
etc...
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://192.168.101.14/storefront90_cert/services/ProductionService.svc: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
    ... 14 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:117)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1680)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1264)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
    ... 24 more
-----------------------------
The strange thing is that the first call succeeded and the second
call fails with this exception (!) when reusing the same client object.
The second call is done in a different thread (but not in parallel with
the first call; the calls are effectively serial).
The client object is created as follows:
-----------------------------
// our custom ssl settings, with client cert auth in this case.
SSLSocketFactory sslSockF = createSSLSocketFactoryFromProperties(_properties);
ProductionService service = new ProductionService(
        new URL(myURL),
        new QName("http://portalbuilder.gmc.net/api/productionService",
                "ProductionService"));
port = service.getBasicHttpBindingIProductionService();
// attach the TLS settings to the HTTP conduit of the generated client proxy
Client client = ClientProxy.getClient(port);
HTTPConduit http = (HTTPConduit) client.getConduit();
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setDisableCNCheck(true); // skips hostname (CN) verification of the server certificate
tlsParams.setSSLSocketFactory(sslSockF);
http.setTlsClientParameters(tlsParams);
return port;
-----------------------------
We use CXF version 2.7.6.
Any suggestion?
Thank you