Sorry, this got replied to the wrong address.

-----Original Message-----
From: David Sills
Sent: Wednesday, October 19, 2011 7:06 AM
To: 'Daniel Kulp'
Subject: RE: HTTPS client configuration using JaxWsProxyFactoryBean

Daniel:

Many thanks for the suggestions. I have tried using

    factory.setEndpointName(new QName("http://of306.ws.abis.datasourceinc.com/", "Of306ServerPort"));

Given the configuration below, does that seem right? It did not work correctly.

I also tried several variations on your idea of calling the setAddress method and naming conventions, none of which have yet worked.

Further ideas? I have probably missed something....

David

-----Original Message-----
From: Daniel Kulp [mailto:dk...@apache.org]
Sent: Tuesday, October 18, 2011 1:35 PM
To: users@cxf.apache.org
Cc: David Sills
Subject: Re: HTTPS client configuration using JaxWsProxyFactoryBean

I think if you add a "factory.setEndpointName(....)" call to the appropriate qname used in the http:conduit, it should work.

Alternatively, if you setup the address on the factory prior to calling create (factory.setAddress(...)), you can configure the http conduit via something like:

<http:conduit name="https://blah.com:9000/.*">

(note the .* at the end to match all tails)

Dan

On Tuesday, October 18, 2011 11:18:24 AM David Sills wrote:
> All:
>
> Is it possible to configure the JaxWsProxyFactoryBean to use HTTPS? It looks as though it should be, but I can't quite figure out how to connect up the bits.
> I have added this to the Spring configuration file:
>
> <http:conduit name="{http://of306.ws.abis.datasourceinc.com/}Of306ServerPort.http-conduit">
>   <http:tlsClientParameters secureSocketProtocol="SSL">
>     <sec:keyManagers>
>       <sec:keyStore type="JKS" password="0ftobp8ssw0rd" file="C:/Java/jks/of306-truststore.jks"/>
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="0ftobp8ssw0rd" file="C:/Java/jks/of306-truststore.jks"/>
>     </sec:trustManagers>
>     <sec:cipherSuitesFilter>
>       <!-- these filters ensure that a ciphersuite with
>            export-suitable or null encryption is used,
>            but exclude anonymous Diffie-Hellman key change as
>            this is vulnerable to man-in-the-middle attacks -->
>       <sec:include>.*_EXPORT_.*</sec:include>
>       <sec:include>.*_EXPORT1024_.*</sec:include>
>       <sec:include>.*_WITH_DES_.*</sec:include>
>       <sec:include>.*_WITH_NULL_.*</sec:include>
>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
>     </sec:cipherSuitesFilter>
>   </http:tlsClientParameters>
>   <http:client AutoRedirect="true" Connection="Keep-Alive"/>
> </http:conduit>
>
> The name is (appropriately, I think) the namespace + port name + ".http-conduit".
> (I have also tried using "<sec:certStore file="C:/Java/jks/of306-truststore.jks"/>" under <sec:trustManagers>) However, when I try this:
>
>     JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
>     LoggingInInterceptor inInterceptor = new LoggingInInterceptor();
>     inInterceptor.setLimit(-1);
>     factory.getInInterceptors().add(inInterceptor);
>     LoggingOutInterceptor outInterceptor = new LoggingOutInterceptor();
>     outInterceptor.setLimit(-1);
>     factory.getOutInterceptors().add(outInterceptor);
>     factory.setServiceClass(Of306Service.class);
>     factory.setAddress(applicationConfig.getMessage("of306.service.url"));
> ****** ConduitSelector conduitSelector = factory.getConduitSelector();
>     Of306Service client = (Of306Service) factory.create();
>     PinValidationDataImpl data = new PinValidationDataImpl();
>     Of306 of306 = (Of306) command;
>     data.setPin(of306.getPin());
>     data.setSsn(of306.getSsn());
>     data.setDateOfBirth(formatter.format(of306.getDateOfBirth().getDate()));
>     ValidationOutcome outcome = client.validatePin(data);
>
> The ConduitSelector is null (which didn't surprise me too much, though it certainly looks in the HTTPS setup that it should "just work", as so much in Spring does). Do I need to set the ConduitSelector? Is it even possible to do so? Which type should be used?
>
> This is what the logging looks like - it looks as though it's possible it is getting the idea, in fact (and yes, the appropriate exported self-signed certificate is imported into the trust-store, before anyone asks):
>
> 2011-10-18 10:53:36,398 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleMessage on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@1a85a3b0
> 2011-10-18 10:53:36,400 INFO [org.apache.cxf.interceptor.LoggingOutInterceptor] - Outbound Message
> ---------------------------
> ID: 1
> Address: https://dsills-t1500:8300/dsi-services/secure/Of306Service
> Encoding: UTF-8
> Content-Type: text/xml
> Headers: {Accept=[*/*], SOAPAction=[""]}
> Messages: (message truncated to -1 bytes)
>
> Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:validatePin xmlns:ns1="http://of306.ws.abis.datasourceinc.com/"><validationData><pin>333333</pin><ssn>555827444</ssn><dateOfBirth>11/01/1953</dateOfBirth></validationData></ns1:validatePin></soap:Body></soap:Envelope>
> --------------------------------------
> 2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] - Accept: */*
> 2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] - SOAPAction: ""
> 2011-10-18 10:53:36,404 DEBUG [org.apache.cxf.transport.http.TrustDecisionUtil] - No Trust Decider for Conduit '{http://of306.ws.abis.datasourceinc.com/}Of306ServicePort.http-conduit'. An afirmative Trust Decision is assumed.
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@1a85a3b0
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxOutEndingInterceptor@553d26fd
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor@63d587bf
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.WrappedOutInterceptor$WrappedOutEndingInterceptor@c2ccccf
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.BareOutInterceptor@607e334
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.WrappedOutInterceptor@19451392
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor@2529c051
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxOutInterceptor@6234a1ed
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.AttachmentOutInterceptor@4323c852
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.LoggingOutInterceptor@341b8757
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor@7b527b7a
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor@6fd56e03
> 2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderOutFilterInterceptor@6d7300f9
> 2011-10-18 10:53:36,431 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassOutInterceptor@30d497f9
> 2011-10-18 10:53:36,431 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.SwAOutInterceptor@6428c5d6
> 2011-10-18 10:53:36,431 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.HolderOutInterceptor@5545757a
> 2011-10-18 10:53:36,431 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyOutInterceptor@60abe06e
> 2011-10-18 10:53:36,434 WARN [org.apache.cxf.phase.PhaseInterceptorChain] - Interceptor for {http://of306.ws.abis.datasourceinc.com/}Of306ServiceService#{http://of306.ws.abis.datasourceinc.com/}validatePin has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Could not send Message.
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>     at $Proxy84.validatePin(Unknown Source)
>     at com.datasourceinc.of306.controller.Of306Controller.validatePin(Of306Controller.java:187)
>     at com.datasourceinc.of306.controller.Of306Controller.onBindAndValidate(Of306Controller.java:147)
>     at org.springframework.web.servlet.mvc.AbstractWizardFormController.onBindAndValidate(AbstractWizardFormController.java:231)
>     at org.springframework.web.servlet.mvc.BaseCommandController.bindAndValidate(BaseCommandController.java:401)
>     at org.springframework.web.servlet.mvc.AbstractFormController.handleRequestInternal(AbstractFormController.java:266)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:788)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:717)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
>     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:662)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dsills-t1500:8300/dsi-services/secure/Of306Service: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

--
Daniel Kulp
dk...@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
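
Added example (not part of the original thread, and not CXF code): the posted configuration names the conduit "...Of306ServerPort.http-conduit", while the debug log shows the conduit CXF created as "...Of306ServicePort.http-conduit". This Python check compares the two, treating a configured name as applying when it equals the logged conduit name or, as in Dan's reply, matches the endpoint address as a regular expression. That matching rule is a simplified model, and the function names and embedded samples are constructed here from the values in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of CXF's http:conduit element (the thread omits the xmlns lines).
HTTP_NS = "http://cxf.apache.org/transports/http/configuration"
OF306_NS = "http://of306.ws.abis.datasourceinc.com/"

# Constructed sample: conduit name as posted in the Spring configuration.
SPRING_XML = (f'<beans xmlns:http="{HTTP_NS}">'
              f'<http:conduit name="{{{OF306_NS}}}Of306ServerPort.http-conduit"/>'
              '</beans>')

# Constructed sample: two lines taken from the posted debug log, unwrapped.
LOG = (
    "Address: https://dsills-t1500:8300/dsi-services/secure/Of306Service\n"
    "DEBUG [org.apache.cxf.transport.http.TrustDecisionUtil] - No Trust Decider "
    f"for Conduit '{{{OF306_NS}}}Of306ServicePort.http-conduit'.\n"
)

def configured_names(spring_xml):
    """Names of all <http:conduit> beans in a Spring/CXF configuration."""
    root = ET.fromstring(spring_xml)
    return [c.get("name") for c in root.iter(f"{{{HTTP_NS}}}conduit")]

def runtime_conduit(log_text):
    """(conduit bean name, endpoint address) as they appear in the CXF log."""
    name = re.search(r"Conduit\s+'([^']+\.http-conduit)'", log_text)
    addr = re.search(r"^Address:\s*(\S+)", log_text, re.MULTILINE)
    return (name and name.group(1), addr and addr.group(1))

def applies(config_name, bean_name, address):
    """Simplified model: exact bean-name match, or regex match on the address."""
    if config_name == bean_name:
        return True
    try:
        return bool(address) and re.fullmatch(config_name, address) is not None
    except re.error:
        return False

def unmatched(spring_xml, log_text):
    """Configured conduit names that would not be applied to the logged conduit."""
    bean, addr = runtime_conduit(log_text)
    return [n for n in configured_names(spring_xml) if not applies(n, bean, addr)]

if __name__ == "__main__":
    print("not applied:", unmatched(SPRING_XML, LOG))
```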