  • HttpInvoker Security Issues

    hi,

    we are in the process of developing a warehouse management system using spring + hibernate + swing.

    we are very pleased with using httpInvoker as a remoting solution.

    however, my boss has raised a question regarding the security of using such a remoting technique.

    we are already using acegi security with basic authentication to filter access to remote services.

    however, since it is using http for transport, could the data in transit possibly be compromised, as in being eavesdropped on etc., since it is not encrypted to the best of my understanding?

    if this is really the case, is it possible for us to use maybe ssl (i.e. over https) to rectify this situation?

    we would be very grateful for any advice given.

    thank you

  • #2
    I'm interested in this too... I'm writing a rich client and for intranet usage http is fine, but for remote users I really need ssl encryption... I can't find anything on the user guide about this matter...

    • #3
      httpInvoker has support for Jakarta Commons HttpClient. You can configure the latter using CommonsHttpInvokerRequestExecutor.
      HTH

      • #4
        Nice. Just for the record, is it possible to use ssl along with burlap or hessian?

        • #5
          hi Omar,

          I have tried out your suggestions. Below I have detailed what I have done.

          enable ssl on tomcat
          --------------------------
          keytool -genkey -alias tomcat -keyalg RSA -keystore D:/jakarta-tomcat-4.1.29/keystore -storepass changeit

          uncommented https support in tomcat's server.xml

          client side (bean definition)
          --------------------------------
          <bean id="importBookingFinderService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
            <property name="serviceInterface">
              <value>com.wms.services.booking.importBooking.importBookingFinder.ImportBookingFinder</value>
            </property>
            <property name="serviceUrl">
              <value>https://localhost:8443/wms/remoting/ImportBookingFinderService-httpinvoker</value>
            </property>
            <property name="httpInvokerRequestExecutor">
              <bean class="org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor"/>
            </property>
          </bean>

          Exception Occurred
          ----------------------
          javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
          at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
          at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
          ...

          Somehow I feel that I'm closer to getting it to work, but I may have missed out something important.

          We are very grateful for any help you can give.

          thank you

          • #6
            Well,

            Judging by the exception you are getting, your truststore is not set up
            correctly. Make sure the server's SSL certificate is in your client SSL truststore. You can specify the truststore to use on the cmd line or in
            a properties file, I believe.

            Greetings
            Leo

            • #7
              hi leo,

              thank you for your valuable advice.

              I have tried to import the server certificate as a trusted keystore, but I am not too sure what I am doing is correct.

              Steps
              -------
              Open "https://localhost:8443/wms/jsp/index.jsp" in IE.
              Click on the "Lock" icon found on the bottom right corner
              Export the certificate as "tomcat.cer"
              Run the cmd "keytool -import -alias tomcat -file tomcat.cer"

              However, I still have the same exception, so most probably what I am doing isn't correct at all.

              We would be grateful if you could show us how we can install the certificate in the client keystore correctly.

              thank you very much.

              • #8
                Hi,

                Well, I am not fully aware of where the exception you have happened;
                maybe post the whole stacktrace of the exception for clarification.

                Secondly, the exception is not caused by IE, so therefore importing it
                into the key/trust store of IE is not going to help. My guess is you have
                to import it into the trust store file used by the Java VM which is running
                your program. You can do this by setting the property on startup or
                through your code.

                Greetz
                Leo

                • #9
                  hi leo,

                  thank you for your prompt reply.

                  I guess my problem is that I do not know how to get the certificate from the server and add it to the keystore that will be used by Java on the client side.

                  If you could tell me how it could be done, I would be most grateful.

                  below is a stack trace of another similar service

                  thank you very much

                  org.springframework.remoting.RemoteAccessException: Cannot access HTTP invoker remote service at [https://localhost:8443/wms/remoting/...-httpinvoker]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
                  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
                  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
                  at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1344)
                  at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
                  at java.io.BufferedOutputStream.flush(Unknown Source)
                  at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:775)
                  at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1356)
                  at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2252)
                  at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2632)
                  at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1065)
                  at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:643)
                  at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:497)
                  at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.executePostMethod(CommonsHttpInvokerRequestExecutor.java:120)
                  at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.doExecuteRequest(CommonsHttpInvokerRequestExecutor.java:87)
                  at org.springframework.remoting.httpinvoker.AbstractHttpInvokerRequestExecutor.executeRequest(AbstractHttpInvokerRequestExecutor.java:67)
                  at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:86)
                  at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:60)
                  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:138)
                  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:152)
                  at $Proxy0.findUserById(Unknown Source)
                  at test.com.wmsClient.UserTest.testUserFind(UserTest.java:24)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at junit.framework.TestCase.runTest(TestCase.java:154)
                  at junit.framework.TestCase.runBare(TestCase.java:127)
                  at junit.framework.TestResult$1.protect(TestResult.java:106)
                  at junit.framework.TestResult.runProtected(TestResult.java:124)
                  at junit.framework.TestResult.run(TestResult.java:109)
                  at junit.framework.TestCase.run(TestCase.java:118)
                  at junit.framework.TestSuite.runTest(TestSuite.java:208)
                  at junit.framework.TestSuite.run(TestSuite.java:203)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:421)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:305)
                  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:186)
                  Caused by: sun.security.validator.ValidatorException: No trusted certificate found
                  at sun.security.validator.SimpleValidator.buildTrustedChain(Unknown Source)
                  at sun.security.validator.SimpleValidator.engineValidate(Unknown Source)
                  at sun.security.validator.Validator.validate(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
                  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
                  ... 41 more

                  • #10
                    Ok,

                    Yes, definitely you need a server SSL certificate somehow and the client
                    needs to know about it. For some more info on SSL in Java applications
                    check out the bottom of the page on this link:

                    http://forum.java.sun.com/thread.jsp...676&tstart=270

                    Greetz
                    Leo

                    • #11
                      hi leo,

                      thanks again for your reply.

                      will try it out and if successful will post the result here.

                      thank you.

                      • #12
                        Use HTTPS for your transport-layer security. Use Acegi Security and BASIC authentication for your application-layer security.

                        No need to use Jakarta Commons HttpInvoker. I looked at it when writing some integration, but personally found it added too much complexity for the expected benefit.

                        I assume you're already doing so, but CVS has a class, net.sf.acegisecurity.ui.httpinvoker.AuthenticationSimplehttpInvoker, which will help set the BASIC authentication headers.

                        • #13
                          Ben, thank you, in fact that's exactly what I'm doing (trying to do, at least). I'll look at the class in CVS, in fact I'm using a version that uses the commons http client that has been posted on the forums some time ago.

                          • #14
                            hi,

                            just like to thank all of you who have replied to my queries.

                            I finally got it to work. Just as I promised, I have listed down what is to be done to get SSL working for httpInvoker.

                            enable ssl on tomcat
                            --------------------------
                            keytool -genkey -alias tomcat -keyalg RSA -keystore D:/jakarta-tomcat-4.1.29/keystore -storepass changeit

                            uncommented https support in tomcat's server.xml

                            client side (bean definition)
                            --------------------------------
                            <bean id="importBookingFinderService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
                              <property name="serviceInterface">
                                <value>com.wms.services.booking.importBooking.importBookingFinder.ImportBookingFinder</value>
                              </property>
                              <property name="serviceUrl">
                                <value>https://localhost:8443/wms/remoting/ImportBookingFinderService-httpinvoker</value>
                              </property>
                              <property name="httpInvokerRequestExecutor">
                                <bean class="org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor"/>
                              </property>
                            </bean>

                            Export the server certificate
                            ---------------------------------
                            Open "https://localhost:8443/wms/jsp/index.jsp" in IE.
                            Click on the "Lock" icon found on the bottom right corner
                            Export the certificate as "tomcat.cer"

                            Import the server certificate into client
                            ---------------------------------------------
                            Run the cmd "keytool -import -keystore C:/j2sdk1.4.2_06/jre/lib/security/cacerts -alias tomcat -file tomcat.cer"

                            UnitTestCase Setup
                            -----------------------
                            public class UserTest extends ContextAwareTestCase {
                                public void testUserFind() {
                                    // tell the JVM which truststore holds the imported server certificate
                                    System.setProperty("javax.net.ssl.trustStore", "C:/j2sdk1.4.2_06/jre/lib/security/cacerts");

                                    UserService userService = (UserService) this.context.getBean("httpInvokerProxy");
                                    try {
                                        userService.findUserById(new Integer(1));
                                    } catch (FindException e) {
                                        // thrown by the remote service itself: the SSL call got through but the lookup failed
                                        e.printStackTrace();
                                        Assert.fail();
                                    } catch (Exception e) {
                                        // anything else (e.g. SSLHandshakeException) means the remoting/SSL setup is wrong
                                        e.printStackTrace();
                                        Assert.fail();
                                    }
                                }
                            }

                            Important Notes
                            -------------------
                            - CommonsHttpInvokerRequestExecutor is required to support ssl
                            - System.setProperty("javax.net.ssl.trustStore","C:/j2sdk1.4.2_06/jre/lib/security/cacerts"); is required to tell the jvm where to look for the trustStore, mine was defaulted to null.


                            Further Queries
                            ------------------
                            - Would it still work if I have installed a real server certificate from a CA like Verisign etc., without specifying System.setProperty("javax.net.ssl.trustStore","C:/j2sdk1.4.2_06/jre/lib/security/cacerts");?
                            - Also, is there a better way to get the certificate from the server instead of using IE?

                            thank all of you for your help.

                            • #15
                              To avoid sun.security.validator.ValidatorException, your server SSL certificate must be signed by a certificate already trusted by the client-side $JAVA_HOME\lib\security\cacerts. You can add a self-signed certificate (as your docs described) or have your server certificate signed by a CA already in the cacerts file (e.g. Verisign).

                              You might find this file helpful, as it uses keytool rather than IE (BTW, try Firefox instead!): http://cvs.sourceforge.net/viewcvs.p...=1.1&view=auto

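As an added example (not code posted in this thread), the Java program below runs the same client-side trust check that the JSSE handshake performs in posts #9 and #15: the exported server certificate is rejected against the JVM's default truststore and accepted once it is imported, and the trust is then persisted in a dedicated truststore rather than by editing the JRE's cacerts as post #14 does. It assumes tomcat.cer was exported as described in post #14; the file name client-truststore.jks and the class name are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not code from this thread. Assumes tomcat.cer is the server
// certificate exported as in post #14 (DER or PEM X.509); client-truststore.jks is a hypothetical name.
public class ClientTrustStoreDemo {

    /** Read the exported server certificate from disk. */
    static X509Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Programmatic "keytool -import": a JKS store holding one trusted certificate. */
    static KeyStore buildTrustStore(X509Certificate cert, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // start from an empty store
        ks.setCertificateEntry(alias, cert); // trusted-cert entry, no private key
        return ks;
    }

    /**
     * The check JSSE runs during the handshake. A null trustStore selects the JVM
     * default (javax.net.ssl.trustStore, else the JRE's cacerts). Throws
     * CertificateException when no trust anchor in the store covers the chain.
     */
    static void checkServerTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String certFile = args.length > 0 ? args[0] : "tomcat.cer";
        String storeFile = "client-truststore.jks";
        char[] storePass = "changeit".toCharArray();
        X509Certificate serverCert = loadCertificate(certFile);
        X509Certificate[] chain = { serverCert };

        // 1. Against the JVM default truststore a self-signed Tomcat cert fails just
        //    like the thread's handshake; a cert issued by a CA already in cacerts
        //    passes here, which is why the trustStore property is unnecessary then.
        try {
            checkServerTrusted(null, chain);
            System.out.println("default truststore already trusts the server cert");
        } catch (CertificateException e) {
            System.out.println("default truststore rejects it: " + e.getMessage());
        }

        // 2. Once the certificate is imported, the same chain validates.
        KeyStore trusted = buildTrustStore(serverCert, "tomcat");
        checkServerTrusted(trusted, chain);
        System.out.println("trusted after import: " + serverCert.getSubjectX500Principal());

        // 3. Persist a dedicated truststore and point the JVM at it instead of
        //    editing the JRE's own cacerts file as post #14 does.
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            trusted.store(out, storePass);
        }
        System.setProperty("javax.net.ssl.trustStore", storeFile);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(storePass));
    }
}
```

The two System.setProperty calls at the end are what post #14 does by hand; with the separate file, the remoting client can be started with -Djavax.net.ssl.trustStore=client-truststore.jks and the JDK's cacerts stays untouched.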