  • Can't get SSL with X509 working with 1.5.7

    I have been trying for several days to get SSL working with certs in a keystore, without success. Any help or suggestions will be greatly appreciated.

    First, I created a web service and got it working straight-up, without ssl using AbstractMarshallingPayloadEndpoint with an XMLBeans based implementation.

    Then I attempted to add SSL Security:

    Note: I am using the same keystore and certs for both server side and client side for now, just to keep it simple.

    The server side config:
    Code:
      <bean id="folderEndpoint" class="com.hrworx.formworx.ws.endpoint.folder.FolderEndpoint">
        <property name="entitiesService">
          <ref bean="serviceEntities" />
        </property>
        <property name="folderService">
          <ref bean="serviceFolder" />
        </property>
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
      </bean>
    
      <bean
        class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
        <property name="mappings">
          <props>
            <prop key="{http://hrworx.com}CreateAccountRequest">folderEndpoint</prop>
          </props>
        </property>
        <property name="interceptors">
          <list>
            <ref local="wsSecurityInterceptor" />
            <bean
              class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
          </list>
        </property>
      </bean>
    
      <bean id="folderWebService"
        class="org.springframework.ws.wsdl.wsdl11.DynamicWsdl11Definition">
        <property name="builder">
          <bean
            class="org.springframework.ws.wsdl.wsdl11.builder.XsdBasedSoap11Wsdl4jDefinitionBuilder">
            <property name="schema"
              value="classpath:com/hrworx/formworx/model/xsd/AccountService.xsd" />
            <property name="portTypeName" value="Folder" />
            <property name="locationUri" value="/folderService/" />
            <property name="targetNamespace" value="http://hrworx.com/definitions" />
          </bean>
        </property>
      </bean>
    
    
      <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
    
      <!-- Security -->
    
      <!-- Server Side  -->
      <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml" />
        <property name="callbackHandlers">
          <list>
            <ref bean="keyStoreHandler" />
          </list>
        </property>
      </bean>
      
      <bean id="keyStoreHandler"
        class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
        <property name="trustStore" ref="trustStore" />
        <property name="keyStore" ref="keyStore" />
        <property name="privateKeyPassword" value="xxx" />
      </bean>
    
      <bean id="trustStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    
    
      <bean id="keyStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    Server side policy file:

    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
      <xwss:RequireSignature requireTimestamp="false" />
    </xwss:SecurityConfiguration>
    On the client side I have:

    Code:
     <bean id="wsclientFolder"
        class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
        <property name="defaultUri"
          value="http://localhost:8080/formworx-ws/folderService" />
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
      </bean>
    
      <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml" />
        <property name="callbackHandlers">
          <list>
            <ref bean="keyStoreHandler" />
          </list>
        </property>
      </bean>
    
      <bean id="keyStoreHandler"
        class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
        <property name="trustStore" ref="trustStore" />
        <property name="keyStore" ref="keyStore" />
        <property name="privateKeyPassword" value="xxx" />
      </bean>
    
      <bean id="trustStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    
    
      <bean id="keyStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    
      <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
    With a security policy of:
    Code:
    <xwss:SecurityConfiguration dumpMessages="true"
      xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
      <xwss:Sign id="signature" includeTimestamp="false">
        <xwss:X509Token certificateAlias="hrworxserver" />
      </xwss:Sign>
      
    </xwss:SecurityConfiguration>
    With this configuration I get:
    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ SignaturePolicy(P) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ SignaturePolicy(P) ]:  No Security Header found
    I actually traced this in the Spring code as far as XwsSecurityInterceptor.validateMessage, which fails on the line:
    SOAPMessage result = processor.verifyInboundMessage(context);

    When I set a breakpoint at this point and look at the value of the header of soapMessage it is:
    [SOAP-ENV:Header: null]

    so, OK, let's try to jam a header in there sideways somehow:

    I extended AbstractValidatingInterceptor (called SoapMessageClientInterceptor) and created the following method implementation:

    Code:
     public boolean handleRequest(MessageContext messageContext)
            throws WebServiceClientException
        {
            SoapMessage soapMessage = (SoapMessage)messageContext.getRequest();
            SoapHeader soapHeader = soapMessage.getSoapHeader();
            // wsse:Security header element (WS-Security 1.0 secext namespace); added empty, nothing is signed
            QName securityHeader = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security", "wsse");
            SoapHeaderElement headerElement = soapHeader.addHeaderElement(securityHeader);
            headerElement.setMustUnderstand(false);
            return true;
        }
    I have no idea if that QName is right, but I got it from here:
    https://xwss.dev.java.net/Securing_J...bServices.html

    After adding it to my extended version of WebServiceGatewaySupport:

    Code:
     private void initializeWebServiceCommunications()
        {
            // Replaces the JVM-wide default hostname verifier for every HttpsURLConnection in this process
            HostnameVerifier hv = new LocalHostNameVerifier();
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
    
            registerInterceptor();
        }
    
        // Registers the header-adding interceptor on the gateway's WebServiceTemplate
        private void registerInterceptor()
        {
            ClientInterceptor[] interceptors = new ClientInterceptor[1];
            ClientInterceptor interceptor = new SoapMessageClientInterceptor();
            interceptors[0] = interceptor;
            getWebServiceTemplate().setInterceptors(interceptors);
        }
    I now get a new exception:

    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy  ] specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy  ] specified than present in the message
    I don't know where to go with this next. I have read on various posts about a lot of incompatibilities between various jar versions, but have not seen a definitive post about what should or should not be used. I wanted to add the dependencies from my pom and my keystore configuration, but that made the post exceed the maximum 10000 characters.

  • #2
    I have been trying for several days to get SSL working with certs in a keystore, without success. Any help or suggestions will be greatly appreciated.
    I have actually been fighting with the same thing this week. Oddly, I am getting a different error than you are. While my attempt looks quite similar to yours, I am actually receiving this error:

    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed;
    When I enable logging on the server, I see the following error:

    Code:
    May 29, 2009 4:33:35 PM com.sun.xml.wss.impl.dsig.SignatureProcessor verify
    SEVERE: WSS1315: Signature Verification Failed
    May 29, 2009 4:33:35 PM com.sun.xml.wss.impl.dsig.SignatureProcessor verify
    SEVERE: WSS1338: Error occured in verifying the signature
    See this thread:
    http://forum.springsource.org/showthread.php?t=69558

    I can upload some sample code if that helps; but I'm not sure how code which results in a slightly different manner is helpful.

    Good luck,
    -Dave

    • #3
      sample code/ bad certs?

      Dave,

      I had already reviewed the post you suggest, but it did not get me going.

      It looks like you might be getting farther than me. I would like to see the sample code.

      It looks like your problem might be with the structure of your keystore or how you are doing your certs.

      I did my keystore according to the procedure here:
      http://www.informit.com/articles/art...07886&seqNum=1

      Ignore the bit about weblogic at the beginning of the article, everything in there is just plain java.

      Regards,
      Bob

      • #4
        It looks like you might be getting farther than me. I would like to see the sample code.
        I am not sure that is the case. I have attached a sample application. There is a client and a web service. I have been running it on Tomcat 6.0.14.

        Originally, I was using the Metro stack which I downloaded from here ( https://metro.dev.java.net/1.2/ ). However, I found that I could not import this library and pull in most necessities via Maven. The only exception was xmlsec, which I needed to track down as I was getting a ClassNotFound for com.sun.org.apache.xml.internal.security.Init. I downloaded that JAR file from here ( https://springframework.svn.sourcefo...ty/xmlsec/2.0/ ).

        The keystore I am using is included in the zip file. The password for the keystore is 'password'. The password for the only key ('dortman') is 'password'. I created the keystore using keytool from the 1.6.13 JDK. I invoked the following command:

        Code:
        keytool -genkey -keyalg rsa -alias dortman -keypass password -keystore dortman.jks -storepass password
        I actually have this same application working using Spring WSS. However, it seemed reasonable to have it work using XWS as well. It also seems reasonable that the two should work together without *too* much difficulty.

        If after revisiting the issue with XWS I make any progress, I'll be sure to update this thread. If you have any problems running the code I have attached, please let me know.

        Have fun,
        -Dave

        • #5
          Trying it under WSS4J

          Dave,

          I would be interested in seeing your wss4j example as well. I have tried to switch over and get essentially the same result. Maybe the problem is in my keystore, since it does look a good bit different from yours.

          Thanks for posting!

          Bob

          Here is my wss4j security configuration:

          Server Side:
          Code:
          <bean id="wsSecurityInterceptor"
              class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
              <property name="validationActions" value="Signature" />
              <property name="validationSignatureCrypto" ref="keyStore" />
              <property name="securementActions" value="NoSecurity" />
            </bean>
          
            <bean id="keyStore"
              class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
              <property name="keyStorePassword" value="xxx" />
              <property name="keyStoreLocation" value="classpath:hrworx.jks" />
            </bean>
          Client side:
          Code:
          <bean id="wsSecurityInterceptor"
              class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
              <property name="securementActions" value="Signature" />
              <property name="securementUsername" value="hrworxserver" />
              <property name="securementPassword" value="formworx" />
              <property name="securementSignatureCrypto" ref="keyStore" />
              <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
               <property name="validationActions" value="NoSecurity" />
            </bean>
          
            <bean id="keyStore"
              class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
              <property name="keyStorePassword" value="formworx" />
              <property name="keyStoreLocation" value="classpath:/hrworx.jks" />
            </bean>
          and the exception (essentially the same thing I was getting with XWS):
          Code:
          org.springframework.ws.soap.client.SoapFaultClientException: No WS-Security header found
          Your keystore looks like this:
          Code:
          Keystore type: jks
          Keystore provider: SUN
          
          Your keystore contains 1 entry
          
          Alias name: dortman
          Creation date: Jun 1, 2009
          Entry type: keyEntry
          Certificate chain length: 1
          Certificate[1]:
          Owner: CN=Dave Ortman, OU=Unknown, O=Vantage Consulting Group, L=Sacramento, ST=CA, C=US
          Issuer: CN=Dave Ortman, OU=Unknown, O=Vantage Consulting Group, L=Sacramento, ST=CA, C=US
          Serial number: 4a24667d
          Valid from: Mon Jun 01 17:38:37 CST 2009 until: Sun Aug 30 17:38:37 CST 2009
          Certificate fingerprints:
          	 MD5:  12:04:89:6F:C6:7F:09:EF:F9:97:D8:EE:A0:FF:90:61
          	 SHA1: 0C:72:9A:2D:5D:63:FA:82:1E:AB:5B:2E:A1:B3:55:67:DA:D0:61:32
          Mine looks like this:
          Code:
          Keystore type: jks
          Keystore provider: SUN
          
          Your keystore contains 3 entries
          
          Alias name: hrworxserver
          Creation date: May 29, 2009
          Entry type: keyEntry
          Certificate chain length: 3
          Certificate[1]:
          Owner: CN=formworx.hrworx.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Corporate, O=hrworx, L=Sterling, ST=Virginia, C=US
          Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Serial number: 2ed3a08e0f1a51e2f61bc8b3259e9457
          Valid from: Thu May 28 18:00:00 CST 2009 until: Fri Jun 12 17:59:59 CST 2009
          Certificate fingerprints:
          	 MD5:  41:45:3B:EB:62:3B:5A:5F:D4:3C:59:50:15:D9:42:0A
          	 SHA1: 60:1C:A9:D7:85:60:54:A8:9C:55:BB:F9:57:1F:95:FC:0A:25:0C:47
          Certificate[2]:
          Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
          Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sun Mar 31 17:59:59 CST 2019
          Certificate fingerprints:
          	 MD5:  71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
          	 SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
          Certificate[3]:
          Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Serial number: 168164a428ca12dfab12f19fb1b93554
          Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sat Mar 31 17:59:59 CST 2029
          Certificate fingerprints:
          	 MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
          	 SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
          
          
          *******************************************
          *******************************************
          
          
          Alias name: verisigndemointermediatecert
          Creation date: May 29, 2009
          Entry type: trustedCertEntry
          
          Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
          Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sun Mar 31 17:59:59 CST 2019
          Certificate fingerprints:
          	 MD5:  71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
          	 SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
          
          
          *******************************************
          *******************************************
          
          
          Alias name: verisigndemocert
          Creation date: May 29, 2009
          Entry type: trustedCertEntry
          
          Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
          Serial number: 168164a428ca12dfab12f19fb1b93554
          Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sat Mar 31 17:59:59 CST 2029
          Certificate fingerprints:
          	 MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
          	 SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36

          • #6
            Here is the same application using the WSS interceptor. It appears to work as expected.

            • #7
              Solved

              OK, many thanks to Dave Dortman for providing his examples. I now have my project working with both WSS4J and XWSS. The problem with both was an omitted property on the client bean which extends WebServiceGatewaySupport:

              Originally I had:
              Code:
              <bean id="wsclientFolder"
                  class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
                  <property name="defaultUri"
                    value="http://localhost:8080/formworx-ws/folderService" />
                  <property name="marshaller" ref="marshaller" />
                  <property name="unmarshaller" ref="marshaller" />
                </bean>
              but it should have been:
              Code:
              <bean id="wsclientFolder"
                  class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
                  <property name="defaultUri"
                    value="http://localhost:8080/formworx-ws/folderService" />
                  <property name="marshaller" ref="marshaller" />
                  <property name="unmarshaller" ref="marshaller" />
                  <property name="interceptors">
                    <list>
                      <ref bean="wsSecurityInterceptor-wss4j" />
                    </list>
                  </property>
                </bean>
              I left off the security interceptor that was supposed to sign the message. Doh! Where is the Homer Simpson Smiley?

              Anyway now I am off to really build out this web service. To anyone else following this path, I recommend the truly excellent tutorial at:
              http://gleichmann.wordpress.com/2009...uthentication/

              Cheers,
              Bob

              • #8
                Help

                Hey,

                This is a shot in the dark, but maybe you can/want to help me. I have been trying for some time now to secure a WS call. So far I have tried xws only, with no success. I just found your post, so I tried to do the same thing that you suggested and created a key using the same command. Anyway, by using the same configuration and the same method for generating the key, I couldn't make it work. I used the same key for client and server. The thrown message is:

                Code:
                com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
                I hope you can give me a hand with this, it's killing me.

                Best regards,

                OP

                • #9
                  Cert not found

                  Clearly your certificate is not being found. That probably means there is something incorrect in your configuration, but there is not enough information in the post. If you post your client and server side Spring configurations for the xws, perhaps someone will be able to see the problem.

                  You must configure a client that has security interceptor that has a keystore handler that points to the keystore.

                  As an aside, due to many other problems with xws, both I and the other poster here Dave gave up on xws and went to wss4j. It was the only way I could get all of the features such as encryption, timestamp, signing, etc. to work.

                  This SSL stuff is a real pain, you just have to be persistent.
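                  The keystore listings in #5 and the "certificate is not being found" / "Certificate validation failed" / "No X509Certificate was provided" errors in #2, #8 and #9 all come down to what the signing interceptor and its verifying counterpart find in the keystore and trust store. The class below is an added diagnostic written for this thread, not code from the posters or from Spring-WS: it loads the two JKS files with the plain java.security.KeyStore API and reruns the three checks those interceptors depend on (the alias is a key entry with a certificate chain, the end-entity certificate is within its validity period, the chain leads to a certificate in the trust store). The file names, passwords and alias in the usage comment (hrworx.jks, xxx, hrworxserver) are taken from Bob's configuration as assumptions; the trust handling (a trailing self-signed root is dropped from the path, a self-signed leaf is accepted only if that exact certificate is in the trust store) is this example's own logic, not a reproduction of how XWSS or WSS4J validate internally.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added diagnostic, not code from this thread or from Spring-WS. Reruns, outside the
 * interceptors, the keystore checks a WS-Security signature round trip depends on.
 *
 * Example invocation (file names, passwords and alias are assumptions taken from the thread):
 *   java KeyStoreCheck hrworx.jks xxx hrworxserver xxx hrworx.jks xxx
 */
public class KeyStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: KeyStoreCheck <keystore> <storepass> <alias> <keypass> <truststore> <trustpass>");
            System.exit(2);
        }
        KeyStore keyStore = load(args[0], args[1]);
        KeyStore trustStore = load(args[4], args[5]);
        System.out.println(check(keyStore, args[2], args[3].toCharArray(), trustStore));
    }

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());   // wrong store password fails here
        }
        return ks;
    }

    /** Returns a one-line summary on success; throws with the specific reason otherwise. */
    static String check(KeyStore keyStore, String alias, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        // 1. The signing alias must name a key entry; a trustedCertEntry has no private key.
        if (!keyStore.isKeyEntry(alias)) {
            throw new IllegalStateException("'" + alias + "' is not a key entry; aliases present: "
                    + Collections.list(keyStore.aliases()));
        }
        // A wrong key password surfaces here as UnrecoverableKeyException.
        PrivateKey key = (PrivateKey) keyStore.getKey(alias, keyPassword);
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("'" + alias + "' has a key but no certificate chain");
        }
        X509Certificate leaf = (X509Certificate) chain[0];

        // 2. Validity period: signing with an expired certificate still "works" on the client,
        //    the verifier is the side that rejects it.
        leaf.checkValidity(new Date());

        // 3. Trust: drop a trailing self-signed root from the path (it is an anchor, not a path
        //    element), then validate what is left against the trust store's trusted-cert entries.
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            if (x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                break;   // self-signed (subject == issuer, a heuristic sufficient here)
            }
            path.add(x);
        }
        if (path.isEmpty()) {
            // The leaf itself is self-signed (keytool -genkey): it verifies only if that exact
            // certificate is present in the trust store (key entry or trusted-cert entry).
            if (trustStore.getCertificateAlias(leaf) == null) {
                throw new IllegalStateException("self-signed cert for '" + alias + "' is not in the trust store");
            }
            return "OK: self-signed " + leaf.getSubjectX500Principal() + " is trusted directly";
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String a : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(a)) {
                anchors.add(new TrustAnchor((X509Certificate) trustStore.getCertificate(a), null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("trust store has no trustedCertEntry to anchor the chain");
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // no CRL/OCSP lookups for this offline check
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return "OK: " + key.getAlgorithm() + " key for " + leaf.getSubjectX500Principal()
                + " chains to " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
    }
}
```

                  Run it once with the client's keystore, alias and key password against the server's trust store, and once the other way round if responses are signed too. Two things the listings in #5 make visible are caught by it: a keystore produced with keytool -genkey holds a single self-signed key entry and no trustedCertEntry, so it only verifies when the same file also serves as the trust store, and a VeriSign trial certificate carries a validity window of about two weeks, after which checkValidity fails regardless of how the interceptors are wired.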

                  • #10
                    Config

                    Thank you for the quick response and for the fact that you responded. I already posted all the information related to my configuration. You can see it on this post:

                    http://forum.springsource.org/showth...702#post251702

                    Thank you for your time.

                    OP

                    • #11
                      Code:
                      org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy  ] specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy  ] specified than present in the message
                      I know it's an old thread, but my solution to the above problem was changing my client policy: I was missing the timestamp property.
                      The server expected a timestamp, so the client should add this to the message.
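                      Both XWSS faults in #1 ("No Security Header found", then "More Receiver requirements [ SignaturePolicy ] specified than present in the message" once a bare wsse:Security element had been added by hand) and the missing-timestamp case in #11 are the receiver comparing the parts present in the inbound security header with its policy. The class below is an added example, not part of this thread or of Spring-WS: it performs that structural comparison on a SOAP 1.1 envelope, such as the one dumpMessages="true" prints on the client, against a policy of the form &lt;xwss:RequireSignature requireTimestamp="..."/&gt;, and names the part that is missing. The three sample envelopes are constructed for illustration (token and signature contents are placeholders), and the class inspects structure only; it does not verify the signature.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Added example, not code from this thread or from Spring-WS. Compares the WS-Security
 * parts present in a SOAP 1.1 envelope with a receiver policy (signature required,
 * timestamp optionally required). Structure only: the signature is not verified.
 */
public class SecurityHeaderCheck {

    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";

    /** Returns a one-line diagnosis of the envelope against the given receiver policy. */
    static String diagnose(String envelope, boolean requireSignature, boolean requireTimestamp)
            throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // matching is by namespace URI, never by prefix
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));

        Element header = child(doc.getDocumentElement(), SOAP, "Header");
        Element security = header == null ? null : child(header, WSSE, "Security");
        if (security == null) {
            return "no wsse:Security header: the client sent the message unsecured";
        }
        boolean signature = child(security, DS, "Signature") != null;
        boolean token     = child(security, WSSE, "BinarySecurityToken") != null;
        boolean timestamp = child(security, WSU, "Timestamp") != null;
        if (requireSignature && !signature) {
            return "wsse:Security present but no ds:Signature: nothing was signed";
        }
        if (requireTimestamp && !timestamp) {
            return "signed but no wsu:Timestamp: receiver requires one, client did not add it";
        }
        return "header satisfies policy (signature=" + signature + ", binarySecurityToken=" + token
                + ", timestamp=" + timestamp + ")";
    }

    /** First direct child element of parent with the given namespace and local name, or null. */
    static Element child(Element parent, String ns, String local) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    // Constructed sample envelopes for illustration; token and signature contents are placeholders.
    static final String NO_HEADER =
          "<SOAP-ENV:Envelope xmlns:SOAP-ENV='" + SOAP + "'>"
        + "<SOAP-ENV:Body/></SOAP-ENV:Envelope>";

    // The hand-added, empty wsse:Security element from #1 as it appears on the wire.
    static final String EMPTY_SECURITY =
          "<SOAP-ENV:Envelope xmlns:SOAP-ENV='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
        + "<SOAP-ENV:Header><wsse:Security SOAP-ENV:mustUnderstand='0'/></SOAP-ENV:Header>"
        + "<SOAP-ENV:Body/></SOAP-ENV:Envelope>";

    // Signed with a token but without a timestamp (includeTimestamp="false" on the client).
    static final String SIGNED_NO_TIMESTAMP =
          "<SOAP-ENV:Envelope xmlns:SOAP-ENV='" + SOAP + "' xmlns:wsse='" + WSSE
        + "' xmlns:ds='" + DS + "'>"
        + "<SOAP-ENV:Header><wsse:Security>"
        + "<wsse:BinarySecurityToken>placeholder</wsse:BinarySecurityToken>"
        + "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>"
        + "</ds:Signature></wsse:Security></SOAP-ENV:Header>"
        + "<SOAP-ENV:Body/></SOAP-ENV:Envelope>";

    public static void main(String[] args) throws Exception {
        // Receiver policy from #1: signature required, timestamp not required.
        System.out.println(diagnose(NO_HEADER, true, false));
        System.out.println(diagnose(EMPTY_SECURITY, true, false));
        System.out.println(diagnose(SIGNED_NO_TIMESTAMP, true, false));
        // Receiver policy from #11: the server also expects a timestamp.
        System.out.println(diagnose(SIGNED_NO_TIMESTAMP, true, true));
    }
}
```

                      The four calls in main walk through the thread in order: no header at all, a header with nothing in it, a signed message that satisfies the #1 policy, and the same message failing once the receiver requires a timestamp. Each diagnosis points at the side that has to change; the first two are client wiring (the security interceptor is not in the gateway's interceptor list, or it is but does not sign), the last one is the client policy missing the timestamp.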

                      • #12
                        Regarding WSS4J

                        This is a great blog to understand about the security that can be implemented on WS.

                        Assuming a scenario where the server is using Spring-ws WSS4J and the client is totally different, maybe some other platform other than Spring-ws WSS4J: with this scenario in mind, how would the client need to work with the server?

                        Or can the client just know what the certificate/key is and then establish the communication with the server with the client's own logic for implementing the security?

                        One more doubt: if I put the keystore in the web server/application server itself, is it required to implement this security at application level, assuming the server is dedicated to the specific application?

                        Since I am in learning stage, I believe the above one is too abstract. Appreciate your response.
                        Last edited by ramspring; Sep 8th, 2012, 01:13 PM.
