
Thread: HttpInvoker Security Issues

  1. #1

    HttpInvoker Security Issues

    hi,

    we are in the process of developing a warehouse management system using spring + hibernate + swing.

    we are very pleased with using httpInvoker as a remoting solution.

    however, my boss has raised a question regarding the security of using such a remoting technique.

    we are already using acegi security with basic authentication to filter access to remote services.

    however, since it uses http for transport, could the data in transit possibly be compromised, e.g. eavesdropped on, since, to the best of my understanding, it is not encrypted?

    if this is really the case, is it possible for us to use ssl (i.e. over https) to rectify this situation?

    we would be very grateful for any advice given.

    thank you

  2. #2

    I'm interested in this too... I'm writing a rich client and for intranet usage http is fine, but for remote users I really need ssl encryption... I can't find anything on the user guide about this matter...

  3. #3

    httpInvoker has support for Jakarta Commons HttpClient. You can configure the latter using CommonsHttpInvokerRequestExecutor.
    HTH
    Omar Irbouh

    Spring Modules Team
    http://irbouh.blogspot.com/

  4. #4

    Nice. Just for the record, is it possible to use ssl along with burlap or hessian?

  5. #5

    hi Omar,

    i have tried out your suggestions. below i have detailed what i have done.

    enable ssl on tomcat
    --------------------------
    keytool -genkey -alias tomcat -keyalg RSA -keystore D:/jakarta-tomcat-4.1.29/keystore -storepass changeit

    uncommented https support in tomcat's server.xml

    client side (bean definition)
    --------------------------------
    <bean id="importBookingFinderService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
        <property name="serviceInterface">
            <value>com.wms.services.booking.importBooking.importBookingFinder.ImportBookingFinder</value>
        </property>
        <property name="serviceUrl">
            <value>https://localhost:8443/wms/remoting/ImportBookingFinderService-httpinvoker</value>
        </property>
        <property name="httpInvokerRequestExecutor">
            <bean class="org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor"/>
        </property>
    </bean>

    Exception Occurred
    ----------------------
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
    ...

    somehow i feel that i'm closer to getting it to work, but i may have missed out something important.

    we are very grateful for any help you can give.

    thank you

  6. #6

    Well,

    Judging by the exception you are getting, your truststore is not set up
    correctly. Make sure the server's SSL certificate is in your client SSL truststore. You can specify the truststore to use on the command line or in
    a properties file, I believe.

    Greetings
    Leo


  7. #7

    hi leo,

    thank you for your valuable advice.

    i have tried to import the server certificate as a trusted keystore, but i am not too sure whether what i am doing is correct.

    Steps
    -------
    Open "https://localhost:8443/wms/jsp/index.jsp" in IE.
    Click on the "Lock" icon found on the bottom right corner
    Export the certificate as "tomcat.cer"
    Run the cmd "keytool -import -alias tomcat -file tomcat.cer"

    However, i still have the same exception, so most probably what i am doing isn't correct at all.

    we would be grateful if you show us how we can install the certificate in the client keystore correctly.

    thank you very much.

  8. #8

    Hi,

    Well, I am not fully aware of where the exception you have happened;
    maybe post the whole stack trace of the exception for clarification.

    Secondly, the exception is not caused by IE, so importing it
    into the key/trust store of IE is not going to help. My guess is you have
    to import it into the trust store file used by the Java VM which is running
    your program. You can do this by setting the property on startup or
    through your code.

    Greetz
    Leo


  9. #9

    hi leo,

    thank you for your prompt reply.

    i guess my problem is that i do not know how to get the certificate from the server and add it to the keystore that will be used by java on the client side.

    if you could tell me how it could be done, i would be most grateful.

    below is a stack trace of another similar service

    thank you very much

    org.springframework.remoting.RemoteAccessException: Cannot access HTTP invoker remote service at [https://localhost:8443/wms/remoting/...-httpinvoker]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1344)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:775)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1356)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2252)
    at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2632)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1065)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:643)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:497)
    at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.executePostMethod(CommonsHttpInvokerRequestExecutor.java:120)
    at org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor.doExecuteRequest(CommonsHttpInvokerRequestExecutor.java:87)
    at org.springframework.remoting.httpinvoker.AbstractHttpInvokerRequestExecutor.executeRequest(AbstractHttpInvokerRequestExecutor.java:67)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:86)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:60)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:138)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:152)
    at $Proxy0.findUserById(Unknown Source)
    at test.com.wmsClient.UserTest.testUserFind(UserTest.java:24)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at junit.framework.TestCase.runTest(TestCase.java:154)
    at junit.framework.TestCase.runBare(TestCase.java:127)
    at junit.framework.TestResult$1.protect(TestResult.java:106)
    at junit.framework.TestResult.runProtected(TestResult.java:124)
    at junit.framework.TestResult.run(TestResult.java:109)
    at junit.framework.TestCase.run(TestCase.java:118)
    at junit.framework.TestSuite.runTest(TestSuite.java:208)
    at junit.framework.TestSuite.run(TestSuite.java:203)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:421)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:305)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:186)
    Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(Unknown Source)
    at sun.security.validator.SimpleValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    ... 41 more

  10. #10

    Ok,

    Yes, definitely you need a server SSL certificate somehow, and the client
    needs to know about it. For some more info on SSL in Java applications
    check out the bottom of the page on this link:

    http://forum.java.sun.com/thread.jsp...676&tstart=270

    Greetz
    Leo

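The step the thread circles around, spelled out as an added example (not code from the thread, from Spring or from Tomcat): post #7 imports the certificate with `keytool -import -alias tomcat -file tomcat.cer`, which, lacking `-keystore`, lands in the user's `~/.keystore`, a file the JVM never consults for TLS trust; post #8 says the certificate has to reach the truststore the client JVM actually uses. The script below builds a self-signed server keystore standing in for the one Tomcat serves on 8443, exports only the public certificate, imports it into a dedicated client truststore, checks the entry is there, and shows how to launch the client with `-Djavax.net.ssl.trustStore`. It assumes a JDK `keytool` on `PATH`; file names, the `MAIN_CLASS` placeholder and the classpath are assumptions, while alias `tomcat` and password `changeit` follow the thread.

```shell
#!/bin/sh
# Added example, not from the thread: put the server's certificate where the
# client JVM looks for trust, and verify it. Assumes a JDK keytool on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_KEYSTORE="$WORK/server-keystore.jks"      # what Tomcat's server.xml points at (stand-in)
SERVER_CERT="$WORK/tomcat.cer"                   # exported public certificate only
CLIENT_TRUSTSTORE="$WORK/client-truststore.jks"  # what the client JVM must be told to trust
STOREPASS="changeit"                             # as in the thread; pick a real one in production
ALIAS="tomcat"

# 1. Server side: the key pair Tomcat serves. Self-signed, so no CA in the
#    JRE's default cacerts vouches for it; that is exactly why the client
#    fails with "No trusted certificate found".
make_server_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=localhost, OU=wms, O=example" -validity 365 \
    -keystore "$SERVER_KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# 2. Export the certificate (PEM). The private key never leaves the server.
export_server_cert() {
  keytool -exportcert -rfc -alias "$ALIAS" \
    -keystore "$SERVER_KEYSTORE" -storepass "$STOREPASS" -file "$SERVER_CERT"
}

# 3. Client side: import into a dedicated truststore file. The -keystore flag
#    is the part post #7 omitted; without it keytool writes to ~/.keystore.
import_into_truststore() {
  keytool -importcert -noprompt -alias "$ALIAS" -file "$SERVER_CERT" \
    -keystore "$CLIENT_TRUSTSTORE" -storepass "$STOREPASS"
}

# 4. Check: the alias must be present as a trustedCertEntry. Exit status 0 = ok.
truststore_has_alias() {
  keytool -list -keystore "$CLIENT_TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" 2>/dev/null | grep -q "trustedCertEntry"
}

# Runs steps 1-4 in order; returns non-zero if any of them fails.
setup_truststore() {
  make_server_keystore && export_server_cert && import_into_truststore && truststore_has_alias
}

# 5. Launch the Swing client against that truststore. The -D flags must come
#    before the main class. MAIN_CLASS and CLASSPATH are placeholders.
run_client() {
  java -Djavax.net.ssl.trustStore="$CLIENT_TRUSTSTORE" \
       -Djavax.net.ssl.trustStorePassword="$STOREPASS" \
       -cp "${CLASSPATH:-.}" "${MAIN_CLASS:-com.wms.client.Main}" "$@"
}

case "${1:-}" in
  setup) setup_truststore && echo "truststore ready: $CLIENT_TRUSTSTORE" ;;
  run)   shift; run_client "$@" ;;
esac
```

Usage: `sh truststore.sh setup` once, then `MAIN_CLASS=... sh truststore.sh run`. Importing into a separate truststore rather than into `$JAVA_HOME/jre/lib/security/cacerts` keeps the trust decision tied to the application instead of to whatever JRE happens to be installed, and survives JRE upgrades; the same two `-Djavax.net.ssl.*` properties can be set from code before the first HTTPS connection, which is the "through your code" route post #8 mentions. Replacing the trust manager with one that accepts any certificate would make the handshake succeed but would leave the client open to exactly the eavesdropping post #1 asks about, so it is not a fix.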
