
Thread: Can't get SSL with X509 working with 1.5.7

  1. #1

    Can't get SSL with X509 working with 1.5.7

    I have been trying for several days to get SSL working with certs in a keystore, without success. Any help or suggestions will be greatly appreciated.

    First, I created a web service and got it working straight-up, without ssl using AbstractMarshallingPayloadEndpoint with an XMLBeans based implementation.

    Then I attempted to add SSL Security:

    Note: I am using the same keystore and certs for both server side and client side for now, just to keep it simple.

    The server side config:
    Code:
      <bean id="folderEndpoint" class="com.hrworx.formworx.ws.endpoint.folder.FolderEndpoint">
        <property name="entitiesService">
          <ref bean="serviceEntities" />
        </property>
        <property name="folderService">
          <ref bean="serviceFolder" />
        </property>
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
      </bean>
    
      <bean
        class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
        <property name="mappings">
          <props>
            <prop key="{http://hrworx.com}CreateAccountRequest">folderEndpoint</prop>
          </props>
        </property>
        <property name="interceptors">
          <list>
            <ref local="wsSecurityInterceptor" />
            <bean
              class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
          </list>
        </property>
      </bean>
    
      <bean id="folderWebService"
        class="org.springframework.ws.wsdl.wsdl11.DynamicWsdl11Definition">
        <property name="builder">
          <bean
            class="org.springframework.ws.wsdl.wsdl11.builder.XsdBasedSoap11Wsdl4jDefinitionBuilder">
            <property name="schema"
              value="classpath:com/hrworx/formworx/model/xsd/AccountService.xsd" />
            <property name="portTypeName" value="Folder" />
            <property name="locationUri" value="/folderService/" />
            <property name="targetNamespace" value="http://hrworx.com/definitions" />
          </bean>
        </property>
      </bean>
    
    
      <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
    
      <!-- Security -->
    
      <!-- Server Side  -->
      <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml" />
        <property name="callbackHandlers">
          <list>
            <ref bean="keyStoreHandler" />
          </list>
        </property>
      </bean>
      
      <bean id="keyStoreHandler"
        class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
        <property name="trustStore" ref="trustStore" />
        <property name="keyStore" ref="keyStore" />
        <property name="privateKeyPassword" value="xxx" />
      </bean>
    
      <bean id="trustStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    
    
      <bean id="keyStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    Server side policy file:

    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
      <xwss:RequireSignature requireTimestamp="false" />
    </xwss:SecurityConfiguration>
    On the client side I have:

    Code:
      <bean id="wsclientFolder"
        class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
        <property name="defaultUri"
          value="http://localhost:8080/formworx-ws/folderService" />
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
      </bean>
    
      <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml" />
        <property name="callbackHandlers">
          <list>
            <ref bean="keyStoreHandler" />
          </list>
        </property>
      </bean>
    
      <bean id="keyStoreHandler"
        class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
        <property name="trustStore" ref="trustStore" />
        <property name="keyStore" ref="keyStore" />
        <property name="privateKeyPassword" value="xxx" />
      </bean>
    
      <bean id="trustStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    
    
      <bean id="keyStore"
        class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:hrworx.jks" />
        <property name="password" value="xxx" />
      </bean>
    
      <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
    With a security policy of:
    Code:
    <xwss:SecurityConfiguration dumpMessages="true"
      xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
      <xwss:Sign id="signature" includeTimestamp="false">
        <xwss:X509Token certificateAlias="hrworxserver" />
      </xwss:Sign>
      
    </xwss:SecurityConfiguration>
    With this configuration I get:
    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ SignaturePolicy(P) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ SignaturePolicy(P) ]:  No Security Header found
    I actually trace this in the Spring code as far as XwsSecurityInterceptor.validateMessage which fails on the line:
    SOAPMessage result = processor.verifyInboundMessage(context);

    When I set a breakpoint at this point and look at the value of the header of soapMessage it is:
    [SOAP-ENV:Header: null]

    so, OK, let's try to jam a header in there sideways somehow:

    I extended AbstractValidatingInterceptor (called SoapMessageClientInterceptor) and created the following method implementation:

    Code:
     public boolean handleRequest(MessageContext messageContext)
            throws WebServiceClientException
        {
            SoapMessage soapMessage = (SoapMessage)messageContext.getRequest();
            SoapHeader soapHeader = soapMessage.getSoapHeader();
            // Adds an empty wsse:Security header to the outgoing request; nothing here signs the body
            QName securityHeader = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security", "wsse");
            SoapHeaderElement headerElement = soapHeader.addHeaderElement(securityHeader);
            headerElement.setMustUnderstand(false);
            return true;
        }
    I have no idea if that qname is right, but I got it from here:
    https://xwss.dev.java.net/Securing_J...bServices.html

    after adding it to my extended version of WebServiceGatewaySupport:


    Code:
     private void initializeWebServiceCommunications()
        {
            // Accept the local host name on HTTPS connections, then register the interceptor
            HostnameVerifier hv = new LocalHostNameVerifier();
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
    
            registerInterceptor();
        }
    
        /**
         * Installs SoapMessageClientInterceptor as the only client interceptor on the template.
         */
        private void registerInterceptor()
        {
            ClientInterceptor[] interceptors = new ClientInterceptor[1];
            ClientInterceptor interceptor = new SoapMessageClientInterceptor();
            interceptors[0] = interceptor;
            getWebServiceTemplate().setInterceptors(interceptors);
        }
    I now get a new exception:

    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy  ] specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy  ] specified than present in the message
    I don't know where to go with this next. I have read on various posts about a lot of incompatibilities between various jar versions, but have not seen a definitive post about what should or should not be used. I wanted to add the dependencies from my pom and my keystore configuration, but that made the post exceed the maximum 10000 characters.

  2. #2


    Quote:
    I have been trying for several days to get SSL working with certs in a keystore, without success. Any help or suggestions will be greatly appreciated.
    I have actually been fighting with the same thing this week. Oddly, I am getting a different error than you are. While my attempt looks quite similar to yours, I am actually receiving this error:

    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed;
    When I enable logging on the server, I see the following error:

    Code:
    May 29, 2009 4:33:35 PM com.sun.xml.wss.impl.dsig.SignatureProcessor verify
    SEVERE: WSS1315: Signature Verification Failed
    May 29, 2009 4:33:35 PM com.sun.xml.wss.impl.dsig.SignatureProcessor verify
    SEVERE: WSS1338: Error occured in verifying the signature
    See this thread:
    http://forum.springsource.org/showthread.php?t=69558

    I can upload some sample code if that helps; but I'm not sure how code which results in a slightly different manner is helpful.

    Good luck,
    -Dave

  3. #3

    Sample code / bad certs?

    Dave,

    I had already reviewed the post you suggest, but it did not get me going.

    It looks like you might be getting farther than me. I would like to see the sample code.

    It looks like your problem might be with the structure of your keystore or how you are doing your certs.

    I did my keystore according to the procedure here:
    http://www.informit.com/articles/art...07886&seqNum=1

    Ignore the bit about weblogic at the beginning of the article, everything in there is just plain java.

    Regards,
    Bob

  4. #4


    Quote:
    It looks like you might be getting farther than me. I would like to see the sample code.
    I am not sure that is the case. I have attached a sample application. There is a client and a web service. I have been running it on Tomcat 6.0.14.

    Originally, I was using the Metro stack which I downloaded from here ( https://metro.dev.java.net/1.2/ ). However, I found that I could not import this library and pull in most necessities via Maven. The only exception was xmlsec, which I needed to track down as I was getting a ClassNotFound for com.sun.org.apache.xml.internal.security.Init. I downloaded that JAR file from here ( https://springframework.svn.sourcefo...ty/xmlsec/2.0/ ).

    The keystore I am using is included in the zip file. The password for the keystore is 'password'. The password for the only key ('dortman') is 'password'. I created the keystore using keytool from 1.6.13 JDK. I invoked the following command:

    Code:
    keytool -genkey -keyalg rsa -alias dortman -keypass password -keystore dortman.jks -storepass password
    I actually have this same application working using Spring WSS. However, it seemed reasonable to have it work using XWS as well. It also seems reasonable that the two should work together without *too* much difficulty.

    If after revisiting the issue with XWS I make any progress, I'll be sure to update this thread. If you have any problems running the code I have attached, please let me know.

    Have fun,
    -Dave
    Attached Files

  5. #5

    Trying it under WSS4J

    Dave,

    I would be interested in seeing your wss4j example as well. I have tried to switch over and get essentially the same result. Maybe the problem is in my keystore, since it does look a good bit different from yours.

    Thanks for posting!

    Bob

    Here is my wss4j security configuration:

    Server Side:
    Code:
    <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="validationActions" value="Signature" />
        <property name="validationSignatureCrypto" ref="keyStore" />
        <property name="securementActions" value="NoSecurity" />
      </bean>
    
      <bean id="keyStore"
        class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="xxx" />
        <property name="keyStoreLocation" value="classpath:hrworx.jks" />
      </bean>
    Client side:
    Code:
    <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="securementActions" value="Signature" />
        <property name="securementUsername" value="hrworxserver" />
        <property name="securementPassword" value="formworx" />
        <property name="securementSignatureCrypto" ref="keyStore" />
        <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
        <property name="validationActions" value="NoSecurity" />
      </bean>
    
      <bean id="keyStore"
        class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="formworx" />
        <property name="keyStoreLocation" value="classpath:/hrworx.jks" />
      </bean>
    and the exception (essentially the same thing I was getting with XWS):
    Code:
    org.springframework.ws.soap.client.SoapFaultClientException: No WS-Security header found
    Your keystore looks like this:
    Code:
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: dortman
    Creation date: Jun 1, 2009
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Dave Ortman, OU=Unknown, O=Vantage Consulting Group, L=Sacramento, ST=CA, C=US
    Issuer: CN=Dave Ortman, OU=Unknown, O=Vantage Consulting Group, L=Sacramento, ST=CA, C=US
    Serial number: 4a24667d
    Valid from: Mon Jun 01 17:38:37 CST 2009 until: Sun Aug 30 17:38:37 CST 2009
    Certificate fingerprints:
    	 MD5:  12:04:89:6F:C6:7F:09:EF:F9:97:D8:EE:A0:FF:90:61
    	 SHA1: 0C:72:9A:2D:5D:63:FA:82:1E:AB:5B:2E:A1:B3:55:67:DA:D0:61:32
    Mine looks like this:
    Code:
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 3 entries
    
    Alias name: hrworxserver
    Creation date: May 29, 2009
    Entry type: keyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=formworx.hrworx.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Corporate, O=hrworx, L=Sterling, ST=Virginia, C=US
    Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 2ed3a08e0f1a51e2f61bc8b3259e9457
    Valid from: Thu May 28 18:00:00 CST 2009 until: Fri Jun 12 17:59:59 CST 2009
    Certificate fingerprints:
    	 MD5:  41:45:3B:EB:62:3B:5A:5F:D4:3C:59:50:15:D9:42:0A
    	 SHA1: 60:1C:A9:D7:85:60:54:A8:9C:55:BB:F9:57:1F:95:FC:0A:25:0C:47
    Certificate[2]:
    Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
    Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sun Mar 31 17:59:59 CST 2019
    Certificate fingerprints:
    	 MD5:  71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
    	 SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
    Certificate[3]:
    Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 168164a428ca12dfab12f19fb1b93554
    Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sat Mar 31 17:59:59 CST 2029
    Certificate fingerprints:
    	 MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
    	 SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
    
    
    *******************************************
    *******************************************
    
    
    Alias name: verisigndemointermediatecert
    Creation date: May 29, 2009
    Entry type: trustedCertEntry
    
    Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
    Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sun Mar 31 17:59:59 CST 2019
    Certificate fingerprints:
    	 MD5:  71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
    	 SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
    
    
    *******************************************
    *******************************************
    
    
    Alias name: verisigndemocert
    Creation date: May 29, 2009
    Entry type: trustedCertEntry
    
    Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 168164a428ca12dfab12f19fb1b93554
    Valid from: Tue Mar 31 18:00:00 CST 2009 until: Sat Mar 31 17:59:59 CST 2029
    Certificate fingerprints:
    	 MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
    	 SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36

  6. #6


    Here is the same application using the WSS interceptor. It appears to work as expected.
    Attached Files

  7. #7

    Solved

    OK, many thanks to Dave Dortman for providing his examples. I now have my project working with both WSS4J and XWSS. The problem with both was an omitted property on the client bean which extends WebServiceGatewaySupport:

    Originally I had:
    Code:
    <bean id="wsclientFolder"
        class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
        <property name="defaultUri"
          value="http://localhost:8080/formworx-ws/folderService" />
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
      </bean>
    but it should have been:
    Code:
    <bean id="wsclientFolder"
        class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
        <property name="defaultUri"
          value="http://localhost:8080/formworx-ws/folderService" />
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
        <property name="interceptors">
          <list>
            <ref bean="wsSecurityInterceptor-wss4j" />
          </list>
        </property>
      </bean>
    I left off the security interceptor that was supposed to sign the message. Doh! Where is the Homer Simpson Smiley?

    Anyway now I am off to really build out this web service. To anyone else following this path, I recommend the truly excellent tutorial at:
    http://gleichmann.wordpress.com/2009...uthentication/

    Cheers,
    Bob
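    A client-side guard for exactly this misconfiguration, added here as an example; it is not code from the thread or from either poster's project. It assumes the Spring-WS 1.5.x ClientInterceptor interface (handleRequest/handleResponse/handleFault), the class name is hypothetical, and it must be listed in the client bean's "interceptors" list after the security interceptor so that it inspects the already-signed request.

```java
import java.util.Iterator;
import javax.xml.namespace.QName;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import org.springframework.ws.client.WebServiceClientException;
import org.springframework.ws.client.support.interceptor.ClientInterceptor;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.soap.SoapHeader;
import org.springframework.ws.soap.SoapHeaderElement;
import org.springframework.ws.soap.SoapMessage;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

/**
 * Fails fast on the client when the outbound request was never signed, instead of
 * waiting for the server's "No Security Header found" fault. A missing wsse:Security
 * header means the signing interceptor never ran (the thread's first error); a header
 * without ds:Signature means one was added by hand but nothing signed (the second).
 * Hypothetical class; register it AFTER the security interceptor on the client bean.
 */
public class SignedRequestGuard implements ClientInterceptor {

    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final QName SECURITY = new QName(WSSE_NS, "Security");

    public boolean handleRequest(MessageContext ctx) throws WebServiceClientException {
        SoapMessage request = (SoapMessage) ctx.getRequest();
        SoapHeaderElement security = findSecurityHeader(request);
        if (security == null) {
            throw new IllegalStateException("Outbound request carries no wsse:Security header; is the security interceptor listed on the client bean?");
        }
        if (!containsSignature(security)) {
            throw new IllegalStateException("wsse:Security header has no ds:Signature");
        }
        return true;
    }

    /** Returns the wsse:Security header element, or null if the request has none. */
    static SoapHeaderElement findSecurityHeader(SoapMessage message) {
        SoapHeader header = message.getSoapHeader();
        if (header == null) return null;
        Iterator<?> elements = header.examineAllHeaderElements();
        while (elements.hasNext()) {
            SoapHeaderElement element = (SoapHeaderElement) elements.next();
            if (SECURITY.equals(element.getName())) {   // QName.equals ignores the prefix
                return element;
            }
        }
        return null;
    }

    /** Copies the header into a DOM tree and looks for a ds:Signature descendant. */
    static boolean containsSignature(SoapHeaderElement security) {
        try {
            DOMResult dom = new DOMResult();
            TransformerFactory.newInstance().newTransformer().transform(security.getSource(), dom);
            Node node = dom.getNode();
            Document doc = node instanceof Document ? (Document) node : node.getOwnerDocument();
            return doc.getElementsByTagNameNS(DSIG_NS, "Signature").getLength() > 0;
        } catch (TransformerException e) {
            throw new IllegalStateException("Could not inspect the wsse:Security header", e);
        }
    }

    public boolean handleResponse(MessageContext ctx) { return true; }
    public boolean handleFault(MessageContext ctx) { return true; }
}
```

Placed before the security interceptor it will always throw, because interceptors run in list order for the request and the message is not yet signed at that point.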

  8. #8

    Help

    Hey,

    this is a shot in the dark, but maybe you can/want to help me.
    I'm trying for some time now to secure a WS call. I tried so far
    xws only, with no success. I just found your post so, I tried to
    do the same thing that you suggested and created a key using
    the same command. Anyway by using the same configuration and
    the same method for generating the key, I couldn't make it work.
    I used the same key for client and server. The thrown message
    is:

    Code:
    com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
    I hope you can give me a hand with this, it's killing me.

    Best regards,

    OP

  9. #9

    Cert not found

    Clearly your certificate is not being found. That probably means there is something incorrect in your configuration, but there is not enough information in the post. If you post your client and server side spring configurations for the xws, perhaps someone will be able to see the problem.

    You must configure a client that has security interceptor that has a keystore handler that points to the keystore.

    As an aside, due to many other problems with xws, both I and the other poster here Dave gave up on xws and went to wss4j. It was the only way I could get all of the features such as encryption, timestamp, signing, etc. to work.

    This SSL stuff is a real pain, you just have to be persistent.

  10. #10

    Config

    Thank you for the quick response and for the fact that you responded. I already posted all the information related to my configuration. You can see it on this post:

    http://forum.springsource.org/showth...702#post251702

    Thank you for your time.

    OP
