
We have a web application that is comprised of various web services that are exposed to our front end development team. We are a small shop so security has never been a concern for us, but we still want to know how to implement it.

We are using Netbeans 7.0.1, Glassfish 3.1.1 b12, and SOAP. We have configured basic security through the wizards in Netbeans and had that working. We then tried to add Transport Security and we verified that it was added to the WSDL file. It is when we tried to add SSL that we are getting the following errors:

On the Server side:

SEVERE: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.XWSSecurityRuntimeException: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
    at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:125)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:983)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:232)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:586)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:360)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:263)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:173)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:144)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)

On the Client side:

09:36:16,464 WARNING [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor] (http--127.0.0.1-443-1) Request does not contain Security header, but it's a fault.
09:36:16,467 ERROR [org.jboss.ejb3.invocation] (http--127.0.0.1-443-1) JBAS014134: EJB Invocation failed on component ActivityEJB for method public java.util.List com.enginsol.ActivityEJB.getActivities(int): javax.ejb.EJBException: javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]

Each web service is protected basically the same way in the sun-ejb-jar.xml:

    <ejb>
        <ejb-name>ActivityWS</ejb-name>
        <webservice-endpoint>
            <port-component-name>ActivityWS</port-component-name>
            <login-config>
                <auth-method>BASIC</auth-method>
            </login-config>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </webservice-endpoint>
    </ejb>

I'm pretty sure the certificate setup is done correctly because we've cleared the startup errors associated with missing keystores and bad keystore passwords. Also, our recently added RESTful service works fine (pops up a dialog box for username/password and runs through SSL). The client and server were both originally deployed to Glassfish but we created a small consumer of the service and deployed it to JBoss 7.1 to try and rule out a Glassfish bug.

This is the closest answer we could find on SO, and the answer the OP gave was vague, so we still have no resolution: Java Glassfish - How to consume SSL web service?

UPDATE:

I went through and followed the guide posted by Jim (http://www.ryandelaplante.com/2007/06/ssl-and-http-basic-authentication-with.html) and tweaked my setup a bit. I added security roles to the sun-ejb-jar.xml and added the @RolesAllowed annotation to the Web Service (previously, the roles were handled in a sun-application.xml and in another ejb-jar.xml). Our services are EJB endpoints, so I went through the relevant information in the guide, but I still get the same errors.

MikeG

1 Answer


Where did you add the certs to? keystore.jks in the domain1/config dir inside glassfish? Did you point your SSL http listener to the new cert's alias? Did you connect to glassfish on the ssl port (8181 by default)?

Jim
  • Yes, the cert was inserted into the default Glassfish keystore. I removed the original, generated one and created a new one with my fully qualified name. On the client side, I created a new keystore and imported my certificate into that. When the client was just a Java SE app, I imported the cert into the keystore located in $JAVA_HOME/jre/lib/security with the same error message. – MikeG Apr 09 '12 at 15:42
  • To clarify, the new cert is using the same alias as the old cert? I think that's what you're saying. – Jim Apr 09 '12 at 15:48
  • Also, about your cert, did you generate it, or did you get it from something like entrust, verisign, or thawte? – Jim Apr 09 '12 at 15:49
  • Right. The old cert had the alias s1as so I deleted it, changed the Dname but kept alias to eliminate configuration errors from Glassfish. All the certs are generated because this is for development/POC work. – MikeG Apr 09 '12 at 16:01
  • Are you getting a "pkix path building failed" error somewhere? You might try this on the client: http://en.wikibooks.org/wiki/WebObjects/Web_Services/How_to_Trust_Any_SSL_Certificate I use that when writing testing harnesses for in-house stuff, since I'm not testing the SSL, I'm testing the web service. You'll still be getting encrypted traffic, you just aren't verifying the cert, which seems ok in dev/poc situations. – Jim Apr 09 '12 at 16:36
  • Originally we were getting those PKIX errors but they have been resolved. Now we believe that the client has all the tools and directives to send an encrypted message but it doesn't. Inspecting the SOAP message, the security tags are there as well as the timestamps so that's why we are confused. – MikeG Apr 09 '12 at 16:55
  • Looking at things, the main difference I see between my working app and yours is that my SOAP is packaged in a war, which then calls into the ejb jar. So my login-config and transport-guarantee are in web.xml; my login-config has a realm-name element; glassfish-web.xml has a security-role-mapping from the security-constraint/auth-constraint/role-name to the realm-name. I think I used this page as a guide (it's been a while): http://www.ryandelaplante.com/2007/06/ssl-and-http-basic-authentication-with.html – Jim Apr 09 '12 at 17:42
  • Maybe try a simple java client to see if that can help diagnose the problems? See Aviram's answer: http://stackoverflow.com/questions/5158537/jaxws-how-to-change-the-endpoint-address combine that with the SSLUtilities link from earlier in this conversation. – Jim Apr 09 '12 at 19:42
  • The client IS a simple Java client. It is a bare-minimum app just to make sure the web service project has been secured. It consists of the generated JAX-WS files, an EJB to hide the WS calls, and a servlet to present them. I just tried calling the WS from the EJB and directly inside the servlet. I tried your SSLUtilities link and added those method calls to a static block to make sure they're called, and that didn't work. I also took your advice about Aviram's Binding Provider and added Endpoint_Address and still get the same result. – MikeG Apr 09 '12 at 20:20
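The WSS1601 message on the server side says the request reached the endpoint without TLS, which is what happens when a client built from the WSDL still calls the plain HTTP listener. As an added example (not code from the question or the answer), this is the client-side wiring Jim's answer points at: override the endpoint address with the https URL on GlassFish's default SSL port 8181 via BindingProvider, trust the development certificate exported from the server's keystore.jks, and supply the BASIC credentials. The generated class names ActivityWSService and ActivityWS, the endpoint path, the truststore path and the credentials are assumptions.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;

// Added example client; ActivityWSService/ActivityWS stand for the wsimport
// artifacts generated from the question's ActivityWS endpoint (names assumed).
public class SecureActivityClient {

    // GlassFish's default SSL listener is 8181. Calling the 8080 HTTP listener
    // with a Transport binding in the policy produces WSS1601 on the server.
    private static final String HTTPS_ENDPOINT =
            "https://localhost:8181/ActivityWSService/ActivityWS"; // path assumed

    public static void main(String[] args) throws Exception {
        // Trust store holding the self-signed dev cert exported from the
        // server's keystore.jks (placeholder path and password).
        System.setProperty("javax.net.ssl.trustStore", "/path/to/client-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        ActivityWSService service = new ActivityWSService();
        ActivityWS port = service.getActivityWSPort();

        BindingProvider bp = (BindingProvider) port;
        Map<String, Object> ctx = bp.getRequestContext();

        // The WSDL's soap:address may still point at http://...:8080; replace it.
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, requireHttps(HTTPS_ENDPOINT));
        // Credentials for the BASIC auth-method declared in sun-ejb-jar.xml (placeholders).
        ctx.put(BindingProvider.USERNAME_PROPERTY, "wsuser");
        ctx.put(BindingProvider.PASSWORD_PROPERTY, "wspassword");

        System.out.println(port.getActivities(1));
    }

    // Fail on the client instead of letting the server reject the call with WSS1601.
    static String requireHttps(String endpoint) {
        if (!endpoint.toLowerCase().startsWith("https://")) {
            throw new IllegalStateException(
                    "Transport binding requires an https endpoint, got: " + endpoint);
        }
        return endpoint;
    }
}
```

Once the call goes over 8181, the server log should no longer show WSS1601; if it still does, the WSDL fetched by the client (and the soap:address inside it) is the next thing to inspect.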