0

I created a JAXWS webservice from WSDL using the wsdlc Ant task and deployed it in WebLogic 10.3.0. And we have Sun One Java Server 7.0, where a Verisign server certificate is installed, and which is configured to forward the webservice requests to WebLogic.

I created a JAXWS client using the wsimport Ant task to invoke the webservice. When running the client using the https URL I can see the XML request in WebLogic and the webservice is processed successfully. But I couldn't find any evidence of an x509 certificate in the XML request/response. Do I need to do anything on the client side apart from generating the stubs using wsimport? FYI, when viewing the WSDL through the browser I can see the certificate details through the browser.

Doss

2 Answers

5

When you connect to a web service via HTTPS, your client and server do an x509 certificate exchange. This is something performed on the connection level; wsimport has nothing to do with that. If you want to use x509 certificates on that level, you need to dig into Java HTTPS client certificate authentication / Java client for the X.509 secured web-service, and on the server side Securing WebLogic Server: Configuring SSL.

Alternatively you can step one level down: use the HTTP protocol to connect to the server and perform encryption / signing / authentication on the SOAP level. Then refer to User authenticate in SOAP or Using JAX-WS-Based Web Services with SSL for Metro/JAX-WS services, WS-Security for Apache CXF, Spring Security With X.509 Certificate for Spring Security – depending on what framework you choose.

dma_k
  • Yes, we need authentication at transport level. How do we verify that authentication is really happening when the webservice is invoked? I believe on SOAP level we can see the certificate details in the XML request, correct? – Doss Jan 04 '12 at 17:05
  • Try running the client with no certificate store initialized. It should fail. Debugging on server side is also helpful. – dma_k Jan 04 '12 at 17:19
  • Actually I didn't initialize any store and it didn't fail. So I was thinking the certificate is not enabled at server side, but when I was viewing the WSDL through the browser using https I can view certificate details through the browser window. – Doss Jan 04 '12 at 17:32
  • Enabling the certificate on the server is only half of the story. What you need is to force 2-way SSL (not only server provides certificate to the client, but also client provides the certificate to server). Read [this guide](http://www.weblogic-tips.com/2010/05/20/two-way-ssl-on-weblogic-server/) and [this post](http://stackoverflow.com/questions/2196740). – dma_k Jan 04 '12 at 18:06
  • But my requirement is to force only server authentication (server provides certificate) – Doss Jan 04 '12 at 20:58
  • If you want the client to fail if the server provides a wrong (unknown) certificate, you need to create a client trust store that should contain the CA certificate which was used to sign your server certificate and pass it as `javax.net.ssl.trustStore`. Provide your client code in your question if something goes wrong. – dma_k Jan 05 '12 at 16:42
0

I am able to verify the SSL handshake using `-Djavax.net.debug=all`. I didn't modify my client to include a truststore, and it is not needed if the certificate is signed by a trusted CA.

Doss
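The following is an added example, not code from either answer. It shows where the server certificate is actually visible (the TLS connection, not the SOAP XML) and which trust anchors the JVM uses when the client sets no `javax.net.ssl.trustStore`. The class and method names are hypothetical, and the endpoint is whatever https URL you pass as the first argument.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsServerAuthCheck {

    // Trust anchors the JVM uses when the client configures no trust store:
    // javax.net.ssl.trustStore if set, otherwise the JRE's bundled cacerts.
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // Opens the HTTPS connection and reports the chain the server presented.
    // connect() throws SSLHandshakeException if the chain does not lead to a
    // trust anchor, so reaching the print statements means validation passed.
    static void printServerChain(String endpoint) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.connect(); // TLS handshake and certificate validation happen here
        System.out.println("Cipher suite: " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  subject: " + x.getSubjectX500Principal());
            System.out.println("  issuer : " + x.getIssuerX500Principal());
        }
        conn.disconnect();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Default trust anchors: " + defaultTrustAnchors().length);
        if (args.length == 1) {
            printServerChain(args[0]); // e.g. the service's https:// WSDL URL
        }
    }
}
```

Run without arguments it only counts the default trust anchors; run with `-Djavax.net.ssl.trustStore` pointing at a store that lacks the server's CA, the same call to `connect()` fails during the handshake.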