In this document I explore the effects of selected web services security policies on SOAP message exchange in the GlassFish ESB v2.x.
This is a work-in-progress document, now at rev 0.4.1.
To provide early access I intend to release revisions of this document as significant new sections become available.
Rev 0.1: Content
• Assumptions and Notes
• Person Service XML Schema and WSDL Interface
• Common XML Project
• PersonSvc BPEL Module
• PersonCli BPEL Module
• JBI-based Person Service – Plain End-to-End
• JBI-based Person Service – SSL with Server-side Authentication
Rev 0.2: Additional Content
• JBI-based Person Service – SSL with Mutual Authentication (broken)
• EJB-based Person Service – No security
• EJB-based Person Service – SSL with Server-side Authentication
Rev 0.3: Additional Content
• EJB-based Person Service – SSL with Mutual Authentication
• JBI-based Person Service – Exploring WS-Addressing
Rev 0.4: Additional and Changed Content
• Modified sections 5.8 and 5.9 (SSL Server side and mutual authentication)
• Using WS-Addressing for Explicit Dynamic Routing
• Pre-requisite Cryptographic Objects [TBC]
• Upgrading Metro to version 1.5 [TBC]
• Username Token Profile 1.0 (2004) Policy [TBC]
More in CH05_WSSecurityExploration_r0.4.1.pdf at https://blogs.czapski.id.au/wp-content/uploads/2010/03/CH05_WSSecurityExploration_r0.4.1.pdf
The archive, CH05_WSSecurityExploration_r0.4.1.zip, containing all projects developed so far is to be found at https://blogs.czapski.id.au/wp-content/uploads/2010/03/CH05_WSSecurityExploration_r0.4.1.zip.
Hi Michael,
I am trying this mutual ssl authentication on two pc.
Refer to r0.4.1.pdf, I successfully implemented the steps until I reached to page chapter 5, 62 . I have copied the Person.xsd, PersonAbsSvc.wsdl and casaPort1.wsdl to “Process Files”, and changed the location value in new casaPort1.wsdl, also have imported the server certificate to client cacerts.jks, when I deployed the client application PersonCli_CA_SSLServerAuth, I got below errors:
run-jbi-deploy:
[undeploy-service-assembly]
Undeploying a service assembly…
host=localhost
port=4848
name=PersonCli_CA_SSLServerAuth
[deploy-service-assembly]
Deploying a service assembly…
host=localhost
port=4848
file=C:\Documents and Settings\xiaohua.xiong\My Documents\NetBeansProjects\PersonCli_CA_SSLServerAuth/dist/PersonCli_CA_SSLServerAuth.zip
ERROR: Successful execution of Deploy: C:\Documents and Settings\xiaohua.xiong\My Documents\NetBeansProjects\PersonCli_CA_SSLServerAuth/dist/PersonCli_CA_SSLServerAuth.zip
WARNING: (JBIMA0404) Deployment of service assembly PersonCli_CA_SSLServerAuth succeeded partially; some service units failed to deploy.
* Component: sun-http-binding
ERROR: (SOAPBC_DEPLOY_2) HTTPBC-E00201: Deployment failed. javax.wsdl.WSDLException: WSDLException (at /definitions/import): faultCode=OTHER_ERROR: Unable to resolve imported document at ”https://10.1.3.21:9181/PersonSvc_CA_SSLServerAuth-sun-http-binding/PersonAbsSvc.wsdl”, relative to ”file:/E:/JavaCAPS62/appserver/domains/domain1/jbi/service-assemblies/PersonCli_CA_SSLServerAuth.2/PersonCli_CA_SSLServerAuth-sun-http-binding/sun-http-binding/FS-EAS-D1QSYQ1S_9181/casaService1/casaPort1.wsdl”: java.io.IOException: HTTPS hostname wrong: should be
Cleaning up…
[undeploy-service-assembly]
Undeploying a service assembly…
host=localhost
port=4848
name=PersonCli_CA_SSLServerAuth
C:\Documents and Settings\xiaohua.xiong\My Documents\NetBeansProjects\PersonCli_CA_SSLServerAuth\nbproject\build-impl.xml:201: Deployment failure.
It complains HTTPS hostname wrong. Did I miss any steps or any other files need to be modified?
Thanks a lot.
Bob
Hello, Bob.
The host name in teh certificate does not agree with teh host name of teh real host. This is a fairly common occurence, see http://www.google.com/search?q=%22java.io.IOException%3A+HTTPS+hostname+wrong%3A++should+be+%22&rls=com.microsoft:*&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1. You need to have a certificate issued for the host in question or work around the issue perhaps with a host validator class. Best to have certificates issued for the appropriate hosts.
Regards
Michael
Hi Michael,
Thanks a lot for your reply. I re-issued the certificates for client and server, still go the same problem.
I found that when i created new “external wsdl document”, after i specifed the url like: https://FS-EAS-D1QSYQ1S:9181/casaService1/casaPort1?WSDL, I got 2 folders under “Process Files”: one folder name is 10.1.3.21_9181, another folder name is FS-EAS-D1QSYQ1S_9181, and FS-EAS-D1QSYQ1S is the server name for 10.1.3.21. According to the tutorial, there should be only one folder with sever name generated.
why are two folders generated on my machine, is it the reason?
Thanks.
Bob
Hi Michael,
I figured it out. As mentioned above, when I import the external wsdl file, two folders are generated, one is with IP address in folder name, another one with server name in folder name.
So i replace all occurance of https://10.1.3.21:9181/PersonSvc_CA_SSLServerAuth-sun-http-binding with https://FS-EAS-D1QSYQ1S:9181/PersonSvc_CA_SSLServerAuth-sun-http-binding,
then it works. I think it is because the certificate is tied to server name instead of ip address, and thus deployment failed because of it can’t verify the url containing ip address.
Thanks for your help.
Bob
Hello, Bob.
I am glad you resolved the issue.
I noticed some anomalies in the way the web services infrastructure in the GalssFish ESB kit treated IP addresses/host names. I put up a fight with the development team but lost 🙁
Regards
Michael
That’s great! Thanks
Hi Michael,
I am using software to capture the traffic generated by the Web Services, the configuration is as follows:
http://localhost:9080/PersonSvc_CA_Plain/PersonSvc_CA_Plain/casaPort1
And within Glassfish, configure:
Proxy Type: HTML
Proxy Host: localhost
Proxy Port: 12345
When I begin to capture the files, just capture the following:
GET http://143.106.24.166:9080/PersonSvc_CA_Plain-sun-http-binding/META-INF/PersonSvc/src/_references/_projects/CommonXML/src/Person.xsd HTTP/1.1
User-Agent: Java/1.6.0_10
Host: 143.106.24.166:9080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Somehow, the rest of the SOAP message does not go through the proxy, how I can configure for the rest of
Proxy passes the message or any suggestions?
Thanks,
Hello, Marcelo.
I don;t know what software you are using to invoke the service so I can’t say why it is not behaving the way you are expecting it to behave. I use tcpmon to capture SOAP exchanges when I need to and it works well for me when using non-SSL HTTP exchanges.
All the best
Michael
Hello Michael,
First of all, I just want to comment that this article is more valuable than anything I have found online to learn the basics of creating, configuring and deploying BPEL and EJB projects. However, I am running into an issue with section “5.10 EJB-based Person Svc with No Channel Security” that I hope you have some time to help me with.
1. When creating the EJB project, what Java EE version (Java EE 5 or J2EE 1.4) did you select and why? I selected Java EE 5 because I believe it uses the Metro stack instead of JAX-RPC.
2. Another issue I had was after creating the “New WebService From WSDL”, the auto-generated source code is missing some statements when compare to your code. They are:
import org.netbeans.j2ee.wsdl.commonxml.src.personabssvc.GetPersonDetailsFault;
import org.netbeans.j2ee.wsdl.commonxml.src.personabssvc.PersonAbsSvcPortType;
“implements PersonAbsSvcPortType” statement.
Can you help me resolve this issue?
3. Last but most importantly, I am very interested in learning how to digitally sign the soap message with a certificate (in the header section), could you please refer me to an article you may have already written on this topic?
Thank you so much for your help and by the way, I learned JCAPS after purchasing your excellent book “Java CAPS Basic”.
Dustin
Thanks for the good word, Dustin.
Alas, this is a pretty old article, as IT developments go, and I moved on a fair way away from this topic area in the intervening years. So did OpenESB, I gather – I don’t know for sure since I have been out of touch with it for over 2 years. So, unfortunately, I can’t help you.
Good luck
Michael
Hello, Dustin.
Thanks for the good word 🙂
ALas, I moved a pretty far away from this topic area in the last 3 years so I can’t really help. OpenESB has moved along pretty far as well, I gather – I don;t know for sure since I have not been keeping up with it for years.
Good luck
Michael
Thank you for the response Michael. Would you happen to have any documentation that can help me understand how to sign a soap message with a X.509 certificate (in the header section)?
Dustin
Sorry, Dustin. Alaso I have nothing handy. There ought to be material on this topic available on the Net.