Cannot connect to secured JAXRS endpoint (via CXF via Spring) - spring

I try to implement one JAXRS endpoint with https protocol. I followed the instructions of http://cxf.apache.org/docs/secure-jax-rs-services.html#SecureJAX-RSServices-Configuringendpoints here.
I have declared a jaxrs:server endpoint in my XML file which depends on the httpj:engine-factory.
A log file tells me that my service is started and that it is running, but if I try to connect to it, the Firefox web browser tells me "Error: Data Transfer Interrupted" (German: "Fehler: Datenübertragung unterbrochen"). The web service (or JAXRS or CXF) doesn't throw an error message. Opera just says that it cannot connect to the server. Wireshark tells me that the client tries to reconnect to the server a few times and then the client (web browser) seems to give up.
My configuration looks like this:
<httpj:engine-factory id="httpsSettings" bus="cxf">
<httpj:engine port="8545">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="...">
<sec:keyStore type="PKCS12" password="..." file="..."/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="..." file="..."/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<sec:clientAuthentication want="true" required="false"/>
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
<jaxrs:server id="cdmiSSLService" address="https://localhost:8545/"
depends-on="httpsSettings" beanNames="...">
<jaxrs:inInterceptors>
<ref bean="..."/>
</jaxrs:inInterceptors>
<jaxrs:providers>
<ref bean="..."/>
...
</jaxrs:providers>
<jaxrs:serviceBeans>
<ref bean="..."/>
...
</jaxrs:serviceBeans>
</jaxrs:server>
I should add that I had only one JAXRS endpoint configured at this time, and if I change the JAXRS endpoint configuration to http protocol, everything works fine and I can connect to the web service without any problems.
Can someone please help me what I can do here? I know that isn't much information, but it doesn't give me more information at the moment. Please bear with me, it's the first time that I implement it in that way. I'm a beginner here. It's a Maven multi-module project which uses the Spring Framework. The configuration needs to be via jaxrs:server.
Many thanks in advance!

Problem is solved. Please don't answer anymore. It helped me to test the with the jks files http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/ and the configuration of http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml.

Related

Spring web service outbound gateway

Here is a requirement where i want to mention explicitly that to communicate with other outside system use TLSV1.2 and not the default TLSV1.0
How i could override or implement this requirement
<int-ws:outbound-gateway id="someID"
request-channel="clientRequest" reply-channel="clientReply"
uri="some.com" reply-timeout="1000" marshaller="clientMarshaller"
unmarshaller="clientMarshaller" message-sender="messageSender" >
</int-ws:outbound-gateway>
Looks like you are on the Java 7 and seems for me this should help you:
-Dhttps.protocols=TLSv1.2
More info, please here.

Spring Integration call Web service

I'm still new to Spring Integration and I've few question.
I have a service with WSDL deploy in tomcat server.
and I would like to send parameter from my spring integration flow to that service and receive
response back to do next things in the flow.
I should use outbound WS gateway to do this right?
and how to config the xml to do this?
i've try temperature example but still don't understand it.
thank you.
///////////////////////////////////////////////////////////////
Here is my config:
<int:gateway service-interface="com.app.service.IRequester" id="IRequester"
default-request-channel="requestChannel"
default-reply-channel="responseChannel"
error-channel="errorChannel" >
</int:gateway>
<int:service-activator input-channel="requestChannel" id="bu1"
ref="BU1" method="bu1Method"
output-channel="buChannel">
</int:service-activator>
<int:service-activator input-channel="errorChannel"
ref="handlerError" method="errorReturnToGateway"
output-channel="responseChannel" >
</int:service-activator>
<int:router id="routingChannel" input-channel="buChannel" ref="RoutingChannel" method="routingChannel">
<int:mapping value="firstChannel" channel="channelFirst" />
<int:mapping value="otherChannel" channel="channelOther" />
</int:router>
<int:service-activator id="firstBU" input-channel="channelFirst"
ref="FirstBU" method="doSomething" output-channel="responseChannel">
</int:service-activator>
<int:service-activator id="otherBU" input-channel="channelOther"
ref="OtherBU" method="doSomething" output-channel="responseChannel">
</int:service-activator>
I need to change output channel from both firstBU and otherBU activator to call web service which is send a paremeter to that service(paremeter type is Hashmap) and receive same type response.
I don't know how to call web service by using ws:outbound-gateway.Since I have only known to call web service using java way by generate client java class and may be i'll call service in method doSomething.
In my case,Do you think which way is better?
And I still want to know how to solve this by use ws:outbound-gateway too.
thank you.
As far as it is SOAP, so you get deal with XML. And your WSDL provides you the contract - an XSD which XML should be sent to the service and which will be returned as a response.
So, your task to configure <int-ws:outbound-gateway> and provide correct XML as a message payload to the request-channel of that component.
The same is about a response: you get an XML as payload.
However, it is for simple WS Outbound Gateway. You can configure it with marshaller and send to the request-channel some domain POJO and that marshaller takes care about converting that POJO to the XML representation for the SOAP request.
Show, your config, please, and maybe we can help more with your concreate issues.

Trouble with session attributes getting replicated in Tomcat 6

I have configured Tomcat 6 with in-memory session replication. I am also using IIS 7 (I know, I know) and the AJP connector via isapi_redirector. The cluster is working properly and I am able to replicate session attributes using the SessionExample in the examples war. The problem is that I am unable to do the same in my custom application. I have added the distributable tag to the web.xml file on both servers in my test cluster. However, I don't see any message in the logs mentioning the attributes getting sent to the cluster (I see them for SessionExample). The only primary differences that I can see in my app from the examples:
The examples war uses servlet 2.5. I am still required to use 2.4.
My application uses SSO and requires the user to login.
The application is a portal application.
Also, in the code of the application, I am setting a simple string in the attribute, so nothing fancy.
So, I was wondering if anyone has some tips to get this working?
Thanks
Here is the cluster section within of my server.xml:
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
channelSendOptions="6">
<Manager className="org.apache.catalina.ha.session.DeltaManager"
expireSessionsOnShutdown="false"
notifyListenersOnReplication="true"/>
<Channel className="org.apache.catalina.tribes.group.GroupChannel">
<Membership className="org.apache.catalina.tribes.membership.McastService"
address="228.0.0.104"
port="45564"
frequency="500"
dropTime="10000"/>
<Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
address="auto"
port="4000"
autoBind="100"
selectorTimeout="7000"
maxThreads="6"
timeout="15000"/>
<Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
<Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"
timeout="70000"/>
</Sender>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
</Channel>
<Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
<Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
<Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
tempDir="/apache-tomcat-6.0.37/war-deploy/war-temp/"
deployDir="/apache-tomcat-6.0.37/webapps/"
watchDir="/apache-tomcat-6.0.37/war-deploy/war-listen/"
watchEnabled="true"/>
<ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
<ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
Sorry. I found the issue. I was expecting to see messages in the log regarding the creation of the session attributes. I didn't realize that the examples project had a session listener that was outputting the messages to the log. I was thinking that it was simply from the log level that I had set.
Thanks to anyone who read this post.

Acegi pligin not enabling HTTPS with 'forceHttps' param

I am working on an old application which has huge code from legacy.
Application is based on Spring 2.0 and using Acegi plugin for security. The Tomcat server is successfully configured on HTTPS port.
Now I need to redirect the login over HTTPS. I tries setting following in my template_spring_config.xml
<bean id="authenticationEntryPoint" class="src.auth.acegi.myAuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="http://#domain.name#/welcome"/>
<property name="forceHttps" value="true"/>
</bean>
Help found so far indicates that this much should be enough to redirect on HTTPS. But this is not working at all and my Request for login remains on HTTP.
I cannot switch to Spring-Security and higher Spring versions due to time constraint.
Please help if you know what else I need to do.
It's difficult to say for sure since you are using a custom entry point implementation (which may behave differently), but you are using an absolute URL, which will probably override the default logic for building the redirect. Try using https:// rather than http:// for your login URL scheme.
Note that you really shouldn't be using Acegi since development stopped on it a long time ago. It contains most (possibly all) of the vulnerabilities that have subsequently been patched in Spring Security. The same goes for Spring itself.

Configuring Spring Security Ldap 3.0 to work with Active Directory LDS

I am hoping that someone will help me out with a really frustrating problem I have.
Currently I am trying to get Spring Security 3.0 Web App to authenticate with an AD LDS instance but I keep getting this error 'Bad Credentials'. Unfortunately I dont have anything more to go on at the moment.
Below is a copy of the Security configuration being used:
<authentication-manager alias="ldapAuthenicationManager">
<ldap-authentication-provider user-dn-pattern="CN={0},OU=Users,O=JLP,C=UK" >
</ldap-authentication-provider> </authentication-manager>
<ldap-server url="ldap://servner ip/o=JLP,c=UK" manager-dn="CN=Manager,O=JLP,C=UK" manager-password="manager" />
I suspect the problem is caused by the <Ldap server> tag and that the manager-dn is not configured correctly. The DN of the Manager is copied directly from AD LDS - have I not provided enough information? Or does the password need to encrypted\hashed?
Has anyone done anything like this with LDS - how did you work around this problem?
Applogies that this is so vague, but this is as much information as I have to go on. Does any one have any suggestions of things to look at or for solutions?
All help is gratefully recieved!
Cheers
Mo
I am not sure if things would be significantly different for LDS but can you try upgrading to spring security 3.1 as it has a specialized Authenticator for AD.
It does not need manager account as it tries to bind using the username/password being authenticated. Also the configuration is minimal (No DN, search pattern, etc to be provided)
<security:authentication-manager>
<security:authentication-provider ref="activeDirectoryAuthenticationProvider"/>
</security:authentication-manager>
<bean id="activeDirectoryAuthenticationProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="${activedirectory.domain}" />
<constructor-arg value="${activedirectory.server}" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
where domain = example.com (from your example, jlp.uk) and server = ldap://ip
I remember that I came across with the same issue and the solution was to set the value of manager-dn
to manageruser#yourdomain
e.g.
<ldap-server url="ldap://servner ip/o=JLP,c=UK" manager-dn="morrislgn#example.com" manager-password="manager" />
Thanks for your answers they were very helpful.
Also found that the user account you are using for the manager-dn needs to be added to the reader role within LDS to allow it to search.
If you add the user role to the Administrators group you can connect but not search.
Cheers for your help
Slight necromancy here, but for those who stumble across this via Google, the most helpful tool I found regarding configuring my LDAP connection was to install Apache Directory Studio LDAP browser. It was via this tool that I was able to get verbose enough error messages to discover what was wrong with my LDAP configuration, and how to correct it.

Resources