访问SSL CXF SOAP客户端下的Web服务

时间:2011-08-02 10:18:30

标签: spring ssl cxf ws-security

这是与我的问题here有关的问题。当我尝试使用自签名证书添加SSL时,出现以下错误。

org.springframework.web.util.NestedServletException: Request processing failed; nested 
exception is javax.xml.ws.soap.SOAPFaultException: Error reading XMLStreamReader.
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.jav

a:656)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

javax.xml.ws.soap.SOAPFaultException: Error reading XMLStreamReader.
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
$Proxy107.getEmployee(Unknown Source)
org.samith.web.controller.FrontController.frontRequestHandler(FrontController.java:27)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
com.ctc.wstx.sr.StreamScanner.throwUnexpectedEOF(StreamScanner.java:682)
com.ctc.wstx.sr.BasicStreamReader.handleEOF(BasicStreamReader.java:2090)
com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:1996)
com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1100)
com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1123)
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:122)
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:60)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:755)
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2335)
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2193)
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2037)
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:697)
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.h  andleMessage(MessageSenderInterceptor.java:62)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
$Proxy107.getEmployee(Unknown Source)
org.samith.web.controller.FrontController.frontRequestHandler(FrontController.java:27)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

我的客户端配置文件有这个xml段

<http-conf:conduit name="*.http-conduit">
    <http-conf:tlsClientParameters secureSocketProtocol="SSL">
        <sec:keyManagers keyPassword="*****">
            <sec:keyStore type="JKS" password="welcome" file="full_path_to_employee_auth.jks" />
        </sec:keyManagers>
    </http-conf:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http-conf:conduit>

我添加了对conf / server.xml tomcat文件的引用,其中包含employee_auth.jks文件的正确路径。顺便说一下,服务端的web xml文件有这个条目

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted web services</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
         require SSL 
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

当服务端未启用SSL时,客户端服务器通信发生得非常好。我正在研究这个问题以便挂起CXF。任何帮助将不胜感激。

1 个答案:

答案 0 :(得分:0)

这是导致软件消化不良的自签名证书;双方未能进行完整的SSL握手,并且在传输SOAP消息之前就会崩溃。

您需要tell the client 信任自签名证书,即您需要将其添加到trustManagers,而不是keyManagers(这就是你将客户的身份用于证明服务器的身份的地方。您可能还需要通过以下方式禁用检查服务器的CN是否与所需地址匹配:

<http-conf:tlsClientParameters disableCNcheck="true" />

但请注意,这有潜在危险。

最终,您最好获得正确的CA签名主机证书,因为这比让每个该死的客户端使用半安全性更加麻烦。单个主机证书非常便宜(可能对您免费;您的组织 - 如我的 - 可能已经有现有的交易)。