Securing Web Service communication with SSL using CXF - web-services

I am trying to secure communications via SSL/TLS for one of our Web Service using CXF 2.2.5.
I am wondering how to update client and server Spring configuration file to activate this feature.
I found some information on CXF's website (CXF Wiki) for the client configuration, here is the given example:
<http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:authorization>
<sec:UserName>Betty</sec:UserName>
<sec:Password>password</sec:Password>
</http:authorization>
<http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
Concerning this configuration, the
Concerning the server side configuration I am unable to launch the server properly, here is the configuration I have:
<http:destination name="{urn:ihe:iti:xds-b:2007}DocumentRepository_Port_Soap12.http-destination">
</http:destination>
<httpj:engine-factory>
<httpj:engine port="9043">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="changeit">
<sec:keyStore type="JKS" password="changeit" file="security/keystore.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="changeit" file="security/cacerts.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!--
these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude
anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks
-->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<sec:clientAuthentication want="true" required="true" />
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
But when I run my application server (JOnas) with this configuration I have the following error message:
Line 20 in XML document from ServletContext resource [/WEB-INF/beans.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'httpj:engine-factory'.
Do you guys know how to solve this issue?
Thanks in advance,

It sounds like you are missing a namespace declaration or you have fat-fingered your XML. This is likely more of a Spring related issue than a CXF issue.
Check that the following items appear on your beans element where you declare httj:engine-factory:
<beans
...
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
...
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
...">
<import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-http-jetty.xml" />
Check that the CXF Jetty Transport JAR is in your classpath at runtime.
If you add the declaration and the schema location to your context file in your IDE (at least in Eclipse with the Spring plug-ins and IDEA) you should get schema validation right in your IDE so you can easily find any mistakes you make and take advantage of auto-completion.

Related

Can`t enable WS-SecurityPolice with CXF in Web Service

It`s my first project with CXF and Web Services,using Tomcat as a servlet container and my first question in StackOverflow too,so be patient with me....;-)
I'm using :
Tomcat 9 (standalone and integrated with Eclipse).
CXF (3.2.0)
JDK 1.8
Windows 7
**The problem:**WS-SecurityPolicy not enabled/ not working in the server side.
WS-SecurityPolicy is implemented in the wsdl file of the web service and the policy seems working fine,because in the client side the SOAP output message body is signed.
The problem I'm stuck is in the server side,none of the policies are applied in response.
The first issue I had was with the SOAP header "must understand=1",the server does not recognize the security headers and throws an exception.
My suspect was that the web service is not applying the policy,then to avoid the exception of the header I put a handler that does nothing whith it.
Now the server response the SOAP message but in clear form (unsigned, without the BinarySecurityTolen and other stuff),my suspect was true,the policy is not working.
I think the porblem is a misconfiguration of CXF files...
The cxf bean configuration of the web service is loaded during Tomcat's startup.
INFO: Creating Service {http://ole/wsTransaccion}WsTransaccionService from WSDL: wsdl/wsTransaccion.wsdl
....
....
INFO: Loading XML bean definitions from ServletContext resource [/WEB-INF/cxf-wsTransaccion.xml]
The cxf-wsTransaccion.xml file contains:
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<bean id="myPasswordCallback"
class="implementacion.ServerKeystorePasswordCallback" />
<jaxws:endpoint xmlns:tns="http://ole/wsTransaccion" id="wsTransaccion"
implementor="implementacion.WsTransaccionImpl"
wsdlLocation="wsdl/wsTransaccion,wsdl" endpointName="tns:WsTransaccionPort"
serviceName="tns:WsTransaccionService" address="/WsTransaccionPort">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
<jaxws:properties>
<entry key="security.callback-handler">
<ref bean="myPasswordCallback"/>
</entry>
<entry key="security.encryption.properties" value="keystore.properties"/>
<entry key="security.signature.properties" value="keystore.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
</jaxws:properties>
</jaxws:endpoint>
I think the problem coluld be in the location of the file keystore.properties, although no exception is thrown (like a java.io.FileNotFoundException) if not exists..
All examples I saw were Maven's projects ,but this is NOT A MAVEN project so I haven't the folder "resources" where properties files and keystore are placed.
I don't know the right place of keystore.properties, i think must be in the classpath ,then i put it in a package named resources with the keystore together.
The content of keystore.properties:
>org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>org.apache.wss4j.crypto.merlin.keystore.file=server.p12
>org.apache.wss4j.crypto.merlin.keystore.type=PKCS12
>org.apache.wss4j.crypto.merlin.keystore.alias=server
>org.apache.wss4j.crypto.merlin.keystore.password=xxxxxx<br/>
Other possibility is that org.apache.wss4j.crypto.merlin.keystore.file=server.p12 is not in the right place too, although is in the same place like keystore.properties
Any suggestion would be very appreciated.
Thanks very much!!!.
The problem was here:
Tomcat console:
"WARNING: Resource classpath:./resources/policyBinding.xml was not found in the classloaders."Although policyBinding.xml is in the classpath is not properly loaded due to the following annotation in the interface of the web service:
#Policy(uri = "./resources policyBinding.xml",placement=Policy.Placement.DEFAULT)
Thank you to Alfredo (WS-Security Policy node not being generated in Apache CXF with Spring and custom context file
) i figured it out the right syntax:
#Policy(uri = "classpath:policyBinding.xml",placement=Policy.Placement.DEFAULT)

Apache CFX Schema validation - contract first

I am developing a Web service using Apache CXF and contract first approach with schema validation. Problem is, that validation is not working. There is no error, so it like is not activated. But validation is configured.
So, I have took a look to official Apache CXF examples you can find here.
I took a look to wsdl_first example and modify it adding schema validation and some restriction in WSDL:
<!-- HTTP Endpoint -->
<jaxws:endpoint xmlns:customer="http://customerservice.example.com/"
id="CustomerServiceHTTP" address="http://localhost:9090/CustomerServicePort"
serviceName="customer:CustomerServiceService" endpointName="customer:CustomerServiceEndpoint"
implementor="com.example.customerservice.server.CustomerServiceImpl">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
<!-- schema validation-->
<jaxws:properties>
<entry key="schema-validation-enabled" value="true" />
</jaxws:properties>
</jaxws:endpoint>
To my surprise, it doesn't work either.
OK, so I took a look to wsdl_first_xmlbeans example, where according with the README.txt file, it also shows how CXF configuration can be used to enable schema validation.
And for this example, schema validation works. The difference between both examples is that the second one use JAX-WS APIs and with the XMLBeans approach. Does it have something to do? Why schema validation is not working for first example? Probably, I am missing something.
For validation on the service side, it would likely need to have a wsdlLocation attribute set on the jaxws:endpoint so it would load the WSDL (that would then contain the schemas). Currently, the validation in that example is on the client side only. If you run the service, the log shows:
INFO: Creating Service {http://server.customerservice.example.com/}CustomerServiceImplService from class com.example.customerservice.CustomerService
which shows it's not using the WSDL at all.

Webservice .Net 4.0 publishing problems in IIS7

I cant get my Webservice published, it should be simple:
I create the app in the IIS,
place it as a 4.0 Classic .Net
I publish it from .Net Solution within VS2012 Right click and publish
on the Webservice project.
The files are placed and it should show by itself on the browser on the URL of the server specified.
But I stumbled upon the following problems:
HTTP Error 404.17 - Not Found
The requested content appears to be script and will not be served by the static file handler.
So I've looked for It and found this two options:
Option 1:
http://www.banmanpro.com/support2/Requested_Content_Appears_to_be_Script.asp
This one says I should go to Integrated, instead of Classic App Pool. but it's like if I changed a problem for another because now it says:
HTTP Error 500.21 - Internal Server Error
Handler "WebServiceHandlerFactory-Integrated" has a bad module "ManagedPipelineHandler" in its module list
When I go to the web config see what is this error talking about I see no handler tag!
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appSettings />
<connectionStrings />
<system.web>
<compilation targetFramework="4.0" />
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows" />
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm"/>
<error statusCode="404" redirect="FileNotFound.htm"/>
</customErrors>
-->
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
</system.web>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
<!--
The system.webServer section is required for running ASP.NET AJAX under Internet
Information Services 7.0. It is not necessary for previous version of IIS.
-->
</configuration>
Should I add one? If so, how?
Option 2:
Script not served by static file handler on IIS7.5
Basically it says I shoud do a aspnet_regiis -i, but when I try
going to %windir%\Microsoft.NET\Framework\v4.0.30319
Even when the folder exists, There is no aspnet_regiis!!
I've only found the aspnet_regiis on the 2.0 Fwk =(
Is that normal?
The handler tag wasn't the answer, however, both options drove me to look for the missing aspnet_regiis of fwk 4.
There was no aspnet_regiis because the full fwk 4.0 wasn't actually installed on a first place.
I had installed on the server the Framework 4 Client Profile and the debugger, which isn't the full version. From now on, whenever I think I have fwk 4 installed, I'll check twice.
After installing it, on Framework 4.0 Classic Pipeline Mode (instead of Integrated) made it work just fine.
But Attention!
After installing the framework, IIS will change the default pipeline to 4.0, that means, if you had ongoing a web(site/service) on 2.0 it will automatically stop working. (It happened to me)

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'

I am trying to program a VisualWebPart using Visual Studio 2010 which has to do a simple thing: invoke a web service (hosted in a remote server, NOT locally). When I execute within the Sharepoint site (version 2010, which I have published in my IIS) I get this error:
"The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'."
Pardon my ignorance, but the only difference here is the case of the Ntlm authentication scheme! I have been all over the web and found many related problems, but none of the solutions worked. Almost ALL solutions i found involve modifications in the webservice security configuration, this is not an option for me.
Looking for a solution, I created a sample windows form and invoked the web service from it: no problems whatsoever.
In order to be able to invoke the webservice correctly this is the necessary security configuration:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
I believe the problem is that I havenĀ“t been able to properly set this security property to the web.config of my Sharepoint site, since I tried to put it in the security tag that appears in the web.config but still get the same error.
Any further information needed please ask, I am REALLY desperate, for days I have been with the SAME error.
In the end I was given permissions in their server: more precisely in the database which was the one that wouldn't let me create the web part in the server. Once this was done, the call to the webservice worked just fine, because they have the web.config correctly configured.

Silverlight 4.0: Cross Domain Policy Error

I have a webservice and a Silverlight application.
I also have a crossdomain.xml and clientaccesspolicy.xml
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
here my cross domain policy
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="http://localhost/MHVWS/MachineHistoryWS.asmx" />
</cross-domain-policy>
My web service is being hosted in IIS.
With this configuration I still have this kind of error:
An error occurred while trying to make a request to URI 'http://localhost/MHVWS/MachineHistoryWS.asmx'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
Please help
You only need one policy file. You dont require both.
Be sure one (or both) of those policy files exist in the same location (domain) as the webservice.
To debug and see what is going on, use a tool like Fiddler to verify the url path of the policy xml file the client is looking for.