
Web Services Security with Apache Rampart – Part 1 (Transport Level Security)

Apache Rampart is the Axis2 module that provides WS-Security functionality to Axis2 Web services and their clients. Rampart currently implements the WS-Security, WS-SecurityPolicy, WS-SecureConversation and WS-Trust specifications. In this tutorial, we will look at applying transport level security to a Web service or a client using Apache Rampart.

Date: Thu, 7th Feb, 2008
Level: Introductory
Nandana Mihindukulasooriya
Tech Lead
WSO2 Inc.

Introduction

This tutorial is a step-by-step guide on how to use username token authentication with Apache Rampart using policy based configuration. We'll first look at a scenario. Then we'll look at deploying the Apache Rampart module in Axis2. We will then go on to look at how an Axis2 Web service and a client can be secured with Rampart. With Axis2/Rampart proven to be highly interoperable, either the Web service or the client can also be written and secured using some Web service stack other than Axis2/Java, such as .NET, C or PHP. For example, an Axis2 client with Rampart can be used to consume a secure .NET Web service.
Read Web Services Security with Apache Rampart – Part 2 (Message-Level Security)

 

Applies To

Apache Axis2/Java 1.3
Apache Rampart/Java 1.3

 

 


 

Scenario

In this tutorial, we will look at a scenario where message protection is provided by the transport layer. All message exchanges will be done over the https transport. Clients will authenticate to the service using username tokens (username/password).

We will use the Axis2 WAR deployed in Apache Tomcat server for this tutorial, as it is one of the most common use cases.


 

Deploying the Rampart Module

Step 1. Deploying the Module and Necessary Jars

Apache Rampart 1.3 binary distribution can be downloaded here. The Rampart distribution contains two module files, rampart-1.3.mar and rahas-1.3.mar. These module files should be copied to the "modules" directory of Axis2, which can be found in TOMCAT_HOME/webapps/axis2/WEB-INF/modules, where TOMCAT_HOME is the home directory of the Apache Tomcat server in which the Axis2 WAR is deployed. All the dependency jars needed for Apache Rampart can be found under the libs directory of the Rampart distribution. These have to be copied to the "lib" directory of Axis2, which can be found under TOMCAT_HOME/webapps/axis2/WEB-INF/lib.

You can check whether Apache Rampart is successfully deployed by logging in to Axis2 as admin and using the 'system components/available modules' option in the admin Web console. Both "rampart" and "rahas" should be listed under available modules if you have successfully deployed the Rampart and Rahas modules.

 

Step 2. Configuring SSL in Apache Tomcat

In this tutorial, we use the https transport in Apache Tomcat to provide transport level security. So we have to modify the server.xml of Apache Tomcat, which can be found in the TOMCAT_HOME/conf directory, to include the SSL configuration. You can use the server.jks keystore, which can be found in the source code zip file, as the keystore for this tutorial. The keystore password is "password". The SSL configuration in the server should look like the one given below:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"           
               keystoreFile="path/to/server.jks" 
               keystorePass="password" />

 

Securing the Service

Step 1. Writing the Web Service and the Service Descriptor

For this tutorial, we will be using a simple service that has a single operation called "add", that adds two integers and returns the sum. For simplicity, we will be using the code first approach for this tutorial. Service implementation class is given below.

 

package tutorial.rampart.service;

/**
 * Secure Service implementation class
 */
public class SecureService {
	
	public int add(int a, int b) {
		return a+b;
	}

}


Service descriptor for the above mentioned service is given below. You can find more information on how to write an Axis2 Web service, in this tutorial: "Hello, World with Apache Axis2".

<service>   
    <parameter name="ServiceClass" locked="false">tutorial.rampart.service.SecureService</parameter>
    <operation name="add">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
</service>

Step 2. Writing the Password Callback

As we use username token authentication in this scenario, we need to write a password callback class, to be used by the Web service to authenticate username tokens. The password callback class which we use for this tutorial, is given below. Even though passwords are hard coded in this example, passwords can be retrieved from a database, LDAP server or any storage, by writing the relevant password retrieval logic in the password callback class.

package tutorial.rampart.service;

import org.apache.ws.security.WSPasswordCallback;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import java.io.IOException;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {

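        for (int i = 0; i < callbacks.length; i++) {

            // Reject anything that is not a WS-Security password callback
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unrecognized callback");
            }

            // When the server side needs to authenticate the user
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];

            // Literal-first equals() avoids a NullPointerException when the
            // token carries no username or no clear-text password
            if (!("apache".equals(pwcb.getIdentifer()) && "password".equals(pwcb.getPassword()))) {
                throw new UnsupportedCallbackException(callbacks[i], "check failed");
            }
            // Authentication successful for this callback; continue with the next

        }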
    }

}
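
The step above notes that the hard-coded check can be replaced by a lookup against a database, LDAP server or other storage. The following is an added example, not code from the original tutorial or from the Rampart project: a callback handler that verifies the clear-text UsernameToken password against salted PBKDF2 hashes. The class name HashedPWCBHandler, the in-memory STORE standing in for the real storage, and the iteration count are assumptions made for illustration.

```java
package tutorial.rampart.service;

import org.apache.ws.security.WSPasswordCallback;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (hypothetical class name): checks the UsernameToken password
 * against salted PBKDF2 hashes, so no clear-text password is stored.
 */
public class HashedPWCBHandler implements CallbackHandler {

    private static final int ITERATIONS = 100000; // assumption: tune to your hardware
    private static final int KEY_BITS = 256;

    /** One stored credential: random salt plus derived key, never the password. */
    static final class Record {
        final byte[] salt;
        final byte[] hash;
        Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Stand-in for a database or LDAP lookup (constructed sample store).
    private static final Map<String, Record> STORE = new ConcurrentHashMap<String, Record>();

    // Derivation target for unknown users, so they cost the same work as known ones.
    private static final Record DUMMY = newRecord("dummy-password".toCharArray());

    static {
        // Constructed sample account matching the credentials used by the tutorial's client.
        enroll("apache", "password".toCharArray());
    }

    static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            // PBKDF2WithHmacSHA256 needs Java 8+; older JREs offer PBKDF2WithHmacSHA1.
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }

    static Record newRecord(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Record(salt, derive(password, salt));
    }

    static void enroll(String user, char[] password) {
        STORE.put(user, newRecord(password));
    }

    /** True only when the user exists and the password derives to the stored hash. */
    static boolean verify(String user, String password) {
        if (user == null || password == null || password.length() == 0) {
            return false;
        }
        Record rec = STORE.get(user);
        boolean known = (rec != null);
        // Unknown users still pay for one derivation, so response time does
        // not reveal which user names exist.
        byte[] derived = derive(password.toCharArray(), known ? rec.salt : DUMMY.salt);
        // MessageDigest.isEqual compares in constant time on current JREs.
        boolean match = MessageDigest.isEqual(derived, known ? rec.hash : DUMMY.hash);
        return known && match;
    }

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Same accessors and same failure signal as the tutorial's handler.
            if (!verify(pwcb.getIdentifer(), pwcb.getPassword())) {
                throw new UnsupportedCallbackException(callbacks[i], "check failed");
            }
        }
    }

    public static void main(String[] args) {
        // Exercises the verification logic only; no Axis2 server is needed.
        System.out.println("apache/password -> " + verify("apache", "password"));
        System.out.println("apache/wrong    -> " + verify("apache", "wrong"));
        System.out.println("nobody/password -> " + verify("nobody", "password"));
    }
}
```

To use such a handler in the tutorial's service, the ramp:passwordCallbackClass element of the policy would name it in place of tutorial.rampart.service.PWCBHandler.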

Step 3. Constructing the Security Policy

We will be using the policy based configuration approach in Apache Rampart for this tutorial. So we should construct a suitable security policy using WS-Security Policy Language, to define the requirements of the Web service. The security policy used in this tutorial is given below:

<wsp:Policy wsu:Id="UsernameTokenOverHTTPS" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
		<wsp:ExactlyOne>
		  <wsp:All>
			<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			  <wsp:Policy>
				<sp:TransportToken>
				  <wsp:Policy>
					<sp:HttpsToken RequireClientCertificate="false"/>
				  </wsp:Policy>
				</sp:TransportToken>
				<sp:AlgorithmSuite>
				  <wsp:Policy>
					<sp:Basic256/>
				  </wsp:Policy>
				</sp:AlgorithmSuite>
				<sp:Layout>
				  <wsp:Policy>
					<sp:Lax/>
				  </wsp:Policy>
				</sp:Layout>
				<sp:IncludeTimestamp/>
			  </wsp:Policy>
			</sp:TransportBinding>
			<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
			  </wsp:Policy>
			</sp:SignedSupportingTokens>
			<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
				<ramp:passwordCallbackClass>tutorial.rampart.service.PWCBHandler</ramp:passwordCallbackClass>
			</ramp:RampartConfig>		
		  </wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>


As you can see, the above security policy contains two main security assertions: a transport binding assertion and a signed supporting token assertion. The transport binding assertion defines the requirement of using an SSL transport, by means of the HTTPS transport token assertion. The signed supporting token assertion defines the requirement of a username token that should be integrity protected at the transport level. You can find more information on constructing a security policy in this article: "Understanding WS-Security Policy Language" [3].

The last assertion, which is a Rampart specific assertion, is used to provide configuration details to Rampart. In the above policy, it defines the password callback class to be used. This assertion will not appear in the WSDL.

Step 4. Engaging Rampart and Applying the Security Policy

Now, we will look at how we can engage Rampart to the Web service and apply the security policy. This is done entirely using the service descriptor; we don't have to modify the source of the Web service to secure it. First, we engage the Rampart module to the Web service by adding the <module ref="rampart"/> element to the service descriptor. Then we apply security by adding the policy to the service descriptor. The modified service descriptor, after engaging Rampart and applying the policy, is given below. Elements within the policy element are not shown for brevity.

<service>   
    <module ref="rampart"/>
    <parameter name="ServiceClass" locked="false">tutorial.rampart.service.SecureService</parameter>
    <operation name="add">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>    
    <wsp:Policy wsu:Id="UsernameTokenOverHTTPS" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    ..... 
    </wsp:Policy>  
</service>

Step 5. Deploy the Service

Now, we have to deploy this service in the Axis2 server. Create a service archive named SecureService.aar and drop it into the services directory, which can be found at TOMCAT_HOME/webapps/axis2/WEB-INF/services, where TOMCAT_HOME is the home of the Apache Tomcat server. You can find information on how to create an Axis2 service archive in the "Hello, World with Axis2" tutorial [2] listed under references.

 

Policy Annotated WSDL

When a security policy is applied to a Web service, the WSDL will be annotated with the relevant security policy, so that clients can secure SOAP messages according to the policy defined in the WSDL. Code generators that generate stubs to access the Web service can make use of the security policies defined in the WSDL. The policy annotated WSDL of the Web service we use for this tutorial can be found here.

 

Securing the Client

Step 1. Generating the Stub using WSDL2Java Tool

The WSDL2Java tool provided by Axis2 can be used to generate stubs that can be used to call Web services. Given below is the command which we use in this tutorial to generate the stub. The -uri option is used to provide the URL of the WSDL, the -p option to specify a custom package name for the generated code, the -o option to specify a directory path for the generated code, and the -uw option to switch on unwrapping.

[Linux]
$ sh WSDL2Java.sh -uri http://localhost:8080/axis2/services/SecureService?wsdl -p tutorial.rampart.client -uw  -o /project/path/

[Windows]
WSDL2Java.bat -uri http://localhost:8080/axis2/services/SecureService?wsdl -p tutorial.rampart.client -uw -o /project/to/path/

 

Step 2. Writing the Client

Now, we will write a client to the Web service using the stub generated. Source code of the client is given below:

package tutorial.rampart.client;

public class SecureServiceCGClient {
	
	public static void main(String[] args) throws Exception {
		
		SecureServiceStub stub = new SecureServiceStub(null,"https://localhost:8443/axis2/services/SecureService");
		
		int a = 3;
		int b = 4;
		
		int result = stub.add(a, b);
		
		System.out.println(a + " + " + b + " = " + result);		
	}
}

 

Step 3. Engaging Rampart and Setting Authentication Information

To secure the SOAP requests made by the client, we need to engage the Rampart module to the client. So we have to create a client repository, and rampart-1.3.mar should be deployed in its modules directory. We should make sure that all dependency .jar files of the Apache Rampart module are in the classpath of the client. Then we can use the following code to engage Rampart in the client. Note that the username and password to be used in the username token are provided using the Options class.

As you can see, we don't have to apply the policy to the client manually. The WSDL2Java tool does that for us. It extracts the relevant policy from the WSDL and applies it correctly to the generated stub.

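// Imports needed by this fragment
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;

// In the client's main method:
// The Rampart module should be in the repository
ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("path/to/client/repo", null);

SecureServiceStub stub = new SecureServiceStub(ctx, "https://localhost:8443/axis2/services/SecureService");

ServiceClient sc = stub._getServiceClient();

// Engage Rampart so that the policy carried by the stub is enforced
sc.engageModule("rampart");

// Credentials placed in the username token
Options options = sc.getOptions();
options.setUserName("apache");
options.setPassword("password");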

Step 4. Adding Server Certificate as a Trusted Certificate

As we are using HTTPS as the transport protocol, an SSL handshake has to happen and the client needs to trust the server's certificate. We have to add the keystore containing the server's certificate as a trust store, which can be done by setting the following system properties:

System.setProperty("javax.net.ssl.trustStore", "/path/to/server.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");

NOTE: We only have to do this since we are using a self-signed certificate. In a situation where the SSL channel is secured using a certificate signed by a known CA (Certificate Authority), we don't have to set these JSSE (Java Secure Socket Extension) properties.

Step 5. Calling the Web Service

 Now, everything is well set and you can run the client and consume the Web service.

SOAP Messages Exchanged

 We will take a look at the SOAP messages exchanged between the client and the service.

Without Security

This is the SOAP message sent by the client without security:

<soapenv:Envelope>
	<soapenv:Body>
		<ns1:add
			xmlns:ns1="http://service.rampart.tutorial">
			<ns1:a>4</ns1:a>
			<ns1:b>6</ns1:b>
		</ns1:add>
	</soapenv:Body>
</soapenv:Envelope>

With Security

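This is the SOAP message sent by the client when Rampart is engaged and the above security policy is applied. As you can see, a SOAP header with a security header is added to the SOAP message. The security header is used to send all security claims required by the security policy of the server. Note that the password travels as clear text (PasswordText) inside the username token, so its confidentiality depends entirely on the HTTPS transport.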

<soapenv:Envelope>
	<soapenv:Header>
		<wsse:Security
			soapenv:mustUnderstand="1">
			<wsu:Timestamp
				wsu:Id="Timestamp-31497899">
				<wsu:Created>2008-02-06T13:39:50.943Z</wsu:Created>
				<wsu:Expires>2008-02-06T13:44:50.943Z</wsu:Expires>
			</wsu:Timestamp>
			<wsse:UsernameToken
				wsu:Id="UsernameToken-10697954">
				<wsse:Username>apache</wsse:Username>
				<wsse:Password
					Type="http://...#PasswordText">password</wsse:Password>
			</wsse:UsernameToken>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body>
		<ns1:add
			xmlns:ns1="http://service.rampart.tutorial">
			<ns1:a>4</ns1:a>
			<ns1:b>6</ns1:b>
		</ns1:add>
	</soapenv:Body>
</soapenv:Envelope>

 

Summary

In this tutorial, we looked at how to deploy the Apache Rampart module and apply security to a Web service. We also looked at how to consume a secure Web service.

In part II of this tutorial, "Web services security with Apache Rampart - Part II (Message level security)", we will look at how to secure Web services with Apache Rampart using message level security. We will look at how to sign and encrypt various message parts using Apache Rampart.

 

References

  1. Apache Tomcat SSL configuration
  2. Hello World with Apache Axis2
  3. Understanding the WS Security Policy Language
  4. Web Services Security with Apache Rampart – Part 2 (Message-Level Security)

 

Resources

Download source code for this tutorial

 

Author

Nandana Mihindukulasooriya, Software Engineer, WSO2 Inc. nandana AT wso2 DOT com

 

shrav.sweety.gmail.com's picture

MAJOR BUG

Connection refused when trying to run the Client code and remote host closed connection during ssl handshake
-------------------------------------------------------------------------------------------------------------
Key: RAMPART-353
URL: https://issues.apache.org/jira/browse/RAMPART-353
Project: Rampart
Issue Type: Bug
Components: rampart-core, rampart-integration, rampart-policy, rampart-tests, rampart-trust
Affects Versions: 1.5.2
Environment: Windows7
Reporter: karthika sravanthi
Priority: Blocker
Fix For: 1.5.2

log4j:WARN No appenders could be found for logger (org.apache.axis2.deployment.FileSystemConfigurator).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.apache.axis2.AxisFault: Connection refused: connect
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:203)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:76)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:400)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:225)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:438)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at tutorial.rampart.client.SecureServiceStub.add(SecureServiceStub.java:191)
    at tutorial.rampart.client.SecureServiceCGClient.main(SecureServiceCGClient.java:34)
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(Unknown Source)
    at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.commons.httpclient.protocol.ReflectionSocketFactory.createSocket(ReflectionSocketFactory.java:140)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:130)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:557)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
    ... 9 more

WE ARE STUCK WITH THIS EXCEPTION WHEN RUNNING THE CLIENT. PLEASE HELP
posstaridli1591.yahoo.com's picture

Hi PsychoRex, I think this is due to the bug AXIS2-3915 in Axis2 1.4 (the good news is this is fixed in Axis2 1.4.1). A possible workaround for this is discussed here in the Axis2 user mailing list. Thanks, nandana

jesoufiane.gmail.com's picture

problem running client

Hello; I have this problem when I am running the client:

Exception in thread "main" org.apache.axis2.AxisFault: Read timed out
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)
    at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:542)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:189)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:364)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:208)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:448)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
    at tutorial.rampart.client.SecureServiceStub.add(SecureServiceStub.java:192)
    at tutorial.rampart.client.SecureServiceCGClient.main(SecureServiceCGClient.java:39)
Caused by: com.ctc.wstx.exc.WstxIOException: Read timed out
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:146)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:817)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:79)
    ... 19 more
Caused by: java.net.SocketTimeoutException: Read timed out
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(Unknown Source)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:99)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
    ... 22 more
ansh7jan.gmail.com's picture

need help

Hi, I have just started learning about web services. I just made a web service from a Java file. I need to know how to add security to it. Do we need to do all of the above-mentioned steps? Please tell me from the simplest and most basic steps. Thank you, Anshul
bk_pani.yahoo.co.in's picture

Package org.apache.ws.axis.security does not exist

Thanks for the tutorial. I am new to axis. When running the service it shows "Package org.apache.ws.axis.security does not exist" on PWCBHandler.java line no 3. I am using: rampart 1.5, axis 1.5.1, java 1.6, tomcat 6. Any suggestions please :)
lmteijon's picture

source code zip file???

Firstly, I'd like to thank Nandana for giving us this amazing guide. Please, I need someone to help me with the source code zip file; I can't find it. I suppose it's no longer available.
lmteijon's picture

ERROR trying to consume a client

Hi, finally I found it... but I've got this error while trying to consume the client:

[INFO] No services directory was found under D:\Work\My Eclipse Work Space\SecuredClient\client-repo.
[INFO] Deploying module: rahas-1.4 - file:/D:/Work/My Eclipse Work Space/SecuredClient/client-repo/modules/rahas-1.4.mar
[INFO] Deploying module: rampart-1.4 - file:/D:/Work/My Eclipse Work Space/SecuredClient/client-repo/modules/rampart-1.4.mar
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/http/HttpResponseFactory
    at org.apache.axis2.transport.http.SimpleHTTPServer.init(SimpleHTTPServer.java:116)
    at org.apache.axis2.engine.ListenerManager.init(ListenerManager.java:74)
    at org.apache.axis2.context.ConfigurationContext.getListenerManager(ConfigurationContext.java:692)
    at org.apache.axis2.client.ServiceClient.configureServiceClient(ServiceClient.java:163)
    at org.apache.axis2.client.ServiceClient.<init>(ServiceClient.java:143)
    at tutorial.rampart.service.SecureServiceStub.<init>(SecureServiceStub.java:95)
    at tutorial.rampart.service.SecureServiceStub.<init>(SecureServiceStub.java:81)
    at myPackage.SecureServiceCGClient.main(SecureServiceCGClient.java:27)
Caused by: java.lang.ClassNotFoundException: org.apache.http.HttpResponseFactory
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    ... 8 more

Here is my client code:

import java.rmi.RemoteException;

import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;

import tutorial.rampart.service.SecureServiceStub;
import tutorial.rampart.service.SecureServiceStub.Add;
import tutorial.rampart.service.SecureServiceStub.AddResponse;

public class SecureServiceCGClient {

    /**
     * @param args
     * @throws RemoteException
     */
    public static void main(String[] args) throws RemoteException {
        // TODO Auto-generated method stub
        System.setProperty("javax.net.ssl.trustStore", "keys/server.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "password");

        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("client-repo", null);
        SecureServiceStub stub = new SecureServiceStub(ctx, "https://localhost:8443/axis2/services/SecureService");

        ServiceClient sc = stub._getServiceClient();
        sc.engageModule("rampart");

        // Take the Options from the ServiceClient so the credentials apply to the request
        org.apache.axis2.client.Options options = sc.getOptions();
        options.setUserName("apache");
        options.setPassword("password");

        Add param = new Add();
        int a = 3;
        int b = 4;
        param.setA(a);
        param.setB(b);

        AddResponse response = new AddResponse();
        response = stub.add(param);
        int result = response.get_return();

        System.out.println(a + " + " + b + " = " + result);
    }
}

Thanks for any help...
i62vacar.uco.es's picture

where are the sources?

I can't locate the sources into the tutorial, where did you find it? Thanks
areebsa.yahoo.com's picture

RSA premaster secret error

Thanks for the tutorial, I am new to axis. When running the client I had this error. I am using: rampart 1.4, axis 1.5, java 1.6, tomcat 6. Any suggestions please :)

Exception in thread "main" org.apache.axis2.AxisFault: RSA premaster secret error
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)
    at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:550)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:189)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:389)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:222)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:435)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at tutorial.rampart.client.SecureServiceStub.add(SecureServiceStub.java:191)
    at tutorial.rampart.client.SecureServiceCGClient.main(SecureServiceCGClient.java:38)
Caused by: com.ctc.wstx.exc.WstxIOException: RSA premaster secret error
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:168)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:830)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:79)
    ... 19 more
areebsa.yahoo.com's picture

Solved the RSA premaster secret error, but

I added the path to the folder containing the files (dnsns.jar, localedata.jar, sunjce_provider.jar and sunpkcs11.jar) when running the client, and the error was resolved. However, I got the following error:

Exception in thread "main" org.apache.axis2.AxisFault: SOAP header missing
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:172)

This error was mentioned by psychorex, though I am using axis 1.5. I'll try the workaround you linked to. Thanks
scola351.yahoo.com's picture

Good info

Thanks for sharing.
mariraja.a's picture

Not able to get a Fault exception in client side.

Hi Nandana, Thanks for your article. It is a very useful article for beginners. I did all the steps as per your article. I am facing one issue now. I created one user-defined exception in my code. While sending a request from SoapUI, I get some exceptions in my web service. But I am not able to see that exception message on the client side. I mean FaultString is not working. I am able to see it on the server side. When I remove the rampart module from axis2, I am able to get the FaultException on the client side. Please help to fix it. Thanks, A. MariRaja.
satya_mca's picture

getting error while creating the client

Hi, I am getting an error while creating the client using the above steps. I created the service archive file and deployed it in tomcat5.5/webapps/axis2/webinf/services/. I am listing the services and it is showing the service also. For client generation I am using the following condition:

1) D:\webservices\article-transport\src\temp>WSDL2Java.bat -uri http://localhost:8080/axis2/services/SimpleService?wsdl -p tutorial.rampart.client -uw -o D:\webservices\article-transport\src\temp\client

While doing this I am not getting errors, but the following warning is shown:

D:\webservices\article-transport\src\temp>WSDL2Java.bat -uri http://localhost:8080/axis2/services/SimpleService?wsdl -p tutorial.rampart.client -uw -o D:\webservices\article-transport\src\temp\client
Using AXIS2_HOME: D:\ProgramFiles\axis2-1.4.1
Using JAVA_HOME: D:\ProgramFiles\Java\jdk1.6.0
Retrieving document at 'http://localhost:8080/axis2/services/SimpleService?wsdl'.
cannot find a PolicyExtension to process http://schemas.xmlsoap.org/ws/2005/07/securitypolicytype assertions

After that the stub is created. But in the stub I do not find the https URL being called.

If I use the following command:

D:\webservices\article-transport\src\temp>WSDL2Java.bat -uri https://localhost:8443/axis2/services/SimpleService?wsdl -p tutorial.rampart.client -uw -o D:\webservices\article-transport\src\temp\client
Using AXIS2_HOME:   D:\ProgramFiles\axis2-1.4.1
Using JAVA_HOME:    D:\ProgramFiles\Java\jdk1.6.0
Retrieving document at 'https://localhost:8443/axis2/services/SimpleService?wsdl'.
Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: Error parsing WSDL
    at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:156)
    at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
    at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=OTHER_ERROR: Unable to resolve imported document at 'https://localhost:8443/axis2/services/SimpleService?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
    at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
    at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.readInTheWSDLFile(CodeGenerationEngine.java:288)
    at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:111)
    ... 2 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at java.net.URL.openStream(URL.java:1009)
    at com.ibm.wsdl.util.StringUtils.getContentAsInputStream(Unknown Source)
    ... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 25 more

Can you help me... Satya M
mgibson77's picture

Security credentials displayed in SOAP message

Hi Nandana, Thanks for this tutorial... it's a great way to get started on Web Service Security. Following the tutorial, I have successfully created a secured Web Service using the following environment: Windows Vista, JBoss 5.0, Eclipse Ganymede (3.4), Rampart 1.3 and Axis2 1.4.1. My worry is with the username and password being displayed in the SOAP message (I used TCPMon to capture it). Is this acceptable or will we have to add encryption using Bouncy Castle or something like that? Those credentials are also displayed in your SOAP message in the tutorial as username = 'apache' and pwd = 'password'. Regards.. Java King.
daniel.silva's picture

axis2 1.4.1 / rampart 1.4

First of all, thank you Nandana for these tutorials! Great job! I've completed both (part 1 and 2) with no problems using axis2 1.3 and rampart 1.4. But I found a problem using axis2 1.4. I'm getting the following exception (I'm using axiom-impl-1.2.8):

java.lang.AbstractMethodError
    at org.apache.axiom.om.impl.builder.StAXBuilder.processAttributes(StAXBuilder.java:230)
    at org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.constructNode(StAXSOAPModelBuilder.java:369)
    at org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.createOMElement(StAXSOAPModelBuilder.java:235)
    at org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.createNextOMElement(StAXSOAPModelBuilder.java:196)
    at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:207)
    at org.apache.axiom.om.impl.dom.NodeImpl.build(NodeImpl.java:449)
    at org.apache.axiom.om.impl.dom.DocumentImpl.build(DocumentImpl.java:488)
    at org.apache.rampart.util.Axis2Util.getDocumentFromSOAPEnvelope(Axis2Util.java:134)
    at org.apache.rampart.RampartMessageData.(RampartMessageData.java:158)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:70)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

Any help will be appreciated. Daniel
daniel.silva's picture

axiom-api-1.2.7/1.2.8

The problem is related to the axiom libs. I got the error using axiom-api-1.2.8 and axiom-impl-1.2.8, but everything works fine with the 1.2.7 version of these jars... I'm currently using axis2 1.4.1 with rampart 1.4.
killix's picture

The security token could not be authenticated or authorized

Resolved
vinfang's picture

Example still work with 1.4?

Has anyone tried or know if this example will work with rampart 1.4? Edit: Nevermind, I believe this example works with rampart 1.4, just a few more testing I have to do. Another question I have. Say I have one service with multiple operations (functions). So say A and B for example. Is it possible to make the security policy for the heading apply only for operation A but not B? So operation A requires that you provide the correct security headings, but B doesn't.
vinaysingh's picture

i want to add web securities with spring on net beans

Hi, can anyone tell me how to make an application on NetBeans with Spring implemented with web securities? Can anyone tell me a sample application on that, as I am a newbie to web securities and Spring and I want to try it out.
komp's picture

WSDL 2.0

As others before me, I'd like to thank you for this detailed example and explanation. I'd like to use this example as a template for adding security to a number of services that we are implementing. But, on our project, we are using WSDL 2.0 to describe our services, instead of version 1.1 used in this example. Since the utility wsdl2java accepts specs in either version 1.1 or 2.0, I thought this would not make any difference. Unfortunately, if the spec is written in 2.0, the generated stub does not contain any security policy information. Why is this? Have I overlooked some command line option? Or is it dependent upon where in the WSDL the policy information is included? I have placed the policy element inside the wsdl2:binding element. As a workaround, I have included the security policy in my clients, using the Rampart samples code as a guideline. But this is not what we want. For our purposes, it is definitely better to incorporate the security policy info in the service stub. Thanks for your help! ed
sysmat's picture

Thx for this tutorial, but I

Thanks for this tutorial, but I have an error in the rampart module. I use the JKS from the download source. Error in signature with X509Token .... Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed; nested exception is: java.security.UnrecoverableKeyException: Cannot recover key
techi.anand's picture

Multiple user in Rampart policy based configuration approach ...

Hi Nandana, Thanks for the wonderful tutorial. The above described has been implemented by another party. What they are looking for implementing the multiple user, following this policy based configuration. Can you help me in understanding it more and implementing the requirement? Is it possible to implement multiple user in policy based configuration ? Thanks in advance .. Anand
nandanam's picture

Re: Multiple user in Rampart policy based configuration approach

Hi Anad, I didn't clearly get your requirement. You can easily allow multiple users to access your web service with an appropriate password callback. Please look at the following tutorial. http://wso2.org/library/3733 thanks, nandana
sridhar_ratna's picture

ERROR : the trustAnchors parameter must be non-empty

When I am executing this example with Axis2 1.3, Rampart 1.3 and Java 6, I am getting the following error.

Exception in thread "main" org.apache.axis2.AxisFault: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:417)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:72)
    at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:495)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:520)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:191)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:327)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:206)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:396)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:374)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
    at tutorial.rampart.client.SecureServiceStub.add(SecureServiceStub.java:179)
    at tutorial.rampart.client.SecureServiceCGClient.main(SecureServiceCGClient.java:37)
Caused by: com.ctc.wstx.exc.WstxIOException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:118)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:770)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:68)
    ... 19 more
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1554)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1537)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1463)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:190)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:99)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
    ... 22 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.(PKIXValidator.java:59)
    at sun.security.validator.Validator.getInstance(Validator.java:161)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:108)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:204)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    ... 28 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
    at java.security.cert.PKIXParameters.(PKIXParameters.java:103)
    at java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:87)
    at sun.security.validator.PKIXValidator.(PKIXValidator.java:57)
    ... 40 more
nandanam's picture

Re: ERROR : the trustAnchors parameter must be non-empty

Hi, I have experienced this error when path to the keystore is wrong or keystore password is wrong. Too bad the real reason is not propagated by the PKIXValidator. Please recheck the keystore path and password. thanks, nandana
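A pre-flight check for the cause named in the reply above, as an added example that is not part of the original thread or the tutorial's code: it opens the truststore itself and reports a wrong path, a wrong password or an empty store before the file is handed to JSSE through the javax.net.ssl.trustStore property. The class name, result strings and demo password are assumptions, and the store type is assumed to be JKS.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper class, not part of Axis2, Rampart or the tutorial sources.
public class TrustStorePreflight {

    /** Opens the store the way a client would and names the first problem found. */
    static String diagnose(String path, char[] password) {
        KeyStore ks;
        try (InputStream in = new FileInputStream(path)) {
            ks = KeyStore.getInstance("JKS"); // assumption: the truststore is a JKS file
            ks.load(in, password);            // verifies the integrity hash with the password
        } catch (FileNotFoundException e) {
            return "NOT_FOUND: " + e.getMessage();
        } catch (IOException e) {
            // A wrong password or a corrupted file both surface here.
            return "UNREADABLE: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "UNSUPPORTED: " + e.getMessage();
        }

        // Count the entries that can serve as trust anchors: every alias that
        // carries an X.509 certificate (certificate entries and key entries alike).
        int anchors = 0;
        try {
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.getCertificate(alias) instanceof X509Certificate) {
                    anchors++;
                }
            }
        } catch (GeneralSecurityException e) {
            return "UNREADABLE: " + e.getMessage();
        }
        return anchors == 0
                ? "EMPTY: store opened but holds no certificates"
                : "OK: " + anchors + " certificate(s) available as trust anchors";
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            // Real use: java TrustStorePreflight <truststore path> <password>
            String result = diagnose(args[0], args[1].toCharArray());
            System.out.println(result);
            if (result.startsWith("OK")) {
                System.setProperty("javax.net.ssl.trustStore", args[0]);
                System.setProperty("javax.net.ssl.trustStorePassword", args[1]);
            }
            return;
        }

        // Offline demo on a constructed, empty keystore written to a temp file.
        char[] pw = "demo-password".toCharArray(); // constructed sample value
        File store = File.createTempFile("empty-truststore", ".jks");
        store.deleteOnExit();
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, pw);
        try (OutputStream out = new FileOutputStream(store)) {
            empty.store(out, pw);
        }

        System.out.println(diagnose(store.getPath() + ".missing", pw));        // wrong path
        System.out.println(diagnose(store.getPath(), "wrong".toCharArray()));  // wrong password
        System.out.println(diagnose(store.getPath(), pw));                     // no anchors
    }
}
```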
elzas's picture

Unable to engage module : rampart

Hi, When I try to run the client code, I get the following exception: Exception in thread "main" org.apache.axis2.AxisFault: Unable to engage module : rampart at org.apache.axis2.client.ServiceClient.engageModule(ServiceClient.java:357) I'm reasonably sure that the problem for me has to do with this line: ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("path/to/client/repo", null); The thing is, I don't know what is expected at "path/to/client/repo". Currently I'm pointing it at the root folder of my Rampart 1.4 download, which contains a modules directory with the rampart-1.4.mar. But I guess I need to point it at something else, please advise. Thanks, Elzas
nandanam's picture

Re: Unable to engage module : rampart

Hi, You need to point to a valid axis2 repository. You can find more about Axis2 repository here. http://wso2.org/library/tutorials/axis2-repository thanks, nandana
ranma112004's picture

Securing the Client

Hi... By the way, thank you for this tutorial, it really helps a lot to understand things. I was following it but I got stuck on Steps 3, 4 and 5 of Securing the client. Step 3: I don't know where to include the stub. Step 4: I don't know where to edit the System.setProperty. Step 5: I don't know how to consume the service. I also don't know how to view the SOAP message. I tried using tcpmonitor but I didn't know which port to connect to. I hope you could help me with this. Thank you in advance :) Thank you for your time. Best Regards, Ryan
belkouram's picture

Strange behavior

Thanks for the tutorial. After reading your tutorial, my assumption is that "SecureService" will be listening on HTTPS. However, when I deploy mine, and I check http://localhost:8080/axis2/axis2-admin/listService, I see that it is listening on "http://localhost:8080/axis2/services/SecureService". I try the generated client talking to "http://localhost:8080/axis2/services/SecureService", and it works fine. However, if I change the address to "https://localhost:8843/axis2/services/SecureService" in the client, I get a "connection refused error". Is setting the security policy the only thing to do to secure the service? Or am I missing something else either in the Axis2 or Tomcat config? By the way, tomcat is listening on both 8080 and 8843? Thanks Amine
merlyn's picture

PWCBHandler Class (server side)

Hi Nandana. First of all, thank you so much: with your tutorial I am starting to understand (just a little bit! :)) how I can run an Axis2 client-server system with Rampart. I have some problems now. 1) In my PWCBHandler class (server side) I take RESERVED data from DB; I need these data in my service class (the class containing the method that implements the service). Where can I store these data so that I can use them in my business logic? Is there any data structure in any Axis2 scope that gives me a solution? 2) Could you say how I can access the HTTP request data (e.g. used browser, language, encoding, IP address...)? Is it possible? Thank you in advance for your assistance in this matter and.. sorry for my bad English! :)
aunts.aunts.de's picture

PWCBHandler Class (server side)

Hi merlyn, did you find a solution for getting access to the AxisService or ServiceContext object in the PWCBHandler class (server side)? nandanam explained, no access to MessageContext, got it (only via handler). But what's about the AxisService or ServiceContext object? Thanks so much, Andrew
nandanam's picture

Re: PWCBHandler Class (server side)

Hi Merlyn, 1) Nope, in the password callback handler you don't have access to the Message Context. So the only thing you can get in the service is the authenticated user. You can do that using MessageContext.getCurrentMessageContext().getProperty(RampartMessageData.USERNAME); If you want to get other information as well, you can write a simple Axis2 handler and then you get access to the message context. In the message context you can store the information as properties and later retrieve them within the service. 2) Yes, it is possible. This blog post shows how to do it. thanks, nandana
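A sketch of the handler approach described in the reply above, as an added example that is not code from the thread or from the Rampart distribution. It assumes the handler is registered in an in-flow phase that runs after Rampart's security processing; the class name, the property key and the CallerContext holder are hypothetical.

```java
import java.util.Map;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.rampart.RampartMessageData;

// Hypothetical in-flow handler: copies caller details into one message-context
// property so the service implementation can read them later.
public class CallerContextHandler extends AbstractHandler {

    /** Hypothetical property key, not defined by Axis2 or Rampart. */
    public static final String CALLER_CONTEXT = "tutorial.rampart.callerContext";

    /** Immutable holder for what the service is allowed to see about the caller. */
    public static final class CallerContext {
        public final String user;       // set by Rampart after authentication
        public final String remoteAddr; // reported by the transport
        public final String userAgent;  // client-supplied, untrusted

        CallerContext(String user, String remoteAddr, String userAgent) {
            this.user = user;
            this.remoteAddr = remoteAddr;
            this.userAgent = userAgent;
        }
    }

    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        Object user = msgContext.getProperty(RampartMessageData.USERNAME);
        if (!(user instanceof String)) {
            // Fail closed: either the handler runs before Rampart or the
            // request carried no username token.
            throw new AxisFault("No authenticated user on the message context");
        }

        Object remote = msgContext.getProperty(MessageContext.REMOTE_ADDR);
        Object rawHeaders = msgContext.getProperty(MessageContext.TRANSPORT_HEADERS);
        Object agent = (rawHeaders instanceof Map)
                ? ((Map<?, ?>) rawHeaders).get("User-Agent")
                : null;

        msgContext.setProperty(CALLER_CONTEXT, new CallerContext(
                (String) user,
                remote == null ? null : remote.toString(),
                sanitize(agent)));
        return InvocationResponse.CONTINUE;
    }

    /** Headers are attacker-controlled: strip control characters and cap the length. */
    static String sanitize(Object value) {
        if (value == null) {
            return null;
        }
        String cleaned = value.toString().replaceAll("\\p{Cntrl}", "?");
        return cleaned.length() > 200 ? cleaned.substring(0, 200) : cleaned;
    }

    /** Called from the service implementation while it handles the request. */
    public static CallerContext current() {
        MessageContext mc = MessageContext.getCurrentMessageContext();
        return mc == null ? null : (CallerContext) mc.getProperty(CALLER_CONTEXT);
    }
}
```

Only the user field comes from Rampart's authentication; the remote address and User-Agent are transport data and should not drive authorization decisions.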
pskarthic's picture

have problem : read time out

I followed you through but lastly I got this error: Exception in thread "main" org.apache.axis2.AxisFault: Read timed out
ravik's picture

Getting similar problem

Hi Karthic, Were you able to resolve the Read timed out exception? I am facing a similar problem. Thanks in advance. Ravi
psychorex's picture

Problems with Axis2 1.4 and Rampart 1.4

Hi, first of all I have to say thanks. Your tutorial was a big help to make my first steps in WSS. But now I encountered a problem. I am running a Tomcat 6.0 Server with Axis2 1.4 and Rampart 1.4. I have done all steps of your tutorial but when I start the client, I get the following exception: Exception in thread "main" org.apache.axis2.AxisFault: SOAP header missing at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:512) at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163) at tutorial.rampart.client.SecureServiceStub.add(SecureServiceStub.java:151) at tutorial.rampart.client.SecureServiceCGClient.main(SecureServiceCGClient.java:31) Do you have an idea, where the problem is? Or do I have to use Axis2 and Rampart in version 1.3? I would be thankful for any idea. Greetings PsychoRex
nandanam's picture

Re: Problems with Axis2 1.4 and Rampart 1.4

Hi PsychoRex, I think this is due to the bug AXIS2-3915 in Axis2 1.4 (the good news is this is fixed in Axis2 1.4.1). A possible workaround for this is discussed here in the Axis2 user mailing list. thanks, nandana
psychorex's picture

Hi nandana, I owe you one,

Hi nandana, I owe you one, worked perfectly. Big thanks. Greetings PsychoRex
manjula peiris's picture

Hi Yuan, Currently WSDL2C

Hi Yuan, Currently WSDL2C does not generate stubs for WSDLs with policy. You need to add the following code in your stub code in order to invoke securely with Axis2/C.

    axis2_char_t *policy_file = NULL; /* must point to the client's policy XML file */
    neethi_policy_t *policy = NULL;
    axis2_status_t status = AXIS2_FAILURE;

    /* Build the policy object from the policy file */
    policy = neethi_util_create_policy_from_file(env, policy_file);
    if (!policy)
    {
        /* Report the failure while the file name is still valid */
        printf("\nPolicy creation failed from the file. %s\n",
               policy_file ? policy_file : "(null)");
    }
    if (policy_file)
    {
        AXIS2_FREE(env->allocator, policy_file);
        policy_file = NULL;
    }
    /* Attach the policy to the service client only if it was created */
    if (policy)
    {
        status = axis2_svc_client_set_policy(svc_client, env, policy);
    }

Please see the Rampart/C sample client for more details. If you have any questions please ask them in the WSO2 WSF/C developers list or the Axis2/C user or developer's list.
yuan's picture

Can WSDL2C also generate stub with policy?

Thank you so much for the elaborate tutorial. Following the steps in the tutorial, I am able to add transport level security to my web service and Java test client. I tried to use WSDL2C on the policy annotated WSDL so that my Axis2/C client is able to talk to the now secured web service. But it seems that the generated stub doesn't contain the policy information in the policy annotated WSDL. Therefore it is not able to communicate with the web service. Have I missed anything? The command I used to generate the C stub is: /axis2.sh org.apache.axis2.wsdl.WSDL2C -uri SecureService.wsdl -d adb -u Thank you so much for the help. Yuan