[ 
https://issues.apache.org/jira/browse/CXF-5525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986091#comment-13986091
 ] 

Jakub Neubauer edited comment on CXF-5525 at 4/30/14 9:13 PM:
--------------------------------------------------------------

I think the first byte will not be enough; at least the first line is necessary, so 
that the server can know the request URL and can decide if it will trigger the 
renegotiation.
But I didn't test whether the first line of the request is enough specifically for 
IIS. The fact that it is enough theoretically doesn't mean that IIS behaves 
so. But hopefully yes.


was (Author: jakub.neubauer):
I think the first byte will not be enough; at least the first line is necessary, so 
that the server can know the request URL and can decide if it will trigger the 
renegotiation.

> Client - UntrustedURLConnectionIOException even the HTTPS established with 
> client certificate auth
> --------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5525
>                 URL: https://issues.apache.org/jira/browse/CXF-5525
>             Project: CXF
>          Issue Type: Bug
>         Environment: java 1.6.0_45 and 1.7.0_45 on Windows 8, CXF version 
> 2.7.6
>            Reporter: Jakub Neubauer
>
> Hi,
> I'm facing an issue with the CXF client. I have a Java client generated from WSDL. 
> The WSDL contains RequireClientCertificate="true" in the Policy. I'm calling 
> a web service over HTTPS with client certificate authentication. Although the 
> HTTPS connection is established with client certificate authentication 
> (ensured with -Djavax.net.debug=all), calling a WS method throws an exception.
> The strange thing is that the first call succeeded and the second and all 
> other calls fail with this exception (!). The other calls can be done with 
> the same client object or with a newly created one, it doesn't matter. The 
> client object is created as follows:
> {code}
> // our custom ssl settings, with client cert auth in this case.
> SSLSocketFactory sslSockF = createSSLSocketFactoryFromProperties(_properties);
> ProductionService service = new ProductionService(
>          new URL(myURL),
>          new QName("http://mycompany.com/api/productionService", "ProductionService"));
> port = service.getBasicHttpBindingIProductionService();
> Client client = ClientProxy.getClient(port);
> HTTPConduit http = (HTTPConduit) client.getConduit();
> TLSClientParameters tlsParams = new TLSClientParameters();
> tlsParams.setDisableCNCheck(true);
> tlsParams.setSSLSocketFactory(sslSockF);
> http.setTlsClientParameters(tlsParams);
> return port;
> {code}
> The exception:
> {noformat}
> -----------------------------
> etc...
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://192.168.101.14/myApplication/services/ProductionService.svc: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
>  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
>  at java.lang.reflect.Constructor.newInstance(Unknown Source)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
>  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
>  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>  at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>  ... 14 more
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>  at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:117)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1680)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1264)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
>  at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
>  at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>  at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
>  ... 24 more
> -----------------------------
> {noformat}


