
We have exposed a webservice deployed on a Tomcat instance which is behind the Load Balancer. The Load-Balancer only allows the HTTPS traffic but the Jax-ws End-point points to the HTTP WSDL url instead of the HTTPS. When the Client access the Loadbalancer HTTPS URL it gets re-directed to HTTP and since the traffic is HTTP is blocked on LB, The client gets an error as WSDL is Inaccessible.

Is there any configuration in the sun-jaxws.xml or the webservice annotation to specify to tell the JAX-WS to expose the HTTPS url instead of HTTP.

Below is my Configuration:

sun-jaxws.xml:

<?xml version="1.0" encoding="UTF-8"?>
<endpoints
    xmlns='http://java.sun.com/xml/ns/jax-ws/ri/runtime'
    version='2.0'>
    <!-- Only the path is configured here; the scheme and port in the generated WSDL are taken from the incoming request -->
    <endpoint
        name='/TestService'
        implementation='com.test.service.TestServiceImpl'
        url-pattern='/TestService' />
</endpoints>

Annotation Config On WebService Impl class:

package com.test.service;

import javax.jws.HandlerChain;
import javax.jws.WebService;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.ws.soap.MTOM;

// Code-first endpoint: JAX-WS generates the WSDL (including soap:address) from this class at runtime
@WebService(serviceName = "TestServiceImpl",
    portName = "TestService",
    endpointInterface = "com.test.service.TestService",
    targetNamespace = "http://test.com"
)
@HandlerChain(file = "handlers.xml")
@MTOM
@XmlAccessorType(XmlAccessType.PROPERTY)
public class TestServiceImpl implements TestService {
    // Implementation of the operations declared in com.test.service.TestService
}

WebService End-Point: please see the HTTPS protocol in the browser and HTTP in the WSDL location URL. I have removed the service name and URLs for security reasons.

It would be great if someone can point me in the right direction.

Please read the comments too for the solution in different scenarios.

John
  • Have you tried pointing to the SSL version of the WSDL, as in, instead of creating the client based on http://server:port/web_service?WSDL, use https://server:ssl_port/web_service?WSDL? The SSL version of the WSDL should be created automatically when you deploy the WS (if the server's SSL is configured). – Xargos Mar 25 '13 at 07:57
  • I am pointing to the HTTPS URL of the load balancer, but as you can see in the above picture the WSDL URL is pointing to HTTP. – John Mar 25 '13 at 13:41

2 Answers

I wouldn't suggest that approach - a much better option is to terminate the SSL communication on the load balancer and have plain HTTP between the load balancer and your server (unless you also need to protect the traffic between the balancer and the server, but I doubt it). Namely, you don't have to set up SSL in two places and have double headaches when something doesn't work as it should. Therefore, first try to configure the load balancer that way. Additionally, you'll have to manually rewrite the <soap:address location=".."> tag in the WSDL (add the HTTPS address, of course) and generate the WS client from the locally stored WSDL.

If you still want to set up SSL on Tomcat, then you'll first have to set up a keystore - your "database" of keys and certificates. There are many tutorials on the Web on how to do it, one is here. Then, you need to change Tomcat's server.xml file by adding this snippet:

<!-- HTTPS connector for Tomcat's server.xml; replace the placeholders with your keystore path and password -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="<PATH-TO-KEYSTORE>" keystorePass="<YOUR-KEYSTORE-PASSWORD>"
           clientAuth="false" sslProtocol="TLS"/>

Finally, you need to specify that your Web service redirects all HTTP requests to the HTTPS listener - but in the web.xml file, not in sun-jaxws.xml:

<!-- web.xml: the user-data-constraint must sit inside a security-constraint that names the protected URL pattern -->
<security-constraint>
    <web-resource-collection><web-resource-name>TestService</web-resource-name><url-pattern>/TestService</url-pattern></web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Restart Tomcat and that should do it.

Miljen Mikic
  • As you mentioned, I don't want SSL communication between the load balancer and the server; I have only plain HTTP communication between the LB and the server. But when I access the HTTPS URL of the load balancer, e.g. https://myloadbalalncer/Application/TestService, the end-point page which gets generated from JAX-WS has a WSDL URL that points to the HTTP URL of the load balancer, and since HTTP is disabled from the client to the LB, the client gets an "Inaccessible WSDL" error. – John Mar 25 '13 at 13:40
  • @John It seems that the balancer in your case just redirects the traffic to the HTTP port. A load balancer, if properly configured, should be transparent and the client should be unaware of its existence. Try to configure it differently: either just pass HTTPS through to the server (in which case you need to enable SSL on Tomcat), or (better) terminate the SSL connection and communicate with the server using plain HTTP - not just redirect traffic to HTTP like in your case currently. – Miljen Mikic Mar 25 '13 at 15:17
  • Hi Miljen, we need to implement your first suggestion: HTTPS between the client and the LB, and HTTP between the LB and the server. But we have the same problem that John has. The WSDL descriptor points to HTTP instead of HTTPS, therefore the "second" call from the client goes to http://... so it doesn't work. If you can give an example of how to implement your first suggestion I'll really appreciate it. – gguardin Mar 26 '13 at 01:02
  • @Milijen, thanks for your fast response. But the problem is that I'm using annotations to configure the WS, so I don't have a WSDL file to change. Is there a way to edit it in this case? – gguardin Mar 26 '13 at 17:05
  • @MiljenMikic Sorry for the late update, I was pulled into a different task. I resolved my issue by changing the client implementation as discussed in the following link: [link](http://stackoverflow.com/questions/13702022/calling-web-service-that-sits-on-a-load-balancer-with-jax-ws-returns-at-http-sta) but I am still not sure if this is the right approach. As you mentioned in your first comment, we are using the Amazon console and we have the HTTP protocol between the LB and the server. I don't know if using the HTTP protocol would be equal to terminating the SSL connection? – John Mar 26 '13 at 22:13
  • @MiljenMikic I would like to give half the points for your answer and half the points to this link [link](http://stackoverflow.com/questions/13702022/calling-web-service-that-sits-on-a-load-balancer-with-jax-ws-returns-at-http-sta); how can I do this? – John Mar 26 '13 at 22:14
  • @gguardin Yes, there is. You've created your Web service with the code-first approach, but you can still generate the WSDL from the Web service. All standard IDEs (Eclipse, Netbeans etc.) have that option, just search for it depending on the IDE you are using. When you have the WSDL, manually change the mentioned line and send the WSDL to the client so the client can generate stubs from the locally stored WSDL. – Miljen Mikic Mar 27 '13 at 07:23
  • @John Yes, that's equal. If you are using HTTP between the LB and the server, that means that you terminated the SSL connection on the balancer, and that's the best approach. Regarding the points, you can upvote the answer on that link, and upvote/accept my answer if you consider it helpful. – Miljen Mikic Mar 27 '13 at 07:25
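The "rewrite the soap:address in a locally stored WSDL" step from the answer and its comments, as an added example that is not part of the original post. The WSDL below is constructed with a placeholder host; the script flags every soap:address (SOAP 1.1 or 1.2) still advertising plain http and rewrites it to https on the load balancer's port, leaving addresses that are already https untouched.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# soap:address lives in the SOAP 1.1 or the SOAP 1.2 WSDL binding namespace.
ADDRESS_TAGS = {
    "{http://schemas.xmlsoap.org/wsdl/soap/}address",
    "{http://schemas.xmlsoap.org/wsdl/soap12/}address",
}
# Keep the usual prefixes when the rewritten WSDL is serialised again.
ET.register_namespace("", "http://schemas.xmlsoap.org/wsdl/")
ET.register_namespace("soap", "http://schemas.xmlsoap.org/wsdl/soap/")
ET.register_namespace("soap12", "http://schemas.xmlsoap.org/wsdl/soap12/")

# Constructed sample: the address a code-first JAX-WS endpoint serves when Tomcat
# only ever sees plain HTTP from the balancer. "myloadbalancer" is a placeholder host.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://test.com" targetNamespace="http://test.com">
  <service name="TestServiceImpl">
    <port name="TestService" binding="tns:TestServiceBinding">
      <soap:address location="http://myloadbalancer/Application/TestService"/>
    </port>
  </service>
</definitions>"""


def find_http_addresses(wsdl_text):
    """Return the soap:address locations that would send the client to plain http."""
    root = ET.fromstring(wsdl_text)
    return [el.get("location") for el in root.iter()
            if el.tag in ADDRESS_TAGS
            and urlsplit(el.get("location", "")).scheme == "http"]


def rewrite_to_https(wsdl_text, https_port=443):
    """Rewrite every plain-http soap:address to https on https_port; return the new WSDL text."""
    root = ET.fromstring(wsdl_text)
    for el in root.iter():
        if el.tag not in ADDRESS_TAGS:
            continue
        parts = urlsplit(el.get("location", ""))
        if parts.scheme != "http":
            continue  # already https (or something unexpected): leave it alone
        netloc = "%s:%d" % (parts.hostname, https_port)
        el.set("location", urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("plain-http addresses:", find_http_addresses(SAMPLE_WSDL))
    print(rewrite_to_https(SAMPLE_WSDL))
```

Run it over the WSDL exported from your IDE, then hand the rewritten file to the client so wsimport (or its equivalent) generates stubs from the local copy instead of the endpoint's own WSDL.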

An alternative is to add a line like this to Tomcat's "server.xml" file:

<!-- Plain-HTTP connector the load balancer talks to; scheme and proxyPort describe the public HTTPS side -->
<Connector URIEncoding="UTF-8" port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" scheme="https" proxyPort="443"
           redirectPort="8443" />

And point the LB, in this case, to port 8080 using HTTP.

This will work when the client connects to the LB using HTTPS on port 443 and the LB connects to the server using HTTP on port 8080. In that case the WSDL returns

<soap:address location="https://www.yoursite.com:443/...">

The important things there are:

scheme: Set this attribute to the name of the protocol you wish to have returned by calls to **request.getScheme()**. For example, you would set this attribute to "https" for an SSL Connector. The default value is "http".

proxyPort: If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to **request.getServerPort()**.

Both methods in bold are used by JAX-WS to build the soap:address.

Thanks to Chino, who helped us with this!

gguardin
  • Interesting. When we redirect to port 8443, should the Connector config for 8443 include the keystore and alias name, e.g. like this: – John Mar 29 '13 at 18:34
  • You just need that line; there's no need to add another connector on port 8443, since there won't be a request that needs to force SSL to the server, and therefore that redirect won't be called. – gguardin Mar 31 '13 at 19:12