
I'm using WSIT to create a webservice client with some security enhancements. To justify some deployment specifications I had to use the callback mechanism for keystore loading:

<wsp:Policy wsu:Id="WSPortBindingPolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- define a keystore and truststore with the ith certificates for ssl encrypted connections -->
            <sc:KeyStore wspp:visibility="private" callbackHandler="webservice.auth.KeyStoreHandler" />
            <sc:TrustStore wspp:visibility="private" callbackHandler="webservice.auth.KeyStoreHandler"/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Now, according to my log files, the KeyStore handler is correctly instantiated, but it is never called for keystore creation. That means the callback method 'handle(Callback[] callbacks)' is never called. Can someone please give me some hints on how to better analyse the problem?

The call stack of the instantiation indicates that the policy is correctly parsed and set up. But during the SSL handshake the callbacks are not triggered.

INFO: WSP5018: WSIT-Konfiguration wurde aus Datei geladen: jar:file:/C:/app.jar!/META-INF/wsit-client.xml.
11:22:08,753 DEBUG [AWT-EventQueue-0] webservice.auth.KeyStoreHandler () : instantiate KeyStoreHandlerjava.lang.Exception
at webservice.auth.KeyStoreHandler.<init>(KeyStoreHandler.java:60)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.initNewInstances(DefaultCallbackHandler.java:2022)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.<init>(DefaultCallbackHandler.java:344)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.configureClientHandler(SecurityClientTube.java:823)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.<init>(SecurityClientTube.java:180)
at com.sun.xml.wss.provider.wsit.SecurityTubeFactory.createTube(SecurityTubeFactory.java:275)
at com.sun.xml.ws.assembler.TubeCreator.createTube(TubeCreator.java:85)
at com.sun.xml.ws.assembler.MetroTubelineAssembler.createClient(MetroTubelineAssembler.java:137)
at com.sun.xml.ws.client.Stub.createPipeline(Stub.java:328)
at com.sun.xml.ws.client.Stub.<init>(Stub.java:297)
at com.sun.xml.ws.client.Stub.<init>(Stub.java:239)
at com.sun.xml.ws.client.Stub.<init>(Stub.java:254)
at com.sun.xml.ws.client.sei.SEIStub.<init>(SEIStub.java:92)
at com.sun.xml.ws.client.WSServiceDelegate.getStubHandler(WSServiceDelegate.java:746)
at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:724)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:408)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:384)
at javax.xml.ws.Service.getPort(Service.java:175)
Johann Sonntagbauer
  • Have you seen that your constructor of the `KeyStoreHandler` throws an Exception? – Uwe Plonus Jun 17 '13 at 09:49
  • The constructor doesn't throw an exception; the exception is only logged for debugging purposes. I wanted to find out which tube instances set up the callback. Because of the fact that a SecurityClientTube is holding the callback, the keystore callback should be called for retrieval of the client certificate, but it isn't :( – Johann Sonntagbauer Jun 17 '13 at 10:55
  • What's your choice of security mechanism: http://docs.oracle.com/cd/E17802_01/webservices/webservices/interop/reference/tutorials/doc/SecurityProfiles4.html#wp129545 - Mutual Certs? Note the keystore discrepancy between table 6.2 and table 7.1: http://docs.oracle.com/cd/E17802_01/webservices/webservices/interop/reference/tutorials/doc/ClientSecurity3.html – Glen Best Jun 27 '13 at 01:56
  • i.e. in a couple of cases server (table 6.2) gets different keystore/trust store configuration to client (table 7.1). Could you provide your full WSDL? – Glen Best Jun 27 '13 at 02:02

2 Answers

Some hints on how to better analyse the problem:

  1. Enable Level.FINE for the logger com.sun.xml.wss.logging; you should see some helpful messages from DefaultCallbackHandler.

  2. Set a breakpoint on the DefaultCallbackHandler#getKeyStoreUsingCallback(Map runtimeProps) and getPrivateKey(Map runtimeProps, String alias) methods. I guess they are not called at all. Maybe SSL is not initialized at all?

  3. To debug SSL, set the system property javax.net.debug=ssl. Then you will see what exactly happens. You can find more info here: Debugging SSL/TLS Connections.

If you provide the output then maybe we will be able to help you.

zacheusz

To justify some deployment specifications I had to use the callback mechanism for keystore loading

You use the keystore callback mechanism to avoid providing a cleartext keystore key/password.

  1. Understand your chosen Security Mechanism, and whether the keystore is used on the server/client:

    Keystore is used on the server for these security mechanisms:

    • Username Auth. w/Symmetric Keys
    • Mutual Certs.
    • SAML Auth. over SSL
    • Endorsing Cert.
    • SAML Sender Vouches with Cert.
    • SAML Holder of Key

    Keystore is used on the client for these security mechanisms:

    • Mutual Certs.
    • Transport Sec.
    • Message Auth. over SSL - Username Token
    • Message Auth. over SSL - X.509 Token
    • SAML Auth. over SSL
    • Endorsing Cert.
    • SAML Sender Vouches with Cert.
    • SAML Holder of Key
    • STS Issued Token
    • STS Issued Token with Service Cert.
    • STS Issued Endorsing Token

  2. Understand your app server/container and Java EE version, and whether the keystore is used:

  3. Understand your client implementation, and whether the keystore is used:

Further steps can be added, if further details of your setup/configuration are provided.

Glen Best
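A keystore callback handler in the shape both answers point at: it logs every callback type it receives under Level.FINE (the check zacheusz's first hint is about, so a silent handler is visible in the log) and loads the keystore without a cleartext password in the policy file (what Glen Best's answer describes). This is an added example, not the asker's KeyStoreHandler or Metro's own code; the com.sun.xml.wss.impl.callback.KeyStoreCallback class with its setKeystore method, the system property name and the environment variable name are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import com.sun.xml.wss.impl.callback.KeyStoreCallback;

// Added example; KeyStoreCallback is assumed to be Metro/WSIT's com.sun.xml.wss.impl.callback.KeyStoreCallback.
public class KeyStoreHandler implements CallbackHandler {
    private static final Logger LOG = Logger.getLogger(KeyStoreHandler.class.getName());

    // Hypothetical settings: path from a system property, password from the environment, nothing in wsit-client.xml.
    private static final String PATH_PROP = "client.keystore.path";
    private static final String PASSWORD_ENV = "CLIENT_KEYSTORE_PASSWORD";

    @Override
    public void handle(Callback[] callbacks) throws IOException {
        for (Callback cb : callbacks) {
            // Log every callback type that arrives. If this never shows up under
            // Level.FINE, the security tube is not consulting the handler at all.
            LOG.log(Level.FINE, "received callback {0}", cb.getClass().getName());
            if (cb instanceof KeyStoreCallback) {
                ((KeyStoreCallback) cb).setKeystore(loadKeyStore());
            } else {
                // Other callbacks (e.g. for the private key) may be routed here too; only logged in this example.
                LOG.log(Level.WARNING, "unhandled callback {0}", cb.getClass().getName());
            }
        }
    }

    private KeyStore loadKeyStore() throws IOException {
        String path = System.getProperty(PATH_PROP);
        String password = System.getenv(PASSWORD_ENV);
        if (path == null || password == null) {
            throw new IOException(PATH_PROP + " or " + PASSWORD_ENV + " is not set");
        }
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password.toCharArray());
            return ks;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot load keystore from " + path, e);
        }
    }
}
```

Run the client with -Djavax.net.debug=ssl and com.sun.xml.wss.logging at FINE as the first answer suggests; if neither the "received callback" line nor any DefaultCallbackHandler keystore lookup appears, the chosen security mechanism is not using a client keystore at all.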