This is a question in connection with my question here. When I tried to add SSL with a self-signed certificate, I got the following error.

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is javax.xml.ws.soap.SOAPFaultException: Error reading XMLStreamReader.
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

javax.xml.ws.soap.SOAPFaultException: Error reading XMLStreamReader.
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
$Proxy107.getEmployee(Unknown Source)
org.samith.web.controller.FrontController.frontRequestHandler(FrontController.java:27)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
com.ctc.wstx.sr.StreamScanner.throwUnexpectedEOF(StreamScanner.java:682)
com.ctc.wstx.sr.BasicStreamReader.handleEOF(BasicStreamReader.java:2090)
com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:1996)
com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1100)
com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1123)
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:122)
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:60)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:755)
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2335)
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2193)
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2037)
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:697)
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
$Proxy107.getEmployee(Unknown Source)
org.samith.web.controller.FrontController.frontRequestHandler(FrontController.java:27)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

And my client configuration file has this XML segment:

<http-conf:conduit name="*.http-conduit">
    <http-conf:tlsClientParameters secureSocketProtocol="SSL">
        <sec:keyManagers keyPassword="*****">
            <sec:keyStore type="JKS" password="welcome" file="full_path_to_employee_auth.jks" />
        </sec:keyManagers>
    </http-conf:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http-conf:conduit>

I added the reference to the conf/server.xml Tomcat file with the correct path to the employee_auth.jks file. By the way, the web.xml file on the service side has this entry:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted web services</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <!-- require SSL -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Client-server communication works very well when SSL is not enabled on the service side. I am researching this to get the hang of CXF. Any help will be appreciated.

nash

1 Answer

It's the self-signed certificate causing your software indigestion; the two sides are failing to do a full SSL handshake and that's making things fall apart before the SOAP message is transferred.

You need to tell the client to trust the self-signed certificate, i.e., you need to add it to the trustManagers, and not the keyManagers (that's where you'd put the identity for the client to use to prove who it is to the server). You probably also need to disable the check for whether the server's CN matches the desired address, via:

<http-conf:tlsClientParameters disableCNCheck="true" />

But be aware that this is potentially dangerous.

Ultimately, you're best off getting a proper CA-signed host certificate instead, as that's far less hassle than getting every damn client working with half-assed security. Single host certificates are very cheap (possibly even free to you; your organization – like mine – might have an existing deal in place).

Donal Fellows
  • You probably need to read quite a lot of that documentation link. It's quite long, alas, but it is absolutely the place to go for these sorts of things. – Donal Fellows Aug 02 '11 at 10:52
  • If I am correct, adding the disableCNcheck parameter deactivates HTTPS validation for localhost. Is that true? I added the disableCNcheck parameter but I still get the same error – nash Aug 02 '11 at 11:35
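
Added example, not part of the original question or answer: a complete CXF client configuration that puts the server's self-signed certificate in trustManagers, as the answer describes, while leaving the hostname check enabled. The truststore path and password are placeholders, and the file is assumed to contain only the server's exported public certificate whose CN matches the host in the endpoint URL.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd">

    <http-conf:conduit name="*.http-conduit">
        <!-- disableCNCheck is not set, so it keeps its default of false and
             the client still verifies that the certificate matches the host
             it connects to. -->
        <http-conf:tlsClientParameters secureSocketProtocol="TLS">

            <!-- trustManagers: the certificates this client accepts from the
                 server. The JKS file below is a placeholder; it should hold
                 only the server's public certificate, never its private key. -->
            <sec:trustManagers>
                <sec:keyStore type="JKS"
                              password="TRUSTSTORE_PASSWORD_PLACEHOLDER"
                              file="/path/to/client_truststore.jks"/>
            </sec:trustManagers>

            <!-- keyManagers is omitted on purpose: it holds the client's own
                 identity and is needed only when the server asks for a client
                 certificate. Pointing it at the server's keystore does not
                 make the client trust the server. -->
        </http-conf:tlsClientParameters>

        <http-conf:client AutoRedirect="true" Connection="Keep-Alive"/>
    </http-conf:conduit>
</beans>
```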