My goal was to make a web service that calls another web service using Soap (SAAJ). User calls my web service and sends XML file (string) which I sign and then send to target web service. Target web service replies with a signed XML whose signature I have to verify in my web service and if everything is well send that reply back to my user. Target web service also requires that I use HTTPS/one way ssl handshake.
Below is the code I wrote and everything worked when I tested it as a regular program. After that I made slight changes and tried to test it as a web service using Eclipse and local Tomcat server and it also worked - I could call methods using WSDL and got results as expected. Here's the problem - I have to deploy my web service on standalone Weblogic (10.3.6) server and it just doesn't work anymore. I followed tutorials for creating web service in JDeveloper and I've deployed it to(both integrated and standalone) server but method calls don't work properly. I suspect the problem is somewhere in Weblogic security and the way it uses certificates, I've added keystore I have to use for ssl handshake to Weblogic keystore configuration but it didn't help.
@WebService
public class Test {
// Keystore containing multiple certificates I am using to sign xml which I send to target web service
private static final String KEY_STORE_TYPE = "JKS";
private static final String KEY_STORE_FILE = "C:\\Certificates\\mycert.jks";
private static final String KEY_STORE_PASS = "mypass";
// Keystore which I use to validate the signed message I receive from target web service
private static final String TARGET_KEY_STORE_TYPE = "JKS";
private static final String TARGET_KEY_STORE_FILE = "C:\\Certificates\\othercert.jks";
private static final String TARGET_KEY_STORE_PASS = "otherpass";
private static final String TARGET_KEY_ALIAS = "othercert";
// Keystore which I use for one way ssl handshake when connecting to target web service
private static final String TRUSTED_STORE_TYPE = "JKS";
private static final String TRUSTED_STORE_FILE = "C:\\Certificates\\truststore.jks";
private static final String TRUSTED_STORE_PASS = "trustpass";
// Target web service which I'm connecting to
private static final String SERVICE_URL = "https://service.i-am.using:1111/AnotherWebService";
// Attribute used in signing xml
private static final String ID = "testId";
// Method which user calls to sign and send his message to target web service which returns signed reply with data. Since there are multiple certificates (for multiple users) in keystore user must supply certificate alias and password
@WebMethod
public String getData(String user_message, String alias, String passwd) {
String reply = "Unexpected error";
SOAPMessage message = null;
try {
message = createSoapMessage(user_message);
message = signMessage(message, alias, passwd);
message = sendSoapMessage(message);
Boolean value = false;
value = verifyMessage(message);
if (value == false) throw new Exception ("Message received from target web service is not correctly signed!");
reply = stringFromSoap(message);
} catch (Exception e) {
reply = "Error! "+e.toString();
}
return reply;
}
// Method for testing whether target web service is available
@WebMethod
public String testResponse(){
String reply = "Unexpected error";
SOAPMessage response = null;
try {
response = createEchoMessage();
// THIS CALL DOESN'T WORK WHEN EVEN WHEN I ADD KEYSTORE TO WEBLOGIC KEYSTORE CONFIGURATION
response = sendSoapMessage(response);
reply = stringFromSoap(response);
} catch (Exception e) {
reply = "Error! "+e.toString();
}
return reply;
}
// Method for creating Soap message used in testResponse method. Implementation is not important, here it is only as a signature.
private SOAPMessage createEchoMessage();
// Method for creating Soap message from string. Implementation is not important, here it is only as a signature.
private SOAPMessage createSoapMessage(String input_msg);
// Method for creating string from Soap message. Implementation is not important, here it is only as a signature.
private String stringFromSoap(SOAPMessage message);
// Method that sends Soap message to target server and receives reply
private SOAPMessage sendSoapMessage(SOAPMessage message) throws Exception {
// Key used for one way ssl
KeyStore keyStore = KeyStore.getInstance(TRUSTED_STORE_TYPE);
keyStore.load(
new FileInputStream(TRUSTED_STORE_FILE),
TRUSTED_STORE_PASS.toCharArray()
);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(keyStore);
SSLContext sslctx = SSLContext.getInstance("SSL");
sslctx.init(null, tmf.getTrustManagers(), null);
HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
SOAPConnectionFactory sfc = SOAPConnectionFactory.newInstance();
SOAPConnection connection = sfc.createConnection();
SOAPMessage response = null;
try{
URL endpoint =
new URL(new URL(SERVICE_URL),
"",
new URLStreamHandler() {
@Override
protected URLConnection openConnection(URL url) {
URLConnection dummy = null;
try{
URL target = new URL(url.toString());
URLConnection connection = target.openConnection();
// Timeout settings
connection.setConnectTimeout(1000); // 1 sec
connection.setReadTimeout(5000); // 5 sec
return(connection);
}
catch (Exception e){
return dummy;
}
}
});
response = connection.call(message, endpoint);
}
catch (Exception e){
throw e;
}
connection.close();
return response;
}
// Method for signing xml
@SuppressWarnings({ "unchecked", "rawtypes", "serial" })
private static SOAPMessage signMessage(SOAPMessage message, String alias, String passwd) throws Exception {
// Read SOAP message
SOAPMessage doc = message;
SOAPPart soapPart = doc.getSOAPPart();
// Find id for signing
Node nodeToSign = null;
Node sigParent = null;
String referenceURI = null;
XPathExpression expr = null;
NodeList nodes;
List transforms = null;
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
expr = xpath.compile(
String.format("//*[@Id='%s']", ID)
);
nodes = (NodeList) expr.evaluate(soapPart, XPathConstants.NODESET);
if (nodes.getLength() == 0) {
throw new Exception("No node with id: " + ID);
}
nodeToSign = nodes.item(0);
sigParent = nodeToSign;
referenceURI = "#" + ID;
// Prepare signature
String providerName = System.getProperty(
"jsr105Provider",
"org.jcp.xml.dsig.internal.dom.XMLDSigRI"
);
final XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance(
"DOM",
(Provider) Class.forName(providerName).newInstance()
);
// Transformations used for signing
transforms = new ArrayList<Transform>(){{
add(sigFactory.newTransform(
Transform.ENVELOPED,
(TransformParameterSpec) null )
);
add(sigFactory.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null
)
);
}};
// Get key for signing
KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
keyStore.load(
new FileInputStream(KEY_STORE_FILE),
KEY_STORE_PASS.toCharArray()
);
PrivateKey privateKey = (PrivateKey) keyStore.getKey(
alias,
passwd.toCharArray()
);
X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
// Create a reference to enveloped document
Reference ref = sigFactory.newReference(
referenceURI,
sigFactory.newDigestMethod(DigestMethod.SHA1, null),
transforms,
null,
null
);
// Create SignedInfo
SignedInfo signedInfo = sigFactory.newSignedInfo(
sigFactory.newCanonicalizationMethod(
CanonicalizationMethod.EXCLUSIVE,
(C14NMethodParameterSpec) null
),
sigFactory.newSignatureMethod(
SignatureMethod.RSA_SHA1,
null
),
Collections.singletonList(ref)
);
// Create KeyInfo
KeyInfoFactory keyinfoFactory = sigFactory.getKeyInfoFactory();
X509IssuerSerial issuer= keyinfoFactory.newX509IssuerSerial(cert.getIssuerX500Principal().getName(), cert.getSerialNumber());
List x509Content = new ArrayList();
x509Content.add(cert);
x509Content.add(cert.getSubjectX500Principal().getName());
x509Content.add(issuer);
X509Data xd = keyinfoFactory.newX509Data(x509Content);
KeyInfo keyInfo = keyinfoFactory.newKeyInfo(Collections.singletonList(xd));
// Create DOMSignContext
DOMSignContext dsc = new DOMSignContext(
privateKey,
sigParent
);
System.out.println(dsc.toString());
// Create XMLSignature
XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyInfo);
// Generate and sign - THIS IS WHERE THE PROGRAM FAILS WHEN I CONVERT IT TO WEBLOGIC WEBSERVICE
signature.sign(dsc);
// Save changes on Soap message
doc.saveChanges();
return doc;
}
// Method used to verify message received from targer server
private Boolean verifyMessage(SOAPMessage message) throws Exception{
Boolean verified = false;
// Create xml from Soap message
SOAPMessage msg = message;
ByteArrayOutputStream out = new ByteArrayOutputStream();
msg.writeTo(out);
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(out.toByteArray()));
// Check whether Signature element exists in XML message
NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,"Signature");
if (nl.getLength() == 0) {
throw new Exception("Signature element doesn't exist!");
}
// Get key which will be used for verification
KeyStore keyStore = KeyStore.getInstance(TARGET_KEY_STORE_TYPE);
keyStore.load(
new FileInputStream(TARGET_KEY_STORE_FILE),
TARGET_KEY_STORE_PASS.toCharArray()
);
X509Certificate cert = (X509Certificate) keyStore.getCertificate(TARGET_KEY_ALIAS);
PublicKey publicKey = cert.getPublicKey();
// Create validation context and signature
DOMValidateContext valContext = new DOMValidateContext(publicKey, nl.item(0));
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
// Check whether the document is properly signed
verified = signature.validate(valContext);
return verified;
}
}
This is the error I get when calling testResponse method:
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl:com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
After I added keystore to Weblogic keystore configuration error message changed to:
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
<S:Body>
<S:Fault>
<S:Code>
<S:Value>S:Receiver</S:Value>
</S:Code>
<S:Reason>
<S:Text xml:lang="en">502 HTTP Analyzer Bad Gateway Connection refused: connect</S:Text>
</S:Reason>
<S:Detail>
<ns2:exception xmlns:ns2="http://jax-ws.dev.java.net/"
class="java.net.ConnectException" note="An exception occured while connecting to https://localhost:7202/test/TestPort.">
<message>Connection refused: connect</message>
<ns2:stackTrace>
<ns2:frame class="java.net.PlainSocketImpl"
file="PlainSocketImpl.java" line="-2" method="socketConnect"/>
<ns2:frame class="java.net.PlainSocketImpl"
file="PlainSocketImpl.java" line="351" method="doConnect"/>
<ns2:frame class="java.net.PlainSocketImpl"
file="PlainSocketImpl.java" line="213" method="connectToAddress"/>
<ns2:frame class="java.net.PlainSocketImpl"
file="PlainSocketImpl.java" line="200" method="connect"/>
<ns2:frame class="java.net.SocksSocketImpl"
file="SocksSocketImpl.java" line="366" method="connect"/>
<ns2:frame class="java.net.Socket"
file="Socket.java" line="529" method="connect"/>
<ns2:frame class="java.net.Socket"
file="Socket.java" line="478" method="connect"/>
<ns2:frame class="java.net.Socket"
file="Socket.java" line="375" method="<init>"/>
<ns2:frame class="java.net.Socket"
file="Socket.java" line="218" method="<init>"/>
<ns2:frame
class="javax.net.DefaultSocketFactory"
file="SocketFactory.java" line="212" method="createSocket"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="3606" method="getSocket"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="4364" method="doConnect"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="3358" method="sendRequest"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="3281" method="handleRequest"/>
<ns2:frame class="HTTPClient.HTTPConnection$9"
file="HTTPConnection.java" line="3032" method="run"/>
<ns2:frame class="HTTPClient.HTTPConnection$9"
file="HTTPConnection.java" line="3023" method="run"/>
<ns2:frame
class="HTTPClient.HttpClientConfiguration"
file="HttpClientConfiguration.java"
line="666" method="doAction"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="5401" method="doAction"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="3023" method="setupRequest"/>
<ns2:frame class="HTTPClient.HTTPConnection"
file="HTTPConnection.java" line="1524" method="ExtensionMethod"/>
<ns2:frame
class="oracle.jdevimpl.webservices.tcpmonitor.config.NetworkAccessRule"
file="NetworkAccessRule.java" line="1403" method="getResponseDefault"/>
<ns2:frame
class="oracle.jdevimpl.webservices.tcpmonitor.config.NetworkAccessRule"
file="NetworkAccessRule.java" line="325" method="getResponse"/>
<ns2:frame
class="oracle.jdevimpl.webservices.tcpmonitor.config.PassThroughRule"
file="PassThroughRule.java" line="135" method="execute"/>
<ns2:frame
class="oracle.jdevimpl.webservices.tcpmonitor.config.Rule"
file="Rule.java" line="473" method="fire"/>
<ns2:frame
class="oracle.jdevimpl.webservices.tcpmonitor.ConnectionHandler"
file="ConnectionHandler.java" line="558" method="getResponse"/>
<ns2:frame
class="oracle.jdevimpl.webservices.tcpmonitor.ConnectionHandler"
file="ConnectionHandler.java" line="412" method="run"/>
<ns2:frame
class="java.util.concurrent.Executors$RunnableAdapter"
file="Executors.java" line="441" method="call"/>
<ns2:frame
class="java.util.concurrent.FutureTask$Sync"
file="FutureTask.java" line="303" method="innerRun"/>
<ns2:frame
class="java.util.concurrent.FutureTask"
file="FutureTask.java" line="138" method="run"/>
<ns2:frame
class="java.util.concurrent.ThreadPoolExecutor$Worker"
file="ThreadPoolExecutor.java" line="886" method="runTask"/>
<ns2:frame
class="java.util.concurrent.ThreadPoolExecutor$Worker"
file="ThreadPoolExecutor.java" line="908" method="run"/>
<ns2:frame class="java.lang.Thread"
file="Thread.java" line="662" method="run"/>
</ns2:stackTrace>
</ns2:exception>
</S:Detail>
</S:Fault>
</S:Body>
I get following error message when calling getData method:
<S:Envelope>
<S:Body>
<S:Fault>
<faultcode>S:Server</faultcode>
<faultstring>UNIMPLEMENTED</faultstring>
<detail>
<ns2:exception class="java.lang.AssertionError" note="To disable this feature, set com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace system property to false">
<message>UNIMPLEMENTED</message>
<ns2:stackTrace>
<ns2:frame class="weblogic.xml.domimpl.DocumentImpl" file="DocumentImpl.java" line="407" method="getElementById" />
<ns2:frame class="com.sun.org.apache.xml.internal.security.utils.IdResolver" file="IdResolver.java" line="146" method="getElementByIdUsingDOM" />
<ns2:frame class="com.sun.org.apache.xml.internal.security.utils.IdResolver" file="IdResolver.java" line="113" method="getElementById" />
<ns2:frame class="com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment" file="ResolverFragment.java" line="92" method="engineResolve" />
<ns2:frame class="com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver" file="ResourceResolver.java" line="263" method="resolve" />
<ns2:frame class="org.jcp.xml.dsig.internal.dom.DOMURIDereferencer" file="DOMURIDereferencer.java" line="95" method="dereference" />
<ns2:frame class="org.jcp.xml.dsig.internal.dom.DOMReference" file="DOMReference.java" line="370" method="dereference" />
<ns2:frame class="org.jcp.xml.dsig.internal.dom.DOMReference" file="DOMReference.java" line="304" method="digest" />
<ns2:frame class="org.jcp.xml.dsig.internal.dom.DOMXMLSignature" file="DOMXMLSignature.java" line="470" method="digestReference" />
<ns2:frame class="org.jcp.xml.dsig.internal.dom.DOMXMLSignature" file="DOMXMLSignature.java" line="366" method="sign" />
<ns2:frame class="test.WebServis" file="WebServis.java" line="391" method="signMessage" />
<ns2:frame class="test.WebServis" file="WebServis.java" line="117" method="getJIR" />
<ns2:frame class="sun.reflect.NativeMethodAccessorImpl" file="NativeMethodAccessorImpl.java" line="native" method="invoke0" />
<ns2:frame class="sun.reflect.NativeMethodAccessorImpl" file="NativeMethodAccessorImpl.java" line="57" method="invoke" />
<ns2:frame class="sun.reflect.DelegatingMethodAccessorImpl" file="DelegatingMethodAccessorImpl.java" line="43" method="invoke" />
<ns2:frame class="java.lang.reflect.Method" file="Method.java" line="601" method="invoke" />
<ns2:frame class="weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker" file="WLSInstanceResolver.java" line="92" method="invoke" />
<ns2:frame class="weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker" file="WLSInstanceResolver.java" line="74" method="invoke" />
<ns2:frame class="com.sun.xml.ws.server.InvokerTube$2" file="InvokerTube.java" line="151" method="invoke" />
<ns2:frame class="com.sun.xml.ws.server.sei.EndpointMethodHandlerImpl" file="EndpointMethodHandlerImpl.java" line="268" method="invoke" />
<ns2:frame class="com.sun.xml.ws.server.sei.SEIInvokerTube" file="SEIInvokerTube.java" line="100" method="processRequest" />
<ns2:frame class="com.sun.xml.ws.api.pipe.Fiber" file="Fiber.java" line="866" method="__doRun" />
<ns2:frame class="com.sun.xml.ws.api.pipe.Fiber" file="Fiber.java" line="815" method="_doRun" />
<ns2:frame class="com.sun.xml.ws.api.pipe.Fiber" file="Fiber.java" line="778" method="doRun" />
<ns2:frame class="com.sun.xml.ws.api.pipe.Fiber" file="Fiber.java" line="680" method="runSync" />
<ns2:frame class="com.sun.xml.ws.server.WSEndpointImpl$2" file="WSEndpointImpl.java" line="403" method="process" />
<ns2:frame class="com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit" file="HttpAdapter.java" line="539" method="handle" />
<ns2:frame class="com.sun.xml.ws.transport.http.HttpAdapter" file="HttpAdapter.java" line="253" method="handle" />
<ns2:frame class="com.sun.xml.ws.transport.http.servlet.ServletAdapter" file="ServletAdapter.java" line="140" method="handle" />
<ns2:frame class="weblogic.wsee.jaxws.WLSServletAdapter" file="WLSServletAdapter.java" line="171" method="handle" />
<ns2:frame class="weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke" file="HttpServletAdapter.java" line="708" method="run" />
<ns2:frame class="weblogic.security.acl.internal.AuthenticatedSubject" file="AuthenticatedSubject.java" line="363" method="doAs" />
<ns2:frame class="weblogic.security.service.SecurityManager" file="SecurityManager.java" line="146" method="runAs" />
<ns2:frame class="weblogic.wsee.util.ServerSecurityHelper" file="ServerSecurityHelper.java" line="103" method="authenticatedInvoke" />
<ns2:frame class="weblogic.wsee.jaxws.HttpServletAdapter$3" file="HttpServletAdapter.java" line="311" method="run" />
<ns2:frame class="weblogic.wsee.jaxws.HttpServletAdapter" file="HttpServletAdapter.java" line="336" method="post" />
<ns2:frame class="weblogic.wsee.jaxws.JAXWSServlet" file="JAXWSServlet.java" line="99" method="doRequest" />
<ns2:frame class="weblogic.servlet.http.AbstractAsyncServlet" file="AbstractAsyncServlet.java" line="99" method="service" />
<ns2:frame class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="820" method="service" />
<ns2:frame class="weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction" file="StubSecurityHelper.java" line="227" method="run" />
<ns2:frame class="weblogic.servlet.internal.StubSecurityHelper" file="StubSecurityHelper.java" line="125" method="invokeServlet" />
<ns2:frame class="weblogic.servlet.internal.ServletStubImpl" file="ServletStubImpl.java" line="301" method="execute" />
<ns2:frame class="weblogic.servlet.internal.TailFilter" file="TailFilter.java" line="26" method="doFilter" />
<ns2:frame class="weblogic.servlet.internal.FilterChainImpl" file="FilterChainImpl.java" line="56" method="doFilter" />
<ns2:frame class="oracle.security.jps.ee.http.JpsAbsFilter$1" file="JpsAbsFilter.java" line="119" method="run" />
<ns2:frame class="java.security.AccessController" file="AccessController.java" line="native" method="doPrivileged" />
<ns2:frame class="oracle.security.jps.util.JpsSubject" file="JpsSubject.java" line="315" method="doAsPrivileged" />
<ns2:frame class="oracle.security.jps.ee.util.JpsPlatformUtil" file="JpsPlatformUtil.java" line="442" method="runJaasMode" />
<ns2:frame class="oracle.security.jps.ee.http.JpsAbsFilter" file="JpsAbsFilter.java" line="103" method="runJaasMode" />
<ns2:frame class="oracle.security.jps.ee.http.JpsAbsFilter" file="JpsAbsFilter.java" line="171" method="doFilter" />
<ns2:frame class="oracle.security.jps.ee.http.JpsFilter" file="JpsFilter.java" line="71" method="doFilter" />
<ns2:frame class="weblogic.servlet.internal.FilterChainImpl" file="FilterChainImpl.java" line="56" method="doFilter" />
<ns2:frame class="oracle.dms.servlet.DMSServletFilter" file="DMSServletFilter.java" line="139" method="doFilter" />
<ns2:frame class="weblogic.servlet.internal.FilterChainImpl" file="FilterChainImpl.java" line="56" method="doFilter" />
<ns2:frame class="weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction" file="WebAppServletContext.java" line="3730" method="wrapRun" />
<ns2:frame class="weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction" file="WebAppServletContext.java" line="3696" method="run" />
<ns2:frame class="weblogic.security.acl.internal.AuthenticatedSubject" file="AuthenticatedSubject.java" line="321" method="doAs" />
<ns2:frame class="weblogic.security.service.SecurityManager" file="SecurityManager.java" line="120" method="runAs" />
<ns2:frame class="weblogic.servlet.internal.WebAppServletContext" file="WebAppServletContext.java" line="2273" method="securedExecute" />
<ns2:frame class="weblogic.servlet.internal.WebAppServletContext" file="WebAppServletContext.java" line="2179" method="execute" />
<ns2:frame class="weblogic.servlet.internal.ServletRequestImpl" file="ServletRequestImpl.java" line="1490" method="run" />
<ns2:frame class="weblogic.work.ExecuteThread" file="ExecuteThread.java" line="256" method="execute" />
<ns2:frame class="weblogic.work.ExecuteThread" file="ExecuteThread.java" line="221" method="run" />
</ns2:stackTrace>
</ns2:exception>
</detail>
</S:Fault>
</S:Body>
I've read some Weblogic documentation regarding web services and security but it seems I can't see the wood for the trees. I would be very grateful if somebody could give me a few pointers. Also, as a last resort, would it help if I rewrote code using Axis2 and could such web service be deployed to Weblogic successfully?