So after a week, I finally gave up on using webservice extensions to secure my webservice and now am trying to secure it with certificates. Before I even mess with my actual webservice, I'm trying to prove that it can even be done by getting it working with a simple webservice that has an echo method. To test that it is secure, I'm using a web browser to access the WSDL. I will know that it is properly secured when:
1. the browser is given some sort of "unauthorized" message like "access denied" or "an untrusted certificate was given" before configuring the webservice server to trust a client certificate that I create and install on the browser. And...
2. The browser can fetch the WSDL after I install the above-mentioned certificate and configure the webservice server to trust said certificate.
Before trying to set this up, I'll note the following:
* I have ant, jdk1.5, and jdk1.6 installed.
* I have netbeans 5.5.1 release installed
* JAVA_HOME is set to C:\Program Files\Java\jdk1.6.0\jre
* AS_HOME is set to c:\sun\glassfish
* my path includes c:\program files\java\jdk1.6.0\bin and c:\sun\glassfish\bin
Here is my procedure for setting this up:
1. Download glassfish2 build 49 to c:\sun
2. start->run->cmd
3. cd c:\sun
4. java -jar glassfish-installer-v2-b49.jar
5. accept agreement
6. cd glassfish
7. ant -f setup.xml
8. asadmin change-master-password (setting password to mySecret)
9. cd domains\domain1\config
10. keytool -delete -keystore keystore.jks -alias s1as
11. enter mySecret
12. keytool -genkey -dname "cn=myWebServiceHost9000, ou=myApplication, o=myOrg, c=US" -alias myWebServiceHost9000 -keystore keystore.jks
13. enter mySecret
14. do not enter a key password and hit enter
15. open domain.xml in a text editor and replace all instances of s1as with myWebServiceHost9000
16. asadmin start-domain
17. visit http://localhost:4848
18. login as admin with password adminadmin
19. change administrator password to myOtherSecret
20. launch netbeans
21. File->New Project->Web Application->Next
22. set project name to myWebService (Glassfish is already added to my server list and is already selected)
23. Next->Finish
24. Right-click myWebService project node->new->web service
25. Leave name as NewWebService, set package name to pkg
26. Finish
27. Expand "Web Services" node->right-click NewWebService->add operation
28. Set name to echo, click add button in parameters tab
29. Leave type as String, set name to input, click ok, click ok again
30. In NewWebService.java implement the echo method by replacing "return null;" with "return input;"
31. expand "Configuration Files" node and open web.xml
32. click Security button, click Add Security Constraint
33. Set display name to "Secure Everything", click Add button in the Web Resource Collection section.
34. set resource name to "everything", set URL pattern to /* and click ok
35. check "Enable User Data Constraint", set Transport Guarantee to CONFIDENTIAL
36. expand Login Configuration, select Client Certificate radio button
37. File->Save All
38. Run->Run Main Project (entering master password and administrator passwords if prompted)
The result: the server redirects from http://localhost:8080/myWebService to https://localhost:8181/myWebService/ and the browser displays an error loading the page. Internet Explorer 7 says "Internet Explorer cannot display the webpage" and Firefox 2 says "The connection was interrupted". The glassfish console says:
JACC Policy Provider: PolicyWrapper.implies, context(myWebService/myWebService)- permission((javax.security.jacc.WebUserDataPermission GET)) domain that failed(ProtectionDomain (file:/myWebService/myWebService <no signer certificates>)
null
<no principals>
java.security.Permissions@1bc475 (
(javax.management.MBeanTrustPermission register)
(java.net.SocketPermission localhost:1024- listen,resolve)
(java.net.SocketPermission * connect,resolve)
(java.util.PropertyPermission line.separator read)
(java.util.PropertyPermission java.vm.version read)
(java.util.PropertyPermission java.vm.specification.version read)
(java.util.PropertyPermission java.vm.specification.vendor read)
(java.util.PropertyPermission java.vendor.url read)
(java.util.PropertyPermission java.vm.name read)
(java.util.PropertyPermission * read,write)
(java.util.PropertyPermission os.name read)
(java.util.PropertyPermission java.vm.vendor read)
(java.util.PropertyPermission path.separator read)
(java.util.PropertyPermission java.specification.name read)
(java.util.PropertyPermission os.version read)
(java.util.PropertyPermission os.arch read)
(java.util.PropertyPermission java.class.version read)
(java.util.PropertyPermission java.version read)
(java.util.PropertyPermission file.separator read)
(java.util.PropertyPermission java.vendor read)
(java.util.PropertyPermission java.vm.specification.name read)
(java.util.PropertyPermission java.specification.version read)
(java.util.PropertyPermission java.specification.vendor read)
(unresolved javax.security.jacc.WebUserDataPermission /* DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE:CONFIDENTIAL)
(unresolved javax.security.jacc.WebUserDataPermission /* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
(unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved javax.security.jacc.WebResourcePermission /* null)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
(java.io.FilePermission C:\DOCUME~1\atappert\LOCALS~1\Temp\\- delete)
(java.io.FilePermission C:/Sun/glassfish/domains/domain1\lib\databases\- delete)
(java.io.FilePermission <<ALL FILES>> read,write)
(java.lang.RuntimePermission getClassLoader)
(java.lang.RuntimePermission loadLibrary.*)
(java.lang.RuntimePermission accessDeclaredMembers)
(java.lang.RuntimePermission getProtectionDomain)
(java.lang.RuntimePermission modifyThreadGroup)
(java.lang.RuntimePermission stopThread)
(java.lang.RuntimePermission setContextClassLoader)
(java.lang.RuntimePermission queuePrintJob)
(javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
(javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
)
)
whatever all that means. I see <no signer certificate> in there, does that mean this has worked? That isn't exactly the "unauthorized" message I would expect. What am I to conclude from this?
Assuming that this (in some world) means that the client is unauthorized because it is not providing a trusted certificate (or any?), my next set of steps is to get the browser sending a certificate that the server authenticates as valid.
Here is my procedure for this:
1. go back to my command prompt
2. keytool -genkey -dname "cn=myWebServiceConsumer, ou=myApplication, o=myOrg, c=US" -alias myWebServiceConsumer -keystore keystore.jks
3. enter mySecret
4. keytool -export -alias myWebServiceConsumer -file myWebServiceConsumer.cer -keystore keystore.jks
5. enter mySecret
6. Open explorer and browse to c:\sun\glassfish\domains\domain1\config
7. right-click myWebServiceConsumer.cer and choose "install"
8. click next, next, finish, yes, ok
9. back in my command prompt, asadmin stop-domain, asadmin start-domain
10. go back to my browser and refresh
Result: no different, I still get the same browser errors
Am I doing things correctly (I'm assuming not), or does glassfish actually not support this configuration I'm trying to set up?
[Message sent by forum member 'atappert' (atappert)]
http://forums.java.net/jive/thread.jspa?messageID=220673