users@glassfish.java.net

Re: IIOP and SSL

From: <glassfish_at_javadesktop.org>
Date: Mon, 10 Mar 2008 04:18:31 PST

Hi dkoper,

I have one project in Eclipse for my bean:
This project contains the following class, interface and xml:

---------- class ----------
import java.util.Date;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("appuser")
public class JustABean implements IJustABean {

        public String aMethod() {
                return "the date/time of JustABean = " + new Date().toString();
        }

}

---------- interface ----------
import javax.ejb.Remote;

@Remote
public interface IJustABean {

        public String aMethod();
}


---------- META-INF/sun-ejb-jar.xml ----------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd" >
<sun-ejb-jar>
  <security-role-mapping>
        <role-name>appuser</role-name>
        <group-name>appuser</group-name>
  </security-role-mapping>
  <enterprise-beans>
           <ejb>
                  <ejb-name>JustABean</ejb-name>
                  <ior-security-config>
                          <transport-config>
                            <integrity>required</integrity>
                            <confidentiality>required</confidentiality>
                            <establish-trust-in-target>supported</establish-trust-in-target>
                            <establish-trust-in-client>none</establish-trust-in-client>
                          </transport-config>
                          <as-context>
                                  <auth-method>username_password</auth-method>
                                  <realm>default</realm>
                                  <required>true</required>
                          </as-context>
                  </ior-security-config>
          </ejb>
  
  </enterprise-beans>
</sun-ejb-jar>


The structure of the .jar (called JustABean.jar) deployed to SJSAS contains the following structure and files:
META-INF/MANIFEST.MF (containing Manifest-Version:1.0 Sealed: true)
META-INF/sun-ejb-jar.xml
nl/teamsoft/sjsas/ejb/IJustABean.class
nl/teamsoft/sjsas/ejb/JustABean.class


I have another project in Eclipse for my application client:
This project contains (only) 1 class

---------- Main ----------
import javax.ejb.EJB;
import javax.swing.JOptionPane;

import nl.teamsoft.sjsas.ejb.IJustABean;


public class Main {
        
        @EJB
        private static IJustABean aBean = null;
        
        public static void main(String[] args) {
                
                System.setProperty("javax.net.ssl.trustStore", "c:/jssecacerts");
                System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
                System.setProperty("javax.net.ssl.keyStore", "c:/jssecacerts");
                System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
                System.setProperty("org.omg.CORBA.ORBInitialHost","PCUP");
// System.setProperty("org.omg.CORBA.ORBInitialHost","192.168.1.136");
// System.setProperty("org.omg.CORBA.ORBInitialHost","localhost");
// System.setProperty("org.omg.CORBA.ORBInitialHost","127.0.0.1");
                System.setProperty("org.omg.CORBA.ORBInitialPort","3700");

                
                JOptionPane.showMessageDialog(null, "starting... ");
                
                boolean bValid = false;
                int iTries = 0;

                while (bValid == false) {
                        
                        JOptionPane.showMessageDialog(null, "while " + iTries);
                        
                        try {
                                
                                JOptionPane.showMessageDialog(null, "justABean says: " + aBean.aMethod());

                    bValid = true;
                } catch(Exception e) {
                        
                        JOptionPane.showMessageDialog(null, "catch exception " + e.getLocalizedMessage());
                        
                        iTries++;
                } finally {
                        if (iTries == 3 ) {
                                JOptionPane.showMessageDialog(null, "too many tries ");
                                break;
                        }
                }
            }

        }
}


the structure of the .jar (called JustAnAppClient.jar) for my application client contains the following structure and files:
META-INF/MANIFEST.MF (containing Manifest-Version:1.0 Sealed: true Main-Class: nl.teamsoft.sjsas.acc.Main
nl/teamsoft/sjsas/acc/Main.class
nl/teamsoft/sjsas/ejb/IJustABean.class

This example is based on the example given on the GlassFish site: https://glassfish.dev.java.net/javaee5/ejb/examples/Sless.html

I've generated the jssecacerts certificate (used in the System.setProperty in my client program) using the following java programm:
---------- certificate program ----------
import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP
                    + "lib" + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] {tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader =
                new BufferedReader(new InputStreamReader(System.in));

        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println
                    (" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println(" Issuer " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println(" sha1 " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println(" md5 " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        //String alias = host + "-" + (k + 1);
        String alias = "s1as";
        ks.setCertificateEntry(alias, cert);

        OutputStream out = new FileOutputStream("c:/jssecacerts");
        ks.store(out, passphrase);
        out.close();

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println
                ("Added certificate to keystore 'jssecacerts' using alias '"
                + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }

}

I found this routine in blog: http://blogs.sun.com/andreas/entry/no_more_unable_to_find
Following in this blog I have a certificate for the client that contains the default self-signed
certificate of the server (nickname = s1as)


The deployment of the ejb and appclient finishes successfull

The URL of the appclient = http://localhost:8080/JustAnAppClient

I start the client using my internet browser and typing the URL of the appclient in the addressbar.
The login window asking for username + password.
But after entering some correct values the only thing that's happening is loglines being written.

(I also tried starting the client using the following command:
javaws -import -silent -shortcut http://localhost:8080/JustAnAppClient
This results in a shortcut being created on the desktop.
But when launching the appclient via this shortcut the same problem results)

I've attached the first part of the server.log (in 2 files) just as it is after restarting the server and directly starting the JustAnAppClient program.
Debugging on the server is set to -Djavax.net.debug=ssl,handshake,verbose

The log is repeatedly being loaded with the same cluster of lines.
The only way to stop my AppClient is to kill the javaw executable via the PC's taskmanager (which I've done so far).

I really hope this info gives you a clue to help me any further.
If you need more info, please let me know.

Anyway thanks in advance for your response.


Bart.

p.s. (maybe it helps)
I'm running WinXP Pro SP2
Both client and server are on the same PC.
[Message sent by forum member 'bertusdotcom' (bertusdotcom)]

http://forums.java.net/jive/thread.jspa?messageID=263156