users@jax-rpc.java.net

RE: Mutual SSL authentication with JAX-RPC

From: Ryan LeCompte <ryan.lecompte_at_pangonetworks.com>
Date: Thu, 18 Nov 2004 21:57:01 -0500

Jitendra,

Thank you for the response. This is what I have figured as well, that all
that is required for the client side is to set the appropriate JVM-system
properties. However, when using static stubs there is the
Stub.USERNAME_PROPERTY and Stub.PASSWORD_PROPERTY. I believe these two are
used for http basic level authentication, correct? I've always wondered if
these two needed to be set explicitly on the stub object even when the
username/password is supplied in the URL that the static stub uses via the
ENDPOINT_ADDRESS_PROPERTY...

-- Ryan

-----Original Message-----
From: Jitendra Kotamraju [mailto:Jitendra.Kotamraju_at_Sun.COM]
Sent: Thursday, November 18, 2004 9:43 PM
To: users_at_jax-rpc.dev.java.net
Subject: Re: Mutual SSL authentication with JAX-RPC

Ryan LeCompte wrote:
> Sharib,
>
> Thank you for your response. I was actually able to get the mutual
> authentication working under Tomcat today. However, I didn't have to
> see the <login-config> and <user-data-constraint> fields as you
> mentioned. You mentioned that this is only for the server side? My
> client is a standalone JAX-RPC client that doesn't run within a web
> container, so there is no web.xml file associated with the standalone
> JAX-RPC client. However, the remote web service implementation that
> runs within Tomcat has a web.xml file. Is that where you want me to
> specify the settings that you mentioned?
> I haven't set them at this point and I am able to get mutual SSL
> communication to happen without any problems. I have done the correct
> importing of the certificates for the client/server, and also set
> clientAuth=true in Tomcat. I'm now trying to do the same experiment
> with the same web service deployed on the .Net platform in IIS. It
> seems as though the only thing that I really have to set on my JAX-RPC
> client to get it to work with all flavors of SSL (including mutual
> authentication) is to set the following system properties to the correct
> values:
>
> System.setProperty("javax.net.ssl.trustStore", trustStorePath);
> System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
> System.setProperty("javax.net.ssl.trustStoreType", trustStoreType);
> System.setProperty("javax.net.ssl.keyStore", keyStorePath);
> System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
> System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
> System.setProperty("java.protocol.handler.pkgs",
>     "com.sun.net.ssl.internal.www.protocol");
> Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
>
> There should be nothing else to set on the JAX-RPC client side to get
> all flavors of SSL to work, correct?

JAXRPC client just does URLConnection to your endpoint. Everything is
handled by the JVM. All these properties are used by JVM to establish HTTPS
connection. So check with JVM documentation to see if you require anything.

Thanks,
Jitu

>
> Thanks,
> -- Ryan
>
> -----Original Message-----
> From: Sharib Anis [mailto:sharib.anis_at_wilabs.com]
> Sent: Thursday, November 18, 2004 9:12 PM
> To: users_at_jax-rpc.dev.java.net
> Subject: RE: Mutual SSL authentication with JAX-RPC
>
> Hi Ryan,
>
> First you have to decide what kind of authentication you want to use.
> Three types are common:
>
> * HTTP basic authentication--The Web server authenticates a principal
> using the username and password obtained from the Web client. The
> username and password are included in the HTTP headers and are handled
> at the transport layer.
> * Form-based authentication--A developer can customize a form for
> entering username and password information, and then use this form to
> pass the information to the J2EE Web container. This type of
> authentication, geared toward Web page presentation applications, is not
> used for Web services.
> * HTTPS mutual authentication--Both the client and the server use
> digital certificates to establish their identity, and authentication
> occurs over a channel protected by Secure Sockets Layer.
>
> It seems to me you're trying to use the last one. If yes, then
> 1. You do need to set this:
>    <login-config>
>      <auth-method>CLIENT-CERT</auth-method>
>    </login-config>
>    and this:
>    <user-data-constraint>
>      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>    </user-data-constraint>
>    in the <security-constraint/>.
>    These settings are only on the server side.
> 2. Import the server cert into client keystore AND vice versa.
> 3. In Tomcat, you may set the clientAuth="true". It's not a must, you
> may also set it to "want", if you want Tomcat to request a client
> Certificate, but not fail if one isn't presented.
>
> Thanks and Regards,
> Sharib Anis
> Senior Research Engineer
> Wireless Intellect Labs Pte Ltd
> A MobileOne Company
> http://www.wilabs.com
> sharib.anis_at_wilabs.com
> DID: +65-6843 8672; Fax: +65-6560-4950 (TZ: +0800 GMT)
>
> There are 10 kinds of people in the world, those who understand binary
> and those who don't.
>
> -----Original Message-----
> From: Ryan LeCompte [mailto:ryan.lecompte_at_pangonetworks.com]
> Sent: 19 November 2004 01:33
> To: users_at_jax-rpc.dev.java.net
> Subject: Mutual SSL authentication with JAX-RPC
>
>
> Hello,
>
> I'm trying to have my static stub JAX-RPC client communicate via SSL
> with a remote web service. I'm setting the two system properties for
> specifying the SSL trust store path and trust store password. The
> client is able to successfully communicate via SSL when the remote web
> service's web server is configured to not require client-side
> authentication (for example in tomcat the configuration attribute
> 'clientAuth="false"' would be used). However, when I turn on this
> attribute and require client-side authentication, the JAX-RPC client
> fails to communicate successfully with the web service. Is there
> anything else that must occur on the JAX-RPC client side when the
> remote web server requires a client-side certification authentication?
> I'm still new to SSL, so perhaps I have the basic concept confused. Do
> I have to import another certification in the client-side keystore for
> this to work? I looked in the java web services tutorial and they say that
> you need to specify the following in web.xml:
>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> However, this is a standalone JAX-RPC client that isn't running within
> a web container (thus there is no web.xml).
>
> Am I missing something here? Thank you for any suggestions...
>
> -- Ryan
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_jax-rpc.dev.java.net
> For additional commands, e-mail: users-help_at_jax-rpc.dev.java.net
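
The thread's client-side setup comes down to two stores: the keyStore holds what the client presents, the trustStore holds what it accepts. The following is an added example, not code from any poster in this thread or from the JAX-RPC project; it reads the same javax.net.ssl.* properties quoted above and reports whether the keyStore actually contains a private-key entry with a certificate chain. The class and method names are made up for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example, not from the thread: inspects the stores the javax.net.ssl.* properties name.
public class MutualTlsPreflight {

    // Loads a store from disk; a null path yields an empty in-memory store.
    static KeyStore load(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        char[] pw = password == null ? null : password.toCharArray();
        try (InputStream in = path == null ? null : new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    // Counts key entries that carry a cert chain (wantKeys) or trusted-certificate entries.
    static int count(KeyStore ks, boolean wantKeys) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean key = ks.isKeyEntry(alias) && ks.getCertificateChain(alias) != null;
            if (wantKeys ? key : ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keys = load(System.getProperty("javax.net.ssl.keyStore"),
                System.getProperty("javax.net.ssl.keyStoreType"),
                System.getProperty("javax.net.ssl.keyStorePassword"));
        int ids = count(keys, true);
        System.out.println("keyStore client identities: " + ids
                + (ids == 0 ? " (nothing to present when the server asks for a certificate)" : ""));
        String tsPath = System.getProperty("javax.net.ssl.trustStore");
        if (tsPath == null) {
            System.out.println("trustStore not set: the JVM's default trust store applies");
        } else {
            KeyStore trust = load(tsPath, System.getProperty("javax.net.ssl.trustStoreType"),
                    System.getProperty("javax.net.ssl.trustStorePassword"));
            System.out.println("trustStore trusted certificates: " + count(trust, false));
        }
    }
}
```

Run it with the same -D properties the client uses; with none set it inspects an empty in-memory store and reports zero identities.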