堆栈内存溢出
  简体   繁体   English

Apache CXF SOAP客户端,使用https中生成的存根

[英]Apache CXF SOAP client , using generated stubs in https

 原文  2011-11-03 19:45:21       java/ web-services/ soap/ cxf

问题描述

I am generating a SOAP client for a SOAP webservice. 我正在为SOAP Web服务生成SOAP客户端。 I created Java stubs and when I tried executing I got an error: 我创建了Java存根,并在尝试执行时遇到错误: 

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:`

I tried running InstallCert but it didn't work even after that. 我尝试运行InstallCert,但即使在那之后也无法正常工作。 

INFO: The cipher suite filters have not been configured, falling back to default filters.
4 Nov, 2011 1:07:52 AM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
4 Nov, 2011 1:07:53 AM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
    at $Proxy36.updateValues(Unknown Source)
    at com.siebel.customui.UpdateStatus_UpdateStatus_Client.main(UpdateStatus_UpdateStatus_Client.java:62)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1834)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1792)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1852)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    ... 7 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 32 more
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Could not send Message.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:199)
    at $Proxy36.updateValues(Unknown Source)
    at com.siebel.customui.UpdateStatus_UpdateStatus_Client.main(UpdateStatus_UpdateStatus_Client.java:62)
Caused by: org.apache.cxf.interceptor.Fault: Could not send Message.
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
    ... 2 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1834)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1792)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1852)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    ... 7 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 32 more

1 个解决方案

解决方案1
 6 已采纳  2011-11-04 09:29:59

Buried inside that stack trace (near the end) is this critical information: 关键信息包括在堆栈跟踪中(接近尾声):

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target sun.security.validator.ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到到请求目标的有效认证路径

This indicates that the exception is due to the server certificate not being trusted. 这表明异常是由于服务器证书不受信任而导致的。 X.509 certificates contain a description of a chain of trust (eg, A signed the certificate of B, B signed the server certificate) where each part is done as a certificate (yes, they nest). X.509证书包含对信任链的描述(例如,A签署了B的证书,B签署了服务器证书),其中每个部分都作为证书完成(是的,它们嵌套)。 For that chain to be valid, some certificate on the chain (typically the root one, A in my example above) must be trusted by the client , as that protects against a whole class of trivial attacks (anyone at all can create a certificate or certificate chain; the software to do so is freely available). 为了使该链有效,该链上的某些证书​​(通常是根证书,在我的上例中为A)必须由客户端信任,因为它可以抵御一类微不足道的攻击(任何人都可以创建证书或证书链;这样做的软件是免费的)。

The documentation on how to configure CXF with trust information is a little sparse, but here's the summary. 有关如何使用信任信息配置CXF的文档很少,但这是摘要。 First, put the server certificate (or the topmost certificate upstream of it if it isn't self-signed) in a JKS-format keystore (eg, serverIdentity.jks , secured with password jkspass ). 首先,将服务器证书(如果不是自签名的,则放在证书的最上面)放在JKS格式的密钥库中(例如, serverIdentity.jks ,使用密码jkspass )。 Secondly, configure CXF's http conduit with the information about what to trust: 其次,使用有关信任内容的信息配置CXF的http管道: 

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

   <http:conduit name="*.http-conduit"> <!-- replace with real conduit name -->
       <http:tlsClientParameters>
          <sec:trustManagers>
              <sec:keyStore type="JKS" password="jkspass"
                   file="my/file/dir/serverIdentity.jks"/>
          </sec:trustManagers>
      </http:tlsClientParameters>

      <!-- assume user/pass over https; common case -->
      <http:authorization>
         <sec:UserName>foo</sec:UserName>
         <sec:Password>bar</sec:Password>
      </http:authorization>

      <!-- Below is where normal http control goes -->
      <http:client AutoRedirect="true" Connection="Keep-Alive"/>
   </http:conduit>
</beans>

The above is based on the examples in the CXF documentation which also describes many other options you might need. 上面的内容基于CXF文档中的示例,该示例还描述了您可能需要的许多其他选项。 For example, you might need to add the disableCNcheck="true" attribute definition to the <http:tlsClientParameters> element; 例如,您可能需要将disableCNcheck="true"属性定义添加到<http:tlsClientParameters>元素。 if you're using directly-known-and-trusted self-signed certificates, you've very little need to ensure that the expected hostname of the service matches the relevant sub-field of the server certificate's common name (CN) field. 如果您使用的是直接已知且受信任的自签名证书,则几乎不需要确保服务的预期主机名与服务器证书的公用名(CN)字段的相关子字段匹配。 Or maybe you need to provide a cryptographic client identity (for which, see the examples in that link). 或者,也许您需要提供一个加密的客户端身份(为此,请参阅该链接中的示例)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用Apache CXF为SOAP客户端指定SSLContext - Specify SSLContext for SOAP Client Using Apache CXF 在 Java 中使用 CXF 生成的存根调试 SOAP Web 服务调用会给某些人带来 SSL 异常 - Debugging SOAP webservice calls using CXF generated stubs in Java gives SSL Exceptions for some people 使用Apache CXF客户端传递SOAP标头的问题 - Problem with passing SOAP headers using Apache CXF client 使用wsdl2java和Apache CXF的SOAP客户端 - SOAP client using wsdl2java and Apache CXF soap webservice client使用apache cxf,用于ntlm身份验证 - soap webservice client using apache cxf, for ntlm authentication 如何测试cxf生成的SOAP客户端? - How to test cxf generated SOAP client? 使用CXF的ExactTarget SOAP客户端 - ExactTarget SOAP Client Using CXF 使用Apache CXF 3.1.1生成SOAP客户端 - Generating a SOAP client with Apache CXF 3.1.1 Apache CXF客户端soap故障处理 - Apache CXF client soap fault handling 从不正确的WSDL生成的Apache CXF客户端 - Apache CXF Client generated from inaccurate WSDL
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM