AliasSelector Runtime Properties Not Passed In

Hello all,

I'm trying to implement an AliasSelector for use with a KeyStoreCallbackHandler, using

    <sc:KeyStore wspp:visibility="private" callbackHandler="my.KeyStoreCallbackHandler" aliasSelector="my.AliasSelectorImpl"/>

in my wsit-client.xml file. However, the runtime properties passed in from the container are all null and I get an error WSS1512: An Error occurred while locating default certificate and privateKey in KeyStore.

Using alias instead of aliasSelector, as in

    <sc:KeyStore wspp:visibility="private" callbackHandler="my.KeyStoreCallbackHandler" alias="xws-security-client"/>

works fine. I have tried metro 1.5 and metro 2.0 EA. Any assistance is greatly appreciated.

Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=353249
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Re: AliasSelector Runtime Properties Not Passed In

Are you looking for the RuntimeProperties on the client side or server side? I checked the code and I see properties being passed.

If it is on the client side then you may see some properties by default, but you can set some properties of your own on the BindingProvider.RequestContext and you should see those properties being sent to the select() method of the AliasSelector. On the server side an application developer generally does not have the scope to set any properties anywhere that could end up as RuntimeProperties in your AliasSelector.

If you still think there is a problem please do the following: put the line of code Thread.dumpStack(); as the first line of your select method and send me the output stack trace. I will take a look to see if there is a problem.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=353341

Re: AliasSelector Runtime Properties Not Passed In

Hi Kumar, thanks for your quick reply.

This is on the client side. I do see a bunch of "default" properties that are not mine and are all null. My client code is putting properties on the request context using BindingProvider.RequestContext. None of them exist, though, when I print them out in the aliasSelector. I am also experiencing the same problem when using a certSelector in the wsit-client.xml: no runtime properties are passed in. Here is the stack dump.

Thanks for your time and great work!

    [#|2009-06-29T22:39:07.765-0400|WARNING|sun-appserver2.1|javax.enterprise.system.stream.err|_ThreadID=19;_ThreadName=httpSSLWorkerThread-8181-0;_RequestID=03b6bbf2-9cbd-4b41-bba3-b000a0eec4b9;|java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1158)
        at mil.army.train.catalog.common.util.AliasSelectorImpl.select(AliasSelectorImpl.java:23)
        at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1312)
        at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:528)
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getDefaultPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:228)
        at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:199)
        at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
        at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
        at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
        at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:391)
        at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:237)
        at com.sun.xml.ws.security.secconv.WSSCPlugin.sendRequest(WSSCPlugin.java:397)
        at com.sun.xml.ws.security.secconv.WSSCPlugin.process(WSSCPlugin.java:260)
        at com.sun.xml.ws.security.secconv.impl.client.SCTokenProviderImpl.issue(SCTokenProviderImpl.java:129)
        at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
        at com.sun.xml.wss.jaxws.impl.SecurityClientTube.startSecureConversation(SecurityClientTube.java:457)
        at com.sun.xml.ws.rx.util.Communicator.tryStartSecureConversation(Communicator.java:273)
        at com.sun.xml.ws.rx.rm.runtime.ClientTube.createSequences(ClientTube.java:286)
        at com.sun.xml.ws.rx.rm.runtime.ClientTube.openRmSession(ClientTube.java:270)
        at com.sun.xml.ws.rx.rm.runtime.ClientTube.processRequest(ClientTube.java:167)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
        at com.sun.xml.ws.client.Stub.process(Stub.java:235)
        at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:147)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
        at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:130)
        at $Proxy77.deleteRegistration(Unknown Source)
        at mil.army.train.catalog.server.servlet.DeleteRegistration.processRequest(DeleteRegistration.java:132)
        at mil.army.train.catalog.server.servlet.DeleteRegistration.doPost(DeleteRegistration.java:176)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:315)
        at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
        at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
    |#]

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=353503

Re: AliasSelector Runtime Properties Not Passed In

Thanks for the stack trace. It looks like you have RM and SecureConversation enabled, and it appears that in this path the RuntimeProperties are not being passed on to the Packet which is used for securing the RM protocol messages.

I can fix it in a day or two. In the meantime try disabling RM and I am sure (we have tests) you will see the RuntimeProperties (if you can verify that for me then it would be good). Thanks for reporting the issue.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=353538

Re: AliasSelector Runtime Properties Not Passed In

Hi Kumar,

I have taken out both the RM and SecureConversation from the service implementation. Unfortunately logging shows the client does not call the aliasSelector at all. It does call the trustStoreCallback and keyStoreCallbacks, and only loads the stores, and the handle method is not executed, so the privateKeyCallback is never called. It also appears that both the trustStore and KeyStore callbacks are called twice in the client.

Thanks for your time.

Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=353851

Re: AliasSelector Runtime Properties Not Passed In

Now I am getting a doubt as to what your runtime is. Are you using Metro 1.5 or Metro 2.0? If you are using older builds (what is available out-of-box in GlassFish) then there was probably a bug.

But I don't understand how AliasSelector was never called when you removed both RM and SC. Does the secure message get sent to the server in this case? Show me the policy of your service. I will try to fix your original bug very soon so you don't have to make changes to your app.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=353866

Re: AliasSelector Runtime Properties Not Passed In

Hi Kumar,

I have tried metro 1.5, metro 2.0 EA and metro 2.0 nightly from 1 July. The only time the AliasSelector "select" method is not called is when SecureConversation is removed. The AliasSelector code is called when RM is enabled, however the runtime properties are all null. This is the case for all 3 builds. The keyStoreCallback and trustStoreCallback are called, however only the stores get loaded but the handle methods never execute. Plus they are called twice.

Attached is an excerpt of my wsdl that includes all the policies used.

Thanks again for your time.

Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=353917

Re: AliasSelector Runtime Properties Not Passed In

Ok, I believe when you removed both SC and RM the client actually did not send any secured message, because when you remove SC you have to put something else as the binding.

Anyway, I will fix the bug soon.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=353964

Re: AliasSelector Runtime Properties Not Passed In

Great! Thanks Kumar!

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=354005

Re: AliasSelector Runtime Properties Not Passed In

I did fix an issue related to runtime props but it was not exactly on the path that your client is going into. And in the path shown by your thread dump I see that we do copy properties, so I am a bit confused.

I wanted to make a NetBeans test project but did not get time yet. Will try to do it next week since I am held up on a deadline this week. But if you can, also send me your client code and web service, if that is possible.

Here is a link where the use of AliasSelector is explained:
http://blogs.sun.com/harsha/entry/selecting_certificates_programmatically_in_wsit

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=354829

Re: AliasSelector Runtime Properties Not Passed In

Hi Kumar,

The link you mention is what I based my implementation on. However, the aliasSelector does not receive the runtime properties and neither does the certSelector running with the service implementation. I will package up a client and service and send it separately.

Thanks,
Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=356544

Re: AliasSelector Runtime Properties Not Passed In

If you can send me a client and server that would be great. But otherwise just show me the client code where you are setting the properties and then how you are accessing them in the CBH.

Thanks.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=356600

Re: AliasSelector Runtime Properties Not Passed In

Hi Kumar,

Here is some stripped-down, bare-bones server and client code. They are ant buildable. The server should not need building. I have removed any externally configured properties files and JVM options. I also removed aliasSelector and certSelector from the server implementation, however the server is not receiving runtime properties either. My apologies for taking so long to get it to you. See the notes.txt in the register-wsClient.zip for more info.

Thanks,
Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=357132

Re: AliasSelector Runtime Properties Not Passed In

Thanks. I should get back to you by Monday....

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=357139

Re: AliasSelector Runtime Properties Not Passed In

Thanks Kumar.

I reloaded register-wsClient.zip, removing an extra copy of aliasSelector, and fixed the web.xml file, removing a non-existent servlet reference.

Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=357231

Re: AliasSelector Runtime Properties Not Passed In

Hi Kumar,

In doing some further research on this issue I have run into your blogs
http://weblogs.java.net/blog/kumarjayanti/archive/2009/06/security_token_1.html
and continued
http://weblogs.java.net/blog/kumarjayanti/archive/2009/07/security_token.html

I now know that my client is a Non-JSR 109 deployment, which from what I understand means Metro will use the DefaultCallbackHandler. So this raises a few questions.

1. Do I need to place the gf-196-hook.jar in the lib folder of GlassFish?
2. If yes to #1, do I still need to write my own callback handlers?
3. If No to #2, what does the wsit-client use for configuration of callbacks relating to alias and cert selectors and truststore and keystore handlers?

On a different note relating to the server: how does the service implementation bind the incoming data for processing in an alias selector or cert selector if you wanted to look up the incoming client?

Thanks,
Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=357773

Re: AliasSelector Runtime Properties Not Passed In

Hi,

I was able to debug the problem with the projects that you provided, thanks for that.

There are two problems:

1. Your client code sets properties on the BindingProvider but then down the line it discards the original port and creates a new port to invoke the service. That is the main reason the Properties set were not being seen in the AliasSelector and CertSelector's.

    service = new RegisterService(wsdlURL,REGISTER_SERVICE_NAME);
    port = service.getRegisterServiceSoap11(features);

    BindingProvider bp = (BindingProvider) port;
    Map<String,Object> requestContext = bp.getRequestContext();

    // Set operation action
    requestContext.put(JAXWSProperties.ADDRESSING_ACTION,"deleteRegistration");

    // Set endpoint address URL
    requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, ENDPOINT);

    // Set service's certificate
    requestContext.put("service.certSubject", "CN=xwssecurityserver");
    requestContext.put("peerentity.alias", "xws-security-server");

    // Set my certificate alias
    requestContext.put("my.alias","xws-security-client");

    try {
        out.println("<html>");
        out.println("<head>");
        out.println("<title>Servlet deleteRegistration</title>");
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Results</h1>");

        try { // Call Web Service Operation

            /********************I commented the port redefinition below******************/
            // mil.army.train.catalog.services.register._1.RegisterServiceSoap11 port = service.getRegisterServiceSoap11();

After making that change I saw another problem which only happens when RM is enabled. The interaction between RM and Security Layers is currently not copying over the Properties set on BindingProvider. I have a fix for that which I will check in after the RM Lead reviews the change (since the code change is in the RM area).

But in the meantime, like I said initially, if you disable RM then you should see at least that your AliasSelectors and CertSelectors are all working fine. Eventually if you upgrade to the latest Metro you should be able to enable RM back again.

I shall let you know as soon as I make a check-in. I hope you know where to pick up the latest Metro 2.0 nightlies, right?

https://metro.dev.java.net/servlets/ProjectDocumentList?expandFolder=7638&folderID=10314

Thanks.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=358024

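The port-reuse point from the reply above, as an added example that is not part of the original thread or of Metro's own code. It assumes the `com.sun.xml.wss.AliasSelector` interface exposes the `select(Map)` method the thread describes; the class names `PortBoundAliasExample` and `StrictAliasSelector`, the `bind` helper and the allow-list are hypothetical, and failing closed on a missing alias is this example's choice.

```java
import com.sun.xml.wss.AliasSelector; // Metro/XWSS type discussed in the thread
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.ws.BindingProvider;

/** Hypothetical holder class for this added example. */
public final class PortBoundAliasExample {

    /** Request-context key the thread's client uses for its own key alias. */
    static final String ALIAS_PROP = "my.alias";

    /** Constructed allow-list of keystore aliases this client may sign with. */
    static final Set<String> ALLOWED_ALIASES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("xws-security-client")));

    private PortBoundAliasExample() { }

    /**
     * Puts the properties on the request context of the given port and returns
     * that same proxy. Every port proxy obtained from the service has its own
     * request context, so the operation must be invoked on the returned object
     * and not on a port fetched again from the service.
     */
    public static <T> T bind(T port, String endpoint, String alias) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
        ctx.put(ALIAS_PROP, alias);
        return port;
    }

    // Usage with the names from the thread's client code:
    //   RegisterServiceSoap11 port = bind(
    //           service.getRegisterServiceSoap11(features),
    //           ENDPOINT, "xws-security-client");
    //   port.deleteRegistration(...); // same proxy, so the properties travel

    /**
     * Selector that accepts only an explicit, allow-listed alias. When the
     * property is missing (the symptom reported in the thread) it refuses to
     * pick a key instead of silently signing with a default one. In a real
     * project this would be its own top-level class named in aliasSelector=.
     */
    public static final class StrictAliasSelector implements AliasSelector {
        @Override
        public String select(Map runtimeProps) {
            Object value = (runtimeProps == null) ? null : runtimeProps.get(ALIAS_PROP);
            if (value instanceof String && ALLOWED_ALIASES.contains(value)) {
                return (String) value;
            }
            // Report key names only: property values may hold credentials.
            Set<String> keys = new TreeSet<String>();
            if (runtimeProps != null) {
                for (Object k : runtimeProps.keySet()) {
                    keys.add(String.valueOf(k));
                }
            }
            throw new IllegalStateException("No allow-listed '" + ALIAS_PROP
                    + "' in runtime properties; keys seen: " + keys);
        }
    }
}
```

The key names in the exception message show at a glance whether the selector received only container defaults or the properties the client set.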
Re: AliasSelector Runtime Properties Not Passed In

Just FYI: the changes in RM Kumar was mentioning in his last post are already in the main trunk. By tomorrow, the Metro 2.0 nightly build should reflect the changes.

Thanks,
Marek

On 29.7.2009, at 12:14, metro@... wrote:

> Hi,
>
> I was able to debug the problem with the projects that you provided
> thanks for that.
>
> There are two problems :
> 1. Your client code sets properties on the BindingProvider but then
> down the line it discards the original port and creates a new port
> to invoke the service that is the main reason the Properties set
> were not being seen in the AliasSelector and CertSelector's.
>
>     service = new RegisterService(wsdlURL,REGISTER_SERVICE_NAME);
>     port = service.getRegisterServiceSoap11(features);
>
>     BindingProvider bp = (BindingProvider) port;
>     Map<String,Object> requestContext = bp.getRequestContext();
>
>     // Set operation action
>     requestContext.put(JAXWSProperties.ADDRESSING_ACTION,"deleteRegistration");
>
>     // Set endpoint address URL
>     requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, ENDPOINT);
>
>     // Set service's certificate
>     requestContext.put("service.certSubject", "CN=xwssecurityserver");
>     requestContext.put("peerentity.alias", "xws-security-server");
>
>     // Set my certificate alias
>     requestContext.put("my.alias","xws-security-client");
>
>     try {
>         out.println("<html>");
>         out.println("<head>");
>         out.println("<title>Servlet deleteRegistration</title>");
>         out.println("</head>");
>         out.println("<body>");
>         out.println("<h1>Results</h1>");
>
>         try { // Call Web Service Operation
>
>             /********************I commented the port redefinition below******************/
>             // mil.army.train.catalog.services.register._1.RegisterServiceSoap11 port = service.getRegisterServiceSoap11();
>
> After making that change i saw another problem which only happens
> when RM is enabled. The interaction between RM and Security Layers
> is currently not copying over the Properties set on BindingProvider.
> I have a Fix for that which i will checkin after the RM Lead reviews
> the change (since the code change is in RM area).
>
> But in the mean time like i said initially, if you disable RM then
> you should see at least that your AliasSelectors and CertSelectors are
> all working fine. Eventually if you upgrade to latest metro you
> should be able to enable RM back again.
>
> I shall let you know as soon as i make a checkin. I hope you know
> where to pick up the latest Metro 2.0 nightlies right ?.
>
> https://metro.dev.java.net/servlets/ProjectDocumentList?expandFolder=7638&folderID=10314
>
> Thanks.
> [Message sent by forum member 'kumarjayanti' (kumarjayanti)]
>
> http://forums.java.net/jive/thread.jspa?messageID=358024

Re: AliasSelector Runtime Properties Not Passed In

I have downloaded the nightly build dated 31 July. I am unable to build now because com.sun.xml.wss.impl.callback.KeyStoreCallback and com.sun.xml.wss.impl.callback.PrivateKeyCallback are no longer in the webservices-rt.jar.

Thanks,
Barb

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=358377

Re: AliasSelector Runtime Properties Not Passed In

Hey Kumar, thanks so much.

So far things are looking good. I am using the nightly build from 31 July 1:54 am. Will this fix make it to the Metro 2.0 final release? If so, do you have a timeframe when it may be released?

I remember a while back somewhere someone mentioned that Reliable Messaging was going to have some kind of persistence or recovery capability in Metro 2.0 if the container went down. Is this feature in 2.0? If not, is there some workaround?

Thanks so much for all your efforts!!

[Message sent by forum member 'kellerbb' (kellerbb)]
http://forums.java.net/jive/thread.jspa?messageID=358397