Results 1 to 2 of 2

Thread: [RESOLVED] SOAP problem

  1. #1

    Thread Starter
    Don't Panic! Ecniv's Avatar
    Join Date
    Nov 2000
    Location
    Amsterdam...
    Posts
    5,343

    Resolved [RESOLVED] SOAP problem

    Hi


    Headachy here. sigh. I have a problem with some code utilising the SOAP.

    When connecting to a webservice http works fine. When connecting to a https, immediately errors with
    java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
    This is on the javax.xml.soap.SOAPMessage soapResponse = soapConnection.call(soapMessage, interfaceURL);
    (.call).

    Note I am not calling SAAJ although I believe the saaj api and impl are being connected to at the beginning.

    Whilst browsing lots of sites for an answer, i found some source code that has both this error and one other I encountered (server responding 302) with what looked like exactly the same code. In the comments were a note stating to come to https to deal with it later...

    Now perhaps it that there is a better/newer/fixed version out there. But I havent found it. I did find a v1.3.4 or v1.3.5 saaj; the methods seem to have been changed though and the coding I have at the moment doesnt work.

    So to the question:
    Are there any better SOAP connection jars out there the can work with http and https

    * note - i have been asked to try and get it working without resorting to certificates being trust key stored thing...

    Any pointers appreciated

    BOFH Now, BOFH Past, Information on duplicates

    Feeling like a fly on the inside of a closed window (Thunk!)
    If I post a lot, it is because I am bored at work! ;D Or stuck...
    * Anything I post can be only my opinion. Advice etc is up to you to persue...

  2. #2

    Thread Starter
    Don't Panic! Ecniv's Avatar
    Join Date
    Nov 2000
    Location
    Amsterdam...
    Posts
    5,343

    Re: SOAP problem

    Hi

    Well I found a solution, probably not the best one but it will do for now.

    The problem is that the SAAJ doesn't deal with https when you don't have the certificates stored in the key/trust store.
    This is required for the security for cliente, browser and server to validate who is requesting what and that they are who they say they are.

    Only it doesn't have a nice error message.

    Source url
    interfaceURL is the https url string you are trying to connect to.
    Code:
    // fixo https... quebra certificados...
    import java.io.InputStreamReader;
    import java.io.Reader;
    import java.net.URL;
    import java.net.URLConnection;
    
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import java.security.cert.X509Certificate;
    
    
    
    
    if( interfaceURL.indexOf("https") > -1 ){
        /*
         *  fix for
         *    Exception in thread "main" javax.net.ssl.SSLHandshakeException:
         *       sun.security.validator.ValidatorException:
         *           PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
         *               unable to find valid certification path to requested target
    */
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
    
                public void checkClientTrusted(X509Certificate[] certs, String authType) {  }
    
                public void checkServerTrusted(X509Certificate[] certs, String authType) {  }
    
            }
        };
    
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    
        // Create all-trusting host name verifier
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
        // Install the all-trusting host verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        /*
         * end of the fix / fim do fixo
    */
    }
    Essentially it replaces the trust manager with a version that allows anything. Yes I know not secure, but for the time being will do the job... Plus you don't need to add all the certificates from servers to your trust store... for each developer here...

    It's a sticky patch to be ripped off later on

    BOFH Now, BOFH Past, Information on duplicates

    Feeling like a fly on the inside of a closed window (Thunk!)
    If I post a lot, it is because I am bored at work! ;D Or stuck...
    * Anything I post can be only my opinion. Advice etc is up to you to persue...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width