I need to call Solr Rest services from Java, basically I need to be able to call such things: /solr4/alfresco/admin/plugins?wt=json and so on.
I always get 401 error code with No client certificate chain in this request. I run my Java program simply with:
java -jar myJar.jar.
The question is what certificate should I provide? browser.p12 or some other? And preferably would be to add it as a Java option.
Related
I'm trying to call an Italian webservice, but I'm getting an SSLHandshakeException exception. I know this is a security trust problem and I should have a certificate to allow me to communicate using SSL. I would like to know if someone can help me to understand what should be the next steps and how can I generate a valid certificate to communicate with the webservice. Security is not my beach :)
The Italian webservice has a zip folder with a tool for developers and they have there two certificates, but I don't know what I should do with them. YOu can see here: https://sistemats1.sanita.finanze.it/portale/spese-sanitarie/documenti-e-specifiche-tecniche-strumenti-per-lo-sviluppo
Link to the Zip file: (https://sistemats1.sanita.finanze.it/portale/documents/20182/34450/kit730P_ver_20210301.zip/027086e7-385a-6071-ca86-f52077923a85)
You can see my experimental code here: https://github.com/nbentoneves/ws-spring-sts/blob/main/src/main/java/com/github/STSClient.java, feel free to clone and try it.
Note: In the development kit they have a soap project and I was able to call the webservice without needing anything.
STS Test Environment: https://invioSS730pTest.sanita.finanze.it/DocumentoSpesa730pWeb/DocumentoSpesa730pPort
Thanks,
Have a nice code time :)
You need to create a Trust Manager which does not validate certificate chains like the default ones.
Check this:
(How to solve javax.net.ssl.SSLHandshakeException Error?)
I have a SOAP webservice made in Java, running on Oracle Weblogic. And I need to get the certificate which is supposed to be provided by the client connecting, and extract some information (IssuerDN). How would I go about this?
Edit: I think the 1st thing I am stuck on, is how do I get the input-stream/connection? Then how would I get the certificate?
This depends what implementation you are running. I some cases the request certificate may be put on the SOAPMessageContext. If that is the case you can implement a SOAPhandler to get hold of the certificate used in the request.
For example, in the IBM Websphere´s Axis2 based implementation of JAX-WS the following code will retrieve the certificate:
public X509Certificate getRequestCertificate(SOAPMessageContext aMessageContext) {
return ((java.security.cert.X509Certificate) aMessageContext.get("com.ibm.xml.soapsec.RequestCert"));
}
Notice, be aware of the following. The code above may not be supported by the vendor of the web service container implementation.
I have made a web application using Java EE 6 (using reference implementations) and I want to expose it as a REST web service.
The background is that I want to be able to retrieve data from the web application to a iOS app I made. The question is how would I secure the application? I only want my application to use the web service. Is that possible and how would I do this? I only need to know what I should search for and read and not the actual code.
Unfortunately, your webservice will never be completely secure but here are few of the basic things you can do:
Use SSL
Wrap all your (app) outbound payloads in POST requests. This will prevent casual snooping to find out how your webservice works (in order to reverse engineer the protocol).
Somehow validate your app's users. Ideally this will involve OAUTH for example using Google credentials, but you get the idea.
Now I'm going to point out why this won't be completely secure:
If someone gets a hold of your app and reverse engineers it, everything you just did is out the window. The only thing that will hold is your user validation.
Embedding a client certificate (as other people have pointed out) does nothing to help you in this scenario. If I just reverse enginneered your app, I also have your client certificate.
What can you do?
Validate the accounts on your backend and monitor them for anomalous usage.
Of course this all goes out the window when someone comes along, reverse engineers your app, builds another one to mimic it, and you wouldn't (generally) know any better. These are all just points to keep in mind.
Edit: Also, if it wasn't already obvious, use POST (or GET) requests for all app queries (to your server). This, combined with the SSL should thwart your casual snoopers.
Edit2: Seems as if I'm wrong re: POST being more secure than GET. This answer was quite useful in pointing that out. So I suppose you can use GET or POST interchangeably here.
Depends on how secure you want to make it.
If you don't really care, just embed a secret word in your application and include in all the requests.
If you care a little more do the above and only expose the service via https.
If you want it to be secure, issue a client certificate to your app and require a
valid client certificate to be present when the service is accessed.
my suggestions are:
use https instead of http. there are free ssl certificate avaliable,
get one and install.
use a complex path such as 4324234AA_fdfsaf/ as the root end point.
due to the nature of http protocol, the path part is encrypted in the https request. therefore it's very safe. there are ways to decrypt the request through man-in-the-middle attack but it requires full control over the client device including install an ilegal ssl certificate. but, i'd spend more time on my app to make it successful.
Create a rule on the machine which hosts your Web Service to only allow your application to access it through some port. In Amazon EC2, this is done creating a rule in the instance Security Group.
We have used RestEasy as a part to securing our exposed RESTful webservices. There should be lot of example out there but here is the one which might get you started.
http://howtodoinjava.com/2013/06/26/jax-rs-resteasy-basic-authentication-and-authorization-tutorial/
You can also use OAUTH:
http://oltu.apache.org/index.html
I'm trying to generate a web service client with eclipse (I also tried with jdeveloper and netbeans). The WSDL is behind a https server with client certificate request.
I can connect and generate the classes with this command:
java -Djavax.net.ssl.trustStore=testes.keystore -Djavax.net.ssl.keyStore=testes.keystore -Djavax.net.ssl.trustStorePassword=123 -Djavax.net.ssl.keyStorePassword=123 -Dsun.security.ssl.allowUnsafeRenegotiation=true -jar D:\Java\jdevstudio10134\webservices\lib\wsa.jar -genProxy -wsdl https://urlxpto?wsdl
But then I get an error about a ActionMismatch. Probably this error comes from the library I'm using so I want to try with axis. If I use the wizard in eclipse it gives an error when trying to connect. The same happens with jdeveloper or netbeans.
So the question is: How do I do it? How to generate a web service proxy with an IDE?
Or the question can be: how do I change the message part to match the action part in a soap request?
Thanks!
I guess I can't use the classic wizard to generate a web service client that is behind https with client certificate request.
The only way I can think of and that worked for me was:
install the needed certificates in a browser;
manually download the WSDL xml document;
manually download every xml documents that the WSDL refers to, that are in the same domain;
alter the WSDL to point to the xml files on disk instead of pointing to urls where those documents are;
build the client with genproxy or WSDL2Java or with a wizard against the WSDL on disk
alter the code to point to the original URLs;
finally add the keystore details to the generated client;
I still have some problems but I can now connect and "talk" with the server.
I am currently accepting the parameters login and password in my servlet, but logs are storing this info when using wget (as long as it is GET method, and apache is in the middle)
Instead of this I want to enhance my servlet's authentication accepting:
wget --http-user=login --http-password=password http://myhost/myServlet
How can I read, in my servlet, the server side, the login and the password user is sending, in java code?
Can you not persuade your servlet clients to use POST instead of GET? wget has --post-data and --post-file options which might do what you need it.
wget's --http-user and --http-password options cause it to send HTTP Basic authentication. They are normally used for simple access control enforced by the web server itself, typically mediated by a .htaccess file; you'll have to consult your servlet framework documentation to find out whether that is available to you.