You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@cxf.apache.org by Fred Dushin <fr...@dushin.net> on 2007/05/04 04:16:22 UTC

Initializing a Proxy with a "secure" URL

(I hesitate to utter "secure" and "https" in the same breath, but  
here we go...)

What is the expected behavior of the following code fragment?

java.net.URL url = new java.net.URL("https://...");
javax.xml.ws.Service svc = new javax.xml.ws.Service.createService 
(url, qname);

(where qname is a QName appropriate for the occasion) ?

I'm finding that our WSDLManagerImpl is eventually trying to load the  
WSDL behind the URL through a javax.wsdl.xml.WSDLReader, which it  
gets off a WSDLFactory, another javax object (WSDLManagerImpl.java: 
177).  (Eclipse tells me that this implementation is provided  
courtesy of IBM, but that's about all I get get out of the debugger).

In any event, there is really no provision for the specification of  
key and certificate material for the call out to acquire the WSDL off  
the "secure" https URL, in which case the SSL handshake is doomed to  
failure, as it clearly does in my debugger.

Looks like a gaping hole in the spec, if not the javax implementation  
we are using.  I suppose it could be an "implementation specific"  
detail -- how to configure said key and certificate material, but no  
provision seems to be made by the underlying implementation of these  
javax classes, unless anyone here knows any differently.  And there's  
clearly no way to specify this material programmatically, which is  
pretty much the kiss o' death, anyway.  Unless there is some kind of  
contextual API outside of the creation of the Service I

Rats.

-Fred

Re: Initializing a Proxy with a "secure" URL

Posted by Daniel Kulp <dk...@apache.org>.

Polar,

On Friday 04 May 2007 09:51, Polar Humenn wrote:
> Opps, I'm sorry, I got confused thinking it was a secure way of
> picking up the WSDL file,
> not the actual address of the service itself. Sorry for the confusion.
> I shouldn't answer emails when I'm tired. :)

You weren't confused.  (sounds like you are now though. :-)  We are 
talking about how to get the WSDL document.     The URL to the WSDL that 
is passed in is just "toString()" and that string is passed around 
through much of the code.   The actual URL object is not used at all. 
Thus, setting stream handlers or whatever on that URL object would be 
irrelevant.

That string goes through a bunch of code to figure out how to create the 
InputStream for it.   One is all the URI resolver code for files, 
classpath,etc...   The next is the JAXWS catalog stuff.   Finally, it 
checks the Bus's ResourceManager.   At this point, nothing in that path 
would allow for a "secure" connection to the wsdl.

Dan



> Cheers,
> -Polar
>
> Daniel Kulp wrote:
> > On Thursday 03 May 2007 22:36, Polar Humenn wrote:
> >> Fred Dushin wrote:
> >>> On May 3, 2007, at 10:16 PM, Fred Dushin wrote:
> >>>> What is the expected behavior of the following code fragment?
> >>>>
> >>>> java.net.URL url = new java.net.URL("https://...");
> >>>> javax.xml.ws.Service svc = new
> >>>> javax.xml.ws.Service.createService(url, qname);
> >>>
> >>> Before too much confusion arises, just let me clarify that this is
> >>> /client-side/ code -- i.e., the "Service" in the above is
> >>> logically associated with a fragment of WSDL, not a remote service
> >>> in the process of being created.  It may not have been clear from
> >>> what I initially wrote.
> >>
> >> Fred, in order to do this programatically as above, you would
> >> supply a URLStreamHandler with the URL constructor, or it can be
> >> set after construction. This sets up the URLConnection for the URL.
> >> So, you would supply a HttpsURLConnection for this particular URL
> >> in which you may set the certificates, trust points, by way of the
> >> socket factory, etc.
> >
> > I don't think that will work.   We just record the string form of
> > the URL internally and use that.
> >
> > To get this to work, you'd probably need to register a
> > ResorceResolver with the Bus's ResourceManager.  Even then, I'm not
> > sure what would happen.   I think we check the "default" stuff
> > first.

-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog

Re: Initializing a Proxy with a "secure" URL

Posted by Daniel Kulp <dk...@apache.org>.

I'll fix the thread safety issue.   That's a problem.

Dan

On Friday 04 May 2007 10:26, Fred Dushin wrote:
> It looks like when you add a ResourceResolver, it's added to the
> first in the list, so it should probably work.  It doesn't look like
> adding resolvers is thread-safe, so I'll need to exercise caution, by
> maybe doing the add in initialization code, which presumably is
> unithreaded.
>
> On May 4, 2007, at 9:29 AM, Daniel Kulp wrote:
> > To get this to work, you'd probably need to register a
> > ResorceResolver with the Bus's ResourceManager.  Even then, I'm not
> > sure what would happen.   I think we check the "default" stuff
> > first.

-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog

Re: Initializing a Proxy with a "secure" URL

Posted by Fred Dushin <fr...@dushin.net>.

It looks like when you add a ResourceResolver, it's added to the  
first in the list, so it should probably work.  It doesn't look like  
adding resolvers is thread-safe, so I'll need to exercise caution, by  
maybe doing the add in initialization code, which presumably is  
unithreaded.

On May 4, 2007, at 9:29 AM, Daniel Kulp wrote:

> To get this to work, you'd probably need to register a ResorceResolver
> with the Bus's ResourceManager.  Even then, I'm not sure what would
> happen.   I think we check the "default" stuff first.

Re: Initializing a Proxy with a "secure" URL

Posted by Polar Humenn <ph...@iona.com>.

Opps, I'm sorry, I got confused thinking it was a secure way of picking 
up the WSDL file,
not the actual address of the service itself. Sorry for the confusion. I 
shouldn't answer emails when I'm tired. :)

Cheers,
-Polar

Daniel Kulp wrote:
> On Thursday 03 May 2007 22:36, Polar Humenn wrote:
>   
>> Fred Dushin wrote:
>>     
>>> On May 3, 2007, at 10:16 PM, Fred Dushin wrote:
>>>       
>>>> What is the expected behavior of the following code fragment?
>>>>
>>>> java.net.URL url = new java.net.URL("https://...");
>>>> javax.xml.ws.Service svc = new
>>>> javax.xml.ws.Service.createService(url, qname);
>>>>         
>>> Before too much confusion arises, just let me clarify that this is
>>> /client-side/ code -- i.e., the "Service" in the above is logically
>>> associated with a fragment of WSDL, not a remote service in the
>>> process of being created.  It may not have been clear from what I
>>> initially wrote.
>>>       
>> Fred, in order to do this programatically as above, you would supply a
>> URLStreamHandler with the URL constructor, or it can be set after
>> construction. This sets up the URLConnection for the URL. So, you
>> would supply a HttpsURLConnection for this particular URL in which you
>> may set the certificates, trust points, by way of the socket factory,
>> etc.
>>
>>     
>
> I don't think that will work.   We just record the string form of the URL 
> internally and use that.
>
> To get this to work, you'd probably need to register a ResorceResolver 
> with the Bus's ResourceManager.  Even then, I'm not sure what would 
> happen.   I think we check the "default" stuff first.  
>
>
>
>

Re: Initializing a Proxy with a "secure" URL

Posted by Daniel Kulp <dk...@apache.org>.

On Thursday 03 May 2007 22:36, Polar Humenn wrote:
> Fred Dushin wrote:
> > On May 3, 2007, at 10:16 PM, Fred Dushin wrote:
> >> What is the expected behavior of the following code fragment?
> >>
> >> java.net.URL url = new java.net.URL("https://...");
> >> javax.xml.ws.Service svc = new
> >> javax.xml.ws.Service.createService(url, qname);
> >
> > Before too much confusion arises, just let me clarify that this is
> > /client-side/ code -- i.e., the "Service" in the above is logically
> > associated with a fragment of WSDL, not a remote service in the
> > process of being created.  It may not have been clear from what I
> > initially wrote.
>
> Fred, in order to do this programatically as above, you would supply a
> URLStreamHandler with the URL constructor, or it can be set after
> construction. This sets up the URLConnection for the URL. So, you
> would supply a HttpsURLConnection for this particular URL in which you
> may set the certificates, trust points, by way of the socket factory,
> etc.
>

I don't think that will work.   We just record the string form of the URL 
internally and use that.

To get this to work, you'd probably need to register a ResorceResolver 
with the Bus's ResourceManager.  Even then, I'm not sure what would 
happen.   I think we check the "default" stuff first.  



-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog

Re: Initializing a Proxy with a "secure" URL

Posted by Polar Humenn <ph...@iona.com>.

Fred Dushin wrote:
>
> On May 3, 2007, at 10:16 PM, Fred Dushin wrote:
>
>> What is the expected behavior of the following code fragment?
>>
>> java.net.URL url = new java.net.URL("https://...");
>> javax.xml.ws.Service svc = new 
>> javax.xml.ws.Service.createService(url, qname);
>
> Before too much confusion arises, just let me clarify that this is 
> /client-side/ code -- i.e., the "Service" in the above is logically 
> associated with a fragment of WSDL, not a remote service in the 
> process of being created.  It may not have been clear from what I 
> initially wrote.
>
Fred, in order to do this programatically as above, you would supply a 
URLStreamHandler with the URL constructor, or it can be set after 
construction. This sets up the URLConnection for the URL. So, you would 
supply a HttpsURLConnection for this particular URL in which you may set 
the certificates, trust points, by way of the socket factory, etc.

Cheers,
-Polar
> -Fred

Re: Initializing a Proxy with a "secure" URL

Posted by Fred Dushin <fr...@dushin.net>.

On May 3, 2007, at 10:16 PM, Fred Dushin wrote:

> What is the expected behavior of the following code fragment?
>
> java.net.URL url = new java.net.URL("https://...");
> javax.xml.ws.Service svc = new javax.xml.ws.Service.createService 
> (url, qname);

Before too much confusion arises, just let me clarify that this is / 
client-side/ code -- i.e., the "Service" in the above is logically  
associated with a fragment of WSDL, not a remote service in the  
process of being created.  It may not have been clear from what I  
initially wrote.

-Fred