PDA

View Full Version : HttpInvoker Security Issues

bthh78
Dec 25th, 2004, 11:06 AM
hi,

we are in the process of developing a warehouse management system using spring + hibernate + swing.

we are very please with using httpInvoker as a remoting solution.

however, my boss have raised a question regarding the security of using such remoting technique.

we are already using acegi security with basic authentication to filter access to remote services.

however, since it is using http for transport, could the data in transit be possibly be compromised, as in being evesdropped etc, since it is not being encrypted to the best of my understanding.

if this is really the case, is it possible for us to use maybe ssl (i.e over https) to rectify this situation.

we would be very grateful for any advice given.

thank you
aaime
Dec 27th, 2004, 07:08 AM
I'm interested in this too... I'm writing a rich client and for intranet usage http is fine, but for remote users I really need ssl encryption... I can't find anything on the user guide about this matter...
irbouho
Dec 27th, 2004, 12:40 PM
httpInvoker has support for Jakarta Commons HttpClient. You can configure the later using CommonsHttpInvokerRequestExecutor.
HTH
aaime
Dec 28th, 2004, 04:26 AM
Nice. Just for the record, is it possible to use ssl along with burlap or hessian?
bthh78
Dec 28th, 2004, 04:51 AM
hi Omar,

i have tried out your suggestions. below i have detailed what i have done.

enable ssl on tomcat
--------------------------
keytool -genkey -alias tomcat -keyalg RSA -keystore D:/jakarta-tomcat-4.1.29/keystore -storepass changeit

uncommented https support in tomcat's server.xml

client side (bean definition)
--------------------------------
<bean id="importBookingFinderService" class="org.springframework.remoting.httpinvoker.HttpInvok erProxyFactoryBean">
<property name="serviceInterface">
<value>com.wms.services.booking.importBooking.importBooki ngFinder.ImportBookingFinder</value>
</property>
<property name="serviceUrl">
<value>https://localhost:8443/wms/remoting/ImportBookingFinderService-httpinvoker</value>
</property>
<property name="httpInvokerRequestExecutor">
<bean class="org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor"/>
</property>
</bean>

Exception Occurred
----------------------
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(U nknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
...

somehow i feel that i'm closer to getting it to work. but i may have missed out something important.

we are very grateful for any help u can give.

thank you
lblaauw
Dec 28th, 2004, 05:23 AM
Well,

Judging by the Exception you are getting your truststore is not setup
correctly. Make sure the servers ssl certificate is in your client ssl truststore. You can specify the truststore to use on the cmd line or in
a properties file i believe.

Greetings
Leo

hi Omar,

i have tried out your suggestions. below i have detailed what i have done.

enable ssl on tomcat
--------------------------
keytool -genkey -alias tomcat -keyalg RSA -keystore D:/jakarta-tomcat-4.1.29/keystore -storepass changeit

uncommented https support in tomcat's server.xml

client side (bean definition)
--------------------------------
<bean id="importBookingFinderService" class="org.springframework.remoting.httpinvoker.HttpInvok erProxyFactoryBean">
<property name="serviceInterface">
<value>com.wms.services.booking.importBooking.importBooki ngFinder.ImportBookingFinder</value>
</property>
<property name="serviceUrl">
<value>https://localhost:8443/wms/remoting/ImportBookingFinderService-httpinvoker</value>
</property>
<property name="httpInvokerRequestExecutor">
<bean class="org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor"/>
</property>
</bean>

Exception Occurred
----------------------
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(U nknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
...

somehow i feel that i'm closer to getting it to work. but i may have missed out something important.

we are very grateful for any help u can give.

thank you
bthh78
Dec 28th, 2004, 05:39 AM
hi leo,

thank you for your valuable advice.

i have tried to import the server certificate as a trusted keystore. but i am not too sure what i am doing is correct.

Steps
-------
Open "https://localhost:8443/wms/jsp/index.jsp" in IE.
Click on the "Lock" icon found on the bottom right corner
Export the certificate as "tomcat.cer"
Run the cmd "keytool -import -alias tomcat -file tomcat.cer"

However, i still have the same exception so most problem what i am doing isn't correct at all.

we would be grateful if you show us how we can install the certificate in the client keystore correctly.

thank you very much.
lblaauw
Dec 28th, 2004, 08:55 AM
Hi,

Well I am not fully aware of where the exception you have happened,
maybe post the whole stacktrace of the exception for clarification.

Secondly the exception is not caused by IE so therefore importing it
into the key/trust store of IE is not going to help. My guess is you have
to import it into the trust store file used by the Java VM wich is running
your program. You can do this by setting the property on startup or
trough your code.

Greetz
Leo

hi leo,

thank you for your valuable advice.

i have tried to import the server certificate as a trusted keystore. but i am not too sure what i am doing is correct.

Steps
-------
Open "https://localhost:8443/wms/jsp/index.jsp" in IE.
Click on the "Lock" icon found on the bottom right corner
Export the certificate as "tomcat.cer"
Run the cmd "keytool -import -alias tomcat -file tomcat.cer"

However, i still have the same exception so most problem what i am doing isn't correct at all.

we would be grateful if you show us how we can install the certificate in the client keystore correctly.

thank you very much.
bthh78
Dec 28th, 2004, 09:42 AM
hi leo,

thank you for your prompt reply.

i guess my problem is that i do not know how to get the certificate from the server and add it to the keystore that will be used by java on the client side.

if you could tell me how it could be done, i would be most grateful.

below is a stack trace of another similar service

thank you very much

org.springframework.remoting.RemoteAccessException : Cannot access HTTP invoker remote service at [https://localhost:8443/wms/remoting/UserService-httpinvoker]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(U nknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write (Unknown Source)
at org.apache.commons.httpclient.HttpConnection$Wrapp edOutputStream.write(HttpConnection.java:1344)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.flush RequestOutputStream(HttpConnection.java:775)
at org.apache.commons.httpclient.MultiThreadedHttpCon nectionManager$HttpConnectionAdapter.flushRequestO utputStream(MultiThreadedHttpConnectionManager.jav a:1356)
at org.apache.commons.httpclient.HttpMethodBase.write Request(HttpMethodBase.java:2252)
at org.apache.commons.httpclient.HttpMethodBase.proce ssRequest(HttpMethodBase.java:2632)
at org.apache.commons.httpclient.HttpMethodBase.execu te(HttpMethodBase.java:1065)
at org.apache.commons.httpclient.HttpClient.executeMe thod(HttpClient.java:643)
at org.apache.commons.httpclient.HttpClient.executeMe thod(HttpClient.java:497)
at org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor.executePostMethod(Commons HttpInvokerRequestExecutor.java:120)
at org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor.doExecuteRequest(CommonsH ttpInvokerRequestExecutor.java:87)
at org.springframework.remoting.httpinvoker.AbstractH ttpInvokerRequestExecutor.executeRequest(AbstractH ttpInvokerRequestExecutor.java:67)
at org.springframework.remoting.httpinvoker.HttpInvok erClientInterceptor.executeRequest(HttpInvokerClie ntInterceptor.java:86)
at org.springframework.remoting.httpinvoker.HttpInvok erClientInterceptor.invoke(HttpInvokerClientInterc eptor.java:60)
at org.springframework.aop.framework.ReflectiveMethod Invocation.proceed(ReflectiveMethodInvocation.java :138)
at org.springframework.aop.framework.JdkDynamicAopPro xy.invoke(JdkDynamicAopProxy.java:152)
at $Proxy0.findUserById(Unknown Source)
at test.com.wmsClient.UserTest.testUserFind(UserTest. java:24)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at junit.framework.TestCase.runTest(TestCase.java:154 )
at junit.framework.TestCase.runBare(TestCase.java:127 )
at junit.framework.TestResult$1.protect(TestResult.ja va:106)
at junit.framework.TestResult.runProtected(TestResult .java:124)
at junit.framework.TestResult.run(TestResult.java:109 )
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:2 08)
at junit.framework.TestSuite.run(TestSuite.java:203)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.runTests(RemoteTestRunner.java:421)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.run(RemoteTestRunner.java:305)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.main(RemoteTestRunner.java:186)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.validator.SimpleValidator.buildTruste dChain(Unknown Source)
at sun.security.validator.SimpleValidator.engineValid ate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl. checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager. checkServerTrusted(Unknown Source)
... 41 more
lblaauw
Dec 28th, 2004, 11:55 AM
Ok,

Yes definitely you need a server ssl certificate somehow and the client
needs to know about it. For some more info on ssl in java aplications
check out the bottom of the page on this link :

http://forum.java.sun.com/thread.jspa?threadID=526676&tstart=270

Greetz
Leo

hi leo,

thank you for your prompt reply.

i guess my problem is that i do not know how to get the certificate from the server and add it to the keystore that will be used by java on the client side.

if you could tell me how it could be done, i would be most grateful.

below is a stack trace of another similar service

thank you very much

org.springframework.remoting.RemoteAccessException : Cannot access HTTP invoker remote service at [https://localhost:8443/wms/remoting/UserService-httpinvoker]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(U nknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unkno wn Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write (Unknown Source)
at org.apache.commons.httpclient.HttpConnection$Wrapp edOutputStream.write(HttpConnection.java:1344)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.flush RequestOutputStream(HttpConnection.java:775)
at org.apache.commons.httpclient.MultiThreadedHttpCon nectionManager$HttpConnectionAdapter.flushRequestO utputStream(MultiThreadedHttpConnectionManager.jav a:1356)
at org.apache.commons.httpclient.HttpMethodBase.write Request(HttpMethodBase.java:2252)
at org.apache.commons.httpclient.HttpMethodBase.proce ssRequest(HttpMethodBase.java:2632)
at org.apache.commons.httpclient.HttpMethodBase.execu te(HttpMethodBase.java:1065)
at org.apache.commons.httpclient.HttpClient.executeMe thod(HttpClient.java:643)
at org.apache.commons.httpclient.HttpClient.executeMe thod(HttpClient.java:497)
at org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor.executePostMethod(Commons HttpInvokerRequestExecutor.java:120)
at org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor.doExecuteRequest(CommonsH ttpInvokerRequestExecutor.java:87)
at org.springframework.remoting.httpinvoker.AbstractH ttpInvokerRequestExecutor.executeRequest(AbstractH ttpInvokerRequestExecutor.java:67)
at org.springframework.remoting.httpinvoker.HttpInvok erClientInterceptor.executeRequest(HttpInvokerClie ntInterceptor.java:86)
at org.springframework.remoting.httpinvoker.HttpInvok erClientInterceptor.invoke(HttpInvokerClientInterc eptor.java:60)
at org.springframework.aop.framework.ReflectiveMethod Invocation.proceed(ReflectiveMethodInvocation.java :138)
at org.springframework.aop.framework.JdkDynamicAopPro xy.invoke(JdkDynamicAopProxy.java:152)
at $Proxy0.findUserById(Unknown Source)
at test.com.wmsClient.UserTest.testUserFind(UserTest. java:24)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at junit.framework.TestCase.runTest(TestCase.java:154 )
at junit.framework.TestCase.runBare(TestCase.java:127 )
at junit.framework.TestResult$1.protect(TestResult.ja va:106)
at junit.framework.TestResult.runProtected(TestResult .java:124)
at junit.framework.TestResult.run(TestResult.java:109 )
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:2 08)
at junit.framework.TestSuite.run(TestSuite.java:203)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.runTests(RemoteTestRunner.java:421)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.run(RemoteTestRunner.java:305)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.main(RemoteTestRunner.java:186)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.validator.SimpleValidator.buildTruste dChain(Unknown Source)
at sun.security.validator.SimpleValidator.engineValid ate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl. checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager. checkServerTrusted(Unknown Source)
... 41 more
bthh78
Dec 28th, 2004, 10:06 PM
hi leo,

thanks again for you reply.

will try it out and if successful will post the result here.

thanks you.
Ben Alex
Dec 29th, 2004, 01:03 AM
Use HTTPS for your transport-layer security. Use Acegi Security and BASIC authentication for your application-layer security.

No need to use Jakarta Commons HttpInvoker. I looked at it when writing some integration, but personally found it added too much complexity for the expected benefit.

I assume you're already doing so, but CVS has a class, net.sf.acegisecurity.ui.httpinvoker.Authentication SimplehttpInvoker, which will help set the BASIC authentication headers.
aaime
Dec 29th, 2004, 03:15 AM
Ben, thank you, in fact that's exactly what I'm doing (trying to do, at least). I'll look at the class in CVS, in fact I'm using a version that uses the commons http client that has been posted on the forums some time ago.
bthh78
Dec 29th, 2004, 09:45 AM
hi,

just like to thank all of you who have replied to my queries.

i finally got it to work. just as i promised, i have listed down when is to be done to get ssl working for httpInvoker.

enable ssl on tomcat
--------------------------
keytool -genkey -alias tomcat -keyalg RSA -keystore D:/jakarta-tomcat-4.1.29/keystore -storepass changeit

uncommented https support in tomcat's server.xml

client side (bean definition)
--------------------------------
<bean id="importBookingFinderService" class="org.springframework.remoting.httpinvoker.HttpInvok erProxyFactoryBean">
<property name="serviceInterface">
<value>com.wms.services.booking.importBooking.importBooki ngFinder.ImportBookingFinder</value>
</property>
<property name="serviceUrl">
<value>https://localhost:8443/wms/remoting/ImportBookingFinderService-httpinvoker</value>
</property>
<property name="httpInvokerRequestExecutor">
<bean class="org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor"/>
</property>
</bean>

Export the server certificate
---------------------------------
Open "https://localhost:8443/wms/jsp/index.jsp" in IE.
Click on the "Lock" icon found on the bottom right corner
Export the certificate as "tomcat.cer"

Import the server certificate into client
---------------------------------------------
Run the cmd "keytool -import -keystore C:/j2sdk1.4.2_06/jre/lib/security/cacerts -alias tomcat -file tomcat.cer"

UnitTestCase Setup
-----------------------
public class UserTest extends ContextAwareTestCase{
public void testUserFind(){
System.setProperty("javax.net.ssl.trustStore","C:/j2sdk1.4.2_06/jre/lib/security/cacerts");

UserService userService = (UserService)this.context.getBean("httpInvokerProxy");
try {
userService.findUserById(new Integer(1));
} catch (FindException e) {
// TODO Auto-generated catch block
e.printStackTrace();
Assert.fail();
}catch(Exception e){
e.printStackTrace();
Assert.fail();
}
}
}

Important Notes
-------------------
- CommonsHttpInvokerRequestExecutor is required to support ssl
- System.setProperty("javax.net.ssl.trustStore","C:/j2sdk1.4.2_06/jre/lib/security/cacerts"); is required to tell the jvm where to look for the trustStore, mine was defaulted to null.


Further Queries
------------------
- Would it still work if i have installed a real server certificate from a CA like versign etc, without specifying System.setProperty("javax.net.ssl.trustStore","C:/j2sdk1.4.2_06/jre/lib/security/cacerts");
- Also is there a better way to get the certificate from the server instead of using IE

thank all of you for your help.
Ben Alex
Dec 30th, 2004, 01:37 AM
To avoid sun.security.validator.ValidatorException, your server SSL certificate must be signed by a certificate already trusted by the client-side $JAVA_HOME\lib\security\cacerts. You can add a self-signed certificate (as your docs described) or have your server certificate signed by a CA already in the cacerts file (eg Verisign).

You might find this file helpful, as it uses keytool rather than IE (BTW, try FireFox instead!): http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/xdocs/ssl/howto.txt?rev=1.1&view=auto
bthh78
Dec 30th, 2004, 10:01 AM
hi ben,

thanks again. now i know enough to get the project going again.

well, i think that about wraps up this post.

thank all of you. once again, this has proven that the spring community is one of the best!

cheers
sumesh_ps@hotmail.com
Sep 1st, 2007, 07:22 AM
Hi All,


I have followed the above steps to to generate self signed certificate using keytool.

I am getting different error now.

If any body faced similar problem pls give me hints to solve this issue.


2007-09-01 16:48:44,603 [main] INFO <<>>Proxy - truststore D:/jdk1.5.0_07/jre/lib/security/cacerts
2007-09-01 16:48:44,712 [main] ERROR <<>>.Collector - Error happened in the collection -
org.springframework.remoting.RemoteAccessException : Cannot access HTTP invoker remote service at [https://sumesh-new:8443/<<>>ProxyService]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
Caused by:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptio n(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(S SLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Ha ndshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Ha ndshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serv erCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.proc essMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoo p(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_re cord(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRec ord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.perform InitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRe cord(SSLSocketImpl.java:622)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write (AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedO utputStream.java:65)
at java.io.BufferedOutputStream.write(BufferedOutputS tream.java:104)
at java.io.FilterOutputStream.write(FilterOutputStrea m.java:80)
at org.apache.commons.httpclient.methods.ByteArrayReq uestEntity.writeRequest(ByteArrayRequestEntity.jav a:89)
at org.apache.commons.httpclient.methods.EntityEnclos ingMethod.writeRequestBody(EntityEnclosingMethod.j ava:495)
at org.apache.commons.httpclient.HttpMethodBase.write Request(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.execu te(HttpMethodBase.java:993)
at org.apache.commons.httpclient.HttpMethodDirector.e xecuteWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.e xecuteMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMe thod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMe thod(HttpClient.java:324)
at org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor.executePostMethod(Commons HttpInvokerRequestExecutor.java:164)
at org.springframework.remoting.httpinvoker.CommonsHt tpInvokerRequestExecutor.doExecuteRequest(CommonsH ttpInvokerRequestExecutor.java:102)
at org.springframework.remoting.httpinvoker.AbstractH ttpInvokerRequestExecutor.executeRequest(AbstractH ttpInvokerRequestExecutor.java:134)
at org.springframework.remoting.httpinvoker.HttpInvok erClientInterceptor.executeRequest(HttpInvokerClie ntInterceptor.java:177)
at org.springframework.remoting.httpinvoker.HttpInvok erClientInterceptor.invoke(HttpInvokerClientInterc eptor.java:154)
at <<>>.communication.ConfigurableHttpInvokerProxyFactory Bean.invoke(ConfigurableHttpInvokerProxyFactoryBea n.java:45)
at org.springframework.aop.framework.ReflectiveMethod Invocation.proceed(ReflectiveMethodInvocation.java :161)
at org.springframework.aop.framework.JdkDynamicAopPro xy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy0.runCommands(Unknown Source)
at <<>>.communication.Proxy.runCommands(Proxy.java:150)
at <<>>.communication.WMI.runCommands(WMI.java:132)
at <<>>.collector.Collector.runCommands(Collector.java:79 2)
at gjdk.<<>>.collectors.WindowsDiscoveryCollector_GroovyReflec tor.invoke(Unknown Source)
at groovy.lang.MetaMethod.invoke(MetaMethod.java:115)
at org.codehaus.groovy.runtime.MetaClassHelper.doMeth odInvoke(MetaClassHelper.java:713)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassIm pl.java:560)
at org.codehaus.groovy.runtime.ScriptBytecodeAdapter. invokeMethodOnCurrentN(ScriptBytecodeAdapter.java: 97)
at <<>>.collectors.WindowsDiscoveryCollector.collect(Wind owsDiscoveryCollector.groovy:38)
at <<>>.collector.Collector.run(Collector.java:639)
at <<>>.collector.CollectionService.collectNowFile(Collec tionService.java:259)
at <<>>.collector.CollectionService.collectNow(Collection Service.java:201)
at <<>>.proxy.ProxyClientTest.testWindowsCollection(Proxy ClientTest.java:48)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at junit.framework.TestCase.runTest(TestCase.java:154 )
at junit.framework.TestCase.runBare(TestCase.java:127 )
at junit.framework.TestResult$1.protect(TestResult.ja va:106)
at junit.framework.TestResult.runProtected(TestResult .java:124)
at junit.framework.TestResult.run(TestResult.java:109 )
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:2 08)
at junit.framework.TestSuite.run(TestSuite.java:203)
at org.eclipse.jdt.internal.junit.runner.junit3.JUnit 3TestReference.run(JUnit3TestReference.java:128)
at org.eclipse.jdt.internal.junit.runner.TestExecutio n.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.runTests(RemoteTestRunner.java:460)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.runTests(RemoteTestRunner.java:673)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.run(RemoteTestRunner.java:386)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRu nner.main(RemoteTestRunner.java:196)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXV alidator.java:221)
at sun.security.validator.PKIXValidator.engineValidat e(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validato r.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl. checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager. checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serv erCertificate(ClientHandshaker.java:841)
... 58 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder. engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathB uilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXV alidator.java:216)
... 63 more
2007-09-01 16:48:44,884 [main] INFO <<>>.collector.Collector - Collection Done 5 DISCOVERY WINDOWS:192.168.40.67

Thanks in Advance
Sumesh
mohan_spring
Apr 28th, 2008, 08:21 AM
hi,

we are in the process of developing a warehouse management system using spring + hibernate + swing.

we are very please with using httpInvoker as a remoting solution.

however, my boss have raised a question regarding the security of using such remoting technique.

we are already using acegi security with basic authentication to filter access to remote services.

however, since it is using http for transport, could the data in transit be possibly be compromised, as in being evesdropped etc, since it is not being encrypted to the best of my understanding.

if this is really the case, is it possible for us to use maybe ssl (i.e over https) to rectify this situation.

we would be very grateful for any advice given.

thank you


hi,

can you suggest me how to implement the basic authentication ?. if you have example it will help me lot.

thanks
Mohan