STS CRMService On Tomcat

Anonymous · ‎2011-05-20

Hi Team,
on customer side we try to implement the CRMService on tomcat 6.0 using the sts configuration/setup of the sts osgi example.
-
In the catalina.out the following exception was logged:
org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: are not understood.
What are we doing wrong?
Thanks and regards,
Robert
Professional Services, Talend AI

p.s.: catalina.out:
May 17, 2011 3:49:43 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://services.talend.org/CRMService}CRMServiceProvider#{http://services.talend.org/CRMService}getC... has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: are not understood.
at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:163)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:662)
May 17, 2011 3:49:43 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://services.talend.org/CRMService}CRMServiceProvider#{http://services.talend.org/CRMService}getC... has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Marshalling Error: null
at org.apache.cxf.jaxb.JAXBEncoderDecoder.marshall(JAXBEncoderDecoder.java:258)
at org.apache.cxf.jaxb.io.DataWriterImpl.write(DataWriterImpl.java:169)
at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:156)
at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:81)
at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:61)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:104)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:323)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:163)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.IllegalArgumentException
at javax.xml.bind.JAXBElement.(JAXBElement.java:91)
at javax.xml.bind.JAXBElement.(JAXBElement.java:105)
at org.apache.cxf.jaxb.JAXBEncoderDecoder.marshall(JAXBEncoderDecoder.java:244)
... 28 more

dkulp · ‎2011-05-20

How are you consructing the war going into tomcat? Maven?
If so, are you including the cxf-rt-ws-security, cxf-rt-ws-addr, and cxf-rt-ws-policy modules? Basically, what cxf-* jars are being included in the war?
In OSGi, all of that is in the bundle jar that is deployed. Outside OSGi, you may need to pull in the functionality you need OR pull in cxf-bundle to grab everything.

Anonymous · ‎2011-05-23

Thanks Dan,
... added the missing dependencies ... but I got the same exception in catalina.out.
(all cxf jars are provided with the service war file.)
Here are my dependencies:
<DEPENDENCIES>
<DEPENDENCY>
<GROUPID>org.talend.esb.examples.rent-a-car</GROUPID>
<ARTIFACTID>crmservice-common-lab1</ARTIFACTID>
<VERSION>${project.version}</VERSION>
</DEPENDENCY>

<DEPENDENCY>
<GROUPID>log4j</GROUPID>
<ARTIFACTID>log4j</ARTIFACTID>
<VERSION>1.2.16</VERSION>
</DEPENDENCY>
<DEPENDENCY>
<GROUPID>org.talend.esb</GROUPID>
<ARTIFACTID>locator</ARTIFACTID>
<VERSION>4.0</VERSION>
</DEPENDENCY>
<DEPENDENCY>
<GROUPID>org.talend.esb</GROUPID>
<ARTIFACTID>sam-agent</ARTIFACTID>
<VERSION>4.0</VERSION>
</DEPENDENCY>

<DEPENDENCY>
<GROUPID>org.apache.cxf</GROUPID>
<ARTIFACTID>cxf-rt-ws-security</ARTIFACTID>
<VERSION>${cxf.version}</VERSION>
</DEPENDENCY>
<DEPENDENCY>
<GROUPID>org.apache.cxf</GROUPID>
<ARTIFACTID>cxf-rt-ws-addr</ARTIFACTID>
<VERSION>${cxf.version}</VERSION>
</DEPENDENCY>
<DEPENDENCY>
<GROUPID>org.apache.cxf</GROUPID>
<ARTIFACTID>cxf-rt-ws-policy</ARTIFACTID>
<VERSION>${cxf.version}</VERSION>
</DEPENDENCY>

dkulp · ‎2011-05-24

Hmm... I'm not really sure. It looks like the service isn't finding a policy that would enable the security processing. If you scroll up the logs, does it say it's creating the service from a WSDL or from a Class? I assume the wsdl has the security policies defined that it needs picking up.
Can I also assume this is CXF 2.4.0 and not 2.3.x?

Any chance of a testcase?

Anonymous · ‎2011-05-24

There was a change with respect to processing mustunderstand headers in 2.3 which is described in "Runtime changes" here:
http://cxf.apache.org/23-migration-guide.html
To debug this, I'd recommend to deploy the DemoInterceptor of the TSF example "interceptors" which shows the whole interceptor chain. I'm wondering whether the WSS4JInInterceptor is called at all.
You could also add a typo in the CRMService-sts.wsdl to see whether this WSDL is read/parsed at all. If you don't get a different exception (parsing exception), the wsdl is ignored and therefore the defined security policy.

Anonymous · ‎2011-05-25

THANKS !!!
The WSDL hint was the right one ...
(On startup the wrong wsdl was referenced ...)
Now the service seens to run fine, but on client side I get the following exception:
Exception in thread "AWT-EventQueue-0" javax.xml.ws.WebServiceException: The signature or decryption was invalid; nested exception is:
org.apache.ws.security.WSSecurityException: Cannot find key for alias:

My example service is just a copy of the getting started crmservice ...
Also I'm using the 'getting started' crmservice client in the OSGI car application.
Any hints?

Anonymous · ‎2011-05-30

It looks like the public key of the service is not in the truststore of the client; alternatively, the client has not been configured to use the correct truststore (perhaps it's relying on the JRE default "cacerts" one as a result.) Working backwards, first confirm myservicekey is in the client's truststore, then confirm that the client is indeed pointing to that truststore. For the first part the keytool -list command is your friend, for the second part look at how you're configuring the truststore for the client, either or will work depending on the type of configuration you're doing.
http://www.jroller.com/gmazza/entry/using_openssl_to_create_certificates
http://www.jroller.com/gmazza/entry/cxf_x509_profile
http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol
HTH,
Glen

Anonymous · ‎2011-05-31

Hi,
just to explain the scenario in detail:
1. Created the 'Getting Started' Rent-a-Car Example with STS Profile.
2. Started the STS Rent-a-Car example app and run it successfully!
3. Created a crmservice webservice project to provide the crmservice by war deployment.(same buisnes code)
4. Defined the Service Locator, SAM features in the beans.xml and tested it successfully with rent-a-car (without sts)
5. Added the STS configuration in the crmservice (war)..(using the same callbackhandler)
6. Changed the crmservice endpoint to new one deployed on tomcat .
7. In karaf: switch back / redeploy rent-a-car app (with sts)
8. Test failed (wrong wsdl) and fixed wsdl location (to CRMServiceSTS.wsdl)
9. Tested the crmservice with Rent-a-Car (STS)
=> on the tomcat server erverything looks good! The request was processed successfully
=> in the Rent-a-Car karaf container the 'javax.xml.ws.WebServiceException: The signature or decryption was invalid' was thrown.
The tomcat based crmservice uses the same keystore like karaf/osgi based crmservice.
It's just a copy ...
The crmservice (war) security configuration is the same like the one of 'Getting Started'
So, if I run the crmservice on osgi => Test OK
If the tomcat crmservice (war) is in use => Client Fails.
... I will check the points you mentioned.
Regards,
Robert

ESB

Other