How to config Tomcat to avoid 403

 
Ranch Hand
Posts: 35
Hello!

I use axis for a secure web service but I keep getting 403 when I try to access it.

My Client looks like below. And when i run with user/pass like tomcat/tomcat I just get 403 all the time.

If I try other user/pass I get 401.

I guess I need to config Tomcat for the axis app in some way.

If I try to access it with a browser I get a login popup and the result is the same, 403, 401.

My Client:

import java.net.*;
import org.apache.axis.client.*;
import javax.xml.namespace.*;
import javax.net.ssl.*;
import java.security.*;
import localhost.axis.SSLSoapWsdlServer_jws.*;
import org.apache.ws.axis.security.*;
import org.apache.axis.*;
import org.apache.axis.configuration.*;

public class SSLSoapWsdlClient
{
    public SSLSoapWsdlClient()
    {
        try
        {
            // Client key material and the trust store holding the server certificate
            System.setProperty("javax.net.ssl.keyStore", "client.ks");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            System.setProperty("javax.net.ssl.keyStoreType", "JKS");
            System.setProperty("javax.net.ssl.trustStore", "client.ts");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

            // Register the JSSE https protocol handler and provider
            System.setProperty( "java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol" );
            Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() );

            // Bind the generated Axis stub to the HTTPS endpoint
            SSLSoapWsdlServerServiceLocator sslSoapWsdlServerServiceLocator = new SSLSoapWsdlServerServiceLocator();
            SSLSoapWsdlServerSoapBindingStub sslSoapWsdlServerSoapBindingStub = (SSLSoapWsdlServerSoapBindingStub) sslSoapWsdlServerServiceLocator.getSSLSoapWsdlServer(new URL("https://localhost:8443/axis/services/SSLSoapWsdlServer"));

            // Credentials sent with the call
            sslSoapWsdlServerSoapBindingStub.setUsername("tomcat");
            sslSoapWsdlServerSoapBindingStub.setPassword("tomcat");
            String returned = (String)sslSoapWsdlServerSoapBindingStub.getPrime("2isAnOddPrime");
            System.out.println( "Soap returned: " + returned );

        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }

    public static void main(String[] args)
    {
        SSLSoapWsdlClient sslSoapWsdlClient = new SSLSoapWsdlClient();
    }
}
 
Author and all-around good cowpoke
Posts: 13078
I have done some with SSL on Tomcat - it was a real pain getting everything configured right. How are you configuring certificates on the Tomcat side?
Are you sure the Tomcat side is working right?
Also - which Tomcat version? which Java version? source of certificates?
Bill
 
Fredrik Andersson
Ranch Hand
Posts: 35
My Tomcat config looks like:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="D:\Fredrik\Kurser\DSV\int_4\assignments\assignments2\java_233\server.ks"
               keystorePass="changeit"
               keystoreType="JKS"
               truststoreFile="D:\Fredrik\Kurser\DSV\int_4\assignments\assignments2\java_233\server.ts"
               truststorePass="changeit"
               truststoreType="JKS"
               clientAuth="false" sslProtocol="TLS" />

And I have created the keystores and certificates like:
    set SERVER_DN="CN=localhost, OU=localhost, O=x, L=y, S=sverige, C=se"
    set CLIENT_DN="CN=localhost, OU=localhost, O=x, L=y, S=sverige, C=se"
    set KSDEFAULTS=-storepass changeit -storetype JKS
    set KEYINFO=-keyalg RSA

    keytool -genkey -dname %SERVER_DN% %KSDEFAULTS% -keystore server.ks %KEYINFO% -keypass changeit
    keytool -export -file temp$.cer %KSDEFAULTS% -keystore server.ks
    keytool -import -file temp$.cer %KSDEFAULTS% -keystore client.ts -alias serverkey -noprompt
    keytool -genkey -dname %CLIENT_DN% %KSDEFAULTS% -keystore client.ks %KEYINFO% -keypass changeit
    keytool -export -file temp$.cer %KSDEFAULTS% -keystore client.ks
    keytool -import -file temp$.cer %KSDEFAULTS% -keystore server.ts -alias clientkey -noprompt

I use Tomcat 5.5.9 and Java 1.5

Do you see anything wrong?
/Fredrik
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
Using Tomcat 5.0.x I found that I also had to include declaration of the locations of the keys in the JAVA_OPTS for Tomcat. I dunno why the declaration in the Connector was not enough but that's what it took to get Tomcat happy. In Catalina.bat I have:

(actually all on one line)
Bill
 
Fredrik Andersson
Ranch Hand
Posts: 35
Hello!

I tried what you said, I put this into catalina.bat before starting Tomcat:


I made sure that I now used the same keystore for both the client and server.

I changed my Connector-settings in server.xml to:


And I also started my client with:


But I still get 403 as a response.

How did you create your keystore?

Best regards
Fredrik
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
I just used the keytool.exe that comes in the Java SDK. As I recall, you should be seeing some sort of server log messages related to sending the 403 error that might help.
Bill
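
Added example, not part of the thread or of Tomcat: one way to read the server-side log messages mentioned above, separating the 401 responses from the 403 responses by whether the access log recorded an authenticated user (%u). It assumes Tomcat's AccessLogValve is enabled with pattern="common"; the log lines are constructed samples, and the label names are this example's own.

```python
import re
from collections import Counter

# Common Log Format as written by AccessLogValve with pattern="common":
# %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (assumption: not taken from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [12/Oct/2005:10:01:02 +0200] "POST /axis/services/SSLSoapWsdlServer HTTP/1.0" 401 952
127.0.0.1 - tomcat [12/Oct/2005:10:01:09 +0200] "POST /axis/services/SSLSoapWsdlServer HTTP/1.0" 403 964
127.0.0.1 - - [12/Oct/2005:10:02:30 +0200] "GET /axis/services/SSLSoapWsdlServer HTTP/1.1" 403 964
127.0.0.1 - tomcat [12/Oct/2005:10:03:00 +0200] "GET /axis/ HTTP/1.1" 200 1203
this line is not an access log entry
"""

def classify(line):
    """Return (label, user, request) for one access-log line, or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    status, user = m["status"], m["user"]
    if status == "401":
        label = "auth-failed"               # credentials missing or rejected
    elif status == "403" and user != "-":
        label = "authenticated-but-denied"  # login accepted, access check refused
    elif status == "403":
        label = "denied-before-auth"        # refused with no authenticated user
    else:
        label = "other"
    return label, user, m["request"]

def summarize(log_text):
    """Count the denial classes seen in a block of access-log text."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        counts[result[0] if result else "unparsed"] += 1
    return dict(counts)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(summarize(SAMPLE_LOG))
```

A 403 line that carries a user name means the login itself was accepted and the refusal came from the access check that follows it, so the next place to look is the roles required for that URL rather than the keystores.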
 