
How to set the right Security Header in a kSOAP envelope in Android

No replies
ESer
Joined: 2012-11-10

Hi there,

As you can see in the title, I want to create a web service, which I'm developing with NetBeans 7 and which should run on the integrated GlassFish 3.1 server. The web service should then be called from an Android app over an SSL-secured connection. In the Android app I am using the SOAP library ksoap2 to get this done.

After a while I was able to establish an HTTPS connection in which the client authenticates itself with a username and a password. So I was just using the default "file" as the standard-realm on my GlassFish server.
In my Android app I therefore had to add a security header to the SOAP envelope I'm sending, which contained the username and password of the user I created in the GlassFish Administration Tool.

Everything worked fine and I could reach the WSDL file of my web service with my browser at the following address.
https://192.168.1.214:8181/STAwebservice_ssl/stawebservice?wsdl
So my NetBeans web application project has the name STAwebservice_ssl and my web service is the class stawebservice.java in the package de.stapf.staws.stawebservice.

Now I want the client to use a certificate rather than the username/password credentials to authenticate itself.
So I used the following documentation to set this up.
http://docs.oracle.com/cd/E19798-01/821-1841/gijrp/index.html
http://m7mdali.blogspot.de/2010/03/client-certificate-authentication.html

So I expected that when I tried to reach the WSDL file with my web browser I would get some warning from the server, because I haven't imported my own certificate into the browser yet.
But instead I was just getting an Error 324 ERR_EMPTY_RESPONSE from the server. There are no exceptions thrown in the GlassFish console. So I would be glad if someone could take a look at the configuration steps I took, to see whether those were the right ones, and whether I just set a wrong path and that's why I am getting nothing from the server, or whether I am missing something important here.

Configuration Steps

1. In the GlassFish Administration Tool (config -> server-config -> security) I set the standard-realm to certificate

2. Under config -> server-config -> security -> realms -> certificate, I assigned it to the group User and added the property Name=clientAuth Value=true

3. I went to my web application project in NetBeans, right-clicked on the web service (stawebservice) -> Edit Web Service Attributes, and in the Secure Service section, where I chose Transport Security (SSL) -> Configure, I checked Require Client Certificate

4. Now I set all the attributes in the web.xml file of my web application project as in the tutorial I posted. I guess it's best if I just post the web.xml file here.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <servlet>
        <servlet-name>STAwebservice_ssl</servlet-name>
        <servlet-class>de.stapf.staws.stawebservice.stawebservice</servlet-class>
        <run-as>
            <role-name>User</role-name>
        </run-as>
    </servlet>
    <servlet-mapping>
        <servlet-name>STAwebservice_ssl</servlet-name>
        <url-pattern>/STAwebservice_ssl/stawebservice</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <!-- Every URL of the application requires the role User and a CONFIDENTIAL (HTTPS) transport -->
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>User</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- Authenticate callers by client certificate, using the realm named "certificate" -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
</web-app>

5. Now I thought the next step would be the mapping of the created security role to a group. Since I had no sun-web.xml file in my project, I created a glassfish-web.xml in the WEB-INF folder to set the mapping, and I think it's working, because before I did that the GlassFish server gave me a warning that there is nothing assigned to the role User.
Anyway, this is what my glassfish-web.xml file looks like

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <!-- Map the role User declared in web.xml to the principal EmmanuelSP and to the group User -->
  <security-role-mapping>
    <role-name>User</role-name>
    <principal-name>EmmanuelSP</principal-name>
    <group-name>User</group-name>
  </security-role-mapping>
  <servlet>
    <servlet-name>STAwebservice_ssl</servlet-name>
    <principal-name>EmmanuelSP</principal-name>
  </servlet>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

By the way, what exactly is the <principal-name> tag for? I didn't really get that.
I thought the value entered here is the Common Name (CN) the client certificate has to have. This is why I entered EmmanuelSP, because that's the CN of my self-signed certificate, which I imported into cacerts.jks and which I wanted to import into the browser to test the connection.
If it's not like that, how does the server actually check whether the certificate the client presents is the right one? Does it just check whether the same certificate is available in the cacerts.jks keystore?

So these are the configuration steps I took. Did I miss something? I got a little bit confused with all the configuration stuff.

Thanks to everyone who read my post, maybe someone can give me a hint.

Regards,
Emmanuel
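The question at the end of the post (what the server actually checks when a client presents a certificate) is easiest to see in a handshake you can run locally. The following is an added example, not code from the original post and not GlassFish's implementation: it uses Python's standard `ssl` module and the `openssl` command line (assumed to be on PATH, version 1.1.1 or newer, with `-addext` support) to build a server that requires a client certificate, then runs three in-memory handshakes against it: a client whose self-signed certificate is in the server's trust store (the role cacerts.jks plays on GlassFish), a client with no certificate, and a client with a different self-signed certificate that carries the same CN but is not in the store. The names `SERVER_NAME`, `CLIENT_CN` and all helper functions are assumptions chosen for the example; the CN EmmanuelSP and the "clientAuth" property come from the post.

```python
"""Added example (not from the post): what a server that requires a client
certificate checks, done with the Python standard library plus the `openssl`
CLI (assumption: openssl >= 1.1.1 on PATH). In order, the server
  1. demands a certificate during the TLS handshake (clientAuth=true),
  2. validates that certificate against its trust store (cacerts.jks analogue),
  3. only then takes the subject CN of the accepted certificate as the principal.
"""
import os
import ssl
import subprocess
import tempfile

SERVER_NAME = "localhost"   # assumed: name the client verifies the server as
CLIENT_CN = "EmmanuelSP"    # CN from the post


def make_self_signed(workdir, name, cn, san=None):
    """Generate a self-signed RSA certificate and key; returns (crt_path, key_path)."""
    crt = os.path.join(workdir, name + ".crt")
    key = os.path.join(workdir, name + ".key")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + cn]
    if san:  # server certs need a SAN so the client can verify the hostname
        cmd += ["-addext", "subjectAltName=DNS:" + san]
    subprocess.run(cmd, check=True, capture_output=True)
    return crt, key


def server_context(server_crt, server_key, trusted_client_crt):
    """Server side: present our cert, REQUIRE a client cert, trust only the store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED                    # clientAuth=true
    ctx.load_verify_locations(cafile=trusted_client_crt)   # the trust store
    return ctx


def client_context(server_crt, client_crt=None, client_key=None):
    """Client side: verify the server; present a client cert only if given one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # hostname check + CERT_REQUIRED
    ctx.load_verify_locations(cafile=server_crt)
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    return ctx


def _pump(src, dst):
    """Move whatever one side wrote into the other side's incoming buffer."""
    data = src.read()
    if data:
        dst.write(data)


def handshake_in_memory(server_ctx, client_ctx):
    """Run a complete TLS handshake between two in-process endpoints over MemoryBIOs.
    Returns the server-side SSLObject; raises ssl.SSLError when the server rejects."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False, server_hostname=SERVER_NAME)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(16):                 # a handshake needs only a few round trips
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(c_out, s_in)              # client -> server
        if not server_done:
            try:
                server.do_handshake()   # raises here if the client cert fails verification
                server_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(s_out, c_in)              # server -> client
        if client_done and server_done:
            return server
    raise RuntimeError("handshake did not converge")


def authenticate(server_ctx, client_ctx):
    """Return (principal_cn, None) on success or (None, reason) when the server rejects."""
    try:
        server = handshake_in_memory(server_ctx, client_ctx)
    except ssl.SSLError as e:
        return None, (e.reason or str(e))
    subject = dict(rdn[0] for rdn in server.getpeercert()["subject"])
    return subject.get("commonName"), None


def demo():
    """Three clients against one server: trusted cert, no cert, untrusted cert with same CN."""
    work = tempfile.mkdtemp()
    s_crt, s_key = make_self_signed(work, "server", SERVER_NAME, san=SERVER_NAME)
    c_crt, c_key = make_self_signed(work, "client", CLIENT_CN)
    x_crt, x_key = make_self_signed(work, "stranger", CLIENT_CN)  # same CN, not in store
    srv = server_context(s_crt, s_key, trusted_client_crt=c_crt)
    return {
        "trusted":   authenticate(srv, client_context(s_crt, c_crt, c_key)),
        "no_cert":   authenticate(srv, client_context(s_crt)),
        "untrusted": authenticate(srv, client_context(s_crt, x_crt, x_key)),
    }


if __name__ == "__main__":
    for case, (principal, reason) in demo().items():
        print(f"{case:10s} -> " + (f"accepted as {principal}" if principal else f"rejected: {reason}"))
```

Only the first client is accepted, and its principal name is read from the certificate after the chain has validated against the store; the "stranger" certificate has the right CN but is rejected during the handshake, before any principal-to-role mapping is consulted. A rejection at that stage closes the connection before any HTTP response is written, which is what the browser reports as an empty response; against a real server the same thing can be observed with `openssl s_client -connect 192.168.1.214:8181`, which prints the server's client-certificate request and the alert with which the connection is closed.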