How to config Tomcat to avoid 403

 
Ranch Hand
Posts: 35
Hello!

I use Axis for a secure web service, but I keep getting 403 when I try to access it.

My client is shown below. When I run it with a user/pass like tomcat/tomcat, I just get 403 all the time.

If I try another user/pass, I get 401.

I guess I need to configure Tomcat for the Axis app in some way.

If I try to access it with a browser, I get a login popup and the result is the same: 403, 401.

My Client:

import java.net.*;
import org.apache.axis.client.*;
import javax.xml.namespace.*;
import javax.net.ssl.*;
import java.security.*;
import localhost.axis.SSLSoapWsdlServer_jws.*;
import org.apache.ws.axis.security.*;
import org.apache.axis.*;
import org.apache.axis.configuration.*;

public class SSLSoapWsdlClient
{
    public SSLSoapWsdlClient()
    {
        try
        {
            // Client key store and trust store used for the TLS connection
            System.setProperty("javax.net.ssl.keyStore", "client.ks");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            System.setProperty("javax.net.ssl.keyStoreType", "JKS");
            System.setProperty("javax.net.ssl.trustStore", "client.ts");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

            // Register the Sun JSSE HTTPS protocol handler and provider
            System.setProperty( "java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol" );
            Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() );

            // Bind the generated stub to the HTTPS endpoint and set the login credentials for the call
            SSLSoapWsdlServerServiceLocator sslSoapWsdlServerServiceLocator = new SSLSoapWsdlServerServiceLocator();
            SSLSoapWsdlServerSoapBindingStub sslSoapWsdlServerSoapBindingStub = (SSLSoapWsdlServerSoapBindingStub) sslSoapWsdlServerServiceLocator.getSSLSoapWsdlServer(new URL("https://localhost:8443/axis/services/SSLSoapWsdlServer"));
            sslSoapWsdlServerSoapBindingStub.setUsername("tomcat");
            sslSoapWsdlServerSoapBindingStub.setPassword("tomcat");
            String returned = (String)sslSoapWsdlServerSoapBindingStub.getPrime("2isAnOddPrime");
            System.out.println( "Soap returned: " + returned );
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }

    public static void main(String[] args)
    {
        SSLSoapWsdlClient sslSoapWsdlClient = new SSLSoapWsdlClient();
    }
}
 
Author and all-around good cowpoke
Posts: 13078
I have done some with SSL on Tomcat - it was a real pain getting everything configured right. How are you configuring certificates on the Tomcat side?
Are you sure the Tomcat side is working right?
Also - which Tomcat version? Which Java version? Source of certificates?
Bill
 
Fredrik Andersson
Ranch Hand
Posts: 35
My Tomcat config looks like:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           keystoreFile="D:\Fredrik\Kurser\DSV\int_4\assignments\assignments2\java_233\server.ks"
           keystorePass="changeit"
           keystoreType="JKS"
           truststoreFile="D:\Fredrik\Kurser\DSV\int_4\assignments\assignments2\java_233\server.ts"
           truststorePass="changeit"
           truststoreType="JKS"
           clientAuth="false" sslProtocol="TLS" />

And I have created the keystores and certificates like:
set SERVER_DN="CN=localhost, OU=localhost, O=x, L=y, S=sverige, C=se"
set CLIENT_DN="CN=localhost, OU=localhost, O=x, L=y, S=sverige, C=se"
set KSDEFAULTS=-storepass changeit -storetype JKS
set KEYINFO=-keyalg RSA

keytool -genkey -dname %SERVER_DN% %KSDEFAULTS% -keystore server.ks %KEYINFO% -keypass changeit
keytool -export -file temp$.cer %KSDEFAULTS% -keystore server.ks
keytool -import -file temp$.cer %KSDEFAULTS% -keystore client.ts -alias serverkey -noprompt
keytool -genkey -dname %CLIENT_DN% %KSDEFAULTS% -keystore client.ks %KEYINFO% -keypass changeit
keytool -export -file temp$.cer %KSDEFAULTS% -keystore client.ks
keytool -import -file temp$.cer %KSDEFAULTS% -keystore server.ts -alias clientkey -noprompt

I use Tomcat 5.5.9 and Java 1.5

Do you see anything wrong?
/Fredrik
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
Using Tomcat 5.0.x I found that I also had to include declaration of the locations of the keys in the JAVA_OPTS for Tomcat. I dunno why the declaration in the Connector was not enough but that's what it took to get Tomcat happy. In Catalina.bat I have:

(actually all on one line)
Bill
 
Fredrik Andersson
Ranch Hand
Posts: 35
Hello!

I tried what you said; I put this into catalina.bat before starting Tomcat:


I made sure that I now used the same keystore for both the client and server.

I changed my Connector-settings in server.xml to:


And I also started my client with:


But I still get 403 as a response.

How did you create your keystore?

Best regards
Fredrik
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
I just used the keytool.exe that comes in the Java SDK. As I recall, you should be seeing some sort of server log messages related to sending the 403 error that might help.
Bill
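
Added example, not part of the thread: with container-managed BASIC authentication, Tomcat answers 401 when the credentials are rejected and 403 when the user logs in but holds none of the roles named in the matching auth-constraint, which fits the tomcat/tomcat versus other-credentials symptoms reported above. The Python below applies that rule to constructed `tomcat-users.xml` and `web.xml` samples. The file contents, the `wsuser` role, the user `alice` and the function names are assumptions, since the thread shows neither file.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the thread shows neither file, so the users, roles and
# constraint below are assumptions chosen to reproduce the reported symptoms.
TOMCAT_USERS = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="alice" password="s3cret" roles="wsuser,tomcat"/>
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>wsuser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def _find(node, name):
    """Descendants by local tag name, so a namespaced web.xml also works."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def required_roles(web_xml, path):
    """Roles demanded for a context-relative path, or None if unprotected.
    Handles exact and '/prefix/*' url-patterns with explicit role names only."""
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        pats = [(p.text or "").strip() for p in _find(sc, "url-pattern")]
        hit = any(p == path or (p.endswith("/*") and (path + "/").startswith(p[:-1]))
                  for p in pats)
        if hit and _find(sc, "auth-constraint"):
            return {(r.text or "").strip() for r in _find(sc, "role-name")}
    return None

def expected_status(users_xml, web_xml, path, username, password):
    """401 = credentials rejected, 403 = authenticated but missing a required
    role, 200 = the request passes the security constraint."""
    needed = required_roles(web_xml, path)
    if needed is None:
        return 200
    for u in _find(ET.fromstring(users_xml), "user"):
        if (u.get("username") or u.get("name")) == username and u.get("password") == password:
            held = {r.strip() for r in u.get("roles", "").split(",")}
            return 200 if held & needed else 403
    return 401

if __name__ == "__main__":
    path = "/services/SSLSoapWsdlServer"  # the thread's URL minus the /axis context
    for user, pw in [("tomcat", "tomcat"), ("tomcat", "wrong"), ("alice", "s3cret")]:
        print(user, pw, expected_status(TOMCAT_USERS, WEB_XML, path, user, pw))
```

To check a real installation, pass the contents of Tomcat's `conf/tomcat-users.xml` and the web application's `WEB-INF/web.xml` in place of the samples.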
 