Java CXF 客户端:无法找到到请求目标的有效认证路径
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20554567/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
CXF client: unable to find valid certification path to requested target
提问by Withheld
I am trying to implement a client for a CXF-based web service that I also wrote.
我正在尝试为我也编写的基于 CXF 的 Web 服务实现一个客户端。
My web service works great (tested working fine via soapUI), but running the client fails with the following:
我的 Web 服务运行良好(通过soapUI 测试运行良好),但运行客户端失败,出现以下情况:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
The message clearly points at a certificate problem, so I did a quick search and found the correct approach to supporting SSL in CXFand added the following to my Spring application context config XML:
该消息明确指出了证书问题,因此我进行了快速搜索,找到了在 CXF 中支持 SSL的正确方法,并将以下内容添加到我的 Spring 应用程序上下文配置 XML 中:
<http:conduit name="https://myserver/myws/register/soap?wsdl:{http://glob.reg.com/myws}.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
file="my/file/dir/Morpit.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
file="my/file/dir/Truststore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:authorization>
<sec:UserName>Betty</sec:UserName>
<sec:Password>password</sec:Password>
</http:authorization>
<http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
And rebuilt the client. The client built successfully but I am still getting the same exact error and same exact stack trace, as if I never added this http:conduitthing.
并重建客户端。客户端成功构建,但我仍然收到相同的错误和相同的堆栈跟踪,就好像我从未添加过这个http:conduit东西一样。
I have not added the certificate to the store yet, and the path to the store is incorrect, but this is intentional as I just wanted to see how the re-built client reports this problem, adjusting to the new http:conduitinformation.
我还没有将证书添加到商店,商店的路径不正确,但这是故意的,因为我只是想看看重建的客户端如何报告这个问题,适应新的http:conduit信息。
Instead, I was surprised to see that it was ignored altogether.
相反,我惊讶地发现它被完全忽略了。
What have I missed?
我错过了什么?
What is the correct way of approaching this?
解决这个问题的正确方法是什么?
Update:I just noticed my applicationcontext.xml underlining http:conduitwith this error message:
更新:我刚刚注意到我的 applicationcontext.xmlhttp:conduit带有以下错误消息的下划线:
The prefix "http" for element "http:conduit" is not bound.
So I did a quick search and found a threadthat suggests:
所以我进行了快速搜索并找到了一个建议:
The client needs to configure the HTTP conduit with the keystore that contains the certificate of the STS, e.g.:
客户端需要使用包含 STS 证书的密钥库配置 HTTP 管道,例如:
<http:conduit name="https://localhost:.*">
<http:tlsClientParameters disableCNCheck="true">
<sec:trustManagers>
<sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
</sec:trustManagers>
</http:tlsClientParameters>
</http:conduit>
Which reinforces what @GreyBeardedGeek wrote. Going to work on thisnow...
这加强了@GreyBeardedGeek 所写的内容。现在开始做这件事...
采纳答案by Withheld
Problem solved!
问题解决了!
I followed this magicmonster articlecarefully (note the highlights on "older version of java", and the default password 'changeit'), to import the entire self signed certificate chainto the list of trusted certificates of the Java:
我仔细阅读了这篇magicmonster文章(注意“旧版java”的亮点,以及默认密码“changeit”),将整个自签名证书链导入到Java的可信证书列表中:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
With one very important additionaltwist: Do it for all certificates in the chain, not only the root!(in my case there were three: my organization's, the intermediate, and the root)
还有一个非常重要的额外转折:对链中的所有证书都这样做,而不仅仅是根!(就我而言,有三个:我的组织的、中间的和根的)
Then... go to the Spring application context config XMLand modify the <http:conduitsection to have the correct path (and password) for Java's cacertsfile:
然后...转到Spring 应用程序上下文配置 XML并修改该<http:conduit部分以获得 Java 的cacerts文件的正确路径(和密码):
<http:tlsClientParameters>
<sec:keyManagers keyPassword="changeit">
<sec:keyStore type="JKS" password="changeit"
file="C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="changeit"
file="C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts"/>
</sec:trustManagers>
