WebObjects/Web Services/Web Service Consumer
SSL WebServices Problems
[edit | edit source]1. WOWebServiceClient class can't access to a secure HTTP Web service provider (WO 5.2.2):
Problem: The com.webobjects.webservices.client.WOWebServiceClient class just throws exception like this one when it tries to read the WSDL from a secure HTTP Web service provider:
java.lang.IllegalArgumentException: Unable to open url: https://localhost/cgi-bin/WebObjects/Test-Server.woa/ws/Test?wsdl at com.webobjects.webservices.client.WOWebServiceClient. initializeFromURL(WOWebServiceClient.java:72) at com.webobjects.webservices.client.WOWebServiceClient. <init>(WOWebServiceClient.java:59)
This problem doesn't seem related to self signed certificate, since I've performed tests with trusted certificate as well.
Patrick Robinson
[edit | edit source]That's strange . . .
I had the same problem when I was trying to run both service and client on my development machine (which has only a self-signed cert), and specifying an HTTPS WSDL address. But after adding my cert to /Library/Java/Home/lib/security/cacerts:
cd /Library/Java/Home/lib/security sudo keytool -import -keystore cacerts -alias myalias -file mycert.pem
(The default password for the cacerts keystore is "changeit")
everything works fine.
I also had no trouble accessing either the WSDL or the service, via HTTPS, when the service was run on a system with a valid, trusted cert.
Francis Labrie
[edit | edit source]It's finally not a real bug, thanks to PatrickRobinson and to the JAD tool. This exception is typically thrown when the server certificate is not trusted, i.e. the certificate is self-signed and not stored in the Java trusted keystore, or the hostname is not the same on the server and in the certificate, etc.
The problem is that the initializeFromURL() method of the com.webobjects.webservices.client.WOWebServiceClient class doesn't wrap and forward the catched exceptions, it only throws IllegalArgumentException with a simple " Unable to open url" or " Unable to create service from url" message, without any details.
To avoid such problem, just relax the Java security manager using code like one described here: How to Trust Any SSL Certificate.