Version service error on a clean install of Axis2 on Tomcat
I am an engineering student doing an internship. I must create a web service. It must:
- use HTTPS
- use Gzip in order to compress HTTPS data
- use SOAP/WSDL
I've never developed a web service before. I have chosen Tomcat + Axis for developing this project.
My OS is Windows 7, I have installed Tomcat 6.0 and configured HTTPS, and it works fine when I try to access Tomcat with a browser. I also configured the server for Gzip compression.
Next, I tried to install Axis, so I downloaded axis1.5.4.war and deployed it on the server. With my browser, I was able to access the Axis "welcome page" successfully, but when I clicked on "Validate," I got this:
There was a problem in Axis2 version service , may be the service not available or some thing has gone wrong. But this does not mean system is not working ! Try to upload some other service and check to see whether it is working. [sic]
To address this, I modified the Axis conf file on my server per this documentation.
I got this on my Eclipse console:
[INFO] Unable to sendViaPost to url[https://localhost/axis2/services/Version]
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How do I resolve this?
Comments (4)
First off, the problem is almost certainly that the certificate you used to secure Tomcat is not signed by a standard CA. This can cost, but it's really not much and it makes the clients work much better. If you're using SSL in client-certificate mode (not the default, but easy to turn on) then you must also configure Tomcat to know about the signer (or signers) of the client certificates — well, unless they use standard CAs.
Perhaps it's easier if I explain it this way. When one end of an SSL (or HTTPS) connection uses a cryptographic certificate to prove who they are — servers always do this, and can request that clients do too — the other end gets a whole bag of signed assertions about who it is, but still needs to independently check that those assertions are true. This is done by checking who signed the assertions (and a few other things); if it was signed by someone who is trusted, i.e., a Certificate Authority, then the receiver of the crypto identity can know who they are really talking to.
That's an oversimplification though: certificates expire, there are usage restrictions, there can be chains of trust, and for HTTPS there are additional checks too. Yet ultimately it's all got to come down to “who am I talking to, and do I really trust them?” Cryptography helps a lot with that, but that does mean the trust root is required. By default, it's the client that needs the trust root (or roots), but with client-authenticated SSL it's both sides.
The version service error is pretty common, and I encountered the exact same problem on my fresh install of axis2 & tomcat too.
Anyways, to fix the Version Service error, open the axis2-web/HappyAxis.jsp and find the following line of code:
Modify the above line to the following:
Refer Link: http://axis.apache.org/axis2/java/core/docs/servlet-transport.html
For each protocol (HTTP and/or HTTPS), an AxisServletListener instance must be declared in axis2.xml. If only a single protocol is used, no further configuration is required. For example, if only HTTP is used, the following declaration must be present in axis2.xml:
If both HTTP and HTTPS are used, then things become a bit more complicated. The reason is that in order to expose WSDLs with correct endpoint URIs, AxisServlet must know the ports used by HTTP and HTTPS. Unfortunately the servlet API doesn't allow a Web application to discover all configured protocols. It only provides information about the protocol, host name and port for the current request. If only a single AxisServletListener is configured, then this information is enough to let AxisServlet auto-detect the port number. If both HTTP and HTTPS are used (or if WSDLs are retrieved through transports other than AxisServlet), then AxisServlet has no way of knowing the port numbers until it has processed at least one request for each protocol. To make WSDL generation predictable in this scenario, it is necessary to explicitly configure the port numbers in axis2.xml, such as in the following example:
You get this because the certificate you used to secure the axis2 service is not trusted. You need to import that public certificate or the CA cert that signed it to a key store and set the following two system properties - in your client code
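The trust-store approach described in the answers above, as an added example that is not part of the original posts: it runs the same PKIX check that failed in the handshake against a client trust store, offline, and only then points JSSE at that store. The class name `TrustCheck`, the alias `tomcat` and the file names are hypothetical; `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` are the standard JSSE properties, and using them here is an assumption about what the answer's omitted snippet contained.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example. Prepare the inputs with keytool (alias and file names are placeholders):
//   keytool -exportcert -alias tomcat -keystore <tomcat keystore> -file tomcat.cer
//   keytool -importcert -alias tomcat -file tomcat.cer -keystore client-truststore.jks
// Run: java TrustCheck tomcat.cer client-truststore.jks <truststore password>
public class TrustCheck {
    // Build the X509TrustManager that JSSE would derive from the given JKS trust store.
    static X509TrustManager trustManagerFor(String storePath, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            store.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    public static void main(String[] args) throws Exception {
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[0])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509TrustManager tm = trustManagerFor(args[1], args[2].toCharArray());
        try {
            // Same PKIX path validation the TLS handshake runs; "RSA" assumes an RSA server key.
            tm.checkServerTrusted(new X509Certificate[] {server}, "RSA");
        } catch (CertificateException e) {
            System.out.println("NOT trusted: " + e.getMessage());
            return;
        }
        System.out.println("Trusted: " + server.getSubjectX500Principal().getName());
        // Point JSSE at this store before the Axis2 client opens its first HTTPS connection.
        System.setProperty("javax.net.ssl.trustStore", args[1]);
        System.setProperty("javax.net.ssl.trustStorePassword", args[2]);
    }
}
```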