Tuesday, January 29, 2008

JAX-WS: ORA-31011

Today, I tried to do something useful for my bachelor thesis. I tried to query an Oracle 11G DBMS via a SOAP-based Webservice. Using the instructions from Andrea and Oracle I got the service up and running. The Webservice was reachable under http://localhost:8080/orawsv and presented its WSDL via http://localhost:8080/orawsv?wsdl.

Now the trouble started:
The URL from the Oracle HTTP-Server is secured via HTTP authentication. OK, so I downloaded the WSDL and created the stubs from a local file with the JDK's wsimport. Now I needed to tell the Webservice Client Provider to authenticate if necessary:

ORAWSVPortType port = new ORAWSVService().getORAWSVPort();
Map<String, Object> requestCtx = ((BindingProvider) port).getRequestContext();
requestCtx.put(BindingProvider.USERNAME_PROPERTY, "user");
requestCtx.put(BindingProvider.PASSWORD_PROPERTY, "password");

The first test ended in a disaster:

Exception in thread "main" java.lang.IllegalArgumentException: faultCode argument for createFault was passed NULL
at com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl.createFault(SOAPFactory1_1Impl.java:56)
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:108)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:254)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy32.xmlFromQuery(Unknown Source)
at productcatalogws.Main.main(Main.java:49)
Java Result: 1

I couldn't make anything useful out of these messages. The only thing I found was a dead end: bug_id=6587659.

So I started debugging:

First, view the SOAP messages:
I used the cool Charles proxy.
Configuration for Java:

System.getProperties().put("proxySet", "true");
System.getProperties().put("proxyHost", "localhost");
System.getProperties().put("proxyPort", "8888");

After viewing the messages I noticed nothing of interest except:
ORA-31011: XML parsing error, but without any reference to the Webservice.

I found a cool tool to use webservices: soapUI (you can do everything I needed using it!!) and queried the Oracle Webservice by hand. And it worked!

The problem was that the default JAX-WS Provider sends:
Content-Type: text/xml;charset="utf-8"

And the Oracle HTTP Server expects:
Content-Type: text/xml;charset=UTF-8

An example SOAPMessage (including the header):

Authorization: Basic XXXXX
Host: localhost:8080
Content-Length: 314
SOAPAction: "http://localhost:8080/orawsv"
User-Agent: Jakarta Commons-HttpClient/3.0.1
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oraw="http://xmlns.oracle.com/orawsv">
<soapenv:Header/>
<soapenv:Body>
<oraw:query>
<oraw:query_text type="SQL">SELECT * FROM PRODUCT</oraw:query_text>
</oraw:query>
</soapenv:Body>
</soapenv:Envelope>
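
An added example, not code from the original post: the same request sent with plain HttpURLConnection, so the Content-Type header goes out with the unquoted charset that worked from soapUI. The class name and the user:password credentials are placeholders, and readAllBytes needs Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OrawsvRawClient {  // hypothetical class name
    // Endpoint, SOAPAction and query are the ones shown in the post.
    static final String ENDPOINT = "http://localhost:8080/orawsv";
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
        + " xmlns:oraw=\"http://xmlns.oracle.com/orawsv\">"
        + "<soapenv:Header/><soapenv:Body><oraw:query>"
        + "<oraw:query_text type=\"SQL\">SELECT * FROM PRODUCT</oraw:query_text>"
        + "</oraw:query></soapenv:Body></soapenv:Envelope>";

    public static void main(String[] args) throws IOException {
        byte[] body = ENVELOPE.getBytes(StandardCharsets.UTF_8);
        // Placeholder credentials, sent preemptively as HTTP Basic.
        String basic = Base64.getEncoder()
            .encodeToString("user:password".getBytes(StandardCharsets.UTF_8));

        HttpURLConnection con = (HttpURLConnection) new URL(ENDPOINT).openConnection();
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setFixedLengthStreamingMode(body.length);
        // Unquoted charset, exactly as the Oracle HTTP server accepted it from soapUI.
        con.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
        con.setRequestProperty("SOAPAction", "\"" + ENDPOINT + "\"");
        con.setRequestProperty("Authorization", "Basic " + basic);
        try (OutputStream out = con.getOutputStream()) {
            out.write(body);
        }

        int status = con.getResponseCode();
        // For 4xx/5xx the payload (e.g. a SOAP fault with the ORA- text) is on the error stream.
        try (InputStream in = status >= 400 ? con.getErrorStream() : con.getInputStream()) {
            String text = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8);
            System.out.println("HTTP " + status);
            System.out.println(text);
        }
    }
}
```

Printing the raw status and body also shows the server's fault text directly, instead of the IllegalArgumentException the JAX-WS fault handling produced.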

The questions are:
Does JAX-WS do something wrong during the request, or is the DB Webservice the bad guy?
And why doesn't JAX-WS handle the SOAPfault correctly?

Used software:

javac --version:

java version "1.6.0_04"
Java(TM) SE Runtime Environment (build 1.6.0_04-b12)
Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)

Oracle 11G DBMS:

Oracle Database 11g Release 1 for 32-bit Windows.

Tuesday, January 1, 2008

OpenSSH using Kerberos via GSSAPI

I forgot to activate a small and tiny feature during the update to Debian Etch: OpenSSH with GSSAPI support. What does that mean?
  1. g00se.org uses Kerberos for authentication.
  2. Kerberos offers Single-Sign-On.
I missed being able to upload my Subversion working copies over ssh without typing my password every time. So I installed ssh-krb5 to add the cool behavior.

Cyrus and Exim4 authentication using Kerberos via GSSAPI

Today I used my spare time to let the SMTP and the IMAP server of g00se.org use GSSAPI for authentication.
The necessary cyrus-sasl libraries were already installed, so I really don't know exactly which ones are required. I suppose the cyrus-sasl gssapi library should meet all requirements. I needed to install exim4-daemon-heavy instead of the light one. The heavy one supports authentication using the cyrus-sasl library.
I created the principals imap/g00se.org and smtp/g00se.org and put them into the default keytab.
Then I modified the configuration files of both services to let them propose GSSAPI as an alternate authentication mechanism:
(cyrus): imapd.conf:
sasl_mech_list: PLAIN GSSAPI
and
(exim4): [/etc/exim4/conf.d/auth/01_exim4-config_gssapi]
gssapi_server:
driver = cyrus_sasl
public_name = GSSAPI
server_mech = gssapi
server_hostname = g00se.org
#server_realm = G00SE.ORG
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
Thanks to Sean for a short and easy description.
PS: Exim4 uses the split configuration file option of Debian, so you can put the lines anywhere in the authentication section.

Apache with Kerberos authentication

Special thanks to the guys who invented mod_auth_kerb. I removed the PAM authentication modules, which I only used as a wrapper to get Kerberos auth through PAM, and replaced them with mod_auth_kerb.
Here is the small configuration:

Krb5Keytab /etc/apache2/krb5.keytab
KrbAuthRealms G00SE.ORG
KrbServiceName HTTP
<Directory /x>
AuthType Kerberos
Require valid-user
</Directory>
That's all! Cool.

The Firefox bundled with my OpenSUSE 10.3 already contains all necessary configuration. I only needed to add g00se.org to network.negotiate-auth.trusted-uris in about:config, so it accepts the offer to do GSSAPI authentication with these URIs. And that's pretty cool. At least I need to figure out a way to get my M$ system to use such cool stuff.