
Saturday, August 27, 2016

Java applets security considerations

First of all, what are you doing here? Applets are absolutely deprecated and they will disappear definitively with Java 9.
Having said that, I'm currently working with some applets and Java Web Start components, and very often we run into security issues and warnings coming from the Java configuration.

The common errors I usually get are:
  • Your security settings have blocked an application from running due to missing a 'Permissions' manifest attribute in the main jar
  • Your security settings have blocked an untrusted application from running
The first one is easy to solve. Just add the Permissions attribute to the manifest, usually with the value "all-permissions".


For the second one you need to sign the applet (jarsigner) and do one of the following:
a) Add your site to the trusted sites of Java.
Go to Configure Java > Security > Edit list of sites. Add the one hosting your applet, for example http://localhost:8080.

b) Add the CA of the signer certificate to the trusted Authorities of Java.
Go to Configure Java > Security > Manage Certificates > CA of Signer.
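A pre-deployment check for the two errors above, as an added example that is not code from the original post or its projects: it reads a JAR, parses the main manifest section for the Permissions attribute, and looks for signature files in META-INF. It only checks that signature files are present; whether the signature is valid is what jarsigner -verify tells you. The helper names and the in-memory sample JARs are constructed for the illustration.

```python
import io
import zipfile

ALLOWED_PERMISSIONS = ("sandbox", "all-permissions")
SIGNATURE_BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF into {lower-cased name: value}."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and last:   # wrapped value: continuation line
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs


def check_jar(jar_bytes):
    """Report the Permissions attribute, signature files and resulting problems."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n.upper() for n in jar.namelist()]
        manifest = ""
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    permissions = main_attributes(manifest).get("permissions")
    # Signature files sit directly in META-INF: <name>.SF plus a signature block.
    meta = [n for n in names if n.startswith("META-INF/") and n.count("/") == 1]
    signed = (any(n.endswith(".SF") for n in meta)
              and any(n.endswith(SIGNATURE_BLOCK_EXTS) for n in meta))
    problems = []
    if permissions is None:
        problems.append("missing Permissions manifest attribute")
    elif permissions not in ALLOWED_PERMISSIONS:
        problems.append("unknown Permissions value: " + permissions)
    if not signed:
        problems.append("jar is not signed")
    return {"permissions": permissions, "signed": signed, "problems": problems}


def build_jar(manifest, extra=()):
    """Build a constructed in-memory JAR for the demo (not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            jar.writestr(name, b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    bare = build_jar("Manifest-Version: 1.0\r\n\r\n")
    ready = build_jar(
        "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n",
        ["META-INF/DEMO.SF", "META-INF/DEMO.RSA"])
    for label, jar in (("bare", bare), ("ready", ready)):
        print(label, check_jar(jar))
```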


I created two simple Java projects to play with these problems:

  • simple-applet. This is the applet project. In the pom.xml file you can see the plugins that insert the manifest entries and the signer.
  • simpe-boot-applet. This is the web app which uses the applet. You need to open http://localhost:8080/applet

Windows Server - Spring Security Kerberos authentication example

This post is a step-by-step guide to configuring a Kerberos service which is accessible to human users (by using a web browser) and to other Java applications (by using an HTTP client).
This post is almost entirely based on the Spring Security Kerberos reference documentation. I have just taken the parts I needed to develop a functionality in one of my applications.

The overview of the solution is as follows:
  • There is a Windows Server 2008 R2 machine called WIN-GG8QUO4LVI8.test.com.
  • In this server the Active Directory and KDC (Key Distribution Center) are running.
  • The AD has three users: tomcat, user1 and humanUser1.
  • The root domain (and forest, as there is just one domain) is TEST.COM.
  • There is a second machine outside the domain, a Windows 7 machine.
  • On this PC, the sec-server-spnego-form-auth application is deployed.
  • This service will be called neo.example.org.
  • On this PC, the rest client sec-client-rest-template will also be "deployed".


The objectives are:
  • When humanUser1 is logged in on WIN-GG8QUO4LVI8.test.com, he can access the tomcat app without entering his username or password. His identity is loaded from the Windows session.
  • When humanUser1 is logged in on the other PC, he can access the tomcat app by entering his username and password.
  • The rest client can access the tomcat app by identifying itself with a username (user1) and its keytab file.


This image summarizes this infrastructure:


So, I have my Active Directory configured with the domain "test.com" on a computer named "WIN-GG8QUO4LVI8", i.e., my Domain Controller.


Based on this information, I can create a Kerberos conf file (or .ini). The content of the krb5.conf file is:
[libdefaults]
 default_realm = TEST.COM
 default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
 TEST.COM  = {
  kdc = WIN-GG8QUO4LVI8.test.com
  default_domain = TEST.COM
 }

[domain_realm]
 .TEST.COM = TEST.COM

In the Active Directory I have the three necessary users. For example:



The steps I'll follow to complete the deployments are as follows:
  1. Configure and install sec-server-spnego-form-auth
  2. Test the tomcat app from the Other PC with humanUser1
  3. Test the tomcat app from WIN-GG8QUO4LVI8 with humanUser1
  4. Configure and install sec-client-rest-template

1. Configure and install sec-server-spnego-form-auth

Configuration in WIN-GG8QUO4LVI8
First we need to set up a Service Principal Name (SPN) for sec-server-spnego-form-auth.
A service is any process that does something, in this case the tomcat app. Services are uniquely identified in the form "<service class>/<host>:<port>[/<service name>]", and they are associated with a login account name.

Our SPN will be "HTTP/neo.example.org" and the associated user will be "tomcat".
> setspn -A HTTP/neo.example.org tomcat

> setspn -L tomcat
Registered ServicePrincipalNames for CN=tomcat tomcat.,CN=Users,DC=test,DC=com:
        HTTP/neo.example.org

Now we need to generate a keytab file for this service and map the SPN created previously. Basically, we are saying that this keytab file belongs to this SPN, which is also associated with a user.
You need to use the ktpass command:
> ktpass -out ./tomcat.keytab -mapuser tomcat@TEST.COM -princ HTTP/neo.example.org@TEST.COM -pass Password# -ptype KRB5_NT_PRINCIPAL -crypto ALL


> "c:\Program Files (x86)\Java\jre1.8.0_101\bin\klist.exe" -k -t -k tomcat.keytab

Key tab: tomcat.keytab, 5 entries found.

[1] Service principal: HTTP/neo.example.org@TEST.COM
         KVNO: 3
         Time stamp: Jan 01, 1970 01:00:00
[2] Service principal: HTTP/neo.example.org@TEST.COM
         KVNO: 3
         Time stamp: Jan 01, 1970 01:00:00
[3] Service principal: HTTP/neo.example.org@TEST.COM
         KVNO: 3
         Time stamp: Jan 01, 1970 01:00:00
[4] Service principal: HTTP/neo.example.org@TEST.COM
         KVNO: 3
         Time stamp: Jan 01, 1970 01:00:00
[5] Service principal: HTTP/neo.example.org@TEST.COM
         KVNO: 3
         Time stamp: Jan 01, 1970 01:00:00

The Java klist command lists the entries in the keytab file. A keytab file contains pairs of Kerberos principals and encrypted keys. In this case, the principal is the service.
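The klist listing above does not show which encryption type each of the five keys uses, and both the krb5.conf enctype lists and ktpass -crypto ALL include single DES and RC4. The following added example (not code from the original post or from Spring Security Kerberos) parses the keytab file format, version 0x0502, and reports the entries that carry a legacy enctype, without keeping the key bytes. The sample keytab is constructed in the code; its enctype assignment is an assumption, and the function names are hypothetical.

```python
import struct

# Kerberos encryption type numbers and their names.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
LEGACY = {1, 3, 16, 23}  # single DES, 3DES and RC4


def _read_counted(buf, pos):
    """Read a uint16 length-prefixed string; return (bytes, next position)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + length], pos + 2 + length


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for a 0x0502 keytab; keys are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size = deleted entry (hole)
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit kvno, key enctype (11 bytes in total)
        _ntype, _stamp, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _read_counted(data, p + 11)   # key bytes are read, not kept
        if end - p >= 4:                        # optional 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries


def legacy_entries(entries):
    """Entries whose key uses a legacy enctype, with the enctype named."""
    return [(princ, kvno, ENCTYPES.get(e, "etype-%d" % e))
            for princ, kvno, e in entries if e in LEGACY]


def _counted(value):
    return struct.pack(">H", len(value)) + value


def build_entry(principal, realm, kvno, etype, key):
    """Serialize one constructed entry (used only to make the sample below)."""
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample mirroring the five-entry tomcat.keytab above (KVNO 3,
# timestamp 0). The enctype assignment is an assumption; the keys are zeros.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("HTTP/neo.example.org", "TEST.COM", 3, etype, bytes(klen))
    for etype, klen in [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)])

if __name__ == "__main__":
    for princ, kvno, name in legacy_entries(parse_keytab(SAMPLE_KEYTAB)):
        print("legacy key:", princ, "kvno", kvno, name)
```

Run against a real keytab with parse_keytab(open(path, "rb").read()); an entry reported here can be used with a weak cipher whenever the client and KDC agree on it.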

Configuration in the Other PC
Once we have all the Kerberos configuration done, we can start to prepare our tomcat application sec-server-spnego-form-auth.
This Spring Boot application has a configuration file, application.yml, with two important keys:
  • service-principal. The name of the service that this application is providing.
  • keytab-location. The path to the keytab file which contains the keys which authenticate this application in the KDC.

With the information above, the application.yml file would be:
server:
    port: 8080
app:
    service-principal: HTTP/neo.example.org@TEST.COM
    keytab-location: D:/kerberos/tomcat.keytab

Remember that we also have the krb5.conf with the global configuration. We can tell our app to use it with the argument -Djava.security.krb5.conf=/path/to/krb5.conf.

In order to start this application you have to execute the following command:
java -Djava.security.krb5.conf=D:/kerberos/krb5.conf -jar sec-server-spnego-form-auth-1.0.2.BUILD-SNAPSHOT.jar

Ok. Our tomcat app is up and running.

2. Test the tomcat app from the Other PC with humanUser1

In the Other PC, I had the following IPs in my hosts file:
127.0.0.1   neo.example.org

192.168.65.129 WIN-GG8QUO4LVI8
192.168.65.129 WIN-GG8QUO4LVI8.test.com

When a user tries to access http://neo.example.org:8080/hello, he will get the auth form. This is because this user is outside the domain.


3. Test the tomcat app from WIN-GG8QUO4LVI8 with humanUser1

Now, humanUser1 logs in to WIN-GG8QUO4LVI8, which is a PC inside the domain (well, it is the domain server...).
When this user tries to access http://neo.example.org:8080/hello, he will enter automatically.

I will use Firefox, so you need to configure the following:
  • Open Firefox.
  • In the address field, type about:config.
  • In filter/search, type negotiate.
  • Set the parameter network.negotiate-auth.trusted-uris to http://neo.example.org:8080 (if you already have other URLs, you need to separate them by using ",").

I also added this URL to my local intranet sites in the Internet Explorer configuration.

4. Configure and install sec-client-rest-template

Fine. The human users have access to the web application. If the user is logged in inside the domain, he doesn't need to authenticate again (Single Sign On), but if the user tries to access from outside, he needs to use his login and password.

Now I want to authenticate a Java application which will make an HTTP connection (a GET request) to the secure page in the sec-server-spnego-form-auth application.

Configuration in WIN-GG8QUO4LVI8
You need to create a second keytab file. In this case, this file will contain the keys for user1, which will be the user used by sec-client-rest-template.
Previously we created a keytab file for the tomcat user, which is the account name associated with the service, by using the ktpass command. Now we just need to create the keytab file for an external user, without associating this user with any service.

We use the ktab tool, shipped with Java.
> "c:\Program Files (x86)\Java\jre1.8.0_101\bin\ktab.exe" -a user1 Password# -k user1.keytab

> "c:\Program Files (x86)\Java\jre1.8.0_101\bin\klist.exe" -k -t -K user1.keytab

Key tab: user1.keytab, 3 entries found.

[1] Service principal: user1@TEST.COM
         KVNO: 1
         Key: 0x97bb5f77eb114814e2c1e639ec914429
         Time stamp: Aug 26,  2016 16:09:43
[2] Service principal: user1@TEST.COM
         KVNO: 1
         Key: 0x4f5ea81531e5136807d9fe9d75d0f2e6cbd9b6eacd546d7f
         Time stamp: Aug 26,  2016 16:09:43
[3] Service principal: user1@TEST.COM
         KVNO: 1
         Key: 0x63245e61ad75fbc0b9360b4e380d83d8
         Time stamp: Aug 26,  2016 16:09:43

Configuration in the Other PC
Once we have the keytab file we can start to prepare our tomcat application sec-client-rest-template.
This Spring Boot application has a configuration file, application.yml, with three important keys:
  • user-principal. The user that this application will use to authenticate itself.
  • keytab-location. The path to the keytab file which contains the keys which authenticate this application in the KDC.
  • access-url. The URL of our service.

With the information above, the application.yml file would be:
app:
    user-principal: user1@TEST.COM
    keytab-location: D:/kerberos/user1.keytab
    access-url: http://neo.example.org:8080/hello


Remember that we also have the krb5.conf with the global configuration. We can tell our app to use it with the argument -Djava.security.krb5.conf=/path/to/krb5.conf.

In order to start this application you have to execute the following command:
java -Djava.security.krb5.conf=D:/kerberos/krb5.conf -jar sec-client-rest-template-1.0.2.BUILD-SNAPSHOT.jar

Sunday, August 21, 2016

CXF - Determine conduit name

If you need to know the conduit name that Apache CXF uses with some web service, the easiest way is to let it tell you.
Conduit configuration allows you to define some useful parameters, like proxy configuration, HTTP authentication, SSL configuration, etc.

For example, I want to determine the conduit name for the currency convertor service http://www.webservicex.com/CurrencyConvertor.asmx. My CXF configuration looks like this:

<jaxws:client id="currencyConversorClient"
 name="{http://www.webserviceX.NET}CurrencyConvertorSoap12" 
 serviceClass="net.webservicex.CurrencyConvertorSoap"
 address="http://www.webservicex.com/CurrencyConvertor.asmx"> 
</jaxws:client>


<http:conduit name="???????.http-conduit">
 <http:client ReceiveTimeout="60000" ConnectionTimeout="30000" />
 (...)
</http:conduit>

So, how do I know the conduit name? Just put CXF in debug and look for a message like "Could not find a definition for bean with id ...". This is the name CXF is trying to use.

17:23:35,516 INFO  [stdout] (http-localhost/127.0.0.1:8080-5) [2016-08-21 17:23:35,515] (ConfigurerImpl.java:179) DEBUG http-localhost/127.0.0.1:8080-5 org.apache.cxf.configuration.spring.ConfigurerImpl Could not find a definition for bean with id {http://www.webserviceX.NET/}CurrencyConvertorSoapPort.http-conduit - no injection will be performed.

17:23:35,517 INFO  [stdout] (http-localhost/127.0.0.1:8080-5) [2016-08-21 17:23:35,516] (ConfigurerImpl.java:179) DEBUG http-localhost/127.0.0.1:8080-5 org.apache.cxf.configuration.spring.ConfigurerImpl Could not find a definition for bean with id http://www.webservicex.com/CurrencyConvertor.asmx - no injection will be performed.

Saturday, August 20, 2016

Apache HTTP Server - My mini cheat sheet

No big deal. Just in case I need it someday.

Redirect from HTTP to HTTPS

<VirtualHost *:80>
 Servername cool.sisifo.es

 RewriteEngine on
 RewriteCond %{SERVER_PORT} !^443$
 RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

 (...)

</VirtualHost>


<VirtualHost *:443>
 Servername cool.sisifo.es

 (...)

</VirtualHost>

Remove "WWW" from domain

<VirtualHost *:443>
 Servername cool.sisifo.es

 RewriteEngine on
 RewriteCond %{HTTP_HOST} ^www\.
 RewriteRule ^(.*)$ https://cool.sisifo.es/$1 [R=301,L]
   
 (...)

</VirtualHost>

Restrict access in certain application paths

Remember, the last matching Location has precedence over the others.
<VirtualHost *:443>
 Servername cool.sisifo.es

 <Location />
  Order Deny,Allow
  Allow from all
 </Location>

 <Location /myApp/secure/path>
  Order Allow,Deny
  Allow from 127.0.0.1
 </Location>

 <Location /myApp/othersecure/path>
  Order Allow,Deny
  Allow from 127.0.0.1
 </Location>

 (...)
</VirtualHost>

Monday, August 15, 2016

JBoss - Virtual Servers - Mod_cluster

In JBoss, a virtual server is like a virtual host in Apache (httpd). There is always a default virtual server that handles all requests received by the server. So, for each request this is what can happen:
  1. If the request points to the root context ("/"), you get the default welcome application. In this case, the ROOT.war.
  2. If the request points to a valid context (i.e., the context of a deployed web app), you get the response of this web app.
  3. If the request points to an invalid context, you get a 404.

Besides the default virtual server, you can also define your own, by specifying a group of aliases (domains) which will be handled by this virtual server.

For example, I have two web apps, /app1 and /app2, deployed, each one in its own context, among other web apps (/app3, /app4, etc.). The absolute URLs would be:
  • app1: https://domain1/app1
  • app2: https://domain2/app2
  • app3: https://domain3/app3
  • app4: https://domain4/apps
There is an Apache front end configured with mod_cluster. Each domain is an Apache virtual host which forwards the requests to the JBoss backends (a server cluster).

Now, I want to reconfigure this situation in order to get the following URLs:
  • app1: https://myCommonDomain/
  • app2: https://myCommonDomain/app2
  • app3: https://domain3/app3
  • app4: https://domain4/apps
So, app1 and app2 will be in the same domain, and app1 will be the root context of this domain. In this way, a user will think that both applications are one and the same. In other words, I'm merging two web apps into one.

JBoss configuration

The first step is to create a new virtual server in JBoss, in the web subsystem:
<subsystem xmlns="urn:jboss:domain:web:1.5"
 default-virtual-server="default-host" native="false">
 <configuration>
  <jsp-configuration development="true"
   check-interval="2000" />
 </configuration>
 <connector name="http" protocol="HTTP/1.1" scheme="http"
  socket-binding="http" />
 <connector name="ajp" protocol="AJP/1.3" scheme="http"
  socket-binding="ajp" />
 <virtual-server name="default-host"
  enable-welcome-root="true">
  <alias name="localhost" />
  <alias name="example.com" />
 </virtual-server>
 <virtual-server name="myNewVirtualServer" default-web-module="app1.war">
  <alias name="myCommonDomain"/>
 </virtual-server>
</subsystem>

I created a virtual server named myNewVirtualServer, whose default root will be app1.war (this is the runtime name of the deployment). This virtual server will be "listening" on myCommonDomain.

Web apps configuration

Inside app1 and app2, you need to include a jboss-web.xml file. In this file, each application declares its root context and references the virtual server created before.

jboss-web.xml in app1.war:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
 <context-root>/</context-root>
 <virtual-host>myNewVirtualServer</virtual-host>
</jboss-web>

jboss-web.xml in app2.war:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
 <context-root>/app2</context-root>
 <virtual-host>myNewVirtualServer</virtual-host>
</jboss-web>

Apache configuration

Finally, you need to declare a new Apache virtual host for this domain.
<VirtualHost *:443> 
 ServerName myCommonDomain
 (...) 
</VirtualHost>


Sunday, August 7, 2016

JBoss - IllegalArgumentException: warning no match for this type name - Error creating bean with name 'dataSource'

I had a JEE 6 application using JPA in the persistence tier and Spring in the business tier, which was being deployed in JBoss. Everything was working fine.

Then, I configured a business cache as explained in one of my previous posts, http://trabajosdesisifo.blogspot.com.es/2016/07/jboss-spring-infinispan-cache.html (well, at that time it was not a distributed cache, but that doesn't matter). Everything was working fine, too.

My application had a web service client, so I configured a web service cache as explained in another of my previous posts, http://trabajosdesisifo.blogspot.com.es/2016/07/web-service-client-spring-cache.html. And this didn't work.

When I tried to deploy the application, I got this error:
10:32:35,429 ERROR [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 232) Context initialization failed: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'entityManagerFactory' defined in ServletContext resource [/WEB-INF/config/data-access-config.xml]: Cannot resolve reference to bean 'dataSource' while setting bean property 'dataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataSource': Post-processing of the FactoryBean's object failed; nested exception is java.lang.IllegalArgumentException: warning no match for this type name: org.tempuri.EntradaSoap [Xlint:invalidAbsoluteTypeName]
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:329) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:107) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1387) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1128) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:295) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:292) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1117) [spring-context-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:922) [spring-context-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479) [spring-context-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.apache.catalina.core.StandardContext.contextListenerStart(StandardContext.java:3339) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:3777) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
 at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:156) [jboss-as-web-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
 at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:60) [jboss-as-web-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
 at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:93) [jboss-as-web-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_21]
 at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [rt.jar:1.7.0_21]
 at java.util.concurrent.FutureTask.run(FutureTask.java:166) [rt.jar:1.7.0_21]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_21]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_21]
 at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
 at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataSource': Post-processing of the FactoryBean's object failed; nested exception is java.lang.IllegalArgumentException: warning no match for this type name: org.tempuri.EntradaSoap [Xlint:invalidAbsoluteTypeName]
 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:165) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:102) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1454) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:306) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:323) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 ... 27 more
Caused by: java.lang.IllegalArgumentException: warning no match for this type name: org.tempuri.EntradaSoap [Xlint:invalidAbsoluteTypeName]
 at org.aspectj.weaver.tools.PointcutParser.parsePointcutExpression(PointcutParser.java:301) [aspectjweaver-1.6.11.jar:1.6.11]
 at org.springframework.aop.aspectj.AspectJExpressionPointcut.buildPointcutExpression(AspectJExpressionPointcut.java:208) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.aspectj.AspectJExpressionPointcut.getFallbackPointcutExpression(AspectJExpressionPointcut.java:359) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:256) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:208) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:359) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:322) [spring-aop-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1625) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:162) [spring-beans-3.2.3.RELEASE.jar:3.2.3.RELEASE]
 ... 32 more

The first error that I tried to solve was this:
java.lang.IllegalArgumentException: warning no match for this type name: org.tempuri.EntradaSoap [Xlint:invalidAbsoluteTypeName]
Note: org.tempuri.EntradaSoap was the web service interface which had the method that I was trying to add to the cache.
This problem was related to the Spring AOP configuration, as if my pointcut were wrong. But after a while, I hadn't discovered anything.


Then I focused on the second error:
Error creating bean with name 'dataSource': Post-processing of the FactoryBean's object failed;
My datasource was defined as follows:
<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
 <property name="jndiName">
  <value>java:jboss/datasources/myAppDS</value>
 </property>
</bean>
So, it was created by JBoss and the application retrieves it via JNDI.

As I found in this Stack Overflow answer, http://stackoverflow.com/questions/12804049/warning-no-match-for-this-type-name-when-deploying-to-jboss-dispite-deploying, when Spring AOP tried to inspect this class, it was not able to load it.

The solution is to add a dependency on the module org.jboss.ironjacamar.jdbcadapters in the META-INF/jboss-deployment-structure.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
 <deployment>
  <dependencies>
   <module name="org.infinispan"/>
   <module name="org.jboss.ironjacamar.jdbcadapters"/>   
  </dependencies>
 
 </deployment>
</jboss-deployment-structure>