
Two-way (mutual) SSL authentication with the Apache CXF client plugin for grails

I have been unable to make the Apache CXF client grails plugin work with two-way SSL authentication. The web service I am calling provides a development environment URL, which does not require two-way authentication, and everything works fine. However, the test environment URL they provide does require two-way authentication, and I have not been able to make it work.

The grails app is running in Tomcat on a Windows server.

I have written a stand-alone Java test app to test out the 2-way authentication. I call it with the appropriate keystore, truststore, etc., and it works fine. (This is a pure Java app -- no CXF.) I have imported this same Java class into the grails app running on Tomcat, and that also works. However, as previously stated, when calling using CXF, it does not work.

I have turned on -Djavax.net.debug=ssl in Tomcat and can see that the client is not sending back a certificate when the server sends the CertificateRequest message. (When using the Java class, the client does respond with the correct cert.)

I have tried several different ways of setting the keystore and truststore parameters. I am currently setting them by using ++JvmOptions when I start Tomcat:

++JvmOptions
-Xrs;
-Djavax.net.debug=ssl;
-Djavax.net.ssl.trustStore=C:\path\to\truststore.jks;
-Djavax.net.ssl.keyStore=C:\path\to\keystore.jks;
-Dhttps.cipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA;
-Djavax.net.ssl.keyStorePassword=password;
-Djavax.net.ssl.trustStorePassword=password

I am currently using cxf-client:2.0.3, although I have also tried with cxf-client:1.5.6.

I'm not that familiar with grails, but how does your cxf client call look? Do you add the keystore/truststore to the http conduit?

Example:

<http:conduit name="https:...">
    <http:tlsClientParameters>
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="password" file="..."/>
        </sec:trustManagers>
        <sec:keyManagers keyPassword="password">
            <sec:keyStore type="JKS" password="password" file="..."/>
        </sec:keyManagers>
        <sec:cipherSuitesFilter>
        ...
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
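The same key and trust material can be attached to the conduit programmatically instead of through the Spring XML above. The following Java is an added example, not code from the question, the answer, or the cxf-client plugin. It uses CXF's own ClientProxy, HTTPConduit, TLSClientParameters and FiltersType classes, and assumes that `port` is the JAX-WS proxy obtained from the generated service class, that both stores are JKS files on disk, and that the store and key passwords are the ones passed in.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Mutual TLS for a CXF JAX-WS client, configured on the HTTPConduit rather than via JVM properties. */
public final class MutualTlsConduit {

    private MutualTlsConduit() {}

    /** Load a JKS store from disk (assumed JKS, as in the question's -Djavax.net.ssl.* settings). */
    static KeyStore loadJks(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** Key managers present the client certificate when the server sends CertificateRequest. */
    static KeyManager[] keyManagers(String keyStorePath, char[] storePassword, char[] keyPassword)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, storePassword), keyPassword);
        return kmf.getKeyManagers();
    }

    /** Trust managers validate the server's certificate chain against the truststore. */
    static TrustManager[] trustManagers(String trustStorePath, char[] storePassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, storePassword));
        return tmf.getTrustManagers();
    }

    /**
     * Attach key and trust material to the conduit behind a JAX-WS port proxy.
     * `port` is the proxy returned by the generated service's getXxxPort() (assumed name).
     */
    public static void configureMutualTls(Object port,
                                          String keyStorePath, String trustStorePath,
                                          char[] storePassword, char[] keyPassword) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(keyManagers(keyStorePath, storePassword, keyPassword));
        tls.setTrustManagers(trustManagers(trustStorePath, storePassword));

        // Mirrors the question's -Dhttps.cipherSuites value; omit the filter to keep JVM defaults.
        FiltersType suites = new FiltersType();
        suites.getInclude().add("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
        tls.setCipherSuitesFilter(suites);

        // Keep hostname verification enabled; disabling it weakens server authentication.
        tls.setDisableCNCheck(false);

        conduit.setTlsClientParameters(tls);
    }
}
```

Call `MutualTlsConduit.configureMutualTls(port, ...)` once after obtaining the proxy and before the first invocation. The check to repeat afterwards is the one the question already describes: with -Djavax.net.debug=ssl enabled, confirm that the client now answers the server's CertificateRequest with a certificate instead of an empty reply.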

