堆栈内存溢出
  简体   繁体   English

如何在Java,Spring / CXF中为Web服务启用TLS / SSL?

[英]How to enable TLS/SSL in java, Spring / CXF for Web Service?

 原文  2011-09-22 15:34:02       java/ web-services/ spring/ ssl/ cxf

问题描述

I have a simple WebService defined in Spring config: 我在Spring配置中定义了一个简单的WebService: 

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cxf="http://cxf.apache.org/core"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:wsa="http://cxf.apache.org/ws/addressing"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:wsrm-policy="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
xmlns:wsrm-mgr="http://cxf.apache.org/ws/rm/manager"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xsi:schemaLocation="
    http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
    http://schemas.xmlsoap.org/ws/2005/02/rm/policy http://schemas.xmlsoap.org/ws/2005/02/rm/wsrm-policy.xsd
    http://cxf.apache.org/ws/rm/manager http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
    http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
    http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd">

<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-*.xml" />

<bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>

<bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl">
    <property name="inInterceptors">
        <list>
            <ref bean="logInbound"/>
        </list>
    </property>
    <property name="outInterceptors">
        <list>
            <ref bean="logOutbound"/>
        </list>
    </property>
    <property name="outFaultInterceptors">
        <list>
            <ref bean="logOutbound"/>
        </list>
    </property>
    <property name="inFaultInterceptors">
        <list>
            <ref bean="logInbound"/>
        </list>
    </property>
</bean>

<httpj:engine-factory bus="cxf">
    <httpj:engine port="9001">
        <httpj:threadingParameters minThreads="10" maxThreads="100" />
        <httpj:connector>
            <bean class="org.eclipse.jetty.server.bio.SocketConnector">
                <property name="port" value="9001" />
            </bean>
        </httpj:connector>
        <httpj:handlers>
            <bean class="org.eclipse.jetty.server.handler.DefaultHandler" />
        </httpj:handlers>
        <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>
</httpj:engine-factory>

<bean id="serviceFactory" class="org.apache.cxf.jaxws.support.JaxWsServiceFactoryBean"
    scope="prototype">
    <property name="serviceConfigurations">
        <list>
            <bean class="org.apache.cxf.jaxws.support.JaxWsServiceConfiguration" />
            <bean
                class="org.apache.cxf.aegis.databinding.XFireCompatibilityServiceConfiguration" />
            <bean class="org.apache.cxf.service.factory.DefaultServiceConfiguration" />
        </list>
    </property>
</bean>

<bean id="eventWebService" class="org.myapp.EventWS">
    <property name="timeout" value="${timeoutWS}" />
</bean>

<jaxws:endpoint id="event" implementor="#eventWebService"
    address="${event.endpoint}">
    <jaxws:serviceFactory>
        <ref bean="serviceFactory" />
    </jaxws:serviceFactory>
</jaxws:endpoint>

It works like a simple WS at event.endpoint=http://localhost:9001/event 它像event.endpoint = http:// localhost:9001 / event上的简单WS一样工作

But now, I want to secure that connection with TLS using server private key. 但是现在,我想使用服务器私钥通过TLS保护该连接。 I know how to do this using SSLContext ( http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLContext.html ), but Spring is something new to me. 我知道如何使用SSLContext( http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLContext.html )执行此操作,但是Spring对我来说是新事物。 I guess I need to create a new Endpoint with another configuration? 我想我需要使用其他配置创建新的端点吗? Or use another ServiceFactory? 还是使用另一个ServiceFactory?

3 个解决方案

解决方案1
 1  2011-09-22 15:52:01

You must configure the engine factory with an SSL enabled connector. 您必须使用启用SSL的连接器配置引擎工厂。 Maybe this helps: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL 也许这会有所帮助: http : //docs.codehaus.org/display/JETTY/How+to+configure+SSL

解决方案2
 0  2012-06-25 14:03:02

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
    http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
    http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
    http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<context:property-placeholder location="classpath:override.properties" ignore-resource-not-found="true" properties-ref="defaultProperties"/>
<util:properties id="defaultProperties">
    <prop key="keyManager.keystore">certs/localhost.jks</prop>
</util:properties>

<http:destination name="yourDestination" /> 

<httpj:engine-factory>
    <httpj:engine port="yourPort">
        <httpj:tlsServerParameters>
            <sec:keyManagers keyPassword="password">
                <sec:keyStore type="JKS" password="password" file="${keys.keystore}"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="password" file="certs/keystore.jks"/>
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with
                    export-suitable or null encryption is used,
                    but exclude anonymous Diffie-Hellman key change as
                    this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_DES40_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
            <!-- ### HIL 
            <sec:clientAuthentication want="true" required="true"/>
            ### HIL ENDE --> 
        </httpj:tlsServerParameters>
    </httpj:engine>
</httpj:engine-factory>

You need to have a keystore file such as shown on line 17. You also should have a properites file with the necessary credentials to validate against the keystore. 您需要具有一个密钥库文件,如第17行所示。您还应该具有一个属性文件,该文件具有必要的凭据,可以针对密钥库进行验证。 (For a introduction into keystore and keystore authentication see here: http://en.wikipedia.org/wiki/Keystore ) (有关密钥库和密钥库身份验证的介绍,请参见此处: http : //en.wikipedia.org/wiki/Keystore

解决方案3
 0  2011-09-22 17:32:48

I've managed to create a new engine with SSL 我设法用SSL创建了一个新引擎 

<httpj:engine port="9101">
        <httpj:tlsServerParameters>
            <sec:clientAuthentication want="true"
                required="true" />
        </httpj:tlsServerParameters>

        <httpj:threadingParameters minThreads="10"
            maxThreads="100" />
        <httpj:connector>
            <bean class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                <property name="port" value="9101" />
                <property name="keystore" value= "./config/keystore-gateway" />
                <property name="password" value= "pass" />
                <property name="keyPassword" value= "pass" />
            </bean>
        </httpj:connector>
        <httpj:handlers>
            <bean class="org.eclipse.jetty.server.handler.DefaultHandler" />
        </httpj:handlers>
        <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>

It works in browser with SSL. 它可以在具有SSL的浏览器中使用。

How to enable mutual authentication now ? 现在如何启用相互认证?

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何将CXF客户端的TLS / SSL Http身份验证用于Web服务? - How do you use TLS/SSL Http Authentication with a CXF client to a web service? 如何在Java Spring中使用Azure应用服务证书来启用SSL - How to use an Azure App Service Certificate with Java Spring to enable SSL Spring Tool Suite 4(JAVA)上的“ Web Service Client(CXF 2.)”问题 - Problems with “Web Service Client (CXF 2.)” on Spring Tool Suite 4 (JAVA) 用于soap web服务的Spring Boot + Apache CXF - Spring boot + Apache CXF for soap web service 使用CXF,Jetty和Spring的Web服务 - Web service using CXF, Jetty and Spring 在Spring Framework中部署CXF Web服务 - Deploying a CXF web service in Spring Framework 如何在 Java 中启用 TLS 1.2 7 - How to enable TLS 1.2 in Java 7 Spring 启动 / Java, mongodb ZEA52C36203C5F99C3CE2Z/TLS 连接性 - Spring boot / Java, mongodb SSL / TLS connectivity 如何在Java中启用SSL 3 - How to enable SSL 3 in Java 如何在服务器端为使用Grails和CXF发布的Web服务启用MTOM? - How do I enable MTOM on the server side for a Web Service published using Grails with CXF?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM