stackoom
  简体   繁体   中英

Two-way (mutual) SSL authentication with the Apache CXF client plugin for grails

 原文  2014-12-09 21:08:06       java/ tomcat/ grails/ ssl/ cxf

Question

I have been unable to make the Apache CXF client grails plugin work with two-way SSL authentication. The web service I am calling provides a development environment URL, which does not require two-way authentication, and everything works fine. However, the test environment URL they provide does require two-way authentication, and I have not been able to make it work.

The grails app is running in Tomcat on a Windows server.

I have written a stand-alone Java test app to test-out the 2-way authentication. I call it with the appropriate keystore, truststore, etc., and it works fine. (This is a pure Java app -- no CXF.) I have imported this same Java class into the grails app running on Tomcat, and that also works. However, as previously stated, when calling using CXF, it does not work.

I have turned on -Djavax.net.debug=ssl in Tomcat and can see that the client is not sending back a certificate when the server sends the CertificateRequest message. (When using the Java class, the client does respond with the correct cert.)

I have tried several different ways of setting the keystore and truststore parameters. I am currently setting them by using ++JvmOptions when I start Tomcat: 

++JvmOptions
-Xrs;
-Djavax.net.debug=ssl;
-Djavax.net.ssl.trustStore=C:\path\to\truststore.jks;
-Djavax.net.ssl.keyStore=C:\path\to\keystore.jks;
-Dhttps.cipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA;
-Djavax.net.ssl.keyStorePassword=password;
-Djavax.net.ssl.trustStorePassword=password

I am currently using cxf-client:2.0.3, although I have also tried with cxf-client:1.5.6.

1 answers

solution1
 1  2014-12-10 10:57:53

I'm not that familar with grails, but how looks your cxf client call? Do you add the keystore/truststore to the http conduit?

example: 

<http:conduit name="https:...">
    <http:tlsClientParameters>
        <sec:trustManagers>
                <sec:keyStore type="JKS" password="password" file="..."/>
            </sec:trustManagers>
            <sec:keyManagers keyPassword="password">
                <sec:keyStore type="JKS" password="password" file="..."/>
            </sec:keyManagers>
        <sec:cipherSuitesFilter>
        ...
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>   
</http:conduit>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Two-way mutual SSL authentication Two way mutual SSL authentication Mutual Authentication(Two-Way TLS/SSL) with cloud residing KeyStores and TrustStores(Secret Manager) -Spring boot Apache Thrift 2-way SSL mutual authentication Enforce Two-Way SSL in Java CXF clients SSL Handshake_failure in Java test client while connecting to server with two-way authentication Apache CXF issue while using mutual SSL Jersey Client with SSL Mutual Authentication Jersey client SSL mutual authentication Two-way (mutual) SSL with Glassfish3/4 or Tomcat 8 and self-signed certificates
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM