I have a simple WebService defined in Spring config:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cxf="http://cxf.apache.org/core"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:wsa="http://cxf.apache.org/ws/addressing"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:wsrm-policy="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
xmlns:wsrm-mgr="http://cxf.apache.org/ws/rm/manager"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xsi:schemaLocation="
http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://schemas.xmlsoap.org/ws/2005/02/rm/policy http://schemas.xmlsoap.org/ws/2005/02/rm/wsrm-policy.xsd
http://cxf.apache.org/ws/rm/manager http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-*.xml" />
<bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
<bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl">
<property name="inInterceptors">
<list>
<ref bean="logInbound"/>
</list>
</property>
<property name="outInterceptors">
<list>
<ref bean="logOutbound"/>
</list>
</property>
<property name="outFaultInterceptors">
<list>
<ref bean="logOutbound"/>
</list>
</property>
<property name="inFaultInterceptors">
<list>
<ref bean="logInbound"/>
</list>
</property>
</bean>
<httpj:engine-factory bus="cxf">
<httpj:engine port="9001">
<httpj:threadingParameters minThreads="10" maxThreads="100" />
<httpj:connector>
<bean class="org.eclipse.jetty.server.bio.SocketConnector">
<property name="port" value="9001" />
</bean>
</httpj:connector>
<httpj:handlers>
<bean class="org.eclipse.jetty.server.handler.DefaultHandler" />
</httpj:handlers>
<httpj:sessionSupport>true</httpj:sessionSupport>
</httpj:engine>
</httpj:engine-factory>
<bean id="serviceFactory" class="org.apache.cxf.jaxws.support.JaxWsServiceFactoryBean"
scope="prototype">
<property name="serviceConfigurations">
<list>
<bean class="org.apache.cxf.jaxws.support.JaxWsServiceConfiguration" />
<bean
class="org.apache.cxf.aegis.databinding.XFireCompatibilityServiceConfiguration" />
<bean class="org.apache.cxf.service.factory.DefaultServiceConfiguration" />
</list>
</property>
</bean>
<bean id="eventWebService" class="org.myapp.EventWS">
<property name="timeout" value="${timeoutWS}" />
</bean>
<jaxws:endpoint id="event" implementor="#eventWebService"
address="${event.endpoint}">
<jaxws:serviceFactory>
<ref bean="serviceFactory" />
</jaxws:serviceFactory>
</jaxws:endpoint>
It works like a simple WS at event.endpoint=http://localhost:9001/event
But now, I want to secure that connection with TLS using server private key. I know how to do this using SSLContext ( http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLContext.html ), but Spring is something new to me. I guess I need to create a new Endpoint with another configuration? Or use another ServiceFactory?
You must configure the engine factory with an SSL enabled connector. Maybe this helps: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<context:property-placeholder location="classpath:override.properties" ignore-resource-not-found="true" properties-ref="defaultProperties"/>
<util:properties id="defaultProperties">
<prop key="keyManager.keystore">certs/localhost.jks</prop>
</util:properties>
<http:destination name="yourDestination" />
<httpj:engine-factory>
<httpj:engine port="yourPort">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password" file="${keys.keystore}"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password" file="certs/keystore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_DES40_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<!-- ### HIL
<sec:clientAuthentication want="true" required="true"/>
### HIL ENDE -->
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
You need to have a keystore file such as shown on line 17. You also should have a properites file with the necessary credentials to validate against the keystore. (For a introduction into keystore and keystore authentication see here: http://en.wikipedia.org/wiki/Keystore )
I've managed to create a new engine with SSL
<httpj:engine port="9101">
<httpj:tlsServerParameters>
<sec:clientAuthentication want="true"
required="true" />
</httpj:tlsServerParameters>
<httpj:threadingParameters minThreads="10"
maxThreads="100" />
<httpj:connector>
<bean class="org.eclipse.jetty.server.ssl.SslSocketConnector">
<property name="port" value="9101" />
<property name="keystore" value= "./config/keystore-gateway" />
<property name="password" value= "pass" />
<property name="keyPassword" value= "pass" />
</bean>
</httpj:connector>
<httpj:handlers>
<bean class="org.eclipse.jetty.server.handler.DefaultHandler" />
</httpj:handlers>
<httpj:sessionSupport>true</httpj:sessionSupport>
</httpj:engine>
It works in browser with SSL.
How to enable mutual authentication now ?
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.