You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by qu...@aol.com on 2008/02/05 18:44:35 UTC

Ensuring CXF soap is behind SSL

I want to make sure any messages not encrypted with SSL are rejected by the CXF container. What configuration is neccessary for this?

I've tried setting the location to an https address but this is unsufficient. The only documentation I've found on the subject refers to client, not server, configuration.

? <wsdl:service name="HelloWorldService">
??? <wsdl:port binding="impl:HelloWorldServiceSoapBinding" name="HelloWorldService">
????? <wsdlsoap:address location="https://localhost:8080/HelloWorldService"/>
??? </wsdl:port>
? </wsdl:service>

Thanks!



________________________________________________________________________
More new features than ever.  Check out the new AOL Mail ! - http://webmail.aol.com

Re: Ensuring CXF soap is behind SSL

Posted by Fred Dushin <fr...@dushin.net>.

Apropos to that, the TLSSessionInfo structure on the message should  
give you everything you want:

http://svn.apache.org/repos/asf/incubator/cxf/trunk/api/src/main/java/org/apache/cxf/security/transport/TLSSessionInfo.java

Currently this is plumbed through only for HTTP, though it should work  
in both transports (jetty and servlet)

-Fred

On Feb 5, 2008, at 2:28 PM, Daniel Kulp wrote:

>
> You may need to write a simple interceptor that would grab the
> HttpServletRequest object out  of the message and checks the security
> stuff.   It shouldn't be too hard to write.
>
> There might be some policy things along with the ws-security stuff  
> that
> could enforce it with the ws-security module, but that would  
> definitely
> cause a performance hit due to the security module dropping to saaj
> mode.   I'm not really sure anyway.   Fred may need to answer that  
> one.
>
>
> Dan
>
>
> On Tuesday 05 February 2008, quakexpert@aol.com wrote:
>> I want to make sure any messages not encrypted with SSL are rejected
>> by the CXF container. What configuration is neccessary for this?
>>
>> I've tried setting the location to an https address but this is
>> unsufficient. The only documentation I've found on the subject refers
>> to client, not server, configuration.
>>
>> ? <wsdl:service name="HelloWorldService">
>> ??? <wsdl:port binding="impl:HelloWorldServiceSoapBinding"
>> name="HelloWorldService"> ????? <wsdlsoap:address
>> location="https://localhost:8080/HelloWorldService"/> ??? </ 
>> wsdl:port>
>> ? </wsdl:service>
>>
>> Thanks!
>>
>>
>>
>> ______________________________________________________________________
>> __ More new features than ever.  Check out the new AOL Mail ! -
>> http://webmail.aol.com
>
>
>
> -- 
> J. Daniel Kulp
> Principal Engineer, IONA
> dkulp@apache.org
> http://www.dankulp.com/blog
>

Re: Ensuring CXF soap is behind SSL

Posted by Daniel Kulp <dk...@apache.org>.

You may need to write a simple interceptor that would grab the 
HttpServletRequest object out  of the message and checks the security 
stuff.   It shouldn't be too hard to write.

There might be some policy things along with the ws-security stuff that 
could enforce it with the ws-security module, but that would definitely 
cause a performance hit due to the security module dropping to saaj 
mode.   I'm not really sure anyway.   Fred may need to answer that one.

Dan

On Tuesday 05 February 2008, quakexpert@aol.com wrote:
> I want to make sure any messages not encrypted with SSL are rejected
> by the CXF container. What configuration is neccessary for this?
>
> I've tried setting the location to an https address but this is
> unsufficient. The only documentation I've found on the subject refers
> to client, not server, configuration.
>
> ? <wsdl:service name="HelloWorldService">
> ??? <wsdl:port binding="impl:HelloWorldServiceSoapBinding"
> name="HelloWorldService"> ????? <wsdlsoap:address
> location="https://localhost:8080/HelloWorldService"/> ??? </wsdl:port>
> ? </wsdl:service>
>
> Thanks!
>
>
>
> ______________________________________________________________________
>__ More new features than ever.  Check out the new AOL Mail ! -
> http://webmail.aol.com

-- 
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog

Re: Ensuring CXF soap is behind SSL

Posted by qu...@aol.com.

 


 thanks ill try this out


 

-----Original Message-----
From: Glen Mazza <gl...@verizon.net>
To: cxf-user@incubator.apache.org
Sent: Tue, 5 Feb 2008 8:51 pm
Subject: Re: Ensuring CXF soap is behind SSL










I believe that can be enforced in the web.xml file that you distribute
your WAR with.  For example, (another web app unrelated to web
services), line 41-51 of web.xml:  http://tinyurl.com/yp6faz

Glen


Am Dienstag, den 05.02.2008, 12:44 -0500 schrieb quakexpert@aol.com:
> I want to make sure any messages not encrypted with SSL are rejected by the 
CXF container. What configuration is neccessary for this?
> 
> I've tried setting the location to an https address but this is unsufficient. 
The only documentation I've found on the subject refers to client, not server, 
configuration.
> 
> ? <wsdl:service name="HelloWorldService">
> ??? <wsdl:port binding="impl:HelloWorldServiceSoapBinding" 
name="HelloWorldService">
> ????? <wsdlsoap:address location="https://localhost:8080/HelloWorldService"/>
> ??? </wsdl:port>
> ? </wsdl:service>
> 
> Thanks!
> 
> 
> 
> ________________________________________________________________________
> More new features than ever.  Check out the new AOL Mail ! - 
http://webmail.aol.com




 


________________________________________________________________________
More new features than ever.  Check out the new AOL Mail ! - http://webmail.aol.com

Re: Ensuring CXF soap is behind SSL

Posted by Glen Mazza <gl...@verizon.net>.

I believe that can be enforced in the web.xml file that you distribute
your WAR with.  For example, (another web app unrelated to web
services), line 41-51 of web.xml:  http://tinyurl.com/yp6faz

Glen


Am Dienstag, den 05.02.2008, 12:44 -0500 schrieb quakexpert@aol.com:
> I want to make sure any messages not encrypted with SSL are rejected by the CXF container. What configuration is neccessary for this?
> 
> I've tried setting the location to an https address but this is unsufficient. The only documentation I've found on the subject refers to client, not server, configuration.
> 
> ? <wsdl:service name="HelloWorldService">
> ??? <wsdl:port binding="impl:HelloWorldServiceSoapBinding" name="HelloWorldService">
> ????? <wsdlsoap:address location="https://localhost:8080/HelloWorldService"/>
> ??? </wsdl:port>
> ? </wsdl:service>
> 
> Thanks!
> 
> 
> 
> ________________________________________________________________________
> More new features than ever.  Check out the new AOL Mail ! - http://webmail.aol.com

Re: Ensuring CXF soap is behind SSL

Posted by Eric Miles <er...@kronos.com>.

If you're using Spring and Acegi, you could use a secure channel filter.


On Tue, 2008-02-05 at 12:44 -0500, quakexpert@aol.com wrote:
> I want to make sure any messages not encrypted with SSL are rejected by the CXF container. What configuration is neccessary for this?
> 
> I've tried setting the location to an https address but this is unsufficient. The only documentation I've found on the subject refers to client, not server, configuration.
> 
> ? <wsdl:service name="HelloWorldService">
> ??? <wsdl:port binding="impl:HelloWorldServiceSoapBinding" name="HelloWorldService">
> ????? <wsdlsoap:address location="https://localhost:8080/HelloWorldService"/>
> ??? </wsdl:port>
> ? </wsdl:service>
> 
> Thanks!
> 
> 
> 
> ________________________________________________________________________
> More new features than ever.  Check out the new AOL Mail ! - http://webmail.aol.com