Posted to commits@cxf.apache.org by gm...@apache.org on 2012/03/22 23:54:00 UTC
svn commit: r1304120 - in /cxf/trunk/distribution/src/main/release/samples/wsdl_first_https: ./ src/main/java/demo/hw_https/client/
Author: gmazza
Date: Thu Mar 22 22:54:00 2012
New Revision: 1304120
URL: http://svn.apache.org/viewvc?rev=1304120&view=rev
Log:
Clean up of wsdl_first_https sample.
Added:
cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml
Removed:
cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/WibbleClient.xml
Modified:
cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt
cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml
cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java
Modified: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt?rev=1304120&r1=1304119&r2=1304120&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt (original)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt Thu Mar 22 22:54:00 2012
@@ -1,96 +1,96 @@
Hello World Demo using HTTPS communications
=============================================
-
-This demo takes the hello world demo a step further
-by doing the communication using HTTPS.
+This demo provides a "hello world" example of making
+SOAP calls with HTTPS.
Please review the README in the samples directory before
continuing.
Building and running the demo using Maven
-----------------------------------------
-
From the base directory of this sample (i.e., where this README file is
located), the Maven pom.xml file can be used to build and run the demo.
- mvn install (builds the demo)
+ mvn clean install (builds the demo)
-In separate windows:
+In the first terminal windows:
mvn -Pserver (starts the server)
- mvn -Pinsecure.client (runs the client in insecure mode, Scenario 1)
- mvn -Psecure.client (runs the client in secure mode, Scenario 2)
- mvn -Pinsecure.client.non.spring (runs the client in insecure mode without Spring configuration, Scenario 3)
- mvn -Psecure.client.non.spring (runs the client in secure mode without Spring configuration, Scenario 4)
- mvn clean (removes all generated and compiled classes)"
+
+Sequentially, in the second terminal window:
+ mvn -Pinsecure.client (Scenario 1, will fail due to no credentials provided)
+ mvn -Psecure.client (Scenario 2, runs successfully)
+ mvn -Pinsecure.client.non.spring (Scenario 3, will fail due to no credentials provided)
+ mvn -Psecure.client.non.spring (Scenario 4, runs successfully)
+
+Later, when desired:
+ mvn clean (removes all generated and compiled classes)
The demo illustrates how authentication can be achieved through
-configuration using 3 different scenarios. The non-defaulted security
-policy values are be specified via configuration files or programmatically.
+configuration using two different scenarios, via configuration files
+or using the CXF Java API.
+
+For all four scenarios, the same HTTPS listener (activated above via
+mvn -Pserver) is used. This listener requires client authentication
+so the client must provide suitable credentials. The listener configuration
+is given in the "CherryServer.xml" file located in the /server folder.
Scenario 1: (-Pinsecure.client)
-A HTTPS listener is started up. The listener requires
-client authentication so the client must provide suitable credentials.
-The listener configuration is taken from the "CherryServer.cxf" file
-located in this directory. The client's security data is taken from
-from the "InsecureClient.cxf" file in this directory, using the bean name:
-"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit". The
-client does NOT provide the appropriate credentials and so the
-invocation on the server fails.
+The client's security data is taken from from the "InsecureClient.xml" file
+in the /client directory, using the bean name:
+"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit".
+This file does not have any credential information so the SOAP call
+ton the server fails.
Scenario 2: (-Psecure.client)
-The same HTTPS listener is used. The client's security data is taken
-from the "WibbleClient.cxf" configuration file in this directory,
-using the bean name:
-"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit".
-The client is configured to provide its certificate "CN=Wibble" and
-chain stored in the Java KeyStore "certs/wibble.jks" to the server. The
-server authenticates the client's certificate using its trust store
+Same as above, except this time "SecureClient.xml", which contains the
+appropriate credential information. This SOAP call will succeed here.
+
+In this configuration file, the client provides its certificate "CN=Wibble"
+and chain stored in the Java KeyStore "certs/wibble.jks" to the server. The
+server authenticates the client's certificate using its truststore
"certs/truststore.jks", which holds the Certificate Authorities'
certificates.
Likewise the client authenticates the server's certificate "CN=Cherry"
-and chain against the same trust store. Note also the usage of the
+and chain against the same trust store. Note the usage of the
cipherSuitesFilter configuration in the configuration files,
-where each party imposes different ciphersuites contraints, so that the
+where each party imposes different ciphersuites constraints, so that the
ciphersuite eventually negotiated during the TLS handshake is acceptable
to both sides. This may be viewed by adding a -Djavax.net.debug=all
argument to the JVM.
But please note that it is not advisable to store sensitive data such
-as passwords stored in a clear text configuration file, unless the
+as passwords in clear text configuration files, unless the
file is sufficiently protected by OS level permissions. The KeyStores
-may be configured programmatically so using user interaction may be
+may be configured programmatically so user interaction may be
employed to keep passwords from being stored in configuration files.
-The approach taken here is for demonstration reasons only.
+The approach taken here is for demonstration purposes only.
Scenario 3: (-Pinsecure.client.non.spring)
-A HTTPS listener is started up. The client does NOT provide the appropriate
-credentials programmatically and so the invocation on the server fails.
+Here, configuration is done via Java API (in ClientSpring.java) and not
+Spring XML files. The client does NOT provide the appropriate credentials
+programmatically and so the invocation on the server fails.
Scenario 4: (-Psecure.client.non.spring)
-A HTTPS listener is started up. The client's security data
-is in essence the same as for scenario 2, however this time it
-is provided programmatically in the client code, ClientNonSpring.java.
-
-But please note that it is not advisable to store sensitive data such
-as passwords stored directly in java code as the code could possibly be
-disassembled. Typically the password would be obtained at runtime by
-prompting for the password.
-The approach taken here is for demonstration reasons only.
-
+Same Java class as in Scenario #3 is used, however the class is coded
+to configure TLS appropriately in this circumstance, so the SOAP call
+will succeed. Please note that it is not advisable to store sensitive
+data such as passwords directly in java code as the code could
+possibly be disassembled. Typically the password would be obtained at
+runtime by prompting for the password. The approach taken here is for
+demonstration purposes only.
Certificates:
-If the certificates are expired for some reason, a shell script in
-bin/gencerts.sh will generate the set of certificates needed for
-this sample. Just do the following:
+If the certificates have expired, a shell script in bin/gencerts.sh
+will generate a new set of certificates needed for this sample.
+Just do the following:
cd certs
sh ../bin/gencerts.sh
-
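Review bot: the added Scenario 3 paragraph (`+Here, configuration is done via Java API (in ClientSpring.java) and not`) names ClientSpring.java, but the profiles are `-Pinsecure.client.non.spring` / `-Psecure.client.non.spring` and the removed Scenario 4 text called the class ClientNonSpring.java; please confirm the class name so readers can find the programmatic TLS setup. The rewritten intro also says "configuration using two different scenarios" while the very next paragraph says "For all four scenarios" and four profiles are listed above; the two counts should agree. Minor typos in the new lines: "In the first terminal windows" (window), "taken from from" (duplicated word), and "ton the server" (to the server).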
Modified: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml?rev=1304120&r1=1304119&r2=1304120&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml (original)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml Thu Mar 22 22:54:00 2012
@@ -75,7 +75,7 @@
<configuration>
<tasks>
<copy file="${basedir}/src/main/java/demo/hw_https/server/CherryServer.xml" todir="${basedir}/target/classes/demo/hw_https/server" />
- <copy file="${basedir}/src/main/java/demo/hw_https/client/WibbleClient.xml" todir="${basedir}/target/classes/demo/hw_https/client" />
+ <copy file="${basedir}/src/main/java/demo/hw_https/client/SecureClient.xml" todir="${basedir}/target/classes/demo/hw_https/client" />
<copy file="${basedir}/src/main/java/demo/hw_https/client/InsecureClient.xml" todir="${basedir}/target/classes/demo/hw_https/client" />
<copy todir="${basedir}/target/classes/certs">
<fileset dir="${basedir}/certs" />
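Review bot: the client configuration files are copied one `<copy file=...>` line at a time (CherryServer.xml, SecureClient.xml, InsecureClient.xml), so this rename had to be mirrored here and in Client.java's getResource call; a `<copy todir=...>` with a `<fileset>` over the client directory's XML files, as is already done for `${basedir}/certs`, would keep the build from silently dropping a file the next time one is renamed.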
Modified: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java?rev=1304120&r1=1304119&r2=1304120&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java (original)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java Thu Mar 22 22:54:00 2012
@@ -58,7 +58,7 @@ public final class Client {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = null;
if ("secure".equals(args[1])) {
- busFile = Client.class.getResource("WibbleClient.xml");
+ busFile = Client.class.getResource("SecureClient.xml");
} else if ("insecure".equals(args[1])) {
busFile = Client.class.getResource("InsecureClient.xml");
} else {
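Review bot: `Client.class.getResource("SecureClient.xml")` returns null when the file is not on the classpath (it is only present because the pom's ant task copies it into target/classes), and a null `busFile` would surface later as a NullPointerException rather than a clear message; a null check after this if/else with a message naming the missing resource would make the "run `mvn clean install` first" failure mode obvious.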
Added: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml?rev=1304120&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml (added)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml Thu Mar 22 22:54:00 2012
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<!--
+ ** This file configures the Wibble Client
+ -->
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xsi:schemaLocation="
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+ <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="JKS" password="password"
+ file="certs/truststore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="JKS" password="password"
+ file="certs/wibble.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <!-- these filters ensure that a ciphersuite with
+ export-suitable or null encryption is used,
+ but exclude anonymous Diffie-Hellman key change as
+ this is vulnerable to man-in-the-middle attacks -->
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
+
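Review bot: the `sec:cipherSuitesFilter` in this new SecureClient.xml includes `.*_EXPORT_.*`, `.*_EXPORT1024_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*`, and its comment says the filters "ensure that a ciphersuite with export-suitable or null encryption is used"; for a file now named "Secure" that advertises weak or no encryption, and the README above says the point of the filter is that the negotiated suite is "acceptable to both sides". Suggest keeping only `.*_WITH_AES_.*` in the include list (and the `.*_DH_anon_.*` exclude), or at least rewriting the comment to say these weak suites are enabled for demonstration only, so the sample does not teach a permissive filter as the secure configuration. Smaller points in the same hunk: `disableCNCheck="true"` turns off hostname verification of the server certificate and deserves an inline comment that it exists only because the demo's "CN=Cherry" certificate does not match localhost; "key change" in the comment should read "key exchange"; and the header comment still says "This file configures the Wibble Client" although the file was renamed from WibbleClient.xml.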