Posted to users@cxf.apache.org by Stepan Seycek <St...@boc-eu.com> on 2013/05/16 12:31:54 UTC
Re: Overriding TLSClientParameters after overriding endpoint address - SOLVED
Hello CXF users,
if anybody runs into the same problem - I managed to fix it by moving the
HTTPConduit manipulation to an interceptor:
Interceptor code:
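import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.Conduit;
import org.apache.cxf.transport.http.HTTPConduit;

public class TrustAllSslCertsOutInterceptor extends AbstractPhaseInterceptor<Message> {

    public TrustAllSslCertsOutInterceptor() {
        super(Phase.SETUP);
    }

    public void handleMessage(Message message) throws Fault {
        // Conduit actually used for this exchange
        Conduit conduit = message.getExchange().getConduit(message);
        if (conduit instanceof HTTPConduit) {
            HTTPConduit httpConduit = (HTTPConduit) conduit;
            TLSClientParameters tlsClientParameters = httpConduit.getTlsClientParameters();
            if (null == tlsClientParameters) {
                tlsClientParameters = new TLSClientParameters();
                httpConduit.setTlsClientParameters(tlsClientParameters);
            }
            // Trust manager that accepts every certificate chain without checks
            TrustManager[] trustAllCerts = new TrustManager[]{
                new javax.net.ssl.X509TrustManager() {
                    public X509Certificate[] getAcceptedIssuers() {
                        // Empty array, not null: the interface requires a non-null return
                        return new X509Certificate[0];
                    }
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                    }
                    public void checkServerTrusted(X509Certificate[] certs, String authType) {
                    }
                }
            };
            tlsClientParameters.setTrustManagers(trustAllCerts);
            // Also turns off the host name (CN) check
            tlsClientParameters.setDisableCNCheck(true);
            httpConduit.setTlsClientParameters(tlsClientParameters);
        }
    }
}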
Br,
Stepan
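
The same interceptor pattern with certificate validation kept on, as an added example that is not part of the original thread: instead of a trust-all manager it trusts only the certificates in a dedicated truststore and leaves the CN check enabled. The class name, the truststore path and password parameters, and the JKS store type are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.Conduit;
import org.apache.cxf.transport.http.HTTPConduit;

public class PinnedTrustStoreOutInterceptor extends AbstractPhaseInterceptor<Message> {
    private final TrustManager[] trustManagers;
    // Added example (hypothetical class). Assumption: trustStorePath is a JKS file
    // holding only the certificate (or issuing CA) of the one service being called.
    public PinnedTrustStoreOutInterceptor(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        super(Phase.SETUP);
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        this.trustManagers = tmf.getTrustManagers();
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        Conduit conduit = message.getExchange().getConduit(message);
        if (!(conduit instanceof HTTPConduit)) {
            return;
        }
        HTTPConduit httpConduit = (HTTPConduit) conduit;
        TLSClientParameters tls = httpConduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
        }
        tls.setTrustManagers(trustManagers);
        tls.setDisableCNCheck(false); // host name must match the certificate
        httpConduit.setTlsClientParameters(tls);
    }
}
```

Registered on a single client with ClientProxy.getClient(port).getOutInterceptors().add(...), it applies only to that client's conduits. A server certificate that is not covered by the truststore, or that does not match the host name, fails the handshake.
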
From: Stepan Seycek <St...@boc-eu.com>
To: users@cxf.apache.org
Date: 16.05.2013 10:53
Subject: Re: Overriding TLSClientParameters after overriding endpoint address
Hi Ted,
thank you for your response. Unfortunately neither of the suggested
approaches works for me whenever I additionally set a custom endpoint URL
that differs from the one in WSDL. Also setting the "trust-all" manager on
HttpsURLConnection would in my opinion totally disable server certificate
validation while I want it only for the given web service port.
According to the observed behavior I assume that setting a custom endpoint
URL results in a different HTTPConduit being used, which does not have the
custom TLSClientParameters set.
Br,
Stepan
From: Ted <r6...@gmail.com>
To: users@cxf.apache.org
Date: 16.05.2013 02:14
Subject: Re: Overriding TLSClientParameters after overriding endpoint address
oh one thing you might want to check, since you're trying to
"trustall" in your certificates, in addition to the above, I had to
set up another bit somewhere else (context startup listener for the
webapp)
    TrustAllManager[] tam = { new TrustAllManager() };
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tam, new SecureRandom());
    SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
    HostnameVerifier hostNameVerifier = new HostnameVerifier()
    {
        @Override
        public boolean verify(String host, SSLSession sslSession)
        {
            return(true);
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hostNameVerifier);
On 5/16/13, Ted <r6...@gmail.com> wrote:
> I do that in cxf 2.7.4 and oracle jdk1.7, it looks very similar to
> what you're doing although maybe in a different order :
>
>     AccountWsService service = new AccountWsService(myServiceUrl);
>     AccountWs wsPort = service.getAccountWsPort();
>
>     Client cxfClient = ClientProxy.getClient(wsPort);
>     HTTPConduit httpConduit = (HTTPConduit) cxfClient.getConduit();
>
>     TLSClientParameters tslClientParameters = httpConduit.getTlsClientParameters();
>     if (tslClientParameters == null) tslClientParameters = new TLSClientParameters();
>     tslClientParameters.setDisableCNCheck(true);
>     TrustAllManager[] tam = { new TrustAllManager() };
>     tslClientParameters.setTrustManagers(tam);
>     tslClientParameters.setSecureSocketProtocol("SSLv3");
>     httpConduit.setTlsClientParameters(tslClientParameters);
>
>     HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
>     httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE);
>     httpClientPolicy.setConnectionTimeout(connectionTimeout);
>     httpClientPolicy.setAllowChunking(false);
>     httpClientPolicy.setReceiveTimeout(receiveTimeout);
>     httpConduit.setClient(httpClientPolicy);
>
>
> On 5/15/13, Stepan Seycek <St...@boc-eu.com> wrote:
>> Hallo,
>>
>> I run into problems when I try to set TLSClientParameters on the HTTP
>> Conduit of a client where I also override the ENDPOINT_ADDRESS. The result
>> is that my TLSClientParameters are not considered at all (certificate
>> validation error). If I do not override the ENDPOINT_ADDRESS, it works as
>> expected. Could anybody point me to a solution that allows me to set both,
>> the endpoint and a custom trust manager?
>>
>> Code (tested with CXF 2.7.4, Java 7):
>>
>> private <PortT> void setupSoapPort(PortT soapPort) {
>>     Client soapClient = ClientProxy.getClient(soapPort);
>>
>>     // set endpoint and timeouts
>>     soapClient.getRequestContext().put(Message.ENDPOINT_ADDRESS, this.endpoint);
>>     HTTPConduit conduit = (HTTPConduit) soapClient.getConduit();
>>     HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
>>     httpClientPolicy.setConnectionTimeout(this.connectTimeout);
>>     httpClientPolicy.setReceiveTimeout(this.receiveTimeout);
>>     conduit.setClient(httpClientPolicy);
>>
>>     // enable cookie based sessions
>>     ((BindingProvider)soapPort).getRequestContext().put(
>>         BindingProvider.SESSION_MAINTAIN_PROPERTY, "true");
>>
>>     // disable server certificate validation if requested
>>     if (false == this.sslValidateServerCert &&
>>             this.endpoint.toLowerCase().startsWith("https://")) {
>>         TrustManager[] trustAllCerts = new TrustManager[]{
>>             new javax.net.ssl.X509TrustManager() {
>>                 public X509Certificate[] getAcceptedIssuers() {return null;}
>>                 public void checkClientTrusted(X509Certificate[] certs, String authType) {}
>>                 public void checkServerTrusted(X509Certificate[] certs, String authType) {}
>>             }
>>         };
>>         TLSClientParameters tlsParams = new TLSClientParameters();
>>         tlsParams.setTrustManagers(trustAllCerts);
>>         tlsParams.setDisableCNCheck(true);
>>         conduit.setTlsClientParameters(tlsParams);
>>     }
>> }
>>
>> Thanks in advance,
>> Stepan
>>
>
>
> --
> Ted.
>
--
Ted.