You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@progress.com> on 2009/03/23 13:33:30 UTC
CXF 2.2 TLS issue
Hi,
I have a test-scenario with an endpoint with no TLS configuration, and a
client with a http conduit configured with a trust manager, e.g:
<http:tlsClientParameters>
<cxfsec:trustManagers>
<cxfsec:certStore resource="... "/>
</cxfsec:trustManagers>
</http:tlsClientParameters>
With CXF 2.1, an invocation fails with:
Caused by: java.io.IOException: Illegal Protocol http for HTTPS
URLConnection Factory.
In other words, the tlsClientParameters configuration is taken as
requiring that communication takes place with the endpoint over TLS, and
as the endpoint has no TLS configuration the invocation fails.
However, with CXF 2.2 this invocation passes with no exception. Is this
a deliberate or inadvertent change? How does the client enforce that TLS
is used?
Colm.
Re: CXF 2.2 TLS issue
Posted by Daniel Kulp <dk...@apache.org>.
Colm,
BTW: I believe 2.1.5 will also exhibit this.
Basically, what is the "policy" vs what is the "configuration"?
With <2.1.3, both the protocol (http or https in the url) AND the TLS params
were basically policy. Both had to be specified or not specified.
With 2.1.3, in the https case, the TLS params became optional. If the
protocol was https and no tls params, we just used the "defaults" of the JRE.
Thus, it became more "configuration" than policy. However, if TLS stuff was
configured, it wouldn't allow http. Thus it was a sort of mixed thing.
This made it impossible to use a TLS configured client to talk to http
services which we've had a bunch of users asking for.
With 2.2 (and 2.1.5), it's really just configuration. The URL protocol
dictates whether HTTP or HTTPs is used. That's the policy. If the protocol
is https, the TLS params are the configuration for it, if specified.
If you need to assert https, you would probably need to write an interceptor
for it. OR, use WS-SecurityPolicy with TransportBinding/HttpsToken to assert
it.
Dan
On Mon March 23 2009 8:33:30 am Colm O hEigeartaigh wrote:
> Hi,
>
> I have a test-scenario with an endpoint with no TLS configuration, and a
> client with a http conduit configured with a trust manager, e.g:
>
> <http:tlsClientParameters>
> <cxfsec:trustManagers>
> <cxfsec:certStore resource="... "/>
> </cxfsec:trustManagers>
> </http:tlsClientParameters>
>
> With CXF 2.1, an invocation fails with:
>
> Caused by: java.io.IOException: Illegal Protocol http for HTTPS
> URLConnection Factory.
>
> In other words, the tlsClientParameters configuration is taken as
> requiring that communication takes place with the endpoint over TLS, and
> as the endpoint has no TLS configuration the invocation fails.
>
> However, with CXF 2.2 this invocation passes with no exception. Is this
> a deliberate or inadvertent change? How does the client enforce that TLS
> is used?
>
> Colm.
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog