Posted to users@cxf.apache.org by Stefan Müller <st...@it.nrw.de> on 2015/08/18 15:08:04 UTC

Mutual authentication with Dispatch API

Hi,

we are using the dispatch API to invoke a remote WebService. This works fine
until the remote service requires mutual authentication (aka 2Way SSL).
This is our spring configuration:


    <jaxws:client id="{http://example.com}ws-dispatch"
        name="{http://example.com}ws-dispatch"
        createdFromAPI="true">
        <jaxws:outInterceptors>
            <ref bean="setPolicyOutInterceptor"/>
        </jaxws:outInterceptors>
        <jaxws:inInterceptors>
            <ref bean="setSignatureAlgorithmInInterceptor"/>
        </jaxws:inInterceptors>
        <jaxws:handlers>
            <bean class="com.example.FaultOutHandler"/>
        </jaxws:handlers>
        <jaxws:properties>
            <entry key="ws-security.signature.properties" value-ref="keystoreProperties"/>
            <entry key="ws-security.callback-handler" value-ref="keystorePasswordCallback"/>
            <entry key="ws-security.encryption.properties" value-ref="truststoreProperties"/>
            <entry key="faultStackTraceEnabled" value="false"/>
            <entry key="exceptionMessageCauseEnabled" value="false"/>
        </jaxws:properties>
    </jaxws:client>

    <http-conf:conduit name="{http://example.com}ws-dispatch.http-conduit">
        <http-conf:tlsClientParameters disableCNCheck="true" secureSocketProtocol="TLS">
            <security:trustManagers>
                <security:keyStore type="JKS" password="****"
                    file="${config.location}/ssl_keys/truststore.jks"/>
            </security:trustManagers>
            <security:keyManagers keyPassword="****">
                <security:keyStore type="JKS" password="****"
                    file="${config.location}/ssl_keys/keystore.jks"/>
            </security:keyManagers>
        </http-conf:tlsClientParameters>
        <http-conf:client AutoRedirect="true" Connection="Keep-Alive"/>
    </http-conf:conduit>


This is our Dispatch implementation:

    public SOAPMessage dispatch(final SOAPMessage soapMessage) {
        final QName serviceName = new QName("http://example.com", "ws-dispatch-service");
        final QName portName = new QName("http://example.com", "ws-dispatch");
        final javax.xml.ws.Service service = javax.xml.ws.Service.create(serviceName);
        service.addPort(portName, SOAPBinding.SOAP12HTTP_BINDING, getEndpoint());
        Dispatch<SOAPMessage> dispatch = service.createDispatch(portName,
            SOAPMessage.class, javax.xml.ws.Service.Mode.MESSAGE);
        dispatch.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, getPolicy());
        dispatch.getRequestContext().put(ASYMMETRIC_SIG_ALGO_PROPERTY, getAlgorithm());
        SOAPMessage result = dispatch.invoke(soapMessage);
        return result;
    }

This does not work and we do not get any useable exceptions. Any help is
highly appreciated.

Greets
Stefan



--
View this message in context: http://cxf.547215.n5.nabble.com/Mutual-authentication-with-Dispatch-API-tp5760231.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Mutual authentication with Dispatch API

Posted by Colm O hEigeartaigh <co...@apache.org>.
What I did was look at the TransportBindingTest in the STS basic systests:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java;h=1e6cebdceef33c016d38ee803e0c0da8e4407b37;hb=HEAD

There is a test called "testSAML2Dispatch" in here which uses the Dispatch
API to make a service request. The TLS configuration is at the bottom of
this file:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml;h=44795974144782dc9b80db65ca6437f83395a6b5;hb=HEAD

If you comment it out the test fails at the STSClient stage, meaning that
the client must have correctly picked up the TLS configuration before.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Mutual authentication with Dispatch API

Posted by Stefan Müller <st...@it.nrw.de>.
Colm,

could you please post your working spring + dispatch example, as our config
does not work. We think that in our config the conduit is not picked up
correctly (maybe a naming problem) as it does not even load the keystore.

Greets,
Stefan




Re: Mutual authentication with Dispatch API

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Stefan,

I think you have two options here. The first is to combine spring + the
Dispatch API - just leave your TLS configuration in the spring
configuration + load this as normal. The TLS settings should get picked up
by CXF when using the Dispatch API - I experimented with this and it appeared
to work.

The second alternative is to configure TLS programmatically. I haven't tried
this with the Dispatch API so I'm not sure if it works.

Configure TLS, e.g.:

    TLSClientParameters tlsParams = new TLSClientParameters();
    // Trust managers decide whether the server certificate is accepted
    X509TrustManager trustManager = new NoOpX509TrustManager();
    TrustManager[] trustManagers = new TrustManager[1];
    trustManagers[0] = trustManager;
    tlsParams.setTrustManagers(trustManagers);
    // Turns off the check of the URL hostname against the certificate's CN
    tlsParams.setDisableCNCheck(true);

Then set it on the Dispatch object:

    Client client = ((DispatchImpl<SOAPMessage>) dispatch).getClient();
    HTTPConduit http = (HTTPConduit) client.getConduit();
    http.setTlsClientParameters(tlsParams);

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
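
Added example, not part of the thread and not code from the posters or the CXF project: the programmatic route described in the last reply, extended with the key managers that mutual authentication needs and with trust managers built from a truststore. The class name, method names and parameters are hypothetical; the keystore paths and passwords are supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.Dispatch;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.jaxws.DispatchImpl;
import org.apache.cxf.transport.http.HTTPConduit;

// Added illustration; class name, method names and parameters are hypothetical.
public final class MutualTlsDispatchConfig {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password);
        }
        return store;
    }

    public static void configure(Dispatch<SOAPMessage> dispatch,
            String keystorePath, char[] keystorePassword, char[] keyPassword,
            String truststorePath, char[] truststorePassword) throws Exception {
        // Key managers supply the client certificate and private key for the handshake.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath, keystorePassword), keyPassword);

        // Trust managers validate the server's certificate chain against the truststore.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath, truststorePassword));

        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setKeyManagers(kmf.getKeyManagers());
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        tlsParams.setSecureSocketProtocol("TLS");
        // disableCNCheck is left at its default (false), so the hostname check stays on.

        Client client = ((DispatchImpl<SOAPMessage>) dispatch).getClient();
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsParams);
    }
}
```

Call `configure(...)` on the `Dispatch` object after `createDispatch(...)` and before `invoke(...)`.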