Posted to users@cxf.apache.org by Tính Trương Xuân <ti...@evolus.vn> on 2009/04/07 09:18:21 UTC

CXF 2.2 problem with SSL (*.http-conduit)

Hello everyone,
I use Spring 2.5.6 with CXF 2.2 to create web services on Tomcat 6.0.18.
Everything is fine with HTTP, but with HTTPS there are a lot of problems.
I've configured Tomcat to serve requests with SSL like this:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.home}/conf/cis-server.jks"
               keystorePass="mypass"/>
I can access the WSDL with Firefox just fine (after adding my server
certificate to the trusted certificate list of Firefox, because it's a
self-signed certificate). Here is the client configuration file:

    <bean class="vn.evolus.hippocrate.core.service.ISecurityService"
          factory-bean="securityServiceClientFactory" factory-method="create" />

    <bean id="securityServiceClientFactory"
          class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
        <property name="serviceClass"
                  value="vn.evolus.hippocrate.core.service.ISecurityService" />
        <property name="address"
                  value="http://cishost:8080/cis-services/SecurityService" />
    </bean>

    <http:conduit name="*.http-conduit">
        <http:tlsClientParameters secureSocketProtocol="SSL" disableCNCheck="true">
            <sec:keyManagers keyPassword="mypass">
                <sec:keyStore type="JKS" password="mypass"
                              file="/data/Evolus/Projects/Java/Hippocrate/trunk/cis-client.jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="mypass"
                              file="/data/Evolus/Projects/Java/Hippocrate/trunk/cis-client-truststore.jks"/>
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with
                     export-suitable or null encryption is used,
                     but exclude anonymous Diffie-Hellman key exchange as
                     this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
    </http:conduit>

I'm using JDK 6 update 10, I also imported the certificate of the server
into JAVA_HOME/jre/lib/security/cacerts. Here is the error I've got:

Caused by: java.io.IOException: The https URL hostname does not match the
Common Name (CN) on the server certificate.  To disable this check
 (NOT recommended for production) set the CXF client TLS configuration
property "disableCNCheck" to true.

I turned on the debug log of CXF and found that my service endpoint is not
wrapped by the http conduit I've configured:

2009-04-07 14:09:54,232 DEBUG - Could not find a definition for bean with id
{http://service.core.hippocrate.evolus.vn/}ISecurityServicePort.http-conduit-
no injection will be performed.
2009-04-07 14:09:54,233 DEBUG - Could not find a definition for bean with id
https://localhost:8443/cis-services//SecurityService - no injection will be
performed.
2009-04-07 14:09:54,238 DEBUG - No Trust Decider configured for Conduit '{
http://service.core.hippocrate.evolus.vn/}ISecurityServicePort.http-conduit'
2009-04-07 14:09:54,239 DEBUG - No Auth Supplier configured for Conduit '{
http://service.core.hippocrate.evolus.vn/}ISecurityServicePort.http-conduit'
2009-04-07 14:09:54,239 DEBUG - Conduit '{
http://service.core.hippocrate.evolus.vn/}ISecurityServicePort.http-conduit'
has been configured for plain http.

Am I missing something in the configuration, or is it a bug in CXF 2.2?
Any help is appreciated.
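As an added example (not the poster's code and not part of the CXF project), the same TLS settings applied programmatically to the proxy's HTTPConduit. Because the conduit is fetched from the created proxy via ClientProxy.getClient, no Spring bean-name matching against "*.http-conduit" is involved. Hostname verification stays enabled (disableCNCheck=false), the protocol is "TLS", and the cipher-suite filter admits only AES suites and excludes anonymous, NULL, export and DES suites. The SecureClientFactory class name, the keystore paths, the passwords and the https address are placeholders; the service interface is the one from the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;

import vn.evolus.hippocrate.core.service.ISecurityService;

/** Hypothetical helper: builds a JAX-WS proxy and configures TLS on its conduit directly. */
public class SecureClientFactory {

    /** Loads a JKS keystore from disk (path and password are caller-supplied placeholders). */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Restrictive filter: AES suites only; no anonymous, NULL, export or DES suites. */
    static FiltersType strongCipherSuites() {
        FiltersType filters = new FiltersType();
        filters.getInclude().add(".*_WITH_AES_.*");
        filters.getExclude().add(".*_anon_.*");
        filters.getExclude().add(".*_NULL_.*");
        filters.getExclude().add(".*_EXPORT.*");
        filters.getExclude().add(".*_DES_.*");
        return filters;
    }

    public static <T> T create(Class<T> serviceClass, String httpsAddress,
                               String keyStore, char[] keyStorePass, char[] keyPass,
                               String trustStore, char[] trustStorePass) throws Exception {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(serviceClass);
        factory.setAddress(httpsAddress);
        T proxy = serviceClass.cast(factory.create());

        // Take the conduit from the proxy itself; no Spring bean-name lookup is needed.
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");
        // Keep hostname verification on: the URL host must match the certificate's CN/SAN.
        tls.setDisableCNCheck(false);

        // Client key material (only used if the server requests client authentication).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStore, keyStorePass), keyPass);
        tls.setKeyManagers(kmf.getKeyManagers());

        // Trust store holding the server's self-signed certificate (or its issuing CA).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStore, trustStorePass));
        tls.setTrustManagers(tmf.getTrustManagers());

        tls.setCipherSuitesFilter(strongCipherSuites());
        conduit.setTlsClientParameters(tls);
        return proxy;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and host; the host must be the name the server certificate was issued for.
        ISecurityService service = create(ISecurityService.class,
                "https://cishost:8443/cis-services/SecurityService",
                "/path/to/cis-client.jks", "changeit".toCharArray(), "changeit".toCharArray(),
                "/path/to/cis-client-truststore.jks", "changeit".toCharArray());
        System.out.println("TLS-configured proxy created: " + service);
    }
}
```

The hostname error quoted in the post is the CN check doing its job: the client addressed the service by a name other than the one in the server certificate. The durable fix is to call the service by the certificate's name (or reissue the certificate for the host actually used), not to set disableCNCheck. If the XML route is preferred instead, the debug output already names the conduit exactly ({http://service.core.hippocrate.evolus.vn/}ISecurityServicePort.http-conduit), so that literal name can be used as the http:conduit name while testing whether the wildcard form is matched.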