Posted to users@cxf.apache.org by Martin Nielsen <mn...@gmail.com> on 2016/09/16 06:42:44 UTC

Configuring 2way SSL on a REST endpoint in an OSGi container

Hello everyone.

I have a question about using CXF in an OSGi container. More specifically
using it via Declarative Services.

I need to create a REST endpoint, that is secured by 2way SSL, as well as
an interceptor which can read the incoming client certificate after the
handshake in order to perform authentication inside the application itself.

But how do I do this? I found a demo to make CXF register a component as a
rest service here. http://cxf.apache.org/dosgi-ds-demo-page.html

But I still can't find resources on how to do the 2way ssl part.
I know I need to set up trust and keystores on the HTTPConduit, but I have
no idea how or where to do that in an OSGi environment.

I am using Karaf for the OSGi container, if that has any relevance.

Thank you in advance

-Martin

RE: Configuring 2way SSL on a REST endpoint in an OSGi container

Posted by Martin Nielsen <mn...@gmail.com>.
I don't want to force 2way authentication on the entire container, only on
select endpoints.

My preliminary idea is to allow client authentication and capture the
client certificate in an interceptor if it is needed and present.

So the question is if clientauthwanted will make clients attempt the 2way
auth, if they can, or if I will have to force the client side somehow.

On 17 Sep 2016 18:55, "Andrei Shakirin" <as...@talend.com> wrote:

> Hi,
>
> If you would like to force client authentication, the property
> org.ops4j.pax.web.ssl.clientauthneeded is more appropriate, I guess.
>
> That means, the OSGi container will accept only client calls containing
> a certificate trusted on the container side.
> The property will activate client authentication for all SSL endpoints that
> are registered with relative URLs.
>
> Regards,
> Andrei.

RE: Configuring 2way SSL on a REST endpoint in an OSGi container

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

If you would like to force client authentication, the property org.ops4j.pax.web.ssl.clientauthneeded is more appropriate, I guess.

That means, the OSGi container will accept only client calls containing a certificate trusted on the container side.
The property will activate client authentication for all SSL endpoints that are registered with relative URLs.

Regards,
Andrei. 

> -----Original Message-----
> From: Martin Nielsen [mailto:mnybon@gmail.com]
> Sent: Friday, 16 September 2016 21:18
> To: users@cxf.apache.org
> Subject: Re: Configuring 2way SSL on a REST endpoint in an OSGi container
> 
> I think I figured that out myself actually. Setting
> org.ops4j.pax.web.ssl.clientauthwanted = true should enable two way ssl if the
> client has anything to send.
> At least that is what I am hoping. Does anyone have any experience about
> whether this is a correct assumption?
> 
> If that is correctly understood,  I can just reject all calls without a valid client
> cert in that specific endpoint.

Re: Configuring 2way SSL on a REST endpoint in an OSGi container

Posted by Martin Nielsen <mn...@gmail.com>.
I think I figured that out myself actually. Setting
org.ops4j.pax.web.ssl.clientauthwanted = true
should enable two way ssl if the client has anything to send.
At least that is what I am hoping. Does anyone have any experience about
whether this is a correct assumption?

If that is correctly understood, I can just reject all calls without a
valid client cert in that specific endpoint.

On 16 Sep 2016 8:45 p.m., "Martin Nielsen" <mn...@gmail.com> wrote:

> That looks very much like what I would need.  The only issue is that I
> will need 2way ssl for only a select few endpoints. It looks to me like the
> pax web configuration is global. Is that right?

Re: Configuring 2way SSL on a REST endpoint in an OSGi container

Posted by Martin Nielsen <mn...@gmail.com>.
That looks very much like what I would need.  The only issue is that I will
need 2way ssl for only a select few endpoints. It looks to me like the pax
web configuration is global. Is that right?

On 16 Sep 2016 10:21, "Christian Schneider" <ch...@die-schneider.net> wrote:

> I am not sure about reading the client certificate in an interceptor but
> that part should be for the most part unrelated to
> OSGi. Maybe you can ask that as a separate question so people without OSGi
> knowledge tune in.
>
> Christian

Re: Configuring 2way SSL on a REST endpoint in an OSGi container

Posted by Christian Schneider <ch...@die-schneider.net>.
I am not sure about reading the client certificate in an interceptor but 
that part should be for the most part unrelated to
OSGi. Maybe you can ask that as a separate question so people without 
OSGi knowledge tune in.

Christian

On 16.09.2016 08:42, Martin Nielsen wrote:
> Hello everyone.
>
> I have a question about using CXF in an OSGi container. More specifically
> using it via Declarative Services.
>
> I need to create a REST endpoint, that is secured by 2way SSL, as well as
> an interceptor which can read the incoming client certificate after the
> handshake in order to perform authentication inside the application itself.
>
> But how do I do this? I found a demo to make CXF register a component as a
> rest service here. http://cxf.apache.org/dosgi-ds-demo-page.html
>
> But I still can't find resources on how to do the 2way ssl part.
> I know I need to set up trust and keystores on the HTTPConduit, but I have
> no idea how or where to do that in an OSGi environment.
>
> I am using Karaf for the OSGi container, if that has any relevance.
>
> Thank you in advance
>
> -Martin
>


-- 
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
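
Added example (not part of the original thread and not code from the CXF or Pax Web projects): a CXF in-interceptor for the per-endpoint approach discussed here, where the container only requests a client certificate (clientauthwanted) and the selected endpoint rejects calls that arrive without one. The class name, the message key and the allowed subject DN are hypothetical, and the sketch assumes the transport exposes the handshake result to CXF as TLSSessionInfo.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

/** Hypothetical interceptor: rejects calls that arrive without a TLS client certificate. */
public class RequireClientCertInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Message key (hypothetical name) under which the certificate is handed on. */
    public static final String CLIENT_CERT = "example.client.certificate";

    public RequireClientCertInterceptor() {
        // Run on the inbound chain before the resource method is invoked.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // TLSSessionInfo describes the TLS session; it is absent on plain HTTP.
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        Certificate[] chain = (tls == null) ? null : tls.getPeerCertificates();

        // With clientauthwanted the handshake succeeds even when the client
        // sends no certificate, so the missing case has to be rejected here.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new Fault(new SecurityException("Client certificate required"));
        }

        // chain[0] is the client's own certificate. Trust in the chain is decided
        // by the container during the handshake; this is the application check.
        X509Certificate clientCert = (X509Certificate) chain[0];
        if (!isAuthorized(clientCert)) {
            throw new Fault(new SecurityException("Client certificate not authorized"));
        }
        message.put(CLIENT_CERT, clientCert);
    }

    /** Application-specific decision; the subject DN below is a constructed placeholder. */
    protected boolean isAuthorized(X509Certificate cert) {
        return "CN=example-client,O=Example".equals(cert.getSubjectX500Principal().getName());
    }
}
```

Register the interceptor only on the endpoints that need client certificates; endpoints without it keep accepting calls from clients that present none.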


Re: Configuring 2way SSL on a REST endpoint in an OSGi container

Posted by Christian Schneider <ch...@die-schneider.net>.
You are lucky :-)

I just created such an example for CXF-DOSGi 2.

See:
https://github.com/apache/cxf-dosgi/tree/master/samples/ssl

Christian

On 16.09.2016 08:42, Martin Nielsen wrote:
> Hello everyone.
>
> I have a question about using CXF in an OSGi container. More specifically
> using it via Declarative Services.
>
> I need to create a REST endpoint, that is secured by 2way SSL, as well as
> an interceptor which can read the incoming client certificate after the
> handshake in order to perform authentication inside the application itself.
>
> But how do I do this? I found a demo to make CXF register a component as a
> rest service here. http://cxf.apache.org/dosgi-ds-demo-page.html
>
> But I still can't find resources on how to do the 2way ssl part.
> I know I need to set up trust and keystores on the HTTPConduit, but I have
> no idea how or where to do that in an OSGi environment.
>
> I am using Karaf for the OSGi container, if that has any relevance.
>
> Thank you in advance
>
> -Martin
>


-- 
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com