
我在Spring配置中定義了一個簡單的WebService:如何在Java中為Spring/CXF的Web服務啓用TLS/SSL?

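<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cxf="http://cxf.apache.org/core"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:wsa="http://cxf.apache.org/ws/addressing"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:wsrm-policy="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
xmlns:wsrm-mgr="http://cxf.apache.org/ws/rm/manager"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xsi:schemaLocation="
    http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
    http://schemas.xmlsoap.org/ws/2005/02/rm/policy http://schemas.xmlsoap.org/ws/2005/02/rm/wsrm-policy.xsd
    http://cxf.apache.org/ws/rm/manager http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
    http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
    http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd">

<!-- CXF bootstrap: the core bus definition plus every cxf-extension-*.xml found on the classpath. -->
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-*.xml" />

<!-- NOTE(review): CXF's logging interceptors presumably write SOAP headers and message bodies
     to the application log; confirm they are disabled, or sensitive fields are scrubbed,
     before this configuration leaves development. -->
<bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>

<!-- Bus definition (id "cxf") with the two logging interceptors attached to all four
     phases: inbound, outbound, outbound fault and inbound fault. -->
<bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl">
    <property name="inInterceptors">
     <list>
      <ref bean="logInbound"/>
     </list>
    </property>
    <property name="outInterceptors">
     <list>
      <ref bean="logOutbound"/>
     </list>
    </property>
    <property name="outFaultInterceptors">
     <list>
      <ref bean="logOutbound"/>
     </list>
    </property>
    <property name="inFaultInterceptors">
     <list>
      <ref bean="logInbound"/>
     </list>
    </property>
</bean>

<!-- Plain-HTTP Jetty engine on port 9001. org.eclipse.jetty.server.bio.SocketConnector
     carries no TLS, so every request and response crosses the network in clear text;
     this is the engine the question asks to secure. The engine port and the connector's
     port property must agree (both are 9001 here). -->
<httpj:engine-factory bus="cxf">
    <httpj:engine port="9001">
     <httpj:threadingParameters minThreads="10" maxThreads="100" />
     <httpj:connector>
      <bean class="org.eclipse.jetty.server.bio.SocketConnector">
       <property name="port" value="9001" />
      </bean>
     </httpj:connector>
     <httpj:handlers>
      <bean class="org.eclipse.jetty.server.handler.DefaultHandler" />
     </httpj:handlers>
     <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>
</httpj:engine-factory>

<!-- JAX-WS service factory; prototype scope means each endpoint that references it
     receives its own instance. -->
<bean id="serviceFactory" class="org.apache.cxf.jaxws.support.JaxWsServiceFactoryBean"
    scope="prototype">
    <property name="serviceConfigurations">
     <list>
      <bean class="org.apache.cxf.jaxws.support.JaxWsServiceConfiguration" />
      <bean
       class="org.apache.cxf.aegis.databinding.XFireCompatibilityServiceConfiguration" />
      <bean class="org.apache.cxf.service.factory.DefaultServiceConfiguration" />
     </list>
    </property>
</bean>

<!-- Service implementation; timeoutWS is resolved by a property placeholder configured
     outside this snippet. -->
<bean id="eventWebService" class="org.myapp.EventWS">
    <property name="timeout" value="${timeoutWS}" />
</bean>

<!-- Endpoint address comes from the event.endpoint property; the question reports
     event.endpoint = http://localhost:9001/event, i.e. the plain-HTTP engine above. -->
<jaxws:endpoint id="event" implementor="#eventWebService"
    address="${event.endpoint}">
    <jaxws:serviceFactory>
     <ref bean="serviceFactory" />
    </jaxws:serviceFactory>
</jaxws:endpoint>

<!-- Closing root tag was missing from the original listing, leaving it not well-formed. -->
</beans>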

它作為一個簡單的WS正常工作,其中 event.endpoint = http://localhost:9001/event

但現在,我想使用服務器私鑰以TLS保護連接。 我知道如何使用SSLContext(http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLContext.html)來做到這一點,但Spring對我來說是新事物。 我想我需要用另一種配置創建一個新的端點?或使用另一個ServiceFactory?

問候, razor

回答


您必須用啓用SSL的連接器來配置engine-factory。也許這可以幫助: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL


奇怪的是,我必須配置連接器,tlsServerParameters不起作用。 <property name="port" value="9101"/> <property name="keystore" value="./config/keystore-gateway"/> <property name="password" value="pass"/> <property name="keyPassword" value="pass"/> <property name="needClientAuth" value="true"/> <property name="wantClientAuth" value="true"/> razor


不好意思,我在這裏無法說得更詳細 –


我已經成功地用SSL創建了一個新的引擎

<!-- TLS-enabled Jetty engine on port 9101. This fragment uses the sec: prefix without
     declaring it; the enclosing <beans> root must carry
     xmlns:sec="http://cxf.apache.org/configuration/security" for it to load. -->
<httpj:engine port="9101">
     <!-- NOTE(review): the comment thread on this page reports that clientAuthentication here
          had no effect once an explicit httpj:connector bean was supplied, presumably because
          the engine then uses that connector as-is instead of building its own from
          tlsServerParameters; the author enabled mutual TLS by setting the needClientAuth and
          wantClientAuth properties on the connector bean instead. Confirm against the CXF
          version in use. -->
     <httpj:tlsServerParameters>
      <sec:clientAuthentication want="true"
       required="true" />
     </httpj:tlsServerParameters>

     <httpj:threadingParameters minThreads="10"
      maxThreads="100" />
     <!-- Explicit SSL connector: the server key material is configured on the Jetty bean,
          not through CXF's keyManagers. -->
     <httpj:connector>
      <bean class="org.eclipse.jetty.server.ssl.SslSocketConnector">
       <property name="port" value="9101" />
       <!-- Relative path; presumably resolved against the JVM working directory rather
            than the classpath, so the deployment layout must match. -->
       <property name="keystore" value= "./config/keystore-gateway" />
       <!-- NOTE(review): keystore and private-key passwords are stored in clear text in this
            file; move them behind a property placeholder fed from a protected properties
            file or the environment, and keep the config out of version control otherwise. -->
       <property name="password" value= "pass" />
       <property name="keyPassword" value= "pass" />
      </bean>
     </httpj:connector>
     <httpj:handlers>
      <bean class="org.eclipse.jetty.server.handler.DefaultHandler" />
     </httpj:handlers>
     <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>

在瀏覽器中可以通過SSL訪問它。

現在如何啓用相互認證?


奇怪,httpj:tlsServerParameters沒有用,我不得不把整個配置放到httpj:connector中。相互驗證的附加參數: razor

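<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
    http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
    http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
    http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<!-- An optional override.properties on the classpath takes precedence over defaultProperties;
     the file may be absent (ignore-resource-not-found). -->
<context:property-placeholder location="classpath:override.properties" ignore-resource-not-found="true" properties-ref="defaultProperties"/>
<util:properties id="defaultProperties">
    <!-- Default keystore location; keyManager.keystore is the key the engine below references. -->
    <prop key="keyManager.keystore">certs/localhost.jks</prop>
</util:properties>

<http:destination name="yourDestination" />

<httpj:engine-factory>
    <httpj:engine port="yourPort">
     <httpj:tlsServerParameters>
      <!-- Server identity: the private key and certificate presented to clients.
           NOTE(review): the passwords here are literal sample values; in a real deployment
           feed them through the property placeholder above (a key defined only in
           override.properties) instead of committing them in this file. -->
      <sec:keyManagers keyPassword="password">
       <!-- Placeholder key fixed to match defaultProperties; the original referenced
            ${keys.keystore}, which no property on this page defines. -->
       <sec:keyStore type="JKS" password="password" file="${keyManager.keystore}"/>
      </sec:keyManagers>
      <!-- Trust anchors used to validate client certificates once clientAuthentication is enabled. -->
      <sec:trustManagers>
       <sec:keyStore type="JKS" password="password" file="certs/keystore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
       <!-- Admit only AES suites. The CXF sample this was taken from also included
            export-grade and DES suites (.*_EXPORT_.*, .*_EXPORT1024_.*, .*_WITH_DES_.*,
            .*_WITH_DES40_.*); those offer no meaningful confidentiality and are dropped.
            The exclude is still required: anonymous DH suites such as
            TLS_DH_anon_WITH_AES_128_CBC_SHA match the include but perform no server
            authentication and are open to man-in-the-middle attacks. -->
       <sec:include>.*_WITH_AES_.*</sec:include>
       <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
      <!-- Mutual TLS stays off while this is commented out. want="true" asks the client
           for a certificate; required="true" additionally rejects clients that present none. -->
      <!-- ### HIL
      <sec:clientAuthentication want="true" required="true"/>
      ### HIL ENDE -->
     </httpj:tlsServerParameters>
    </httpj:engine>
</httpj:engine-factory>

<!-- Closing root tag was missing from the original listing, leaving it not well-formed. -->
</beans>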

你需要有一個密鑰庫文件(例如第17行所示),並且你還應該有一個屬性指向驗證密鑰庫所需的證書文件。(關於keystore和keystore身份驗證的介紹,請參閱:http://en.wikipedia.org/wiki/Keystore)