cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > Client HTTP Transport (including SSL support)
Date Tue, 02 Mar 2010 14:59:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+%28including+SSL+support%29">Client
HTTP Transport (including SSL support)</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~cleclerc">Cyrille
Le Clerc</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">
         <h1><a name="ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport"></a>Configuring
SSL Support</h1>

<p>To configure your client to use SSL, you'll need to add an &lt;http:conduit&gt;
definition to your XML configuration file. See the <a href="/confluence/display/CXF20DOC/Configuration"
title="Configuration">Configuration</a> guide to learn how to supply your own XML
configuration file to CXF. If you are already using Spring, this can be added to your existing
beans definitions.</p>

<p>A <a href="http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/"
rel="nofollow">wsdl_first_https</a> sample can be found in the CXF distribution with
more detail. Also see this <a href="http://techpolesen.blogspot.com/2007/08/using-ssl-with-xfirecxf-battling.html"
rel="nofollow">blog entry</a> for another example.</p>

<p>Here is a sample of what your conduit definition might look like:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
  <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
  <span class="code-keyword">xmlns:sec</span>=<span class="code-quote">"http://cxf.apache.org/configuration/security"</span>
  <span class="code-keyword">xmlns:http</span>=<span class="code-quote">"http://cxf.apache.org/transports/http/configuration"</span>
  <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://java.sun.com/xml/ns/jaxws"</span>
  xsi:schemaLocation="
  		   http://cxf.apache.org/configuration/security
  		      http://cxf.apache.org/schemas/configuration/security.xsd
           http://cxf.apache.org/transports/http/configuration
              http://cxf.apache.org/schemas/configuration/http-conf.xsd
           http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"&gt;

   <span class="code-tag">&lt;http:conduit name=<span class="code-quote">"{http://apache.org/hello_world}HelloWorld.http-conduit"</span>&gt;</span>

	   <span class="code-tag">&lt;http:tlsClientParameters&gt;</span>
	      <span class="code-tag">&lt;sec:keyManagers keyPassword=<span class="code-quote">"password"</span>&gt;</span>
	           &lt;sec:keyStore type=<span class="code-quote">"JKS"</span> password=<span
class="code-quote">"password"</span>
	                file=<span class="code-quote">"src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"</span>/&gt;
	      <span class="code-tag">&lt;/sec:keyManagers&gt;</span>
	      <span class="code-tag">&lt;sec:trustManagers&gt;</span>
	          &lt;sec:keyStore type=<span class="code-quote">"JKS"</span> password=<span
class="code-quote">"password"</span>
	               file=<span class="code-quote">"src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"</span>/&gt;
	      <span class="code-tag">&lt;/sec:trustManagers&gt;</span>
	      <span class="code-tag">&lt;sec:cipherSuitesFilter&gt;</span>
	        &lt;!-- these filters ensure that a ciphersuite with
	          export-suitable or null encryption is used,
	          but exclude anonymous Diffie-Hellman key exchange as
	          this is vulnerable to man-in-the-middle attacks --&gt;
	        <span class="code-tag">&lt;sec:include&gt;</span>.*_EXPORT_.*<span
class="code-tag">&lt;/sec:include&gt;</span>
	        <span class="code-tag">&lt;sec:include&gt;</span>.*_EXPORT1024_.*<span
class="code-tag">&lt;/sec:include&gt;</span>
	        <span class="code-tag">&lt;sec:include&gt;</span>.*_WITH_DES_.*<span
class="code-tag">&lt;/sec:include&gt;</span>
	        <span class="code-tag">&lt;sec:include&gt;</span>.*_WITH_NULL_.*<span
class="code-tag">&lt;/sec:include&gt;</span>
	        <span class="code-tag">&lt;sec:exclude&gt;</span>.*_DH_anon_.*<span
class="code-tag">&lt;/sec:exclude&gt;</span>
	      <span class="code-tag">&lt;/sec:cipherSuitesFilter&gt;</span>
	  <span class="code-tag">&lt;/http:tlsClientParameters&gt;</span>
	  <span class="code-tag">&lt;http:authorization&gt;</span>
	     <span class="code-tag">&lt;sec:UserName&gt;</span>Betty<span
class="code-tag">&lt;/sec:UserName&gt;</span>
	     <span class="code-tag">&lt;sec:Password&gt;</span>password<span
class="code-tag">&lt;/sec:Password&gt;</span>
	  <span class="code-tag">&lt;/http:authorization&gt;</span>
      <span class="code-tag">&lt;http:client AutoRedirect=<span class="code-quote">"true"</span>
Connection=<span class="code-quote">"Keep-Alive"</span>/&gt;</span>

   <span class="code-tag">&lt;/http:conduit&gt;</span>

<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>
<p>The first thing to notice is the "name" attribute on &lt;http:conduit&gt;.
This allows CXF to associate this HTTP Conduit configuration with a particular WSDL Port.
The name includes the service's namespace, the WSDL port name (as found in the wsdl:service
section of the WSDL), and ".http-conduit". It follows this template: "{WSDL Namespace}portName.http-conduit".
  Note:  it's the PORT name, not the service name.   Thus, it's likely something like "MyServicePort",
not "MyService".   If you are having trouble getting the template to work, another (temporary)
option for the name value is simply "*.http-conduit". </p>

<p>Another option for the name attribute is a regular expression that matches the ORIGINAL URL
of the endpoint.   The configuration is matched at conduit creation, so the address used in
the WSDL or used for the JAX-WS Service.create(...) call can be used for the name.   For example,
you can do:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
   <span class="code-tag">&lt;http:conduit name=<span class="code-quote">"http://localhost:8080/.*"</span>&gt;</span>
       ......
   <span class="code-tag">&lt;/http:conduit&gt;</span>
</pre>
</div></div>
<p>to configure a conduit for all interactions on localhost:8080.  If you have multiple
clients interacting with different services on the same server, this is probably the easiest
way to configure it.</p>


<h1><a name="ClientHTTPTransport%28includingSSLsupport%29-AdvancedConfiguration"></a>Advanced
Configuration</h1>

<p>HTTP client endpoints can specify a number of HTTP connection attributes including
whether the endpoint automatically accepts redirect responses, whether the endpoint can use
chunking, whether the endpoint will request a keep-alive, and how the endpoint interacts with
proxies.</p>

<p>A client endpoint can be configured using three mechanisms:</p>
<ul>
	<li>Configuration</li>
	<li>WSDL</li>
	<li>Java code</li>
</ul>


<h2><a name="ClientHTTPTransport%28includingSSLsupport%29-UsingConfiguration"></a>Using
Configuration</h2>


<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-Namespace"></a>Namespace</h3>

<p>The elements used to configure an HTTP client are defined in the namespace <tt><a
href="http://cxf.apache.org/transports/http/configuration" rel="nofollow">http://cxf.apache.org/transports/http/configuration</a></tt>.
It is commonly referred to using the prefix <tt>http-conf</tt>. In order to use
the HTTP configuration elements you will need to add the lines shown below to the beans element
of your endpoint's configuration file. In addition, you will need to add the configuration
elements' namespace to the <tt>xsi:schemaLocation</tt> attribute.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>HTTP Consumer Configuration Namespace</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
&lt;beans ...
       <span class="code-keyword">xmlns:http-conf</span>="http://cxf.apache.org/transports/http/configuration"
       ...
       xsi:schemaLocation="...
                           http://cxf.apache.org/transports/http/configuration
                           http://cxf.apache.org/schemas/configuration/http-conf.xsd
                          ..."&gt;
</pre>
</div></div>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-The%7B%7Bconduit%7D%7Delement"></a>The
<tt>conduit</tt> element</h3>

<p>You configure an HTTP client using the <tt>http-conf:conduit</tt> element
and its children. The <tt>http-conf:conduit</tt> element takes a single attribute,
<tt>name</tt>, that specifies the WSDL port element that corresponds to the endpoint.
The value for the <tt>name</tt> attribute takes the form <em>portQName</em><tt>.http-conduit</tt>.
For example, the code below shows the <tt>http-conf:conduit</tt> element that
would be used to add configuration for an endpoint that was specified by the WSDL fragment
<tt>&lt;port binding="widgetSOAPBinding" name="widgetSOAPPort"&gt;</tt>
if the endpoint's target namespace was <tt><a href="http://widgets.widgetvendor.net"
rel="nofollow">http://widgets.widgetvendor.net</a></tt>.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>http-conf:conduit Element</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
...
  <span class="code-tag">&lt;http-conf:conduit name=<span class="code-quote">"{http://widgets.widgetvendor.net}widgetSOAPPort.http-conduit"</span>&gt;</span>
    ...
  <span class="code-tag">&lt;/http-conf:conduit&gt;</span>

  <span class="code-tag">&lt;http-conf:conduit name=<span class="code-quote">"*.http-conduit"</span>&gt;</span>
  <span class="code-tag"><span class="code-comment">&lt;!-- you can also use a wildcard to specify the http-conduit that you want to configure --&gt;</span></span>
    ...
  <span class="code-tag">&lt;/http-conf:conduit&gt;</span>
...
</pre>
</div></div>
<p>The <tt>http-conf:conduit</tt> element has a number of child elements
that specify configuration information. They are described below.  See also Sun's <a href="http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html"
rel="nofollow">JSSE Guide</a> for more information on configuring SSL.</p>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Element </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>http-conf:client</tt> </td>
<td class='confluenceTd'> Specifies the HTTP connection properties such as timeouts,
keep-alive requests, content types, etc. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>http-conf:authorization</tt> </td>
<td class='confluenceTd'> Specifies the parameters for configuring the basic authentication
method that the endpoint uses preemptively. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>http-conf:proxyAuthorization</tt> </td>
<td class='confluenceTd'> Specifies the parameters for configuring basic authentication
against outgoing HTTP proxy servers. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>http-conf:tlsClientParameters</tt> </td>
<td class='confluenceTd'> Specifies the parameters used to configure SSL/TLS. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>http-conf:basicAuthSupplier</tt> </td>
<td class='confluenceTd'> Specifies the bean reference or class name of the object that
supplies the basic authentication information used by the endpoint either preemptively or
in response to a 401 HTTP challenge. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>http-conf:trustDecider</tt> </td>
<td class='confluenceTd'> Specifies the bean reference or class name of the object that
checks the HTTP(S) URLConnection object in order to establish trust for a connection with
an HTTPS service provider before any information is transmitted. </td>
</tr>
</tbody></table>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-The%7B%7Bclient%7D%7Delement"></a>The
<tt>client</tt> element</h3>

<p>The <tt>http-conf:client</tt> element is used to configure the non-security
properties of a client's HTTP connection. Its attributes, described below, specify the connection's
properties.</p>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Attribute </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>ConnectionTimeout</tt> </td>
<td class='confluenceTd'> Specifies the amount of time, in milliseconds, that the client
will attempt to establish a connection before it times out. The default is 30000 (30 seconds).
<br clear="all" />
0 specifies that the client will continue to attempt to open a connection indefinitely. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>ReceiveTimeout</tt> </td>
<td class='confluenceTd'> Specifies the amount of time, in milliseconds, that the client
will wait for a response before it times out. The default is 60000. <br clear="all" />
0 specifies that the client will wait indefinitely. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>AutoRedirect</tt> </td>
<td class='confluenceTd'> Specifies if the client will automatically follow a server
issued redirection. The default is false. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>MaxRetransmits</tt> </td>
<td class='confluenceTd'> Specifies the maximum number of times a client will retransmit
a request to satisfy a redirect. The default is &#45;1 which specifies that unlimited
retransmissions are allowed. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>AllowChunking</tt> </td>
<td class='confluenceTd'> Specifies whether the client will send requests using chunking.
The default is true which specifies that the client will use chunking when sending requests.
<br clear="all" />
Chunking cannot be used if either of the following is true:
<ul>
	<li><tt>http-conf:basicAuthSupplier</tt> is configured to provide credentials
preemptively.</li>
	<li><tt>AutoRedirect</tt> is set to true. <br clear="all" />
In both cases the value of <tt>AllowChunking</tt> is ignored and chunking is disallowed.
<br clear="all" />
See note about chunking below.</li>
</ul>
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>Accept</tt> </td>
<td class='confluenceTd'> Specifies what media types the client is prepared to handle.
The value is used as the value of the HTTP <tt>Accept</tt> property. The value
of the attribute is specified using multipurpose internet mail extensions (MIME) types.
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>AcceptLanguage</tt> </td>
<td class='confluenceTd'> Specifies what language (for example, American English) the
client prefers for the purposes of receiving a response. The value is used as the value of
the HTTP AcceptLanguage property. <br clear="all" />
Language tags are regulated by the International Organization for Standards (ISO) and are
typically formed by combining a language code, determined by the ISO-639 standard, and country
code, determined by the ISO-3166 standard, separated by a hyphen. For example, en-US represents
American English. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>AcceptEncoding</tt> </td>
<td class='confluenceTd'> Specifies what content encodings the client is prepared to
handle. Content encoding labels are regulated by the Internet Assigned Numbers Authority (IANA).
The value is used as the value of the HTTP <tt>AcceptEncoding</tt> property. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>ContentType</tt> </td>
<td class='confluenceTd'> Specifies the media type of the data being sent in the body
of a message. Media types are specified using multipurpose internet mail extensions (MIME)
types. The value is used as the value of the HTTP <tt>ContentType</tt> property.
The default is <tt>text/xml</tt>. <br clear="all" />
<b>Tip:</b> For web services, this should be set to <tt>text/xml</tt>.
If the client is sending HTML form data to a CGI script, this should be set to application/x-www-form-urlencoded.
If the HTTP POST request is bound to a fixed payload format (as opposed to SOAP), the content
type is typically set to application/octet-stream. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>Host</tt> </td>
<td class='confluenceTd'> Specifies the Internet host and port number of the resource
on which the request is being invoked. The value is used as the value of the HTTP <tt>Host</tt>
property. <br clear="all" />
<b>Tip:</b> This attribute is typically not required. It is only required by certain
DNS scenarios or application designs. For example, it indicates what host the client prefers
for clusters (that is, for virtual servers mapping to the same Internet protocol (IP) address).
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>Connection</tt> </td>
<td class='confluenceTd'> Specifies whether a particular connection is to be kept open
or closed after each request/response dialog. There are two valid values:
<ul>
	<li><tt>Keep-Alive</tt> specifies that the client wants to keep its connection
open after the initial request/response sequence. If the server honors it, the connection
is kept open until the consumer closes it.</li>
	<li><tt>close</tt> (default) specifies that the connection to the server
is closed after each request/response sequence.</li>
</ul>
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CacheControl</tt> </td>
<td class='confluenceTd'> Specifies directives about the behavior that must be adhered
to by caches involved in the chain comprising a request from a client to a server. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>Cookie</tt> </td>
<td class='confluenceTd'> Specifies a static cookie to be sent with all requests. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>BrowserType</tt> </td>
<td class='confluenceTd'> Specifies information about the browser from which the request
originates. In the HTTP specification from the World Wide Web consortium (W3C) this is also
known as the <em>user-agent</em>. Some servers optimize based upon the client
that is sending the request. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>Referer</tt> </td>
<td class='confluenceTd'> Specifies the URL of the resource that directed the consumer
to make requests on a particular service. The value is used as the value of the HTTP Referer
property. <br clear="all" />
<b>Note:</b> This HTTP property is used when a request is the result of a browser
user clicking on a hyperlink rather than typing a URL. This can allow the server to optimize
processing based upon previous task flow, and to generate lists of back-links to resources
for the purposes of logging, optimized caching, tracing of obsolete or mistyped links, and
so on. However, it is typically not used in web services applications. <br clear="all"
/>
<b>Important:</b> If the AutoRedirect attribute is set to true and the request
is redirected, any value specified in the Referer attribute is overridden. The value of the
HTTP Referer property will be set to the URL of the service that redirected the consumer's
original request. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>DecoupledEndpoint</tt> </td>
<td class='confluenceTd'> Specifies the URL of a decoupled endpoint for the receipt
of responses over a separate server-&gt;client connection. <br clear="all" />
<b>Warning:</b> You must configure both the client and server to use WS-Addressing
for the decoupled endpoint to work. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>ProxyServer</tt> </td>
<td class='confluenceTd'> Specifies the URL of the proxy server through which requests
are routed. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>ProxyServerPort</tt> </td>
<td class='confluenceTd'> Specifies the port number of the proxy server through which
requests are routed. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>ProxyServerType</tt> </td>
<td class='confluenceTd'> Specifies the type of proxy server used to route requests.
Valid values are:
<ul>
	<li>HTTP (default)</li>
	<li>SOCKS</li>
</ul>
</td>
</tr>
</tbody></table>

<h4><a name="ClientHTTPTransport%28includingSSLsupport%29-Exampleusingthe%7B%7BClient%7D%7DElement"></a>Example
using the <tt>Client</tt> Element</h4>

<p>The example below shows the configuration for an HTTP client that wants to keep
its connection to the server open between requests, will only retransmit requests once per
invocation, and cannot use chunking streams.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>HTTP Consumer Endpoint Configuration</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
       <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
       <span class="code-keyword">xmlns:http-conf</span>=<span class="code-quote">"http://cxf.apache.org/transports/http/configuration"</span>
       xsi:schemaLocation="http://cxf.apache.org/transports/http/configuration
                           http://cxf.apache.org/schemas/configuration/http-conf.xsd
                           http://www.springframework.org/schema/beans
                             http://www.springframework.org/schema/beans/spring-beans.xsd"&gt;

  <span class="code-tag">&lt;http-conf:conduit name=<span class="code-quote">"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit"</span>&gt;</span>
    &lt;http-conf:client Connection=<span class="code-quote">"Keep-Alive"</span>
                      MaxRetransmits=<span class="code-quote">"1"</span>
                      AllowChunking=<span class="code-quote">"false"</span> /&gt;
  <span class="code-tag">&lt;/http-conf:conduit&gt;</span>
<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>
<p>Again, see the <a href="http://cwiki.apache.org/CXF20DOC/configuration.html" rel="nofollow">Configuration
page</a> for information on how to get CXF to detect your configuration file.</p>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-The%7B%7BtlsClientParameters%7D%7Delement"></a>The
<tt>tlsClientParameters</tt> element</h3>

<p>The TLSClientParameters are listed <a href="https://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java"
rel="nofollow">here</a> and <a href="https://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java"
rel="nofollow">here</a>.  </p>

<p><b><tt>trustAllCertificates</tt>: SSL X509 certificate verification
deactivation</b></p>

<p>A new feature starting in CXF 2.2.7 is the <tt>trustAllCertificates</tt>
attribute for this element.  It defaults to <tt>false</tt>, indicating that the
SSL certificate will be checked against the <a href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/X509TrustManager.html"
rel="nofollow">X509TrustManager</a> (if none is configured, the JVM's keystore is
used), and the connection fails if the certificate is not trusted (unknown <a href="http://en.wikipedia.org/wiki/Certificate_authority"
rel="nofollow">Certificate Authority</a>, etc).  If set to <tt>true</tt>
(not recommended for production use), such checks will be bypassed and the client accepts any
certificate the server presents. That will allow you, for
example, to easily use a <a href="http://en.wikipedia.org/wiki/Self-signed_certificate"
rel="nofollow">self-signed certificate</a> during development.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
 ...
 &lt;http-conf:conduit name=<span class="code-quote">"{http://example.com/}HelloWorldServicePort.http-conduit"</span>&gt;
  &lt;!-- trust all certificates (self-signed certificate, etc)                --&gt;
  &lt;!-- WARNING ! trustAllCertificates=<span class="code-keyword">true</span> should NOT be used in production --&gt;
  &lt;http-conf:tlsClientParameters trustAllCertificates=<span class="code-quote">"<span class="code-keyword">true</span>"</span> /&gt;
  ...
 &lt;/http-conf:conduit&gt;
 ...
</pre>
</div></div>

<p><b><tt>disableCNcheck</tt>: SSL hostname verification</b></p>

<p>A new feature starting in CXF 2.0.5 is the <tt>disableCNcheck</tt> attribute
for this element.  It defaults to <tt>false</tt>, indicating that the hostname
given in the HTTPS URL will be checked against the service's Common Name (CN) given in its
certificate during SOAP client requests, and the request fails if there is a mismatch.  If set to <tt>true</tt>
(not recommended for production use), such checks will be bypassed.  That will allow you,
for example, to use a URL such as <tt>localhost</tt> during development.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
 ...
 &lt;http-conf:conduit name=<span class="code-quote">"{http://example.com/}HelloWorldServicePort.http-conduit"</span>&gt;
   &lt;!-- deactivate HTTPS url hostname verification (localhost, etc)    --&gt;
   &lt;!-- WARNING ! disableCNcheck=<span class="code-keyword">true</span> should NOT be used in production --&gt;
   &lt;http-conf:tlsClientParameters disableCNcheck=<span class="code-quote">"<span class="code-keyword">true</span>"</span> /&gt;
   ...
 &lt;/http-conf:conduit&gt;
 ...
</pre>
</div></div>
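<p>A pre-deployment check for the settings above, as an added example that is not part of the CXF documentation or code base: it scans a conduit configuration for <tt>trustAllCertificates</tt>, <tt>disableCNcheck</tt> and a <tt>cipherSuitesFilter</tt> like the one in the first sample, which selects only export, DES and NULL suites. Assumptions: include/exclude entries are full-match regular expressions and a suite is kept when it matches an include and no exclude; the suite list, the weak-name pattern, the sample configuration and the function names are constructed for this example.</p>

```python
import re
import xml.etree.ElementTree as ET

# Namespaces from the page; the "http:" and "http-conf:" prefixes both map to HTTP_NS.
HTTP_NS = "http://cxf.apache.org/transports/http/configuration"
SEC_NS = "http://cxf.apache.org/configuration/security"

# Constructed list of JSSE suite names to evaluate each filter against.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

# Name fragments this example treats as weak (an assumption, not a CXF list).
WEAK = re.compile(r"_EXPORT|_WITH_NULL_|_WITH_DES_|_anon_")

# tlsClientParameters attributes the page marks as not for production use.
TLS_FLAGS = {
    "trustAllCertificates": "certificate chain validation is bypassed",
    "disableCNcheck": "hostname verification is bypassed",
}

# Constructed configuration: the page's cipher filter, the two bypass flags,
# and one conduit with a stricter filter that should produce no finding.
SAMPLE_CONFIG = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration">
  <http-conf:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
    <http-conf:tlsClientParameters>
      <sec:cipherSuitesFilter>
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http-conf:tlsClientParameters>
  </http-conf:conduit>
  <http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit">
    <http-conf:tlsClientParameters trustAllCertificates="true" disableCNcheck="true"/>
  </http-conf:conduit>
  <http-conf:conduit name="{http://example.com/}StrictPort.http-conduit">
    <http-conf:tlsClientParameters>
      <sec:cipherSuitesFilter>
        <sec:include>TLS_.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http-conf:tlsClientParameters>
  </http-conf:conduit>
</beans>
"""


def _patterns(filter_el, tag):
    """Compile the non-empty <sec:include> or <sec:exclude> entries of a filter."""
    texts = [(e.text or "").strip() for e in filter_el.findall(f"{{{SEC_NS}}}{tag}")]
    return [re.compile(t) for t in texts if t]


def selected_suites(filter_el, candidates):
    """Suites kept by the filter: match some include and no exclude (assumed semantics)."""
    inc = _patterns(filter_el, "include")
    exc = _patterns(filter_el, "exclude")
    return [s for s in candidates
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]


def audit(xml_text, candidates=SAMPLE_SUITES):
    """Return (conduit name, setting, detail) for each risky TLS client setting."""
    findings = []
    root = ET.fromstring(xml_text)
    for conduit in root.iter(f"{{{HTTP_NS}}}conduit"):
        name = conduit.get("name", "?")
        for tls in conduit.findall(f"{{{HTTP_NS}}}tlsClientParameters"):
            for attr, detail in TLS_FLAGS.items():
                if tls.get(attr, "false").strip().lower() == "true":
                    findings.append((name, attr, detail))
            filt = tls.find(f"{{{SEC_NS}}}cipherSuitesFilter")
            if filt is None:
                continue
            chosen = selected_suites(filt, candidates)
            weak = [s for s in chosen if WEAK.search(s)]
            if weak:
                detail = (f"{len(weak)} of {len(chosen)} selected suites are weak: "
                          + ", ".join(weak))
                findings.append((name, "cipherSuitesFilter", detail))
    return findings


if __name__ == "__main__":
    for conduit_name, setting, detail in audit(SAMPLE_CONFIG):
        print(f"{conduit_name}: {setting}: {detail}")
```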

<h2><a name="ClientHTTPTransport%28includingSSLsupport%29-UsingWSDL"></a>Using
WSDL</h2>


<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-Namespace"></a>Namespace</h3>

<p>The WSDL extension elements used to configure an HTTP client are defined in the namespace
<tt><a href="http://cxf.apache.org/transports/http/configuration" rel="nofollow">http://cxf.apache.org/transports/http/configuration</a></tt>.
It is commonly referred to using the prefix <tt>http-conf</tt>. In order to use
the HTTP configuration elements you will need to add the line shown below to the <tt>definitions</tt>
element of your endpoint's WSDL document.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>HTTP Consumer WSDL Element's Namespace</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
&lt;definitions ...
       <span class="code-keyword">xmlns:http-conf</span>="http://cxf.apache.org/transports/http/configuration"
</pre>
</div></div>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-The%7B%7Bclient%7D%7Delement"></a>The
<tt>client</tt> element</h3>

<p>The <tt>http-conf:client</tt> element is used to specify the connection
properties of an HTTP client in a WSDL document. The <tt>http-conf:client</tt>
element is a child of the WSDL <tt>port</tt> element. It has the same attributes
as the <tt>client</tt> element used in the configuration file.</p>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-Example"></a>Example</h3>

<p>The example below shows a WSDL fragment that configures an HTTP client to specify
that it will not interact with caches.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>WSDL to Configure an HTTP Consumer Endpoint</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;service ...&gt;</span>
  <span class="code-tag">&lt;port ...&gt;</span>
    <span class="code-tag">&lt;soap:address ... /&gt;</span>
    <span class="code-tag">&lt;http-conf:client CacheControl=<span class="code-quote">"no-cache"</span>
/&gt;</span>
  <span class="code-tag">&lt;/port&gt;</span>
<span class="code-tag">&lt;/service&gt;</span>
</pre>
</div></div>

<h2><a name="ClientHTTPTransport%28includingSSLsupport%29-Usingjavacode"></a>Using
java code</h2>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-HowtoconfiguretheHTTPConduitfortheSOAPClient%3F"></a>How
to configure the HTTPConduit for the SOAP Client?</h3>
<p>First you need to get the <a href="http://tinyurl.com/285zll" rel="nofollow">HTTPConduit</a>
from the Proxy object or Client, then you can set the <a href="https://svn.apache.org/repos/asf/cxf/trunk/rt/transports/http/src/main/resources/schemas/configuration/http-conf.xsd"
rel="nofollow">HTTPClientPolicy</a>, AuthorizationPolicy, ProxyAuthorizationPolicy,
<a href="https://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java"
rel="nofollow">TLSClientParameters</a>, and/or <a href="https://svn.apache.org/repos/asf/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpBasicAuthSupplier.java"
rel="nofollow">HttpBasicAuthSupplier</a>.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
  <span class="code-keyword">import</span> org.apache.cxf.endpoint.Client;
  <span class="code-keyword">import</span> org.apache.cxf.frontend.ClientProxy;
  <span class="code-keyword">import</span> org.apache.cxf.transport.http.HTTPConduit;
  <span class="code-keyword">import</span> org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
  ...

  URL wsdl = getClass().getResource(<span class="code-quote">"wsdl/greeting.wsdl"</span>);
  SOAPService service = <span class="code-keyword">new</span> SOAPService(wsdl,
serviceName);
  Greeter greeter = service.getPort(portName, Greeter.class);

  <span class="code-comment">// Okay, are you sick of configuration files?</span>
  <span class="code-comment">// This will show you how to configure the HTTP conduit dynamically</span>
  Client client = ClientProxy.getClient(greeter);
  HTTPConduit http = (HTTPConduit) client.getConduit();

  HTTPClientPolicy httpClientPolicy = <span class="code-keyword">new</span> HTTPClientPolicy();

  httpClientPolicy.setConnectionTimeout(36000);
  httpClientPolicy.setAllowChunking(<span class="code-keyword">false</span>);
  httpClientPolicy.setReceiveTimeout(32000);

  http.setClient(httpClientPolicy);

  ...
  greeter.sayHi(<span class="code-quote">"Hello"</span>);
</pre>
</div></div>

<h3><a name="ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F"></a>How
to override the service address ?</h3>

<p>If you are using the JAX-WS API to create the proxy object, here is an example that is
fully JAX-WS compliant:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
   URL wsdlURL = MyService.class.getClassLoader()
            .getResource(<span class="code-quote">"myService.wsdl"</span>);
   QName serviceName = <span class="code-keyword">new</span> QName(<span class="code-quote">"urn:myService"</span>,
<span class="code-quote">"MyService"</span>);
   MyService service = <span class="code-keyword">new</span> MyService(wsdlURL,
serviceName);
   ServicePort client = service.getServicePort();
   BindingProvider provider = (BindingProvider)client;
   <span class="code-comment">// You can set the address per request here</span>
   provider.getRequestContext().put(
        BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
        <span class="code-quote">"http://my/new/url/to/the/service"</span>);
</pre>
</div></div>

<p>If you are using the CXF ProxyFactoryBean to create the proxy object, you can set the
address like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">   
   JaxWsProxyFactoryBean proxyFactory = <span class="code-keyword">new</span> JaxWsProxyFactoryBean();
   proxyFactory.setServiceClass(ServicePort.class);
   <span class="code-comment">// you could set the service address with this method
</span>   proxyFactory.setAddress(<span class="code-quote">"theUrlyouwant"</span>);
   ServicePort client = (ServicePort) proxyFactory.create();
</pre>
</div></div>

<p>Here is another way which takes advantage of JAXWS's Service.addPort() API</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
   URL wsdlURL = MyService.class.getClassLoader().getResource(<span class="code-quote">"service2.wsdl"</span>);
   QName serviceName = <span class="code-keyword">new</span> QName(<span class="code-quote">"urn:service2"</span>, <span class="code-quote">"MyService"</span>);
   QName portName = <span class="code-keyword">new</span> QName(<span class="code-quote">"urn:service2"</span>, <span class="code-quote">"ServicePort"</span>);
   MyService service = <span class="code-keyword">new</span> MyService(wsdlURL, serviceName);
   <span class="code-comment">// You can add whatever address you want
</span>   service.addPort(portName, <span class="code-quote">"http://schemas.xmlsoap.org/soap/"</span>, <span class="code-quote">"http://the/new/url/myService"</span>);
   <span class="code-comment">// Pass the SEI class that is generated by wsdl2java (ServicePort here)
</span>   ServicePort proxy = service.getPort(portName, ServicePort.class);
</pre>
</div></div> 

<h2><a name="ClientHTTPTransport%28includingSSLsupport%29-ClientCacheControlDirectives"></a>Client
Cache Control Directives</h2>

<p>The following table lists the cache control directives supported by an HTTP client.</p>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Directive </th>
<th class='confluenceTh'> Behavior </th>
</tr>
<tr>
<td class='confluenceTd'> no-cache </td>
<td class='confluenceTd'> Caches cannot use a particular response to satisfy subsequent
requests without first revalidating that response with the server. If specific response header
fields are specified with this value, the restriction applies only to those header fields
within the response. If no response header fields are specified, the restriction applies to
the entire response. </td>
</tr>
<tr>
<td class='confluenceTd'> no-store </td>
<td class='confluenceTd'> Caches must not store any part of a response or any part of
the request that invoked it. </td>
</tr>
<tr>
<td class='confluenceTd'> max-age </td>
<td class='confluenceTd'> The consumer can accept a response whose age is no greater
than the specified time in seconds. </td>
</tr>
<tr>
<td class='confluenceTd'> max-stale </td>
<td class='confluenceTd'> The consumer can accept a response that has exceeded its expiration
time. If a value is assigned to max-stale, it represents the number of seconds beyond the
expiration time of a response up to which the consumer can still accept that response. If
no value is assigned, it means the consumer can accept a stale response of any age. </td>
</tr>
<tr>
<td class='confluenceTd'> min-fresh </td>
<td class='confluenceTd'> The consumer wants a response that will still be fresh
for at least the specified number of seconds. </td>
</tr>
<tr>
<td class='confluenceTd'> no-transform </td>
<td class='confluenceTd'> Caches must not modify media type or location of the content
in a response between a provider and a consumer. </td>
</tr>
<tr>
<td class='confluenceTd'> only-if-cached </td>
<td class='confluenceTd'> Caches should return only responses that are currently stored
in the cache, and not responses that need to be reloaded or revalidated. </td>
</tr>
<tr>
<td class='confluenceTd'> cache-extension </td>
<td class='confluenceTd'> Specifies additional extensions to the other cache directives.
Extensions might be informational or behavioral. An extended directive is specified in the
context of a standard directive, so that applications not understanding the extended directive
can at least adhere to the behavior mandated by the standard directive. </td>
</tr>
</tbody></table>

<h1><a name="ClientHTTPTransport%28includingSSLsupport%29-ANoteAboutChunking"></a>A
Note About Chunking</h1>

<p>There are two ways of putting a body into an HTTP stream:</p>
<ul>
	<li>The "standard" way used by most browsers is to specify a Content-Length header
in the HTTP headers.   This allows the receiver to know how much data is coming and when to
stop reading.   The problem with this approach is that the length needs to be pre-determined.
  The data cannot be streamed as generated as the length needs to be calculated upfront. 
 Thus, if chunking is turned off, we need to buffer the data in a byte buffer (or temp file
if too large) so that the Content-Length can be calculated.</li>
	<li>Chunked - with this mode, the data is sent to the receiver in chunks. Each chunk
is preceded by a hexadecimal chunk size. When a chunk size is 0, the receiver knows all
the data has been received. This mode allows better streaming as we just need to buffer
a small amount, up to 8K by default, and when the buffer fills, write out the chunk.</li>
</ul>


<p>In general, Chunked will perform better as the streaming can take place directly.
  HOWEVER, there are some problems with chunking:</p>

<ul>
	<li>Many proxy servers don't understand it, especially older proxy servers.   Many
proxy servers want the Content-Length up front so they can allocate a buffer to store the
request before passing it onto the real server.</li>
	<li>Some of the older WebServices stacks also have problems with Chunking.  Specifically,
older versions of .NET.</li>
</ul>


<p>If you are getting strange errors (generally not SOAP faults, but other HTTP type
errors) when trying to interact with a service, try turning off chunking to see if that helps.</p>
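
<p>Added example (not part of the original page and not CXF's own code): a stand-alone Java
program that writes the same constructed body with each of the two framings described above,
so the difference on the wire is visible. The class name <code>BodyFramingDemo</code>, its
method names and the 8-byte buffer are assumptions chosen for illustration.</p>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class BodyFramingDemo {

    // Content-Length framing: the complete body must already be buffered,
    // because its length goes into the header before any body byte is sent.
    static byte[] withContentLength(byte[] body) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(ascii("Content-Length: " + body.length + "\r\n\r\n"));
        out.write(body);
        return out.toByteArray();
    }

    // Chunked framing: fill a small buffer, write "<hex size>\r\n<data>\r\n",
    // repeat until the source is exhausted, then write the zero-size chunk.
    static byte[] chunked(InputStream body, int bufSize) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(ascii("Transfer-Encoding: chunked\r\n\r\n"));
        byte[] buf = new byte[bufSize];
        int n;
        while ((n = body.read(buf)) > 0) {
            out.write(ascii(Integer.toHexString(n) + "\r\n"));
            out.write(buf, 0, n);
            out.write(ascii("\r\n"));
        }
        out.write(ascii("0\r\n\r\n")); // chunk size 0: all data has been sent
        return out.toByteArray();
    }

    static byte[] ascii(String s) {
        return s.getBytes(StandardCharsets.US_ASCII);
    }

    // Makes the CRLF line endings visible when printing the wire bytes.
    static String show(byte[] wire) {
        return new String(wire, StandardCharsets.US_ASCII).replace("\r\n", "\\r\\n\n");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body; a tiny buffer stands in for the 8K default.
        byte[] body = ascii("constructed-body-20b");
        System.out.println(show(withContentLength(body)));
        System.out.println(show(chunked(new ByteArrayInputStream(body), 8)));
    }
}
```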



<h1><a name="ClientHTTPTransport%28includingSSLsupport%29-NTLMAuthentication"></a>NTLM
Authentication</h1>

<p>CXF doesn't support NTLM authentication "out of the box" on Java 5, but with some
additional libraries and configuration, the standard HttpURLConnection objects that we use
can do the NTLM authentication.    On Java 6, NTLM authentication is built into the Java runtime
and you don't need to do anything special.  </p>

<p>On Java 5, you need a library that will augment the HttpURLConnection to do it. 
See: <a href="http://jcifs.samba.org/src/docs/httpclient.html" rel="nofollow">http://jcifs.samba.org/src/docs/httpclient.html</a>
   Note: jcifs is LGPL licensed, not Apache licensed.</p>

<p>Next, you need to configure jcifs to use the correct domains, WINS servers, etc.
Notice that the bit which sets the username/password to use for NTLM is commented out.
If credentials are missing, jcifs will use the underlying NT credentials.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-comment">//Set the jcifs properties
</span>jcifs.Config.setProperty(<span class="code-quote">"jcifs.smb.client.domain"</span>, <span class="code-quote">"ben.com"</span>);
jcifs.Config.setProperty(<span class="code-quote">"jcifs.netbios.wins"</span>, <span class="code-quote">"xxx.xxx.xxx.xxx"</span>);
jcifs.Config.setProperty(<span class="code-quote">"jcifs.smb.client.soTimeout"</span>, <span class="code-quote">"300000"</span>); <span class="code-comment">// 5 minutes
</span>jcifs.Config.setProperty(<span class="code-quote">"jcifs.netbios.cachePolicy"</span>, <span class="code-quote">"1200"</span>); <span class="code-comment">// 20 minutes
</span><span class="code-comment">// jcifs.Config.setProperty("jcifs.smb.client.username", "myNTLogin");
</span><span class="code-comment">// jcifs.Config.setProperty("jcifs.smb.client.password", "secret");
</span>
<span class="code-comment">//Register the jcifs URL handler to enable NTLM
</span>jcifs.Config.registerSmbURLHandler();
</pre>
</div></div>

<p>Finally, you need to set up the CXF client to turn off chunking. The reason is that
the NTLM authentication requires a 3-part handshake, which breaks the streaming.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-comment">//Turn off chunking so that NTLM can occur
</span>Client client = ClientProxy.getClient(port);
HTTPConduit http = (HTTPConduit) client.getConduit();
HTTPClientPolicy httpClientPolicy = <span class="code-keyword">new</span> HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(<span class="code-keyword">false</span>);
http.setClient(httpClientPolicy);
</pre>
</div></div>

     </div>
</div>
</div>
</div>
</div>
</body>
</html>
