cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gma...@apache.org
Subject svn commit: r1304120 - in /cxf/trunk/distribution/src/main/release/samples/wsdl_first_https: ./ src/main/java/demo/hw_https/client/
Date Thu, 22 Mar 2012 22:54:00 GMT
Author: gmazza
Date: Thu Mar 22 22:54:00 2012
New Revision: 1304120

URL: http://svn.apache.org/viewvc?rev=1304120&view=rev
Log:
Clean up of wsdl_first_https sample.

Added:
    cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml
Removed:
    cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/WibbleClient.xml
Modified:
    cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt
    cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml
    cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java

Modified: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt?rev=1304120&r1=1304119&r2=1304120&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt (original)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/README.txt Thu Mar 22
22:54:00 2012
@@ -1,96 +1,96 @@
 Hello World Demo using HTTPS communications
 =============================================
-
-This demo takes the hello world demo a step further 
-by doing the communication using HTTPS.
+This demo provides a "hello world" example of making
+SOAP calls with HTTPS.
 
 Please review the README in the samples directory before
 continuing.
 
 Building and running the demo using Maven
 -----------------------------------------
-
 From the base directory of this sample (i.e., where this README file is
 located), the Maven pom.xml file can be used to build and run the demo. 
 
-  mvn install (builds the demo)
+  mvn clean install (builds the demo)
 
-In separate windows:
+In the first terminal windows:
   mvn -Pserver (starts the server)
-  mvn -Pinsecure.client (runs the client in insecure mode, Scenario 1)
-  mvn -Psecure.client (runs the client in secure mode, Scenario 2)
-  mvn -Pinsecure.client.non.spring (runs the client in insecure mode without Spring configuration,
Scenario 3)
-  mvn -Psecure.client.non.spring (runs the client in secure mode without Spring configuration,
Scenario 4)
-  mvn clean (removes all generated and compiled classes)"
+
+Sequentially, in the second terminal window:
+  mvn -Pinsecure.client (Scenario 1, will fail due to no credentials provided)
+  mvn -Psecure.client (Scenario 2, runs successfully)
+  mvn -Pinsecure.client.non.spring (Scenario 3, will fail due to no credentials provided)
+  mvn -Psecure.client.non.spring (Scenario 4, runs successfully)
+
+Later, when desired:
+  mvn clean (removes all generated and compiled classes)
 
 
 The demo illustrates how authentication can be achieved through
-configuration using 3 different scenarios. The non-defaulted security
-policy values are be specified via configuration files or programmatically.
+configuration using two different scenarios, via configuration files
+or using the CXF Java API.
+
+For all four scenarios, the same HTTPS listener (activated above via
+mvn -Pserver) is used.  This listener requires client authentication
+so the client must provide suitable credentials.  The listener configuration 
+is given in the "CherryServer.xml" file located in the /server folder.
 
 Scenario 1:  (-Pinsecure.client)
 
-A HTTPS listener is started up. The listener requires
-client authentication so the client must provide suitable credentials.
-The listener configuration is taken from the "CherryServer.cxf" file
-located in this directory.  The client's security data is taken from
-from the "InsecureClient.cxf" file in this directory, using the bean name:
-"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit". The
-client does NOT provide the appropriate credentials and so the
-invocation on the server fails.
+The client's security data is taken from from the "InsecureClient.xml" file 
+in the /client directory, using the bean name: 
+"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit". 
+This file does not have any credential information so the SOAP call
+ton the server fails.
 
 Scenario 2:  (-Psecure.client)
-The same HTTPS listener is used. The client's security data is taken
-from the "WibbleClient.cxf" configuration file in this directory, 
-using the bean name:
-"{http://apache.org/hello_world_soap_http}SoapPort.http-conduit". 
 
-The client is configured to provide its certificate "CN=Wibble" and
-chain stored in the Java KeyStore "certs/wibble.jks" to the server. The
-server authenticates the client's certificate using its trust store
+Same as above, except this time "SecureClient.xml", which contains the
+appropriate credential information.  This SOAP call will succeed here.
+
+In this configuration file, the client provides its certificate "CN=Wibble" 
+and chain stored in the Java KeyStore "certs/wibble.jks" to the server. The
+server authenticates the client's certificate using its truststore
 "certs/truststore.jks", which holds the Certificate Authorities'
 certificates.
 
 Likewise the client authenticates the server's certificate "CN=Cherry"
-and chain against the same trust store.  Note also the usage of the
+and chain against the same trust store.  Note the usage of the
 cipherSuitesFilter configuration in the configuration files,
-where each party imposes different ciphersuites contraints, so that the
+where each party imposes different ciphersuites constraints, so that the
 ciphersuite eventually negotiated during the TLS handshake is acceptable
 to both sides. This may be viewed by adding a -Djavax.net.debug=all 
 argument to the JVM.
 
 But please note that it is not advisable to store sensitive data such
-as passwords stored in a clear text configuration file, unless the
+as passwords in clear text configuration files, unless the
 file is sufficiently protected by OS level permissions. The KeyStores
-may be configured programmatically so using user interaction may be
+may be configured programmatically so user interaction may be
 employed to keep passwords from being stored in configuration files.
-The approach taken here is for demonstration reasons only. 
+The approach taken here is for demonstration purposes only.
 
 Scenario 3: (-Pinsecure.client.non.spring)
 
-A HTTPS listener is started up.  The client does NOT provide the appropriate 
-credentials programmatically and so the invocation on the server fails.
+Here, configuration is done via Java API (in ClientSpring.java) and not
+Spring XML files.  The client does NOT provide the appropriate credentials 
+programmatically and so the invocation on the server fails.
 
   
 Scenario 4: (-Psecure.client.non.spring)
 
-A HTTPS listener is started up. The client's security data
-is in essence the same as for scenario 2, however this time it 
-is provided programmatically in the client code, ClientNonSpring.java. 
-
-But please note that it is not advisable to store sensitive data such
-as passwords stored directly in java code as the code could possibly be 
-disassembled. Typically the password would be obtained at runtime by 
-prompting for the password. 
-The approach taken here is for demonstration reasons only. 
-
+Same Java class as in Scenario #3 is used, however the class is coded 
+to configure TLS appropriately in this circumstance, so the SOAP call
+will succeed.  Please note that it is not advisable to store sensitive 
+data such as passwords directly in java code as the code could
+possibly be disassembled. Typically the password would be obtained at 
+runtime by prompting for the password.  The approach taken here is for
+demonstration purposes only.
 
 Certificates:
-If the certificates are expired for some reason, a shell script in 
-bin/gencerts.sh will generate the set of certificates needed for
-this sample. Just do the following:
+If the certificates have expired, a shell script in bin/gencerts.sh 
+will generate a new set of certificates needed for this sample. 
+Just do the following:
 
         cd certs
         sh ../bin/gencerts.sh
-       
 

Modified: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml?rev=1304120&r1=1304119&r2=1304120&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml (original)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/pom.xml Thu Mar 22 22:54:00
2012
@@ -75,7 +75,7 @@
                         <configuration>
                             <tasks>
                                 <copy file="${basedir}/src/main/java/demo/hw_https/server/CherryServer.xml"
todir="${basedir}/target/classes/demo/hw_https/server" />
-                                <copy file="${basedir}/src/main/java/demo/hw_https/client/WibbleClient.xml"
todir="${basedir}/target/classes/demo/hw_https/client" />
+                                <copy file="${basedir}/src/main/java/demo/hw_https/client/SecureClient.xml"
todir="${basedir}/target/classes/demo/hw_https/client" />
                                 <copy file="${basedir}/src/main/java/demo/hw_https/client/InsecureClient.xml"
todir="${basedir}/target/classes/demo/hw_https/client" />
                                 <copy todir="${basedir}/target/classes/certs">
                                     <fileset dir="${basedir}/certs" />

Modified: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java?rev=1304120&r1=1304119&r2=1304120&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java
(original)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/Client.java
Thu Mar 22 22:54:00 2012
@@ -58,7 +58,7 @@ public final class Client {
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = null;
         if ("secure".equals(args[1])) {
-            busFile = Client.class.getResource("WibbleClient.xml");
+            busFile = Client.class.getResource("SecureClient.xml");
         } else if ("insecure".equals(args[1])) {
             busFile = Client.class.getResource("InsecureClient.xml");
         } else {

Added: cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml?rev=1304120&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml
(added)
+++ cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/SecureClient.xml
Thu Mar 22 22:54:00 2012
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+  
+  http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+<!-- 
+  ** This file configures the Wibble Client
+  -->
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns:sec="http://cxf.apache.org/configuration/security"
+  xmlns:http="http://cxf.apache.org/transports/http/configuration"
+  xsi:schemaLocation="
+           http://cxf.apache.org/configuration/security
+           http://cxf.apache.org/schemas/configuration/security.xsd
+           http://cxf.apache.org/transports/http/configuration
+           http://cxf.apache.org/schemas/configuration/http-conf.xsd
+           http://www.springframework.org/schema/beans
+           http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+  <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
+    <http:tlsClientParameters disableCNCheck="true">
+      <sec:trustManagers>
+          <sec:keyStore type="JKS" password="password"
+               file="certs/truststore.jks"/>
+      </sec:trustManagers>
+      <sec:keyManagers keyPassword="password">
+           <sec:keyStore type="JKS" password="password" 
+                file="certs/wibble.jks"/>
+      </sec:keyManagers>
+      <sec:cipherSuitesFilter>
+        <!-- these filters ensure that a ciphersuite with
+          export-suitable or null encryption is used,
+          but exclude anonymous Diffie-Hellman key change as
+          this is vulnerable to man-in-the-middle attacks -->
+        <sec:include>.*_EXPORT_.*</sec:include>
+        <sec:include>.*_EXPORT1024_.*</sec:include>
+        <sec:include>.*_WITH_DES_.*</sec:include>
+        <sec:include>.*_WITH_AES_.*</sec:include>
+        <sec:include>.*_WITH_NULL_.*</sec:include>
+        <sec:exclude>.*_DH_anon_.*</sec:exclude>
+      </sec:cipherSuitesFilter>
+    </http:tlsClientParameters>
+   </http:conduit>
+</beans> 
+



Mime
View raw message