cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r874693 - in /websites/production/cxf/content: cache/docs.pageCache docs/tls-configuration.html
Date Thu, 15 Aug 2013 10:47:59 GMT
Author: buildbot
Date: Thu Aug 15 10:47:58 2013
New Revision: 874693

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/tls-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/tls-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/tls-configuration.html (original)
+++ websites/production/cxf/content/docs/tls-configuration.html Thu Aug 15 10:47:58 2013
@@ -128,7 +128,7 @@ Apache CXF -- TLS Configuration
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><div>
-<ul><li><a shape="rect" href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS
Parameters common to both Clients and Servers</a></li><li><a shape="rect"
href="#TLSConfiguration-ClientTLSParameters">Client TLS Parameters</a></li><li><a
shape="rect" href="#TLSConfiguration-ServerTLSParameters">Server TLS Parameters</a></li></ul></div>
+<ul><li><a shape="rect" href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS
Parameters common to both Clients and Servers</a></li><ul><li><a
shape="rect" href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a
shape="rect" href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a
shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</a></li><li><a
shape="rect" href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul><li><a
shape="rect" href="#TLSConfiguration-ClientTLSParameters">Client TLS Parameters</a></li><ul><li><a
shape="rect" href="#TLSConfiguration-DisableCNCheck">Disable CN Check</a></li></ul><li><a
shape="rect" href="#TLSConfiguration-ServerTLSParameters">Server TLS Parameters</a></li><ul><li><a
shape="rect" href="#TLSConfiguration-ClientAuthentication">Client Authentication</a></li></ul></ul></div>
 
 <h1><a shape="rect" name="TLSConfiguration-TLSParameterscommontobothClientsandServers"></a>TLS
Parameters common to both Clients and Servers</h1>
 
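Review bot: In the new table of contents, each nested `<ul>` is placed directly inside the outer `<ul>`, after the closing `</li>` of its parent entry (for example `Clients and Servers</a></li><ul><li>` before the Key Managers link), which is not valid list nesting. Move each sub-list inside its parent `<li>` so the sub-entries stay attached to their heading. Since the log says this is a buildbot production update, the fix belongs in the source wiki page or export template rather than in this generated file.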
@@ -139,6 +139,82 @@ Apache CXF -- TLS Configuration
 </div>
 
 
+<h2><a shape="rect" name="TLSConfiguration-KeyManagers"></a>Key Managers</h2>
+
+<p>The Key Managers configuration item is used to retrieve key information. It is required
for a Server, but is only required for a Client when the Server requires Client Authentication.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>Key Manager sample</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;httpj:tlsServerParameters&gt;
+        ...
+        &lt;sec:keyManagers keyPassword="stskpass"&gt;
+            &lt;sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /&gt;
+        &lt;/sec:keyManagers&gt;
+        ...
+    &lt;/httpj:tlsServerParameters&gt;
+]]></script>
+</div></div>
+
+<h2><a shape="rect" name="TLSConfiguration-TrustManagers"></a>Trust Managers</h2>
+
+<p>The Trust Managers configuration item is used to validate trust in peer X.509 certificates.
It is required for both Servers and Clients. </p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>Trust Manager sample</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;httpj:tlsServerParameters&gt;
+        ...
+        &lt;sec:trustManagers&gt;
+            &lt;sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /&gt;
+        &lt;/sec:trustManagers&gt;
+        ...
+    &lt;/httpj:tlsServerParameters&gt;
+]]></script>
+</div></div>
+
+<h2><a shape="rect" name="TLSConfiguration-CipherSuitesFilter"></a>CipherSuites
Filter</h2>
+
+<p>The CipherSuites Filter is used to either include or exclude particular CipherSuites.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;httpj:tlsServerParameters&gt;
+        ...
+        &lt;sec:cipherSuitesFilter&gt;
+            &lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;
+            &lt;sec:include&gt;.*_EXPORT1024_.*&lt;/sec:include&gt;
+            &lt;sec:include&gt;.*_WITH_DES_.*&lt;/sec:include&gt;
+            &lt;sec:include&gt;.*_WITH_AES_.*&lt;/sec:include&gt;
+            &lt;sec:include&gt;.*_WITH_NULL_.*&lt;/sec:include&gt;
+            &lt;sec:exclude&gt;.*_DH_anon_.*&lt;/sec:exclude&gt;
+        &lt;/sec:cipherSuitesFilter&gt;
+        ...
+    &lt;/httpj:tlsServerParameters&gt;
+]]></script>
+</div></div>
+
+<h2><a shape="rect" name="TLSConfiguration-CertConstraints"></a>Cert Constraints</h2>
+
+<p>Cert constraints can be used by either the client or server to impose constraints
on the peer certificates. This can be done by specifying a set of regular expressions on either
the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator"
attribute can also be specified for either the SubjectDNConstraints or IssuerDNConstraints
Elements. This attribute can be either "ANY" or "ALL", and refers to whether any or all of
the defined regular expressions should apply. The default value is "ALL".</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;httpj:tlsServerParameters&gt;
+        ...
+        &lt;sec:certConstraints&gt;
+            &lt;sec:SubjectDNConstraints&gt;
+                &lt;sec:RegularExpression&gt;.*OU=Morpit.*&lt;/sec:RegularExpression&gt;
+            &lt;/sec:SubjectDNConstraints&gt;
+            &lt;sec:IssuerDNConstraints combinator="ALL"&gt;
+                &lt;sec:RegularExpression&gt;.*O=ApacheTest.*&lt;/sec:RegularExpression&gt;
+                &lt;sec:RegularExpression&gt;.*O=OtherApacheTest.*&lt;/sec:RegularExpression&gt;
+            &lt;/sec:IssuerDNConstraints&gt;
+        &lt;/sec:certConstraints&gt;
+        ...
+    &lt;/httpj:tlsServerParameters&gt;
+]]></script>
+</div></div>
+
+
 <h1><a shape="rect" name="TLSConfiguration-ClientTLSParameters"></a>Client
TLS Parameters</h1>
 
 <p>In addition to the TLS Parameters common to both Clients and Servers, there are
some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java">specific</a>
to Clients:</p>
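Review bot: The CipherSuites Filter sample lists `.*_EXPORT_.*`, `.*_EXPORT1024_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*` as `sec:include` entries, so a reader who copies it enables export-grade, single-DES and no-encryption suites alongside AES. Suggest keeping only the AES pattern under `sec:include` and moving the others to `sec:exclude`, or adding a sentence that the list is illustrative and not a recommendation. In the same hunk, the Cert Constraints panel is titled "CipherSuites Filter sample", and the `IssuerDNConstraints combinator="ALL"` sample requires one issuer DN to match both `.*O=ApacheTest.*` and `.*O=OtherApacheTest.*`, which reads as if "ANY" was meant. The Trust Managers sample also points at the same `stsstore.jks` as the Key Managers sample without saying whether sharing one store is intended.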
@@ -148,22 +224,16 @@ Apache CXF -- TLS Configuration
 </div>
 
 
-<p>Note :  <tt>disableCNCheck</tt> is a parameterized boolean, you can
use a fixed variable <tt>true</tt>|<tt>false</tt> as well as a <a
shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer"
rel="nofollow">Spring externalized property</a> variable (e.g. <tt>${disable-https-hostname-verification</tt>})
or a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef"
rel="nofollow">Spring expression</a> (e.g. <tt>#{systemProperties['dev-mode']</tt>}).</p>
+<h2><a shape="rect" name="TLSConfiguration-DisableCNCheck"></a>Disable
CN Check</h2>
 
-<p>Sample : </p>
+<p><tt>disableCNCheck</tt> is a parameterized boolean, you can use a fixed
variable <tt>true</tt>|<tt>false</tt> as well as a <a shape="rect"
class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer"
rel="nofollow">Spring externalized property</a> variable (e.g. <tt>${disable-https-hostname-verification</tt>})
or a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef"
rel="nofollow">Spring expression</a> (e.g. <tt>#{systemProperties['dev-mode']</tt>}).</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTP URL
hostname verification (usage of localhost, etc)</b></div><div class="codeContent
panelContent">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
- ...
- &lt;http-conf:conduit 
-     name="{http://example.com/}HelloWorldServicePort.http-conduit"&gt;
-
    &lt;!-- deactivate HTTPS url hostname verification (localhost, etc)    --&gt;
    &lt;!-- WARNING ! disableCNcheck=true should NOT be used in production --&gt;
    &lt;http-conf:tlsClientParameters disableCNCheck="true" /&gt;
    ...
- &lt;/http-conf:conduit&gt;
- ...
 ]]></script>
 </div></div>
 
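Review bot: The sample loses its enclosing `<http-conf:conduit name="...">` element here, yet the panel title still reads "HTTP conduit configuration" and a trailing `...` line is left behind, so the snippet no longer shows where `tlsClientParameters` belongs. Either keep the conduit wrapper or retitle the panel and drop the leftover ellipsis. The paragraph moved under the new heading also carries over the misplaced braces in `${disable-https-hostname-verification</tt>})` and `#{systemProperties['dev-mode']</tt>})`, where the closing `}` sits outside the `<tt>`. Because the paragraph shows the flag being driven by a property or expression, the "should NOT be used in production" warning would be better stated in the paragraph than only in an XML comment inside the sample.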
@@ -175,7 +245,20 @@ Apache CXF -- TLS Configuration
 <table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"> Attribute </th><th colspan="1" rowspan="1" class="confluenceTh">
Default </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> <tt>clientAuthentication</tt>
</td><td colspan="1" rowspan="1" class="confluenceTd"> Not "wanted" or "required"
</td><td colspan="1" rowspan="1" class="confluenceTd"> Allows you to configure
whether client authentication is "wanted" and/or "required. </td></tr></tbody></table>
 </div>
 
-</div>
+
+<h2><a shape="rect" name="TLSConfiguration-ClientAuthentication"></a>Client
Authentication</h2>
+
+<p>This allows you to define whether client authentication is wanted and/or required.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>Client Authentication sample</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;httpj:tlsServerParameters&gt;
+        ...
+        &lt;sec:clientAuthentication want="true" required="true" /&gt;
+        ...
+    &lt;/httpj:tlsServerParameters&gt;
+]]></script>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>
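Review bot: The new Client Authentication paragraph repeats the table's description without saying how `want` and `required` differ or what the server does when a client presents no certificate, and the only sample sets both to `true`. Add a sentence on each attribute and state which setting causes the handshake to be rejected. The table cell just above has an unbalanced quote in `"wanted" and/or "required.`, and the closing `</div>` that used to sit on its own line is now fused into `</div></div></div>`, which is worth checking against the page template.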


