cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/4] cxf git commit: [CXF-6414] - Add a way of including TLS protocols in the Jetty server
Date Tue, 19 May 2015 16:09:53 GMT
[CXF-6414] - Add a way of including TLS protocols in the Jetty server

Conflicts:
	rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/575095a1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/575095a1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/575095a1

Branch: refs/heads/3.0.x-fixes
Commit: 575095a1abd5190ac4e8d1db73973e5b300a33e2
Parents: 153ddff
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue May 19 16:36:57 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue May 19 16:52:38 2015 +0100

----------------------------------------------------------------------
 .../configuration/jsse/TLSServerParameters.java |  18 ++
 .../jsse/TLSServerParametersConfig.java         |   3 +
 .../schemas/configuration/security.xsd          |  20 ++
 .../http_jetty/JettyHTTPServerEngine.java       | 268 +++++++++++++++++++
 ...ttyHTTPServerEngineBeanDefinitionParser.java |   4 +
 .../org/apache/cxf/https/ssl3/SSLv3Test.java    |  47 ++++
 .../org/apache/cxf/https/ssl3/sslv3-server.xml  |  27 ++
 7 files changed, 387 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
index 52884c3..fe7806e 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
@@ -32,6 +32,7 @@ public class TLSServerParameters extends TLSParameterBase {
 
     ClientAuthentication clientAuthentication;
     List<String> excludeProtocols = new ArrayList<String>();
+    List<String> includeProtocols = new ArrayList<String>();
     
     /**
      * This parameter configures the server side to request and/or
@@ -64,5 +65,22 @@ public class TLSServerParameters extends TLSParameterBase {
         }
         return excludeProtocols;
     }
+    
+    /**
+     * This parameter sets the protocol list to include.
+     */
+    public final void setIncludeProtocols(List<String> protocols) {
+        includeProtocols = protocols;
+    }
+    
+    /**
+     * Returns the protocols to include that are associated with this endpoint.
+     */
+    public List<String> getIncludeProtocols() {
+        if (includeProtocols == null) {
+            includeProtocols = new ArrayList<String>();
+        }
+        return includeProtocols;
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index a9c9cd6..137e80d 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -57,6 +57,9 @@ public class TLSServerParametersConfig
         if (params.isSetExcludeProtocols()) {
             this.setExcludeProtocols(params.getExcludeProtocols().getExcludeProtocol());
         }
+        if (params.isSetIncludeProtocols()) {
+            this.setIncludeProtocols(params.getIncludeProtocols().getIncludeProtocol());
+        }
         if (params.isSetJsseProvider()) {
             this.setJsseProvider(params.getJsseProvider());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/core/src/main/resources/schemas/configuration/security.xsd
----------------------------------------------------------------------
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index 56fe888..2a2c9de 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -353,6 +353,19 @@
         </xs:sequence>
     </xs:complexType>
     
+    <xs:complexType name="IncludeProtocols">
+      <xs:annotation>
+        <xs:documentation>
+        This structure holds a list of protocols that are to be included.
+        Sometimes we want to include more protocols than the secure socket protocol, for
example
+        "SSLv2Hello".
+        </xs:documentation>
+      </xs:annotation>
+        <xs:sequence>
+           <xs:element name="includeProtocol" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+    </xs:complexType>
+    
     <xs:complexType name="SecureRandomParameters">
       <xs:annotation>
         <xs:documentation>
@@ -557,6 +570,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:element>
+           <xs:element name="includeProtocols" type="tns:IncludeProtocols" minOccurs="0">
+              <xs:annotation>
+                <xs:documentation>
+                This element contains the the Protocols that will be included
+                </xs:documentation>
+              </xs:annotation>
+           </xs:element>
            <xs:element name="secureRandomParameters" 
                        type="tns:SecureRandomParameters" minOccurs="0">
               <xs:annotation>

http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index 87f313d..740e588 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -490,6 +490,274 @@ public class JettyHTTPServerEngine implements ServerEngine {
         }
     }
 
+<<<<<<< HEAD
+=======
+    private void addServerMBean() {
+        if (mBeanContainer == null) {
+            return;
+        }        
+        
+        try {
+            Object o = getContainer(server);
+            o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o,
mBeanContainer);
+            if (Server.getVersion().startsWith("8")) {
+                return;
+            }
+            mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
+                .invoke(mBeanContainer, null, server);
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception r) {
+            throw new RuntimeException(r);
+        }
+    }
+    private void removeServerMBean() {
+        try {
+            mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
+                .invoke(mBeanContainer, null, server);
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception r) {
+            throw new RuntimeException(r);
+        }
+    }
+
+    private Connector createConnector(String hosto, int porto) {
+        // now we just use the SelectChannelConnector as the default connector
+        SslContextFactory sslcf = null;
+        if (tlsServerParameters != null) { 
+            sslcf = new SslContextFactory() {
+                protected void doStart() throws Exception {
+                    setSslContext(createSSLContext(this));
+                    super.doStart();
+                }
+                public void checkKeyStore() {
+                    //we'll handle this later
+                }
+            };
+            decorateCXFJettySslSocketConnector(sslcf);
+        }
+        AbstractConnector result = null;
+        if (!Server.getVersion().startsWith("8")) {
+            result = createConnectorJetty9(sslcf, hosto, porto);
+        } else {
+            result = createConnectorJetty8(sslcf, hosto, porto);
+        }        
+        
+        try {
+            result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
+            if (hosto != null) {
+                result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
+            }
+            result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }        
+        
+        return result;
+    }
+    
+    AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto)
{
+        //Jetty 9
+        AbstractConnector result = null;
+        try {
+            Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",

+                                                              Server.class); 
+            Object httpConfig = configClass.newInstance();
+            httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
+                .invoke(httpConfig, getSendServerVersion());
+            
+            Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",

+                                                            Server.class)
+                                                            .getConstructor(configClass).newInstance(httpConfig);

+
+            Collection<Object> connectionFactories = new ArrayList<Object>();
+            result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",

+                                                                   Server.class)
+                                                                   .getConstructor(Server.class)
+                                                                   .newInstance(server);
+            
+            if (tlsServerParameters != null) {
+                Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
+                                                          Server.class);
+                httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
+                    .invoke(httpConfig, src.newInstance());
+                Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
+                                                        Server.class).getConstructor(SslContextFactory.class,
+                                                                                     String.class)
+                                                        .newInstance(sslcf, "HTTP/1.1");
+                connectionFactories.add(scf);
+                result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result,
"SSL-HTTP/1.1");
+            }
+            connectionFactories.add(httpFactory);
+            result.getClass().getMethod("setConnectionFactories", Collection.class)
+                .invoke(result, connectionFactories);
+            
+            if (getMaxIdleTime() > 0) {
+                result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, Long.valueOf(getMaxIdleTime()));
+            }
+
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return result;
+    }
+    AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto)
{
+        //Jetty 8
+        AbstractConnector result = null;
+        try {
+            if (sslcf == null) { 
+                result = (AbstractConnector)ClassLoaderUtils
+                    .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
+                               Server.class).newInstance();
+            } else {
+                result = (AbstractConnector)ClassLoaderUtils
+                    .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
+                               Server.class).getConstructor(SslContextFactory.class)
+                               .newInstance(sslcf);
+            }
+            Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
+            if (getMaxIdleTime() > 0) {
+                result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result,
getMaxIdleTime());
+            }
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return result;
+    }
+    
+    
+    protected SSLContext createSSLContext(SslContextFactory scf) throws Exception  {
+        String proto = tlsServerParameters.getSecureSocketProtocol() == null
+            ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+        
+        // Jetty 9 excludes SSLv3 by default. So if we want it then we need to 
+        // remove it from the default excluded protocols
+        boolean allowSSLv3 = "SSLv3".equals(proto);
+        if (allowSSLv3 || !tlsServerParameters.getIncludeProtocols().isEmpty()) {
+            List<String> excludedProtocols = new ArrayList<String>();
+            for (String excludedProtocol : scf.getExcludeProtocols()) {
+                if (!(tlsServerParameters.getIncludeProtocols().contains(excludedProtocol)
+                    || (allowSSLv3 && ("SSLv3".equals(excludedProtocol) 
+                        || "SSLv2Hello".equals(excludedProtocol))))) {
+                    excludedProtocols.add(excludedProtocol);
+                }
+            }
+            String[] revisedProtocols = new String[excludedProtocols.size()];
+            excludedProtocols.toArray(revisedProtocols);
+            scf.setExcludeProtocols(revisedProtocols);
+        }
+        
+        for (String p : tlsServerParameters.getExcludeProtocols()) {
+            scf.addExcludeProtocols(p);
+        }
+        
+        SSLContext context = tlsServerParameters.getJsseProvider() == null
+            ? SSLContext.getInstance(proto)
+                : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
+            
+        KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
+        if (tlsServerParameters.getCertAlias() != null) {
+            keyManagers = getKeyManagersWithCertAlias(keyManagers);
+        }
+        context.init(tlsServerParameters.getKeyManagers(), 
+                     tlsServerParameters.getTrustManagers(),
+                     tlsServerParameters.getSecureRandom());
+
+        // Set the CipherSuites
+        final String[] supportedCipherSuites = 
+            SSLUtils.getServerSupportedCipherSuites(context);
+
+        if (tlsServerParameters.getCipherSuitesFilter() != null
+            && tlsServerParameters.getCipherSuitesFilter().isSetExclude()) {
+            String[] excludedCipherSuites = 
+                SSLUtils.getFilteredCiphersuites(tlsServerParameters.getCipherSuitesFilter(),
+                                                 supportedCipherSuites,
+                                                 LOG, 
+                                                 true);
+            scf.setExcludeCipherSuites(excludedCipherSuites);
+        }
+        
+        String[] includedCipherSuites = 
+            SSLUtils.getCiphersuitesToInclude(tlsServerParameters.getCipherSuites(), 
+                                              tlsServerParameters.getCipherSuitesFilter(),

+                                              context.getServerSocketFactory().getDefaultCipherSuites(),
+                                              supportedCipherSuites, 
+                                              LOG);
+        scf.setIncludeCipherSuites(includedCipherSuites);
+        
+        return context;
+    }
+    protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception
{
+        if (tlsServerParameters.getCertAlias() != null) {
+            for (int idx = 0; idx < keyManagers.length; idx++) {
+                if (keyManagers[idx] instanceof X509KeyManager) {
+                    keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+                        tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
+                }
+            }
+        }
+        return keyManagers;
+    }
+    protected void setClientAuthentication(SslContextFactory con,
+                                           ClientAuthentication clientAuth) {
+        con.setWantClientAuth(true);
+        if (clientAuth != null) {
+            if (clientAuth.isSetWant()) {
+                con.setWantClientAuth(clientAuth.isWant());
+            }
+            if (clientAuth.isSetRequired()) {
+                con.setNeedClientAuth(clientAuth.isRequired());
+            }
+        }
+    }    
+    /**
+     * This method sets the security properties for the CXF extension
+     * of the JettySslConnector.
+     */
+    private void decorateCXFJettySslSocketConnector(
+            SslContextFactory con
+    ) {
+        setClientAuthentication(con,
+                                tlsServerParameters.getClientAuthentication());
+        con.setCertAlias(tlsServerParameters.getCertAlias());
+    }
+    
+
+    private static Container getContainer(Object server) {
+        if (server instanceof Container) {
+            return (Container)server;
+        }
+        try {
+            return (Container)server.getClass().getMethod("getContainer").invoke(server);
+        } catch (RuntimeException t) {
+            throw t;
+        } catch (Throwable t) {
+            throw new RuntimeException(t);
+        }
+    }
+
+    private static void logConnector(Connector connector) {
+        try {
+            String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
+            int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
+            LOG.finer("connector.host: " 
+                + h == null 
+                  ? "null" 
+                  : "\"" + h + "\"");
+            LOG.finer("connector.port: " + port);
+        } catch (Throwable t) {
+            //ignore
+        }
+    }
+
+>>>>>>> 96f7367... [CXF-6414] - Add a way of including TLS protocols
in the Jetty server
     protected void setupThreadPool() {
         AbstractConnector aconn = (AbstractConnector) connector;
         if (isSetThreadingParameters()) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
index 9ee06a0..bcafe89 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
@@ -40,6 +40,7 @@ import org.apache.cxf.configuration.security.CipherSuites;
 import org.apache.cxf.configuration.security.ClientAuthentication;
 import org.apache.cxf.configuration.security.ExcludeProtocols;
 import org.apache.cxf.configuration.security.FiltersType;
+import org.apache.cxf.configuration.security.IncludeProtocols;
 import org.apache.cxf.configuration.security.KeyManagersType;
 import org.apache.cxf.configuration.security.SecureRandomParameters;
 import org.apache.cxf.configuration.security.TLSServerParametersType;
@@ -199,6 +200,9 @@ public class JettyHTTPServerEngineBeanDefinitionParser extends AbstractBeanDefin
             } else if ("excludeProtocols".equals(ename)) {
                 mapElementToJaxbProperty((Element)n, paramsbean, ename,
                                          ExcludeProtocols.class);
+            } else if ("includeProtocols".equals(ename)) {
+                mapElementToJaxbProperty((Element)n, paramsbean, ename,
+                                         IncludeProtocols.class);
             } else if ("secureRandomParameters".equals(ename)) {
                 mapElementToJaxbProperty((Element)n, paramsbean, ename,
                                          SecureRandomParameters.class);

http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Test.java
----------------------------------------------------------------------
diff --git a/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Test.java
b/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Test.java
index df5dc19..44b5e4e 100644
--- a/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Test.java
+++ b/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Test.java
@@ -47,6 +47,7 @@ public class SSLv3Test extends AbstractBusClientServerTestBase {
     static final String PORT = allocatePort(SSLv3Server.class);
     static final String PORT2 = allocatePort(SSLv3Server.class, 2);
     static final String PORT3 = allocatePort(SSLv3Server.class, 3);
+    static final String PORT4 = allocatePort(SSLv3Server.class, 4);
     
     @BeforeClass
     public static void startServers() throws Exception {
@@ -243,6 +244,52 @@ public class SSLv3Test extends AbstractBusClientServerTestBase {
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
+ 
+    @org.junit.Test
+    public void testTLSClientToEndpointWithSSL3Allowed() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT4);
+        
+        port.greetMe("Kitty");
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testSSL3ClientToEndpointWithSSL3Allowed() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SSLv3Test.class.getResource("sslv3-client-allow.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT4);
+        
+        port.greetMe("Kitty");
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
     
     private static final class DisableCNCheckVerifier implements HostnameVerifier {
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/575095a1/systests/transports-ssl3/src/test/resources/org/apache/cxf/https/ssl3/sslv3-server.xml
----------------------------------------------------------------------
diff --git a/systests/transports-ssl3/src/test/resources/org/apache/cxf/https/ssl3/sslv3-server.xml
b/systests/transports-ssl3/src/test/resources/org/apache/cxf/https/ssl3/sslv3-server.xml
index 02f9f59..1df2fda 100644
--- a/systests/transports-ssl3/src/test/resources/org/apache/cxf/https/ssl3/sslv3-server.xml
+++ b/systests/transports-ssl3/src/test/resources/org/apache/cxf/https/ssl3/sslv3-server.xml
@@ -96,5 +96,32 @@
                      address="https://localhost:${testutil.ports.SSLv3Server.3}/SoapContext/HttpsPort"

                      serviceName="s:SOAPService" 
                      endpointName="e:HttpsPort" depends-on="disallow-tls-via-configuration"/>
+                
+    <httpj:engine-factory id="tls-but-allow-ssl3">
+        <httpj:engine port="${testutil.ports.SSLv3Server.4}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="keys/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:clientAuthentication want="true" required="false"/>
+                <sec:includeProtocols>
+                    <sec:includeProtocol>SSLv3</sec:includeProtocol>
+                    <sec:includeProtocol>SSLv2Hello</sec:includeProtocol>
+                </sec:includeProtocols>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services" 
+                     xmlns:s="http://apache.org/hello_world/services" 
+                     id="TLSAllowSSLv3Endpoint" 
+                     implementor="org.apache.cxf.https.ssl3.GreeterImpl" 
+                     address="https://localhost:${testutil.ports.SSLv3Server.4}/SoapContext/HttpsPort"

+                     serviceName="s:SOAPService" 
+                     endpointName="e:HttpsPort" depends-on="tls-but-allow-ssl3"/>
+    
     
 </beans>


Mime
View raw message