cxf-dev mailing list archives

From "Jana Weschenfelder" <jana.weschenfel...@student.HTW-Berlin.de>
Subject Re: Problems with configuring the Jetty Runtime (SSL)
Date Fri, 13 Jun 2014 00:30:04 GMT
Me again.

This configuration seems to work as well... shortened a bit...

<beans ...>

<httpj:engine-factory id="https" bus="cxf">
    <httpj:identifiedTLSServerParameters id="secure">
        <httpj:tlsServerParameters>
        </httpj:tlsServerParameters>
    </httpj:identifiedTLSServerParameters>
    <httpj:engine port="9001">
        <httpj:tlsServerParametersRef id="secure"/>
        <httpj:threadingParameters minThreads="5" maxThreads="15"/>
        <httpj:connector>
            <bean
class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <property name="port" value="9001"/>
                <constructor-arg>
                    <bean
class="org.eclipse.jetty.http.ssl.SslContextFactory">
                        <property name="keyStore" value=""/>
                        <property name="keyStoreType" value="..."/>
                        <property name="keyStorePassword" value="..."/>
                        <property name="trustStore" value="..."/>
                        <property name="trustStoreType" value="..."/>
                        <property name="trustStorePassword" value="..."/>
                        <property name="wantClientAuth" value="..."/>
                        <property name="needClientAuth" value="..."/>
                        <property name="excludeCipherSuites" ref="banned"/>
                    </bean>
                </constructor-arg>
            </bean>
        </httpj:connector>
        <httpj:handlers>
            <bean class="org.eclipse.jetty.server.handler.DefaultHandler"/>
        </httpj:handlers>
        <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>
</httpj:engine-factory>

<bean id="banned" class="..." factory-method="...">
    <constructor-arg value="..."/>
</bean>

</beans>

And again, I repeat:
More/other properties can be set as specified in
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty.

Not sure if the keyPassword for keyManagers is really needed, more info
here:
http://stackoverflow.com/questions/10847983/what-is-the-difference-between-keystorepassword-and-keymanagerpassword-in-jetty.

And I believe that, instead of
org.eclipse.jetty.server.ssl.SslSelectChannelConnector, the class
org.eclipse.jetty.server.ssl.SslSocketConnector can be used as well... it
looked very similar and worked, too.

Jana


On Fri, 13.06.2014, 01:47, Jana Weschenfelder wrote:
> I forgot something:
> More info:
> http://cxf.apache.org/docs/secure-jax-rs-services.html#SecureJAX-RSServices-Configuringendpoints
> (till the end of the page)
>
> And:
> <bean id="banned" class="..." factory-method="...">
>     <constructor-arg value="...">
> </bean>
>
> Should be:
> <bean id="banned" class="..." factory-method="...">
>     <constructor-arg value="..."/>
> </bean>
>
> I just forgot a slash there. ;-)
>
> Jana
>
>
> On Fri, 13.06.2014, 01:30, Jana Weschenfelder wrote:
>> Hello, I think I got it working...
>>
>> With the following configuration, it seems to work... I haven't found
>> online references for it, and it looks configured twice, but it seems to
>> work correctly... I have just invented it, thanks to the Spring IoC
>> documentation.
>>
>> <beans ...>
>>
>> <httpj:engine-factory id="https" bus="cxf">
>>     <httpj:identifiedTLSServerParameters id="secure">
>>         <httpj:tlsServerParameters>
>>             <sec:keyManagers>
>>                 <sec:keyStore type="..." password="..." file="..."/>
>>             </sec:keyManagers>
>>             <sec:trustManagers>
>>                 <sec:keyStore type="..." password="..." file="..."/>
>>             </sec:trustManagers>
>>             <sec:cipherSuitesFilter>
>>                 <sec:include>.*_EXPORT_.*</sec:include>
>>                 <sec:include>.*_EXPORT1024_.*</sec:include>
>>                 <sec:include>.*_WITH_DES_.*</sec:include>
>>                 <sec:include>.*_WITH_NULL_.*</sec:include>
>>                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>             </sec:cipherSuitesFilter>
>>         </httpj:tlsServerParameters>
>>     </httpj:identifiedTLSServerParameters>
>>     <httpj:engine port="9001">
>>         <httpj:tlsServerParametersRef id="secure"/>
>>         <httpj:threadingParameters minThreads="5" maxThreads="15"/>
>>         <httpj:connector>
>>             <bean
>> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>>                 <property name="port" value="9001"/>
>>                 <constructor-arg>
>>                     <bean
>> class="org.eclipse.jetty.http.ssl.SslContextFactory">
>>                         <property name="keyStore" value=""/>
>>                         <property name="keyStoreType" value="..."/>
>>                         <property name="keyStorePassword" value="..."/>
>>                         <property name="trustStore" value="..."/>
>>                         <property name="trustStoreType" value="..."/>
>>                         <property name="trustStorePassword"
>> value="..."/>
>>                         <property name="wantClientAuth" value="..."/>
>>                         <property name="needClientAuth" value="..."/>
>>                         <property name="excludeCipherSuites"
>> ref="banned"/>
>>                     </bean>
>>                 </constructor-arg>
>>             </bean>
>>         </httpj:connector>
>>         <httpj:handlers>
>>             <bean
>> class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>>         </httpj:handlers>
>>         <httpj:sessionSupport>true</httpj:sessionSupport>
>>     </httpj:engine>
>> </httpj:engine-factory>
>>
>> <bean id="banned" class="..." factory-method="...">
>>     <constructor-arg value="...">
>> </bean>
>>
>> </beans>
>>
>> The configuration really looks doubled now... but without the lower
>> configuration, you will get an error message that a .keystore file is
>> missing. And without the upper configuration, you will get the error
>> message "java.lang.RuntimeException: Connector
>> SslSelectChannelConnector@0.0.0.0:9001 for JettyServerEngine Port 9001
>> does not support non-SSL connections.".
>>
>> If you configure it twice as above, it seems to work without any
>> problems. I can connect to the service after I have confirmed that I trust
>> the web site, as it should be. It will need more tests to be really sure.
>>
>> More/other properties can be set as specified in
>> http://cxf.apache.org/docs/jetty-configuration.html and
>> http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty. I
>> think the configuration needs to be done twice at the moment so that it
>> works, on the CXF side and on the Jetty side (the Jetty side uses Spring IoC).
>>
>> Not sure if the keyPassword for keyManagers is really needed, more info
>> here:
>> http://stackoverflow.com/questions/10847983/what-is-the-difference-between-keystorepassword-and-keymanagerpassword-in-jetty.
>>
>> If the configuration above is correct, either Apache or Eclipse will have
>> to update their documentation. I would think that Eclipse made a change
>> at some point and Apache still doesn't know about it. As I said, I also
>> have to test the configuration first. It looks very good so far, but it
>> can still be wrong somewhere.
>>
>> I believe that, instead of
>> org.eclipse.jetty.server.ssl.SslSelectChannelConnector, the class
>> org.eclipse.jetty.server.ssl.SslSocketConnector can be used as well... it
>> looked very similar and worked, too.
>>
>> Thanks, Jana
>>
>>
>> On Thu, 12.06.2014, 23:45, Jana Weschenfelder wrote:
>>> Dear Ladies and Gentlemen,
>>>
>>> I have exactly the problem of
>>> http://mail-archives.apache.org/mod_mbox/cxf-users/201403.mbox/%3C5316440E.4020709@serotoninsoftware.com%3E.
>>> I don't know whether a solution already exists.
>>>
>>> I followed the instructions of
>>> http://cxf.apache.org/docs/jetty-configuration.html and I have no
>>> success using org.eclipse.jetty.server.bio.SocketConnector here. I then
>>> receive an error message that the port (HTTP) is not configured for
>>> HTTPS.
>>>
>>> According to Eclipse, org.eclipse.jetty.server.bio.SocketConnector is
>>> configured for HTTP and is not an SSLConnector, and it also doesn't
>>> accept any SSL configuration when I look into the code there.
>>>
>>> If I read the instructions at
>>> http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty,
>>> org.eclipse.jetty.server.ssl.SslSelectChannelConnector should be used
>>> as the SSLConnector instead. But if I just replace
>>> org.eclipse.jetty.server.bio.SocketConnector in the example of
>>> http://cxf.apache.org/docs/jetty-configuration.html, I receive the
>>> error message "java.io.FileNotFoundException: /home/user/.keystore" as
>>> described in
>>> http://mail-archives.apache.org/mod_mbox/cxf-users/201403.mbox/%3C5316440E.4020709@serotoninsoftware.com%3E.
>>>
>>> I would think that something like this would be more correct, according
>>> to Eclipse:
>>> <httpj:engine-factory id="https" bus="cxf">
>>>     <httpj:engine port="${cdmi.net.ssl.port}">
>>>         <httpj:threadingParameters minThreads="5" maxThreads="15" />
>>>         <httpj:connector>
>>>             <bean
>>> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>>>                 <property name = "port" value="9001"/>
>>>                 <bean
>>> class="org.eclipse.jetty.http.ssl.SslContextFactory">
>>>                     <property name="keyStore" value="..."/>
>>>                     <property name="keystoreType" value="..."/>
>>>                     <property name="keyStorePassword" value="..."/>
>>>                     ...
>>>                     <property name="excludeCipherSuites" ref="..."/>
>>>                 </bean>
>>>             </bean>
>>>         </httpj:connector>
>>>         <httpj:handlers>
>>>             <bean
>>> class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>>>         </httpj:handlers>
>>>         <httpj:sessionSupport>true</httpj:sessionSupport>
>>>     </httpj:engine>
>>> </httpj:engine-factory>
>>>
>>> But it doesn't work. It doesn't accept the part <bean
>>> class="org.eclipse.jetty.http.ssl.SslContextFactory">...</bean> inside
>>> <bean
>>> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">...</bean>.
>>> The error message is "Invalid content was found starting with element
>>> 'bean'.".
>>>
>>> A similar configuration was found here:
>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory
>>>
>>> But I need it for httpj:engine-factory.
>>>
>>> What is the right way to configure the Jetty Runtime with an SSLConnector?
>>> Is Jetty still supported by Apache CXF? Btw, HTTP works fine, but I need
>>> HTTPS because of certificates.
>>>
>>> Many thanks in advance!!!
>>>
>>> Jana
>>>
>>>
>>
>>
>>
>
>
>
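Editor's added example (not from the thread above, and not code shipped by CXF or Jetty): the same doubled engine-factory layout the thread arrives at, with the TLS settings filled in the way a reviewer would want them. Two things in the posted configuration deserve attention. First, the `sec:cipherSuitesFilter` copied from the CXF docs uses `<sec:include>` for the `_EXPORT_`, `_WITH_DES_` and `_WITH_NULL_` patterns; include patterns select the candidate suites, so that filter keeps only export-grade, single-DES and NULL-encryption suites and drops every strong one. The hardened version below includes only AES suites and excludes the dangerous families explicitly. Second, the Jetty `keyStore` property was left empty, which is why Jetty fell back to `${user.home}/.keystore` and failed with the `FileNotFoundException` from the first mail. Keystore paths, passwords, the `excludeCipherSuites` list and the `excludeProtocols` property are placeholders or assumptions and are marked as such in the comments.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security">

    <httpj:engine-factory id="https" bus="cxf">
        <httpj:identifiedTLSServerParameters id="secure">
            <httpj:tlsServerParameters>
                <!-- CXF side. keyPassword protects the private-key entry; set it
                     when it differs from the keystore password. Paths and
                     passwords are placeholders. -->
                <sec:keyManagers keyPassword="changeit">
                    <sec:keyStore type="JKS" password="changeit" file="/etc/myapp/server.jks"/>
                </sec:keyManagers>
                <sec:trustManagers>
                    <sec:keyStore type="JKS" password="changeit" file="/etc/myapp/truststore.jks"/>
                </sec:trustManagers>

                <!-- WEAK (the filter as posted): include patterns pick the
                     candidates, so only export, DES and NULL suites survive.

                <sec:cipherSuitesFilter>
                    <sec:include>.*_EXPORT_.*</sec:include>
                    <sec:include>.*_EXPORT1024_.*</sec:include>
                    <sec:include>.*_WITH_DES_.*</sec:include>
                    <sec:include>.*_WITH_NULL_.*</sec:include>
                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
                </sec:cipherSuitesFilter>
                -->

                <!-- HARDENED: candidates are the AES suites the JVM supports; the
                     excludes remove anonymous/NULL/export/DES/RC4/MD5 suites and
                     stay correct if the include pattern is later widened. -->
                <sec:cipherSuitesFilter>
                    <sec:include>.*_WITH_AES_.*</sec:include>
                    <sec:exclude>.*_anon_.*</sec:exclude>
                    <sec:exclude>.*_NULL_.*</sec:exclude>
                    <sec:exclude>.*_EXPORT.*</sec:exclude>
                    <sec:exclude>.*_DES_.*</sec:exclude>
                    <sec:exclude>.*_3DES_.*</sec:exclude>
                    <sec:exclude>.*_RC4_.*</sec:exclude>
                    <sec:exclude>.*_MD5</sec:exclude>
                </sec:cipherSuitesFilter>

                <!-- want=true asks for a client certificate but still admits
                     clients without one; required=true enforces mutual TLS. -->
                <sec:clientAuthentication want="true" required="false"/>
            </httpj:tlsServerParameters>
        </httpj:identifiedTLSServerParameters>

        <httpj:engine port="9001">
            <httpj:tlsServerParametersRef id="secure"/>
            <httpj:threadingParameters minThreads="5" maxThreads="15"/>
            <httpj:connector>
                <bean class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                    <property name="port" value="9001"/>
                    <constructor-arg>
                        <!-- Jetty side: must point at the same stores, otherwise
                             Jetty falls back to ${user.home}/.keystore. -->
                        <bean class="org.eclipse.jetty.http.ssl.SslContextFactory">
                            <property name="keyStore" value="/etc/myapp/server.jks"/>
                            <property name="keyStoreType" value="JKS"/>
                            <property name="keyStorePassword" value="changeit"/>
                            <property name="keyManagerPassword" value="changeit"/>
                            <property name="trustStore" value="/etc/myapp/truststore.jks"/>
                            <property name="trustStoreType" value="JKS"/>
                            <property name="trustStorePassword" value="changeit"/>
                            <property name="wantClientAuth" value="true"/>
                            <property name="needClientAuth" value="false"/>
                            <!-- Assumption: the Jetty 7/8 SslContextFactory matches
                                 these entries by exact suite name, not by regex,
                                 so full JSSE names are listed. -->
                            <property name="excludeCipherSuites">
                                <list>
                                    <value>SSL_RSA_WITH_NULL_MD5</value>
                                    <value>SSL_RSA_WITH_NULL_SHA</value>
                                    <value>SSL_RSA_EXPORT_WITH_RC4_40_MD5</value>
                                    <value>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</value>
                                    <value>SSL_RSA_WITH_DES_CBC_SHA</value>
                                    <value>SSL_DH_anon_WITH_RC4_128_MD5</value>
                                    <value>TLS_DH_anon_WITH_AES_128_CBC_SHA</value>
                                </list>
                            </property>
                            <!-- Assumption: excludeProtocols is available on the
                                 Jetty version in use (it is on 7.6+/8). -->
                            <property name="excludeProtocols">
                                <list>
                                    <value>SSLv2Hello</value>
                                    <value>SSLv3</value>
                                </list>
                            </property>
                        </bean>
                    </constructor-arg>
                </bean>
            </httpj:connector>
            <httpj:handlers>
                <bean class="org.eclipse.jetty.server.handler.DefaultHandler"/>
            </httpj:handlers>
            <httpj:sessionSupport>true</httpj:sessionSupport>
        </httpj:engine>
    </httpj:engine-factory>

</beans>
```

Two checks worth running after deploying this: negotiate against port 9001 with a TLS scanner (or `openssl s_client -cipher` with a NULL or EXPORT suite) and confirm the handshake is refused, which proves the exclude lists on both sides are in effect; and, if the service really must authenticate clients by certificate, switch `required="true"` and `needClientAuth` to `true` together, because `want` alone lets a client without a certificate through the handshake and the application code would then have to reject it.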


