cxf-dev mailing list archives

From "Jana Weschenfelder" <jana.weschenfel...@student.HTW-Berlin.de>
Subject Re: Problems with configuring the Jetty Runtime (SSL)
Date Thu, 12 Jun 2014 23:30:35 GMT
Hello, I think I got it working...

With the following configuration, it seems to work... I haven't found
online references for it, and it looks like it is configured twice, but it
seems to work correctly... I have just invented it, thanks to the Spring IoC
documentation.

<beans ...>

<httpj:engine-factory id="https" bus="cxf">
    <httpj:identifiedTLSServerParameters id="secure">
        <httpj:tlsServerParameters>
            <sec:keyManagers>
                <sec:keyStore type="..." password="..." file="..."/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="..." password="..." file="..."/>
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </httpj:tlsServerParameters>
    </httpj:identifiedTLSServerParameters>
    <httpj:engine port="9001">
        <httpj:tlsServerParametersRef id="secure"/>
        <httpj:threadingParameters minThreads="5" maxThreads="15"/>
        <httpj:connector>
            <bean class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <property name="port" value="9001"/>
                <constructor-arg>
                    <bean class="org.eclipse.jetty.http.ssl.SslContextFactory">
                        <property name="keyStore" value="..."/>
                        <property name="keyStoreType" value="..."/>
                        <property name="keyStorePassword" value="..."/>
                        <property name="trustStore" value="..."/>
                        <property name="trustStoreType" value="..."/>
                        <property name="trustStorePassword" value="..."/>
                        <property name="wantClientAuth" value="..."/>
                        <property name="needClientAuth" value="..."/>
                        <property name="excludeCipherSuites" ref="banned"/>
                    </bean>
                </constructor-arg>
            </bean>
        </httpj:connector>
        <httpj:handlers>
            <bean class="org.eclipse.jetty.server.handler.DefaultHandler"/>
        </httpj:handlers>
        <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>
</httpj:engine-factory>

<!-- the list of cipher suites handed to the Jetty SslContextFactory above -->
<bean id="banned" class="..." factory-method="...">
    <constructor-arg value="..."/>
</bean>

</beans>

The configuration really looks doubled now... but without the lower
configuration, you will get an error message that a .keystore file is
missing. And without the upper configuration, you will get the error
message "java.lang.RuntimeException: Connector
SslSelectChannelConnector@0.0.0.0:9001 for JettyServerEngine Port 9001
does not support non-SSL connections.".

If you configure it twice as above, it seems to work without any problems.
I can connect to the service after I have confirmed that I trust the web
site, as it should be. It will need more tests to be really sure.

More/other properties can be set as specified in
http://cxf.apache.org/docs/jetty-configuration.html and
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty. I
think the configuration needs to be done twice at the moment so that it
works, on the CXF side and on the Jetty side (the Jetty side uses Spring IoC).

Not sure if the keyPassword for keyManagers is really needed, more info
here:
http://stackoverflow.com/questions/10847983/what-is-the-difference-between-keystorepassword-and-keymanagerpassword-in-jetty.

If the configuration above is correct, either Apache or Eclipse will have
to update their documentation. I would think that Eclipse made a change
sometime and Apache still doesn't know about it. As I said, I also have to
test the configuration first. It looks very good so far, but it still can
be wrong somewhere.

I believe that, instead of
org.eclipse.jetty.server.ssl.SslSelectChannelConnector, the class
org.eclipse.jetty.server.ssl.SslSocketConnector can be used as well... it
looked very similar and worked, too.

Thanks, Jana


On Thu, 12.06.2014, 23:45, Jana Weschenfelder wrote:
> Dear Ladies and Gentlemen,
>
> I have exactly the problem of
> http://mail-archives.apache.org/mod_mbox/cxf-users/201403.mbox/%3C5316440E.4020709@serotoninsoftware.com%3E.
> I don't know if a solution already exists.
>
> I followed the instructions of
> http://cxf.apache.org/docs/jetty-configuration.html and I don't have any
> success using org.eclipse.jetty.server.bio.SocketConnector there. I then
> receive the error message that the port (HTTP) is not configured
> for HTTPS.
>
> According to Eclipse, org.eclipse.jetty.server.bio.SocketConnector is
> configured for HTTP and is not an SSLConnector, and it also doesn't accept
> any SSL configuration if I look into the code there.
>
> If I read the instructions of
> http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty,
> org.eclipse.jetty.server.ssl.SslSelectChannelConnector should be used as
> SSLConnector instead. But if I just replace
> org.eclipse.jetty.server.bio.SocketConnector in the example of
> http://cxf.apache.org/docs/jetty-configuration.html, I receive the error
> message "java.io.FileNotFoundException: /home/user/.keystore" as described
> in
> http://mail-archives.apache.org/mod_mbox/cxf-users/201403.mbox/%3C5316440E.4020709@serotoninsoftware.com%3E.
>
> I would think that something like this would be more correct, according to
> Eclipse:
> <httpj:engine-factory id="https" bus="cxf">
>     <httpj:engine port="${cdmi.net.ssl.port}">
>         <httpj:threadingParameters minThreads="5" maxThreads="15" />
>         <httpj:connector>
>             <bean class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>                 <property name="port" value="9001"/>
>                 <bean class="org.eclipse.jetty.http.ssl.SslContextFactory">
>                     <property name="keyStore" value="..."/>
>                     <property name="keystoreType" value="..."/>
>                     <property name="keyStorePassword" value="..."/>
>                     ...
>                     <property name="excludeCipherSuites" ref="..."/>
>                 </bean>
>             </bean>
>         </httpj:connector>
>         <httpj:handlers>
>             <bean class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>         </httpj:handlers>
>         <httpj:sessionSupport>true</httpj:sessionSupport>
>     </httpj:engine>
> </httpj:engine-factory>
>
> But it doesn't work. It doesn't accept the part <bean
> class="org.eclipse.jetty.http.ssl.SslContextFactory">...</bean> within
> <bean
> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">...</bean>.
> The error message is "Invalid content was found starting with element
> 'bean'.".
>
> A similar configuration was found here:
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory
>
> But I need it for httpj:engine-factory.
>
> What is the right way to configure the Jetty Runtime with an SSLConnector?
> Is Jetty still supported by Apache CXF? Btw, HTTP works fine, but I need
> HTTPS because of certificates.
>
> Many thanks in advance!!!
>
> Jana
>
>
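Editor's note on the sec:cipherSuitesFilter in the working configuration above: its include patterns (.*_EXPORT_.*, .*_WITH_DES_.*, .*_WITH_NULL_.*) select only export-grade, single-DES and unencrypted suites, so the endpoint would negotiate exactly the suites a server should refuse. The fragment below is an added hardened replacement for that one element; it is the editor's example, not from Jana's mail or the CXF documentation, and it assumes CXF keeps a suite when it matches any include pattern and no exclude pattern, with suite names in the JSSE form the JVM reports.

```xml
<!-- Added example (editor's, not from the original mail): drop-in replacement for the
     sec:cipherSuitesFilter inside httpj:tlsServerParameters.
     Assumption: a suite is offered only if it matches an include and no exclude pattern. -->
<sec:cipherSuitesFilter>
    <!-- Offer AES suites only; the ECDHE/DHE variants additionally give forward secrecy. -->
    <sec:include>.*_ECDHE_.*_WITH_AES_.*</sec:include>
    <sec:include>.*_DHE_RSA_WITH_AES_.*</sec:include>
    <sec:include>TLS_RSA_WITH_AES_.*</sec:include>
    <!-- Explicitly exclude the families the original filter included, plus RC4 and
         anonymous (unauthenticated) key exchange, so a broad include can never readmit them. -->
    <sec:exclude>.*_EXPORT_.*</sec:exclude>
    <sec:exclude>.*_EXPORT1024_.*</sec:exclude>
    <sec:exclude>.*_WITH_DES_.*</sec:exclude>
    <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
    <sec:exclude>.*_WITH_RC4_.*</sec:exclude>
    <sec:exclude>.*_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
```

Since the mail shows both the CXF side and the Jetty side being configured, the list handed to Jetty's excludeCipherSuites through the "banned" bean should name the same weak suites, otherwise the two layers disagree about what the connector offers.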


