Return-Path: 
 <dev-return-14762-apmail-cxf-dev-archive=cxf.apache.org@cxf.apache.org>
X-Original-To: apmail-cxf-dev-archive@www.apache.org
Delivered-To: apmail-cxf-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 6F84310079
	for <apmail-cxf-dev-archive@www.apache.org>;
 Fri, 13 Jun 2014 00:30:31 +0000 (UTC)
Received: (qmail 20173 invoked by uid 500); 13 Jun 2014 00:30:31 -0000
Delivered-To: apmail-cxf-dev-archive@cxf.apache.org
Received: (qmail 20100 invoked by uid 500); 13 Jun 2014 00:30:31 -0000
Mailing-List: contact dev-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@cxf.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@cxf.apache.org>
List-Post: <mailto:dev@cxf.apache.org>
List-Id: <dev.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list dev@cxf.apache.org
Received: (qmail 20084 invoked by uid 99); 13 Jun 2014 00:30:31 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jun 2014 00:30:31 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=5.0
	tests=RCVD_IN_DNSWL_NONE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of s0525775@htw-berlin.de
 designates 141.45.10.101 as permitted sender)
Received: from [141.45.10.101] (HELO mail1.rz.htw-berlin.de) (141.45.10.101)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jun 2014 00:30:28 +0000
Envelope-to: dev@cxf.apache.org
Received: from webmail.htw-berlin.de ([141.45.7.66])
	by mail1.rz.htw-berlin.de with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.82 (FreeBSD))
	(envelope-from <s0525775@htw-berlin.de>)
	id 1WvFNb-000GWo-Jb
	for dev@cxf.apache.org; Fri, 13 Jun 2014 02:30:04 +0200
Received: from 77.186.27.112
        (SquirrelMail authenticated user s0525775)
        by webmail.htw-berlin.de with HTTP;
        Fri, 13 Jun 2014 02:30:04 +0200
Message-ID: <01104d4e09582a6a1f0094572209c3fb.squirrel@webmail.htw-berlin.de>
In-Reply-To: 
 <6d88312a13a99342c5bd5e0f1a50e6a0.squirrel@webmail.htw-berlin.de>
References: <e4e7c36df14c125ffd10c1d53a6f4c7f.squirrel@webmail.htw-berlin.de>
    <b159ef961560d00e5690d34936e8964d.squirrel@webmail.htw-berlin.de>
    <6d88312a13a99342c5bd5e0f1a50e6a0.squirrel@webmail.htw-berlin.de>
Date: Fri, 13 Jun 2014 02:30:04 +0200
Subject: Re: Problems with configuring the Jetty Runtime (SSL)
From: "Jana Weschenfelder" <jana.weschenfelder@student.HTW-Berlin.de>
To: dev@cxf.apache.org
User-Agent: SquirrelMail/1.4.19
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-HTW-SPAMINFO: this message was scanned by eXpurgate (http://www.eleven.de)
X-HTW-DELIVERED-TO: dev@cxf.apache.org
X-Virus-Checked: Checked by ClamAV on apache.org

Me again.

This configuration seems to work as well... shortened a bit...

<beans ...>

<httpj:engine-factory id="https" bus="cxf">
    <httpj:identifiedTLSServerParameters id="secure">
        <httpj:tlsServerParameters>
        </httpj:tlsServerParameters>
    </httpj:identifiedTLSServerParameters>
    <httpj:engine port="9001">
        <httpj:tlsServerParametersRef id="secure"/>
        <httpj:threadingParameters minThreads="5" maxThreads="15"/>
        <httpj:connector>
            <bean
class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <property name="port" value="9001"/>
                <constructor-arg>
                    <bean
class="org.eclipse.jetty.http.ssl.SslContextFactory">
                        <property name="keyStore" value=""/>
                        <property name="keyStoreType" value="..."/>
                        <property name="keyStorePassword" value="..."/>
                        <property name="trustStore" value="..."/>
                        <property name="trustStoreType" value="..."/>
                        <property name="trustStorePassword" value="..."/>
                        <property name="wantClientAuth" value="..."/>
                        <property name="needClientAuth" value="..."/>
                        <property name="excludeCipherSuites" ref="banned"/>
                    </bean>
                </constructor-arg>
            </bean>
        </httpj:connector>
        <httpj:handlers>
            <bean class="org.eclipse.jetty.server.handler.DefaultHandler"/>
        </httpj:handlers>
        <httpj:sessionSupport>true</httpj:sessionSupport>
    </httpj:engine>
</httpj:engine-factory>

<bean id="banned" class="..." factory-method="...">
    <constructor-arg value="..."/>
</bean>

</beans>

And again, I repeat:
More/other properties can be set as specified in
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty.

Not sure if the keyPassword for keyManagers is really needed, more info
here:
http://stackoverflow.com/questions/10847983/what-is-the-difference-between-keystorepassword-and-keymanagerpassword-in-jetty.

And I believe, instead of
org.eclipse.jetty.server.ssl.SslSelectChannelConnector, the class
org.eclipse.jetty.server.ssl.SslSocketConnector can be used as well...
looked very similar and worked, too.

Jana


Am Fr, 13.06.2014, 01:47 schrieb Jana Weschenfelder:
> I forgot something:
> More info:
> http://cxf.apache.org/docs/secure-jax-rs-services.html#SecureJAX-RSServices-Configuringendpoints
> (till the end of the page)
>
> And:
> <bean id="banned" class="..." factory-method="...">
>     <constructor-arg value="...">
> </bean>
>
> Should be:
> <bean id="banned" class="..." factory-method="...">
>     <constructor-arg value="..."/>
> </bean>
>
> I just forgot a slash there. ;-)
>
> Jana
>
>
> Am Fr, 13.06.2014, 01:30 schrieb Jana Weschenfelder:
>> Hello, I think I got it working...
>>
>> With the following configuration, it seems to work... I haven't found
>> online references for it, and it looks twice configured, but it seems to
>> work correctly... I have invented it right now, thanks to the Spring IoC
>> documentation.
>>
>> <beans ...>
>>
>> <httpj:engine-factory id="https" bus="cxf">
>>     <httpj:identifiedTLSServerParameters id="secure">
>>         <httpj:tlsServerParameters>
>>             <sec:keyManagers>
>>                 <sec:keyStore type="..." password="..." file="..."/>
>>             </sec:keyManagers>
>>             <sec:trustManagers>
>>                 <sec:keyStore type="..." password="..." file="..."/>
>>             </sec:trustManagers>
>>             <sec:cipherSuitesFilter>
>>                 <sec:include>.*_EXPORT_.*</sec:include>
>>                 <sec:include>.*_EXPORT1024_.*</sec:include>
>>                 <sec:include>.*_WITH_DES_.*</sec:include>
>>                 <sec:include>.*_WITH_NULL_.*</sec:include>
>>                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>             </sec:cipherSuitesFilter>
>>         </httpj:tlsServerParameters>
>>     </httpj:identifiedTLSServerParameters>
>>     <httpj:engine port="9001">
>>         <httpj:tlsServerParametersRef id="secure"/>
>>         <httpj:threadingParameters minThreads="5" maxThreads="15"/>
>>         <httpj:connector>
>>             <bean
>> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>>                 <property name="port" value="9001"/>
>>                 <constructor-arg>
>>                     <bean
>> class="org.eclipse.jetty.http.ssl.SslContextFactory">
>>                         <property name="keyStore" value=""/>
>>                         <property name="keyStoreType" value="..."/>
>>                         <property name="keyStorePassword" value="..."/>
>>                         <property name="trustStore" value="..."/>
>>                         <property name="trustStoreType" value="..."/>
>>                         <property name="trustStorePassword"
>> value="..."/>
>>                         <property name="wantClientAuth" value="..."/>
>>                         <property name="needClientAuth" value="..."/>
>>                         <property name="excludeCipherSuites"
>> ref="banned"/>
>>                     </bean>
>>                 </constructor-arg>
>>             </bean>
>>         </httpj:connector>
>>         <httpj:handlers>
>>             <bean
>> class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>>         </httpj:handlers>
>>         <httpj:sessionSupport>true</httpj:sessionSupport>
>>     </httpj:engine>
>> </httpj:engine-factory>
>>
>> <bean id="banned" class="..." factory-method="...">
>>     <constructor-arg value="...">
>> </bean>
>>
>> </beans>
>>
>> The configuration looks really twice now... but without the lower
>> configuration, you will get an error message that a .keystore file is
>> missing. And without the upper configuration, you will get the error
>> message "java.lang.RuntimeException: Connector
>> SslSelectChannelConnector@0.0.0.0:9001 for JettyServerEngine Port 9001
>> does not support non-SSL connections.".
>>
>> If you configure it twice as above, it seems to work without any
>> problems.
>> I can connect to the service after I confirmed that I trust the web
>> site,
>> as it should be. It will need more tests to be very sure.
>>
>> More/other properties can be set as specified in
>> http://cxf.apache.org/docs/jetty-configuration.html and
>> http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty. I
>> think the configuration needs to be done twice at the moment so that it
>> works, on CXF side and on Jetty side (the Jetty side uses Spring IoC).
>>
>> Not sure if the keyPassword for keyManagers is really needed, more info
>> here:
>> http://stackoverflow.com/questions/10847983/what-is-the-difference-between-keystorepassword-and-keymanagerpassword-in-jetty.
>>
>> If the configuration above is correct, either Apache or Eclipse will
>> have
>> to update their documentation. I would think that Eclipse made a change
>> sometime and Apache still doesn't know about it. As I said, I also have
>> to
>> test the configuration first. It looks very good so far, but it still
>> can
>> be wrong somewhere.
>>
>> I believe, instead of
>> org.eclipse.jetty.server.ssl.SslSelectChannelConnector, the class
>> org.eclipse.jetty.server.ssl.SslSocketConnector can be used as well...
>> looked very similar and worked, too.
>>
>> Thanks, Jana
>>
>>
>> Am Do, 12.06.2014, 23:45 schrieb Jana Weschenfelder:
>>> Dear Ladies and Gentlemen,
>>>
>>> I have exactly the problem of
>>> http://mail-archives.apache.org/mod_mbox/cxf-users/201403.mbox/%3C5316440E.4020709@serotoninsoftware.com%3E.
>>> I don't know if there existed a solution already.
>>>
>>> I followed the instructions of
>>> http://cxf.apache.org/docs/jetty-configuration.html and I don't have
>>> any
>>> success by using org.eclipse.jetty.server.bio.SocketConnector here. I
>>> receive the error message then that the port (HTTP) wouldn't be
>>> configured
>>> for HTTPS.
>>>
>>> Regarding to Eclipse, org.eclipse.jetty.server.bio.SocketConnector is
>>> configured for HTTP and is not a SSLConnector, and it also doesn't
>>> accept
>>> any SSL Configuration if I look into the code there.
>>>
>>> If I read the instructions of
>>> http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty,
>>> org.eclipse.jetty.server.ssl.SslSelectChannelConnector should be used
>>> as
>>> SSLConnector instead. But if I just replace
>>> org.eclipse.jetty.server.bio.SocketConnector in the example of
>>> http://cxf.apache.org/docs/jetty-configuration.html, I receive the
>>> error
>>> message "java.io.FileNotFoundException: /home/user/.keystore" as
>>> described
>>> in
>>> http://mail-archives.apache.org/mod_mbox/cxf-users/201403.mbox/%3C5316440E.4020709@serotoninsoftware.com%3E.
>>>
>>> I would think that something like this would be more correct, regarding
>>> to
>>> Eclipse:
>>> <httpj:engine-factory id="https" bus="cxf">
>>>     <httpj:engine port="${cdmi.net.ssl.port}">
>>>         <httpj:threadingParameters minThreads="5" maxThreads="15" />
>>>         <httpj:connector>
>>>             <bean
>>> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>>>                 <property name = "port" value="9001"/>
>>>                 <bean
>>> class="org.eclipse.jetty.http.ssl.SslContextFactory">
>>>                     <property name="keyStore" value="..."/>
>>>                     <property name="keystoreType" value="..."/>
>>>                     <property name="keyStorePassword" value="..."/>
>>>                     ...
>>>                     <property name="excludeCipherSuites" ref="..."/>
>>>                 </bean>
>>>             </bean>
>>>         </httpj:connector>
>>>         <httpj:handlers>
>>>             <bean
>>> class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>>>         </httpj:handlers>
>>>         <httpj:sessionSupport>true</httpj:sessionSupport>
>>>     </httpj:engine>
>>> </httpj:engine-factory>
>>>
>>> But it doesn't work. It doesn't accept the part <bean
>>> class="org.eclipse.jetty.http.ssl.SslContextFactory">...</bean> within
>>> of
>>> <bean
>>> class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">...</bean>.
>>> The error message is "Invalid content was found starting with element
>>> 'bean'.".
>>>
>>> A similar configuration was found here:
>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory
>>>
>>> But I need it for httpj:engine-factory.
>>>
>>> What is the right way to configure the Jetty Runtime with SSLConnector?
>>> Is Jetty still supported by Apache CXF? Btw, HTTP works fine, but I
>>> need
>>> HTTPS because of certificates.
>>>
>>> Many thanks in advance!!!
>>>
>>> Jana
>>>
>>>
>>
>>
>>
>
>
>