CXF web 服务客户端忽略 ssl 配置 http-conf:tlsClientParameters
CXF webservice client ignores ssl configuration http-conf:tlsClientParameters
我正在尝试在 cxf 客户端和网络服务之间建立 SSL 连接。
对于概念验证,我 运行 使用 SpringJunit4TestRunner 进行了测试。
在我的 spring 客户端配置中,我使用以下内容:
<jaxws:client id="wsClient" address="${webservice.endpoint.url}" serviceClass="MyServiceClass"/>
<http-conf:conduit name="${webservice.endpoint.url}">
<http-conf:client ConnectionTimeout="${webservice.connectionTimeout}" />
<http-conf:tlsClientParameters>
<sec:keyManagers keyPassword="changeit">
<sec:keyStore type="JKS" password="changeit" file="c:\temp\keystore\myKeyStore.jks" />
</sec:keyManagers>
<sec:trustManagers >
<sec:keyStore type="JKS" password="changeit" file="c:\temp\keystore\myKeyStore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http-conf:tlsClientParameters>
</http-conf:conduit>
但是 cxf 似乎没有选择我的配置。在启动期间的日志中,我看到
10:38:58.581 [ProofOfConceptTaskExecutor-1] DEBUG o.a.c.t.h.HttpsURLConnectionFactory - The location of the key store has not been set via a system parameter or through configuration so the default value of MYHOMEFOLDER.keystore will be used.
10:38:58.581 [ProofOfConceptTaskExecutor-1] DEBUG o.a.c.t.h.HttpsURLConnectionFactory - The key store password has not been set via a system property or through configuration, reading data from the keystore will fail.
10:38:58.581 [ProofOfConceptTaskExecutor-1] DEBUG o.a.c.t.h.HttpsURLConnectionFactory - The key password has not been set via a system property or through configuration, reading data from the keystore will fail.
10:38:59.252 [ProofOfConceptTaskExecutor-1] WARN o.a.c.t.h.HttpsURLConnectionFactory - Default key managers cannot be initialized: Password must not be null
java.security.UnrecoverableKeyException: Password must not be null
此后 SSL 连接失败并显示 sun.security.provider.certpath.SunCertPathBuilderException:无法找到到所请求目标的有效证书路径
但是,密钥库及其证书链似乎是正确的,就好像我从命令行执行测试一样,传递了密钥库和信任库的参数:
mvn clean test -Dtest=MyTestClass -Djavax.net.ssl.trustStore=C:\temp\keystore\myKeyStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=C:\temp\keystore\myKeyStore.jks -Djavax.net.ssl.keyStorePassword=changeit
一切正常,SSL 连接正常。所以我的结论是 CXF 忽略了 tlsClientParameters。非常感谢任何帮助。
编辑:如果我删除自己的 TaskExecutor,问题仍然存在,但在日志中我看到
DEBUG o.a.c.t.h.HttpsURLConnectionFactory The location of the key store has not been set via a system parameter or through configuration so the default value will be used
您应该为 http-conf:conduit name 属性使用具有限定名称空间的端口名称。检查 Apache CXF 文档。
我正在尝试在 cxf 客户端和网络服务之间建立 SSL 连接。 对于概念验证,我 运行 使用 SpringJunit4TestRunner 进行了测试。 在我的 spring 客户端配置中,我使用以下内容:
<jaxws:client id="wsClient" address="${webservice.endpoint.url}" serviceClass="MyServiceClass"/>
<http-conf:conduit name="${webservice.endpoint.url}">
<http-conf:client ConnectionTimeout="${webservice.connectionTimeout}" />
<http-conf:tlsClientParameters>
<sec:keyManagers keyPassword="changeit">
<sec:keyStore type="JKS" password="changeit" file="c:\temp\keystore\myKeyStore.jks" />
</sec:keyManagers>
<sec:trustManagers >
<sec:keyStore type="JKS" password="changeit" file="c:\temp\keystore\myKeyStore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http-conf:tlsClientParameters>
</http-conf:conduit>
但是 cxf 似乎没有选择我的配置。在启动期间的日志中,我看到
10:38:58.581 [ProofOfConceptTaskExecutor-1] DEBUG o.a.c.t.h.HttpsURLConnectionFactory - The location of the key store has not been set via a system parameter or through configuration so the default value of MYHOMEFOLDER.keystore will be used.
10:38:58.581 [ProofOfConceptTaskExecutor-1] DEBUG o.a.c.t.h.HttpsURLConnectionFactory - The key store password has not been set via a system property or through configuration, reading data from the keystore will fail.
10:38:58.581 [ProofOfConceptTaskExecutor-1] DEBUG o.a.c.t.h.HttpsURLConnectionFactory - The key password has not been set via a system property or through configuration, reading data from the keystore will fail.
10:38:59.252 [ProofOfConceptTaskExecutor-1] WARN o.a.c.t.h.HttpsURLConnectionFactory - Default key managers cannot be initialized: Password must not be null
java.security.UnrecoverableKeyException: Password must not be null
此后 SSL 连接失败并显示 sun.security.provider.certpath.SunCertPathBuilderException:无法找到到所请求目标的有效证书路径
但是,密钥库及其证书链似乎是正确的,就好像我从命令行执行测试一样,传递了密钥库和信任库的参数:
mvn clean test -Dtest=MyTestClass -Djavax.net.ssl.trustStore=C:\temp\keystore\myKeyStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=C:\temp\keystore\myKeyStore.jks -Djavax.net.ssl.keyStorePassword=changeit
一切正常,SSL 连接正常。所以我的结论是 CXF 忽略了 tlsClientParameters。非常感谢任何帮助。
编辑:如果我删除自己的 TaskExecutor,问题仍然存在,但在日志中我看到
DEBUG o.a.c.t.h.HttpsURLConnectionFactory The location of the key store has not been set via a system parameter or through configuration so the default value will be used
您应该为 http-conf:conduit name 属性使用具有限定名称空间的端口名称。检查 Apache CXF 文档。