CXF/Jetty/Jax-WS 的 SSL 侦听器问题 - 端口为 "https://0.0.0.0:9227/v1" 配置了错误的协议 "http"

Issue with SSL listener for CXF/Jetty/Jax-WS - Port is configured with wrong protocol "http" for "https://0.0.0.0:9227/v1"

尝试将使用 CXF 2.2.10/Jetty 6 和 8 的现有应用程序修改为 CXF 3.3.2/Jetty 9,我在设置 SSL 侦听器时遇到了问题。不幸的是,我对 CXF 的经验很少,而且我 运行 遇到了问题。

这是 Linux 上的 运行,使用 Java 1.8,我们看到的错误是:

java.lang.IllegalStateException:端口 9227 为“https://0.0.0.0:9227/v1”配置了错误的协议 "http"

这是我们的 cxf.xml 文件:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="http://cxf.apache.org/configuration/security
                      http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.apache.org/transports/http-jetty/configuration
            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <beans:bean name="connectorThreadPool" class="org.eclipse.jetty.util.thread.QueuedThreadPool">
        <beans:constructor-arg value="72"/>
    </beans:bean>

    <beans:bean name="server" class="org.eclipse.jetty.server.Server">
        <constructor-arg ref="connectorThreadPool" />
    </beans:bean>

    <beans:bean name="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory" />

    <httpj:engine-factory bus="cxf">
        <httpj:engine port="9127">
            <httpj:threadingParameters minThreads="5" maxThreads="200"/>
            <httpj:connector>
                <beans:bean class="org.eclipse.jetty.server.ServerConnector">
                    <constructor-arg ref="server" />
                    <beans:property name="port" value="9127"/>
                </beans:bean>
            </httpj:connector>
        </httpj:engine>
    </httpj:engine-factory>

    <httpj:engine-factory bus="cxf">
        <httpj:identifiedTLSServerParameters id="secure">
            <httpj:tlsServerParameters secureSocketProtocol="TLSv1">
                <sec:keyManagers keyPassword="keyPassword">
                    <sec:keyStore type="JKS" password="keyPassword" file="keystore-lab.jks"/>
                </sec:keyManagers>
                <sec:trustManagers>
                    <sec:keyStore type="JKS" password="password" file="cacerts.jks"/>
                </sec:trustManagers>
                <sec:cipherSuitesFilter>
                    <sec:include>.*_EXPORT_.*</sec:include>
                    <sec:include>.*_EXPORT1024_.*</sec:include>
                    <sec:include>.*_WITH_DES_.*</sec:include>
                    <sec:include>.*_WITH_DES40_.*</sec:include>
                    <sec:include>.*_WITH_AES_.*</sec:include>
                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
                </sec:cipherSuitesFilter>
            </httpj:tlsServerParameters>
        </httpj:identifiedTLSServerParameters>
        <httpj:engine port="9227">
            <httpj:tlsServerParametersRef id="secure" />
            <httpj:threadingParameters minThreads="5" maxThreads="200"/>
            <httpj:connector>
                <beans:bean class="org.eclipse.jetty.server.ServerConnector">
                    <constructor-arg ref="server" />
                    <constructor-arg ref="sslConnectionFactory" />
                    <beans:property name="port" value="9227"/>
                </beans:bean>
            </httpj:connector>
        </httpj:engine>
    </httpj:engine-factory>
</beans>

我注意到的一件事是 CXF 的 SslConnectionFactory 使用 "SSL" 作为协议调用它的超类构造函数,而 JettyHTTPServerEngine 检查 "https" 的值作为协议值。我无法想象以前没有找到这个,所以我觉得我一定是错过了什么。

但是当我扩展 SslConnectionFactory 并修改该构造函数以传递 "https" 而不是 "SSL" 作为协议时,它没有抛出此异常。它确实在稍后尝试连接时抛出了另一个:

java.lang.NullPointerException
        at com.mypackage.util.CustomSslConnectionFactory.newConnection(CustomSslConnectionFactory.java:108)
        at org.eclipse.jetty.server.ServerConnector$ServerConnectorManager.newConnection(ServerConnector.java:550)
        at org.eclipse.jetty.io.ManagedSelector.createEndPoint(ManagedSelector.java:263)
        at org.eclipse.jetty.io.ManagedSelector.access00(ManagedSelector.java:61)
        at org.eclipse.jetty.io.ManagedSelector$Accept.run(ManagedSelector.java:747)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
        at java.lang.Thread.run(Thread.java:748)

我认为这与 "nextProtocol" 值有关。但是找不到这个,我觉得我用这个方法走错了路。

我真的只是希望让这个升级同时适用于 http(这似乎工作正常!)和 SSL。

更新:

Eddo 的 post 让我走上了正确的方向,但我需要服务器详细信息而不是客户端。

我还能够删除很多我不需要的无关垃圾。最终 cxf.xml 基于 http://cxf.apache.org/docs/standalone-http-transport.html :

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="http://cxf.apache.org/configuration/security
                      http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.apache.org/transports/http-jetty/configuration
            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <http:destination name="{http://WsdlHost}WsdlPort.http-destination">
    </http:destination>

    <httpj:engine-factory bus="cxf">
        <httpj:engine port="9127">
            <httpj:threadingParameters minThreads="5" maxThreads="200"/>
            <httpj:connector>
                <beans:bean class="org.eclipse.jetty.server.ServerConnector">
                    <constructor-arg ref="server" />
                    <beans:property name="port" value="9127"/>
                </beans:bean>
            </httpj:connector>
        </httpj:engine>
    </httpj:engine-factory>

    <httpj:engine-factory bus="cxf">
        <httpj:engine port="9227">
            <httpj:tlsServerParameters>
                <sec:keyManagers keyPassword="keyPassword">
                    <sec:keyStore type="JKS" password="keyPassword" file="keystore-lab.jks"/>
                </sec:keyManagers>
                <sec:trustManagers>
                    <sec:keyStore type="JKS" password="password" file="cacerts.jks"/>
                </sec:trustManagers>
                <sec:cipherSuitesFilter>
                    <sec:include>.*_EXPORT_.*</sec:include>
                    <sec:include>.*_EXPORT1024_.*</sec:include>
                    <sec:include>.*_WITH_DES_.*</sec:include>
                    <sec:include>.*_WITH_DES40_.*</sec:include>
                    <sec:include>.*_WITH_AES_.*</sec:include>
                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
                </sec:cipherSuitesFilter>
            </httpj:tlsServerParameters>
        </httpj:engine>
    </httpj:engine-factory>
</beans>

这是我如何使用 https 进行设置的示例,因此您可以将其用作参考,请注意我使用的是蓝图(不是 spring DSL)以及 JBoss 但我知道这种方法也适用于 spring DSL,因此您可以尝试一下。

<?xml version="1.0" encoding="UTF-8" ?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
    xmlns:bp="http://camel.apache.org/schema/blueprint"
    xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.1.0"
    xmlns:cxf="http://camel.apache.org/schema/blueprint/cxf" 
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:sec="http://cxf.apache.org/configuration/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://camel.apache.org/schema/blueprint
         http://camel.apache.org/schema/blueprint/camel-blueprint-2.16.4.xsd
      http://www.osgi.org/xmlns/blueprint/v1.0.0
         https://osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
      http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.1.0
         http://aries.apache.org/schemas/blueprint-ext/blueprint-ext-1.1.xsd
      http://camel.apache.org/schema/blueprint/cxf
         http://camel.apache.org/schema/blueprint/cxf/camel-cxf.xsd
      http://cxf.apache.org/transports/http/configuration 
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://cxf.apache.org/configuration/security 
         http://cxf.apache.org/schemas/configuration/security.xsd
      ">

    <cxf:cxfEndpoint id="myService"
        address="https://localhost:8443/MyWebService/"
        wsdlURL="https://localhost:8443/MyWebService?wsdl"
        loggingFeatureEnabled="true">
    </cxf:cxfEndpoint>

    <http:conduit name="*.http-conduit">
        <http:tlsClientParameters disableCNCheck="true">
            <sec:keyManagers keyPassword="$RF[trustStore.password]">
                <sec:keyStore type="JKS" password="yourpassgoeshere"
                    file="/var/app/security/my-trust.jks" />
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="yourpassgoeshere"
                    file="/var/app/security/my-trust.jks" />
            </sec:trustManagers>
        </http:tlsClientParameters>
    </http:conduit>

</blueprint>

除此之外,请查看详细解释的文档,以便您可以根据自己的需要进行调整。

http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html