使用 CXF 通过 SSL 保护 Web 服务通信

发布于 2024-08-24 18:21:36 字数 4118 浏览 4 评论 0原文

我正在尝试使用 CXF 2.2.5 通过 SSL/TLS 保护我们的 Web 服务之一的通信。我想知道如何更新客户端和服务器 Spring 配置文件来激活此功能。我在CXF的网站上找到了一些信息（CXF Wiki) 对于客户端配置，这里是给定的示例：

 <http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
   <http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
           <sec:keyStore type="JKS" password="password"
                file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
          <sec:keyStore type="JKS" password="password"
               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
          export-suitable or null encryption is used,
          but exclude anonymous Diffie-Hellman key change as
          this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
  <http:authorization>
     <sec:UserName>Betty</sec:UserName>
     <sec:Password>password</sec:Password>
  </http:authorization>
  <http:client AutoRedirect="true" Connection="Keep-Alive"/>
 </http:conduit>

关于此配置，

关于服务器端配置，我无法正确启动服务器，这是我的配置：

<http:destination name="{urn:ihe:iti:xds-b:2007}DocumentRepository_Port_Soap12.http-destination">
    </http:destination>

    <httpj:engine-factory>
            <httpj:engine port="9043">
                    <httpj:tlsServerParameters>
                            <sec:keyManagers keyPassword="changeit">
                                    <sec:keyStore type="JKS" password="changeit" file="security/keystore.jks" />
                            </sec:keyManagers>
                            <sec:trustManagers>
                                    <sec:keyStore type="JKS" password="changeit" file="security/cacerts.jks" />
                            </sec:trustManagers>
                            <sec:cipherSuitesFilter>
                                    <!--
                                            these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude
                                            anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks
                                    -->
                                    <sec:include>.*_EXPORT_.*</sec:include>
                                    <sec:include>.*_EXPORT1024_.*</sec:include>
                                    <sec:include>.*_WITH_DES_.*</sec:include>
                                    <sec:include>.*_WITH_NULL_.*</sec:include>
                                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
                            </sec:cipherSuitesFilter>
                            <sec:clientAuthentication want="true" required="true" />
                    </httpj:tlsServerParameters>
            </httpj:engine>
    </httpj:engine-factory>

但是当我使用此配置运行我的应用程序服务器（JOnas）时，我收到以下错误消息：

Line 20 in XML document from ServletContext resource [/WEB-INF/beans.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'httpj:engine-factory'.

你们知道如何解决这个问题吗？？

提前致谢，

原文

I am trying to secure communications via SSL/TLS for one of our Web Service using CXF 2.2.5.
I am wondering how to update client and server Spring configuration file to activate this feature.
I found some information on CXF's website (CXF Wiki) for the client configuration, here is the given example:

 <http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
   <http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
           <sec:keyStore type="JKS" password="password"
                file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
          <sec:keyStore type="JKS" password="password"
               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
          export-suitable or null encryption is used,
          but exclude anonymous Diffie-Hellman key change as
          this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
  <http:authorization>
     <sec:UserName>Betty</sec:UserName>
     <sec:Password>password</sec:Password>
  </http:authorization>
  <http:client AutoRedirect="true" Connection="Keep-Alive"/>
 </http:conduit>

Concerning this configuration, the

Concerning the server side configuration I am unable to launch the server properly, here is the configuration I have:

<http:destination name="{urn:ihe:iti:xds-b:2007}DocumentRepository_Port_Soap12.http-destination">
    </http:destination>

    <httpj:engine-factory>
            <httpj:engine port="9043">
                    <httpj:tlsServerParameters>
                            <sec:keyManagers keyPassword="changeit">
                                    <sec:keyStore type="JKS" password="changeit" file="security/keystore.jks" />
                            </sec:keyManagers>
                            <sec:trustManagers>
                                    <sec:keyStore type="JKS" password="changeit" file="security/cacerts.jks" />
                            </sec:trustManagers>
                            <sec:cipherSuitesFilter>
                                    <!--
                                            these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude
                                            anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks
                                    -->
                                    <sec:include>.*_EXPORT_.*</sec:include>
                                    <sec:include>.*_EXPORT1024_.*</sec:include>
                                    <sec:include>.*_WITH_DES_.*</sec:include>
                                    <sec:include>.*_WITH_NULL_.*</sec:include>
                                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
                            </sec:cipherSuitesFilter>
                            <sec:clientAuthentication want="true" required="true" />
                    </httpj:tlsServerParameters>
            </httpj:engine>
    </httpj:engine-factory>

But when I run my application server (JOnas) with this configuration I have the following error message:

Line 20 in XML document from ServletContext resource [/WEB-INF/beans.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'httpj:engine-factory'.

Do you guys know how to solve this issue?

Thanks in advance,

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

岁月如刀 2024-08-31 18:21:36

听起来您好像缺少名称空间声明或者您对 XML 进行了错误的操作。这可能更多是与 Spring 相关的问题，而不是 CXF 问题。

检查以下项目是否出现在声明 httj:engine-factory 的 beans 元素上：

<beans
  ...
  xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
  ...
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
      http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
      ...">
  <import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-http-jetty.xml" />

检查运行时 CXF Jetty Transport JAR 是否位于类路径中。

如果您将声明和模式位置添加到 IDE 中的上下文文件中（至少在带有 Spring 插件和 IDEA 的 Eclipse 中），您应该在 IDE 中正确进行模式验证，这样您就可以轻松地找到您犯下的任何错误自动完成的优点。

It sounds like you are missing a namespace declaration or you have fat-fingered your XML. This is likely more of a Spring related issue than a CXF issue.

Check that the following items appear on your beans element where you declare httj:engine-factory:

<beans
  ...
  xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
  ...
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
      http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
      ...">
  <import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-http-jetty.xml" />

Check that the CXF Jetty Transport JAR is in your classpath at runtime.

If you add the declaration and the schema location to your context file in your IDE (at least in Eclipse with the Spring plug-ins and IDEA) you should get schema validation right in your IDE so you can easily find any mistakes you make and take advantage of auto-completion.

回复收藏 0 原文

~没有更多了~