Author: gmazza
Date: Thu Aug 2 15:39:59 2012
New Revision: 1368552
URL: http://svn.apache.org/viewvc?rev=1368552&view=rev
Log:
Removed disableCNCheck from the client configuration in the basic_https sample.
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/KeyREADME.txt
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/clientKeystore.jks
(with props)
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/serviceKeystore.jks
(with props)
Removed:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/httpsdemo/client/Client.java
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt?rev=1368552&r1=1368551&r2=1368552&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
Thu Aug 2 15:39:59 2012
@@ -56,10 +56,6 @@ To remove the target dir, run "mvn clean
Certificates
------------
+See the src/main/config folder for the sample keys used (don't use
+these keys in production!) as well as scripts used for their creation.
-If the certificates are expired or unusable for some reason, a shell
-script in the certs folder will generate a new set of certificates
-needed for this sample. Just do the following:
-
- cd certs
- sh gencerts.sh
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/KeyREADME.txt
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/KeyREADME.txt?rev=1368552&view=auto
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/KeyREADME.txt
(added)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/KeyREADME.txt
Thu Aug 2 15:39:59 2012
@@ -0,0 +1,20 @@
+# The below scripts show the commands used to generate the self-signed keys
for this sample.
+# If you use the below script to create your own keys be sure to change the
passwords used here
+# DO NOT USE THE SUPPLIED KEYS IN PRODUCTION--everyone has them!!
+# For production recommended to use keys signed by a third-party certificate
authority (CA)
+
+# Create the combination keystore/truststore for the client and service.
+# Note you can create separate keystores/truststores for both if desired
+keytool -genkeypair -validity 730 -alias myservicekey -keystore
serviceKeystore.jks -dname "cn=localhost" -keypass skpass -storepass sspass
+keytool -genkeypair -validity 730 -alias myclientkey -keystore
clientKeystore.jks -keypass ckpass -storepass cspass
+
+# Place server public cert in client key/truststore
+keytool -export -rfc -keystore serviceKeystore.jks -alias myservicekey -file
MyService.cer -storepass sspass
+keytool -import -noprompt -trustcacerts -file MyService.cer -alias
myservicekey -keystore clientKeystore.jks -storepass cspass
+
+# Place client public cert in service key/truststore
+# Note this needs to be done only if you're requiring client authentication
+# as configured in resources/ServerConfig.xml
+keytool -export -rfc -keystore clientKeystore.jks -alias myclientkey -file
MyClient.cer -storepass cspass
+keytool -import -noprompt -trustcacerts -file MyClient.cer -alias myclientkey
-keystore serviceKeystore.jks -storepass sspass
+
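Review bot: Both `keytool -genkeypair` lines omit `-keyalg` and `-keysize`, so the key type and size come from keytool's defaults (DSA with a 1024-bit key on the JDKs current when this was written, as far as I recall, which TLS stacks increasingly refuse), and the client line has no `-dname`, so the "script" stops for interactive input and is not reproducible. Consider `keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 -alias myservicekey -keystore serviceKeystore.jks -dname "cn=localhost" -keypass skpass -storepass sspass` and the same `-keyalg RSA -keysize 2048 -dname "cn=client"` additions on the client line. The `cn=localhost` on the service key is load-bearing now that the client no longer disables the CN check; a comment such as `# cn must equal the host the client connects to (localhost): the client verifies it` next to that line would save the next person who regenerates the keys with a different CN.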
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/clientKeystore.jks
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/clientKeystore.jks?rev=1368552&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/clientKeystore.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/serviceKeystore.jks
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/serviceKeystore.jks?rev=1368552&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/config/serviceKeystore.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/httpsdemo/client/Client.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/httpsdemo/client/Client.java?rev=1368552&r1=1368551&r2=1368552&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/httpsdemo/client/Client.java
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/httpsdemo/client/Client.java
Thu Aug 2 15:39:59 2012
@@ -41,14 +41,14 @@ public final class Client {
public static void main(String args[]) throws Exception {
- File clientKeystore = new File("certs/clientKeystore.jks");
- File truststore = new File("certs/commonTruststore.jks");
+ File clientKeystore = new File("src/main/config/clientKeystore.jks");
+ File truststore = new File("src/main/config/clientKeystore.jks");
// Send HTTP GET request to query customer info - using portable
HttpClient method
Protocol authhttps = new Protocol("https",
- new
AuthSSLProtocolSocketFactory(clientKeystore.toURI().toURL(), "password",
- truststore.toURI().toURL(), "password"),
- 9000);
+ new AuthSSLProtocolSocketFactory(clientKeystore.toURI().toURL(),
"cspass",
+ "ckpass", truststore.toURI().toURL(), "cspass"),
+ 9000);
Protocol.registerProtocol("https", authhttps);
System.out.println("Sending HTTPS GET request to query customer info");
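Review bot: The truststore handed to `AuthSSLProtocolSocketFactory` is the same file as the client keystore (`src/main/config/clientKeystore.jks` on both lines), so the trust manager is built from a store that also holds the client's private key, and, with the default trust manager as far as I can tell, every certificate in it, including the client's own self-signed cert, becomes a trust anchor. That is acceptable for a sample but deserves a comment so it is not copied into real code: `// Sample only: one JKS serves as both key store and trust store; keep identity and trust anchors in separate stores in production.` The store and key passwords are also string literals in source, which KeyREADME.txt already warns about for the shipped keys. `main` continues past the end of the hunk.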
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?rev=1368552&r1=1368551&r2=1368552&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java
Thu Aug 2 15:39:59 2012
@@ -170,6 +170,7 @@ public class AuthSSLProtocolSocketFactor
private URL keystoreUrl = null;
private String keystorePassword = null;
+ private String keyPassword = null;
private URL truststoreUrl = null;
private String truststorePassword = null;
private SSLContext sslcontext = null;
@@ -180,17 +181,19 @@ public class AuthSSLProtocolSocketFactor
*
* @param keystoreUrl URL of the keystore file. May be <tt>null</tt> if
HTTPS client
* authentication is not to be used.
- * @param keystorePassword Password to unlock the keystore. IMPORTANT:
this implementation
- * assumes that the same password is used to protect the key and
the keystore itself.
+ * @param keystorePassword Password to unlock the keystore.
+ * @param keyPassword Password to unlock any private key in the keystore.
* @param truststoreUrl URL of the truststore file. May be <tt>null</tt>
if HTTPS server
* authentication is not to be used.
* @param truststorePassword Password to unlock the truststore.
*/
public AuthSSLProtocolSocketFactory(final URL keystoreUrl, final String
keystorePassword,
+ final String keyPassword,
final URL truststoreUrl, final String
truststorePassword) {
super();
this.keystoreUrl = keystoreUrl;
this.keystorePassword = keystorePassword;
+ this.keyPassword = keyPassword;
this.truststoreUrl = truststoreUrl;
this.truststorePassword = truststorePassword;
}
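Review bot: `keyPassword` is stored as-is, so a caller that passes `null` (the only choice the old two-password contract offered) now reaches `kmfactory.init` with a null key password instead of the keystore password, and a JKS private-key entry will, as far as I can tell, fail with UnrecoverableKeyException rather than open as it did before this change. Defaulting preserves the old behaviour for such callers: `this.keyPassword = keyPassword != null ? keyPassword : keystorePassword;` together with the javadoc line `@param keyPassword Password to unlock any private key in the keystore; null means the keystore password is used.` Holding passwords as `String` also means they cannot be cleared after use, but that predates this commit.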
@@ -213,14 +216,14 @@ public class AuthSSLProtocolSocketFactor
return keystore;
}
- private static KeyManager[] createKeyManagers(final KeyStore keystore,
final String password)
+ private static KeyManager[] createKeyManagers(final KeyStore keystore,
final String keyPassword)
throws KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if (keystore == null) {
throw new IllegalArgumentException("Keystore may not be null");
}
LOG.debug("Initializing key manager");
KeyManagerFactory kmfactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmfactory.init(keystore, password != null ? password.toCharArray() :
null);
+ kmfactory.init(keystore, keyPassword != null ?
keyPassword.toCharArray() : null);
return kmfactory.getKeyManagers();
}
@@ -269,7 +272,7 @@ public class AuthSSLProtocolSocketFactor
}
}
}
- keymanagers = createKeyManagers(keystore,
this.keystorePassword);
+ keymanagers = createKeyManagers(keystore, this.keyPassword);
}
if (this.truststoreUrl != null) {
KeyStore keystore = createKeyStore(this.truststoreUrl,
this.truststorePassword);
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml?rev=1368552&r1=1368551&r2=1368552&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
Thu Aug 2 15:39:59 2012
@@ -35,16 +35,15 @@ under the License.
<!-- -->
<http:conduit name="https://localhost:.*/customerservice/.*">
<http:client ConnectionTimeout="3000000" ReceiveTimeout="3000000"/>
- <http:tlsClientParameters disableCNCheck="true">
- <sec:keyManagers keyPassword="password">
- <sec:keyStore type="JKS" password="password"
- file="certs/clientKeystore.jks"/>
- </sec:keyManagers>
- <sec:trustManagers>
- <sec:keyStore type="JKS" password="password"
- file="certs/commonTruststore.jks"/>
- </sec:trustManagers>
+ <http:tlsClientParameters>
+ <sec:keyManagers keyPassword="ckpass">
+ <sec:keyStore file="src/main/config/clientKeystore.jks"
password="cspass" type="JKS"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore file="src/main/config/clientKeystore.jks"
password="cspass" type="JKS"/>
+ </sec:trustManagers>
</http:tlsClientParameters>
</http:conduit>
</beans>
+
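Review bot: Dropping `disableCNCheck` turns hostname verification on, but nothing in this file records that the service certificate must carry `cn=localhost` to match the conduit URL, so anyone who regenerates the keys with another CN gets an opaque TLS handshake failure. A comment on `<http:tlsClientParameters>` would carry that: `<!-- No disableCNCheck: the service certificate's CN must match the host in the conduit URL (localhost). The same JKS serves as key store and trust store for this sample only; use separate stores in production. -->`. The `<sec:trustManagers>` keystore is the client's own key store, so the trust anchors sit next to the private key, which is fine here but not a pattern for a real deployment. Both `file` paths are relative to the working directory, so the client only starts from the sample's root.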
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml?rev=1368552&r1=1368551&r2=1368552&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
Thu Aug 2 15:39:59 2012
@@ -19,33 +19,31 @@
-->
<!--
- ** This file configures the Cherry Server.
- -->
-
+ ** This file configures the Server which exposes the REST endpoint.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xsi:schemaLocation="
- http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
- http://cxf.apache.org/transports/http/configuration
- http://cxf.apache.org/schemas/configuration/http-conf.xsd
- http://cxf.apache.org/transports/http-jetty/configuration
- http://cxf.apache.org/schemas/configuration/http-jetty.xsd
- http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans.xsd">
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/transports/http-jetty/configuration
+ http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd">
<httpj:engine-factory bus="cxf">
<httpj:engine port="9000">
<httpj:tlsServerParameters>
- <sec:keyManagers keyPassword="password">
- <sec:keyStore type="JKS" password="password"
- file="certs/serverKeystore.jks"/>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore file="src/main/config/serviceKeystore.jks"
password="sspass" type="JKS"/>
</sec:keyManagers>
<sec:trustManagers>
- <sec:keyStore type="JKS" password="password"
- file="certs/commonTruststore.jks"/>
+ <sec:keyStore file="src/main/config/serviceKeystore.jks"
password="sspass" type="JKS"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with