Hi Dan,
Thanks for adding the feature.
Meanwhile, I started to use Spring configuration. The server is configured for 
X.509 client certificate authentication to the STS, and the client cert is added to 
the server truststore.
I followed the STSClient sample in http://cxf.apache.org/docs/ws-trust.html
but I get the following exception:

--
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:118)
        at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1299)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1264)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1342)
---

My conf:
---
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
  xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <http:conduit name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}X5092.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <sec:keyManagers keyPassword="password1">
        <sec:keyStore type="JKS" password="password" file="client.jks" />
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password" file="client_trust.jks" />
      </sec:trustManagers>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>

  <bean id="stsclient" class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf" />
    <property name="requiresEntropy" value="false" />
    <property name="wsdlLocation" value="<wsdl>" />
    <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS" />
    <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}X5092" />
    <property name="properties">
      <map>
        <entry key="ws-security.username" value="wsclient"/>
        <entry key="ws-security.signature.properties" value="wss40_client.properties" />
        <entry key="ws-security.encryption.properties" value="wss40_idp.properties" />
        <entry key="ws-security.encryption.username" value="idp" />
      </map>
    </property>
  </bean>

</beans>
---
SpringBusFactory bf = new SpringBusFactory();
URL busFile = Client.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString()); 
BusFactory.setDefaultBus(bus); 
STSClient stsClient = (STSClient) bus.getExtension(BusApplicationContext.class).getBean("stsclient");
stsClient.requestSecurityToken();
---

The server truststore has the client cert. What might be the reason for this 
exception?


-Vinay
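The exception says the TLS handshake finished without the client ever presenting a certificate, which is decided on the client side by the JSSE key manager before the server truststore is consulted. The following checker is an added example (not part of this thread or of CXF) that inspects the client.jks named in the http:conduit above with the same store and key passwords and reports, per alias, why the key manager would or would not select it. The optional DN arguments stand for the "acceptable client certificate CA names" the server sends in its CertificateRequest; they are placeholders to be replaced with the real ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Hypothetical diagnostic for "no local certificates were negotiated"; not CXF code.
public class ClientKeyStoreCheck {

    public static final class Finding {
        public final String alias;
        public final boolean usable;
        public final String reason;

        Finding(String alias, boolean usable, String reason) {
            this.alias = alias;
            this.usable = usable;
            this.reason = reason;
        }
    }

    // acceptedIssuers: CA names from the server's CertificateRequest; empty set skips that check.
    public static List<Finding> inspect(KeyStore ks, char[] keyPassword,
                                        Set<X500Principal> acceptedIssuers) throws Exception {
        List<Finding> out = new ArrayList<Finding>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // A trustedCertEntry holds only a certificate; nothing can be signed with it.
                out.add(new Finding(alias, false, "trusted-certificate entry only, no private key"));
                continue;
            }
            try {
                ks.getKey(alias, keyPassword);
            } catch (UnrecoverableKeyException ex) {
                out.add(new Finding(alias, false, "private key present but keyPassword does not unlock it"));
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                out.add(new Finding(alias, false, "key entry has no certificate chain"));
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            try {
                leaf.checkValidity();
            } catch (CertificateException ex) {
                out.add(new Finding(alias, false, "certificate not valid now: " + ex.getMessage()));
                continue;
            }
            boolean[] keyUsage = leaf.getKeyUsage();
            if (keyUsage != null && !keyUsage[0]) {
                // Bit 0 is digitalSignature; client auth signs the CertificateVerify message.
                out.add(new Finding(alias, false, "KeyUsage lacks digitalSignature"));
                continue;
            }
            if (!acceptedIssuers.isEmpty() && !issuerAccepted(chain, acceptedIssuers)) {
                out.add(new Finding(alias, false, "issuer " + leaf.getIssuerX500Principal()
                        + " is not a CA name the server accepts; the key manager silently sends no certificate"));
                continue;
            }
            out.add(new Finding(alias, true, "subject=" + leaf.getSubjectX500Principal()
                    + ", issuer=" + leaf.getIssuerX500Principal()));
        }
        return out;
    }

    // Rule of the default SunX509 key manager: some certificate in the chain must be
    // issued by one of the CA names the server listed.
    static boolean issuerAccepted(Certificate[] chain, Set<X500Principal> accepted) {
        for (Certificate c : chain) {
            if (accepted.contains(((X509Certificate) c).getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }

    // Usage: java ClientKeyStoreCheck client.jks password password1 ["CN=Example STS CA,O=Example" ...]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        Set<X500Principal> accepted = new HashSet<X500Principal>();
        for (int i = 3; i < args.length; i++) {
            accepted.add(new X500Principal(args[i])); // placeholder DNs; use the server's real ones
        }
        boolean anyUsable = false;
        for (Finding f : inspect(ks, args[2].toCharArray(), accepted)) {
            System.out.println(f.alias + ": " + (f.usable ? "usable" : "PROBLEM") + " - " + f.reason);
            anyUsable |= f.usable;
        }
        if (!anyUsable) {
            System.out.println("No usable entry: the handshake will carry no client certificate.");
        }
    }
}
```

The issuer check is the one that bites when "the server truststore has the client cert" but the cert is CA-signed: a Java server lists the subject names of its truststore entries as acceptable issuers, so a truststore holding only the leaf certificate announces the leaf's subject, which matches no issuer in the client's chain, and the client sends nothing. Adding the issuing CA to the server truststore (or using a self-signed client cert) makes the names line up.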

-----Original Message-----
From: Daniel Kulp [mailto:[email protected]] 
Sent: Monday, August 08, 2011 12:30 PM
To: [email protected]
Cc: Penmatsa, Vinay
Subject: Re: TLSClientParameters

On Monday, August 08, 2011 8:42:53 AM Penmatsa, Vinay wrote:
> Hi Dan,
> Thanks.
> How can I set the TLS params in the STSClient? Is there an example of using
> STSClient this way?

I just checked the code and there isn't a way to access the underlying client 
from the STSClient.   I just added a getClient call which can be used in the 
future and that will be in CXF 2.4.2, but right now, the only way is through 
configuration.  :-(    (or use some reflection magic to call the private 
createClient() call and grab the client field, but that really sucks)

Dan



> -Vinay
> 
> 
> 
> -----Original Message-----
> From: Daniel Kulp [mailto:[email protected]]
> Sent: Friday, August 05, 2011 5:29 PM
> To: [email protected]
> Cc: Penmatsa, Vinay
> Subject: Re: TLSClientParameters
> 
> > Client client = ClientProxy.getClient(port);
> > STSClient stsClient = new STSClient(client.getBus());
> 
> You have two separate clients there....   the client from the port and an
> STSClient.   You are setting the TLS stuff on the port's client, but not the
> STSClient.   That's likely the issue.
> 
> Dan
> 
> On Friday, August 05, 2011 12:11:43 PM Penmatsa, Vinay wrote:
> > Hi Dan,
> > No. But not sure if I'm affecting it somehow. Here's my code:
> > 
> > ------
> > Client client = ClientProxy.getClient(port);
> > STSClient stsClient = new STSClient(client.getBus());
> > HTTPConduit http = (HTTPConduit) client.getConduit();
> > TLSClientParameters param = new TLSClientParameters();
> > param.setDisableCNCheck(true);
> > Properties cProps = new Properties();
> > cProps.load(new FileReader("client.properties"));
> > Merlin m = new Merlin(cProps);
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> > TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > kmf.init(m.getKeyStore(), "password1".toCharArray());
> > tmf.init(m.getTrustStore());
> > param.setKeyManagers(kmf.getKeyManagers());
> > param.setTrustManagers(tmf.getTrustManagers());
> > http.setTlsClientParameters(param);
> > 
> > stsClient.setWsdlLocation("<wsdl url>");
> > stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS");
> > stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}UT");
> > Map<String,Object> stsProps = new HashMap<String,Object>();
> > stsProps.put("ws-security.username", "user");
> > stsProps.put("ws-security.password", "password");
> > stsClient.setProperties(stsProps);
> > SecurityToken st = stsClient.requestSecurityToken();
> > -----
> > 
> > I'm using cxf 2.4.
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: Daniel Kulp [mailto:[email protected]]
> > Sent: Friday, August 05, 2011 11:49 AM
> > To: [email protected]
> > Cc: Penmatsa, Vinay
> > Subject: Re: TLSClientParameters
> > 
> > On Friday, August 05, 2011 11:32:08 AM Penmatsa, Vinay wrote:
> > > Hi Prisca,
> > > Thanks for the link.
> > > This can be a fallback solution, but I prefer to do it
> > > programmatically.
> > > While debugging the source, it seems a new conduit object is created
> > > in HttpTransportFactory.getConduit(). So, the client.getConduit() in my
> > > code is ignored. Not sure how to fix that
> > 
> > Do you have a different ConduitSelector installed on the client?   The
> > default one should just be creating a single Conduit for the client and
> > re-using it. I'm not sure why a second call to
> > HttpTransportFactory.getConduit would be occurring.
> > 
> > Dan
> > 
> > > Regards,
> > > Vinay
> > > 
> > > -----Original Message-----
> > > From: Prisca POLYTE [mailto:[email protected]]
> > > Sent: Friday, August 05, 2011 11:18 AM
> > > To: [email protected]
> > > Subject: Re: TLSClientParameters
> > > 
> > > Hey,
> > > 
> > > is it possible for you to use Spring for instance ?
> > > 
> > > If it is then you should have a look to
> > > http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
> > > 
> > > HTH
> > > 
> > > Regards
> > > --
> > > Prisca
> > > 
> > > On Fri, Aug 5, 2011 at 5:10 PM, Penmatsa, Vinay <[email protected]> wrote:
> > > > I'm unable to set the 'disableCNCheck' programmatically as
> > > > below:
> > > > 
> > > > HTTPConduit http = (HTTPConduit) client.getConduit();
> > > > TLSClientParameters param = new TLSClientParameters();
> > > > param.setDisableCNCheck(true);
> > > > http.setTlsClientParameters(param);
> > > > 
> > > > 
> > > > What's the correct way to do this?
> > > > 
> > > > 
> > > > Thanks,
> > > > Vinay
-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
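Dan's point in the thread is that TLS parameters set on the service port's conduit never reach the STSClient, which builds its own Client and conduit. As an added example (not code from this thread or from the CXF project), the following wires the key and trust managers onto the STSClient's own conduit through the getClient() call Dan says arrives in CXF 2.4.2; it assumes that method exists with no arguments and that the keystore files, passwords and endpoint names are those from Vinay's configuration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

// Hypothetical wiring example; assumes STSClient.getClient() (CXF 2.4.2+ per the thread).
public class StsClientTls {

    static KeyStore load(String file, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, storePassword);
        } finally {
            in.close();
        }
        return ks;
    }

    public static SecurityToken requestToken(String wsdlLocation) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation(wsdlLocation);
        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS");
        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}X5092");

        // Same stores as the Spring conduit config: client.jks holds the client key,
        // client_trust.jks holds the certificates the STS is allowed to present.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("client.jks", "password".toCharArray()), "password1".toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("client_trust.jks", "password".toCharArray()));

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        // disableCNCheck is left at its default (false): the STS certificate has to match its host name.

        // The STSClient's own conduit, not the conduit of the service port.
        Client client = stsClient.getClient();
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);

        Map<String, Object> props = new HashMap<String, Object>();
        props.put("ws-security.username", "wsclient");
        stsClient.setProperties(props);
        return stsClient.requestSecurityToken();
    }
}
```

Until 2.4.2 the http:conduit element keyed on the STS endpoint name, as in Vinay's configuration, is the only supported route; the conduit name must be the endpoint QName followed by ".http-conduit" or the TLS settings are simply not applied and the handshake proceeds with no client certificate.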
