But AFAIK for Tomcat the SSL is enforced at the servlet-level
(http://www.jroller.com/gmazza/entry/ssl_for_web_services#SSL4), or more
accurately, via a url-pattern, which in turn gets mapped to a servlet or
multiple servlets. So even if you have multiple paths/contexts being
routed to a single servlet, so long as you know the servlet it's being
routed to you'll know whether SSL is being enforced for all of those
paths/contexts.
Glen
On 01/20/2012 12:19 PM, Sven Zethelius wrote:
I don't think its something you can necessarily determine at the Servlet /
ServletContext. Since multiple pathes / Context can be routed to a single
servlet instance, it makes sense that you ask the request
(http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure())
________________________________________
From: Glen Mazza [gma...@talend.com]
Sent: Friday, January 20, 2012 9:15 AM
To: users@cxf.apache.org
Subject: Re: Https policy with spring
I don't know how accurate that is, that's why I was recommending asking
the Tomcat User's list. For what XiLai is asking for, 98% accurate
might not be good enough.
Glen
On 01/20/2012 12:02 PM, Sergey Beryozkin wrote:
On 20/01/12 16:35, Glen Mazza wrote:
I'm not sure here--if I understand you correctly, a more generic version
of the question you're asking is "How can a servlet determine whether it
is being run over https:// or not?" This might be a question better
asked on the Tomcat user's list. If it is not possible for a servlet to
be able to determine that in a formal, rigorous manner (i.e., perhaps
servlets are sandboxed by the servlet container so they can't know
whether they're running over https), then at the web service provider
level I don't see how it can make that determination either.
Would checking the request URI and seeing if it starts with 'https' do ?
Sergey
Glen
On 01/19/2012 08:35 PM, XiLai Dai wrote:
Thanks Colm and Glen!
but maybe my question was not clear, what we want to do was checking
if the Endpoint secured by policy after adding https policy to
the<jaxws:endpoint>.
the java codes used for checking looks like:
private boolean isSecuredByPolicy(Server server) {
boolean isSecured = false;
EndpointInfo ei = server.getEndpoint().getEndpointInfo();
PolicyEngine pe = bus.getExtension(PolicyEngine.class);
if (null == pe) {
LOG.finest("No Policy engine found");
return isSecured;
}
Destination destination = server.getDestination();
EndpointPolicy ep = pe.getServerEndpointPolicy(ei, destination);
Collection<Assertion> assertions = ep.getChosenAlternative();
for (Assertion a : assertions) {
if (a instanceof TransportBinding) {
TransportBinding tb = (TransportBinding)a;
TransportToken tt = tb.getTransportToken();
Token t = tt.getTransportToken();
if (t instanceof HttpsToken) {
isSecured = true;
break;
}
}
}
Policy policy = ep.getPolicy();
List<PolicyComponent> pcList = policy.getPolicyComponents();
for (PolicyComponent a : pcList) {
if (a instanceof TransportBinding) {
TransportBinding tb = (TransportBinding)a;
TransportToken tt = tb.getTransportToken();
Token t = tt.getTransportToken();
if (t instanceof HttpsToken) {
isSecured = true;
break;
}
}
}
return isSecured;
}
but the return value always false :(
Thanks!
Xilai
________________________________________
Information on setting up Tomcat for SSL is here:
http://www.jroller.com/gmazza/entry/ssl_for_web_services
HTH,
Glen
On 01/19/2012 05:42 AM, Colm O hEigeartaigh wrote:
Hi,
It can be published with no error, but from the debugging there is
no any Assertion found, so the Https transport didn't take effect.
The policy looks ok - how are you setting up the TLS endpoint though?
Adding a TransportBinding policy does not set up TLS, it's up to the
container to do that, or else you can add a "httpj:engine-factory"
configuration if using Jetty.
Colm.
On Thu, Jan 19, 2012 at 4:00 AM, XiLai Dai<xl...@talend.com> wrote:
Hello,
We have a jaxws:endpoint defined like this:
<jaxws:endpoint xmlns:tns="http://my.org/examples/";
id="greeter_Https"
implementor="demo.service.Greeter_HttpsImpl"
serviceName="tns:Greeter_HttpsService"
address="/Greeter_HttpsService">
<jaxws:features>
<p:policies>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</p:policies>
</jaxws:features>
</jaxws:endpoint>
It can be published with no error, but from the debugging there is
no any Assertion found, so the Https transport didn't take effect.
Can someone take a look what's wrong with the definition of policy?
Thanks in advance.
Regards.
Xilai
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
