I think I figured that out myself actually. Setting
org.ops4j.pax.web.ssl.clientauthwanted = true
should enable two-way SSL if the client has anything to send.
At least that is what I am hoping. Does anyone have any experience about
whether this is a correct assumption?

If that is correctly understood, I can just reject all calls without a
valid client cert in that specific endpoint.

On 16 Sep 2016 8:45 p.m., "Martin Nielsen" <mny...@gmail.com> wrote:

> That looks very much like what I would need. The only issue is that I
> will need 2-way SSL for only a select few endpoints. It looks to me like the
> Pax Web configuration is global. Is that right?
>
> On 16 Sep 2016 10:21, "Christian Schneider" <ch...@die-schneider.net>
> wrote:
>
>> I am not sure about reading the client certificate in an interceptor but
>> that part should be for the most part unrelated to
>> OSGi. Maybe you can ask that as a separate question so people without
>> OSGi knowledge tune in.
>>
>> Christian
>>
>> On 16.09.2016 08:42, Martin Nielsen wrote:
>>
>>> Hello everyone.
>>>
>>> I have a question about using CXF in an OSGi container. More specifically
>>> using it via Declarative Services.
>>>
>>> I need to create a REST endpoint that is secured by 2-way SSL, as well as
>>> an interceptor which can read the incoming client certificate after the
>>> handshake in order to perform authentication inside the application
>>> itself.
>>>
>>> But how do I do this? I found a demo to make CXF register a component as
>>> a REST service here. http://cxf.apache.org/dosgi-ds-demo-page.html
>>>
>>> But I still can't find resources on how to do the 2-way SSL part.
>>> I know I need to set up trust and keystores on the HTTPConduit, but I have
>>> no idea how or where to do that in an OSGi environment.
>>>
>>> I am using Karaf for the OSGi container, if that has any relevance.
>>>
>>> Thank you in advance
>>>
>>> -Martin
>>>
>>>
>>
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Open Source Architect
>> http://www.talend.com
>>
>>
