CXF simple frontend, allow all SSL certificates and set basic authentication cre

(转自http://blog.progs.be/71/cxf-simple-frontend-allow-all-ssl-certificates-and-set-basic-authentication-credentials)

CXF is a wonderful web services framework. It is mostly configured using spring, however, this falls short when trying to assure that all SSL certificates are accepted. In this case, programmatic configuration is needed.
In the case where I needed this, SSL was used only to assure that the communication is encrypted at the transport level. Though the server certificate is normally used to assure the that it cannot be replaced without being noticed, this was not our concern. Specifically, self signed certificates are used, and there is no guarantee that they will not be changed.
In CXF the configuration of the transport is done by the conduit. The following snippet indicates how this can be accessed for the simple frontend.
     ClientProxyFactoryBean factory = new ClientProxyFactoryBean();
factory.setServiceClass( PingService.class );
factory.setAddress( "https://localhost:8443/ca/pxws/1.0/ping" );
PingService client = (PingService) factory.create();

Client proxy = ClientProxy.getClient( client );
HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
TLSClientParameters tcp = new TLSClientParameters();
tcp.setTrustManagers( new TrustManager[]{ new TrustAllX509TrustManager() } );
conduit.setTlsClientParameters( tcp );

Similarly, the conduit can also be used to set the credentials which may be needed when the service is secured using basic authentication (as can be configured in web.xml).
The full code for the test is

package example.ws10.test;

import example.ws10.PingService;
import junit.framework.TestCase;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.frontend.ClientProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;
import org.equanda.util.security.SslUtil;

import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

/**
* Test the Ping service
*
* @author <a href="mailto:joachim@progs.be">Joachim Van der Auwera</a>
*/
public class PingTest
extends TestCase
{
public void testPingService()
throws Exception
{
ClientProxyFactoryBean factory = new ClientProxyFactoryBean();
factory.setServiceClass( PingService.class );
factory.setAddress( "https://localhost:8443/ca/pxws/1.0/ping" );
PingService client = (PingService) factory.create();
Client proxy = ClientProxy.getClient( client );

HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
TLSClientParameters tcp = new TLSClientParameters();
tcp.setTrustManagers( new TrustManager[]{ new SslUtil.TrustAllX509TrustManager() } );
conduit.setTlsClientParameters( tcp );
AuthorizationPolicy auth = conduit.getAuthorization();
if ( null == auth ) auth = new AuthorizationPolicy();
auth.setUserName( "local" );
auth.setPassword( "local" );

String res = client.getPing();
assertTrue( res.startsWith( "Ping back @" ) );
}

/**
* This class allow any X509 certificates to be used to authenticate the remote side of a secure socket, including
* self-signed certificates.
*/
public static class TrustAllX509TrustManager
implements X509TrustManager
{

/** Empty array of certificate authority certificates. */
private static final X509Certificate[] acceptedIssuers = new X509Certificate[]{ };

/**
* Always trust for client SSL chain peer certificate chain with any authType authentication types.
*
* @param chain the peer certificate chain.
* @param authType the authentication type based on the client certificate.
*/
public void checkClientTrusted( X509Certificate[] chain, String authType )
{}

/**
* Always trust for server SSL chain peer certificate chain with any authType exchange algorithm types.
*
* @param chain the peer certificate chain.
* @param authType the key exchange algorithm used.
*/
public void checkServerTrusted( X509Certificate[] chain, String authType )
{}

/**
* Return an empty array of certificate authority certificates which are trusted for authenticating peers.
*
* @return a empty array of issuer certificates.
*/
public X509Certificate[] getAcceptedIssuers()
{
return ( acceptedIssuers );
}
}
}
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值