还是使用上一篇文章中生成的四个证书文件,以Tomcat为运行环境来部署支持SSL的CXF应用。
首先在Tomcat的conf目录中找到server.xml文件,需要在该文件中加上SSL配置,如下
<!-- HTTPS connector for the CXF service on port 8443. keystoreFile/keystorePass
     identify the server's private key; clientAuth="true" additionally demands a
     client certificate that chains to truststoreFile (two-way / mutual TLS).
     Both passwords are stored in clear text here, so restrict read access to
     server.xml and to the two .jks files placed in conf/. -->
<Connector port="8443"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           sslProtocol="TLS"
           algorithm="SunX509"
           clientAuth="true"
           keystoreFile="conf/server-keystore.jks"
           keystorePass="myPassword"
           truststoreFile="conf/server-truststore.jks"
           truststorePass="myPassword"
           truststoreType="jks"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           acceptCount="100"
           enableLookups="false"
           disableUploadTimeout="true"
           maxHttpHeaderSize="8192"/>
其中,keystoreFile是服务器私钥的jks文件,keystorePass是私钥jks的密码,如果部署的是单向认证的SSL,那么只配置这两项就足够了。
如果要部署双向SSL认证,那么请继续将truststoreFile,truststorePass,truststoreType配置上,truststoreFile是储存客户端公钥证书的文件。
并将上面涉及到的两个jks文件放入到conf目录。此时服务端配置就好了。
接着是客户端配置,请看spring的配置文件,如下:
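<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

  <!-- JAX-WS client proxy; its https address makes it use the conduit below. -->
  <jaxws:client id="helloClient"
                serviceClass="com.demo.cxf.helloword.HelloWord"
                address="https://localhost:8443/web_service/services/HelloWorld">
  </jaxws:client>

  <!-- TLS settings applied to every HTTP conduit (wildcard name). -->
  <http:conduit name="*.http-conduit">
    <!-- disableCNCheck="true" turns off hostname verification: a server certificate
         issued for a name other than "localhost" is accepted as long as it chains to
         the trust store. Keep this only for local testing; in production set it to
         false and issue the server certificate for the host name in the address. -->
    <http:tlsClientParameters disableCNCheck="true">
      <!-- Trust store: the server's public certificate (needed for one-way and two-way TLS). -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="myPassword"
                      file="client-truststore.jks" />
      </sec:trustManagers>
      <!-- Key store: the client's private key, presented only for two-way TLS.
           Remove this element for one-way authentication. -->
      <sec:keyManagers keyPassword="myPassword">
        <sec:keyStore type="JKS" password="myPassword"
                      file="client-keystore.jks" />
      </sec:keyManagers>
      <!-- Key-store passwords are in clear text here; protect this file accordingly. -->
      <sec:cipherSuitesFilter>
        <!-- Offer only AES suites. The null, export-grade and single-DES suites are
             excluded because they provide no or trivially weak confidentiality, and
             anonymous Diffie-Hellman is excluded because it does not authenticate the
             server and is therefore open to man-in-the-middle attacks. -->
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_EXPORT_.*</sec:exclude>
        <sec:exclude>.*_EXPORT1024_.*</sec:exclude>
        <sec:exclude>.*_WITH_DES_.*</sec:exclude>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>
</beans>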
同上面,如果只要单向认证,请删除sec:keyManagers客户端私钥配置即可。
client端调用代码同Hello World示例代码:
// Bootstrap the CXF client from the SSL-aware Spring context and invoke the service once.
final ApplicationContext springContext = new ClassPathXmlApplicationContext("cxf/cxf-client-ssl.xml");
final HelloWord service = (HelloWord) springContext.getBean("helloClient");
System.out.println(service.sayHello("Bruce"));
附上完整代码。