Configuring an Apache CXF client to support HTTPS

Every sample configuration on the web, the one on the CXF site included, configures the CA certificate as a JKS or P12 file. Both of these formats are keyStores that hold the private key alongside the public key, so configuring things this way amounts to handing the CA's private key to the client... which instantly defeats the purpose of HTTPS, while adding a layer of encryption/decryption overhead for nothing.

The fix is simple enough to cry over (never mind the whole night spent trying to strip the private key out of the keyStore and similar tricks): when configuring the trustManagers node (that is, the CA node), don't use keyStore; use certStore instead. A certStore holds only the certificate (the public key), so the CA material stays safe.

The complete CXF client configuration follows:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
    xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <http:conduit name="*.http-conduit">

        <http:tlsClientParameters>
            <sec:keyManagers>
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/client.p12" />
            </sec:keyManagers>
            <sec:trustManagers>
                <!-- 
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/ca.p12" />
                     -->
                <sec:certStore file="/my/certs/path/ca.cer" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with export-suitable 
                    or null encryption is used, but exclude anonymous Diffie-Hellman key change 
                    as this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
        <!-- 
        <http:authorization>
            <sec:UserName>Betty</sec:UserName>
            <sec:Password>password</sec:Password>
        </http:authorization>
         -->
         <!-- 
        <http:client AutoRedirect="true" Connection="Keep-Alive" />
         -->

    </http:conduit>

</beans>

Addendum:

Recently, while setting up two-way HTTPS authentication on Tomcat, I found that the JKS format does support adding only the CA certificate (with PKCS12, a keystore holding nothing but the CA certificate is not supported), so the trustManagers above can also be configured with a keyStore in JKS format that contains only the CA certificate, like this:

<sec:trustManagers>
    <sec:keyStore type="JKS" password="defaultpwd" file="/my/certs/path/ca_only.jks" />
</sec:trustManagers>

Here is how to convert ca.crt into a JKS:

keytool -import -v -trustcacerts -storepass defaultpwd -keypass defaultpwd -file ca.crt -keystore ca_only.jks
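The same setup done programmatically, as an added example (not code from the original post or from the CXF project): it builds the trust material from the CA certificate file alone, refuses any trust store that turns out to carry a private key (the mistake the post describes), and applies a cipher-suite filter that excludes the NULL, EXPORT and DES families the page's XML filter still admits. File paths, the "ca-N" aliases and the `port` argument are assumptions; the CXF classes used (TLSClientParameters, FiltersType, ClientProxy, HTTPConduit) are the public API that the `http:tlsClientParameters` XML maps onto.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class CxfTrustOnlyClient {

    /** Build an in-memory trust store that holds only the CA certificate(s) read from a PEM or DER file. */
    static KeyStore trustStoreFromCertificate(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // start from an empty store; a trust store needs no password
        try (InputStream in = new FileInputStream(certPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trust.setCertificateEntry("ca-" + i++, c); // alias "ca-N" is an assumption; certificate entries only
            }
        }
        return trust;
    }

    /** Audit check: a trust store must never contain a private key entry. */
    static void assertNoPrivateKeys(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                throw new IllegalStateException("trust store carries a private key under alias " + alias);
            }
        }
    }

    static TrustManager[] trustManagersFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf.getTrustManagers();
    }

    /** Cipher-suite filter: AES suites only; NULL, EXPORT, DES, RC4 and anonymous suites excluded. */
    static FiltersType hardenedCipherFilter() {
        FiltersType f = new FiltersType();
        f.getInclude().add(".*_WITH_AES_.*");
        f.getExclude().add(".*_NULL_.*");
        f.getExclude().add(".*_EXPORT.*");
        f.getExclude().add(".*_DES_.*");
        f.getExclude().add(".*_RC4_.*");
        f.getExclude().add(".*_anon_.*");
        return f;
    }

    /** Apply trust-only TLS settings to the conduit behind a JAX-WS proxy (the `port` object is assumed). */
    public static void configure(Object port, String caCertPath) throws Exception {
        KeyStore trust = trustStoreFromCertificate(caCertPath);
        assertNoPrivateKeys(trust);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLSv1.2");
        tls.setTrustManagers(trustManagersFor(trust));
        tls.setCipherSuitesFilter(hardenedCipherFilter());
        // for mutual TLS, setKeyManagers(...) would be loaded from client.p12 here; that part is unchanged from the XML

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

`assertNoPrivateKeys` is also useful on its own against the `ca_only.jks` built with the keytool command above: load it with `KeyStore.getInstance("JKS")` and pass it in, and it will fail fast if a PrivateKeyEntry ever ends up in the trust store.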