4.CXF安全访问之单向SSL或者双向SSL（三）

还是使用上一篇文章中生成的四个证书文件，以Tomcat 为运行环境来部署支持SSL的CXF应用。

首先在Tomcat的conf目录中找到server.xml文件，需要在该文件中加上SSL配置，如下

 

<Connector SSLEnabled="true" 
					acceptCount="100" 
					algorithm="SunX509" 
					disableUploadTimeout="true" 
					enableLookups="false" 
					maxHttpHeaderSize="8192" 
					maxSpareThreads="75" 
					maxThreads="150" 
					minSpareThreads="25" 
					port="8443" 
					scheme="https" 
					secure="true" 
					sslProtocol="TLS"
					clientAuth="true" 
					keystoreFile="conf/server-keystore.jks" 
					keystorePass="myPassword" 
					truststoreFile="conf/server-truststore.jks" 
					truststorePass="myPassword" 
					truststoreType="jks"/>

 其中，keystoreFile是服务器私钥的jks文件，keystorePass是私钥jks的密码，如果部署的是单向认证的SSL，那么只配置这两项就足够了。

如果要部署双向SSL认证，那么请继续将truststoreFile，truststorePass，truststoreType配置上，truststoreFile是储存客户端公钥证书的文件。

并将上面涉及到的两个jks文件放入到conf目录。此时服务端配置就好了。

 

接着是客户端配置，请看spring的配置文件，如下：

 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws"
	xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration"
	xsi:schemaLocation="
		http://cxf.apache.org/configuration/security
		http://cxf.apache.org/schemas/configuration/security.xsd
		http://cxf.apache.org/transports/http/configuration
		http://cxf.apache.org/schemas/configuration/http-conf.xsd
		http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans.xsd
		http://cxf.apache.org/jaxws 
		http://cxf.apache.org/schemas/jaxws.xsd">

	<jaxws:client id="helloClient"
		serviceClass="com.demo.cxf.helloword.HelloWord"
		address="https://localhost:8443/web_service/services/HelloWorld">
	</jaxws:client>

	<http:conduit name="*.http-conduit">
		<http:tlsClientParameters disableCNCheck="true">
			<!-- 服务端公钥 -->
			<sec:trustManagers>
				<sec:keyStore type="JKS" password="myPassword"
					file="client-truststore.jks" />
			</sec:trustManagers>
			<!-- 客户端私钥 -->
            <sec:keyManagers keyPassword="myPassword">
                <sec:keyStore type="JKS" password="myPassword"
                    file="client-keystore.jks" />
            </sec:keyManagers>
			<sec:cipherSuitesFilter>
				<!-- these filters ensure that a ciphersuite with export-suitable or 
					null encryption is used, but exclude anonymous Diffie-Hellman key change 
					as this is vulnerable to man-in-the-middle attacks -->
				<sec:include>.*_EXPORT_.*</sec:include>
				<sec:include>.*_EXPORT1024_.*</sec:include>
				<sec:include>.*_WITH_DES_.*</sec:include>
				<sec:include>.*_WITH_NULL_.*</sec:include>
				<sec:exclude>.*_DH_anon_.*</sec:exclude>
			</sec:cipherSuitesFilter>
		</http:tlsClientParameters>
	</http:conduit>
</beans>

 同上面，如果只要单向认证，请删除sec:keyManagers客户端私钥配置即可。

 

client端调用代码同Hello World示例代码：

 

ApplicationContext context = new ClassPathXmlApplicationContext("cxf/cxf-client-ssl.xml");
		HelloWord helloWord = (HelloWord)context.getBean("helloClient");
		System.out.println(helloWord.sayHello("Bruce"));

 

附上完成代码。

 

评论

2 楼 xujialei2007 2013-12-13  

  <!--APR library loader. Documentation at /docs/apr.html
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->

1 楼 sthyuhao 2013-07-11  

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
我这边握手失败了，请问怎样才能解决问题！