2 Replies. Latest reply: Dec 12, 2011 6:34 AM by Tao Sang

cxf.xml doesn't work under JBoss 6.1

Tao Sang Newbie

Dear Forum,

Currently under JBoss 6.1, I have a problem calling a web service over https (SSL), which has a self-signed certificate. By using a dummy (certificate) TrustManager, I got one step further, with the following errors:

Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate.  To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.

I googled and found that I need to set a cxf client configuration file with the project. Then I created a cxf.xml with the following content and left it in the folder: myProject-ejb\src\main\resources\ :

<beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
      xsi:schemaLocation="
          http://cxf.apache.org/configuration/security
          http://cxf.apache.org/schemas/configuration/security.xsd
          http://cxf.apache.org/transports/http/configuration
          http://cxf.apache.org/schemas/configuration/http-conf.xsd
          http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd">

<http-conf:conduit name="{https://server.company.com:8443/}WebService.http-conduit">
    <http-conf:tlsClientParameters  secureSocketProtocol="SSL" disableCNCheck="true"/>
</http-conf:conduit>

<http-conf:conduit name="*.http-conduit">
    <http-conf:tlsClientParameters  disableCNCheck="true" secureSocketProtocol="SSL"/>
</http-conf:conduit>

</beans>

However, I always get the above errors. Did I do something wrong? I saw that the cxf.xml file has been copied into the root folder of the myProject-ejb.jar file, but I don't know if the cxf.xml file really works. How can I check if the cxf.xml is working?

Thanks in advance!

Tao

  • 1. Re: cxf.xml doesn't work under JBoss 6.1
    Alessio Soldano Master

    In the JBossWS-CXF integration, you can also turn on the disableCNCheck flag by setting the org.jboss.security.ignoreHttpsHost sys property (-Dorg.jboss.security.ignoreHttpsHost=true)

  • 2. Re: cxf.xml doesn't work under JBoss 6.1
    Tao Sang Newbie

    Hello Soldano, thanks a lot for your tip! I solved the problem with the following line:

    System.setProperty("org.jboss.security.ignoreHttpsHost", "true");

    Another way to solve the problem is to use the JaxWsProxyFactoryBean method:

    ---------------------------------------------------------------------------------------------------------------------------------------

    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import java.security.cert.X509Certificate;
    import javax.xml.ws.BindingProvider;

    import org.apache.cxf.configuration.jsse.TLSClientParameters;
    import org.apache.cxf.configuration.security.AuthorizationPolicy;
    import org.apache.cxf.endpoint.Client;
    import org.apache.cxf.frontend.ClientProxy;
    import org.apache.cxf.transport.http.HTTPConduit;
    import org.apache.cxf.interceptor.*;
    import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;

    MyWebServiceEndpoint port = null;

    // Build the client proxy with CXF's JaxWsProxyFactoryBean
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
    factory.setServiceClass(MyWebServiceEndpoint.class);
    factory.setAddress(MyWebServiceURL());
    port = (MyWebServiceEndpoint) factory.create();
    configHttpConduit(port);

    // Credentials sent with each request
    BindingProvider bp = (BindingProvider)port;
    bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, username);
    bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
    ...

    private void configHttpConduit(Object service) {
        Client clientProxy = ClientProxy.getClient(service);

        HTTPConduit conduit = (HTTPConduit) clientProxy.getConduit();
        String targetAddr = conduit.getTarget().getAddress().getValue();
        if (targetAddr.toLowerCase().startsWith("https:")) {
            // Trust manager that accepts every certificate chain without validation
            TrustManager[] simpleTrustManager = new TrustManager[] { new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    // The X509TrustManager contract requires a non-null array
                    return new X509Certificate[0];
                }

                public void checkClientTrusted(
                        X509Certificate[] certs, String authType) {
                }

                public void checkServerTrusted(
                        X509Certificate[] certs, String authType) {
                }
            } };
            TLSClientParameters tlsParams = new TLSClientParameters();
            tlsParams.setTrustManagers(simpleTrustManager);
            // Turns off the hostname (CN) comparison for this conduit
            tlsParams.setDisableCNCheck(true);
            tlsParams.setSecureSocketProtocol("SSL"); // This line is not very necessary.
            conduit.setTlsClientParameters(tlsParams);
        }
    }
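
Added example, not part of the original thread or of the JBossWS/CXF code: a variant of configHttpConduit that trusts only the certificates in a client truststore and leaves the CN check enabled, so the self-signed certificate is accepted without accepting every other certificate. The class name, the truststore path and password parameters, and the file names in the keytool comment are assumptions of this example; the server certificate's CN/SAN must match the host in the service URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class PinnedTrustConduit {

    /**
     * Limits the CXF client behind 'port' to certificates held in a JKS truststore.
     * The store is expected to contain the server's self-signed certificate, e.g.
     * (constructed file names):
     *   keytool -importcert -alias ws -file server.crt -keystore client-trust.jks
     */
    public static void configure(Object port, String truststorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, password);
        }
        // Fail at configuration time instead of at the first TLS handshake.
        if (trustStore.size() == 0) {
            throw new IllegalStateException(
                    "truststore contains no certificates: " + truststorePath);
        }

        // Standard PKIX validation, anchored only on the entries of this store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        // Hostname comparison stays on (this is also the CXF default).
        tlsParams.setDisableCNCheck(false);

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tlsParams);
    }
}
```

It is called in the same place as configHttpConduit(port), after factory.create().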