6 Replies Latest reply on May 20, 2011 2:37 AM by petitgitan_g.atala

    JAX-RS Endpoints over SSL

    petitgitan_g.atala

      Hello,

       

      We're trying to add client authentication to certain JAX-RS endpoints.  It is fairly easy to enable HTTPS for all endpoints for target (server) authentication, and somewhat more complicated to make client authentication mandatory.  However, we couldn't figure out how to enable client authentication selectively for some endpoints, but not others, on the same server.

       

      The environment is as follows: Fuse ESB 4.3.1, JAX-RS endpoints are configured via <jaxrs:server> entries, SSL is enabled in the following config file <$KARAF_HOME/etc/org.ops4j.pax.web.cfg>

       

      Is this possible?  What's the trick?!

       

      Regards,

      George

       

      Edited by: petitgitan on May 20, 2011 3:26 AM

        • 1. Re: JAX-RS Endpoints over SSL
          ffang

          Hi,

           

          I don't think it's possible with cxf http-osgi transport.

          As the SSL transport-level configuration is per port, if your services are using the cxf http-osgi transport (pax-web underlying), which means they will use the same port, then you can't achieve such a per-service/endpoint configuration.

          However, if your services are using the cxf http-jetty transport directly, which means each service can listen on a different port, then you can configure different ports with different keystore/truststore/client auth policies; this way, you can achieve a kind of per-service/endpoint configuration.

           

           

          Freeman

          • 2. Re: JAX-RS Endpoints over SSL
            petitgitan_g.atala

            Freeman,

             

            Thank you for the quick response.  Is it possible to deploy the bundles relevant to a RESTful endpoint to the OSGI container, and still use the http-jetty transport?  How is this done?  I'd appreciate a reference to any examples.

             

            George

            • 3. Re: JAX-RS Endpoints over SSL
              ffang

              Hi,

               

              Yeah, just simply set address="http://urlyouwant" and do not use address="/url"; the http:// prefix will make cxf load the http-jetty transport.

               

              Also

              use

               

               

              Freeman

              • 4. Re: JAX-RS Endpoints over SSL
                petitgitan_g.atala

                Thanks again.  So to configure TLS, would you recommend the approach described here: <http://is.gd/aSAuv4>, that is, using something like:

                 

                <httpj:engine-factory id="port-9095-tls-config">
                    <httpj:engine port="9095">
                        <httpj:tlsServerParameters>
                            ....
                        </httpj:tlsServerParameters>
                    </httpj:engine>
                </httpj:engine-factory>

                 

                Regards,

                George

                • 5. Re: JAX-RS Endpoints over SSL
                  ffang

                  Hi,

                   

                  Yeah, if you really want to use a different SSL configuration for different endpoints, as the SSL configuration is per port.

                   

                  Freeman

                  • 6. Re: JAX-RS Endpoints over SSL
                    petitgitan_g.atala

                    Freeman,

                     

                    One more question: I can configure the server's keystore using the following:

                    org.ops4j.pax.web.ssl.keystore=/path/server-keystore.jks
                    org.ops4j.pax.web.ssl.keystore.type=JKS

                     

                    What about a truststore?  I tried putting trusted certs in the same keystore (and they're labeled as trusted inside the store), but that doesn't seem to work.  Is there another way to configure or point to a truststore?

                     

                    Many thanks,

                    George
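
The per-port approach described in replies 1, 3 and 5, written out as an added example that is not part of the thread: one http-jetty engine that requires a client certificate and one that does not, each bound to its own JAX-RS endpoint. Port 9096, the bean ids, the `com.example` resource classes, the truststore path and the passwords are placeholders, and the `cxf.xml` import is assumed to be what provides the `cxf` bus in this deployment.

```xml
<!-- Added example: ids, classes, paths and passwords are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd">

  <import resource="classpath:META-INF/cxf/cxf.xml"/> <!-- defines the "cxf" bus bean -->

  <httpj:engine-factory bus="cxf">
    <!-- Port 9095: mutual TLS. The handshake fails unless the client presents
         a certificate that chains to an entry in the truststore below. -->
    <httpj:engine port="9095">
      <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="CHANGE_ME">
          <sec:keyStore type="JKS" file="/path/server-keystore.jks" password="CHANGE_ME"/>
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore type="JKS" file="/path/client-truststore.jks" password="CHANGE_ME"/>
        </sec:trustManagers>
        <sec:clientAuthentication want="true" required="true"/>
      </httpj:tlsServerParameters>
    </httpj:engine>

    <!-- Port 9096: server authentication only, no client certificate requested. -->
    <httpj:engine port="9096">
      <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="CHANGE_ME">
          <sec:keyStore type="JKS" file="/path/server-keystore.jks" password="CHANGE_ME"/>
        </sec:keyManagers>
        <sec:clientAuthentication want="false" required="false"/>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>

  <!-- Absolute https:// addresses select the http-jetty transport; the port picks the engine. -->
  <jaxrs:server id="restrictedApi" address="https://localhost:9095/restricted">
    <jaxrs:serviceBeans><bean class="com.example.RestrictedResource"/></jaxrs:serviceBeans>
  </jaxrs:server>
  <jaxrs:server id="publicApi" address="https://localhost:9096/public">
    <jaxrs:serviceBeans><bean class="com.example.PublicResource"/></jaxrs:serviceBeans>
  </jaxrs:server>
</beans>
```

Keep only the CA that issues your client certificates in the port-9095 truststore, since any certificate chaining to an entry there completes the handshake.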