1 Reply Latest reply on Sep 26, 2018 7:45 AM by chatrfb

    Setting up mutual authentication without Spring and Apache CXF

    chatrfb

      Hi,

       

      I'm migrating an application from JBoss EAP 6.4 to Wildfly 10. In the migration guide it says:

       

      The setup of web service's endpoints and clients, through a Spring XML descriptor, driving a CXF bus creation, is no longer supported in WildFly.

      Any application containing a jbossws-cxf.xml must migrate all functionality specified in such XML descriptor, mostly already supported by the JAX-WS specification, included in Java EE 7. It is still possible to rely on direct Apache CXF API usage, losing the Java EE portability of the application, for instance when specific Apache CXF functionalities are needed. Please refer to the Apache CXF Integration document for further information.

       

      My application has a jbossws-cxf.xml file with the following content:

       

      <?xml version="1.0" encoding="UTF-8"?>
      
      <beans xmlns="http://www.springframework.org/schema/beans" 
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xmlns:sec="http://cxf.apache.org/configuration/security" 
             xmlns:http="http://cxf.apache.org/transports/http/configuration" 
             xmlns:jaxws="http://cxf.apache.org/jaxws" 
             xsi:schemaLocation="http://cxf.apache.org/configuration/security
                         http://cxf.apache.org/schemas/configuration/security.xsd
                         http://cxf.apache.org/transports/http/configuration
                             http://cxf.apache.org/schemas/configuration/http-conf.xsd
                             http://cxf.apache.org/jaxws 
                             http://cxf.apache.org/schemas/jaxws.xsd
                             http://www.springframework.org/schema/beans
                             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
            
          <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />  
      
          <!-- web service I need to call -->
          <http:conduit name="https://webservice.com/webmethod" depends-on="propertyConfigurer">
              <http:tlsClientParameters disableCNCheck="true">
                  <sec:keyManagers keyPassword="keypass">
                      <sec:keyStore type="JKS" password="keystorepassword" url="file://${jboss.server.config.dir}/keystore.jks" />
                  </sec:keyManagers>
                  <sec:trustManagers>
                      <sec:keyStore type="JKS" password="otherkeystorepassword" url="file://${jboss.server.config.dir}/truststore.jks" />
                  </sec:trustManagers>
                  <sec:cipherSuitesFilter>
                      <!-- these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude anonymous Diffie-Hellman key exchange as this is vulnerable to man-in-the-middle attacks -->
                      <sec:include>.*_AES_.*</sec:include>
                      <sec:include>.*_EXPORT_.*</sec:include>
                      <sec:include>.*_EXPORT1024_.*</sec:include>
                      <sec:include>.*_WITH_DES_.*</sec:include>
                      <sec:include>.*_WITH_NULL_.*</sec:include>
                      <sec:include>SSL_RSA_WITH_3DES_EDE_CBC_SHA</sec:include>
                      <sec:exclude>.*_DH_anon_.*</sec:exclude>
                  </sec:cipherSuitesFilter>
              </http:tlsClientParameters>
              <http:client AutoRedirect="true" Connection="Keep-Alive" />
          </http:conduit>
      
          <jaxws:client name="webserviceClient"
                 serviceClass="my.package.ClientService" address="https://webservice.com/webmethod/">
              <jaxws:outInterceptors>
                  <bean class="my.package.MyInterceptor" />
              </jaxws:outInterceptors>
          </jaxws:client>
      
          <bean id="myClient" class="my.package.MyClient" scope="prototype">
              <property name="clientServico">
                  <ref bean="webserviceClient" />
              </property>
          </bean>
      
      </beans>
      

       

      I'm having trouble finding examples to achieve the same goal using only JAX-WS spec.

       

      I'd really appreciate it if you guys pointed me in the right direction.

        • 1. Re: Setting up mutual authentication without Spring and Apache CXF
          chatrfb

          Solved it.

           

          Had to add keystore and truststore in standalone.xml:

           

          <system-properties>
            <property name="javax.net.ssl.keyStore" value="/path/to/keystore.jks"/>
            <property name="javax.net.ssl.keyStorePassword" value="keystorePassword"/>
            <property name="javax.net.ssl.trustStore" value="/path/to/truststore.jks"/>
            <property name="javax.net.ssl.trustStorePassword" value="truststorePassword"/>
          </system-properties>
          
          

           

          Then I downloaded the WSDL file (since I couldn't get wsimport working under SSL).

           

          Ran wsimport:

           

          wsimport path/to/webservice.wsdl -p com.my.package.client -keep

           

          Added this dependency in pom.xml:

           

          <dependency>
              <groupId>org.jboss.ws</groupId>
              <artifactId>jbossws-api</artifactId>
              <version>1.1.1.Final</version>
              <scope>provided</scope>
          </dependency>
          


          And to use the service, I injected it using @WebServiceRef:

           

          @WebServiceRef(wsdlLocation = "https://path.to/ws/WebService?wsdl")
          private MyService myService;
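
Added example, not part of the original thread or of the JBossWS/CXF projects: the `javax.net.ssl.*` system properties above apply to the JVM's default TLS context, so this sketch shows the per-client alternative the migration guide mentions (direct Apache CXF API usage), with hostname verification left on and the export/null/anonymous suites of the old descriptor excluded. The class `MutualTlsClientConfig`, its method names and the parameters are hypothetical, and it assumes the Apache CXF classes are visible to the deployment.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper (added example): programmatic form of the <http:conduit> TLS block.
public final class MutualTlsClientConfig {

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Builds TLS settings carrying the client certificate and the trusted CA set.
    public static TLSClientParameters buildTlsParameters(String keyStorePath, char[] keyStorePass,
            char[] keyPass, String trustStorePath, char[] trustStorePass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyStorePass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePass));

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false); // keep server hostname verification enabled

        FiltersType filter = new FiltersType();
        filter.getInclude().add(".*_AES_.*");
        filter.getExclude().add(".*_DH_anon_.*");
        filter.getExclude().add(".*_EXPORT.*");
        filter.getExclude().add(".*_WITH_NULL_.*");
        tls.setCipherSuitesFilter(filter);
        return tls;
    }

    // Applies the settings to one JAX-WS port (e.g. the injected proxy), not the whole JVM.
    public static void apply(Object port, TLSClientParameters tls) {
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Passwords are taken as `char[]` arguments so the caller can supply them from whatever secret store the server uses rather than from literals in the deployment.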