Saturday, 2 February 2013

Configuring TLS on the client with CXF

When your web service is secured using TLS (this is generally done at the web container level, e.g. Tomcat), your client has to be configured to work properly.

Here, I briefly describe how to configure a CXF client to work with TLS.

When TLS is used, the server must be authenticated by the client. Optionally, the client may also be authenticated by the server.

This configuration is done through the HTTPConduit instance associated with your client. The HTTPConduit is obtained as follows:

Client client = ClientProxy.getClient(proxy);
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();

Then, you need to create a TLSClientParameters instance that will wrap the TLS configuration. There are two ways to provision the TLSClientParameters with TLS configuration:
  • using an SSLSocketFactory instance
  • or, by provisioning the TLS configuration using the multiple properties of the TLSClientParameters instance

Here, I will describe the second way.

First, for the client to authenticate the server, instances of TrustManager should be provided. One possibility is to use a TrustManagerFactory initialized using a truststore. A truststore is a container for security data (e.g. a file that contains the certificates of trusted entities). In Java, it is represented by an instance of the KeyStore class. Assuming you have a truststore that contains the trusted certificate of the server, you can initialize a TrustManagerFactory as follows:

// A specific algorithm may be provided or the default algorithm may
// be obtained using TrustManagerFactory.getDefaultAlgorithm()
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
trustManagerFactory.init(truststore);

When your TrustManagerFactory is initialized, you can obtain the TrustManager instances as follows:

TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

Then, you provision your TLSClientParameters instance as follows:

TLSClientParameters tlsClientParams = new TLSClientParameters();
tlsClientParams.setTrustManagers(trustManagers);

Finally, you provision the HTTPConduit with the TLSClientParameters:

httpConduit.setTlsClientParameters(tlsClientParams);

If you are using mutual authentication (i.e. the client is also authenticated by the server), the client authentication part must also be configured. For this purpose, a class "symmetric" to TrustManager is used: KeyManager. As for TrustManager instances, a KeyManagerFactory is initialized using a keystore, also represented by a KeyStore instance.

// A specific algorithm may be provided or the default algorithm may
// be obtained using KeyManagerFactory.getDefaultAlgorithm()
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(algorithm);
keyManagerFactory.init(keystore, password); // The password is required since sensitive data (the private key) is accessed

As for TrustManager, KeyManager instances are obtained and provisioned to the TLSClientParameters instance:

KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
tlsClientParams.setKeyManagers(keyManagers);
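Putting the steps above together, here is an added, complete example (not code from the original post) that loads the truststore and an optional client keystore from files and applies the resulting TLSClientParameters to the conduit; the file paths, store types ("JKS" and "PKCS12") and passwords are assumptions, and proxy is the JAX-WS port whose conduit is configured. It also keeps CXF's hostname check enabled, since a client that disables it will accept any certificate in the truststore for any host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class CxfTlsClientConfigurer {
    // Loads a keystore/truststore file; the type ("JKS" or "PKCS12") must match the file.
    static KeyStore loadStore(String path, String type, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Configures server authentication (truststore) and, when keystorePath is
    // non-null, client authentication (keystore) on the conduit behind proxy.
    public static void configure(Object proxy,
            String truststorePath, char[] truststorePassword,
            String keystorePath, char[] keystorePassword) throws Exception {
        TLSClientParameters tlsClientParams = new TLSClientParameters();

        // Server authentication: trust only the CA/server certificates in the truststore.
        KeyStore truststore = loadStore(truststorePath, "JKS", truststorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        tlsClientParams.setTrustManagers(tmf.getTrustManagers());

        // Client authentication (mutual TLS): present the client key pair from the keystore.
        if (keystorePath != null) {
            KeyStore keystore = loadStore(keystorePath, "PKCS12", keystorePassword);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keystore, keystorePassword); // the key store password unlocks the private key
            tlsClientParams.setKeyManagers(kmf.getKeyManagers());
        }

        // Leave hostname verification enabled (the default). Setting this to true
        // lets any certificate in the truststore impersonate any host.
        tlsClientParams.setDisableCNCheck(false);

        Client client = ClientProxy.getClient(proxy);
        HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
        httpConduit.setTlsClientParameters(tlsClientParams);
    }
}
```

Call configure(port, "/path/to/truststore.jks", tsPwd, null, null) for server-only authentication, or pass the keystore path and password as well when the server requires a client certificate.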
