Ensuring CXF soap is behind SSL
I want to make sure any messages not encrypted with SSL are rejected by the CXF container. What configuration is neccessary for this? I've tried setting the location to an https address but this is unsufficient. The only documentation I've found on the subject refers to client, not server, configuration. ? ??? ? https://localhost:8080/HelloWorldService"/> ??? ? Thanks! More new features than ever. Check out the new AOL Mail ! - http://webmail.aol.com
Re: Ensuring CXF soap is behind SSL
If you're using Spring and Acegi, you could use a secure channel filter. On Tue, 2008-02-05 at 12:44 -0500, [EMAIL PROTECTED] wrote: > I want to make sure any messages not encrypted with SSL are rejected by the > CXF container. What configuration is neccessary for this? > > I've tried setting the location to an https address but this is unsufficient. > The only documentation I've found on the subject refers to client, not > server, configuration. > > ? > ??? name="HelloWorldService"> > ? https://localhost:8080/HelloWorldService"/> > ??? > ? > > Thanks! > > > > > More new features than ever. Check out the new AOL Mail ! - > http://webmail.aol.com
Re: Ensuring CXF soap is behind SSL
You may need to write a simple interceptor that would grab the HttpServletRequest object out of the message and checks the security stuff. It shouldn't be too hard to write. There might be some policy things along with the ws-security stuff that could enforce it with the ws-security module, but that would definitely cause a performance hit due to the security module dropping to saaj mode. I'm not really sure anyway. Fred may need to answer that one. Dan On Tuesday 05 February 2008, [EMAIL PROTECTED] wrote: > I want to make sure any messages not encrypted with SSL are rejected > by the CXF container. What configuration is neccessary for this? > > I've tried setting the location to an https address but this is > unsufficient. The only documentation I've found on the subject refers > to client, not server, configuration. > > ? > ??? name="HelloWorldService"> ? location="https://localhost:8080/HelloWorldService"/> ??? > ? > > Thanks! > > > > __ >__ More new features than ever. Check out the new AOL Mail ! - > http://webmail.aol.com -- J. Daniel Kulp Principal Engineer, IONA [EMAIL PROTECTED] http://www.dankulp.com/blog
Re: Ensuring CXF soap is behind SSL
I believe that can be enforced in the web.xml file that you distribute your WAR with. For example, (another web app unrelated to web services), line 41-51 of web.xml: http://tinyurl.com/yp6faz Glen Am Dienstag, den 05.02.2008, 12:44 -0500 schrieb [EMAIL PROTECTED]: > I want to make sure any messages not encrypted with SSL are rejected by the > CXF container. What configuration is neccessary for this? > > I've tried setting the location to an https address but this is unsufficient. > The only documentation I've found on the subject refers to client, not > server, configuration. > > ? > ??? name="HelloWorldService"> > ? https://localhost:8080/HelloWorldService"/> > ??? > ? > > Thanks! > > > > > More new features than ever. Check out the new AOL Mail ! - > http://webmail.aol.com
Re: Ensuring CXF soap is behind SSL
thanks ill try this out -Original Message- From: Glen Mazza <[EMAIL PROTECTED]> To: cxf-user@incubator.apache.org Sent: Tue, 5 Feb 2008 8:51 pm Subject: Re: Ensuring CXF soap is behind SSL I believe that can be enforced in the web.xml file that you distribute your WAR with. For example, (another web app unrelated to web services), line 41-51 of web.xml: http://tinyurl.com/yp6faz Glen Am Dienstag, den 05.02.2008, 12:44 -0500 schrieb [EMAIL PROTECTED]: > I want to make sure any messages not encrypted with SSL are rejected by the CXF container. What configuration is neccessary for this? > > I've tried setting the location to an https address but this is unsufficient. The only documentation I've found on the subject refers to client, not server, configuration. > > ? > ??? > ? https://localhost:8080/HelloWorldService"/> > ??? > ? > > Thanks! > > > > > More new features than ever. Check out the new AOL Mail ! - http://webmail.aol.com More new features than ever. Check out the new AOL Mail ! - http://webmail.aol.com
Re: Ensuring CXF soap is behind SSL
Apropos to that, the TLSSessionInfo structure on the message should give you everything you want: http://svn.apache.org/repos/asf/incubator/cxf/trunk/api/src/main/java/org/apache/cxf/security/transport/TLSSessionInfo.java Currently this is plumbed through only for HTTP, though it should work in both transports (jetty and servlet) -Fred On Feb 5, 2008, at 2:28 PM, Daniel Kulp wrote: You may need to write a simple interceptor that would grab the HttpServletRequest object out of the message and checks the security stuff. It shouldn't be too hard to write. There might be some policy things along with the ws-security stuff that could enforce it with the ws-security module, but that would definitely cause a performance hit due to the security module dropping to saaj mode. I'm not really sure anyway. Fred may need to answer that one. Dan On Tuesday 05 February 2008, [EMAIL PROTECTED] wrote: I want to make sure any messages not encrypted with SSL are rejected by the CXF container. What configuration is neccessary for this? I've tried setting the location to an https address but this is unsufficient. The only documentation I've found on the subject refers to client, not server, configuration. ? ??? ? location="https://localhost:8080/HelloWorldService"/> ??? wsdl:port> ? Thanks! __ __ More new features than ever. Check out the new AOL Mail ! - http://webmail.aol.com -- J. Daniel Kulp Principal Engineer, IONA [EMAIL PROTECTED] http://www.dankulp.com/blog
