I dont want to force 2way authentication on the entire container, only on select endpoints.
My preliminary idea is to allow client authentication and capture the client certificate in an interceptor if it is needed and present. So the question is if clientauthwanted will make clients attempt the 2way auth, if they can, or if i will have to force the client side somehow. On 17 Sep 2016 18:55, "Andrei Shakirin" <ashaki...@talend.com> wrote: > Hi, > > If you would like to force client authentication, the property > org.ops4j.pax.web.ssl.clientauthneeded is more appropriate, I guess. > > That means, the OSGi container will accept only client calls containing > certificate trusted on container side. > The property will activate client authentication for all SSL endpoints are > registered with relative URLs. > > Regards, > Andrei. > > > -----Original Message----- > > From: Martin Nielsen [mailto:mny...@gmail.com] > > Sent: Freitag, 16. September 2016 21:18 > > To: users@cxf.apache.org > > Subject: Re: Configuring 2way SSL on a REST endpoint in an OSGi container > > > > I think I figured that out myself actually. Setting > > org.ops4j.pax.web.ssl.clientauthwanted = true Should enable two way ssl > if the > > client has anything to send. > > At least that is what I am hoping. Does anyone have any experience about > > whether this is a correct assumption? > > > > If that is correctly understood, I can just reject all calls without a > valid client > > cert in that specific endpoint. > > > > On 16 Sep 2016 8:45 p.m., "Martin Nielsen" <mny...@gmail.com> wrote: > > > > > That looks very much like what I would need. The only issue is that I > > > will need 2way ssl for only a select few endpoints. It looks to me > > > like the pax web configuration is global. Is that right? > > > > > > On 16 Sep 2016 10:21, "Christian Schneider" <ch...@die-schneider.net> > > > wrote: > > > > > >> I am not sure about reading the client certificate in an interceptor > > >> but that part should be for the most part unrelated to OSGi. Maybe > > >> you can ask that as a separate question so people without OSGi > > >> knowledge tune in. > > >> > > >> Christian > > >> > > >> On 16.09.2016 08:42, Martin Nielsen wrote: > > >> > > >>> Hello everyone. > > >>> > > >>> I have a question about using CXF in an OSGi container. More > > >>> specifically using it via Declarative Services. > > >>> > > >>> I need to create a REST endpoint, that is secured by 2way SSL, as > > >>> well as an interceptor which can read the incomming client > > >>> certificate after the handshake in order to perform authentication > > >>> inside the application itself. > > >>> > > >>> But how do i do this? I found a demo to make CXF register a > > >>> component as a rest service here. > > >>> http://cxf.apache.org/dosgi-ds-demo-page.html > > >>> > > >>> But i still can't resources on how to do the 2way ssl part. > > >>> I know i need to setup trust and keystores on the HTTPConduit, but i > > >>> have no idea how or where to do that in an OSGi environment. > > >>> > > >>> I am using Karaf for the OSGi container, if that has any relevance. > > >>> > > >>> Thank you in advance > > >>> > > >>> -Martin > > >>> > > >>> > > >> > > >> -- > > >> Christian Schneider > > >> http://www.liquid-reality.de > > >> > > >> Open Source Architect > > >> http://www.talend.com > > >> > > >> >
