I have found what I believe to be the problem:
ProducerCache.doGetProducer does not compare the Endpoint contained in the
Producer returned by its producers Map with the endpoint supplied by
RecipientList.resolveEndpoint. ProducerCache keys its Producers by endpoint URI
but this does not allow for the creation of Endpoints that have the same URI
but a different configuration e.g. a different SSL certificate. Here is the
piece of code I think is erroneous:
protected synchronized Producer doGetProducer(Endpoint endpoint, boolean
pooled) {
String key = endpoint.getEndpointUri();
Producer answer = producers.get(key);
if (pooled && answer == null) {
// try acquire from connection pool
answer = pool.acquire(endpoint);
}
if (answer == null) {
// create a new producer
....
If this were changed to something like the following it would allow for
endpoints with the same URI but different configs:
protected synchronized Producer doGetProducer(Endpoint endpoint, boolean
pooled) {
String key = endpoint.getEndpointUri();
Producer answer = producers.get(key);
if (pooled && answer == null) {
// try acquire from connection pool
answer = pool.acquire(endpoint);
}
// CHANGE TO COMPARE ENDPOINT IN CACHE WITH PROVIDED ENDPOINT
if (answer == null || answer.getEndpoint() != endpoint) {
// create a new producer
I have done a simple test and it works fine for my use case i.e. using the same
Endpoint URI but having a different keystore attached to its config. Not sure
what side effects it may have but on the face of it I would say it's pretty
harmless. I guess it needs approval and testing.
-----Original Message-----
From: users-return-67968-Richard.Davis=boots.co...@camel.apache.org
[mailto:users-return-67968-Richard.Davis=boots.co...@camel.apache.org]
Sent: 03 December 2018 16:04
To: users@camel.apache.org
Subject: [CAUTION] Configuring a CFXEndPoint with multiple certificates
We are trying to make client requests to a SOAP web service using the Apache
CXF component from a central Camel server. The endpoint is always the same
address, however, the owner of the endpoint wants a different SSL certificate
depending on which of our high street stores the request originates from.
We have created one CFXEndpoint per store, each with its own
CxfEndpointConfigurer that sets up the conduit's TlsClientParameters with the
correct certificate store information. Then we've used a RecipientList in the
route to dynamically select the correct endpoint with the relevant certificate.
Unfortunately, because the endpoints all share the same address, the
configureClient method on the CxfEndpointConfigurer is only ever called once,
even though each endpoint has a different instance containing different SSL
configuration info. This results in all the endpoint instances sharing the same
certificate. As a test we changed the endpoint address for one of the
CFXEndpoint instances and saw that its related configureClient was called
correctly.
So it appears that if CFXEndPoints have different addresses then their
CxfEndpointConfigurer will be called, but if 2 or more endpoint instances share
the same address then the CxfEndpointConfigurer is only called once even though
those configurers are different instances with different configurations.
Does anyone have any advice on how we can dynamically allocate certificates to
the same endpoint based on message content (store id effectively)?
Richard Davis | Architect | Healthcare | Boots IT
D90 East EG03| 1 Thane Road | Nottingham | NG90 1BS
* Internal: 725481 | * External: +44(0) 115 959 5481 | * Email:
richard.da...@boots.co.uk<mailto:richard.da...@boots.co.uk>
Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including
any attachments) is confidential. It may be read, copied and used only by the
intended recipient. If you are not the intended recipient you should not copy
it or use it for any purpose or disclose its contents to any other person. If
you have received this message in error, please notify us and remove it from
your system. We cannot accept liability for any damage you incur as a result of
virus infection.
Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including
any attachments) is confidential. It may be read, copied and used only by the
intended recipient. If you are not the intended recipient you should not copy
it or use it for any purpose or disclose its contents to any other person. If
you have received this message in error, please notify us and remove it from
your system. We cannot accept liability for any damage you incur as a result of
virus infection.
