如何让cxf客户端简单支持ssl

首先生成自我签名的证书,关于如何使用keytool生成证书网上文章很多,这里不做介绍。

假如我们生成好了mas3server.jks和mas3Trust.jks

先是服务器端tomcat的配置,这里clientAuth默认为false表示不需要双向验证,即服务器端不需要知道客户端的身份,故这里不用配置truststoreFile和truststorePass:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
               maxThreads="150" scheme="https" secure="true" 
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="conf/mas3server.jks" 
      keystorePass="ccc123" />

这里是cxf的webservice客户端,用spring管理,对应的只需在xml中配置对应的可信任证书即可,例如

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration"
xsi:schemaLocation=" 
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" /> 
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" /> 
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" /> 
<bean id="clientFactory" class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean"> 
  <property name="serviceClass" value="com.mas.service.webservice.DataSyncSkeleton" />
  <property name="address" value="https://localhost:8443/DataSync/DataSyncServer" />
</bean> 
<bean id="dataSyncSkeletonClient" class="com.mas.service.webservice.DataSyncSkeleton" factory-bean="clientFactory" factory-method="create" />

<!--*.http-conduit的*代表对所有创建的client生效,若需要自定义可查cxf官网--> 
<http:conduit name="*.http-conduit"> 
  <http:tlsClientParameters disableCNCheck="true"> 
   <sec:trustManagers> 
    <sec:keyStore type="JKS" password="ccc123" file="/tmp/mas3Trust.jks" /> 
   </sec:trustManagers> 
   <!--不需要双向认证 -->

    <!-- 
     <sec:keyManagers keyPassword="password"> 
            <sec:keyStore type="JKS" password="password" 
                 file="/tmp/ossServer.jks"/> 
        </sec:keyManagers> 
        --> 
   <sec:cipherSuitesFilter> 
    <!-- these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks -->
    <sec:include>.*_EXPORT_.*</sec:include> 
    <sec:include>.*_EXPORT1024_.*</sec:include> 
    <sec:include>.*_WITH_DES_.*</sec:include> 
    <sec:include>.*_WITH_NULL_.*</sec:include> 
    <sec:exclude>.*_DH_anon_.*</sec:exclude> 
   </sec:cipherSuitesFilter> 
  </http:tlsClientParameters> 
</http:conduit>

</beans>

若不是通过spring配置而直接在代码中设置,也比较简单:

//.....获得dataSyncSkeletonClient

org.apache.cxf.endpoint.Client client = ClientProxy.getClient(dataSyncSkeletonClient);  
    HTTPConduit conduit = (HTTPConduit) client.getConduit();  
     TLSClientParameters tlscp = conduit.getTlsClientParameters(); 
     if (tlscp == null) 
   tlscp = new TLSClientParameters(); 
     tlscp.setSecureSocketProtocol("SSL"); 
     try { 
   TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
   InputStream fp = ClassLoader.class.getResourceAsStream("mas3Trust.jks"); 
   KeyStore ks = KeyStore.getInstance("JKS"); 
   ks.load(fp, "ccc123".toCharArray()); 
   fp.close(); 
   factory.init(ks); 
   tlscp.setTrustManagers(factory.getTrustManagers());  
  } catch (Exception e) { 
   e.printStackTrace(); 
  } 
    conduit.setTlsClientParameters(tlscp);

//....对dataSyncSkeletonClient的调用底层网络传输均是通过ssl加密

你可能感兴趣的:(CXF)