I wonder which TLS version does GAE/J is using?
It's very important for me since we use OAuth2 and TLS 1.0 is no longer supported, thus we want to make sure we use TLS 1.1 or TLS 1.2.
In addition, do you know if you can pass JVM params to GAE/J? I know that they use Java7 and if possible we could add these JVM params to enable TLS1.1/1.2
-Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -D\
deployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true
Update
I added the following code to use TLS 1.1/1.2 (instead of using JVM params)
SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
SSLContexts.custom().useTLS().build(),
new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
null,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(sf)
.build();
HttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(sf)
.build();
Related
I am getting the CloudSolrClient connection object using the below statement
CloudSolrClient client = new CloudSolrClient.Builder().withZkHost(zkHost).withHttpClient(getSolrHttpClient()).build();
But i can see CloudSolrClient.Builder() method is deprecated.
What is the alternative way to get the CloudSolrClient object using zookeeper host and withhttpclient authentication?
In response to a security advisory (see http://cxf.apache.org/note-on-cve-2011-1096.html) regarding the RSA v1.5 key transport algorithm, both CXF and WSS4J projects have disallowed use of all related algorithms by default.
They have however supplied a configuration tag "ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM" which should re-allow these algorithms (see https://ws.apache.org/wss4j/config.html)
Our problem is getting these frameworks (JBossWS / CXF / WSS4J) to accept/use this configuration setting. We have tried using:
jboss-webservice.xml
custom CXF interceptor (setting the param after CXF creates its WSS4J interceptor)
custom "hacked" WSS4J build (hardcoding the parameter to "true")
But none of these options seem to actually re-enable support for the RSA v1.5 key transport algorithms.
Does anyone have any idea as to how we could/should specify this configuration parameter?
Here's a test I added to CXF:
https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=a73effb5
Note the server has set "allowRSA15KeyTransportAlgorithm" to "true".
This setting is only applied if the WSHandlerConstants.ENCRYPT action is included in the actions for the interceptor.
For instance:
Map<String, Object> inProps = new HashMap<>();
inProps.put(WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "true");
inProps.put(WSHandlerConstants.ACTION,
WSHandlerConstants.ENCRYPT + " " +
WSHandlerConstants.SIGNATURE);
WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor(inProps);
Objective: Get information (using Apache CXF) from a third party (thus no control or access to the service backend) web service
which use WS-Trust i.e. it authenticates the user using a Secure Token Service in this case with UsernameToken authentication.
I have spent a LONG time trying to learn about the WS-* security standards and at the same time trying out different frameworks and
tools (Axis, Apache CXF, METRO with NetBeans, Microsoft .net, SoapUI plugin for Eclipse etc.) to connect to a specific service in
the cloud. I am trying to develop a backend client that fetch information from the service. Apache CXF is attractive here
because it seems to be the only Java framework which does not assume that everyone connecting to web services use clients deployed on a web application server.
The service providers have provided the necessary certificates and user credentials to connect to the service using STS.
They have also provided a detailed user guide using NetBeans and METRO to create a web application that is deployed on a GlassFish server.
I have followed this guide and managed to get data from the web service. Conclusion so far: The certificates are valid.
There are three certificates stored in a keystore (including chains):
webservice-encryption-certificate.cer (keystore alias: webservice-encryption)
token-signing-certificate.cer (keystore alias:
token-signing)
token-encryption-certificate.cer (keystore alias: token-encryption)
=================================================================
NetBeans configuration:
Service client:
Keystore -> token-signing-certificate.cer
Truststore -> webservice-encryption-certificate.cer
STS client:
Truststore -> token-encryption-certificate.cer
Username -> user
Password -> xxx
=================================================================
THE BIG QUESTION: How can I make a similar configuration in CXF as in NetBeans?
I'm using CXF version: 3.0.2
"Translating" this to CXF gives me the follownig exception:
WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:841)
Here is what i tried in CXF (amongst MANY other things):
MyService service = new MyService(); // Stub created from WSDL (real service name has been renamed to MyService)
MyServiceInterface port = service.getPort();
org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port);
Bus bus = ((EndpointImpl) client.getEndpoint()).getBus();
STSClient stsClient = new STSClient(bus);
stsClient.setWsdlLocation("https://login.some-domain.com/adfs/services/trust/mex"); // Web service is using ADFS 2.0 with MEX
stsClient.setServiceQName(new QName("http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice", "SecurityTokenService"));
stsClient.setEndpointQName(new QName("http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice", "UserNameWSTrustBinding_IWSTrust13Async"));
stsClient.setSendRenewing(false);
stsClient.getRequestContext().put("ws-security.sts.token.properties", "clientTruststore.properties");
stsClient.getRequestContext().put("ws-security.sts.token.username", "webservice-encryption"); // MOST LIKELY WRONG - WHERE DO I PUT THIS CERTIFICATE?
Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
ctx.put("ws-security.sts.prefer-wsmex", true); // If set to false some policies will not be satisfied
ctx.put("ws-security.username", "user"); // REQUIRED OR FAIL WITH: No username available
ctx.put("ws-security.password", "xxx"); // REQUIRED OR FAIL: No username available
ctx.put("ws-security.encryption.properties", "clientTruststore.properties"); // REQUIRED OR FAIL WITH: A encryption username needs to be declared
ctx.put("ws-security.encryption.username", "token-encryption"); // REQUIRED OR FAIL WITH: A encryption username needs to be declared
ctx.put("ws-security.signature.properties", "clientTruststore.properties");
ctx.put("ws-security.signature.username", "token-signing");
ctx.put("ws-security.is-bsp-compliant", "false");
ctx.put("ws-security.sts.client", stsClient);
port.callSomething(createMyRequestObject());
I have tried to "decrypt" the meaning of the properties used in the code snippet above based on the following link (along many other tutorials and articles on the subject) to make sense in relation to WS-Trust and the certificates at hand.
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html
I have tried all sorts of combinations using the constants but with no success.
How do I "pass" the service certificate (webservice-encryption) to the STS to tell it "this is the service that I want to use"?
By the way I have captured the traffic with Fiddler, and the request looks perfectly right compared to traffic captured with the NetBeans solution i.e. it contains timestamp, encrypted sections etc.
I KEEP GETTING "The signature or decryption was invalid"
Can anyone help please?
What does the response method from the STS look like? Is it an error message or does it look like the call succeeded? If it is an error message then it looks like you may be using the wrong certificates...you will need to enable logging on the service to figure out what the exact error is. If the call succeeded, then enable DEBUG logging on the client side and see what the problem is.
Colm.
We had a similar problem. Perhaps you must add JCE Unlimited Strength Policy jar files to JDK?
Hi I have a Webservice exposed in FUSE ESB using Apache CXF endpoint. Client is required to pass the user name as password as below. Please advice How I can read this in my server from the Camel Exchange object.
((BindingProvider) serviceMnmtApi).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "admin");
((BindingProvider) serviceMnmtApi).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password");
If you are using JBoss Fuse 6.1, you should be able to setup the the username and password from the endpoint URI option. It is addressed in CAMEL-7145.
Although I do think Cloud Endpoints are quite nifty, it would be great if I could use them directly in my GWT application in Java code, rather than writing masses of JSNI. Is this possible? I cannot find a way.
In other words, I would like to NOT use the Javascript Endpoints client, but all the endpoint methods using Java inside GWT.
I think you could use a simple request using Java's built-in HttpURLConnection object. Something like this:
//The URL would be the one you see when you execute the method from APIs Explorer...
String stringURL = "https://YOUR_APP_ID.appspot.com/_ah/api/API_NAME/VERSION/METHOD_PATH?param1=xxx¶m2=yyy";
URL url = new URL(stringURL);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("Accept", "application/json");
BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
And then you could parse the response, using Google's Gson library for example (but that would be another question...).
Note: I've never tried this, but I understand it should be working... If you eventually try it, please comment...