CXF 2.4 Migration - removal of cxf*.xml - 2way SSL errors


jaybytez
So awhile ago we migrated from 2.2.12 to the latest of 2.4.* and on the migration guide is the following statement:

Faster startup and reduced spring configuration. The Spring support has been redone to be based on the ExtensionManagerBus. This results in much faster startup. It also means that all of the imports of META-INF/cxf/cxf-extension-*.xml are no longer needed and are deprecated.

So this in my head translated to removing the following from my configurations:

<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

So now when we test 2way SSL, I get handshake errors and if I put the 3 imports back in...I don't.

So was the recommendation up above to just remove cxf-extension-soap.xml (it seems pretty obvious), but in CXF 2.4.1 I should leave the cxf.xml and cxf-servlet.xml import?  Just looking for confirmation.

Thanks for the help...jay

Re: CXF 2.4 Migration - removal of cxf*.xml - 2way SSL errors

Daniel  Kulp
Administrator
On Friday, March 09, 2012 11:13:23 AM jaybytez wrote:

> So awhile ago we migrated from 2.2.12 to the latest of 2.4.* and on the
> migration guide is the following statement:
>
> /Faster startup and reduced spring configuration. The Spring support has
> been redone to be based on the ExtensionManagerBus. This results in much
> faster startup. It also means that all of the imports of
> META-INF/cxf/cxf-extension-*.xml are no longer needed and are deprecated./
>
> So this in my head translated to removing the following from my
> configurations:
>
> <import resource="classpath:META-INF/cxf/cxf.xml" />
> <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
> <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>
> So now when we test 2way SSL, I get handshake errors and if I put the 3
> imports back in...I don't.
>
> So was the recommendation up above to just remove cxf-extension-soap.xml
> (it seems pretty obvious), but in CXF 2.4.1 I should leave the cxf.xml
> and cxf-servlet.xml import?  Just looking for confirmation.

Yep.  Just the cxf-extension*.xml imports should be removed.

With 2.5.x, you can remove the cxf-servlet.xml as well.

Dan




>
> Thanks for the help...jay
--
Daniel Kulp
[hidden email] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com


2way SSL errors - http conduit

jaybytez
One last question with regards to http:conduit:

I can only get the following to work with 2way SSL
<http:conduit name="*.http-conduit">

The documentation says to use the WSDL port with QName to make it specific instead of "*":

<http:conduit name="{https://foo.com}FooPort.http-conduit">

That doesn't seem to work for me...

<service name="Foo">
    <port name="FooPort" binding="tns:FooPortBinding">
      <soap:address location="REPLACE_WITH_ACTUAL_URL"/>
    </port>
</service>

Is the FooPort above the port name from the WSDL that is supposed to be used in http:conduit and just apply the targetNamespace?

Re: 2way SSL errors - http conduit

Glen Mazza (Talend)
What you have should work--does your namespace really start with
"https://" and not just "http://"?

Glen

On 03/09/2012 04:48 PM, jaybytez wrote:

> One last question with regards to http:conduit:
>
> I can only get the following to work with 2way SSL
> <http:conduit name="*.http-conduit">
>
> The documentation says to use the WSDL port with QName to make it specific
> instead of "*":
>
> <http:conduit name="{https://foo.com}FooPort.http-conduit">
>
> That doesn't seem to work for me...
>
> <service name="Foo">
>      <port *name="FooPort"* binding="tns:FooPortBinding">
>        <soap:address location="REPLACE_WITH_ACTUAL_URL"/>
>      </port>
> </service>
>
> Is the FooPort above the port name from the WSDL that is supposed to be used in
> http:conduit and just apply the targetNamespace?


--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza


Re: 2way SSL errors - http conduit

Glen Mazza (Talend)
This blog entry might help:
http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol

Glen

On 03/09/2012 06:47 PM, Glen Mazza wrote:

> What you have should work--does your namespace really start with
> "https://" and not just "http://"?
>
> Glen
>
> On 03/09/2012 04:48 PM, jaybytez wrote:
>> One last question with regards to http:conduit:
>>
>> I can only get the following to work with 2way SSL
>> <http:conduit name="*.http-conduit">
>>
>> The documentation says to use the WSDL port with QName to make it
>> specific
>> instead of "*":
>>
>> <http:conduit name="{https://foo.com}FooPort.http-conduit">
>>
>> That doesn't seem to work for me...
>>
>> <service name="Foo">
>>     <port *name="FooPort"* binding="tns:FooPortBinding">
>>       <soap:address location="REPLACE_WITH_ACTUAL_URL"/>
>>     </port>
>> </service>
>>
>> Is the FooPort above the port name from the WSDL that is supposed to
>> be used in
>> http:conduit and just apply the targetNamespace?


--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza


Re: 2way SSL errors - http conduit

jaybytez
Thanks, I will take a look at the blog entry.

And unfortunately, yes...the namespace contains a https (it's a government web service).  I tried putting the portName in multiple variations and none work for me.

So we have been using the *.http-conduit, but the funny thing that happened when we went into production awhile ago is that we have two service callouts in a war and one requires the 2 way SSL while the other doesn't.  So the *.http-conduit was wildcarding and applying to all callouts, so the service that didn't require it was failing because it was expecting this certificate exchange (and the whole time we thought it was a VIP problem).  Anyways, that is why I am trying to constrain the http-conduit to a specific service.

I will read the blog entry and then give a few more tries.  I tried the URL regular expression except the problem is that part of the urls are different for prod and test, like:

https://prod.gov/service
https://test.gov/service

And I would need to regular expression a part in the URL (not sure if that is possible).

Thanks for the help!

Re: 2way SSL errors - http conduit

Daniel  Kulp
Administrator
On Friday, March 09, 2012 08:16:21 PM jaybytez wrote:

> Thanks, I will take a look at the blog entry.
>
> And unfortunately, yes...the namespace contains a https (it's a government
> web service).  I tried putting the portName in multiple variations and
> none work for me.
>
> So we have been using the *.http-conduit, but the funny thing that
> happened when we went into production awhile ago is that we have two
> service callouts in a war and one requires the 2 way SSL while the other
> doesn't.  So the *.http-conduit was wildcarding and applying to all
> callouts, so the service that didn't require it was failing because it
> was expecting this certificate exchange (and the whole time we thought it
> was a VIP problem).  Anyways, that is why I am trying to constrain the
> http-conduit to a specific service.
>
> I will read the blog entry and then give a few more tries.  I tried the
> URL regular expression except the problem is that part of the urls are
> different for prod and test, like:
>
> https://prod.gov/service
> https://test.gov/service
>
> And I would need to regular expression a part in the URL (not sure if that
> is possible).

Yes.  That is possible.   name="https://.*\.gov/service"  could do it.
However, you can also even use separate conduit settings.   One for
"test.gov" and another for "prod.gov".   That can allow for separate
settings for production and testing.



--
Daniel Kulp
[hidden email] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
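
Added example (not part of the thread and not the CXF project's own configuration): a client-side Spring configuration that scopes the 2-way SSL settings to the URL regular expression suggested above instead of the "*.http-conduit" wildcard. Keystore types, paths and passwords are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: client-side CXF Spring configuration. Keystore paths,
     types and passwords are placeholders, not values from the thread. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Too broad: the wildcard name applies the client-certificate settings
       to every outbound callout in the WAR, including the service that
       does not use 2-way SSL.
  <http:conduit name="*.http-conduit"> ... </http:conduit>
  -->

  <!-- Scoped: the name is a regular expression over the endpoint URL, so
       the client key is configured only for addresses that match it, such
       as https://prod.gov/service and https://test.gov/service. -->
  <http:conduit name="https://.*\.gov/service">
    <http:tlsClientParameters>
      <!-- Client certificate and private key presented during the handshake -->
      <sec:keyManagers keyPassword="CHANGE_ME">
        <sec:keyStore type="JKS" password="CHANGE_ME"
                      file="/path/to/client-keystore.jks"/>
      </sec:keyManagers>
      <!-- CA certificates trusted when validating the server certificate -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="CHANGE_ME"
                      file="/path/to/truststore.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

The pattern covers any address ending in ".gov/service"; the alternative mentioned above, one conduit per host, narrows the match further and lets production and test use separate keystores.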


Re: 2way SSL errors - http conduit

jaybytez
Woohoo, the regular expression worked!!!

I obviously didn't write my url regex correctly.

Thanks a ton for the help!