Authentication

Basic Authentication

Code Block (xml)

 <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
   xmlns:sec="http://cxf.apache.org/configuration/security"
   xmlns="http://cxf.apache.org/transports/http/configuration">
   <authorization>
      <sec:UserName>myuser</sec:UserName>
      <sec:Password>mypasswd</sec:Password>
      <sec:AuthorizationType>Basic</sec:AuthorizationType>
   </authorization>
 </conduit>

...

The file should contain:

Code Block

CXFClient {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

...

Code Block (xml): HTTP conduit configuration for spnego with single sign on

 ...
 <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
   xmlns="http://cxf.apache.org/transports/http/configuration">
   <authorization>
      <AuthorizationType>Negotiate</AuthorizationType>
      <Authorization>CXFClient</Authorization>
   </authorization>
 </conduit>
 ...

...

Code Block (xml): Switching to Kerberos OID instead of Spnego

 ...
 <jaxws:client>
  <jaxws:properties>
   <entry key="auth.spnego.useKerberosOid" value="true"/>
  </jaxws:properties> 
 </jaxws:client>
 ...

...

Code Block (xml): HTTP conduit configuration for spnego with single sign on

 ...
 <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
   xmlns="http://cxf.apache.org/transports/http/configuration">
   <authorization>
      <AuthorizationType>Negotiate</AuthorizationType>
   </authorization>
 </conduit>
 ...

...

Next, you need to configure jcifs to use the correct domains, WINS servers, etc. Notice that the bit which sets the username/password to use for NTLM is commented out. If credentials are missing, jcifs will use the underlying NT credentials.

Code Block (java)

//Set the jcifs properties
jcifs.Config.setProperty("jcifs.smb.client.domain", "ben.com");
jcifs.Config.setProperty("jcifs.netbios.wins", "xxx.xxx.xxx.xxx");
jcifs.Config.setProperty("jcifs.smb.client.soTimeout", "300000"); // 5 minutes
jcifs.Config.setProperty("jcifs.netbios.cachePolicy", "1200"); // 20 minutes
//jcifs.Config.setProperty("jcifs.smb.client.username", "myNTLogin");
//jcifs.Config.setProperty("jcifs.smb.client.password", "secret");

//Register the jcifs URL handler to enable NTLM
jcifs.Config.registerSmbURLHandler();

Finally, you need to set up the CXF client to turn off chunking. The reason is that NTLM authentication requires a 3-part handshake, which breaks the streaming.

Code Block

//Turn off chunking so that NTLM can occur
Client client = ClientProxy.getClient(port);
HTTPConduit http = (HTTPConduit) client.getConduit();
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(false);
http.setClient(httpClientPolicy);

...

Here is a sample of what your conduit definition might look like:

Code Block (xml)

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
  xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">

    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="JKS" password="password"
                      file="my/file/dir/Morpit.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password"
                      file="my/file/dir/Truststore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
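        <!-- these filters ensure that a ciphersuite with
             export-suitable or null encryption is used,
             but exclude anonymous Diffie-Hellman key exchange as
             this is vulnerable to man-in-the-middle attacks.
             Export-grade, DES and NULL suites give weak or no
             confidentiality; narrow the includes before using
             this sample outside a test setup. -->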
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:authorization>
      <sec:UserName>Betty</sec:UserName>
      <sec:Password>password</sec:Password>
    </http:authorization>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>

  </http:conduit>

</beans>
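
A tightened variant of the sample's cipher suite filter, as an added example that is not part of the CXF documentation. It admits only AEAD suites with ephemeral key exchange; the conduit name and truststore path are reused from the sample, and the password is a placeholder.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- Added example: password below is a placeholder, not a real value -->

  <http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
    <http:tlsClientParameters>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="CHANGE_ME"
                      file="my/file/dir/Truststore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- Weak form, as in the sample above:
               include .*_EXPORT_.*      (export-grade keys)
               include .*_WITH_DES_.*    (single DES)
               include .*_WITH_NULL_.*   (no encryption at all)
               exclude .*_DH_anon_.*
             The exclude does not match TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
             because "ECDH_anon" has no underscore directly before "DH",
             while the include .*_WITH_AES_.* does match it. -->
        <!-- Tightened form: a suite is enabled only if it matches an
             include and no exclude. Includes cover TLS 1.3 AEAD suites
             and TLS 1.2 ECDHE suites with AES-GCM or ChaCha20-Poly1305;
             the excludes are a backstop if an include is later widened. -->
        <sec:include>TLS_AES_.*_GCM_.*</sec:include>
        <sec:include>TLS_CHACHA20_POLY1305_.*</sec:include>
        <sec:include>TLS_ECDHE_.*_WITH_AES_.*_GCM_.*</sec:include>
        <sec:include>TLS_ECDHE_.*_WITH_CHACHA20_POLY1305_.*</sec:include>
        <sec:exclude>.*_anon_.*</sec:exclude>
        <sec:exclude>.*_NULL_.*</sec:exclude>
        <sec:exclude>.*_EXPORT.*</sec:exclude>
        <sec:exclude>.*_DES_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```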

...

Another option for the name attribute is a regular expression (e.g., "http://localhost:*") for the ORIGINAL URL of the endpoint. The configuration is matched at conduit creation, so the address used in the WSDL or in the JAX-WS Service.create(...) call can be used for the name. For example, you can do:

Code Block (xml)

   <http:conduit name="http://localhost:8080/.*">
       ......
   </http:conduit>

...

Code Block (xml): HTTP Consumer Configuration Namespace

<beans ...
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       ...
       xsi:schemaLocation="...
           http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
       ...">

...

Code Block (xml): http-conf:conduit Element

...
  <http-conf:conduit name="{http://widgets/widgetvendor.net}widgetSOAPPort.http-conduit">
    ...
  </http-conf:conduit>

  <http-conf:conduit name="*.http-conduit">
  <!-- you can also use a wildcard to specify
       the http-conduit that you want to configure -->
    ...
  </http-conf:conduit>

  <http-conf:conduit name="http://localhost:8080/.*">
  <!-- you can also use regular-expression URL matching for
       the http-conduit that you want to configure -->
    ...
  </http-conf:conduit>
...

...

Code Block (xml): HTTP Consumer Endpoint Configuration

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <http-conf:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
    <http-conf:client Connection="Keep-Alive"
                      MaxRetransmits="1"
                      AllowChunking="false" />
  </http-conf:conduit>
</beans>

...

The tlsClientParameters element

Please see TLS Configuration page for more information.

...

Code Block (xml): HTTP Consumer WSDL Element's Namespace

<definitions ...
   xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"

...

Code Block (xml): WSDL to Configure an HTTP Consumer Endpoint

<service ...>
  <port ...>
    <soap:address ... />
    <http-conf:client CacheControl="no-cache" />
  </port>
</service>

...

First you need to get the HTTPConduit from the Proxy object or Client; then you can set the HTTPClientPolicy, AuthorizationPolicy, ProxyAuthorizationPolicy, TLSClientParameters, and/or HttpBasicAuthSupplier.

Code Block (java)

  import org.apache.cxf.endpoint.Client;
  import org.apache.cxf.frontend.ClientProxy;
  import org.apache.cxf.transport.http.HTTPConduit;
  import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
  ...

  URL wsdl = getClass().getResource("wsdl/greeting.wsdl");
  SOAPService service = new SOAPService(wsdl, serviceName);
  Greeter greeter = service.getPort(portName, Greeter.class);

  // Okay, are you sick of configuration files ?
  // This will show you how to configure the http conduit dynamically
  Client client = ClientProxy.getClient(greeter);
  HTTPConduit http = (HTTPConduit) client.getConduit();

  HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();

  httpClientPolicy.setConnectionTimeout(36000);
  httpClientPolicy.setAllowChunking(false);
  httpClientPolicy.setReceiveTimeout(32000);

  http.setClient(httpClientPolicy);

  ...
  greeter.sayHi("Hello");

...

If you are using the JAX-WS API to create the proxy object, here is an example which is completely JAX-WS compliant code:

Code Block (java)

   // getClassLoader() is a method call; the parentheses are required
   URL wsdlURL = MyService.class.getClassLoader()
            .getResource("myService.wsdl");
   QName serviceName = new QName("urn:myService", "MyService");
   MyService service = new MyService(wsdlURL, serviceName);
   ServicePort client = service.getServicePort();
   BindingProvider provider = (BindingProvider)client;
   // You can set the address per request here
   provider.getRequestContext().put(
        BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
        "http://my/new/url/to/the/service");

...

Here is another way, which takes advantage of the JAX-WS Service.addPort() API:

Code Block (java)

   URL wsdlURL = MyService.class.getClassLoader().getResource("service2.wsdl");
   QName serviceName = new QName("urn:service2", "MyService");
   QName portName = new QName("urn:service2", "ServicePort");
   MyService service = new MyService(wsdlURL, serviceName);
   // You can add whatever address you want
   service.addPort(portName, "http://schemas.xmlsoap.org/soap/", "http://the/new/url/myService");
   // Passing the SEI class that is generated by wsdl2java
   ServicePort proxy = service.getPort(portName, SEI.class);

...

Asynchronous HTTP Conduit

Please see Asynchronous HTTP Conduit page for more information.