@cgorshing
Created July 24, 2014 19:32
Example showing how to override which certificates CXF trusts.
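<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring bean configuration for an Apache CXF HTTP conduit. It sets the client
  key material, the certificates the client trusts, the cipher suites it may
  negotiate, the HTTP credentials and the client behaviour for outgoing calls.
-->
<beans
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns="http://www.springframework.org/schema/beans"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:sec="http://cxf.apache.org/configuration/security"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
      http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
    ">
  <!-- http://techpolesen.blogspot.com/2007/08/using-ssl-with-xfirecxf-battling.html -->
  <!-- http://cxf.apache.org/docs/configuration.html -->
  <!--<http:conduit name="*.http-conduit">-->
  <!--<http:conduit name="https://localhost:8081/.*">-->
  <!-- Found debugging HTTPTransportFactory -->
  <!--{http://cxf.apache.org}TransportURIResolver.http-conduit-->

  <!--
    name=".*" matches every conduit, so the key store, trust store and the
    credentials below apply to every outgoing endpoint, not just the mock
    service. Outside a test setup, narrow the pattern to the intended endpoint
    (for example the commented-out https://localhost:8081/.* form above).
  -->
  <http:conduit name=".*">
    <!--
      secureSocketProtocol uses the "TLS" name rather than the legacy "SSL"
      name. Pin a specific version (such as TLSv1.2) if both the runtime and
      the server support it.
    -->
    <http:tlsClientParameters secureSocketProtocol="TLS" useHttpsURLConnectionDefaultSslSocketFactory="false">
      <!--
        The key and store passwords are literals in this file. The keystore
        name suggests a test fixture; for a real keystore supply them through
        property placeholders, as is done for ${username} and ${password}.
      -->
      <sec:keyManagers keyPassword="confluex">
        <sec:keyStore type="JKS" password="confluex" resource="/confluex-mock.keystore"/>
      </sec:keyManagers>
      <!--
        Only certificates present in this store are trusted for connections
        made through this conduit. The same file serves as key store and trust
        store here; outside tests, prefer a separate trust store that holds
        public certificates only.
      -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="confluex" resource="/confluex-mock.keystore"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!--
          Allow only AES cipher suites. Export-grade, single-DES and NULL
          (unencrypted) suites are not included, because they provide little
          or no confidentiality. Anonymous key exchange is excluded because an
          unauthenticated peer allows man-in-the-middle attacks; the ECDH
          variant needs its own pattern, since .*_DH_anon_.* does not match
          names of the form TLS_ECDH_anon_WITH_AES_*.
        -->
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
        <sec:exclude>.*_ECDH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <!-- Credentials are resolved from property placeholders, not stored in this file. -->
    <http:authorization>
      <sec:UserName>${username}</sec:UserName>
      <sec:Password>${password}</sec:Password>
    </http:authorization>
    <!--
      AutoRedirect makes the client follow HTTP redirects. NOTE(review): with
      credentials configured on a catch-all conduit, confirm whether they are
      resent to the redirect target and whether that is intended.
    -->
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>
</beans>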