
RE: Configuring a CFXEndPoint with multiple certificates


I have found what I believe to be the problem:

ProducerCache.doGetProducer does not compare the Endpoint contained in the Producer returned by its producers Map with the endpoint supplied by RecipientList.resolveEndpoint. ProducerCache keys its Producers by endpoint URI, but this does not allow for the creation of Endpoints that have the same URI but a different configuration, e.g. a different SSL certificate. Here is the piece of code I think is erroneous:

    protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
        String key = endpoint.getEndpointUri();
        Producer answer = producers.get(key);
        if (pooled && answer == null) {
            // try acquire from connection pool
            answer = pool.acquire(endpoint);
        }

        if (answer == null) {
            // create a new producer
....

If this were changed to something like the following it would allow for endpoints with the same URI but different configs:

    protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
        String key = endpoint.getEndpointUri();
        Producer answer = producers.get(key);

        if (pooled && answer == null) {
            // try acquire from connection pool
            answer = pool.acquire(endpoint);
        }
        // CHANGE TO COMPARE ENDPOINT IN CACHE WITH PROVIDED ENDPOINT
        if (answer == null || answer.getEndpoint() != endpoint) {
            // create a new producer

I have done a simple test and it works fine for my use case i.e. using the same Endpoint URI but having a different keystore attached to its config. Not sure what side effects it may have but on the face of it I would say it's pretty harmless. I guess it needs approval and testing.


-----Original Message-----
From: users-return-67968-Richard.Davis=boots.co.uk@xxxxxxxxxxxxxxxx [mailto:users-return-67968-Richard.Davis=boots.co.uk@xxxxxxxxxxxxxxxx]
Sent: 03 December 2018 16:04
To: users@xxxxxxxxxxxxxxxx
Subject: [CAUTION] Configuring a CFXEndPoint with multiple certificates

We are trying to make client requests to a SOAP web service using the Apache CXF component from a central Camel server. The endpoint is always the same address; however, the owner of the endpoint wants a different SSL certificate depending on which of our high street stores the request originates from.
We have created one CxfEndpoint per store, each with its own CxfEndpointConfigurer that sets up the conduit's TlsClientParameters with the correct certificate store information. Then we've used a RecipientList in the route to dynamically select the correct endpoint with the relevant certificate.
Unfortunately, because the endpoints all share the same address, the configureClient method on the CxfEndpointConfigurer is only ever called once, even though each endpoint has a different instance containing different SSL configuration info. This results in all the endpoint instances sharing the same certificate. As a test we changed the endpoint address for one of the CxfEndpoint instances and saw that its related configureClient was called correctly.
So it appears that if CxfEndpoints have different addresses then their CxfEndpointConfigurer will be called, but if 2 or more endpoint instances share the same address then the CxfEndpointConfigurer is only called once, even though those configurers are different instances with different configurations.
Does anyone have any advice on how we can dynamically allocate certificates to the same endpoint based on message content (store id effectively)?

Richard Davis | Architect | Healthcare | Boots IT
D90 East EG03| 1 Thane Road | Nottingham | NG90 1BS
Internal: 725481 | External: +44(0) 115 959 5481 | Email: richard.davis@xxxxxxxxxxx



Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.
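Added example, not code from this thread or from Camel itself: a self-contained Java model of the producer lookup discussed above (the class names TlsEndpoint, TlsProducer and UriKeyedProducerCache and the service URI are assumed stand-ins for the Camel types). It shows why a cache keyed only on the endpoint URI hands the store B endpoint a producer built with store A's keystore, so the wrong client certificate is presented, and that the proposed endpoint-identity check avoids this, at the cost of rebuilding the producer every time endpoints sharing one URI alternate.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in for a Camel Endpoint: same URI, but each store carries its own TLS keystore.
final class TlsEndpoint {
    final String uri;
    final String keystore;
    TlsEndpoint(String uri, String keystore) { this.uri = uri; this.keystore = keystore; }
    String getEndpointUri() { return uri; }
}

// Stand-in for a Producer; the keystore it was built with is what the SOAP call would present.
final class TlsProducer {
    final TlsEndpoint endpoint;
    TlsProducer(TlsEndpoint endpoint) { this.endpoint = endpoint; }
    TlsEndpoint getEndpoint() { return endpoint; }
}

// Minimal cache reproducing the lookup quoted in the thread; the flag enables the proposed check.
final class UriKeyedProducerCache {
    private final Map<String, TlsProducer> producers = new HashMap<>();
    private final boolean compareEndpoint;
    int created = 0;
    UriKeyedProducerCache(boolean compareEndpoint) { this.compareEndpoint = compareEndpoint; }

    synchronized TlsProducer doGetProducer(TlsEndpoint endpoint) {
        String key = endpoint.getEndpointUri();
        TlsProducer answer = producers.get(key);
        // Without the identity check, any cached producer for this URI is reused, whatever its keystore.
        if (answer == null || (compareEndpoint && answer.getEndpoint() != endpoint)) {
            answer = new TlsProducer(endpoint);   // this is where configureClient would run
            created++;
            producers.put(key, answer);
        }
        return answer;
    }
}

public class ProducerCacheDemo {
    public static void main(String[] args) {
        String uri = "cxf://https://soap.example.invalid/service";   // placeholder address
        TlsEndpoint storeA = new TlsEndpoint(uri, "store-a.p12");   // constructed sample keystores
        TlsEndpoint storeB = new TlsEndpoint(uri, "store-b.p12");

        UriKeyedProducerCache uriOnly = new UriKeyedProducerCache(false);
        uriOnly.doGetProducer(storeA);
        // Store B gets store A's producer, so its requests carry store A's certificate.
        System.out.println("URI-only key, store B uses: " + uriOnly.doGetProducer(storeB).getEndpoint().keystore);

        UriKeyedProducerCache checked = new UriKeyedProducerCache(true);
        checked.doGetProducer(storeA);
        System.out.println("identity check, store B uses: " + checked.doGetProducer(storeB).getEndpoint().keystore);
        // Caveat: the single URI slot is overwritten each time the endpoint changes, so alternating
        // stores rebuilds the producer on every call rather than caching one per endpoint.
        checked.doGetProducer(storeA);
        System.out.println("producers built with identity check: " + checked.created);
    }
}
```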