Unable to use https URL scheme in CXF consumer

[jochenr]

Hello,

If I try to configure a CxfEndpoint (consumer) with protocol "https", I get this Exception:

Caused by: java.lang.IllegalArgumentException: Unsupported protocol: https
at org.apache.cxf.transport.undertow.AbstractHTTPServerEngineFactory.getHTTPServerEngine(AbstractHTTPServerEngineFactory.java:38)

IMHO "https" should be allowed in
org.apache.cxf.transport.undertow.AbstractHTTPServerEngineFactory

I want to explicitely have an endpoint that uses https, because iI want to use SSL mutual authentication /client-certificate authentication for it. See: https://github.com/jochenr/wildfly-camel-examples/blob/master/camel-cxf-jaxws-security-cdi/src/main/java/org/wildfly/camel/examples/cxf/jaxws/JavaDSLRouteBuilder.java

Actually it should even prevent the use of http, if I have https specified.

To reproduce it, you can just use the "camel-cxf-jaxws" example and change the file "cxfws-camel-context.xml" to use https

<cxf:cxfEndpoint id="cxfConsumer"
                     address="https://localhost:8443/webservices/greeting"
                     serviceClass="org.wildfly.camel.examples.cxf.jaxws.GreetingService" />

Best regards,
Jochen

[jamesnetherton]

Do you have WildFly configured for SSL? There's no magic in our camel-cxf stuff that auto-enables SSL. It's assumed the container is already set up to serve HTTPS traffic.

[jochenr]

yes, sure I have.
And it does work with https, but I it is not "clean" to write "http://" in the route configuration, because I also configure the SSL parameters for client-cert authentication on this endpoint.

If I have a "classic" webservice based on servlet with web.xml I can put
CONFIDENTIAL

Or if I use SWITCHYARD in FUSEonEAP, I can ensure confidentiality like that
<sca:service sy:security="default" name="LoanContractWS_WS_IN" requires="clientAuthentication propagatesTransaction confidentiality">

So what I want is to enforce https for a cxfConsumer endpoint
(because a http endpoint makes no sense with client-certificate authentication)

[jamesnetherton]

Ok, thanks for the info. We'll take a look into it.

[jamesnetherton]

Removing the https restriction is simple enough.....

Internally, the camel subsystem deploys CXF consumer endpoints on undertow as individual servlet deployments. For https endpoints I can programmatically force a security-constraint of CONFIDENTIAL.

So if I define the CXF consumer URL as http://localhost:8443/my/service and hit http://localhost:8080/my/service, the server will respond with an HTTP 302 and a Location header with the secure endpoint URL.

Does that satisfy your requirement?

[jochenr]

Yes, sounds perfect🙂
Thank you