You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2014/12/12 16:28:18 UTC
[4/5] cxf git commit: Another refactor of systests/transports to make
the https tests more manageable
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java
deleted file mode 100644
index 99381e7..0000000
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java
+++ /dev/null
@@ -1,204 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.systest.https;
-
-import java.io.IOException;
-import java.net.URL;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.xml.ws.BindingProvider;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.bus.spring.SpringBusFactory;
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.configuration.jsse.SSLUtils;
-import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-import org.apache.hello_world.Greeter;
-import org.apache.hello_world.services.SOAPService;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-/**
- * A set of tests SSL v3 protocol support. It should be disallowed by default on both the
- * (Jetty) server and CXF client side.
- */
-public class SSLv3Test extends AbstractBusClientServerTestBase {
- static final String PORT = allocatePort(SSLv3Server.class);
- static final String PORT2 = allocatePort(SSLv3Server.class, 2);
- static final String PORT3 = allocatePort(SSLv3Server.class, 3);
-
- @BeforeClass
- public static void startServers() throws Exception {
- assertTrue(
- "Server failed to launch",
- // run the server in the same process
- // set this to false to fork
- launchServer(SSLv3Server.class, true)
- );
- }
-
- @AfterClass
- public static void cleanup() throws Exception {
- stopAllServers();
- }
-
- @org.junit.Test
- public void testSSLv3ServerNotAllowedByDefault() throws Exception {
-
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- System.setProperty("https.protocols", "SSLv3");
-
- URL service = new URL("https://localhost:" + PORT);
- HttpsURLConnection connection = (HttpsURLConnection) service.openConnection();
-
- connection.setHostnameVerifier(new DisableCNCheckVerifier());
-
- SSLContext sslContext = SSLContext.getInstance("SSL");
- URL keystore = SSLv3Test.class.getResource("../../../../../keys/Truststore.jks");
- TrustManager[] trustManagers =
- SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(),
- "PKIX", LogUtils.getL7dLogger(SSLv3Test.class));
- sslContext.init(null, trustManagers, new java.security.SecureRandom());
-
- connection.setSSLSocketFactory(sslContext.getSocketFactory());
-
- try {
- connection.connect();
- fail("Failure expected on an SSLv3 connection attempt");
- } catch (IOException ex) {
- // expected
- }
-
- System.clearProperty("https.protocols");
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testSSLv3ServerAllowed() throws Exception {
-
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- System.setProperty("https.protocols", "SSLv3");
-
- URL service = new URL("https://localhost:" + PORT2);
- HttpsURLConnection connection = (HttpsURLConnection) service.openConnection();
-
- connection.setHostnameVerifier(new DisableCNCheckVerifier());
-
- SSLContext sslContext = SSLContext.getInstance("SSL");
- URL keystore = SSLv3Test.class.getResource("../../../../../keys/Truststore.jks");
- TrustManager[] trustManagers =
- SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(),
- "PKIX", LogUtils.getL7dLogger(SSLv3Test.class));
- sslContext.init(null, trustManagers, new java.security.SecureRandom());
-
- connection.setSSLSocketFactory(sslContext.getSocketFactory());
-
- connection.connect();
-
- connection.disconnect();
-
- System.clearProperty("https.protocols");
-
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testClientSSL3NotAllowed() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- URL url = SOAPService.WSDL_LOCATION;
- SOAPService service = new SOAPService(url, SOAPService.SERVICE);
- assertNotNull("Service is null", service);
- final Greeter port = service.getHttpsPort();
- assertNotNull("Port is null", port);
-
- BindingProvider provider = (BindingProvider)port;
- provider.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
-
- updateAddressPort(port, PORT3);
-
- try {
- port.greetMe("Kitty");
- fail("Failure expected on the client not supporting SSLv3 by default");
- } catch (Exception ex) {
- // expected
- }
-
- ((java.io.Closeable)port).close();
- bus.shutdown(true);
- }
-
- @org.junit.Test
- public void testClientSSL3Allowed() throws Exception {
- SpringBusFactory bf = new SpringBusFactory();
- URL busFile = SSLv3Test.class.getResource("sslv3-client-allow.xml");
-
- Bus bus = bf.createBus(busFile.toString());
- SpringBusFactory.setDefaultBus(bus);
- SpringBusFactory.setThreadDefaultBus(bus);
-
- URL url = SOAPService.WSDL_LOCATION;
- SOAPService service = new SOAPService(url, SOAPService.SERVICE);
- assertNotNull("Service is null", service);
- final Greeter port = service.getHttpsPort();
- assertNotNull("Port is null", port);
-
- BindingProvider provider = (BindingProvider)port;
- provider.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
-
- updateAddressPort(port, PORT3);
-
- assertEquals(port.greetMe("Kitty"), "Hello Kitty");
-
- ((java.io.Closeable)port).close();
- bus.shutdown(true);
- }
-
- private static final class DisableCNCheckVerifier implements HostnameVerifier {
-
- @Override
- public boolean verify(String arg0, SSLSession arg1) {
- return true;
- }
-
- };
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java
deleted file mode 100644
index 12f3bbd..0000000
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.systest.https;
-
-import java.net.URL;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.bus.spring.SpringBusFactory;
-import org.apache.cxf.jaxws.EndpointImpl;
-import org.apache.cxf.systest.http.GreeterImpl;
-import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
-
-public class Server extends AbstractBusTestServerBase {
- public static final String PORT = allocatePort(Server.class);
-
- private String name;
- private String address;
- private URL configFileURL;
- private EndpointImpl ep;
-
- public Server(String[] args) throws Exception {
- this(args[0], args[1], args[2]);
- }
-
- public Server(String n, String addr, String conf) throws Exception {
- name = n;
- address = addr;
- configFileURL = new URL(conf);
- //System.out.println("Starting " + name
- // + " Server at " + address
- // + " with config " + configFileURL);
-
- }
- public void tearDown() throws Exception {
- if (ep != null) {
- ep.stop();
- ep = null;
- }
- }
-
- protected void run() {
- // We use a null binding id in the call to EndpointImpl
- // constructor. Why?
- final String nullBindingID = null;
-
- // We need to specify to use defaults on constructing the
- // bus, because our configuration file doesn't have
- // everything needed.
- final boolean useDefaults = true;
-
- // We configure a new bus for this server.
- setBus(new SpringBusFactory().createBus(configFileURL, useDefaults));
-
- // This impl class must have the appropriate annotations
- // to match the WSDL file that we are using.
- Object implementor = new GreeterImpl(name);
-
- // I don't know why this works.
- ep =
- new EndpointImpl(
- getBus(),
- implementor,
- nullBindingID,
- this.getClass().getResource("greeting.wsdl").toString());
- // How the hell do I know what the name of the
- // http-destination is from using this call?
- ep.setEndpointName(new QName("http://apache.org/hello_world", name));
- ep.publish(address);
- }
-
-
- public static void main(String[] args) {
- try {
- Server s = new Server(args);
- s.start();
- } catch (Exception ex) {
- ex.printStackTrace();
- System.exit(-1);
- }
- }
-}
-
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java
new file mode 100644
index 0000000..203527c
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.clientauth;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class ClientAuthServer extends AbstractBusTestServerBase {
+
+ public ClientAuthServer() {
+
+ }
+
+ protected void run() {
+ URL busFile = ClientAuthServer.class.getResource("client-auth-server.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new ClientAuthServer();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java
new file mode 100644
index 0000000..4493d53
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java
@@ -0,0 +1,246 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.clientauth;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+/**
+ * A set of tests for TLS client authentication.
+ */
+public class ClientAuthTest extends AbstractBusClientServerTestBase {
+ static final String PORT = allocatePort(ClientAuthServer.class);
+ static final String PORT2 = allocatePort(ClientAuthServer.class, 2);
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(ClientAuthServer.class, true)
+ );
+ }
+
+ @AfterClass
+ public static void cleanup() throws Exception {
+ stopAllServers();
+ }
+
+ // Server directly trusts the client cert
+ @org.junit.Test
+ public void testDirectTrust() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("client-auth.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Server does not (directly) trust the client cert
+ @org.junit.Test
+ public void testInvalidDirectTrust() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("client-auth-invalid.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on an untrusted cert");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not specify a KeyStore, only a TrustStore
+ @org.junit.Test
+ public void testNoClientCert() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("../ssl3/sslv3-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on no trusted cert");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Server trusts the issuer of the client cert
+ @org.junit.Test
+ public void testChainTrust() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("client-auth-chain.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT2);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Server does not trust the issuer of the client cert
+ @org.junit.Test
+ public void testInvalidChainTrust() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("client-auth-invalid2.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT2);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on no trusted cert");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not trust the issuer of the server cert
+ @org.junit.Test
+ public void testClientInvalidCertChain() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("client-auth-invalid2.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on no trusted cert");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not directly trust the server cert
+ @org.junit.Test
+ public void testClientInvalidDirectTrust() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ClientAuthTest.class.getResource("client-auth-invalid.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT2);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on no trusted cert");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java
new file mode 100644
index 0000000..af7d702
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java
@@ -0,0 +1,250 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.net.URL;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.TrustManager;
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.configuration.Configurer;
+import org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils;
+import org.apache.cxf.configuration.security.KeyManagersType;
+import org.apache.cxf.configuration.security.KeyStoreType;
+import org.apache.cxf.configuration.security.TrustManagersType;
+import org.apache.cxf.jaxws.endpoint.dynamic.JaxWsDynamicClientFactory;
+import org.apache.cxf.systest.https.BusServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * This test is meant to run against a spring-loaded
+ * HTTP/S service.
+ */
+public class HTTPSClientTest extends AbstractBusClientServerTestBase {
+ //
+ // data
+ //
+
+ /**
+ * the package path used to locate resources specific to this test
+ */
+ private void setTheConfiguration(String config) {
+ //System.setProperty("javax.net.debug", "all");
+ try {
+ System.setProperty(
+ Configurer.USER_CFG_FILE_PROPERTY_URL,
+ HTTPSClientTest.class.getResource(config).toString()
+ );
+ } catch (final Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @BeforeClass
+ public static void setupPorts() {
+ BusServer.resetPortMap();
+ }
+
+ public void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork a new process
+ launchServer(BusServer.class, true)
+ );
+ }
+
+
+ public void stopServers() throws Exception {
+ stopAllServers();
+ System.clearProperty(Configurer.USER_CFG_FILE_PROPERTY_URL);
+ BusFactory.setDefaultBus(null);
+ BusFactory.setThreadDefaultBus(null);
+ }
+
+
+ //
+ // tests
+ //
+ public final void testSuccessfulCall(String configuration,
+ String address) throws Exception {
+ testSuccessfulCall(configuration, address, null);
+ }
+ public final void testSuccessfulCall(String configuration,
+ String address,
+ URL url) throws Exception {
+ testSuccessfulCall(configuration, address, url, false);
+ }
+ public final void testSuccessfulCall(String configuration,
+ String address,
+ URL url,
+ boolean dynamicClient) throws Exception {
+ setTheConfiguration(configuration);
+ startServers();
+ if (url == null) {
+ url = SOAPService.WSDL_LOCATION;
+ }
+
+ //CXF-4037 - dynamic client isn't using the conduit settings to resolve schemas
+ if (dynamicClient) {
+ ClassLoader loader = Thread.currentThread().getContextClassLoader();
+ JaxWsDynamicClientFactory.newInstance(BusFactory.getDefaultBus())
+ .createClient(url.toExternalForm());
+ Thread.currentThread().setContextClassLoader(loader);
+ }
+
+
+
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ BindingProvider provider = (BindingProvider)port;
+ provider.getRequestContext().put(
+ BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
+ address);
+
+ //provider.getRequestContext().put("use.async.http.conduit", Boolean.TRUE);
+ //for (int x = 0; x < 100000; x++) {
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+ //}
+
+
+ stopServers();
+ }
+
+ @Test
+ public final void testJaxwsServer() throws Exception {
+ testSuccessfulCall("jaxws-server.xml",
+ "https://localhost:" + BusServer.getPort(2) + "/SoapContext/HttpsPort");
+ }
+ @Test
+ public final void testJaxwsServerChangeHttpsToHttp() throws Exception {
+ testSuccessfulCall("jaxws-server.xml",
+ "http://localhost:" + BusServer.getPort(3) + "/SoapContext/HttpPort");
+ }
+ @Test
+ public final void testJaxwsEndpoint() throws Exception {
+ testSuccessfulCall("jaxws-publish.xml",
+ "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+ }
+ @Test
+ public final void testJaxwsEndpointCallback() throws Exception {
+ testSuccessfulCall("jaxws-publish-callback.xml",
+ "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+ }
+ @Test
+ public final void testJaxwsTLSRefsEndpoint() throws Exception {
+ testSuccessfulCall("jaxws-tlsrefs-publish.xml",
+ "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+ }
+ @Test
+ public final void testPKCS12Endpoint() throws Exception {
+ testSuccessfulCall("pkcs12.xml",
+ "https://localhost:" + BusServer.getPort(6) + "/SoapContext/HttpsPort");
+ }
+
+ @Test
+ public final void testResourceKeySpecEndpoint() throws Exception {
+ testSuccessfulCall("resource-key-spec.xml",
+ "https://localhost:" + BusServer.getPort(4) + "/SoapContext/HttpsPort");
+ }
+ @Test
+ public final void testResourceKeySpecEndpointURL() throws Exception {
+ testSuccessfulCall("resource-key-spec-url.xml",
+ "https://localhost:" + BusServer.getPort(5) + "/SoapContext/HttpsPort",
+ new URL("https://localhost:" + BusServer.getPort(5) + "/SoapContext/HttpsPort?wsdl"),
+ true);
+
+ }
+
+ public static class ServerManagersFactory {
+ public static KeyManager[] getKeyManagers() {
+ KeyManagersType kmt = new KeyManagersType();
+ KeyStoreType kst = new KeyStoreType();
+ kst.setFile("src/test/resources/keys/Bethal.jks");
+ kst.setPassword("password");
+ kst.setType("JKS");
+
+ kmt.setKeyStore(kst);
+ kmt.setKeyPassword("password");
+ try {
+ return TLSParameterJaxBUtils.getKeyManagers(kmt);
+ } catch (Exception e) {
+ throw new RuntimeException("failed to retrieve key managers", e);
+ }
+ }
+
+ public static TrustManager[] getTrustManagers() {
+ TrustManagersType tmt = new TrustManagersType();
+ KeyStoreType kst = new KeyStoreType();
+ kst.setFile("src/test/resources/keys/Truststore.jks");
+ kst.setPassword("password");
+ kst.setType("JKS");
+
+ tmt.setKeyStore(kst);
+ try {
+ return TLSParameterJaxBUtils.getTrustManagers(tmt);
+ } catch (Exception e) {
+ throw new RuntimeException("failed to retrieve trust managers", e);
+ }
+ }
+ }
+
+ public static class ClientManagersFactory {
+ public static KeyManager[] getKeyManagers() {
+ KeyManagersType kmt = new KeyManagersType();
+ KeyStoreType kst = new KeyStoreType();
+ kst.setFile("src/test/resources/keys/Morpit.jks");
+ kst.setPassword("password");
+ kst.setType("JKS");
+
+ kmt.setKeyStore(kst);
+ kmt.setKeyPassword("password");
+ try {
+ return TLSParameterJaxBUtils.getKeyManagers(kmt);
+ } catch (Exception e) {
+ throw new RuntimeException("failed to retrieve key managers", e);
+ }
+ }
+
+ public static TrustManager[] getTrustManagers() {
+ TrustManagersType tmt = new TrustManagersType();
+ KeyStoreType kst = new KeyStoreType();
+ kst.setFile("src/test/resources/keys/Truststore.jks");
+ kst.setPassword("password");
+ kst.setType("JKS");
+
+ tmt.setKeyStore(kst);
+ try {
+ return TLSParameterJaxBUtils.getTrustManagers(tmt);
+ } catch (Exception e) {
+ throw new RuntimeException("failed to retrieve trust managers", e);
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java
new file mode 100644
index 0000000..c754f99
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java
@@ -0,0 +1,761 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.BusApplicationContext;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.systest.https.BusServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transport.http.MessageTrustDecider;
+import org.apache.cxf.transport.http.URLConnectionInfo;
+import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
+import org.apache.cxf.transport.http.auth.HttpAuthHeader;
+import org.apache.cxf.transport.http.auth.HttpAuthSupplier;
+import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.context.ApplicationContext;
+
+/**
+ * This class tests several issues and Conduit policies based
+ * on a set up of redirecting servers.
+ * <pre>
+ *
+ * Http Redirection:
+ *
+ * Poltim(https:9005) ----> Mortimer (http:9000)
+ *
+ * HttpS redirection/Trust:
+ *
+ * Tarpin(https:9003) ----> Gordy(https:9001) ----> Bethal(https:9002)
+ *
+ * Hostname Verifier Test
+ *
+ * Morpit (https:9008)
+ *
+ * </pre>HTTPConduitTest
+ * The Bethal server issues 401 with differing realms depending on the
+ * User name given in the authorization header.
+ * <p>
+ * The Morpit has a CN that is not equal to "localhost" to kick in
+ * the Hostname Verifier.
+ */
+public class HTTPSConduitTest extends AbstractBusClientServerTestBase {
+ private static final boolean IN_PROCESS = true;
+
+ private static TLSClientParameters tlsClientParameters = new TLSClientParameters();
+ private static List<String> servers = new ArrayList<String>();
+
+ private static Map<String, String> addrMap = new TreeMap<String, String>();
+
+ static {
+ try {
+ //System.setProperty("javax.net.debug", "all");
+ URL key = Server.class.getResource("../../../../../../keys/Morpit.jks");
+ String keystore = new File(key.toURI()).getAbsolutePath();
+ //System.out.println("Keystore: " + keystore);
+ KeyManager[] kmgrs = getKeyManagers(getKeyStore("JKS", keystore, "password"), "password");
+
+ key = Server.class.getResource("../../../../../../keys/Truststore.jks");
+
+ String truststore = new File(key.toURI()).getAbsolutePath();
+ //System.out.println("Truststore: " + truststore);
+ TrustManager[] tmgrs = getTrustManagers(getKeyStore("JKS", truststore, "password"));
+
+ tlsClientParameters.setKeyManagers(kmgrs);
+ tlsClientParameters.setTrustManagers(tmgrs);
+ } catch (Exception e) {
+ throw new RuntimeException("Static initialization failed", e);
+ }
+ }
+
+ private final QName serviceName =
+ new QName("http://apache.org/hello_world", "SOAPService");
+ private final QName bethalQ =
+ new QName("http://apache.org/hello_world", "Bethal");
+ private final QName gordyQ =
+ new QName("http://apache.org/hello_world", "Gordy");
+ private final QName tarpinQ =
+ new QName("http://apache.org/hello_world", "Tarpin");
+ private final QName poltimQ =
+ new QName("http://apache.org/hello_world", "Poltim");
+
+ public HTTPSConduitTest() {
+ }
+
+
+ public static String getPort(String s) {
+ return BusServer.PORTMAP.get(s);
+ }
+
+ @BeforeClass
+ public static void allocatePorts() {
+ BusServer.resetPortMap();
+ addrMap.clear();
+ addrMap.put("Mortimer", "http://localhost:" + getPort("PORT0") + "/");
+ addrMap.put("Tarpin", "https://localhost:" + getPort("PORT1") + "/");
+ addrMap.put("Poltim", "https://localhost:" + getPort("PORT2") + "/");
+ addrMap.put("Gordy", "https://localhost:" + getPort("PORT3") + "/");
+ addrMap.put("Bethal", "https://localhost:" + getPort("PORT4") + "/");
+ addrMap.put("Morpit", "https://localhost:" + getPort("PORT5") + "/");
+ tlsClientParameters.setDisableCNCheck(true);
+ servers.clear();
+ }
+
+
+ /**
+ * This function is used to start up a server. It only "starts" a
+ * server if it hasn't been started before, hence its static nature.
+ * <p>
+ * This approach is used to start the needed servers for a particular test
+ * instead of starting them all in "startServers". This single needed
+ * server approach allieviates the pain in starting them all just to run
+ * a particular test in the debugger.
+ */
+ public synchronized boolean startServer(String name) {
+ if (servers.contains(name)) {
+ return true;
+ }
+ Bus bus = BusFactory.getThreadDefaultBus(false);
+ URL serverC =
+ Server.class.getResource(name + ".cxf");
+ BusFactory.setDefaultBus(null);
+ BusFactory.setThreadDefaultBus(null);
+ boolean server = launchServer(Server.class, null,
+ new String[] {
+ name,
+ addrMap.get(name),
+ serverC.toString() },
+ IN_PROCESS);
+ if (server) {
+ servers.add(name);
+ }
+ BusFactory.setDefaultBus(null);
+ BusFactory.setThreadDefaultBus(bus);
+ return server;
+ }
+
+ @AfterClass
+ public static void cleanUp() {
+ Bus b = BusFactory.getDefaultBus(false);
+ if (b != null) {
+ b.shutdown(true);
+ }
+ b = BusFactory.getThreadDefaultBus(false);
+ if (b != null) {
+ b.shutdown(true);
+ }
+ }
+
+ public static KeyStore getKeyStore(String ksType, String file, String ksPassword)
+ throws GeneralSecurityException,
+ IOException {
+
+ String type = ksType != null
+ ? ksType
+ : KeyStore.getDefaultType();
+
+ char[] password = ksPassword != null
+ ? ksPassword.toCharArray()
+ : null;
+
+ // We just use the default Keystore provider
+ KeyStore keyStore = KeyStore.getInstance(type);
+
+ keyStore.load(new FileInputStream(file), password);
+
+ return keyStore;
+ }
+
+ public static KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword)
+ throws GeneralSecurityException,
+ IOException {
+ // For tests, we just use the default algorithm
+ String alg = KeyManagerFactory.getDefaultAlgorithm();
+
+ char[] keyPass = keyPassword != null
+ ? keyPassword.toCharArray()
+ : null;
+
+ // For tests, we just use the default provider.
+ KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
+
+ fac.init(keyStore, keyPass);
+
+ return fac.getKeyManagers();
+ }
+
+ public static TrustManager[] getTrustManagers(KeyStore keyStore)
+ throws GeneralSecurityException,
+ IOException {
+ // For tests, we just use the default algorithm
+ String alg = TrustManagerFactory.getDefaultAlgorithm();
+
+ // For tests, we just use the default provider.
+ TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
+
+ fac.init(keyStore);
+
+ return fac.getTrustManagers();
+ }
+
+ //methods that a subclass can override to inject a Proxy into the flow
+ //and assert the proxy was appropriately called
+ public void configureProxy(Client c) {
+ }
+ public void resetProxyCount() {
+ }
+ public void assertProxyRequestCount(int i) {
+ }
+
+ /**
+ * We use this class to reset the default bus.
+ * Note: This may not always work in the future.
+ * I was lucky in that "defaultBus" is actually a
+ * protected static.
+ */
+ class DefaultBusFactory extends SpringBusFactory {
+ public Bus createBus(URL config) {
+ Bus bus = super.createBus(config, true);
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+ return bus;
+ }
+ }
+
+ /**
+ * This methods tests a basic https connection to Bethal.
+ * It supplies an authorization policy with preemptive user/pass
+ * to avoid the 401.
+ */
+ @Test
+ public void testHttpsBasicConnectionWithConfig() throws Exception {
+ startServer("Bethal");
+
+ URL config = getClass().getResource("BethalClientConfig.cxf");
+
+ // We go through the back door, setting the default bus.
+ new DefaultBusFactory().createBus(config);
+ URL wsdl = getClass().getResource("greeting.wsdl");
+ assertNotNull("WSDL is null", wsdl);
+
+ SOAPService service = new SOAPService(wsdl, serviceName);
+ assertNotNull("Service is null", service);
+
+ Greeter bethal = service.getPort(bethalQ, Greeter.class);
+
+ assertNotNull("Port is null", bethal);
+ updateAddressPort(bethal, getPort("PORT4"));
+ verifyBethalClient(bethal);
+ }
+
+ @Test
+ public void testGetClientFromSpringContext() throws Exception {
+ startServer("Bethal");
+
+ BusFactory.setDefaultBus(null);
+ // The client bean configuration file
+ URL beans = getClass().getResource("BethalClientBeans.xml");
+ // We go through the back door, setting the default bus.
+ Bus bus = new DefaultBusFactory().createBus(beans);
+
+ ApplicationContext context = bus.getExtension(BusApplicationContext.class);
+ Greeter bethal = (Greeter)context.getBean("Bethal");
+ updateAddressPort(bethal, getPort("PORT4"));
+ // verify the client side's setting
+ verifyBethalClient(bethal);
+ }
+
+ // we just verify the configurations are loaded successfully
+ private void verifyBethalClient(Greeter bethal) {
+ Client client = ClientProxy.getClient(bethal);
+
+ HTTPConduit http =
+ (HTTPConduit) client.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = http.getClient();
+ assertEquals("the httpClientPolicy's autoRedirect should be true",
+ true, httpClientPolicy.isAutoRedirect());
+ TLSClientParameters tlsParameters = http.getTlsClientParameters();
+ assertNotNull("the http conduit's tlsParameters should not be null", tlsParameters);
+
+
+ // If we set any name, but Edward, Mary, or George,
+ // and a password of "password" we will get through
+ // Bethal.
+ AuthorizationPolicy authPolicy = http.getAuthorization();
+ assertEquals("Set the wrong user name from the configuration",
+ "Betty", authPolicy.getUserName());
+ assertEquals("Set the wrong pass word form the configuration",
+ "password", authPolicy.getPassword());
+
+ configureProxy(ClientProxy.getClient(bethal));
+
+ String answer = bethal.sayHi();
+ answer = bethal.sayHi();
+ answer = bethal.sayHi();
+ answer = bethal.sayHi();
+ answer = bethal.sayHi();
+ assertTrue("Unexpected answer: " + answer,
+ "Bonjour from Bethal".equals(answer));
+
+ //With HTTPS, it will just be a CONNECT to the proxy and all the
+ //data is encrypted. Thus, the proxy cannot distinquish the requests
+ assertProxyRequestCount(0);
+ }
+
+ /**
+ * This methods tests a basic https connection to Bethal.
+ * It supplies an authorization policy with premetive user/pass
+ * to avoid the 401.
+ */
+ @Test
+ public void testHttpsBasicConnection() throws Exception {
+ startServer("Bethal");
+
+ URL wsdl = getClass().getResource("greeting.wsdl");
+ assertNotNull("WSDL is null", wsdl);
+
+ SOAPService service = new SOAPService(wsdl, serviceName);
+ assertNotNull("Service is null", service);
+
+ Greeter bethal = service.getPort(bethalQ, Greeter.class);
+ assertNotNull("Port is null", bethal);
+ updateAddressPort(bethal, getPort("PORT4"));
+
+ // Okay, I'm sick of configuration files.
+ // This also tests dynamic configuration of the conduit.
+ Client client = ClientProxy.getClient(bethal);
+ HTTPConduit http =
+ (HTTPConduit) client.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+
+ httpClientPolicy.setAutoRedirect(false);
+ // If we set any name, but Edward, Mary, or George,
+ // and a password of "password" we will get through
+ // Bethal.
+ AuthorizationPolicy authPolicy = new AuthorizationPolicy();
+ authPolicy.setUserName("Betty");
+ authPolicy.setPassword("password");
+
+ http.setClient(httpClientPolicy);
+ http.setTlsClientParameters(tlsClientParameters);
+ http.setAuthorization(authPolicy);
+
+ configureProxy(client);
+ String answer = bethal.sayHi();
+ assertTrue("Unexpected answer: " + answer,
+ "Bonjour from Bethal".equals(answer));
+ assertProxyRequestCount(0);
+ }
+
+
+ @Test
+ public void testHttpsRedirectToHttpFail() throws Exception {
+ startServer("Mortimer");
+ startServer("Poltim");
+
+ URL wsdl = getClass().getResource("greeting.wsdl");
+ assertNotNull("WSDL is null", wsdl);
+
+ SOAPService service = new SOAPService(wsdl, serviceName);
+ assertNotNull("Service is null", service);
+
+ Greeter poltim = service.getPort(poltimQ, Greeter.class);
+ assertNotNull("Port is null", poltim);
+ updateAddressPort(poltim, getPort("PORT2"));
+
+ // Okay, I'm sick of configuration files.
+ // This also tests dynamic configuration of the conduit.
+ Client client = ClientProxy.getClient(poltim);
+ HTTPConduit http =
+ (HTTPConduit) client.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+
+ httpClientPolicy.setAutoRedirect(true);
+
+ http.setClient(httpClientPolicy);
+ http.setTlsClientParameters(tlsClientParameters);
+ configureProxy(client);
+ poltim.sayHi();
+ //client -> poltim is https and thus not recorded but then redirected to mortimer
+ //client -> mortimer is http and recoreded
+ assertProxyRequestCount(1);
+ }
+
+ class MyHttpsTrustDecider extends MessageTrustDecider {
+
+ private String[] trustName;
+ private int called;
+
+ MyHttpsTrustDecider(String name) {
+ trustName = new String[] {name};
+ }
+
+ MyHttpsTrustDecider(String[] name) {
+ trustName = name;
+ }
+
+ public int wasCalled() {
+ return called;
+ }
+
+ public void establishTrust(
+ String conduitName,
+ URLConnectionInfo cinfo,
+ Message message
+ ) throws UntrustedURLConnectionIOException {
+
+ called++;
+
+ HttpsURLConnectionInfo ci = (HttpsURLConnectionInfo) cinfo;
+ boolean trusted = false;
+ for (int i = 0; i < trustName.length; i++) {
+ trusted = trusted
+ || ci.getPeerPrincipal()
+ .toString().contains("OU=" + trustName[i]);
+ }
+ if (!trusted) {
+ throw new UntrustedURLConnectionIOException(
+ "Peer Principal \""
+ + ci.getPeerPrincipal()
+ + "\" does not contain "
+ + getTrustNames());
+ }
+ }
+
+ private String getTrustNames() {
+ StringBuffer sb = new StringBuffer();
+ for (int i = 0; i < trustName.length; i++) {
+ sb.append("\"OU=");
+ sb.append(trustName[i]);
+ sb.append("\"");
+ if (i < trustName.length - 1) {
+ sb.append(", ");
+ }
+ }
+ return sb.toString();
+ }
+ }
+
+ @Test
+ public void testHttpsTrust() throws Exception {
+ startServer("Bethal");
+
+ URL wsdl = getClass().getResource("greeting.wsdl");
+ assertNotNull("WSDL is null", wsdl);
+
+ SOAPService service = new SOAPService(wsdl, serviceName);
+ assertNotNull("Service is null", service);
+
+ Greeter bethal = service.getPort(bethalQ, Greeter.class);
+ assertNotNull("Port is null", bethal);
+ updateAddressPort(bethal, getPort("PORT4"));
+
+ // Okay, I'm sick of configuration files.
+ // This also tests dynamic configuration of the conduit.
+ Client client = ClientProxy.getClient(bethal);
+ HTTPConduit http =
+ (HTTPConduit) client.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+
+ httpClientPolicy.setAutoRedirect(false);
+ // If we set any name, but Edward, Mary, or George,
+ // and a password of "password" we will get through
+ // Bethal.
+ AuthorizationPolicy authPolicy = new AuthorizationPolicy();
+ authPolicy.setUserName("Betty");
+ authPolicy.setPassword("password");
+
+ http.setClient(httpClientPolicy);
+ http.setTlsClientParameters(tlsClientParameters);
+ http.setAuthorization(authPolicy);
+
+ // Our expected server should be OU=Bethal
+ http.setTrustDecider(new MyHttpsTrustDecider("Bethal"));
+
+ configureProxy(client);
+ String answer = bethal.sayHi();
+ assertTrue("Unexpected answer: " + answer,
+ "Bonjour from Bethal".equals(answer));
+ assertProxyRequestCount(0);
+
+
+ // Nobody will not equal OU=Bethal
+ MyHttpsTrustDecider trustDecider =
+ new MyHttpsTrustDecider("Nobody");
+ http.setTrustDecider(trustDecider);
+ try {
+ answer = bethal.sayHi();
+ fail("Unexpected answer from Bethal: " + answer);
+ } catch (Exception e) {
+ //e.printStackTrace();
+ //assertTrue("Trust Decider was not called",
+ // 0 > trustDecider.wasCalled());
+ }
+ assertProxyRequestCount(0);
+ }
+
+ @Test
+ public void testHttpsTrustRedirect() throws Exception {
+ startServer("Tarpin");
+ startServer("Gordy");
+ startServer("Bethal");
+
+ URL wsdl = getClass().getResource("greeting.wsdl");
+ assertNotNull("WSDL is null", wsdl);
+
+ SOAPService service = new SOAPService(wsdl, serviceName);
+ assertNotNull("Service is null", service);
+
+ Greeter tarpin = service.getPort(tarpinQ, Greeter.class);
+ assertNotNull("Port is null", tarpin);
+ updateAddressPort(tarpin, getPort("PORT1"));
+
+ // Okay, I'm sick of configuration files.
+ // This also tests dynamic configuration of the conduit.
+ Client client = ClientProxy.getClient(tarpin);
+ HTTPConduit http =
+ (HTTPConduit) client.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+
+ httpClientPolicy.setAutoRedirect(true);
+ // If we set any name, but Edward, Mary, or George,
+ // and a password of "password" we will get through
+ // Bethal.
+ AuthorizationPolicy authPolicy = new AuthorizationPolicy();
+ authPolicy.setUserName("Betty");
+ authPolicy.setPassword("password");
+
+ http.setClient(httpClientPolicy);
+ http.setTlsClientParameters(tlsClientParameters);
+ http.setAuthorization(authPolicy);
+
+ // We get redirected from Tarpin, to Gordy, to Bethal.
+ MyHttpsTrustDecider trustDecider =
+ new MyHttpsTrustDecider(
+ new String[] {"Tarpin", "Gordy", "Bethal"});
+ http.setTrustDecider(trustDecider);
+
+ // We actually get our answer from Bethal at the end of the
+ // redirects.
+ configureProxy(ClientProxy.getClient(tarpin));
+ String answer = tarpin.sayHi();
+ assertProxyRequestCount(0);
+
+ assertTrue("Trust Decider wasn't called correctly",
+ 3 == trustDecider.wasCalled());
+ assertTrue("Unexpected answer: " + answer,
+ "Bonjour from Bethal".equals(answer));
+
+ // Limit the redirects to 1, since there are two, this should fail.
+ http.getClient().setMaxRetransmits(1);
+
+ try {
+ answer = tarpin.sayHi();
+ fail("Unexpected answer from Tarpin: " + answer);
+ } catch (Exception e) {
+ //e.printStackTrace();
+ }
+ assertProxyRequestCount(0);
+
+ // Set back to unlimited.
+ http.getClient().setMaxRetransmits(-1);
+
+ // Effectively we will not trust Gordy in the middle.
+ trustDecider =
+ new MyHttpsTrustDecider(
+ new String[] {"Tarpin", "Bethal"});
+ http.setTrustDecider(trustDecider);
+
+ try {
+ answer = tarpin.sayHi();
+ fail("Unexpected answer from Tarpin: " + answer);
+ } catch (Exception e) {
+ //e.printStackTrace();
+ assertTrue("Trust Decider wasn't called correctly",
+ 2 == trustDecider.wasCalled());
+ }
+ assertProxyRequestCount(0);
+ }
+
+ public class MyBasicAuthSupplier implements HttpAuthSupplier {
+
+ String realm;
+ String user;
+ String pass;
+
+ /**
+ * This will loop from Cronus, to Andromeda, to Zorantius
+ */
+ MyBasicAuthSupplier() {
+ }
+
+ MyBasicAuthSupplier(String r, String u, String p) {
+ realm = r;
+ user = u;
+ pass = p;
+ }
+
+ /**
+ * If we don't have the realm set, then we loop
+ * through the realms.
+ */
+ public String getAuthorization(
+ AuthorizationPolicy authPolicy,
+ URI currentURI,
+ Message message,
+ String fullHeader
+ ) {
+ String reqestedRealm = new HttpAuthHeader(fullHeader).getRealm();
+ if (realm != null && realm.equals(reqestedRealm)) {
+ return createUserPass(user, pass);
+ }
+ if ("Andromeda".equals(reqestedRealm)) {
+ // This will get us another 401 to Zorantius
+ return createUserPass("Edward", "password");
+ }
+ if ("Zorantius".equals(reqestedRealm)) {
+ // George will get us another 401 to Cronus
+ return createUserPass("George", "password");
+ }
+ if ("Cronus".equals(reqestedRealm)) {
+ // Mary will get us another 401 to Andromeda
+ return createUserPass("Mary", "password");
+ }
+ return null;
+ }
+
+ private String createUserPass(String usr, String pwd) {
+ String userpass = usr + ":" + pwd;
+ String token = Base64Utility.encode(userpass.getBytes());
+ return "Basic " + token;
+ }
+
+ public boolean requiresRequestCaching() {
+ return false;
+ }
+
+ }
+
+ /**
+ * This tests redirects through Gordy to Bethal. Bethal will
+ * supply a series of 401s. See PushBack401.
+ */
+ @Test
+ public void testHttpsRedirect401Response() throws Exception {
+ startServer("Gordy");
+ startServer("Bethal");
+
+ URL wsdl = getClass().getResource("greeting.wsdl");
+ assertNotNull("WSDL is null", wsdl);
+
+ SOAPService service = new SOAPService(wsdl, serviceName);
+ assertNotNull("Service is null", service);
+
+ Greeter gordy = service.getPort(gordyQ, Greeter.class);
+ assertNotNull("Port is null", gordy);
+ updateAddressPort(gordy, getPort("PORT3"));
+
+ // Okay, I'm sick of configuration files.
+ // This also tests dynamic configuration of the conduit.
+ Client client = ClientProxy.getClient(gordy);
+
+ BindingProvider provider = (BindingProvider)gordy;
+ provider.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
+
+ HTTPConduit http =
+ (HTTPConduit) client.getConduit();
+
+ HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+
+ httpClientPolicy.setAutoRedirect(true);
+ http.setClient(httpClientPolicy);
+ http.setTlsClientParameters(tlsClientParameters);
+
+ // We get redirected from Gordy, to Bethal.
+ http.setTrustDecider(
+ new MyHttpsTrustDecider(
+ new String[] {"Gordy", "Bethal"}));
+
+ // Without preemptive user/pass Bethal returns a
+ // 401 for realm Cronus. If we supply any name other
+ // than Edward, George, or Mary, with the pass of "password"
+ // we should succeed.
+ http.setAuthSupplier(
+ new MyBasicAuthSupplier("Cronus", "Betty", "password"));
+
+ // We actually get our answer from Bethal at the end of the
+ // redirects.
+ String answer = gordy.sayHi();
+ assertTrue("Unexpected answer: " + answer,
+ "Bonjour from Bethal".equals(answer));
+
+ // The loop auth supplier,
+ // We should die with looping realms.
+ http.setAuthSupplier(new MyBasicAuthSupplier());
+
+ try {
+ answer = gordy.sayHi();
+ fail("Unexpected answer from Gordy: " + answer);
+ } catch (Exception e) {
+ //e.printStackTrace();
+ }
+ }
+
+}
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java
new file mode 100644
index 0000000..82369df
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.util.HashMap;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.cxf.configuration.security.ProxyAuthorizationPolicy;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
+import org.jboss.netty.handler.codec.http.HttpRequest;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+import org.littleshoot.proxy.DefaultHttpProxyServer;
+import org.littleshoot.proxy.HttpFilter;
+import org.littleshoot.proxy.HttpRequestFilter;
+import org.littleshoot.proxy.ProxyAuthorizationHandler;
+
+
+/**
+ *
+ */
+public class HTTPSProxyAuthConduitTest extends HTTPSConduitTest {
+ static final int PROXY_PORT = Integer.parseInt(allocatePort(HTTPSProxyAuthConduitTest.class));
+ static DefaultHttpProxyServer proxy;
+ static CountingFilter requestFilter = new CountingFilter();
+
+ static class CountingFilter implements HttpRequestFilter {
+ AtomicInteger count = new AtomicInteger();
+ public void filter(HttpRequest httpRequest) {
+ count.incrementAndGet();
+ }
+
+ public void reset() {
+ count.set(0);
+ }
+ public int getCount() {
+ return count.get();
+ }
+ }
+
+ public HTTPSProxyAuthConduitTest() {
+ }
+
+
+ @AfterClass
+ public static void stopProxy() {
+ proxy.stop();
+ proxy = null;
+ }
+
+ @BeforeClass
+ public static void startProxy() {
+ proxy = new DefaultHttpProxyServer(PROXY_PORT, requestFilter, new HashMap<String, HttpFilter>());
+ proxy.addProxyAuthenticationHandler(new ProxyAuthorizationHandler() {
+ public boolean authenticate(String userName, String password) {
+ return "password".equals(password) && "CXF".equals(userName);
+ }
+ });
+ proxy.start();
+ }
+ @Before
+ public void resetCount() {
+ requestFilter.reset();
+ }
+
+ public void configureProxy(Client client) {
+ HTTPConduit cond = (HTTPConduit)client.getConduit();
+ HTTPClientPolicy pol = cond.getClient();
+ if (pol == null) {
+ pol = new HTTPClientPolicy();
+ cond.setClient(pol);
+ }
+ pol.setProxyServer("localhost");
+ pol.setProxyServerPort(PROXY_PORT);
+ ProxyAuthorizationPolicy auth = new ProxyAuthorizationPolicy();
+ auth.setUserName("CXF");
+ auth.setPassword("password");
+ cond.setProxyAuthorization(auth);
+ }
+
+ public void resetProxyCount() {
+ requestFilter.reset();
+ }
+ public void assertProxyRequestCount(int i) {
+ assertEquals("Unexpected request count", i, requestFilter.getCount());
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java
new file mode 100644
index 0000000..2338c16
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.util.HashMap;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
+import org.jboss.netty.handler.codec.http.HttpRequest;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+import org.littleshoot.proxy.DefaultHttpProxyServer;
+import org.littleshoot.proxy.HttpFilter;
+import org.littleshoot.proxy.HttpRequestFilter;
+
+
+/**
+ *
+ */
+public class HTTPSProxyConduitTest extends HTTPSConduitTest {
+ static final int PROXY_PORT = Integer.parseInt(allocatePort(HTTPSProxyConduitTest.class));
+ static DefaultHttpProxyServer proxy;
+ static CountingFilter requestFilter = new CountingFilter();
+
+ static class CountingFilter implements HttpRequestFilter {
+ AtomicInteger count = new AtomicInteger();
+ public void filter(HttpRequest httpRequest) {
+ count.incrementAndGet();
+ }
+
+ public void reset() {
+ count.set(0);
+ }
+ public int getCount() {
+ return count.get();
+ }
+ }
+
+ public HTTPSProxyConduitTest() {
+ }
+
+
+ @AfterClass
+ public static void stopProxy() {
+ proxy.stop();
+ proxy = null;
+ }
+
+ @BeforeClass
+ public static void startProxy() {
+ proxy = new DefaultHttpProxyServer(PROXY_PORT, requestFilter, new HashMap<String, HttpFilter>());
+ proxy.start();
+ }
+ @Before
+ public void resetCount() {
+ requestFilter.reset();
+ }
+
+ public void configureProxy(Client client) {
+ HTTPConduit cond = (HTTPConduit)client.getConduit();
+ HTTPClientPolicy pol = cond.getClient();
+ if (pol == null) {
+ pol = new HTTPClientPolicy();
+ cond.setClient(pol);
+ }
+ pol.setProxyServer("localhost");
+ pol.setProxyServerPort(PROXY_PORT);
+ }
+
+ public void resetProxyCount() {
+ requestFilter.reset();
+ }
+ public void assertProxyRequestCount(int i) {
+ assertEquals("Unexpected request count", i, requestFilter.getCount());
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java
new file mode 100644
index 0000000..403917e
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.https.conduit;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+public class KeyPasswordCallbackHandler implements CallbackHandler {
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
+ UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ PasswordCallback pc = (PasswordCallback)callbacks[i];
+ pc.setPassword("password".toCharArray());
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java
new file mode 100644
index 0000000..b9503ab
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Exchange;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.transport.Conduit;
+import org.apache.cxf.transport.http.Headers;
+
+/*
+ * This interceptor will issue 401s
+ * No Authorization Header --> 401 Realm=Cronus
+ * Username Mary --> 401 Realm=Andromeda
+ * Username Edward --> 401 Realm=Zorantius
+ * Username George --> 401 Realm=Cronus
+ * If the password is not "password" a 401 is issued without
+ * realm.
+ */
+public class PushBack401 extends AbstractPhaseInterceptor<Message> {
+
+ PushBack401() {
+ super(Phase.RECEIVE);
+ }
+
+ /**
+ * This function extracts the user:pass token from
+ * the Authorization:Basic header. It returns a two element
+ * String array, the first being the userid, the second
+ * being the password. It returns null, if it cannot parse.
+ */
+ private String[] extractUserPass(String token) {
+ try {
+ byte[] userpass = Base64Utility.decode(token);
+ String up = IOUtils.newStringFromBytes(userpass);
+ String user = up.substring(0, up.indexOf(':'));
+ String pass = up.substring(up.indexOf(':') + 1);
+ return new String[] {user, pass};
+ } catch (Exception e) {
+ return null;
+ }
+
+ }
+
+ /**
+ * This function returns the realm which depends on
+ * the user name, as follows:
+ * <pre>
+ * Username Mary --> Andromeda
+ * Username Edward --> Zorantius
+ * Username George --> Cronus
+ * </pre>
+ * However, if the password is not "password" this function
+ * throws an exception, regardless.
+ */
+ private String checkUserPass(
+ String user,
+ String pass
+ ) throws Exception {
+ //System.out.println("Got user: " + user + " pass: " + pass);
+ if (!"password".equals(pass)) {
+ throw new Exception("bad password");
+ }
+ if ("Mary".equals(user)) {
+ return "Andromeda";
+ }
+ if ("Edward".equals(user)) {
+ return "Zorantius";
+ }
+ if ("George".equals(user)) {
+ return "Cronus";
+ }
+ return null;
+ }
+
+ @SuppressWarnings("unchecked")
+ public void handleMessage(Message message) throws Fault {
+
+ Map<String, List<String>> headers =
+ (Map<String, List<String>>)
+ message.get(Message.PROTOCOL_HEADERS);
+
+ List<String> auth = headers.get("Authorization");
+ if (auth == null) {
+ // No Auth Header, respond with 401 Realm=Cronus
+ replyUnauthorized(message, "Cronus");
+ return;
+ } else {
+ for (String a : auth) {
+ if (a.startsWith("Basic ")) {
+ String[] userpass =
+ extractUserPass(a.substring("Basic ".length()));
+ if (userpass != null) {
+ try {
+ String realm =
+ checkUserPass(userpass[0], userpass[1]);
+ if (realm != null) {
+ replyUnauthorized(message, realm);
+ return;
+ } else {
+ // Password is good and no realm
+ // We just return for successful fall thru.
+ return;
+ }
+ } catch (Exception e) {
+ // Bad Password
+ replyUnauthorized(message, null);
+ return;
+ }
+ }
+ }
+ }
+ // No Authorization: Basic
+ replyUnauthorized(message, null);
+ return;
+ }
+ }
+
+ /**
+ * This function issues a 401 response back down the conduit.
+ * If the realm is not null, a WWW-Authenticate: Basic realm=
+ * header is sent. The interceptor chain is aborted stopping
+ * the Message from going to the servant.
+ */
+ private void replyUnauthorized(Message message, String realm) {
+ Message outMessage = getOutMessage(message);
+ outMessage.put(Message.RESPONSE_CODE,
+ HttpURLConnection.HTTP_UNAUTHORIZED);
+
+ if (realm != null) {
+ setHeader(outMessage,
+ "WWW-Authenticate", "Basic realm=" + realm);
+ }
+ message.getInterceptorChain().abort();
+ try {
+ getConduit(message).prepare(outMessage);
+ close(outMessage);
+ } catch (IOException e) {
+ //System.out.println("Prepare of message not working." + e);
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * Retrieves/creates the corresponding Outbound Message.
+ */
+ private Message getOutMessage(Message message) {
+ Exchange exchange = message.getExchange();
+ Message outMessage = exchange.getOutMessage();
+ if (outMessage == null) {
+ Endpoint endpoint = exchange.get(Endpoint.class);
+ outMessage = new MessageImpl();
+ outMessage.putAll(message);
+ outMessage.remove(Message.PROTOCOL_HEADERS);
+ outMessage.setExchange(exchange);
+ outMessage = endpoint.getBinding().createMessage(outMessage);
+ exchange.setOutMessage(outMessage);
+ }
+ return outMessage;
+ }
+
+ /**
+ * This function sets the header in the PROTOCO_HEADERS of
+ * the message.
+ */
+ private void setHeader(Message message, String key, String value) {
+ Map<String, List<String>> responseHeaders = Headers.getSetProtocolHeaders(message);
+ responseHeaders.put(key, Arrays.asList(new String[] {value}));
+ }
+
+ /**
+ * This method retrieves/creates the conduit for the response
+ * message.
+ */
+ private Conduit getConduit(Message message) throws IOException {
+ Exchange exchange = message.getExchange();
+ Conduit conduit =
+ exchange.getDestination().getBackChannel(message);
+ exchange.setConduit(conduit);
+ return conduit;
+ }
+
+ /**
+ * This method closes the output stream associated with the
+ * message.
+ */
+ private void close(Message message) throws IOException {
+ OutputStream os = message.getContent(OutputStream.class);
+ os.flush();
+ os.close();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java
new file mode 100644
index 0000000..db00b72
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxws.EndpointImpl;
+import org.apache.cxf.systest.http.GreeterImpl;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+ public static final String PORT = allocatePort(Server.class);
+
+ private String name;
+ private String address;
+ private URL configFileURL;
+ private EndpointImpl ep;
+
+ public Server(String[] args) throws Exception {
+ this(args[0], args[1], args[2]);
+ }
+
+ public Server(String n, String addr, String conf) throws Exception {
+ name = n;
+ address = addr;
+ configFileURL = new URL(conf);
+ //System.out.println("Starting " + name
+ // + " Server at " + address
+ // + " with config " + configFileURL);
+
+ }
+ public void tearDown() throws Exception {
+ if (ep != null) {
+ ep.stop();
+ ep = null;
+ }
+ }
+
+ protected void run() {
+ // We use a null binding id in the call to EndpointImpl
+ // constructor. Why?
+ final String nullBindingID = null;
+
+ // We need to specify to use defaults on constructing the
+ // bus, because our configuration file doesn't have
+ // everything needed.
+ final boolean useDefaults = true;
+
+ // We configure a new bus for this server.
+ setBus(new SpringBusFactory().createBus(configFileURL, useDefaults));
+
+ // This impl class must have the appropriate annotations
+ // to match the WSDL file that we are using.
+ Object implementor = new GreeterImpl(name);
+
+ // I don't know why this works.
+ ep =
+ new EndpointImpl(
+ getBus(),
+ implementor,
+ nullBindingID,
+ this.getClass().getResource("greeting.wsdl").toString());
+ // How the hell do I know what the name of the
+ // http-destination is from using this call?
+ ep.setEndpointName(new QName("http://apache.org/hello_world", name));
+ ep.publish(address);
+ }
+
+
+ public static void main(String[] args) {
+ try {
+ Server s = new Server(args);
+ s.start();
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ System.exit(-1);
+ }
+ }
+}
+