Posted to commits@cxf.apache.org by dk...@apache.org on 2009/08/27 19:13:04 UTC
svn commit: r808542 - in /cxf/branches/2.2.x-fixes: ./
common/common/src/main/java/org/apache/cxf/helpers/
rt/transports/http/src/main/java/org/apache/cxf/transport/http/
rt/ws/security/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/bu...
Author: dkulp
Date: Thu Aug 27 17:13:03 2009
New Revision: 808542
URL: http://svn.apache.org/viewvc?rev=808542&view=rev
Log:
Merged revisions 808464 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r808464 | dkulp | 2009-08-27 11:38:42 -0400 (Thu, 27 Aug 2009) | 1 line
[CXF-2406] Fix issues with HttpsToken RequireClientCertificate
........
Modified:
cxf/branches/2.2.x-fixes/ (props changed)
cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java
cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug 27 17:13:03 2009
@@ -1 +1 @@
-/cxf/trunk:782728-782730,783097,783294,783396,784059,784181-784184,784893,784895,785279-785282,785468,785621,785624,785651,785734,785866,786142,786271-786272,786395,786512,786514,786582-786583,786638,786647,786850,787200,787269,787277-787279,787290-787291,787305,787323,787366,787849,788030,788060,788187,788444,788451,788703,788752,788774,788819-788820,789013,789371,789387,789420,789527-789530,789704-789705,789788,789811,789896-789901,790074,790094,790134,790188,790294,790553,790637-790644,790868,791301,791354,791538,791753,791947,792007,792096,792183,792261-792265,792271,792604,792683-792685,792975,792985,793059,793570,794297,794396,794680,794728,794771,794778-794780,794892,795044,795104,795160,795583,795907,796022-796023,796352,796593,796741,796780,796994-796997,797117,797159,797192,797194,797231-797233,797442,797505,797517,797534,797581-797583,797587,797640,797651,797699,797882-797883,798344-798346,798363,798461,798479,798533,798551,798557,798561-798562,798570,798573,79858
4,798654,798748-798749,798816,798891,798929-798930,799245,799267,799439,799448,799637,799723-799724,799792,800453,800497-800498,801380-801381,801447,801962,802892,803056,803129,803419,803460,803493,803689,804002,804175,804276,805784,805907,805909,806020-806021,806023,806405-806406,806576,806602-806604,806620,806627,806631,806633,806638,806687,806876,806922,806979-806982,807181,807205,807295,807748,807807,808035,808069,808085,808107
+/cxf/trunk:782728-782730,783097,783294,783396,784059,784181-784184,784893,784895,785279-785282,785468,785621,785624,785651,785734,785866,786142,786271-786272,786395,786512,786514,786582-786583,786638,786647,786850,787200,787269,787277-787279,787290-787291,787305,787323,787366,787849,788030,788060,788187,788444,788451,788703,788752,788774,788819-788820,789013,789371,789387,789420,789527-789530,789704-789705,789788,789811,789896-789901,790074,790094,790134,790188,790294,790553,790637-790644,790868,791301,791354,791538,791753,791947,792007,792096,792183,792261-792265,792271,792604,792683-792685,792975,792985,793059,793570,794297,794396,794680,794728,794771,794778-794780,794892,795044,795104,795160,795583,795907,796022-796023,796352,796593,796741,796780,796994-796997,797117,797159,797192,797194,797231-797233,797442,797505,797517,797534,797581-797583,797587,797640,797651,797699,797882-797883,798344-798346,798363,798461,798479,798533,798551,798557,798561-798562,798570,798573,79858
4,798654,798748-798749,798816,798891,798929-798930,799245,799267,799439,799448,799637,799723-799724,799792,800453,800497-800498,801380-801381,801447,801962,802892,803056,803129,803419,803460,803493,803689,804002,804175,804276,805784,805907,805909,806020-806021,806023,806405-806406,806576,806602-806604,806620,806627,806631,806633,806638,806687,806876,806922,806979-806982,807181,807205,807295,807748,807807,808035,808069,808085,808107,808464
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java (original)
+++ cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java Thu Aug 27 17:13:03 2009
@@ -175,7 +175,13 @@
}
public static String getAttribute(Element element, QName attName) {
- return element.getAttributeNS(attName.getNamespaceURI(), attName.getLocalPart());
+ Attr attr;
+ if (StringUtils.isEmpty(attName.getNamespaceURI())) {
+ attr = element.getAttributeNode(attName.getLocalPart());
+ } else {
+ attr = element.getAttributeNodeNS(attName.getNamespaceURI(), attName.getLocalPart());
+ }
+ return attr == null ? null : attr.getValue();
}
public static void setAttribute(Node node, String attName, String val) {
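Review bot: getAttribute now returns `null` for a missing attribute where `getAttributeNS` returned an empty string, and nothing on the method says so. Callers that are not visible in this hunk and that call `.equals(...)` or `.length()` on the result would now throw a NullPointerException, so they are worth auditing as part of this merge. I would add a Javadoc on the method stating `@return the attribute value, or null if the element has no such attribute`, and noting that an empty namespace URI is looked up with the non-namespaced `getAttributeNode`.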
Modified: cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java (original)
+++ cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java Thu Aug 27 17:13:03 2009
@@ -650,22 +650,39 @@
HttpURLConnection connection =
(HttpURLConnection) message.get(KEY_HTTP_CONNECTION);
- if (trustDecider != null) {
+ MessageTrustDecider decider2 = message.get(MessageTrustDecider.class);
+ if (trustDecider != null || decider2 != null) {
try {
// We must connect or we will not get the credentials.
// The call is (said to be) ingored internally if
// already connected.
connection.connect();
- trustDecider.establishTrust(
- getConduitName(),
- getConnectionFactory(connection.getURL()).getConnectionInfo(connection),
- message);
- if (LOG.isLoggable(Level.FINE)) {
- LOG.log(Level.FINE, "Trust Decider "
- + trustDecider.getLogicalName()
- + " considers Conduit "
- + getConduitName()
- + " trusted.");
+ URLConnectionInfo info = getConnectionFactory(connection.getURL())
+ .getConnectionInfo(connection);
+ if (trustDecider != null) {
+ trustDecider.establishTrust(
+ getConduitName(),
+ info,
+ message);
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.log(Level.FINE, "Trust Decider "
+ + trustDecider.getLogicalName()
+ + " considers Conduit "
+ + getConduitName()
+ + " trusted.");
+ }
+ }
+ if (decider2 != null) {
+ decider2.establishTrust(getConduitName(),
+ info,
+ message);
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.log(Level.FINE, "Trust Decider "
+ + decider2.getLogicalName()
+ + " considers Conduit "
+ + getConduitName()
+ + " trusted.");
+ }
}
} catch (UntrustedURLConnectionIOException untrustedEx) {
// This cast covers HttpsURLConnection as well.
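Review bot: The conduit-level and message-level trust checks are two copy-pasted blocks that differ only in the variable, and `decider2` says nothing about where the second decider comes from. In trust-enforcement code, duplicated branches are easy to update unevenly, so I would name the second one for its source (for example `messageDecider`) and run both through one loop, as sketched below; this assumes the `trustDecider` field is declared as `MessageTrustDecider`, which the hunk does not show. Both deciders must still pass, and an exception from either still reaches the existing catch. The enclosing method starts and ends outside the hunk.

```java
MessageTrustDecider messageDecider = message.get(MessageTrustDecider.class);
if (trustDecider != null || messageDecider != null) {
    try {
        // … unchanged: connection.connect() and its comment …
        URLConnectionInfo info = getConnectionFactory(connection.getURL())
            .getConnectionInfo(connection);
        // Conduit-level decider first, then the per-message one; either may veto.
        for (MessageTrustDecider decider
            : new MessageTrustDecider[] {trustDecider, messageDecider}) {
            if (decider == null) {
                continue;
            }
            decider.establishTrust(getConduitName(), info, message);
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Trust Decider "
                    + decider.getLogicalName()
                    + " considers Conduit "
                    + getConduitName()
                    + " trusted.");
            }
        }
    // … unchanged: catch (UntrustedURLConnectionIOException untrustedEx) …
```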
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml Thu Aug 27 17:13:03 2009
@@ -82,6 +82,12 @@
<scope>provided</scope>
</dependency>
<dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-transports-http</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
<groupId>javax.xml.soap</groupId>
<artifactId>saaj-api</artifactId>
</dependency>
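Review bot: The new `cxf-rt-transports-http` dependency is `provided`, yet HttpsTokenInterceptorProvider in this same commit now imports `MessageTrustDecider`, `URLConnectionInfo`, `UntrustedURLConnectionIOException` and `HttpsURLConnectionInfo` from it. A deployment that uses the ws-security module without the HTTP transport on the classpath could presumably hit a NoClassDefFoundError when the HttpsToken interceptor is loaded, rather than a clean policy failure. If that is the intended trade-off, say so next to the dependency, e.g. `<!-- provided: only needed when HttpsToken policies are used over the HTTP transport -->`.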
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java Thu Aug 27 17:13:03 2009
@@ -76,7 +76,7 @@
if (attr != null) {
httpsToken.setRequireClientCertificate("true".equals(attr));
}
- } else if (consts.getVersion() == SPConstants.Version.SP_V11) {
+ } else {
Element polEl = PolicyConstants.findPolicyElement(element);
if (polEl != null) {
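Review bot: `"true".equals(attr)` on the attribute branch accepts only the literal `true`; if RequireClientCertificate is typed as xs:boolean in the policy schema (not visible here), a policy written with `1` would be read as not requiring a client certificate, which fails open. Consider `httpsToken.setRequireClientCertificate("true".equals(attr) || "1".equals(attr));`. The bare `else` would also benefit from a comment such as `// any other policy version: RequireClientCertificate is a nested policy assertion`, since the version it handles is no longer named. The enclosing method starts and ends outside the hunk.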
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Thu Aug 27 17:13:03 2009
@@ -34,6 +34,10 @@
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.transport.http.MessageTrustDecider;
+import org.apache.cxf.transport.http.URLConnectionInfo;
+import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
+import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -46,7 +50,7 @@
*
*/
public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
-
+
public HttpsTokenInterceptorProvider() {
super(Arrays.asList(SP11Constants.HTTPS_TOKEN, SP12Constants.HTTPS_TOKEN));
this.getOutInterceptors().add(new HttpsTokenOutInterceptor());
@@ -67,7 +71,7 @@
static class HttpsTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
public HttpsTokenOutInterceptor() {
- super(Phase.PREPARE_SEND);
+ super(Phase.PRE_STREAM);
}
public void handleMessage(Message message) throws Fault {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
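Review bot: The move from `Phase.PREPARE_SEND` to `Phase.PRE_STREAM` in the HttpsTokenOutInterceptor constructor is load-bearing but uncommented. Judging from the rest of this commit, the interceptor now registers a `MessageTrustDecider` on the message that HTTPConduit consults when it connects, so the phase has to keep that ordering intact. I would add a comment above the `super(...)` call such as `// must run after the conduit has created the connection and before it connects, so the trust decider registered below is consulted`, after confirming the ordering. handleMessage continues outside the hunk.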
@@ -96,11 +100,29 @@
ai.setAsserted(true);
Map<String, List<String>> headers = getSetProtocolHeaders(message);
+
if (connection instanceof HttpsURLConnection) {
- HttpsURLConnection https = (HttpsURLConnection)connection;
- if (token.isRequireClientCertificate()
- && https.getLocalCertificates().length == 0) {
- ai.setNotAsserted("RequireClientCertificate is set, but no local certificates");
+ if (token.isRequireClientCertificate()) {
+ final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
+ MessageTrustDecider trust = new MessageTrustDecider() {
+ public void establishTrust(String conduitName,
+ URLConnectionInfo connectionInfo,
+ Message message)
+ throws UntrustedURLConnectionIOException {
+ if (orig != null) {
+ orig.establishTrust(conduitName, connectionInfo, message);
+ }
+ HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;
+ if (info.getLocalCertificates() == null
+ || info.getLocalCertificates().length == 0) {
+ throw new UntrustedURLConnectionIOException(
+ "RequireClientCertificate is set, "
+ + "but no local certificates we negotiated. Is"
+ + " the server set to ask for client authorization?");
+ }
+ }
+ };
+ message.put(MessageTrustDecider.class, trust);
}
if (token.isHttpBasicAuthentication()) {
List<String> auth = headers.get("Authorization");
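Review bot: The unchecked cast `(HttpsURLConnectionInfo)connectionInfo` inside the new `establishTrust` would surface as a ClassCastException rather than an `UntrustedURLConnectionIOException` if the decider is ever handed non-HTTPS connection info. The outer `connection instanceof HttpsURLConnection` test is made when the interceptor runs, not when the conduit later calls the decider, so whether the two can differ (for example on a retransmit) cannot be told from the hunk. Failing closed with the typed exception is safer: `if (!(connectionInfo instanceof HttpsURLConnectionInfo)) { throw new UntrustedURLConnectionIOException("RequireClientCertificate is set, but the connection is not HTTPS"); }`. The message text also reads "we negotiated" and "client authorization", where "were negotiated" and "client authentication" appear to be meant. The if-block on HttpsURLConnection continues outside the hunk.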
@@ -174,7 +196,8 @@
TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
if (tlsInfo != null) {
if (token.isRequireClientCertificate()
- && tlsInfo.getPeerCertificates().length == 0) {
+ && (tlsInfo.getPeerCertificates() == null
+ || tlsInfo.getPeerCertificates().length == 0)) {
asserted = false;
}
} else {