Posted to commits@cxf.apache.org by cl...@apache.org on 2010/03/09 10:01:18 UTC
svn commit: r920741 - in /cxf/trunk:
api/src/main/java/org/apache/cxf/configuration/jsse/
common/schemas/src/main/resources/schemas/configuration/
rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/
rt/transports/http/src/main/ja...
Author: cleclerc
Date: Tue Mar 9 09:01:17 2010
New Revision: 920741
URL: http://svn.apache.org/viewvc?rev=920741&view=rev
Log:
[CXF-2693] Allow the use of HttpsURLConnection's defaultSSLSocketFactory and defaultHostnameVerifier in the CXF client
Modified:
cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Modified: cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=920741&r1=920740&r2=920741&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java Tue Mar 9 09:01:17 2010
@@ -27,7 +27,9 @@ import javax.net.ssl.SSLSocketFactory;
*/
public class TLSClientParameters extends TLSParameterBase {
private boolean disableCNCheck;
- private SSLSocketFactory sslSocketFactory;
+ private SSLSocketFactory sslSocketFactory;
+ private boolean useHttpsURLConnectionDefaultSslSocketFactory;
+ private boolean useHttpsURLConnectionDefaultHostnameVerifier;
/**
* Set whether or not JSEE should omit checking if the host name
@@ -62,5 +64,46 @@ public class TLSClientParameters extends
*/
public final SSLSocketFactory getSSLSocketFactory() {
return sslSocketFactory;
- }
+ }
+
+ /**
+ * Returns whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultSSLSocketFactory()}Êshould be
+ * used to create https connections. If <code>true</code> , {@link #getJsseProvider()} ,
+ * {@link #getSecureSocketProtocol()}, {@link #getTrustManagers()}, {@link #getKeyManagers()},
+ * {@link #getSecureRandom()}, {@link #getCipherSuites()} and {@link #getCipherSuitesFilter()} are
+ * ignored.
+ */
+ public boolean isUseHttpsURLConnectionDefaultSslSocketFactory() {
+ return useHttpsURLConnectionDefaultSslSocketFactory;
+ }
+
+ /**
+ * Sets whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultSSLSocketFactory()}Êshould be
+ * used to create https connections.
+ *
+ * @see #isUseHttpsURLConnectionDefaultSslSocketFactory()
+ */
+ public void setUseHttpsURLConnectionDefaultSslSocketFactory(
+ boolean useHttpsURLConnectionDefaultSslSocketFactory) {
+ this.useHttpsURLConnectionDefaultSslSocketFactory = useHttpsURLConnectionDefaultSslSocketFactory;
+ }
+
+ /**
+ * Returns whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultHostnameVerifier()} should be
+ * used to create https connections. If <code>true</code>, {@link #isDisableCNCheck()} is ignored.
+ */
+ public boolean isUseHttpsURLConnectionDefaultHostnameVerifier() {
+ return useHttpsURLConnectionDefaultHostnameVerifier;
+ }
+
+ /**
+ * Sets whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultHostnameVerifier()} should be
+ * used to create https connections.
+ *
+ * @see #isUseHttpsURLConnectionDefaultHostnameVerifier()
+ */
+ public void setUseHttpsURLConnectionDefaultHostnameVerifier(
+ boolean useHttpsURLConnectionDefaultHostnameVerifier) {
+ this.useHttpsURLConnectionDefaultHostnameVerifier = useHttpsURLConnectionDefaultHostnameVerifier;
+ }
}
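Review bot: The Javadoc on isUseHttpsURLConnectionDefaultSslSocketFactory() lists the settings that are ignored when the flag is true but omits getSSLSocketFactory(), even though the HttpsURLConnectionFactory change in this same commit checks the flag before the explicitly configured factory; add `{@link #getSSLSocketFactory()}` to that list so a caller who sets an explicit factory is not surprised when it is bypassed. Both the getter and the setter Javadoc for the SSL socket factory flag contain a stray non-ASCII character between the closing brace of the `{@link ...}` and "should", which looks like a mis-encoded space; replace it with a plain space so the generated documentation renders cleanly. It would also be worth saying in the getter Javadoc that the value delegated to is a JVM-wide default, e.g. `The default factory is process-global and may be replaced at runtime by any code calling HttpsURLConnection.setDefaultSSLSocketFactory.`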
Modified: cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=920741&r1=920740&r2=920741&view=diff
==============================================================================
--- cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd (original)
+++ cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd Tue Mar 9 09:01:17 2010
@@ -433,6 +433,27 @@
</xs:annotation>
</xs:element>
</xs:all>
+ <xs:attribute name="useHttpsURLConnectionDefaultSslSocketFactory" type="pt:ParameterizedBoolean" default="false">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute specifies if HttpsURLConnection.defaultSslSocketFactory
+ should be used to create https connections. If 'true', 'jsseProvider',
+ 'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom',
+ 'cipherSuites' and 'cipherSuitesFilter' are ignored.
+ Since 2.2.7.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ <xs:attribute name="useHttpsURLConnectionDefaultHostnameVerifier" type="pt:ParameterizedBoolean" default="false">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute specifies if HttpsURLConnection.defaultHostnameVerifier
+ should be used to create https connections. If 'true', 'disableCNCheck'
+ is ignored.
+ Since 2.2.7.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
<xs:attribute name="disableCNCheck" type="pt:ParameterizedBoolean" default="false">
<xs:annotation>
<xs:documentation>
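Review bot: The documentation for the two new attributes explains which local settings they override but not that the values they delegate to are process-global JVM state: HttpsURLConnection.setDefaultSSLSocketFactory and setDefaultHostnameVerifier can be called by any code in the same JVM, so a client with either attribute set to 'true' inherits whatever trust configuration or hostname policy was installed last, possibly by another library. Suggest adding to each annotation a sentence such as `Note that this delegates to a JVM-wide setting that other code in the same process may change at runtime.` Without it an operator may read 'true' as simply "use the JVM's standard trust store", which is weaker than what the attribute actually does.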
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=920741&r1=920740&r2=920741&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java Tue Mar 9 09:01:17 2010
@@ -65,6 +65,12 @@ public final class TLSClientParametersCo
if (params.isDisableCNCheck()) {
ret.setDisableCNCheck(true);
}
+ if (params.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
+ ret.setUseHttpsURLConnectionDefaultHostnameVerifier(true);
+ }
+ if (params.isUseHttpsURLConnectionDefaultSslSocketFactory()) {
+ ret.setUseHttpsURLConnectionDefaultSslSocketFactory(true);
+ }
if (params.isSetSecureSocketProtocol()) {
ret.setSecureSocketProtocol(params.getSecureSocketProtocol());
}
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=920741&r1=920740&r2=920741&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java Tue Mar 9 09:01:17 2010
@@ -26,18 +26,14 @@ import java.lang.reflect.Method;
import java.net.HttpURLConnection;
import java.net.Proxy;
import java.net.URL;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
+import java.security.GeneralSecurityException;
import java.util.logging.Handler;
import java.util.logging.Logger;
-import javax.imageio.IIOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.ReflectionInvokationHandler;
@@ -134,7 +130,7 @@ public final class HttpsURLConnectionFac
if (ex instanceof IOException) {
throw (IOException) ex;
}
- throw new IIOException("Error while initializing secure socket", ex);
+ throw new IOException("Error while initializing secure socket", ex);
}
}
}
@@ -148,71 +144,55 @@ public final class HttpsURLConnectionFac
* which allows internal cast to potentially divergent subtype (https) implementations.
*/
protected synchronized void decorateWithTLS(HttpURLConnection connection)
- throws NoSuchAlgorithmException,
- NoSuchProviderException,
- KeyManagementException {
-
- // First see if an SSLSocketFactory was set. This allows easy interop
- // with not-yet-commons-ssl.jar, or even just people who like doing their
- // own JSSE.
- if (socketFactory == null) {
- SSLSocketFactory preSetFactory = tlsClientParameters.getSSLSocketFactory();
- if (preSetFactory != null) {
- socketFactory = preSetFactory;
- }
- }
+ throws GeneralSecurityException {
- // Okay, no SSLSocketFactory available in TLSClientParameters. Maybe
- // TrustManagers, KeyManagers, etc?
- if (socketFactory == null) {
- String provider = tlsClientParameters.getJsseProvider();
+ // always reload socketFactory from HttpsURLConnection.defaultSSLSocketFactory and
+ // tlsClientParameters.sslSocketFactory to allow runtime configuration change
+ if (tlsClientParameters.isUseHttpsURLConnectionDefaultSslSocketFactory()) {
+ socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory();
- String protocol = tlsClientParameters.getSecureSocketProtocol() != null
- ? tlsClientParameters.getSecureSocketProtocol()
- : "TLS";
-
- SSLContext ctx = provider == null
- ? SSLContext.getInstance(protocol)
- : SSLContext.getInstance(protocol, provider);
+ } else if (tlsClientParameters.getSSLSocketFactory() != null) {
+ // see if an SSLSocketFactory was set. This allows easy interop
+ // with not-yet-commons-ssl.jar, or even just people who like doing their
+ // own JSSE.
+ socketFactory = tlsClientParameters.getSSLSocketFactory();
-
+ } else if (socketFactory == null) {
+ // ssl socket factory not yet instantiated, create a new one with tlsClientParameters's Trust
+ // Managers, Key Managers, etc
+
+ String provider = tlsClientParameters.getJsseProvider();
+
+ String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
+ .getSecureSocketProtocol() : "TLS";
+
+ SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
+ .getInstance(protocol, provider);
+
+ ctx.init(tlsClientParameters.getKeyManagers(), tlsClientParameters.getTrustManagers(),
+ tlsClientParameters.getSecureRandom());
- TrustManager[] trustAllCerts = tlsClientParameters.getTrustManagers();
- /*
- TrustManager[] trustAllCerts = new TrustManager[] {
- new javax.net.ssl.X509TrustManager() {
- public java.security.cert.X509Certificate[] getAcceptedIssuers() {
- return null;
- }
- public void checkClientTrusted(
- java.security.cert.X509Certificate[] certs, String authType) {
- }
- public void checkServerTrusted(
- java.security.cert.X509Certificate[] certs, String authType) {
- }
- }
- };
- */
- ctx.init(
- tlsClientParameters.getKeyManagers(),
- trustAllCerts,
- tlsClientParameters.getSecureRandom());
-
// The "false" argument means opposite of exclude.
- String[] cipherSuites =
- SSLUtils.getCiphersuites(tlsClientParameters.getCipherSuites(),
- SSLUtils.getSupportedCipherSuites(ctx),
- tlsClientParameters.getCipherSuitesFilter(),
- LOG, false);
+ String[] cipherSuites = SSLUtils.getCiphersuites(tlsClientParameters.getCipherSuites(), SSLUtils
+ .getSupportedCipherSuites(ctx), tlsClientParameters.getCipherSuitesFilter(), LOG, false);
// The SSLSocketFactoryWrapper enables certain cipher suites
// from the policy.
- socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(),
- cipherSuites,
+ socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites,
tlsClientParameters.getSecureSocketProtocol());
+ } else {
+ // ssl socket factory already initialized, reuse it to benefit of keep alive
+ }
+
+
+ HostnameVerifier verifier;
+ if (tlsClientParameters.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
+ verifier = HttpsURLConnection.getDefaultHostnameVerifier();
+ } else if (tlsClientParameters.isDisableCNCheck()) {
+ verifier = CertificateHostnameVerifier.ALLOW_ALL;
+ } else {
+ verifier = CertificateHostnameVerifier.DEFAULT;
}
- HostnameVerifier verifier = tlsClientParameters.isDisableCNCheck()
- ? CertificateHostnameVerifier.ALLOW_ALL : CertificateHostnameVerifier.DEFAULT;
if (connection instanceof HttpsURLConnection) {
// handle the expected case (javax.net.ssl)
HttpsURLConnection conn = (HttpsURLConnection) connection;
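Review bot: The cached socketFactory field does not record which branch produced it, so once the first branch has stored HttpsURLConnection.getDefaultSSLSocketFactory() in it, a later call with useHttpsURLConnectionDefaultSslSocketFactory switched off and no explicit factory configured falls through to the final `else` and keeps reusing the JVM default factory instead of building one from the configured key and trust managers; the same staleness occurs if an explicit factory was set on the first call and removed later. The comment at the top of the method says the reload is there to support runtime configuration change, which is exactly the case where this bites, so either document that the flags must be fixed before the first connection is made, or keep the lazily built wrapper in its own field as sketched below (the new field would be declared next to socketFactory, outside this hunk). Separately, the final `else` branch is empty apart from its comment, which a reader may mistake for a dropped statement; folding the comment onto the preceding branch, and removing one of the two consecutive blank lines before `HostnameVerifier verifier;`, would make the flow clearer. decorateWithTLS continues past the end of the hunk.

```java
        } else if (builtSocketFactory == null) {
            // … unchanged: SSLContext creation, init and cipher-suite filtering …
            builtSocketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites,
                                         tlsClientParameters.getSecureSocketProtocol());
            socketFactory = builtSocketFactory;
        } else {
            // factory built earlier from the configured managers; reuse it to keep connections alive
            socketFactory = builtSocketFactory;
        }
```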