Posted to issues@cxf.apache.org by "Jason Pell (JIRA)" <ji...@apache.org> on 2012/10/23 04:20:11 UTC

[jira] [Created] (CXF-4595) RequireClientCertificate is not validated

Jason Pell created CXF-4595:
-------------------------------

             Summary: RequireClientCertificate is not validated
                 Key: CXF-4595
                 URL: https://issues.apache.org/jira/browse/CXF-4595
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.0
            Reporter: Jason Pell


I can execute a web service which has a RequireClientCertificate="true" policy in the transport binding, the problem is that my client is not providing a certificate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482112#comment-13482112 ] 

Jason Pell commented on CXF-4595:
---------------------------------

The HttpsTokenInInterceptor is PRE-STREAM
The PolicyBasedWSS4JInInterceptor is PRE-PROTOCOL

So according to http://cxf.apache.org/docs/interceptors.html, the HttpsTokenInInterceptor executes first.  So TransportBindingPolicyValidator is definitely
overriding what has already been set in HttpsTokenInInterceptor.

Should it not be ignoring anything that has already been checked by HttpsTokenInInterceptor?

In fact should the following code:

if (binding.getTransportToken() != null) {
    assertPolicy(aim, binding.getTransportToken());
    assertPolicy(aim, binding.getTransportToken().getToken());
}

be removed from TransportBindingPolicyValidator????
                

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482201#comment-13482201 ] 

Jason Pell commented on CXF-4595:
---------------------------------

Cool, I will provide patch and test cases for option you have indicated
                

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482197#comment-13482197 ] 

Colm O hEigeartaigh commented on CXF-4595:
------------------------------------------

Hi Jason,

I don't like the approach you've taken in the patch - the HttpsTokenInInterceptor should not throw an exception in case there are other policy alternatives that may work.

I think the best approach is just to remove the assertPolicy(aim, binding.getTransportToken().getToken()); line from the TransportBindingPolicyValidator.

Colm.
                

[jira] [Updated] (CXF-4595) RequireClientCertificate is not validated

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp updated CXF-4595:
-----------------------------

    Fix Version/s: 2.5.7
    

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482170#comment-13482170 ] 

Jason Pell commented on CXF-4595:
---------------------------------

I can see that the HttpsTokenOutInterceptor actually throws an exception upon a policy error.  So should this bit of code be at the bottom of the handleMessage in HttpsTokenInInterceptor?

if (!ai.isAsserted()) {
    throw new PolicyException(ai);
}



                

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482137#comment-13482137 ] 

Jason Pell commented on CXF-4595:
---------------------------------

To provide further clarification.  The binding.getTransportToken().getToken() returns the HttpsToken
                

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482157#comment-13482157 ] 

Jason Pell commented on CXF-4595:
---------------------------------

This is the code in HttpsTokenInInterceptor that does actually check for the client certificate.  And in my case, my debugging tells me that the setAsserted is false, which is a good thing, but then gets overridden.


TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
if (tlsInfo != null) {
    if (token.isRequireClientCertificate()
        && (tlsInfo.getPeerCertificates() == null
            || tlsInfo.getPeerCertificates().length == 0)) {
        asserted = false;
    }
} else {
    asserted = false;
}

ai.setAsserted(asserted);
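
Added example, not part of the original thread and not CXF source: a small stand-alone Java model of the sequence discussed here, where the PRE-STREAM client-certificate check records a failed HttpsToken assertion and the later PRE-PROTOCOL validator step marks it asserted again. The class and method names are hypothetical, and it assumes assertPolicy simply marks its argument as asserted.

```java
// Simplified model of the interceptor ordering in this thread; not CXF source.
public class TransportTokenOverrideDemo {

    /** Hypothetical stand-in for a policy assertion: only the asserted flag is modelled. */
    static final class Assertion {
        private boolean asserted;
        boolean isAsserted() { return asserted; }
        void setAsserted(boolean value) { asserted = value; }
    }

    /** PRE_STREAM: same decision as the HttpsTokenInInterceptor snippet quoted above. */
    static void httpsTokenCheck(Assertion httpsToken, boolean requireClientCert,
                                boolean tlsSession, int peerCertCount) {
        boolean asserted = true;
        if (tlsSession) {
            if (requireClientCert && peerCertCount == 0) {
                asserted = false;
            }
        } else {
            asserted = false;
        }
        httpsToken.setAsserted(asserted);
    }

    /**
     * PRE_PROTOCOL: the validator step. Assumption: assertPolicy marks its
     * argument as asserted without re-checking the TLS session.
     */
    static void transportBindingValidate(Assertion transportToken, Assertion httpsToken,
                                         boolean assertNestedToken) {
        transportToken.setAsserted(true);
        if (assertNestedToken) {
            // Models assertPolicy(aim, binding.getTransportToken().getToken()):
            // overwrites the false result recorded in PRE_STREAM.
            httpsToken.setAsserted(true);
        }
    }

    /** Runs both phases in order; true means policy verification would pass. */
    static boolean requestAccepted(boolean assertNestedToken, int peerCertCount) {
        Assertion transportToken = new Assertion();
        Assertion httpsToken = new Assertion();
        httpsTokenCheck(httpsToken, true, true, peerCertCount);
        transportBindingValidate(transportToken, httpsToken, assertNestedToken);
        return transportToken.isAsserted() && httpsToken.isAsserted();
    }

    public static void main(String[] args) {
        // Constructed cases: RequireClientCertificate="true", TLS session present.
        System.out.println("validator asserts token, no client cert: " + requestAccepted(true, 0));
        System.out.println("line removed, no client cert:            " + requestAccepted(false, 0));
        System.out.println("line removed, one client cert:           " + requestAccepted(false, 1));
    }
}
```

With the nested-token line modelled as removed, the request without a client certificate is rejected and the one with a certificate still passes.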


                

[jira] [Updated] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Pell updated CXF-4595:
----------------------------

    Attachment: patch.txt

Patch based on Colm feedback plus system test
                

[jira] [Updated] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Pell updated CXF-4595:
----------------------------

    Attachment: PolicySample.tar.gz

Run the test case SecurityServiceTest, the test fails because no Policy Exception is returned even though I do have a RequireClientCertificate="true"


                

[jira] [Resolved] (CXF-4595) RequireClientCertificate is not validated

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-4595.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.7.1
                   2.6.4
         Assignee: Daniel Kulp
    

[jira] [Comment Edited] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482170#comment-13482170 ] 

Jason Pell edited comment on CXF-4595 at 10/23/12 7:16 AM:
-----------------------------------------------------------

I can see that the HttpsTokenOutInterceptor actually throws an exception upon a policy error.  So should this bit of code be at the bottom of the assertHttps in HttpsTokenInInterceptor?

if (!ai.isAsserted()) {
    throw new PolicyException(ai);
}



                
      was (Author: pellcorp):
    I can see that the HttpsTokenOutInterceptor actually throws an exception upon a policy error.  So should this bit of code be at the bottom of the handleMessage in HttpsTokenInInterceptor?

if (!ai.isAsserted()) {
    throw new PolicyException(ai);
}



                  

[jira] [Updated] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Pell updated CXF-4595:
----------------------------

    Attachment: patch.txt

proposed patch to HttpsTokenInInterceptor to behave like the HttpsTokenOutInterceptor.

I will add test cases around this patch if it is acceptable.  No point doing that until developers indicate the approach is ok.
                

[jira] [Commented] (CXF-4595) RequireClientCertificate is not validated

Posted by "Jason Pell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482066#comment-13482066 ] 

Jason Pell commented on CXF-4595:
---------------------------------

Related email trail

http://cxf.547215.n5.nabble.com/RequireClientCertificate-confusion-td5717199.html

I am happy to contribute a patch as discussed in the email, but I need some advice from the devs as to why the code is in TransportBindingPolicyValidator
                