Posted to commits@cxf.apache.org by cl...@apache.org on 2010/03/02 06:32:27 UTC
svn commit: r917884 - in /cxf/trunk:
api/src/main/java/org/apache/cxf/configuration/jsse/
common/schemas/src/main/resources/schemas/configuration/
rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/
rt/transports/http/src/main/ja...
Author: cleclerc
Date: Tue Mar 2 05:32:27 2010
New Revision: 917884
URL: http://svn.apache.org/viewvc?rev=917884&view=rev
Log:
[CXF-2688] Allow deactivation of SSL X509 Certificates validation
Modified:
cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Modified: cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java Tue Mar 2 05:32:27 2010
@@ -28,6 +28,7 @@
public class TLSClientParameters extends TLSParameterBase {
private boolean disableCNCheck;
private SSLSocketFactory sslSocketFactory;
+ private boolean trustAllCertificates;
/**
* Set whether or not JSEE should omit checking if the host name
@@ -49,6 +50,22 @@
}
/**
+ * Returns whether or not JSSE omits checking X509 certificates
+ * validity (using an 'accept all' X509TrustManager).
+ */
+ public boolean isTrustAllCertificates() {
+ return trustAllCertificates;
+ }
+
+ /**
+ * Set whether or not JSSE should omit checking X509 certificates
+ * validity (using an 'accept all' {@link javax.net.ssl.X509TrustManager}).
+ */
+ public void setTrustAllCertificates(boolean trustAllCertificates) {
+ this.trustAllCertificates = trustAllCertificates;
+ }
+
+ /**
* This sets the SSLSocketFactory to use, causing all other properties of
* this bean (and its superclass) to get ignored (this takes precendence).
*/
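Review bot: The Javadoc on the new setTrustAllCertificates (and isTrustAllCertificates) does not carry the caveat that the schema documentation in this same commit attaches to the option — that it must stay false in production — nor that, as implemented in the HttpsURLConnectionFactory hunk, enabling it also switches the hostname verifier to ALLOW_ALL. A reader of the API alone would assume only the certificate chain check is skipped. I would extend the setter Javadoc with `Enabling this also disables host name verification; intended for testing only and must not be enabled in production.` and add `@since 2.2.7` so the API text matches the schema text.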
Modified: cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd (original)
+++ cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd Tue Mar 2 05:32:27 2010
@@ -443,6 +443,16 @@
</xs:documentation>
</xs:annotation>
</xs:attribute>
+ <xs:attribute name="trustAllCertificates" type="pt:ParameterizedBoolean" default="false">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute specifies if JSSE should omit checking X509
+ certificates validity (using an 'accept all X509TrustManager').
+ Default is false; this attribute should not be set to true during
+ production use. Since 2.2.7.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
<xs:attribute name="jsseProvider" type="xs:string">
<xs:annotation>
<xs:documentation>
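Review bot: The closing quote in `(using an 'accept all X509TrustManager')` is misplaced; the matching Javadoc in TLSClientParameters reads `'accept all' X509TrustManager`, and the attribute text should read the same. The documentation also omits that enabling this attribute disables host name verification as well (see the HostnameVerifier change in HttpsURLConnectionFactory in this commit), which is the effect an operator is least likely to expect. I would add `Enabling it also disables host name verification.` after the first sentence.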
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java Tue Mar 2 05:32:27 2010
@@ -65,6 +65,9 @@
if (params.isDisableCNCheck()) {
ret.setDisableCNCheck(true);
}
+ if (params.isTrustAllCertificates()) {
+ ret.setTrustAllCertificates(true);
+ }
if (params.isSetSecureSocketProtocol()) {
ret.setSecureSocketProtocol(params.getSecureSocketProtocol());
}
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java Tue Mar 2 05:32:27 2010
@@ -175,27 +175,30 @@
? SSLContext.getInstance(protocol)
: SSLContext.getInstance(protocol, provider);
-
+ TrustManager[] trustManagers;
+ if (tlsClientParameters.isTrustAllCertificates()) {
+ trustManagers = new TrustManager[] {
+ new javax.net.ssl.X509TrustManager() {
+ public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
- TrustManager[] trustAllCerts = tlsClientParameters.getTrustManagers();
- /*
- TrustManager[] trustAllCerts = new TrustManager[] {
- new javax.net.ssl.X509TrustManager() {
- public java.security.cert.X509Certificate[] getAcceptedIssuers() {
- return null;
- }
- public void checkClientTrusted(
- java.security.cert.X509Certificate[] certs, String authType) {
- }
- public void checkServerTrusted(
- java.security.cert.X509Certificate[] certs, String authType) {
+ public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
+ String authType) {
+ }
+
+ public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
+ String authType) {
+ }
}
- }
- };
- */
+ };
+ } else {
+ trustManagers = tlsClientParameters.getTrustManagers();
+ }
+
ctx.init(
tlsClientParameters.getKeyManagers(),
- trustAllCerts,
+ trustManagers,
tlsClientParameters.getSecureRandom());
// The "false" argument means opposite of exclude.
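Review bot: The accept-all trust manager's getAcceptedIssuers returns null, which violates the X509TrustManager contract (a non-null, possibly empty array) and can surface as a NullPointerException in code that iterates the result; `return new java.security.cert.X509Certificate[0];` is the safe form. Because this branch turns off server authentication for every connection built through this factory, it should emit a WARN-level log entry when taken so that a setting left over from testing is visible in production logs — assuming the class has a logger, which the hunk does not show. The enclosing method starts and ends outside the hunk.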
@@ -211,12 +214,13 @@
tlsClientParameters.getSecureSocketProtocol());
}
- HostnameVerifier verifier = tlsClientParameters.isDisableCNCheck()
- ? CertificateHostnameVerifier.ALLOW_ALL : CertificateHostnameVerifier.DEFAULT;
+ HostnameVerifier hostnameVerifier = tlsClientParameters.isDisableCNCheck()
+ || tlsClientParameters.isTrustAllCertificates() ? CertificateHostnameVerifier.ALLOW_ALL
+ : CertificateHostnameVerifier.DEFAULT;
if (connection instanceof HttpsURLConnection) {
// handle the expected case (javax.net.ssl)
HttpsURLConnection conn = (HttpsURLConnection) connection;
- conn.setHostnameVerifier(verifier);
+ conn.setHostnameVerifier(hostnameVerifier);
conn.setSSLSocketFactory(socketFactory);
} else {
// handle the deprecated sun case and other possible hidden API's
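Review bot: The condition on the new `HostnameVerifier hostnameVerifier = ...` assignment mixes `||` and `?:` without parentheses and breaks the line right after `||`, so the grouping is easy to misread; writing `(tlsClientParameters.isDisableCNCheck() || tlsClientParameters.isTrustAllCertificates())` before the `?` makes the intent explicit. A short comment would also help, since the TLSClientParameters Javadoc only mentions certificate validity, e.g. `// trustAllCertificates also bypasses host name verification`. The enclosing method continues outside this hunk.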
@@ -224,7 +228,7 @@
try {
Method method = connection.getClass().getMethod("getHostnameVerifier");
- InvocationHandler handler = new ReflectionInvokationHandler(verifier) {
+ InvocationHandler handler = new ReflectionInvokationHandler(hostnameVerifier) {
public Object invoke(Object proxy,
Method method,
Object[] args) throws Throwable {