Posted to commits@cxf.apache.org by co...@apache.org on 2019/05/13 16:59:07 UTC

[cxf] branch 3.2.x-fixes updated (71f519b -> 426e4b2)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from 71f519b  Recording .gitmergeinfo Changes
     new 161260b  Adding support to configure the cert constaints separator.
     new 426e4b2  Recording .gitmergeinfo Changes

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .gitmergeinfo                                                |  2 ++
 .../java/org/apache/cxf/rt/security/SecurityConstants.java   | 12 +++++++++---
 .../cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java      |  6 ++++++
 .../cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java  | 12 +++++++++---
 .../test/resources/org/apache/cxf/systest/ws/x509/server.xml |  3 ++-
 5 files changed, 28 insertions(+), 7 deletions(-)


[cxf] 02/02: Recording .gitmergeinfo Changes

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 426e4b2c52962471ddda40d8bf4d5f7cfca23ddd
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon May 13 17:45:28 2019 +0100

    Recording .gitmergeinfo Changes
---
 .gitmergeinfo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitmergeinfo b/.gitmergeinfo
index d640d3a..9558075 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -121,6 +121,7 @@ B 39af827a897824749f269a3dffc2db920e6b8216
 B 3a0b939b04d5e59388ff536ac93e7cf3f8793571
 B 3a99c26ad254f34525837ceaf0c8baaac24f4336
 B 3c1b69e419333e7c49209bb72f7da79d3ee019cd
+B 3c82c9da13a616c0da987063841980d9c61e4840
 B 3d2185bb289b4b873a388e5a41fd3bac891c3354
 B 3d2f090f40825cd19ff5d1cf9b360625a39b0264
 B 3d34da3e1385fbd50c22e7168278101b94ef2a60
@@ -189,6 +190,7 @@ B 59a74cf86b42143a71b23c6e67a494a57dc645e7
 B 5a5d6eab2748d03508d51ee036701244ad0cfe25
 B 5a72b4170110d58fb6186fd7ce9f5339b9550f5e
 B 5b11f39743278a06fdf174e89b0178a7f9d86fbb
+B 5cf3301c9bbf655a05cb7fcc0ed29d5cc2269142
 B 5d164a22c1934f6c499d12146c6ab9d59b13e6ee
 B 5d27ba4cb9864335424504387ffc08a013ad3f49
 B 5d43800e5a3b8d65e97b8c5c3262e81c11070edb


[cxf] 01/02: Adding support to configure the cert constaints separator.

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 161260bc40a7b9b09ff16a83fea4260a9a36eca3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jan 22 11:55:47 2019 +0000

    Adding support to configure the cert constraints separator.
    
    (cherry picked from commit 23bd1b8a54ceefbd771108dfc815d61d7185a869)
---
 .../java/org/apache/cxf/rt/security/SecurityConstants.java   | 12 +++++++++---
 .../cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java      |  6 ++++++
 .../cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java  | 12 +++++++++---
 .../test/resources/org/apache/cxf/systest/ws/x509/server.xml |  3 ++-
 4 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 66b848a..113780f 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -197,12 +197,18 @@ public class SecurityConstants {
     public static final String SAML_ROLE_ATTRIBUTENAME = "security.saml-role-attributename";
 
     /**
-     * A comma separated String of regular expressions which will be applied to the subject DN of
-     * the certificate used for signature validation, after trust verification of the certificate
-     * chain associated with the certificate.
+     * A String of regular expressions (separated by the value specified for CERT_CONSTRAINTS_SEPARATOR)
+     * which will be applied to the subject DN of the certificate used for signature validation, after trust
+     * verification of the certificate chain associated with the certificate.
      */
     public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints";
 
+    /**
+     * The separator that is used to parse certificate constraints configured in the SUBJECT_CERT_CONSTRAINTS
+     * tag. By default it is a comma - ",".
+     */
+    public static final String CERT_CONSTRAINTS_SEPARATOR = "security.cert.constraints.separator";
+
     //
     // STS Client Configuration tags
     //
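Review bot: The new Javadoc for CERT_CONSTRAINTS_SEPARATOR on lines 109-113 does not say how the configured value is interpreted, and in this same commit AbstractWSS4JStaxInterceptor hands it straight to `String.split`, which takes a regular expression rather than a literal. A deployer who picks a separator such as `|` or `.` would therefore get every character split apart instead of the intended delimiter, and the documentation is the only place that can warn them. Suggest adding a sentence such as `Note that the separator is passed to String.split() and so is interpreted as a regular expression; metacharacters must be escaped.`, or stating that the value is treated literally if the split call is changed to quote it. The comma default stated here should also stay in step with the literal `","` fallback in the StAX interceptor.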
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
index e222faa..fcc4295 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
@@ -179,6 +179,12 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap
             msg.put(ConfigurationConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
         }
 
+        String certConstraintsSeparator =
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, msg);
+        if (certConstraintsSeparator != null && !certConstraintsSeparator.isEmpty()) {
+            msg.put(ConfigurationConstants.SIG_CERT_CONSTRAINTS_SEPARATOR, certConstraintsSeparator);
+        }
+
         // Now set SAML SenderVouches + Holder Of Key requirements
         String valSAMLSubjectConf =
             (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
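Review bot: The separator on lines 126-130 is written into the message even when no SUBJECT_CERT_CONSTRAINTS value was configured, because the new block sits outside the `if` that ends on line 124, whereas the StAX counterpart in this commit only reads the separator inside its cert-constraints branch. Moving the lookup inside that branch would keep the two interceptors parallel and avoid forwarding an unused setting to WSS4J. Unlike the StAX hunk there is also no local `","` fallback here; presumably WSS4J applies its own default for SIG_CERT_CONSTRAINTS_SEPARATOR, which would be worth confirming and noting in a short comment such as `// no default applied here: WSS4J falls back to a comma when the separator is unset`. The enclosing method starts and ends outside the hunk.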
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
index 299efe0..55338a4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
@@ -149,7 +149,13 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
         String certConstraints =
             (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg);
         if (certConstraints != null && !"".equals(certConstraints)) {
-            securityProperties.setSubjectCertConstraints(convertCertConstraints(certConstraints));
+            String certConstraintsSeparator =
+                (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, msg);
+            if (certConstraintsSeparator == null || certConstraintsSeparator.isEmpty()) {
+                certConstraintsSeparator = ",";
+            }
+            securityProperties.setSubjectCertConstraints(
+                convertCertConstraints(certConstraints, certConstraintsSeparator));
         }
 
         // Now set SAML SenderVouches + Holder Of Key requirements
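Review bot: The fallback `certConstraintsSeparator = ",";` on line 147 duplicates the default that the new SecurityConstants Javadoc promises, with nothing tying the two together. A named constant, e.g. `private static final String DEFAULT_CERT_CONSTRAINTS_SEPARATOR = ",";` used at line 147, makes the default discoverable and keeps it from drifting from the documentation. The empty check on line 146 uses `isEmpty()` while the surrounding check on line 142 uses `!"".equals(...)`; using one form for both would read more consistently. The enclosing method starts and ends outside the hunk.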
@@ -174,8 +180,8 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
         securityProperties.setDisableSchemaValidation(!validateSchemas);
     }
 
-    private Collection<Pattern> convertCertConstraints(String certConstraints) {
-        String[] certConstraintsList = certConstraints.split(",");
+    private Collection<Pattern> convertCertConstraints(String certConstraints, String separator) {
+        String[] certConstraintsList = certConstraints.split(separator);
         if (certConstraintsList.length > 0) {
             Collection<Pattern> subjectCertConstraints = new ArrayList<>(certConstraintsList.length);
             for (String certConstraint : certConstraintsList) {
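Review bot: `certConstraints.split(separator)` on line 161 treats the user-supplied separator as a regular expression, so a separator like `|` (which matches the empty string) splits the constraint list into single characters and a `.` splits on every character, silently producing constraint patterns that do not match what the deployer configured. Since Pattern is already in scope for the return type, the one-line fix is `String[] certConstraintsList = certConstraints.split(Pattern.quote(separator));`, which makes the separator a literal as the property name suggests. If regex separators are intended, the Javadoc on the new SecurityConstants entry should say so instead. convertCertConstraints continues past the end of the hunk.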
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
index 2191e44..27462d4 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
@@ -344,7 +344,8 @@
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportSupportingSignedCertConstraints" address="https://localhost:${testutil.ports.x509.Server.2}/DoubleItX509TransportSupportingSignedCertConstraints" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportSupportingSignedCertConstraintsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl" depends-on="tls-settings">
         <jaxws:properties>
             <entry key="security.signature.properties" value="cxfca.properties"/>
-            <entry key="security.subject.cert.constraints" value=".*CN=alice.*"/>
+            <entry key="security.cert.constraints.separator" value=";"/>
+            <entry key="security.subject.cert.constraints" value=".*CN=alice.*;.*CN=dave.*"/>
         </jaxws:properties>
     </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportKVT" address="https://localhost:${testutil.ports.x509.Server.2}/DoubleItX509TransportKVT" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportKVTPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl" depends-on="tls-settings">