Posted to commits@ofbiz.apache.org by ja...@apache.org on 2007/04/17 00:46:28 UTC

svn commit: r529423 - in /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control: ConfigXMLReader.java RequestHandler.java

Author: jaz
Date: Mon Apr 16 15:46:24 2007
New Revision: 529423

URL: http://svn.apache.org/viewvc?view=rev&rev=529423
Log:
X.509 authentication required SSL to function; added code to make sure the security check cannot be bypassed by using HTTP (instead of HTTPS)

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?view=diff&rev=529423&r1=529422&r2=529423
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Mon Apr 16 15:46:24 2007
@@ -213,6 +213,12 @@
                 String securityKeystore = securityElement.getAttribute(SECURITY_KEYSTORE);
                 String securityExtView = securityElement.getAttribute(SECURITY_EXTVIEW);
                 String securityDirectRequest = securityElement.getAttribute(SECURITY_DIRECT);
+
+                // if x509 is required so is https
+                if ("true".equalsIgnoreCase(securityCert)) {
+                    securityHttps = "true";
+                }
+                
                 uriMap.put(SECURITY_HTTPS, securityHttps);
                 uriMap.put(SECURITY_AUTH, securityAuth);
                 uriMap.put(SECURITY_CERT, securityCert);
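Review bot: The override inside `if ("true".equalsIgnoreCase(securityCert))` silently replaces whatever `securityHttps` the controller XML declared, so an explicit https="false" on a cert-protected request vanishes at load time with no trace. A warning when the value is actually changed would make the mismatch visible to whoever maintains the configuration, e.g. `if (!"true".equalsIgnoreCase(securityHttps)) { Debug.logWarning("Request requires an X.509 client cert; forcing https=true", module); }` placed before the assignment — assuming `Debug` and `module` are in scope in ConfigXMLReader as they are in RequestHandler in this same commit, and whether the request URI is available here for the message cannot be seen from the hunk. The blank line added after the new block carries trailing whitespace. The enclosing method starts before this hunk and continues after it.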

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?view=diff&rev=529423&r1=529422&r2=529423
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Apr 16 15:46:24 2007
@@ -135,6 +135,11 @@
                 }
             }
 
+            // Check if X509 is required and we are not secure; throw exception
+            if (!request.isSecure() && requestManager.requiresHttpsClientCert(requestUri)) {
+                throw new RequestHandlerException("Unknown request [" + requestUri + "]; this request does not exist or cannot be called directly.");
+            }            
+
             // Check for HTTPS client (x.509) security
             if (request.isSecure() && requestManager.requiresHttpsClientCert(requestUri)) {            
                 X509Certificate[] clientCerts = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); // 2.2 spec
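Review bot: The new rejection at `if (!request.isSecure() && requestManager.requiresHttpsClientCert(requestUri))` throws with the text "Unknown request [...]; this request does not exist or cannot be called directly.", which describes a different condition from the one detected, and the real cause — an X.509-protected request arriving over a non-secure connection — is recorded nowhere, so an operator sees only a misleading "unknown request" error and there is no server-side trail of the blocked attempt. Keeping the generic client-facing message is defensible, but log the actual reason before throwing, e.g. `Debug.logWarning("Request [" + requestUri + "] requires an X.509 client certificate but was received over a non-secure connection; rejecting", module);`. Note also that `request.isSecure()` reflects what the servlet container itself saw, so where TLS is terminated at a reverse proxy this check presumably fails closed for every cert-protected request — acceptable, but worth stating in the comment. The enclosing method starts before this hunk and continues after it.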
@@ -183,6 +188,7 @@
 
                         for (int ci = 0; ci < clientCerts.length; ci++) {                            
                             if (!foundValidCert && trustedCert.equals(clientCerts[ci])) {
+                                Debug.log("Found valid certificate for request; allowing: " + clientCerts[ci].getSerialNumber().toString(16), module);
                                 foundValidCert = true;
                                 break;
                             }
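Review bot: The new `Debug.log(...)` line identifies the accepted certificate only by `getSerialNumber().toString(16)`; a serial number is unique only within a single issuer, so as a record of who was allowed through it should also carry the subject (and ideally issuer) DN, e.g. `Debug.logInfo("Found valid certificate for request; allowing subject=" + clientCerts[ci].getSubjectX500Principal() + " serial=" + clientCerts[ci].getSerialNumber().toString(16), module);`. The hunk does not show at what level `Debug.log` writes, so whether this message reaches production logs is unclear; an explicit info-level call states the intent. The enclosing loop and method continue outside the hunk.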