Posted to commits@cxf.apache.org by co...@apache.org on 2019/05/13 16:59:08 UTC
[cxf] 01/02: Adding support to configure the cert constaints
separator.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 161260bc40a7b9b09ff16a83fea4260a9a36eca3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jan 22 11:55:47 2019 +0000
Adding support to configure the cert constraints separator.
(cherry picked from commit 23bd1b8a54ceefbd771108dfc815d61d7185a869)
---
.../java/org/apache/cxf/rt/security/SecurityConstants.java | 12 +++++++++---
.../cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java | 6 ++++++
.../cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java | 12 +++++++++---
.../test/resources/org/apache/cxf/systest/ws/x509/server.xml | 3 ++-
4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 66b848a..113780f 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -197,12 +197,18 @@ public class SecurityConstants {
public static final String SAML_ROLE_ATTRIBUTENAME = "security.saml-role-attributename";
/**
- * A comma separated String of regular expressions which will be applied to the subject DN of
- * the certificate used for signature validation, after trust verification of the certificate
- * chain associated with the certificate.
+ * A String of regular expressions (separated by the value specified for CERT_CONSTRAINTS_SEPARATOR)
+ * which will be applied to the subject DN of the certificate used for signature validation, after trust
+ * verification of the certificate chain associated with the certificate.
*/
public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints";
+ /**
+ * The separator that is used to parse certificate constraints configured in the SUBJECT_CERT_CONSTRAINTS
+ * tag. By default it is a comma - ",".
+ */
+ public static final String CERT_CONSTRAINTS_SEPARATOR = "security.cert.constraints.separator";
+
//
// STS Client Configuration tags
//
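Review bot: The Javadoc on CERT_CONSTRAINTS_SEPARATOR does not say how the separator value is interpreted, and in the StAX interceptor of this same commit it is passed straight to `String.split`, which treats it as a regular expression. A value such as `|` or `.` would therefore not split on that character at all (`.` matches everything and yields no constraints), and the SUBJECT_CERT_CONSTRAINTS Javadoc should also warn that the separator must not occur inside any of the constraint regexes. I would add to the new Javadoc: `* The separator is applied as a regular expression when the constraints are split, so regex` / `* metacharacters such as "|" or "." must be escaped, and it must not appear inside any constraint.` Whether the DOM/WSS4J path applies the same regex semantics is not visible here and should be confirmed before documenting it as uniform.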
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
index e222faa..fcc4295 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
@@ -179,6 +179,12 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap
msg.put(ConfigurationConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
}
+ String certConstraintsSeparator =
+ (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, msg);
+ if (certConstraintsSeparator != null && !certConstraintsSeparator.isEmpty()) {
+ msg.put(ConfigurationConstants.SIG_CERT_CONSTRAINTS_SEPARATOR, certConstraintsSeparator);
+ }
+
// Now set SAML SenderVouches + Holder Of Key requirements
String valSAMLSubjectConf =
(String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
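Review bot: The DOM path forwards the separator to WSS4J without any validation and without applying a default, so an absent or empty value silently relies on whatever WSS4J does with a missing SIG_CERT_CONSTRAINTS_SEPARATOR, while the StAX interceptor in this commit explicitly falls back to `","`. If WSS4J's default is also a comma this is consistent, but that is not visible here and is worth a comment on the `if` at the new lines, e.g. `// no default set here: WSS4J falls back to "," (confirm) – keep in sync with AbstractWSS4JStaxInterceptor`. The enclosing method starts before this hunk.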
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
index 299efe0..55338a4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
@@ -149,7 +149,13 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
String certConstraints =
(String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg);
if (certConstraints != null && !"".equals(certConstraints)) {
- securityProperties.setSubjectCertConstraints(convertCertConstraints(certConstraints));
+ String certConstraintsSeparator =
+ (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, msg);
+ if (certConstraintsSeparator == null || certConstraintsSeparator.isEmpty()) {
+ certConstraintsSeparator = ",";
+ }
+ securityProperties.setSubjectCertConstraints(
+ convertCertConstraints(certConstraints, certConstraintsSeparator));
}
// Now set SAML SenderVouches + Holder Of Key requirements
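Review bot: The fallback separator is a bare literal `","` in the new `if` block, duplicating the "By default it is a comma" statement in the SecurityConstants Javadoc with nothing tying the two together. A named constant next to CERT_CONSTRAINTS_SEPARATOR (for example `public static final String DEFAULT_CERT_CONSTRAINTS_SEPARATOR = ",";`) referenced here would keep the documented and actual default from drifting. As a style point, the outer guard uses `!"".equals(certConstraints)` while the new inner guard uses `.isEmpty()`; using `.isEmpty()` in both reads more consistently. The enclosing method starts before this hunk.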
@@ -174,8 +180,8 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
securityProperties.setDisableSchemaValidation(!validateSchemas);
}
- private Collection<Pattern> convertCertConstraints(String certConstraints) {
- String[] certConstraintsList = certConstraints.split(",");
+ private Collection<Pattern> convertCertConstraints(String certConstraints, String separator) {
+ String[] certConstraintsList = certConstraints.split(separator);
if (certConstraintsList.length > 0) {
Collection<Pattern> subjectCertConstraints = new ArrayList<>(certConstraintsList.length);
for (String certConstraint : certConstraintsList) {
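Review bot: `certConstraints.split(separator)` interprets the configurable separator as a regular expression, so a separator like `|` splits between every character and `.` produces an empty array, which silently drops every constraint and changes what the signature validation accepts. Since the value is meant to be a literal delimiter, the split should quote it: `String[] certConstraintsList = certConstraints.split(Pattern.quote(separator));` (java.util.regex.Pattern is already in use by this method's return type). The rest of convertCertConstraints, including what it returns when the array is empty, lies outside this hunk.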
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
index 2191e44..27462d4 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
@@ -344,7 +344,8 @@
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportSupportingSignedCertConstraints" address="https://localhost:${testutil.ports.x509.Server.2}/DoubleItX509TransportSupportingSignedCertConstraints" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportSupportingSignedCertConstraintsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl" depends-on="tls-settings">
<jaxws:properties>
<entry key="security.signature.properties" value="cxfca.properties"/>
- <entry key="security.subject.cert.constraints" value=".*CN=alice.*"/>
+ <entry key="security.cert.constraints.separator" value=";"/>
+ <entry key="security.subject.cert.constraints" value=".*CN=alice.*;.*CN=dave.*"/>
</jaxws:properties>
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportKVT" address="https://localhost:${testutil.ports.x509.Server.2}/DoubleItX509TransportKVT" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportKVTPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl" depends-on="tls-settings">
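Review bot: The constraint patterns `.*CN=alice.*` and `.*CN=dave.*` are unanchored on the right, so they also accept subject DNs such as `CN=alicemallory` or any DN that merely contains `CN=alice` in an intermediate RDN. For a system test that only wants to prove the `;` separator is honoured this is presumably acceptable, but since these files tend to be copied as configuration examples, tighter patterns such as `.*CN=alice(,.*)?` would be a better model for real deployments.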