Posted to commits@cxf.apache.org by co...@apache.org on 2019/05/13 16:59:08 UTC

[cxf] 01/02: Adding support to configure the cert constaints separator.

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 161260bc40a7b9b09ff16a83fea4260a9a36eca3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jan 22 11:55:47 2019 +0000

    Adding support to configure the cert constraints separator.
    
    (cherry picked from commit 23bd1b8a54ceefbd771108dfc815d61d7185a869)
---
 .../java/org/apache/cxf/rt/security/SecurityConstants.java   | 12 +++++++++---
 .../cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java      |  6 ++++++
 .../cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java  | 12 +++++++++---
 .../test/resources/org/apache/cxf/systest/ws/x509/server.xml |  3 ++-
 4 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 66b848a..113780f 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -197,12 +197,18 @@ public class SecurityConstants {
     public static final String SAML_ROLE_ATTRIBUTENAME = "security.saml-role-attributename";
 
     /**
-     * A comma separated String of regular expressions which will be applied to the subject DN of
-     * the certificate used for signature validation, after trust verification of the certificate
-     * chain associated with the certificate.
+     * A String of regular expressions (separated by the value specified for CERT_CONSTRAINTS_SEPARATOR)
+     * which will be applied to the subject DN of the certificate used for signature validation, after trust
+     * verification of the certificate chain associated with the certificate.
      */
     public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints";
 
+    /**
+     * The separator that is used to parse certificate constraints configured in the SUBJECT_CERT_CONSTRAINTS
+     * tag. By default it is a comma - ",".
+     */
+    public static final String CERT_CONSTRAINTS_SEPARATOR = "security.cert.constraints.separator";
+
     //
     // STS Client Configuration tags
     //
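Review bot: The new Javadoc for CERT_CONSTRAINTS_SEPARATOR says what the property is for but not how its value is interpreted, and the Stax interceptor in this same commit hands it straight to `String.split`, which treats it as a regular expression. Because the constraints being separated are themselves regexes, a user could plausibly pick `|` or `.` as a separator, and both are metacharacters that would split on every character or on nothing rather than on the literal symbol. I would extend the comment with: `Note that, at least on the StAX path, the separator is applied as a regular expression when splitting the constraints string, so regex metacharacters such as "|" or "." must be escaped; a single literal character that cannot appear in any constraint pattern is recommended.` If the split is changed to quote the separator, the sentence should instead say the value is matched literally.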
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
index e222faa..fcc4295 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
@@ -179,6 +179,12 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap
             msg.put(ConfigurationConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
         }
 
+        String certConstraintsSeparator =
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, msg);
+        if (certConstraintsSeparator != null && !certConstraintsSeparator.isEmpty()) {
+            msg.put(ConfigurationConstants.SIG_CERT_CONSTRAINTS_SEPARATOR, certConstraintsSeparator);
+        }
+
         // Now set SAML SenderVouches + Holder Of Key requirements
         String valSAMLSubjectConf =
             (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
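Review bot: The separator is forwarded to WSS4J here with no interpretation, whereas the Stax interceptor changed in this same commit splits on it locally with `String.split` and hard-codes `,` as its fallback, so the DOM and StAX paths can diverge if `SIG_CERT_CONSTRAINTS_SEPARATOR` is consumed differently (literal versus regex split) or if WSS4J's own default is ever something other than `,`. It is worth confirming the WSS4J side matches, and a comment such as `// Not set when absent: WSS4J applies its own default separator (","), unlike the StAX interceptor which defaults locally` would make the deliberate asymmetry visible to the next reader. The enclosing method starts and ends outside the hunk.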
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
index 299efe0..55338a4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
@@ -149,7 +149,13 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
         String certConstraints =
             (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg);
         if (certConstraints != null && !"".equals(certConstraints)) {
-            securityProperties.setSubjectCertConstraints(convertCertConstraints(certConstraints));
+            String certConstraintsSeparator =
+                (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, msg);
+            if (certConstraintsSeparator == null || certConstraintsSeparator.isEmpty()) {
+                certConstraintsSeparator = ",";
+            }
+            securityProperties.setSubjectCertConstraints(
+                convertCertConstraints(certConstraints, certConstraintsSeparator));
         }
 
         // Now set SAML SenderVouches + Holder Of Key requirements
@@ -174,8 +180,8 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
         securityProperties.setDisableSchemaValidation(!validateSchemas);
     }
 
-    private Collection<Pattern> convertCertConstraints(String certConstraints) {
-        String[] certConstraintsList = certConstraints.split(",");
+    private Collection<Pattern> convertCertConstraints(String certConstraints, String separator) {
+        String[] certConstraintsList = certConstraints.split(separator);
         if (certConstraintsList.length > 0) {
             Collection<Pattern> subjectCertConstraints = new ArrayList<>(certConstraintsList.length);
             for (String certConstraint : certConstraintsList) {
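Review bot: `certConstraints.split(separator)` on the new line treats the configured separator as a regular expression, so a separator made of regex metacharacters is mis-parsed: `.` yields an empty array, `|` splits between every character, and `*` throws a PatternSyntaxException at request time. Since the constraint entries are regexes themselves, such separators are plausible choices for a user. Split on the literal value instead, `String[] certConstraintsList = certConstraints.split(Pattern.quote(separator));` — Pattern is already in scope from the return type. The remainder of `convertCertConstraints` lies outside the hunk; it is worth confirming that when `length > 0` is false the method does not return an empty or null collection that `setSubjectCertConstraints` would treat as "no constraints configured", which would silently disable the subject-DN check on a misconfigured separator.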
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
index 2191e44..27462d4 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
@@ -344,7 +344,8 @@
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportSupportingSignedCertConstraints" address="https://localhost:${testutil.ports.x509.Server.2}/DoubleItX509TransportSupportingSignedCertConstraints" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportSupportingSignedCertConstraintsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl" depends-on="tls-settings">
         <jaxws:properties>
             <entry key="security.signature.properties" value="cxfca.properties"/>
-            <entry key="security.subject.cert.constraints" value=".*CN=alice.*"/>
+            <entry key="security.cert.constraints.separator" value=";"/>
+            <entry key="security.subject.cert.constraints" value=".*CN=alice.*;.*CN=dave.*"/>
         </jaxws:properties>
     </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportKVT" address="https://localhost:${testutil.ports.x509.Server.2}/DoubleItX509TransportKVT" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportKVTPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl" depends-on="tls-settings">
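Review bot: The updated endpoint only exercises `;`, which is safe in `String.split`, so the test would not catch a separator that is a regex metacharacter being mis-split on the StAX path. Consider a second endpoint, or a unit test around the interceptor, configured with `<entry key="security.cert.constraints.separator" value="|"/>` and the matching `.*CN=alice.*|.*CN=dave.*`, asserting that both alice and dave are accepted and a third identity is rejected. Without that, a fix to quote the separator has no regression coverage.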