From gma...@apache.org
Subject svn commit: r642095 - in /incubator/cxf/trunk: api/src/main/java/org/apache/cxf/configuration/jsse/ common/schemas/src/main/resources/schemas/configuration/ rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ rt/transports/http/src/...
Date Fri, 28 Mar 2008 06:18:20 GMT
Author: gmazza
Date: Thu Mar 27 23:18:19 2008
New Revision: 642095

URL: http://svn.apache.org/viewvc?rev=642095&view=rev
Log:
Reactivating hostname = SSL certificate common name (CN) check for https:// based SOAP client
requests.  The cxf.xml config property I chose to disable this option is "disableCNCheck".
 I'm open to other names if anyone can think of something better.

Modified:
    incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
    incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
    incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
    incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
    incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
    incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java

Modified: incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
--- incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
(original)
+++ incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
Thu Mar 27 23:18:19 2008
@@ -24,5 +24,24 @@
  * 
  */
 public class TLSClientParameters extends TLSParameterBase {
-    
+    private boolean disableCNCheck;
+
+    /**
+     * Set whether or not JSEE should omit checking if the host name
+     * specified in the URL matches that of the Common Name
+     * (CN) on the server's certificate. Default is false;  
+     * this attribute should not be set to true during production use.
+     */
+    public void setDisableCNCheck(boolean disableCNCheck) {
+        this.disableCNCheck = disableCNCheck;
+    }
+
+    /**
+     * Returns whether or not JSSE omits checking if the
+     * host name specified in the URL matches that of the Common Name
+     * (CN) on the server's certificate.
+     */
+    public boolean isDisableCNCheck() {
+        return disableCNCheck;
+    }
 }
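Review bot: The setter Javadoc in this hunk says "JSEE" while the getter below it says "JSSE"; the typo should be fixed and both methods should carry tags, e.g. `@param disableCNCheck true to skip the hostname-vs-server-certificate check (development and testing only)` on the setter and `@return true when the hostname check is disabled` on the getter. Because this flag switches off a security check, a short comment on the field itself, such as `// false by default: the https URL hostname must match the server certificate`, makes the safe default visible to anyone reading the class rather than the accessors. The getter Javadoc would also benefit from a matching `@see #setDisableCNCheck(boolean)`.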

Modified: incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
--- incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
(original)
+++ incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
Thu Mar 27 23:18:19 2008
@@ -380,6 +380,16 @@
               </xs:annotation>
            </xs:element>
         </xs:all>
+           <xs:attribute name="disableCNCheck" type="xs:boolean" default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies if JSSE should omit checking if the
+                host name specified in the URL matches that of the Common Name
+                (CN) on the server's certificate.  Default is false; this attribute 
+                should not be set to true during production use.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
            <xs:attribute name="jsseProvider"          type="xs:string">
               <xs:annotation>
                 <xs:documentation>

Modified: incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
--- incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
(original)
+++ incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
Thu Mar 27 23:18:19 2008
@@ -76,7 +76,7 @@
         if (xmlReader == null) {
             InputStream in = (InputStream)message.getContent(InputStream.class);
             if (in == null) {
-                throw new RuntimeException("Can't found input stream in message");
+                throw new RuntimeException("Can't find input stream in message");
             }
             xmlReader = StaxUtils.createXMLStreamReader(in);
         }

Modified: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
--- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
(original)
+++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
Thu Mar 27 23:18:19 2008
@@ -38,6 +38,9 @@
         throws GeneralSecurityException,
                IOException {
 
+        if (params.isDisableCNCheck()) {
+            this.setDisableCNCheck(true);
+        }
         if (params.isSetCipherSuitesFilter()) {
             this.setCipherSuitesFilter(params.getCipherSuitesFilter());
         }
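Review bot: The new `if (params.isDisableCNCheck()) { this.setDisableCNCheck(true); }` is a conditional that only ever assigns the value it just tested; `this.setDisableCNCheck(params.isDisableCNCheck());` expresses the same in one line and spares the reader from wondering whether a false value is deliberately left unhandled. The neighbouring guards use `isSetX()` because those elements are optional, whereas the schema in this commit gives the attribute a default of false, so an unconditional copy is consistent with the schema. The enclosing method or constructor starts outside the hunk.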

Modified: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
--- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
(original)
+++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
Thu Mar 27 23:18:19 2008
@@ -402,7 +402,8 @@
                     + "' has been configured for TLS "
                     + "keyManagers " + tlsClientParameters.getKeyManagers()
                     + "trustManagers " + tlsClientParameters.getTrustManagers()
-                    + "secureRandom " + tlsClientParameters.getSecureRandom());
+                    + "secureRandom " + tlsClientParameters.getSecureRandom()
+                    + "Disable Common Name (CN) Check: " + tlsClientParameters.isDisableCNCheck());
             }
         } else {
             if (LOG.isLoggable(Level.FINE)) {
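Review bot: The added fragment `+ "Disable Common Name (CN) Check: " + ...` is concatenated directly after the secureRandom value with no separator, so the FINE message reads `...secureRandom <value>Disable Common Name (CN) Check: ...`; a leading separator on the new literal, e.g. `+ ", Disable Common Name (CN) Check: " + tlsClientParameters.isDisableCNCheck()`, keeps the line readable. The existing keyManagers/trustManagers/secureRandom fragments above have the same run-together problem and could be fixed in the same pass. The enclosing method starts outside the hunk.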
@@ -1752,7 +1753,18 @@
          */
         @Override
         protected void onFirstWrite() throws IOException {
-            handleHeadersTrustCaching();
+            try {
+                handleHeadersTrustCaching();
+            } catch (IOException e) {
+                if (e.getMessage() != null && e.getMessage().contains("HTTPS hostname
wrong:")) {
+                    throw new IOException("The https URL hostname does not match the " 
+                        + "Common Name (CN) on the server certificate.  To disable this check
" 
+                        + "(NOT recommended for production) set the CXF client TLS configuration
" 
+                        + "property \"disableCNCheck\" to true.");
+                } else {
+                    throw e;
+                }
+            }
         }
         
         protected void handleHeadersTrustCaching() throws IOException {
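Review bot: The rethrow in `onFirstWrite` creates a fresh `IOException` and drops the caught `e`, so the stack trace that shows where the hostname check actually failed is lost; keep it by chaining, e.g. `IOException wrapped = new IOException("The https URL hostname does not match the " + ...);` then `wrapped.initCause(e);` and `throw wrapped;` (`initCause` is available on every Throwable, so this does not depend on the cause-taking IOException constructor). Matching on `e.getMessage().contains("HTTPS hostname wrong:")` ties the friendlier message to the wording of one JSSE implementation, and a comment such as `// message text comes from the JDK's default HttpsURLConnection hostname check; other providers may word it differently, in which case the original exception is rethrown unchanged` tells the next maintainer why a changed runtime silently loses the hint. The string literals in this hunk appear to be wrapped across lines by the mail archive rather than in the source file.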

Modified: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
--- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
(original)
+++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Thu Mar 27 23:18:19 2008
@@ -60,7 +60,7 @@
     private static final Logger LOG =
         LogUtils.getL7dLogger(HttpsURLConnectionFactory.class);
     
-    private static final HostnameVerifier VERIFIER = new AlwaysTrueHostnameVerifier();
+    private static final HostnameVerifier DISABLE_HOSTNAME_VERIFIER = new AlwaysTrueHostnameVerifier();
     
     /*
      *  For development and testing only
@@ -105,7 +105,7 @@
     }
     
     /**
-     * Create a HttpURLConnection, proxified if neccessary.
+     * Create a HttpURLConnection, proxified if necessary.
      * 
      * 
      * @param proxy This parameter is non-null if connection should be proxied.
@@ -153,17 +153,12 @@
     }
 
     /**
-     * This class is the default hostname verifier that the
-     * HttpsURLConnection implementation uses to verify that
-     * a hostname belongs to a particular verified key/certificate
-     * pair. 
-     * <p>
-     * The default is to make sure that "CN=<hostname>", which
-     * isn't always desired. The MessageTrustDecider is
-     * the point at which an application can place trust in the
-     * certificate and target URL. We use this default of always
-     * returning true, delegating the trust decision to the 
-     * MessageTrustDecider.
+     * This "accept all" hostname verifier is activated when the 
+     * disableCNCheck TLS client configuration parameter is set to 
+     * true (not recommended for production use).  The default of
+     * false makes sure the Common Name (CN) on the server 
+     * certificate equals that of the https:// URL provided by
+     * the SOAP client.
      */
     private static class AlwaysTrueHostnameVerifier implements HostnameVerifier {
 
@@ -212,7 +207,9 @@
             socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(),
                                                         cipherSuites);
         }
-        connection.setHostnameVerifier(VERIFIER);        
+        if (tlsClientParameters.isDisableCNCheck()) {
+            connection.setHostnameVerifier(DISABLE_HOSTNAME_VERIFIER);
+        }
         connection.setSSLSocketFactory(socketFactory);
     }
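Review bot: Installing `DISABLE_HOSTNAME_VERIFIER` when `isDisableCNCheck()` is true silently removes the hostname-to-certificate check for that connection; since the commit's own Javadoc calls this unsuitable for production, the branch should announce it at runtime, e.g. `LOG.warning("disableCNCheck is true: hostname verification is disabled for " + connection.getURL());` using the class's existing LOG (if that localized logger requires a bundle key rather than a literal, the message belongs in the bundle). A comment above the `if`, such as `// when false, the HttpsURLConnection default verifier stays in place and the URL hostname must match the server certificate`, documents the other path, which is no longer visible in the code now that the unconditional `setHostnameVerifier` call is gone. The enclosing method starts outside the hunk.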
 


