cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r808542 - in /cxf/branches/2.2.x-fixes: ./ common/common/src/main/java/org/apache/cxf/helpers/ rt/transports/http/src/main/java/org/apache/cxf/transport/http/ rt/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/bu...
Date Thu, 27 Aug 2009 17:13:04 GMT
Author: dkulp
Date: Thu Aug 27 17:13:03 2009
New Revision: 808542

URL: http://svn.apache.org/viewvc?rev=808542&view=rev
Log:
Merged revisions 808464 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r808464 | dkulp | 2009-08-27 11:38:42 -0400 (Thu, 27 Aug 2009) | 1 line
  
  [CXF-2406] Fix issues with HttpsToken RequireClientCertificate
........

Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java
    cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
    cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug 27 17:13:03 2009
@@ -1 +1 @@
-/cxf/trunk:782728-782730,783097,783294,783396,784059,784181-784184,784893,784895,785279-785282,785468,785621,785624,785651,785734,785866,786142,786271-786272,786395,786512,786514,786582-786583,786638,786647,786850,787200,787269,787277-787279,787290-787291,787305,787323,787366,787849,788030,788060,788187,788444,788451,788703,788752,788774,788819-788820,789013,789371,789387,789420,789527-789530,789704-789705,789788,789811,789896-789901,790074,790094,790134,790188,790294,790553,790637-790644,790868,791301,791354,791538,791753,791947,792007,792096,792183,792261-792265,792271,792604,792683-792685,792975,792985,793059,793570,794297,794396,794680,794728,794771,794778-794780,794892,795044,795104,795160,795583,795907,796022-796023,796352,796593,796741,796780,796994-796997,797117,797159,797192,797194,797231-797233,797442,797505,797517,797534,797581-797583,797587,797640,797651,797699,797882-797883,798344-798346,798363,798461,798479,798533,798551,798557,798561-798562,798570,798573,79858
 4,798654,798748-798749,798816,798891,798929-798930,799245,799267,799439,799448,799637,799723-799724,799792,800453,800497-800498,801380-801381,801447,801962,802892,803056,803129,803419,803460,803493,803689,804002,804175,804276,805784,805907,805909,806020-806021,806023,806405-806406,806576,806602-806604,806620,806627,806631,806633,806638,806687,806876,806922,806979-806982,807181,807205,807295,807748,807807,808035,808069,808085,808107
+/cxf/trunk:782728-782730,783097,783294,783396,784059,784181-784184,784893,784895,785279-785282,785468,785621,785624,785651,785734,785866,786142,786271-786272,786395,786512,786514,786582-786583,786638,786647,786850,787200,787269,787277-787279,787290-787291,787305,787323,787366,787849,788030,788060,788187,788444,788451,788703,788752,788774,788819-788820,789013,789371,789387,789420,789527-789530,789704-789705,789788,789811,789896-789901,790074,790094,790134,790188,790294,790553,790637-790644,790868,791301,791354,791538,791753,791947,792007,792096,792183,792261-792265,792271,792604,792683-792685,792975,792985,793059,793570,794297,794396,794680,794728,794771,794778-794780,794892,795044,795104,795160,795583,795907,796022-796023,796352,796593,796741,796780,796994-796997,797117,797159,797192,797194,797231-797233,797442,797505,797517,797534,797581-797583,797587,797640,797651,797699,797882-797883,798344-798346,798363,798461,798479,798533,798551,798557,798561-798562,798570,798573,79858
 4,798654,798748-798749,798816,798891,798929-798930,799245,799267,799439,799448,799637,799723-799724,799792,800453,800497-800498,801380-801381,801447,801962,802892,803056,803129,803419,803460,803493,803689,804002,804175,804276,805784,805907,805909,806020-806021,806023,806405-806406,806576,806602-806604,806620,806627,806631,806633,806638,806687,806876,806922,806979-806982,807181,807205,807295,807748,807807,808035,808069,808085,808107,808464

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java
(original)
+++ cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java
Thu Aug 27 17:13:03 2009
@@ -175,7 +175,13 @@
     }
 
     public static String getAttribute(Element element, QName attName) {
-        return element.getAttributeNS(attName.getNamespaceURI(), attName.getLocalPart());
+        Attr attr;
+        if (StringUtils.isEmpty(attName.getNamespaceURI())) {
+            attr = element.getAttributeNode(attName.getLocalPart());
+        } else {
+            attr = element.getAttributeNodeNS(attName.getNamespaceURI(), attName.getLocalPart());
+        }
+        return attr == null ? null : attr.getValue();
     }
 
     public static void setAttribute(Node node, String attName, String val) {

Modified: cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
Thu Aug 27 17:13:03 2009
@@ -650,22 +650,39 @@
         HttpURLConnection connection = 
             (HttpURLConnection) message.get(KEY_HTTP_CONNECTION);
         
-        if (trustDecider != null) {
+        MessageTrustDecider decider2 = message.get(MessageTrustDecider.class);
+        if (trustDecider != null || decider2 != null) {
             try {
                 // We must connect or we will not get the credentials.
                 // The call is (said to be) ingored internally if
                 // already connected.
                 connection.connect();
-                trustDecider.establishTrust(
-                    getConduitName(), 
-                    getConnectionFactory(connection.getURL()).getConnectionInfo(connection),
-                    message);
-                if (LOG.isLoggable(Level.FINE)) {
-                    LOG.log(Level.FINE, "Trust Decider "
-                        + trustDecider.getLogicalName()
-                        + " considers Conduit "
-                        + getConduitName() 
-                        + " trusted.");
+                URLConnectionInfo info = getConnectionFactory(connection.getURL())
+                    .getConnectionInfo(connection);
+                if (trustDecider != null) {
+                    trustDecider.establishTrust(
+                        getConduitName(), 
+                        info,
+                        message);
+                    if (LOG.isLoggable(Level.FINE)) {
+                        LOG.log(Level.FINE, "Trust Decider "
+                            + trustDecider.getLogicalName()
+                            + " considers Conduit "
+                            + getConduitName() 
+                            + " trusted.");
+                    }
+                }
+                if (decider2 != null) {
+                    decider2.establishTrust(getConduitName(), 
+                                            info,
+                                            message);
+                    if (LOG.isLoggable(Level.FINE)) {
+                        LOG.log(Level.FINE, "Trust Decider "
+                            + decider2.getLogicalName()
+                            + " considers Conduit "
+                            + getConduitName() 
+                            + " trusted.");
+                    }
                 }
             } catch (UntrustedURLConnectionIOException untrustedEx) {
                 // This cast covers HttpsURLConnection as well.

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml Thu Aug 27 17:13:03 2009
@@ -82,6 +82,12 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-transports-http</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
             <groupId>javax.xml.soap</groupId>
             <artifactId>saaj-api</artifactId>
         </dependency>

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
Thu Aug 27 17:13:03 2009
@@ -76,7 +76,7 @@
             if (attr != null) {
                 httpsToken.setRequireClientCertificate("true".equals(attr));
             }
-        } else if (consts.getVersion() == SPConstants.Version.SP_V11) {
+        } else {
             Element polEl = PolicyConstants.findPolicyElement(element);
              
             if (polEl != null) {

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=808542&r1=808541&r2=808542&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Thu Aug 27 17:13:03 2009
@@ -34,6 +34,10 @@
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.transport.http.MessageTrustDecider;
+import org.apache.cxf.transport.http.URLConnectionInfo;
+import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
+import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -46,7 +50,7 @@
  * 
  */
 public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
-
+    
     public HttpsTokenInterceptorProvider() {
         super(Arrays.asList(SP11Constants.HTTPS_TOKEN, SP12Constants.HTTPS_TOKEN));
         this.getOutInterceptors().add(new HttpsTokenOutInterceptor());
@@ -67,7 +71,7 @@
 
     static class HttpsTokenOutInterceptor extends AbstractPhaseInterceptor<Message>
{
         public HttpsTokenOutInterceptor() {
-            super(Phase.PREPARE_SEND);
+            super(Phase.PRE_STREAM);
         }
         public void handleMessage(Message message) throws Fault {
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
@@ -96,11 +100,29 @@
                 
                 ai.setAsserted(true);
                 Map<String, List<String>> headers = getSetProtocolHeaders(message);
+                
                 if (connection instanceof HttpsURLConnection) {
-                    HttpsURLConnection https = (HttpsURLConnection)connection;
-                    if (token.isRequireClientCertificate()
-                        && https.getLocalCertificates().length == 0) {
-                        ai.setNotAsserted("RequireClientCertificate is set, but no local
certificates");
+                    if (token.isRequireClientCertificate()) {
+                        final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
+                        MessageTrustDecider trust = new MessageTrustDecider() {
+                            public void establishTrust(String conduitName,
+                                                       URLConnectionInfo connectionInfo,
+                                                       Message message)
+                                throws UntrustedURLConnectionIOException {
+                                if (orig != null) {
+                                    orig.establishTrust(conduitName, connectionInfo, message);
+                                }
+                                HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;
+                                if (info.getLocalCertificates() == null 
+                                    || info.getLocalCertificates().length == 0) {
+                                    throw new UntrustedURLConnectionIOException(
+                                        "RequireClientCertificate is set, "
+                                        + "but no local certificates we negotiated.  Is"
+                                        + " the server set to ask for client authorization?");
+                                }
+                            }
+                        };
+                        message.put(MessageTrustDecider.class, trust);
                     }
                     if (token.isHttpBasicAuthentication()) {
                         List<String> auth = headers.get("Authorization");
@@ -174,7 +196,8 @@
                 TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);             
  
                 if (tlsInfo != null) {
                     if (token.isRequireClientCertificate()
-                        && tlsInfo.getPeerCertificates().length == 0) {
+                        && (tlsInfo.getPeerCertificates() == null 
+                            || tlsInfo.getPeerCertificates().length == 0)) {
                         asserted = false;
                     }
                 } else {



Mime
View raw message