Return-Path: Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: (qmail 93360 invoked from network); 27 Aug 2009 15:39:15 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 27 Aug 2009 15:39:15 -0000 Received: (qmail 28588 invoked by uid 500); 27 Aug 2009 15:39:15 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 28470 invoked by uid 500); 27 Aug 2009 15:39:14 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 28461 invoked by uid 99); 27 Aug 2009 15:39:14 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Aug 2009 15:39:14 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Aug 2009 15:39:11 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 03D1123888FC; Thu, 27 Aug 2009 15:38:50 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r808464 - in /cxf/trunk: common/common/src/main/java/org/apache/cxf/helpers/ rt/transports/http/src/main/java/org/apache/cxf/transport/http/ rt/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/secu... Date: Thu, 27 Aug 2009 15:38:46 -0000 To: commits@cxf.apache.org 
From: dkulp@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090827153850.03D1123888FC@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: dkulp Date: Thu Aug 27 15:38:42 2009 New Revision: 808464 URL: http://svn.apache.org/viewvc?rev=808464&view=rev Log: [CXF-2406] Fix issues with HttpsToken RequireClientCertificate Modified: cxf/trunk/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java cxf/trunk/rt/ws/security/pom.xml cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Modified: cxf/trunk/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java URL: http://svn.apache.org/viewvc/cxf/trunk/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java?rev=808464&r1=808463&r2=808464&view=diff ============================================================================== --- cxf/trunk/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java (original) +++ cxf/trunk/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java Thu Aug 27 15:38:42 2009 
@@ -175,7 +175,13 @@
 }
 public static String getAttribute(Element element, QName attName) {
- return element.getAttributeNS(attName.getNamespaceURI(), attName.getLocalPart());
+ Attr attr;
+ if (StringUtils.isEmpty(attName.getNamespaceURI())) {
+ attr = element.getAttributeNode(attName.getLocalPart());
+ } else {
+ attr = element.getAttributeNodeNS(attName.getNamespaceURI(), attName.getLocalPart());
+ }
+ return attr == null ? null : attr.getValue();
 }
 public static void setAttribute(Node node, String attName, String val) {
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=808464&r1=808463&r2=808464&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java Thu Aug 27 15:38:42 2009
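Review bot: The rewritten `getAttribute` changes its contract for an absent attribute from `""` (what `Element.getAttributeNS` returns) to `null`, and the hunk adds no Javadoc saying so; any existing caller that does `getAttribute(el, q).equals(...)` or `.length()` on the result will now throw NullPointerException instead of comparing against the empty string. Since this helper lives in cxf-common rather than in the WS-Security module the fix targets, the blast radius is every module that uses it, so please add `/** Returns the attribute's value, or {@code null} if the attribute is absent (unlike {@link Element#getAttributeNS}, which returns ""). */` above the method and grep callers for unguarded use. The `HttpsTokenBuilder` hunk further down already guards with `if (attr != null)`, so that caller is fine.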
@@ -650,22 +650,39 @@
 HttpURLConnection connection = (HttpURLConnection) message.get(KEY_HTTP_CONNECTION);
- if (trustDecider != null) {
+ MessageTrustDecider decider2 = message.get(MessageTrustDecider.class);
+ if (trustDecider != null || decider2 != null) {
 try {
 // We must connect or we will not get the credentials.
 // The call is (said to be) ingored internally if
 // already connected.
 connection.connect();
- trustDecider.establishTrust(
- getConduitName(),
- getConnectionFactory(connection.getURL()).getConnectionInfo(connection),
- message);
- if (LOG.isLoggable(Level.FINE)) {
- LOG.log(Level.FINE, "Trust Decider "
- + trustDecider.getLogicalName()
- + " considers Conduit "
- + getConduitName()
- + " trusted.");
+ URLConnectionInfo info = getConnectionFactory(connection.getURL())
+ .getConnectionInfo(connection);
+ if (trustDecider != null) {
+ trustDecider.establishTrust(
+ getConduitName(),
+ info,
+ message);
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.log(Level.FINE, "Trust Decider "
+ + trustDecider.getLogicalName()
+ + " considers Conduit "
+ + getConduitName()
+ + " trusted.");
+ }
+ }
+ if (decider2 != null) {
+ decider2.establishTrust(getConduitName(),
+ info,
+ message);
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.log(Level.FINE, "Trust Decider "
+ + decider2.getLogicalName()
+ + " considers Conduit "
+ + getConduitName()
+ + " trusted.");
+ }
 }
 } catch (UntrustedURLConnectionIOException untrustedEx) {
 // This cast covers HttpsURLConnection as well.
Modified: cxf/trunk/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=808464&r1=808463&r2=808464&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Thu Aug 27 15:38:42 2009
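Review bot: The new per-message decider is consulted only after the conduit's configured one and nothing in the hunk says where it comes from or how the two relate, so a comment above the new `MessageTrustDecider decider2 = message.get(MessageTrustDecider.class);` would save the next reader a trace: `// A decider placed on the message (e.g. by a policy interceptor) is checked after the conduit's configured decider; either one vetoes the connection by throwing UntrustedURLConnectionIOException.` The name `decider2` conveys none of that; `messageTrustDecider` would. Both FINE log statements print identical text for the two deciders, so a log reader cannot tell which one accepted the connection; adding a word such as `" (per-message)"` to the second message would fix that. The enclosing method begins before the hunk and the `catch` block continues past its end.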
@@ -82,6 +82,12 @@ provided + org.apache.cxf + cxf-rt-transports-http + ${project.version} + provided + + javax.xml.soap saaj-api Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java?rev=808464&r1=808463&r2=808464&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java Thu Aug 27 15:38:42 2009 @@ -76,7 +76,7 @@ if (attr != null) { httpsToken.setRequireClientCertificate("true".equals(attr)); } - } else if (consts.getVersion() == SPConstants.Version.SP_V11) { + } else { Element polEl = PolicyConstants.findPolicyElement(element); if (polEl != null) { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=808464&r1=808463&r2=808464&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Thu Aug 27 15:38:42 2009 
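Review bot: In the `HttpsTokenBuilder` hunk, replacing `} else if (consts.getVersion() == SPConstants.Version.SP_V11) {` with a bare `} else {` means the nested `wsp:Policy` form is now parsed for every policy version that does not take the first branch (whose condition is outside the hunk), and the commit log does not say why; presumably the point is that SP 1.2 policies using the nested form were previously silently parsed with `RequireClientCertificate` left false, which is a security requirement quietly dropped, and a comment such as `// Both SP 1.1 and SP 1.2 may express RequireClientCertificate as a nested policy; fall through for any version.` would record that. A related caveat on the visible context line `httpsToken.setRequireClientCertificate("true".equals(attr));`: if the attribute is typed xs:boolean, a policy author writing `"1"` gets the requirement silently disabled rather than an error, which is the same failure mode this commit is fixing. The enclosing method starts and ends outside the hunk.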
@@ -34,6 +34,10 @@
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.transport.http.MessageTrustDecider;
+import org.apache.cxf.transport.http.URLConnectionInfo;
+import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
+import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -46,7 +50,7 @@
 *
 */
 public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
-
+
 public HttpsTokenInterceptorProvider() {
 super(Arrays.asList(SP11Constants.HTTPS_TOKEN, SP12Constants.HTTPS_TOKEN));
 this.getOutInterceptors().add(new HttpsTokenOutInterceptor());
@@ -67,7 +71,7 @@
 static class HttpsTokenOutInterceptor extends AbstractPhaseInterceptor {
 public HttpsTokenOutInterceptor() {
- super(Phase.PREPARE_SEND);
+ super(Phase.PRE_STREAM);
 }
 public void handleMessage(Message message) throws Fault {
 AssertionInfoMap aim = message.get(AssertionInfoMap.class);
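Review bot: The move of `HttpsTokenOutInterceptor` from `Phase.PREPARE_SEND` to `Phase.PRE_STREAM` is the load-bearing part of this fix yet carries no explanation; presumably the interceptor must now run before the HTTP conduit opens the connection so that the `MessageTrustDecider` it puts on the message is present when trust is established, and a later phase would leave the client-certificate requirement silently unenforced. Please pin that down with a comment on the constructor: `// PRE_STREAM: must run before HTTPConduit connects, otherwise the MessageTrustDecider registered in handleMessage is never consulted.` The imports hunk above also makes cxf-rt-ws-security depend on classes from cxf-rt-transports-http (matching the pom change), a new cross-module coupling that the commit log should mention. `handleMessage` continues beyond the hunk.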
@@ -96,11 +100,29 @@
 ai.setAsserted(true);
 Map> headers = getSetProtocolHeaders(message);
+
 if (connection instanceof HttpsURLConnection) {
- HttpsURLConnection https = (HttpsURLConnection)connection;
- if (token.isRequireClientCertificate()
- && https.getLocalCertificates().length == 0) {
- ai.setNotAsserted("RequireClientCertificate is set, but no local certificates");
+ if (token.isRequireClientCertificate()) {
+ final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
+ MessageTrustDecider trust = new MessageTrustDecider() {
+ public void establishTrust(String conduitName,
+ URLConnectionInfo connectionInfo,
+ Message message)
+ throws UntrustedURLConnectionIOException {
+ if (orig != null) {
+ orig.establishTrust(conduitName, connectionInfo, message);
+ }
+ HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;
+ if (info.getLocalCertificates() == null
+ || info.getLocalCertificates().length == 0) {
+ throw new UntrustedURLConnectionIOException(
+ "RequireClientCertificate is set, "
+ + "but no local certificates we negotiated. Is"
+ + " the server set to ask for client authorization?");
+ }
+ }
+ };
+ message.put(MessageTrustDecider.class, trust);
 }
 if (token.isHttpBasicAuthentication()) {
 List auth = headers.get("Authorization");
@@ -174,7 +196,8 @@
 TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
 if (tlsInfo != null) {
 if (token.isRequireClientCertificate()
- && tlsInfo.getPeerCertificates().length == 0) {
+ && (tlsInfo.getPeerCertificates() == null
+ || tlsInfo.getPeerCertificates().length == 0)) {
 asserted = false;
 }
 } else {
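Review bot: The unchecked cast `HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;` inside the new `MessageTrustDecider` throws ClassCastException rather than `UntrustedURLConnectionIOException` if the conduit ever supplies a plain `URLConnectionInfo`; the surrounding `instanceof HttpsURLConnection` check makes that unlikely, but nothing in the hunk guarantees the info type, and a CCE escaping `establishTrust` skips the `catch (UntrustedURLConnectionIOException ...)` path in HTTPConduit. Keep the failure a trust failure by guarding first: `if (!(connectionInfo instanceof HttpsURLConnectionInfo)) { throw new UntrustedURLConnectionIOException("RequireClientCertificate is set, but the connection is not HTTPS"); }`. The exception text also has a typo, `"but no local certificates we negotiated. Is"` should read `were negotiated`. Note that the assertion is now marked asserted up front (`ai.setAsserted(true)` is visible context) and enforcement has moved into the conduit's trust decision, so a missing client certificate now fails the request at connect time instead of failing the policy assertion as the removed `setNotAsserted` branch did; that is fail-closed, but it deserves a comment such as `// Enforcement happens in HTTPConduit via the trust decider; the assertion itself is reported as asserted.` `handleMessage` begins and ends outside the hunk.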