Return-Path: Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: (qmail 49435 invoked from network); 27 Aug 2009 17:13:26 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 27 Aug 2009 17:13:26 -0000 Received: (qmail 77284 invoked by uid 500); 27 Aug 2009 17:13:26 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 77196 invoked by uid 500); 27 Aug 2009 17:13:26 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 77187 invoked by uid 99); 27 Aug 2009 17:13:26 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Aug 2009 17:13:26 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Aug 2009 17:13:24 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 4A1EE23888FC; Thu, 27 Aug 2009 17:13:04 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r808542 - in /cxf/branches/2.2.x-fixes: ./ common/common/src/main/java/org/apache/cxf/helpers/ rt/transports/http/src/main/java/org/apache/cxf/transport/http/ rt/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/bu... Date: Thu, 27 Aug 2009 17:13:04 -0000 To: commits@cxf.apache.org 
From: dkulp@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090827171304.4A1EE23888FC@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: dkulp Date: Thu Aug 27 17:13:03 2009 New Revision: 808542 URL: http://svn.apache.org/viewvc?rev=808542&view=rev Log: Merged revisions 808464 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r808464 | dkulp | 2009-08-27 11:38:42 -0400 (Thu, 27 Aug 2009) | 1 line [CXF-2406] Fix issues with HttpsToken RequireClientCertificate ........ Modified: cxf/branches/2.2.x-fixes/ (props changed) cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Propchange: cxf/branches/2.2.x-fixes/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Thu Aug 27 17:13:03 2009 
@@ -1 +1 @@ -/cxf/trunk:782728-782730,783097,783294,783396,784059,784181-784184,784893,784895,785279-785282,785468,785621,785624,785651,785734,785866,786142,786271-786272,786395,786512,786514,786582-786583,786638,786647,786850,787200,787269,787277-787279,787290-787291,787305,787323,787366,787849,788030,788060,788187,788444,788451,788703,788752,788774,788819-788820,789013,789371,789387,789420,789527-789530,789704-789705,789788,789811,789896-789901,790074,790094,790134,790188,790294,790553,790637-790644,790868,791301,791354,791538,791753,791947,792007,792096,792183,792261-792265,792271,792604,792683-792685,792975,792985,793059,793570,794297,794396,794680,794728,794771,794778-794780,794892,795044,795104,795160,795583,795907,796022-796023,796352,796593,796741,796780,796994-796997,797117,797159,797192,797194,797231-797233,797442,797505,797517,797534,797581-797583,797587,797640,797651,797699,797882-797883,798344-798346,798363,798461,798479,798533,798551,798557,798561-798562,798570,798573,79858 4,798654,798748-798749,798816,798891,798929-798930,799245,799267,799439,799448,799637,799723-799724,799792,800453,800497-800498,801380-801381,801447,801962,802892,803056,803129,803419,803460,803493,803689,804002,804175,804276,805784,805907,805909,806020-806021,806023,806405-806406,806576,806602-806604,806620,806627,806631,806633,806638,806687,806876,806922,806979-806982,807181,807205,807295,807748,807807,808035,808069,808085,808107 
+/cxf/trunk:782728-782730,783097,783294,783396,784059,784181-784184,784893,784895,785279-785282,785468,785621,785624,785651,785734,785866,786142,786271-786272,786395,786512,786514,786582-786583,786638,786647,786850,787200,787269,787277-787279,787290-787291,787305,787323,787366,787849,788030,788060,788187,788444,788451,788703,788752,788774,788819-788820,789013,789371,789387,789420,789527-789530,789704-789705,789788,789811,789896-789901,790074,790094,790134,790188,790294,790553,790637-790644,790868,791301,791354,791538,791753,791947,792007,792096,792183,792261-792265,792271,792604,792683-792685,792975,792985,793059,793570,794297,794396,794680,794728,794771,794778-794780,794892,795044,795104,795160,795583,795907,796022-796023,796352,796593,796741,796780,796994-796997,797117,797159,797192,797194,797231-797233,797442,797505,797517,797534,797581-797583,797587,797640,797651,797699,797882-797883,798344-798346,798363,798461,798479,798533,798551,798557,798561-798562,798570,798573,79858 4,798654,798748-798749,798816,798891,798929-798930,799245,799267,799439,799448,799637,799723-799724,799792,800453,800497-800498,801380-801381,801447,801962,802892,803056,803129,803419,803460,803493,803689,804002,804175,804276,805784,805907,805909,806020-806021,806023,806405-806406,806576,806602-806604,806620,806627,806631,806633,806638,806687,806876,806922,806979-806982,807181,807205,807295,807748,807807,808035,808069,808085,808107,808464 Propchange: cxf/branches/2.2.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. 
Modified: cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java?rev=808542&r1=808541&r2=808542&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java (original) +++ cxf/branches/2.2.x-fixes/common/common/src/main/java/org/apache/cxf/helpers/DOMUtils.java Thu Aug 27 17:13:03 2009 @@ -175,7 +175,13 @@ } public static String getAttribute(Element element, QName attName) { - return element.getAttributeNS(attName.getNamespaceURI(), attName.getLocalPart()); + Attr attr; + if (StringUtils.isEmpty(attName.getNamespaceURI())) { + attr = element.getAttributeNode(attName.getLocalPart()); + } else { + attr = element.getAttributeNodeNS(attName.getNamespaceURI(), attName.getLocalPart()); + } + return attr == null ? null : attr.getValue(); } public static void setAttribute(Node node, String attName, String val) { Modified: cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=808542&r1=808541&r2=808542&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java (original) +++ cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java Thu Aug 27 17:13:03 2009 
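Review bot: `getAttribute(Element, QName)` now returns `null` for a missing attribute, where the removed `getAttributeNS` call returned an empty string, and the method has no Javadoc recording the new contract. Callers outside this commit that compare or dereference the result without a null check would now throw, so they are worth auditing. I would add `/** Returns the attribute's value, or {@code null} if the element has no such attribute. */` above the method. The new body also depends on `Attr` and `StringUtils` being imported, which this hunk does not show.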
@@ -650,22 +650,39 @@ HttpURLConnection connection = (HttpURLConnection) message.get(KEY_HTTP_CONNECTION); - if (trustDecider != null) { + MessageTrustDecider decider2 = message.get(MessageTrustDecider.class); + if (trustDecider != null || decider2 != null) { try { // We must connect or we will not get the credentials. // The call is (said to be) ingored internally if // already connected. connection.connect(); - trustDecider.establishTrust( - getConduitName(), - getConnectionFactory(connection.getURL()).getConnectionInfo(connection), - message); - if (LOG.isLoggable(Level.FINE)) { - LOG.log(Level.FINE, "Trust Decider " - + trustDecider.getLogicalName() - + " considers Conduit " - + getConduitName() - + " trusted."); + URLConnectionInfo info = getConnectionFactory(connection.getURL()) + .getConnectionInfo(connection); + if (trustDecider != null) { + trustDecider.establishTrust( + getConduitName(), + info, + message); + if (LOG.isLoggable(Level.FINE)) { + LOG.log(Level.FINE, "Trust Decider " + + trustDecider.getLogicalName() + + " considers Conduit " + + getConduitName() + + " trusted."); + } + } + if (decider2 != null) { + decider2.establishTrust(getConduitName(), + info, + message); + if (LOG.isLoggable(Level.FINE)) { + LOG.log(Level.FINE, "Trust Decider " + + decider2.getLogicalName() + + " considers Conduit " + + getConduitName() + + " trusted."); + } } } catch (UntrustedURLConnectionIOException untrustedEx) { // This cast covers HttpsURLConnection as well. Modified: cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml?rev=808542&r1=808541&r2=808542&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml Thu Aug 27 17:13:03 2009 
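Review bot: The two `establishTrust` blocks differ only in the decider variable, and nothing states that both the conduit-level `trustDecider` and the message-level `decider2` must accept the connection. A short comment such as `// Both deciders must accept; either one vetoes the connection by throwing.` would record that, and the shared call and FINE log could move into one private helper that takes the decider as a parameter. As written, a decider placed on the message can add a check but cannot suppress the conduit's own decider, which is the safe direction and worth saying in that comment. The enclosing method and the body of the `catch` continue outside the hunk.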
@@ -82,6 +82,12 @@ provided + org.apache.cxf + cxf-rt-transports-http + ${project.version} + provided + + javax.xml.soap saaj-api Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java?rev=808542&r1=808541&r2=808542&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java Thu Aug 27 17:13:03 2009 @@ -76,7 +76,7 @@ if (attr != null) { httpsToken.setRequireClientCertificate("true".equals(attr)); } - } else if (consts.getVersion() == SPConstants.Version.SP_V11) { + } else { Element polEl = PolicyConstants.findPolicyElement(element); if (polEl != null) { Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=808542&r1=808541&r2=808542&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Thu Aug 27 17:13:03 2009 
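Review bot: The context line `httpsToken.setRequireClientCertificate("true".equals(attr))` treats every value other than the exact string `true` as false. A policy that writes the attribute as `1` (the other lexical form of true, if the attribute is typed xs:boolean in the schema) would quietly lose its client-certificate requirement. Accepting both forms, `"true".equals(attr) || "1".equals(attr)`, keeps the parse from failing open. With the version test removed from the `else`, every version not handled by the first branch now takes the nested-policy path. The first branch's condition is outside the hunk, so a one-line comment naming the versions each branch covers would help.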
@@ -34,6 +34,10 @@ import org.apache.cxf.phase.AbstractPhaseInterceptor; import org.apache.cxf.phase.Phase; import org.apache.cxf.security.transport.TLSSessionInfo; +import org.apache.cxf.transport.http.MessageTrustDecider; +import org.apache.cxf.transport.http.URLConnectionInfo; +import org.apache.cxf.transport.http.UntrustedURLConnectionIOException; +import org.apache.cxf.transport.https.HttpsURLConnectionInfo; import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; @@ -46,7 +50,7 @@ * */ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider { - + public HttpsTokenInterceptorProvider() { super(Arrays.asList(SP11Constants.HTTPS_TOKEN, SP12Constants.HTTPS_TOKEN)); this.getOutInterceptors().add(new HttpsTokenOutInterceptor()); @@ -67,7 +71,7 @@ static class HttpsTokenOutInterceptor extends AbstractPhaseInterceptor { public HttpsTokenOutInterceptor() { - super(Phase.PREPARE_SEND); + super(Phase.PRE_STREAM); } public void handleMessage(Message message) throws Fault { AssertionInfoMap aim = message.get(AssertionInfoMap.class); 
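Review bot: The move to `super(Phase.PRE_STREAM)` in `HttpsTokenOutInterceptor` has no comment explaining the ordering it depends on. Elsewhere in this commit the interceptor places a `MessageTrustDecider` on the message and `HTTPConduit` reads it when it connects. The interceptor therefore presumably has to run after the connection object exists and before the conduit's trust check; if it ran too late, the client-certificate check would never execute. After confirming that ordering, I would add `// Must run after the conduit has created the connection and before HTTPConduit's trust check, which reads the MessageTrustDecider set in handleMessage.` above the `super(...)` call.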
@@ -96,11 +100,29 @@ ai.setAsserted(true); Map> headers = getSetProtocolHeaders(message); + if (connection instanceof HttpsURLConnection) { - HttpsURLConnection https = (HttpsURLConnection)connection; - if (token.isRequireClientCertificate() - && https.getLocalCertificates().length == 0) { - ai.setNotAsserted("RequireClientCertificate is set, but no local certificates"); + if (token.isRequireClientCertificate()) { + final MessageTrustDecider orig = message.get(MessageTrustDecider.class); + MessageTrustDecider trust = new MessageTrustDecider() { + public void establishTrust(String conduitName, + URLConnectionInfo connectionInfo, + Message message) + throws UntrustedURLConnectionIOException { + if (orig != null) { + orig.establishTrust(conduitName, connectionInfo, message); + } + HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo; + if (info.getLocalCertificates() == null + || info.getLocalCertificates().length == 0) { + throw new UntrustedURLConnectionIOException( + "RequireClientCertificate is set, " + + "but no local certificates we negotiated. Is" + + " the server set to ask for client authorization?"); + } + } + }; + message.put(MessageTrustDecider.class, trust); } if (token.isHttpBasicAuthentication()) { List auth = headers.get("Authorization"); @@ -174,7 +196,8 @@ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class); if (tlsInfo != null) { if (token.isRequireClientCertificate() - && tlsInfo.getPeerCertificates().length == 0) { + && (tlsInfo.getPeerCertificates() == null + || tlsInfo.getPeerCertificates().length == 0)) { asserted = false; } } else {
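Review bot: The cast `(HttpsURLConnectionInfo)connectionInfo` inside the anonymous `MessageTrustDecider` is unchecked, so a plain `URLConnectionInfo` would raise `ClassCastException` rather than the `UntrustedURLConnectionIOException` that the conduit's `catch` handles. Guarding it with `if (!(connectionInfo instanceof HttpsURLConnectionInfo)) { throw new UntrustedURLConnectionIOException("RequireClientCertificate is set, but the connection is not HTTPS"); }` keeps the failure on the expected path. Also, `ai.setAsserted(true)` in the context above runs before the decider does, so the assertion stays asserted on any path where the conduit never calls `establishTrust`; a comment stating that dependency would help. The message text "no local certificates we negotiated" looks like a typo for "were negotiated". `handleMessage` starts outside the hunk.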