Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r828758 - in /cxf/trunk:
 api/src/main/java/org/apache/cxf/configuration/jsse/
 common/schemas/src/main/resources/schemas/configuration/
 rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/
 rt/transports/http/src/main/j...
Date: Thu, 22 Oct 2009 15:41:59 -0000
To: commits@cxf.apache.org
From: dkulp@apache.org
Message-Id: <20091022154200.3684323888D7@eris.apache.org>

Author: dkulp
Date: Thu Oct 22 15:41:58 2009
New Revision: 828758

URL: http://svn.apache.org/viewvc?rev=828758&view=rev
Log:
[CXF-2491] Add support for TLS cert contraints
Modified patch from Colm applied

Added:
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java   (with props)
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java   (with props)
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java   (with props)
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java   (with props)
    cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java   (with props)
    cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml   (with props)
Modified:
    cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java
    cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
    cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java

Modified: cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java Thu Oct 22 15:41:58 2009
@@ -25,6 +25,7 @@
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.TrustManager;
 
+import org.apache.cxf.configuration.security.CertificateConstraintsType;
 import org.apache.cxf.configuration.security.FiltersType;
 
 /**
@@ -37,6 +38,7 @@
     private String          provider;
     private List<String>    ciphersuites = new ArrayList<String>();
     private FiltersType     cipherSuiteFilters;
+    private CertificateConstraintsType certConstraints;
     private SecureRandom    secureRandom;
     private String          protocol;
     
@@ -125,6 +127,20 @@
     public final void setSecureRandom(SecureRandom random) {
         secureRandom = random;
     }
+    
+    /**
+     * Get the certificate constraints type
+     */
+    public CertificateConstraintsType getCertConstraints() {
+        return certConstraints;
+    }
+    
+    /**
+     * Set the certificate constraints type
+     */
+    public final void setCertConstraints(CertificateConstraintsType constraints) {
+        certConstraints = constraints;
+    }
 
     /**
      * Returns the secure random alogorithm.

Modified: cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd (original)
+++ cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd Thu Oct 22 15:41:58 2009
@@ -336,6 +336,48 @@
         <xs:attribute name="provider"/>
     </xs:complexType>
     
+    <xs:complexType name="CertificateConstraintsType">
+      <xs:annotation>
+        <xs:documentation>
+        This structure holds a list of regular expressions that corresponds to a sequence of
+        Certificate Constraints on either the Subject or Issuer DN.
+        </xs:documentation>
+      </xs:annotation>
+      <xs:sequence>
+        <xs:element name="SubjectDNConstraints" type="tns:DNConstraintsType" minOccurs="0"/>
+        <xs:element name="IssuerDNConstraints" type="tns:DNConstraintsType" minOccurs="0"/>
+      </xs:sequence>
+    </xs:complexType>
+    
+    <xs:complexType name="DNConstraintsType">
+      <xs:annotation>
+        <xs:documentation>
+        This structure holds a list of regular expressions that corresponds to a sequence of
+        Certificate Constraints. The optional combinator attribute refers to whether ALL or
+        ANY of these regular expressions must be satisfied.
+        </xs:documentation>
+      </xs:annotation>
+      <xs:sequence>
+        <xs:choice>
+          <xs:element name="RegularExpression" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:choice>
+      </xs:sequence>
+      <xs:attribute name="combinator" type="tns:CombinatorType" default="ALL"/>
+    </xs:complexType>
+    
+    <xs:simpleType name="CombinatorType">
+      <xs:annotation>
+        <xs:documentation>
+        This type refers to whether ALL or ANY of the DNConstraintsType regular expressions 
+        must be satisfied.
+        </xs:documentation>
+      </xs:annotation>
+      <xs:restriction base="xs:string">
+        <xs:enumeration value="ANY"/>
+        <xs:enumeration value="ALL"/>
+      </xs:restriction>
+    </xs:simpleType>
+    
     <!-- Although there are common elements of TLSClientParametersType
       ** and TLSServerParametersType they are listed separate so we
       ** can use the xs:all element.
@@ -379,6 +421,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:element>
+           <xs:element name="certConstraints" type="tns:CertificateConstraintsType" minOccurs="0">
+              <xs:annotation>
+                <xs:documentation>
+                This element contains the Certificate Constraints specification.
+                </xs:documentation>
+              </xs:annotation>
+           </xs:element>
         </xs:all>
            <xs:attribute name="disableCNCheck" type="xs:boolean" default="false">
              <xs:annotation>
@@ -454,6 +503,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:element>
+           <xs:element name="certConstraints" type="tns:CertificateConstraintsType" minOccurs="0">
+              <xs:annotation>
+                <xs:documentation>
+                This element contains the Certificate Constraints specification.
+                </xs:documentation>
+              </xs:annotation>
+           </xs:element>
         </xs:all>
            <xs:attribute name="jsseProvider"          type="xs:string">
               <xs:annotation>

Modified: cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java (original)
+++ cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java Thu Oct 22 15:41:58 2009
@@ -33,6 +33,8 @@
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.common.i18n.Message;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.jsse.TLSServerParameters;
+import org.apache.cxf.configuration.security.CertificateConstraintsType;
 import org.apache.cxf.continuations.ContinuationInfo;
 import org.apache.cxf.continuations.ContinuationProvider;
 import org.apache.cxf.continuations.SuspendedInvocationException;
@@ -45,6 +47,7 @@
 import org.apache.cxf.transport.http.HTTPSession;
 import org.apache.cxf.transport.http_jetty.continuations.JettyContinuationProvider;
 import org.apache.cxf.transport.http_jetty.continuations.JettyContinuationWrapper;
+import org.apache.cxf.transport.https.CertConstraintsJaxBUtils;
 import org.apache.cxf.transports.http.QueryHandler;
 import org.apache.cxf.transports.http.QueryHandlerRegistry;
 import org.apache.cxf.transports.http.StemMatchingQueryHandler;
@@ -116,6 +119,13 @@
         }
 
         assert engine != null;
+        TLSServerParameters serverParameters = engine.getTlsServerParameters();
+        if (serverParameters != null && serverParameters.getCertConstraints() != null) {
+            CertificateConstraintsType constraints = serverParameters.getCertConstraints();
+            if (constraints != null) {
+                certConstraints = CertConstraintsJaxBUtils.createCertConstraints(constraints);
+            }
+        }
         
         // When configuring for "http", however, it is still possible that
         // Spring configuration has configured the port for https. 
@@ -297,7 +307,7 @@
             exchange.setInMessage(inMessage);
             exchange.setSession(new HTTPSession(req));
         }
-
+        
         try {    
             incomingObserver.onMessage(inMessage);
             resp.flushBuffer();

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java Thu Oct 22 15:41:58 2009
@@ -86,6 +86,9 @@
                 TLSParameterJaxBUtils.getTrustManagers(
                         params.getTrustManagers()));
         }
+        if (params.isSetCertConstraints()) {
+            ret.setCertConstraints(params.getCertConstraints());
+        }
         return ret;
     }
     

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java Thu Oct 22 15:41:58 2009
@@ -62,5 +62,8 @@
                 TLSParameterJaxBUtils.getTrustManagers(
                         params.getTrustManagers()));
         }
+        if (params.isSetCertConstraints()) {
+            this.setCertConstraints(params.getCertConstraints());
+        }
     }
 }

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java Thu Oct 22 15:41:58 2009
@@ -52,6 +52,7 @@
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.HttpHeaderHelper;
+import org.apache.cxf.interceptor.Interceptor;
 import org.apache.cxf.io.AbstractWrappedOutputStream;
 import org.apache.cxf.message.Exchange;
 import org.apache.cxf.message.Message;
@@ -61,6 +62,8 @@
 import org.apache.cxf.transport.AbstractMultiplexDestination;
 import org.apache.cxf.transport.Conduit;
 import org.apache.cxf.transport.http.policy.PolicyUtils;
+import org.apache.cxf.transport.https.CertConstraints;
+import org.apache.cxf.transport.https.CertConstraintsInterceptor;
 import org.apache.cxf.transport.https.SSLUtils;
 import org.apache.cxf.transports.http.configuration.HTTPServerPolicy;
 import org.apache.cxf.ws.addressing.EndpointReferenceType;
@@ -95,6 +98,7 @@
     protected String contextMatchStrategy = "stem";
     protected boolean fixedParameterOrder;
     protected boolean multiplexWithAddress;
+    protected CertConstraints certConstraints;
     
     /**
      * Constructor
@@ -315,6 +319,11 @@
         setHeaders(inMessage);
         
         SSLUtils.propogateSecureSession(req, inMessage);
+
+        inMessage.put(CertConstraints.class.getName(), certConstraints);
+        inMessage.put(Message.IN_INTERCEPTORS,
+                Arrays.asList(new Interceptor[] {CertConstraintsInterceptor.INSTANCE}));
+
     }
     
     protected String getBasePath(String contextPath) throws IOException {

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=828758&r1=828757&r2=828758&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java Thu Oct 22 15:41:58 2009
@@ -50,6 +50,7 @@
 import org.apache.cxf.configuration.Configurable;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.configuration.security.CertificateConstraintsType;
 import org.apache.cxf.configuration.security.ProxyAuthorizationPolicy;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.HttpHeaderHelper;
@@ -69,6 +70,9 @@
 import org.apache.cxf.transport.DestinationFactoryManager;
 import org.apache.cxf.transport.MessageObserver;
 import org.apache.cxf.transport.http.policy.PolicyUtils;
+import org.apache.cxf.transport.https.CertConstraints;
+import org.apache.cxf.transport.https.CertConstraintsInterceptor;
+import org.apache.cxf.transport.https.CertConstraintsJaxBUtils;
 import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
 import org.apache.cxf.version.Version;
 import org.apache.cxf.workqueue.AutomaticWorkQueue;
@@ -256,6 +260,8 @@
      */
     private Map<String, Cookie> sessionCookies = new ConcurrentHashMap<String, Cookie>();
     private boolean maintainSession;
+    
+    private CertConstraints certConstraints;
 
     /**
      * Constructor
@@ -478,7 +484,7 @@
      */
     public void prepare(Message message) throws IOException {
         Map<String, List<String>> headers = getSetProtocolHeaders(message);
-        
+
         // This call can possibly change the conduit endpoint address and 
         // protocol from the default set in EndpointInfo that is associated
         // with the Conduit.
@@ -592,9 +598,13 @@
         
         message.put(KEY_HTTP_CONNECTION, connection);
         
+        if (certConstraints != null) {
+            message.put(CertConstraints.class.getName(), certConstraints);
+            message.getInterceptorChain().add(CertConstraintsInterceptor.INSTANCE);
+        }
+        
         // Set the headers on the message according to configured 
         // client side policy.
-        
         setHeadersByPolicy(message, currentURL, headers);
      
         
@@ -1372,6 +1382,10 @@
                     + "trustManagers " + tlsClientParameters.getTrustManagers()
                     + "secureRandom " + tlsClientParameters.getSecureRandom());
             }
+            CertificateConstraintsType constraints = params.getCertConstraints();
+            if (constraints != null) {
+                certConstraints = CertConstraintsJaxBUtils.createCertConstraints(constraints);
+            }
         } else {
             if (LOG.isLoggable(Level.FINE)) {
                 LOG.log(Level.FINE, "Conduit '" + getConduitName()

Added: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java?rev=828758&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java (added)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java Thu Oct 22 15:41:58 2009
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.transport.https;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * This class represents a set of constraints that can be placed on an X.509 certificate,
+ * in the form of a regular expression on a SubjectDN or IssuerDN.
+ *
+ * A CertConstraints object is initialized using a CertificateConstraintsType, which has
+ * a definition in schema and is so generated.
+ */
+public class CertConstraints {
+    
+    public enum Combinator { ANY, ALL };
+
+    private static class DNConstraints {
+        
+        /**
+         * the matching combinator (ANY or ALL)
+         */
+        private final Combinator combinator;
+        
+        /**
+         * a collection of compiled regular expression patterns
+         */
+        private final Collection<Pattern> dnPatterns = new ArrayList<java.util.regex.Pattern>();
+        
+        /**
+         * Creates a DNConstraints from a list of Strings
+         */
+        DNConstraints(
+            final java.util.List<String> patterns,
+            final Combinator patternCombinator
+        ) throws java.util.regex.PatternSyntaxException {
+            if (patterns == null) {
+                combinator = Combinator.ALL;
+                return;
+            }
+            combinator = patternCombinator;
+            for (String expression : patterns) {
+                dnPatterns.add(Pattern.compile(expression));
+            }
+        }
+        
+        /**
+         * @return      true if the DN name matches all patterns in the DNConstraints,
+         *              if the combinator is ALL, or any such pattern, if the combinator is
+         *              ANY.  Note that if the combinator is ALL and the list of patterns
+         *              is empty, then any dn will match (by definition of the universal quantifier)
+         */
+        final boolean
+        matches(
+            final javax.security.auth.x500.X500Principal dn
+        ) {
+            boolean atLeastOnePatternMatches = false;
+            boolean atLeastOnePatternDoesNotMatch = false;
+            //
+            // try matching dn against the patterns in this class
+            //
+            for (Pattern dnPattern : dnPatterns) {
+                final Matcher matcher = dnPattern.matcher(dn.getName());
+                if (matcher.matches()) {
+                    atLeastOnePatternMatches = true;
+                    if (combinator == Combinator.ANY) {
+                        break;
+                    }
+                } else {
+                    atLeastOnePatternDoesNotMatch = true;
+                    if (combinator == Combinator.ALL) {
+                        break;
+                    }
+                }
+            }
+            //
+            // check combinator logic
+            //
+            switch (combinator) {
+            case ALL:
+                return !atLeastOnePatternDoesNotMatch;
+            case ANY:
+                return atLeastOnePatternMatches;
+            default:
+                throw new RuntimeException("LOGIC ERROR: Unreachable code");
+            }
+        }
+    }
+    
+    /**
+     * The DNConstraints on the SubjectDN
+     */
+    private final DNConstraints subjectDNConstraints;
+    
+    /**
+     * The DNConstraints on the IssuerDN
+     */
+    private final DNConstraints issuerDNConstraints;
+    
+    /**
+     * Create a CertificateConstraints from a CertificateConstraintsType specification
+     */
+    public
+    CertConstraints(
+        final java.util.List<String> subjectConstraints,
+        final Combinator subjectConstraintsCombinator,
+        final java.util.List<String> issuerConstraints,
+        final Combinator issuerConstraintsCombinator
+    ) throws java.util.regex.PatternSyntaxException {
+        this.subjectDNConstraints = 
+            new DNConstraints(subjectConstraints, subjectConstraintsCombinator);
+        this.issuerDNConstraints = 
+            new DNConstraints(issuerConstraints, issuerConstraintsCombinator);
+    }
+    
+    /**
+     * @return      true if the certificate's SubjectDN matches the constraints defined in the
+     *              subject DNConstraints and the certificate's IssuerDN matches the issuer
+     *              DNConstraints; false, otherwise
+     */
+    public boolean
+    matches(
+        final java.security.cert.X509Certificate cert
+    ) {
+        return 
+            this.subjectDNConstraints.matches(cert.getSubjectX500Principal())
+            && this.issuerDNConstraints.matches(cert.getIssuerX500Principal());
+    }
+}

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraints.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java?rev=828758&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java (added)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java Thu Oct 22 15:41:58 2009
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.transport.https;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.common.injection.NoJSR250Annotations;
+import org.apache.cxf.configuration.security.CertificateConstraintsType;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.endpoint.Server;
+import org.apache.cxf.feature.AbstractFeature;
+import org.apache.cxf.interceptor.InterceptorProvider;
+
+/**
+ * <pre>
+ * <![CDATA[
+    <jaxws:endpoint ...>
+      <jaxws:features>
+       <bean class="org.apache.cxf.transport.https.CertConstraintsFeature">
+           <property name="CertificateConstraints">
+               <bean class="org.apache.cxf.configuration.security.CertificateConstraintsType">
+                   <property name="SubjectDNConstraints">
+                       <bean class="org.apache.cxf.configuration.security.DNConstraintsType">
+                           <property name="RegularExpression">
+                               <list>
+                                   <value>.*CN=(Bethal|Gordy).*</value>
+                                   <value>.*O=ApacheTest.*</value>
+                               </list>
+                           </property>
+                       </bean>
+                   </property>
+                   .........
+               </bean>
+           </property>
+       </bean>
+      </jaxws:features>
+    </jaxws:endpoint>
+  ]]>
+  </pre>
+ */
+@NoJSR250Annotations
+public class CertConstraintsFeature extends AbstractFeature {
+    CertificateConstraintsType contraints;
+    
+    
+    public CertConstraintsFeature() {
+    }
+    
+    @Override
+    public void initialize(Server server, Bus bus) {
+        if (contraints == null) {
+            return;
+        }
+        initializeProvider(server.getEndpoint(), bus);
+        CertConstraints c = CertConstraintsJaxBUtils.createCertConstraints(contraints);
+        server.getEndpoint().put(CertConstraints.class.getName(), c);
+    }
+    
+    @Override
+    public void initialize(Client client, Bus bus) {
+        if (contraints == null) {
+            return;
+        }
+        initializeProvider(client, bus);
+        CertConstraints c = CertConstraintsJaxBUtils.createCertConstraints(contraints);
+        client.getEndpoint().put(CertConstraints.class.getName(), c);
+    }
+       
+    @Override
+    public void initialize(Bus bus) {
+        if (contraints == null) {
+            return;
+        }
+        initializeProvider(bus, bus);
+        CertConstraints c = CertConstraintsJaxBUtils.createCertConstraints(contraints);
+        bus.setProperty(CertConstraints.class.getName(), c);
+    }
+    
+    @Override
+    protected void initializeProvider(InterceptorProvider provider, Bus bus) {
+        if (contraints == null) {
+            return;
+        }
+        provider.getInInterceptors().add(CertConstraintsInterceptor.INSTANCE);
+        provider.getInFaultInterceptors().add(CertConstraintsInterceptor.INSTANCE);
+    }
+    
+    public void setCertificateConstraints(CertificateConstraintsType c) {
+        contraints = c;
+    }
+    
+    public CertificateConstraintsType getCertificateConstraints() {
+        return contraints;
+    }
+}

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsFeature.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java?rev=828758&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java (added)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java Thu Oct 22 15:41:58 2009
@@ -0,0 +1,122 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.transport.https;
+
+import java.net.HttpURLConnection;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.logging.Logger;
+
+import javax.net.ssl.HttpsURLConnection;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.transport.http.MessageTrustDecider;
+import org.apache.cxf.transport.http.URLConnectionInfo;
+import org.apache.cxf.transport.http.UntrustedURLConnectionIOException; 
+
+/**
+ * An interceptor that enforces certificate constraints logic at the TLS layer.
+ */
+public final class CertConstraintsInterceptor extends AbstractPhaseInterceptor<Message> {
+    public static final CertConstraintsInterceptor INSTANCE = new CertConstraintsInterceptor();
+    
+    static final Logger LOG = LogUtils.getL7dLogger(CertConstraintsInterceptor.class);
+    
+    private CertConstraintsInterceptor() {
+        super(Phase.PRE_STREAM);
+    }
+
+    public void handleMessage(Message message) throws Fault {
+        final CertConstraints certConstraints 
+            = (CertConstraints)message.getContextualProperty(CertConstraints.class.getName());
+        if (certConstraints == null) {
+            return;
+        }
+        
+        if (isRequestor(message)) {
+            try {
+                HttpURLConnection connection = 
+                    (HttpURLConnection) message.get("http.connection");
+                
+                if (connection instanceof HttpsURLConnection) {
+                    final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
+                    MessageTrustDecider trust = new MessageTrustDecider() {
+                        public void establishTrust(String conduitName,
+                                URLConnectionInfo connectionInfo,
+                                Message message)
+                            throws UntrustedURLConnectionIOException {
+                            if (orig != null) {
+                                orig.establishTrust(conduitName, connectionInfo, message);
+                            }
+                            HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;
+
+                            if (info.getServerCertificates() == null 
+                                    || info.getServerCertificates().length == 0) {
+                                throw new UntrustedURLConnectionIOException(
+                                    "No server certificates were found"
+                                );
+                            } else {
+                                X509Certificate[] certs = (X509Certificate[])info.getServerCertificates();
+                                if (!certConstraints.matches(certs[0])) {
+                                    throw new UntrustedURLConnectionIOException(
+                                        "The server certificate(s) do not match the defined cert constraints"
+                                    );
+                                }
+                            }
+                        }
+                    };
+                    message.put(MessageTrustDecider.class, trust);
+                } else {
+                    throw new UntrustedURLConnectionIOException(
+                        "TLS is not in use"
+                    );
+                }
+            } catch (UntrustedURLConnectionIOException ex) {
+                throw new Fault(ex);
+            }
+        } else {
+            try {
+                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                final Certificate[] certs = tlsInfo.getPeerCertificates();
+                if (certs == null || certs.length == 0) {
+                    throw new UntrustedURLConnectionIOException(
+                        "No client certificates were found"
+                    );
+                } else {
+                    X509Certificate[] x509Certs = (X509Certificate[])certs;
+                    if (!certConstraints.matches(x509Certs[0])) {
+                        throw new UntrustedURLConnectionIOException(
+                            "The client certificate does not match the defined cert constraints"
+                        );
+                    }
+                }
+            } catch (UntrustedURLConnectionIOException ex) {
+                throw new Fault(ex);
+            }
+        }
+    }
+ 
+}
+        
\ No newline at end of file

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsInterceptor.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java?rev=828758&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java (added)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java Thu Oct 22 15:41:58 2009
@@ -0,0 +1,119 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+ 
+package org.apache.cxf.transport.https;
+
+import java.util.List;
+
+import org.apache.cxf.configuration.security.CertificateConstraintsType;
+import org.apache.cxf.configuration.security.CombinatorType;
+import org.apache.cxf.configuration.security.DNConstraintsType;
+
+/**
+ * A set of static methods that operate on the generated CertificateConstraintsType.
+ */
+public final class CertConstraintsJaxBUtils {
+    
+    private CertConstraintsJaxBUtils() {
+        // complete
+    }
+    
+    /**
+     * Create a CertConstraints object from a JAXB CertificateConstraintsType
+     */
+    public static CertConstraints createCertConstraints(
+        CertificateConstraintsType certConstraints
+    ) {
+        List<String> subjectRegexps = getSubjectConstraints(certConstraints);
+        CertConstraints.Combinator subjectCombinator = 
+            getSubjectConstraintsCombinator(certConstraints);
+        List<String> issuerRegexps = getIssuerConstraints(certConstraints);
+        CertConstraints.Combinator issuerCombinator =
+            getIssuerConstraintsCombinator(certConstraints);
+
+        return new CertConstraints(
+            subjectRegexps, subjectCombinator, issuerRegexps, issuerCombinator);
+    }
+    
+    /**
+     * Get a List of Strings that corresponds to the subject regular expression
+     * constraints from a JAXB CertificateConstraintsType
+     */
+    public static List<String> getSubjectConstraints(
+        CertificateConstraintsType certConstraints
+    ) {
+        if (certConstraints != null && certConstraints.isSetSubjectDNConstraints()) {
+            DNConstraintsType constraints = certConstraints.getSubjectDNConstraints();
+            return constraints.getRegularExpression();
+        }
+        return java.util.Collections.emptyList();
+    }
+    
+    /**
+     * Get a List of Strings that corresponds to the issuer regular expression
+     * constraints from a JAXB CertificateConstraintsType
+     */
+    public static List<String> getIssuerConstraints(
+        CertificateConstraintsType certConstraints
+    ) {
+        if (certConstraints != null && certConstraints.isSetIssuerDNConstraints()) {
+            DNConstraintsType constraints = certConstraints.getIssuerDNConstraints();
+            return constraints.getRegularExpression();
+        }
+        return java.util.Collections.emptyList();
+    }
+
+    /**
+     * Get a (subject) CertConstrains.Combinator from a JAXB CertificateConstraintsType
+     */
+    public static CertConstraints.Combinator getSubjectConstraintsCombinator(
+        CertificateConstraintsType certConstraints
+    ) {
+        if (certConstraints != null && certConstraints.isSetSubjectDNConstraints()) {
+            DNConstraintsType constraints = certConstraints.getSubjectDNConstraints();
+            if (constraints != null && constraints.isSetCombinator()) {
+                CombinatorType combinator = constraints.getCombinator();
+                if (combinator == CombinatorType.ANY) {
+                    return CertConstraints.Combinator.ANY;
+                }
+            }
+        }
+        return CertConstraints.Combinator.ALL;
+    }
+    
+    /**
+     * Get a (issuer) CertConstrains.Combinator from a JAXB CertificateConstraintsType
+     */
+    public static CertConstraints.Combinator getIssuerConstraintsCombinator(
+        CertificateConstraintsType certConstraints
+    ) {
+        if (certConstraints != null && certConstraints.isSetIssuerDNConstraints()) {
+            DNConstraintsType constraints = certConstraints.getIssuerDNConstraints();
+            if (constraints != null && constraints.isSetCombinator()) {
+                CombinatorType combinator = constraints.getCombinator();
+                if (combinator == CombinatorType.ANY) {
+                    return CertConstraints.Combinator.ANY;
+                }
+            }
+        }
+        return CertConstraints.Combinator.ALL;
+    }
+    
+    
+}

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertConstraintsJaxBUtils.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java?rev=828758&view=auto
==============================================================================
--- cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java (added)
+++ cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java Thu Oct 22 15:41:58 2009
@@ -0,0 +1,158 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.http;
+
+import java.net.URL;
+
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.configuration.Configurer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+
+import org.junit.Test;
+
+/**
+ * This test is meant to run against a spring-loaded HTTP/S service. It tests the certificate
+ * constraints logic.
+ */
+public class CertConstraintsTest extends AbstractBusClientServerTestBase {
+    
+    //
+    // data
+    //
+    
+    /**
+     * the package path used to locate resources specific to this test
+     */
+    private void setTheConfiguration(String config) {
+        //System.setProperty("javax.net.debug", "all");
+        try {
+            System.setProperty(
+                Configurer.USER_CFG_FILE_PROPERTY_URL,
+                CertConstraintsTest.class.getResource(config).toString()
+            );
+        } catch (final Exception e) {
+            e.printStackTrace();
+        }
+    }
+          
+    public void startServers() throws Exception {
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork a new process
+            launchServer(BusServer.class, true)
+        );
+    }
+    
+    
+    public void stopServers() throws Exception {
+        stopAllServers();
+        System.clearProperty(Configurer.USER_CFG_FILE_PROPERTY_URL);
+        BusFactory.setDefaultBus(null);
+        BusFactory.setThreadDefaultBus(null);
+    }    
+    
+    
+    //
+    // tests
+    //
+    public final void testSuccessfulCall(String address) throws Exception {
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        BindingProvider provider = (BindingProvider)port;
+        provider.getRequestContext().put(
+              BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
+              address);
+        
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+    }
+    
+    public final void testFailedCall(String address) throws Exception {
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+
+        BindingProvider provider = (BindingProvider)port;
+        provider.getRequestContext().put(
+                BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
+                address);
+
+        try {
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+            fail("Failure expected");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        } catch (javax.xml.ws.WebServiceException ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public final void testCertConstraints() throws Exception {
+        setTheConfiguration("resources/jaxws-server-constraints.xml");
+        startServers();
+        
+        //
+        // Good Subject DN
+        //
+        testSuccessfulCall("https://localhost:9006/SoapContext/HttpsPort");
+        //
+        // Bad Subject DN
+        //
+        testFailedCall("https://localhost:9007/SoapContext/HttpsPort");
+        //
+        // Mixed Subject DN (ALL)
+        //
+        testFailedCall("https://localhost:9008/SoapContext/HttpsPort");
+        //
+        // Mixed Subject DN (ANY)
+        //
+        testSuccessfulCall("https://localhost:9009/SoapContext/HttpsPort");
+        //
+        // Mixed Issuer DN (ALL)
+        //
+        testFailedCall("https://localhost:9010/SoapContext/HttpsPort");
+        //
+        // Mixed Issuer DN (ANY)
+        //
+        testSuccessfulCall("https://localhost:9011/SoapContext/HttpsPort");
+        //
+        // Bad server Subject DN
+        //
+        testFailedCall("https://localhost:9012/SoapContext/HttpsPort");
+        //
+        // Bad server Issuer DN
+        //
+        testFailedCall("https://localhost:9013/SoapContext/HttpsPort");
+        
+        stopServers();
+    }
+    
+}

Propchange: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/CertConstraintsTest.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml?rev=828758&view=auto
==============================================================================
--- cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml (added)
+++ cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml Thu Oct 22 15:41:58 2009
@@ -0,0 +1,361 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:http="http://cxf.apache.org/transports/http/configuration"
+       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+       xmlns:jaxws="http://cxf.apache.org/jaxws"
+       xmlns:sec="http://cxf.apache.org/configuration/security"
+       xsi:schemaLocation="
+        http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://cxf.apache.org/jaxws                                 http://cxf.apache.org/schemas/jaxws.xsd
+        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd
+        ">
+
+    <!-- -->
+    <!-- This Spring config file is designed to represent a minimal -->
+    <!-- configuration for spring-loading a CXF servant, where the -->
+    <!-- servant listens using HTTP/S as the transport protocol. -->
+    <!-- -->
+    <!-- Note that the service endpoint is spring-loaded.  In the -->
+    <!-- scenario in which this config is designed to run, the -->
+    <!-- server application merely instantiates a Bus, and does not -->
+    <!-- publish any services programmatically -->
+    <!-- -->
+
+    <!-- -->
+    <!-- Spring-load an HTTPS servant -->
+    <!-- -->
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9006"        
+        address="https://localhost:9006/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9006-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server>  
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9007"        
+        address="https://localhost:9007/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9007-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server> 
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9008"        
+        address="https://localhost:9008/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9008-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server>   
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9009"        
+        address="https://localhost:9009/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9009-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server>   
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9010"        
+        address="https://localhost:9010/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9010-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server>   
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9011"        
+        address="https://localhost:9011/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9011-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server>    
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9012"        
+        address="https://localhost:9012/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9012-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server> 
+    
+    <jaxws:server 
+        id="JaxwsHttpsEndpoint9013"        
+        address="https://localhost:9013/SoapContext/HttpsPort"
+        serviceName="s:SOAPService"
+        endpointName="e:HttpsPort"
+        xmlns:e="http://apache.org/hello_world/services"
+        xmlns:s="http://apache.org/hello_world/services"
+        depends-on="port-9013-tls-config">
+        <jaxws:serviceBean>
+           <bean class="org.apache.cxf.systest.http.GreeterImpl"/>
+        </jaxws:serviceBean>
+    </jaxws:server>      
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9006 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9006-tls-config">
+        <httpj:engine port="9006">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	    <sec:keyStore type="JKS" password="password"
+	                    file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:certConstraints>
+	                <sec:SubjectDNConstraints>
+	                    <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+	                    <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
+	                </sec:SubjectDNConstraints>
+	            </sec:certConstraints>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9007 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9007-tls-config">
+        <httpj:engine port="9007">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:certConstraints>
+	                <sec:SubjectDNConstraints>
+	                    <sec:RegularExpression>.*O=BadApacheTest.*</sec:RegularExpression>
+	                </sec:SubjectDNConstraints>
+	            </sec:certConstraints>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9008 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9008-tls-config">
+        <httpj:engine port="9008">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:certConstraints>
+	                <sec:SubjectDNConstraints>
+	                    <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+	                    <sec:RegularExpression>.*O=BadApacheTest.*</sec:RegularExpression>
+	                </sec:SubjectDNConstraints>
+	            </sec:certConstraints>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9009 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9009-tls-config">
+        <httpj:engine port="9009">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:certConstraints>
+	                <sec:SubjectDNConstraints combinator="ANY">
+	                    <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+	                    <sec:RegularExpression>.*O=BadApacheTest.*</sec:RegularExpression>
+	                </sec:SubjectDNConstraints>
+	            </sec:certConstraints>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9010 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9010-tls-config">
+        <httpj:engine port="9010">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:certConstraints>
+	                <sec:IssuerDNConstraints combinator="ALL">
+	                    <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+	                    <sec:RegularExpression>.*O=BadApacheTest.*</sec:RegularExpression>
+	                </sec:IssuerDNConstraints>
+	            </sec:certConstraints>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9011 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9011-tls-config">
+        <httpj:engine port="9011">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:certConstraints>
+	                <sec:IssuerDNConstraints combinator="ANY">
+	                    <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+	                    <sec:RegularExpression>.*O=BadApacheTest.*</sec:RegularExpression>
+	                </sec:IssuerDNConstraints>
+	            </sec:certConstraints>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9012 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9012-tls-config">
+        <httpj:engine port="9012">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:clientAuthentication required="true"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9013 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9013-tls-config">
+        <httpj:engine port="9013">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+	            <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Gordy.jks"/>
+	      		</sec:keyManagers>
+	      		<sec:trustManagers>
+	          	<sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	     		</sec:trustManagers>
+	     		<sec:clientAuthentication required="true"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+
+    <!-- -->
+    <!-- HTTP/S configuration for clients -->
+    <!-- -->
+    <http:conduit name="{http://apache.org/hello_world/services}HttpsPort.http-conduit">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPassword="password">
+	           <sec:keyStore type="JKS" password="password" 
+	                file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
+	           </sec:keyManagers>
+	        <sec:trustManagers>
+	           <sec:keyStore type="JKS" password="password"
+	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+	        </sec:trustManagers>
+	        <sec:certConstraints>
+	            <sec:SubjectDNConstraints>
+	                <sec:RegularExpression>.*CN=(Bethal|Gordy).*</sec:RegularExpression>
+	                <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+	            </sec:SubjectDNConstraints>
+	            <sec:IssuerDNConstraints combinator="ANY">
+	                <sec:RegularExpression>.*CN=Bethal.*</sec:RegularExpression>
+	                <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
+	            </sec:IssuerDNConstraints>
+	        </sec:certConstraints>
+        </http:tlsClientParameters>
+    </http:conduit>
+
+</beans>
\ No newline at end of file

Propchange: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Propchange: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server-constraints.xml
------------------------------------------------------------------------------
    svn:mime-type = text/xml