cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From clecl...@apache.org
Subject svn commit: r917884 - in /cxf/trunk: api/src/main/java/org/apache/cxf/configuration/jsse/ common/schemas/src/main/resources/schemas/configuration/ rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/ rt/transports/http/src/main/ja...
Date Tue, 02 Mar 2010 05:32:27 GMT
Author: cleclerc
Date: Tue Mar  2 05:32:27 2010
New Revision: 917884

URL: http://svn.apache.org/viewvc?rev=917884&view=rev
Log:
[CXF-2688] Allow deactivation of SSL X509 Certificates validation

Modified:
    cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
    cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java

Modified: cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
(original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
Tue Mar  2 05:32:27 2010
@@ -28,6 +28,7 @@
 public class TLSClientParameters extends TLSParameterBase {
     private boolean disableCNCheck;
     private SSLSocketFactory sslSocketFactory;    
+    private boolean trustAllCertificates;
 
     /**
      * Set whether or not JSEE should omit checking if the host name
@@ -49,6 +50,22 @@
     }
 
     /**
+     * Returns whether or not JSSE omits checking X509 certificates 
+     * validity (using an 'accept all' X509TrustManager).
+     */
+    public boolean isTrustAllCertificates() {
+        return trustAllCertificates;
+    }
+
+    /**
+     * Set whether or not JSSE should omit checking X509 certificates 
+     * validity (using an 'accept all' {@link javax.net.ssl.X509TrustManager}).
+     */
+    public void setTrustAllCertificates(boolean trustAllCertificates) {
+        this.trustAllCertificates = trustAllCertificates;
+    }
+
+    /**
      * This sets the SSLSocketFactory to use, causing all other properties of
      * this bean (and its superclass) to get ignored (this takes precendence).
      */

Modified: cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd (original)
+++ cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd Tue Mar
 2 05:32:27 2010
@@ -443,6 +443,16 @@
                 </xs:documentation>
              </xs:annotation>
            </xs:attribute>
+           <xs:attribute name="trustAllCertificates" type="pt:ParameterizedBoolean" default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies if JSSE should omit checking X509
+                certificates validity (using an 'accept all X509TrustManager').  
+                Default is false; this attribute should not be set to true during 
+                production use. Since 2.2.7.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
            <xs:attribute name="jsseProvider"          type="xs:string">
               <xs:annotation>
                 <xs:documentation>

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
(original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
Tue Mar  2 05:32:27 2010
@@ -65,6 +65,9 @@
         if (params.isDisableCNCheck()) {
             ret.setDisableCNCheck(true);
         }
+        if (params.isTrustAllCertificates()) {
+            ret.setTrustAllCertificates(true);
+        }
         if (params.isSetSecureSocketProtocol()) {
             ret.setSecureSocketProtocol(params.getSecureSocketProtocol());
         }

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=917884&r1=917883&r2=917884&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
(original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Tue Mar  2 05:32:27 2010
@@ -175,27 +175,30 @@
                       ? SSLContext.getInstance(protocol)
                       : SSLContext.getInstance(protocol, provider);
             
-                      
+            TrustManager[] trustManagers;
+            if (tlsClientParameters.isTrustAllCertificates()) {
+                trustManagers = new TrustManager[] {
+                    new javax.net.ssl.X509TrustManager() {
+                        public java.security.cert.X509Certificate[] getAcceptedIssuers()
{
+                            return null;
+                        }
 
-            TrustManager[] trustAllCerts = tlsClientParameters.getTrustManagers();
-            /*
-            TrustManager[] trustAllCerts = new TrustManager[] {
-                new javax.net.ssl.X509TrustManager() {
-                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                        return null;
-                    }
-                    public void checkClientTrusted(
-                        java.security.cert.X509Certificate[] certs, String authType) {
-                    }
-                    public void checkServerTrusted(
-                        java.security.cert.X509Certificate[] certs, String authType) {
+                        public void checkClientTrusted(java.security.cert.X509Certificate[]
certs,
+                                                       String authType) {
+                        }
+
+                        public void checkServerTrusted(java.security.cert.X509Certificate[]
certs,
+                                                       String authType) {
+                        }
                     }
-                }
-            };
-            */         
+                };
+            } else {
+                trustManagers = tlsClientParameters.getTrustManagers();
+            }
+            
             ctx.init(
                 tlsClientParameters.getKeyManagers(),
-                trustAllCerts, 
+                trustManagers, 
                 tlsClientParameters.getSecureRandom());
             
             // The "false" argument means opposite of exclude.
@@ -211,12 +214,13 @@
                                                         tlsClientParameters.getSecureSocketProtocol());
         }
         
-        HostnameVerifier verifier = tlsClientParameters.isDisableCNCheck() 
-            ? CertificateHostnameVerifier.ALLOW_ALL : CertificateHostnameVerifier.DEFAULT;
+        HostnameVerifier hostnameVerifier = tlsClientParameters.isDisableCNCheck() 
+            || tlsClientParameters.isTrustAllCertificates() ? CertificateHostnameVerifier.ALLOW_ALL

+            : CertificateHostnameVerifier.DEFAULT;
         if (connection instanceof HttpsURLConnection) {
             // handle the expected case (javax.net.ssl)
             HttpsURLConnection conn = (HttpsURLConnection) connection;
-            conn.setHostnameVerifier(verifier);
+            conn.setHostnameVerifier(hostnameVerifier);
             conn.setSSLSocketFactory(socketFactory);
         } else {
             // handle the deprecated sun case and other possible hidden API's 
@@ -224,7 +228,7 @@
             try {
                 Method method = connection.getClass().getMethod("getHostnameVerifier");
                 
-                InvocationHandler handler = new ReflectionInvokationHandler(verifier) {
+                InvocationHandler handler = new ReflectionInvokationHandler(hostnameVerifier)
{
                     public Object invoke(Object proxy, 
                                          Method method, 
                                          Object[] args) throws Throwable {



Mime
View raw message