cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From clecl...@apache.org
Subject svn commit: r920744 - in /cxf/branches/2.2.x-fixes: ./ api/src/main/java/org/apache/cxf/configuration/jsse/ common/schemas/src/main/resources/schemas/configuration/ rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/ rt/transport...
Date Tue, 09 Mar 2010 09:08:15 GMT
Author: cleclerc
Date: Tue Mar  9 09:08:15 2010
New Revision: 920744

URL: http://svn.apache.org/viewvc?rev=920744&view=rev
Log:
Merged revisions 920741 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r920741 | cleclerc | 2010-03-09 10:01:17 +0100 (Tue, 09 Mar 2010) | 1 line
  
  [CXF-2693] Allow to use HttpsURLConnection's defaultSSLSocketFactory and defaultHostnameVerifier
in CXF client
........

Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
    cxf/branches/2.2.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd
    cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
    cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
    svn:mergeinfo = /cxf/trunk:920741

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=920744&r1=920743&r2=920744&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
(original)
+++ cxf/branches/2.2.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
Tue Mar  9 09:08:15 2010
@@ -27,7 +27,9 @@ import javax.net.ssl.SSLSocketFactory;
  */
 public class TLSClientParameters extends TLSParameterBase {
     private boolean disableCNCheck;
-    private SSLSocketFactory sslSocketFactory;    
+    private SSLSocketFactory sslSocketFactory;
+    private boolean useHttpsURLConnectionDefaultSslSocketFactory;
+    private boolean useHttpsURLConnectionDefaultHostnameVerifier;
 
     /**
      * Set whether or not JSEE should omit checking if the host name
@@ -62,5 +64,46 @@ public class TLSClientParameters extends
      */
     public final SSLSocketFactory getSSLSocketFactory() {
         return sslSocketFactory;
-    }    
+    }
+    
+    /**
+     * Returns whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultSSLSocketFactory()}Êshould
be
+     * used to create https connections. If <code>true</code> , {@link #getJsseProvider()}
,
+     * {@link #getSecureSocketProtocol()}, {@link #getTrustManagers()}, {@link #getKeyManagers()},
+     * {@link #getSecureRandom()}, {@link #getCipherSuites()} and {@link #getCipherSuitesFilter()}
are
+     * ignored.
+     */
+    public boolean isUseHttpsURLConnectionDefaultSslSocketFactory() {
+        return useHttpsURLConnectionDefaultSslSocketFactory;
+    }
+
+    /**
+     * Sets whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultSSLSocketFactory()}Êshould
be
+     * used to create https connections.
+     * 
+     * @see #isUseHttpsURLConnectionDefaultSslSocketFactory()
+     */
+    public void setUseHttpsURLConnectionDefaultSslSocketFactory(
+                      boolean useHttpsURLConnectionDefaultSslSocketFactory) {
+        this.useHttpsURLConnectionDefaultSslSocketFactory = useHttpsURLConnectionDefaultSslSocketFactory;
+    }
+
+    /**
+     * Returns whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultHostnameVerifier()}
should be
+     * used to create https connections. If <code>true</code>, {@link #isDisableCNCheck()}
is ignored.
+     */
+    public boolean isUseHttpsURLConnectionDefaultHostnameVerifier() {
+        return useHttpsURLConnectionDefaultHostnameVerifier;
+    }
+
+    /**
+     * Sets whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultHostnameVerifier()}
should be
+     * used to create https connections.
+     * 
+     * @see #isUseHttpsURLConnectionDefaultHostnameVerifier()
+     */
+    public void setUseHttpsURLConnectionDefaultHostnameVerifier(
+                      boolean useHttpsURLConnectionDefaultHostnameVerifier) {
+        this.useHttpsURLConnectionDefaultHostnameVerifier = useHttpsURLConnectionDefaultHostnameVerifier;
+    }
 }

Modified: cxf/branches/2.2.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=920744&r1=920743&r2=920744&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd
(original)
+++ cxf/branches/2.2.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd
Tue Mar  9 09:08:15 2010
@@ -433,6 +433,27 @@
               </xs:annotation>
            </xs:element>
         </xs:all>
+           <xs:attribute name="useHttpsURLConnectionDefaultSslSocketFactory" type="pt:ParameterizedBoolean"
default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies if HttpsURLConnection.defaultSslSocketFactory 
+                should be used to create https connections. If 'true', 'jsseProvider', 
+                'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom', 
+                'cipherSuites' and 'cipherSuitesFilter' are ignored. 
+                Since 2.2.7.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
+           <xs:attribute name="useHttpsURLConnectionDefaultHostnameVerifier" type="pt:ParameterizedBoolean"
default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies if HttpsURLConnection.defaultHostnameVerifier 
+                should be used to create https connections. If 'true', 'disableCNCheck'
+                is ignored.
+                Since 2.2.7.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
            <xs:attribute name="disableCNCheck" type="pt:ParameterizedBoolean" default="false">
              <xs:annotation>
                 <xs:documentation>

Modified: cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=920744&r1=920743&r2=920744&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
Tue Mar  9 09:08:15 2010
@@ -63,6 +63,12 @@ public final class TLSClientParametersCo
         if (params.isDisableCNCheck()) {
             ret.setDisableCNCheck(true);
         }
+        if (params.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
+            ret.setUseHttpsURLConnectionDefaultHostnameVerifier(true);
+        }
+        if (params.isUseHttpsURLConnectionDefaultSslSocketFactory()) {
+            ret.setUseHttpsURLConnectionDefaultSslSocketFactory(true);
+        }
         if (params.isSetSecureSocketProtocol()) {
             ret.setSecureSocketProtocol(params.getSecureSocketProtocol());
         }

Modified: cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=920744&r1=920743&r2=920744&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Tue Mar  9 09:08:15 2010
@@ -26,18 +26,14 @@ import java.lang.reflect.Method;
 import java.net.HttpURLConnection;
 import java.net.Proxy;
 import java.net.URL;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
+import java.security.GeneralSecurityException;
 import java.util.logging.Handler;
 import java.util.logging.Logger;
 
-import javax.imageio.IIOException;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ReflectionInvokationHandler;
@@ -134,7 +130,7 @@ public final class HttpsURLConnectionFac
                     if (ex instanceof IOException) {
                         throw (IOException) ex;
                     }
-                    throw new IIOException("Error while initializing secure socket", ex);
+                    throw new IOException("Error while initializing secure socket", ex);
                 }
             }
         }
@@ -148,71 +144,55 @@ public final class HttpsURLConnectionFac
      * which allows internal cast to potentially divergent subtype (https) implementations.
      */
     protected synchronized void decorateWithTLS(HttpURLConnection connection)
-        throws NoSuchAlgorithmException,
-               NoSuchProviderException,
-               KeyManagementException {
-
-        // First see if an SSLSocketFactory was set.  This allows easy interop
-        // with not-yet-commons-ssl.jar, or even just people who like doing their
-        // own JSSE.
-        if (socketFactory == null) {
-            SSLSocketFactory preSetFactory = tlsClientParameters.getSSLSocketFactory();
-            if (preSetFactory != null) {
-                socketFactory = preSetFactory;
-            }
-        }
+        throws GeneralSecurityException {
 
-        // Okay, no SSLSocketFactory available in TLSClientParameters.  Maybe
-        // TrustManagers, KeyManagers, etc?
-        if (socketFactory == null) {
-            String provider = tlsClientParameters.getJsseProvider();
+        // always reload socketFactory from HttpsURLConnection.defaultSSLSocketFactory and

+        // tlsClientParameters.sslSocketFactory to allow runtime configuration change
+        if (tlsClientParameters.isUseHttpsURLConnectionDefaultSslSocketFactory()) {
+            socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory();
             
-            String protocol = tlsClientParameters.getSecureSocketProtocol() != null
-                      ? tlsClientParameters.getSecureSocketProtocol()
-                      : "TLS";
-                      
-            SSLContext ctx = provider == null
-                      ? SSLContext.getInstance(protocol)
-                      : SSLContext.getInstance(protocol, provider);
+        } else if (tlsClientParameters.getSSLSocketFactory() != null) {
+            // see if an SSLSocketFactory was set. This allows easy interop
+            // with not-yet-commons-ssl.jar, or even just people who like doing their
+            // own JSSE.
+            socketFactory = tlsClientParameters.getSSLSocketFactory();
             
-                      
+        } else if (socketFactory == null) {
+            // ssl socket factory not yet instantiated, create a new one with tlsClientParameters's
Trust
+            // Managers, Key Managers, etc
+
+            String provider = tlsClientParameters.getJsseProvider();
+
+            String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
+                .getSecureSocketProtocol() : "TLS";
+
+            SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
+                .getInstance(protocol, provider);
+
+            ctx.init(tlsClientParameters.getKeyManagers(), tlsClientParameters.getTrustManagers(),
+                     tlsClientParameters.getSecureRandom());
 
-            TrustManager[] trustAllCerts = tlsClientParameters.getTrustManagers();
-            /*
-            TrustManager[] trustAllCerts = new TrustManager[] {
-                new javax.net.ssl.X509TrustManager() {
-                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                        return null;
-                    }
-                    public void checkClientTrusted(
-                        java.security.cert.X509Certificate[] certs, String authType) {
-                    }
-                    public void checkServerTrusted(
-                        java.security.cert.X509Certificate[] certs, String authType) {
-                    }
-                }
-            };
-            */         
-            ctx.init(
-                tlsClientParameters.getKeyManagers(),
-                trustAllCerts, 
-                tlsClientParameters.getSecureRandom());
-            
             // The "false" argument means opposite of exclude.
-            String[] cipherSuites =
-                SSLUtils.getCiphersuites(tlsClientParameters.getCipherSuites(),
-                                         SSLUtils.getSupportedCipherSuites(ctx),
-                                         tlsClientParameters.getCipherSuitesFilter(),
-                                         LOG, false);
+            String[] cipherSuites = SSLUtils.getCiphersuites(tlsClientParameters.getCipherSuites(),
SSLUtils
+                .getSupportedCipherSuites(ctx), tlsClientParameters.getCipherSuitesFilter(),
LOG, false);
             // The SSLSocketFactoryWrapper enables certain cipher suites
             // from the policy.
-            socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(),
-                                                        cipherSuites,
+            socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites,
                                                         tlsClientParameters.getSecureSocketProtocol());
+        } else {
+           // ssl socket factory already initialized, reuse it to benefit of keep alive
+        }
+        
+        
+        HostnameVerifier verifier;
+        if (tlsClientParameters.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
+            verifier = HttpsURLConnection.getDefaultHostnameVerifier();
+        } else if (tlsClientParameters.isDisableCNCheck()) {
+            verifier = CertificateHostnameVerifier.ALLOW_ALL;
+        } else {
+            verifier = CertificateHostnameVerifier.DEFAULT;
         }
         
-        HostnameVerifier verifier = tlsClientParameters.isDisableCNCheck() 
-            ? CertificateHostnameVerifier.ALLOW_ALL : CertificateHostnameVerifier.DEFAULT;
         if (connection instanceof HttpsURLConnection) {
             // handle the expected case (javax.net.ssl)
             HttpsURLConnection conn = (HttpsURLConnection) connection;



Mime
View raw message