From cohei...@apache.org
Subject [1/3] git commit: [CXF-6087] - Add a way to exclude (multiple) SSL/TLS protocols in the HTTPJ namespace
Date Wed, 05 Nov 2014 17:31:11 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes d6b88f980 -> 11725278a


[CXF-6087] - Add a way to exclude (multiple) SSL/TLS protocols in the HTTPJ namespace

Conflicts:
	rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4199a30e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4199a30e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4199a30e

Branch: refs/heads/3.0.x-fixes
Commit: 4199a30e43e7fa90801fb4aafcfa3dc397f0c262
Parents: d6b88f9
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Nov 5 17:12:31 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Nov 5 17:13:19 2014 +0000

----------------------------------------------------------------------
 .../configuration/jsse/TLSServerParameters.java |  22 ++
 .../jsse/TLSServerParametersConfig.java         |   3 +
 .../schemas/configuration/security.xsd          |  19 ++
 .../http_jetty/JettyHTTPServerEngine.java       | 242 +++++++++++++++++++
 .../osgi/HTTPJettyTransportActivator.java       |   5 +
 ...ttyHTTPServerEngineBeanDefinitionParser.java |   5 +-
 .../org/apache/cxf/systest/ws/ssl/SSLTest.java  |  67 +++++
 .../apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl  |   3 +
 .../apache/cxf/systest/ws/ssl/client-ssl3.xml   |  34 +++
 .../org/apache/cxf/systest/ws/ssl/server.xml    |  26 ++
 10 files changed, 425 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
index ab94d38..52884c3 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
@@ -18,6 +18,9 @@
  */
 package org.apache.cxf.configuration.jsse;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.apache.cxf.configuration.security.ClientAuthentication;
 
 /**
@@ -28,6 +31,7 @@ import org.apache.cxf.configuration.security.ClientAuthentication;
 public class TLSServerParameters extends TLSParameterBase {
 
     ClientAuthentication clientAuthentication;
+    List<String> excludeProtocols = new ArrayList<String>();
     
     /**
      * This parameter configures the server side to request and/or
@@ -43,4 +47,22 @@ public class TLSServerParameters extends TLSParameterBase {
     public ClientAuthentication getClientAuthentication() {
         return clientAuthentication;
     }
+    
+    /**
+     * This parameter sets the protocol list to exclude.
+     */
+    public final void setExcludeProtocols(List<String> protocols) {
+        excludeProtocols = protocols;
+    }
+    
+    /**
+     * Returns the protocols to exclude that are associated with this endpoint.
+     */
+    public List<String> getExcludeProtocols() {
+        if (excludeProtocols == null) {
+            excludeProtocols = new ArrayList<String>();
+        }
+        return excludeProtocols;
+    }
+
 }
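Review bot: `setExcludeProtocols` keeps the caller's list by reference and `getExcludeProtocols` hands that same mutable list back (the HTTPJettyTransportActivator change in this commit calls `.add` on it), so a caller that passes a shared or unmodifiable list either sees it mutated behind its back or gets an UnsupportedOperationException later. Copying in the setter, `excludeProtocols = protocols == null ? new ArrayList<String>() : new ArrayList<String>(protocols);`, removes both problems and makes the null repair in the getter unnecessary. The setter's Javadoc should also state what an empty list means, because createSSLContext in this commit applies the SSLv3 default only when the list is empty and a non-empty list replaces it: e.g. `* An empty list (the default) causes SSLv3 to be excluded; a non-empty list replaces that default, so SSLv3 must be listed explicitly to remain excluded.`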

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index 13d84e8..a9c9cd6 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -54,6 +54,9 @@ public class TLSServerParametersConfig
         if (params.isSetCipherSuites()) {
             this.setCipherSuites(params.getCipherSuites().getCipherSuite());
         }
+        if (params.isSetExcludeProtocols()) {
+            this.setExcludeProtocols(params.getExcludeProtocols().getExcludeProtocol());
+        }
         if (params.isSetJsseProvider()) {
             this.setJsseProvider(params.getJsseProvider());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/core/src/main/resources/schemas/configuration/security.xsd
----------------------------------------------------------------------
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index e68e65a..56fe888 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -341,6 +341,18 @@
         </xs:sequence>
     </xs:complexType>
     
+    <xs:complexType name="ExcludeProtocols">
+      <xs:annotation>
+        <xs:documentation>
+        This structure holds a list of protocols that are to be excluded.
+        If this structure is not defined then SSLv3 is excluded by default
+        </xs:documentation>
+      </xs:annotation>
+        <xs:sequence>
+           <xs:element name="excludeProtocol" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+    </xs:complexType>
+    
     <xs:complexType name="SecureRandomParameters">
       <xs:annotation>
         <xs:documentation>
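Review bot: The documentation sentence `If this structure is not defined then SSLv3 is excluded by default` covers only the absent case; the Jetty engine code in this commit applies the SSLv3 default only when the list is empty, so declaring the structure with any entry replaces the default instead of extending it. A user who excludes just TLSv1 would therefore re-enable SSLv3 without being told. Suggest extending the sentence to `If this structure is not defined (or is empty) then SSLv3 is excluded by default; if it is defined, only the listed protocols are excluded, so SSLv3 must be listed explicitly to remain excluded.`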
@@ -538,6 +550,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:element>
+           <xs:element name="excludeProtocols" type="tns:ExcludeProtocols" minOccurs="0">
+              <xs:annotation>
+                <xs:documentation>
+                This element contains the the Protocols that will be excluded
+                </xs:documentation>
+              </xs:annotation>
+           </xs:element>
            <xs:element name="secureRandomParameters" 
                        type="tns:SecureRandomParameters" minOccurs="0">
               <xs:annotation>
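Review bot: The element documentation reads `the the Protocols`; drop the duplicated word and lower-case the noun: `This element contains the protocols that will be excluded`. It would also help to point the reader at the default described on the ExcludeProtocols type, since anyone configuring this element needs to know that listing any protocol replaces the built-in SSLv3 exclusion.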

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index f3eb849..be55bff 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -477,6 +477,248 @@ public class JettyHTTPServerEngine
         ++servantCount;
     }
     
+<<<<<<< HEAD
+=======
+    private void addServerMBean() {
+        if (mBeanContainer == null) {
+            return;
+        }        
+        
+        try {
+            Object o = getContainer(server);
+            o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o,
mBeanContainer);
+            if (Server.getVersion().startsWith("8")) {
+                return;
+            }
+            mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
+                .invoke(mBeanContainer, null, server);
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception r) {
+            throw new RuntimeException(r);
+        }
+    }
+    private void removeServerMBean() {
+        try {
+            mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
+                .invoke(mBeanContainer, null, server);
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception r) {
+            throw new RuntimeException(r);
+        }
+    }
+
+    private Connector createConnector(String hosto, int porto) {
+        // now we just use the SelectChannelConnector as the default connector
+        SslContextFactory sslcf = null;
+        if (tlsServerParameters != null) { 
+            sslcf = new SslContextFactory() {
+                protected void doStart() throws Exception {
+                    setSslContext(createSSLContext(this));
+                    super.doStart();
+                }
+                public void checkKeyStore() {
+                    //we'll handle this later
+                }
+            };
+            decorateCXFJettySslSocketConnector(sslcf);
+        }
+        AbstractConnector result = null;
+        if (!Server.getVersion().startsWith("8")) {
+            result = createConnectorJetty9(sslcf, hosto, porto);
+        } else {
+            result = createConnectorJetty8(sslcf, hosto, porto);
+        }        
+        
+        try {
+            result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
+            if (hosto != null) {
+                result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
+            }
+            result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }        
+        
+        return result;
+    }
+    
+    AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto)
{
+        //Jetty 9
+        AbstractConnector result = null;
+        try {
+            Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",

+                                                              Server.class); 
+            Object httpConfig = configClass.newInstance();
+            httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
+                .invoke(httpConfig, getSendServerVersion());
+            
+            Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",

+                                                            Server.class)
+                                                            .getConstructor(configClass).newInstance(httpConfig);

+
+            Collection<Object> connectionFactories = new ArrayList<Object>();
+            result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",

+                                                                   Server.class)
+                                                                   .getConstructor(Server.class)
+                                                                   .newInstance(server);
+            
+            if (tlsServerParameters != null) {
+                Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
+                                                          Server.class);
+                httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
+                    .invoke(httpConfig, src.newInstance());
+                Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
+                                                        Server.class).getConstructor(SslContextFactory.class,
+                                                                                     String.class)
+                                                        .newInstance(sslcf, "HTTP/1.1");
+                connectionFactories.add(scf);
+                result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result,
"SSL-HTTP/1.1");
+            }
+            connectionFactories.add(httpFactory);
+            result.getClass().getMethod("setConnectionFactories", Collection.class)
+                .invoke(result, connectionFactories);
+            
+            if (getMaxIdleTime() > 0) {
+                result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new
Long(getMaxIdleTime()));
+            }
+
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return result;
+    }
+    AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto)
{
+        //Jetty 8
+        AbstractConnector result = null;
+        try {
+            if (sslcf == null) { 
+                result = (AbstractConnector)ClassLoaderUtils
+                    .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
+                               Server.class).newInstance();
+            } else {
+                result = (AbstractConnector)ClassLoaderUtils
+                    .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
+                               Server.class).getConstructor(SslContextFactory.class)
+                               .newInstance(sslcf);
+            }
+            Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
+            if (getMaxIdleTime() > 0) {
+                result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result,
getMaxIdleTime());
+            }
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return result;
+    }
+    
+    
+    protected SSLContext createSSLContext(SslContextFactory scf) throws Exception  {
+        String proto = tlsServerParameters.getSecureSocketProtocol() == null
+            ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+        
+        // Exclude SSLv3 by default unless the protocol is given as SSLv3
+        if (!"SSLv3".equals(proto) && tlsServerParameters.getExcludeProtocols().isEmpty())
{
+            scf.addExcludeProtocols("SSLv3");
+        } else {
+            for (String p : tlsServerParameters.getExcludeProtocols()) {
+                scf.addExcludeProtocols(p);
+            }
+        }
+ 
+        SSLContext context = tlsServerParameters.getJsseProvider() == null
+            ? SSLContext.getInstance(proto)
+                : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
+            
+        KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
+        if (tlsServerParameters.getCertAlias() != null) {
+            keyManagers = getKeyManagersWithCertAlias(keyManagers);
+        }
+        context.init(tlsServerParameters.getKeyManagers(), 
+                     tlsServerParameters.getTrustManagers(),
+                     tlsServerParameters.getSecureRandom());
+
+        String[] cs = 
+            SSLUtils.getCiphersuites(
+                    tlsServerParameters.getCipherSuites(),
+                    SSLUtils.getServerSupportedCipherSuites(context),
+                    tlsServerParameters.getCipherSuitesFilter(),
+                    LOG, true);
+                
+        scf.setExcludeCipherSuites(cs);
+        return context;
+    }
+    protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception
{
+        if (tlsServerParameters.getCertAlias() != null) {
+            for (int idx = 0; idx < keyManagers.length; idx++) {
+                if (keyManagers[idx] instanceof X509KeyManager) {
+                    keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+                        tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
+                }
+            }
+        }
+        return keyManagers;
+    }
+    protected void setClientAuthentication(SslContextFactory con,
+                                           ClientAuthentication clientAuth) {
+        con.setWantClientAuth(true);
+        if (clientAuth != null) {
+            if (clientAuth.isSetWant()) {
+                con.setWantClientAuth(clientAuth.isWant());
+            }
+            if (clientAuth.isSetRequired()) {
+                con.setNeedClientAuth(clientAuth.isRequired());
+            }
+        }
+    }    
+    /**
+     * This method sets the security properties for the CXF extension
+     * of the JettySslConnector.
+     */
+    private void decorateCXFJettySslSocketConnector(
+            SslContextFactory con
+    ) {
+        setClientAuthentication(con,
+                                tlsServerParameters.getClientAuthentication());
+        con.setCertAlias(tlsServerParameters.getCertAlias());
+    }
+    
+
+    private static Container getContainer(Object server) {
+        if (server instanceof Container) {
+            return (Container)server;
+        }
+        try {
+            return (Container)server.getClass().getMethod("getContainer").invoke(server);
+        } catch (RuntimeException t) {
+            throw t;
+        } catch (Throwable t) {
+            throw new RuntimeException(t);
+        }
+    }
+
+    private static void logConnector(Connector connector) {
+        try {
+            String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
+            int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
+            LOG.finer("connector.host: " 
+                + h == null 
+                  ? "null" 
+                  : "\"" + h + "\"");
+            LOG.finer("connector.port: " + port);
+        } catch (Throwable t) {
+            //ignore
+        }
+    }
+
+>>>>>>> 1701e6c... [CXF-6087] - Add a way to exclude (multiple) SSL/TLS
protocols in the HTTPJ namespace
     protected void setupThreadPool() {
         AbstractConnector aconn = (AbstractConnector) connector;
         if (isSetThreadingParameters()) {
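Review bot: The hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD` and `=======` at its top, `>>>>>>> 1701e6c...` just before setupThreadPool), so JettyHTTPServerEngine.java cannot compile as pushed; the markers and the empty HEAD side have to be removed. In createSSLContext the aliased key managers are computed and then dropped: `keyManagers = getKeyManagersWithCertAlias(keyManagers);` is followed by `context.init(tlsServerParameters.getKeyManagers(), ...)`, so a configured certAlias only takes effect if getKeyManagers() happens to return the very array the helper mutates in place — it should read `context.init(keyManagers,`. The SSLv3 default is applied only when the exclude list is empty, so a configuration excluding just TLSv1 silently re-enables SSLv3; the server.xml test in this commit relies on that replacement semantics to build an SSLv3-only endpoint, so if it is intentional it deserves a comment such as `// an explicit exclude list replaces (rather than extends) the SSLv3 default`. In logConnector, `"connector.host: " + h == null ? ...` concatenates before comparing, so the condition is always false and the prefix is lost; parenthesize as `(h == null)`. setupThreadPool starts in this hunk and continues outside it.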

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
index 5160e53..b37ed4d 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
@@ -213,6 +213,11 @@ public class HTTPJettyTransportActivator
                     while (st.hasMoreTokens()) {
                         p.getCipherSuites().add(st.nextToken());
                     }
+                }  else if (k.startsWith("excludeProtocols")) {
+                    StringTokenizer st = new StringTokenizer(v, ",");
+                    while (st.hasMoreTokens()) {
+                        p.getExcludeProtocols().add(st.nextToken());
+                    }
                 } else if (k.startsWith("trustManagers.")) {
                     tmt = getTrustManagers(tmt,
                                           k.substring("trustManagers.".length()),

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
index a17e5bb..9ee06a0 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java
@@ -31,7 +31,6 @@ import org.w3c.dom.Attr;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
-
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor;
 import org.apache.cxf.common.injection.NoJSR250Annotations;
@@ -39,6 +38,7 @@ import org.apache.cxf.configuration.jsse.TLSServerParametersConfig;
 import org.apache.cxf.configuration.security.CertificateConstraintsType;
 import org.apache.cxf.configuration.security.CipherSuites;
 import org.apache.cxf.configuration.security.ClientAuthentication;
+import org.apache.cxf.configuration.security.ExcludeProtocols;
 import org.apache.cxf.configuration.security.FiltersType;
 import org.apache.cxf.configuration.security.KeyManagersType;
 import org.apache.cxf.configuration.security.SecureRandomParameters;
@@ -196,6 +196,9 @@ public class JettyHTTPServerEngineBeanDefinitionParser extends AbstractBeanDefin
             } else if ("cipherSuitesFilter".equals(ename)) {
                 mapElementToJaxbProperty((Element)n, paramsbean, ename,
                                          FiltersType.class);
+            } else if ("excludeProtocols".equals(ename)) {
+                mapElementToJaxbProperty((Element)n, paramsbean, ename,
+                                         ExcludeProtocols.class);
             } else if ("secureRandomParameters".equals(ename)) {
                 mapElementToJaxbProperty((Element)n, paramsbean, ename,
                                          SecureRandomParameters.class);

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
index 47c240d..6c3478e 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
@@ -27,13 +27,19 @@ import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.configuration.jsse.SSLUtils;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
+import org.apache.cxf.systest.ws.common.UTPasswordCallback;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.example.contract.doubleit.DoubleItPortType;
 import org.junit.BeforeClass;
 
 /**
@@ -42,6 +48,10 @@ import org.junit.BeforeClass;
 public class SSLTest extends AbstractBusClientServerTestBase {
     static final String PORT = allocatePort(Server.class);
     static final String PORT2 = allocatePort(Server.class, 2);
+    static final String PORT3 = allocatePort(Server.class, 3);
+    
+    private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
     
     @BeforeClass
     public static void startServers() throws Exception {
@@ -131,6 +141,63 @@ public class SSLTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testClientSSL3NotAllowed() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SSLTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = SSLTest.class.getResource("DoubleItSSL.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort3");
+        DoubleItPortType utPort = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(utPort, PORT3);
+        
+        ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice");
+        ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+                                                          new UTPasswordCallback());
+        
+        try {
+            utPort.doubleIt(25);
+            fail("Failure expected on the client not supporting SSLv3 by default");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)utPort).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testClientSSL3Allowed() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SSLTest.class.getResource("client-ssl3.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = SSLTest.class.getResource("DoubleItSSL.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort3");
+        DoubleItPortType utPort = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(utPort, PORT3);
+        
+        ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice");
+        ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+                                                          new UTPasswordCallback());
+        
+        utPort.doubleIt(25);
+        
+        ((java.io.Closeable)utPort).close();
+        bus.shutdown(true);
+    }
+    
     private static final class DisableCNCheckVerifier implements HostnameVerifier {
 
         @Override
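Review bot: `testClientSSL3NotAllowed` treats any `Exception` as the expected failure, so a wrong port, a rejected username token or a server that is simply not listening would make the test pass for the wrong reason; the catch block should verify that the failure is a TLS handshake problem, for example by walking `ex.getCause()` and asserting that a `javax.net.ssl.SSLException` is present, calling `fail()` otherwise. `testClientSSL3Allowed` depends on the client JRE still permitting SSLv3; on runtimes that disable it through the `jdk.tls.disabledAlgorithms` security property the call fails for an unrelated reason, which deserves a comment on the test such as `// requires a JRE that still enables SSLv3 for clients`. The enclosing class continues outside the hunk.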

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
index ed021f4..ad391b1 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
@@ -44,6 +44,9 @@
         <wsdl:port name="DoubleItPlaintextPort2" binding="tns:DoubleItPlaintextBinding">
             <soap:address location="https://localhost:9009/DoubleItUTPlaintext2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItPlaintextPort3" binding="tns:DoubleItPlaintextBinding">
+            <soap:address location="https://localhost:9009/DoubleItUTPlaintext3"/>
+        </wsdl:port>
     </wsdl:service>
     <wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
         <wsp:ExactlyOne>

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml
new file mode 100644
index 0000000..ac89427
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security"
xsi:schemaLocation="           http://www.springframework.org/schema/beans           http://www.springframework.org/schema/beans/spring-beans.xsd
          http://cxf.apache.org/jaxws                           http://cxf.apache.org/schemas/jaxws.xsd
          http://cxf.apache.org/transports/http/configuration   http://cxf.apache.org/schemas/configuration/http-conf.xsd
          http://cxf.apache.org/configuration/security          http://cxf.apache.org/schemas/configuration/security.xsd
          http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd           http://cxf.apache.org/policy
http://cxf.apache.org/schemas/poli
 cy.xsd">
+    <cxf:bus>
+        <cxf:features>
+            <p:policies/>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <http:conduit name="https://localhost:.*">
+        <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSLv3">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/4199a30e/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
index d1593b9..93adf5b 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
@@ -66,4 +66,30 @@
         </jaxws:properties>
     </jaxws:endpoint>
     
+    <httpj:engine-factory id="disallow-tls-via-configuration">
+        <httpj:engine port="${testutil.ports.Server.3}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:clientAuthentication want="true" required="false"/>
+                <sec:excludeProtocols>
+                    <sec:excludeProtocol>TLS</sec:excludeProtocol>
+                    <sec:excludeProtocol>TLSv1</sec:excludeProtocol>
+                    <sec:excludeProtocol>TLSv1.1</sec:excludeProtocol>
+                    <sec:excludeProtocol>TLSv1.2</sec:excludeProtocol>
+                </sec:excludeProtocols>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Plaintext3"
address="https://localhost:${testutil.ports.Server.3}/DoubleItUTPlaintext3" serviceName="s:DoubleItService"
endpointName="s:DoubleItPlaintextPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl" depends-on="disallow-tls-via-configuration">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
 </beans>

