From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-6087] - Add a way to exclude (multiple) SSL/TLS protocols in the HTTPJ namespace Date: Wed, 5 Nov 2014 17:12:52 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 79916d34d -> 1701e6c8d [CXF-6087] - Add a way to exclude (multiple) SSL/TLS protocols in the HTTPJ namespace Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1701e6c8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1701e6c8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1701e6c8 Branch: refs/heads/master Commit: 1701e6c8d4e794f25d69781e3f69357723ad7fcf Parents: 79916d3 Author: Colm O hEigeartaigh Authored: Wed Nov 5 17:12:31 2014 +0000 Committer: Colm O hEigeartaigh Committed: Wed Nov 5 17:12:47 2014 +0000 ---------------------------------------------------------------------- .../configuration/jsse/TLSServerParameters.java | 22 +++++++ .../jsse/TLSServerParametersConfig.java | 3 + .../schemas/configuration/security.xsd | 19 ++++++ .../http_jetty/JettyHTTPServerEngine.java | 7 +- .../osgi/HTTPJettyTransportActivator.java | 5 ++ ...ttyHTTPServerEngineBeanDefinitionParser.java | 5 +- .../org/apache/cxf/systest/ws/ssl/SSLTest.java | 67 ++++++++++++++++++++ .../apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl | 3 + .../apache/cxf/systest/ws/ssl/client-ssl3.xml | 34 ++++++++++ .../org/apache/cxf/systest/ws/ssl/server.xml | 26 ++++++++ 10 files changed, 189 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java ---------------------------------------------------------------------- 
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java index ab94d38..52884c3 100644 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java +++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java @@ -18,6 +18,9 @@ */ package org.apache.cxf.configuration.jsse; +import java.util.ArrayList; +import java.util.List; + import org.apache.cxf.configuration.security.ClientAuthentication; /** @@ -28,6 +31,7 @@ import org.apache.cxf.configuration.security.ClientAuthentication; public class TLSServerParameters extends TLSParameterBase { ClientAuthentication clientAuthentication; + List excludeProtocols = new ArrayList(); /** * This parameter configures the server side to request and/or @@ -43,4 +47,22 @@ public class TLSServerParameters extends TLSParameterBase { public ClientAuthentication getClientAuthentication() { return clientAuthentication; } + + /** + * This parameter sets the protocol list to exclude. + */ + public final void setExcludeProtocols(List protocols) { + excludeProtocols = protocols; + } + + /** + * Returns the protocols to exclude that are associated with this endpoint. + */ + public List getExcludeProtocols() { + if (excludeProtocols == null) { + excludeProtocols = new ArrayList(); + } + return excludeProtocols; + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java index 13d84e8..a9c9cd6 100644 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java 
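Review bot: The Javadoc on `setExcludeProtocols` ("This parameter sets the protocol list to exclude.") omits the one fact a deployer needs: per the JettyHTTPServerEngine change in this commit, a non-empty list replaces the default SSLv3 exclusion rather than adding to it, so SSLv3 must be listed explicitly to stay disabled. Suggest `Sets the protocols to exclude. A non-empty list replaces the default exclusion of SSLv3; include "SSLv3" here to keep it disabled.` The getter returns the live, mutable list (the OSGi activator in this commit appends to it directly) and the setter stores the caller's reference, so `getExcludeProtocols`' Javadoc should say the returned list is live and that modifications affect the endpoint, e.g. `Returns the live list of protocols to exclude; never null, and changes to it take effect on the engine.`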
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java @@ -54,6 +54,9 @@ public class TLSServerParametersConfig if (params.isSetCipherSuites()) { this.setCipherSuites(params.getCipherSuites().getCipherSuite()); } + if (params.isSetExcludeProtocols()) { + this.setExcludeProtocols(params.getExcludeProtocols().getExcludeProtocol()); + } if (params.isSetJsseProvider()) { this.setJsseProvider(params.getJsseProvider()); } http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/core/src/main/resources/schemas/configuration/security.xsd ---------------------------------------------------------------------- diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd index 4cfa92a..d53d3e6 100644 --- a/core/src/main/resources/schemas/configuration/security.xsd +++ b/core/src/main/resources/schemas/configuration/security.xsd @@ -350,6 +350,18 @@ + + + + This structure holds a list of protocols that are to be excluded. + If this structure is not defined then SSLv3 is excluded by default + + + + + + + @@ -547,6 +559,13 @@ + + + + This element contains the the Protocols that will be excluded + + + http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java index 7e4c3e2..3d13a96 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java 
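Review bot: The added documentation in the second security.xsd hunk reads `the the Protocols` — drop the duplicated article. The first hunk's text says SSLv3 is excluded by default when the structure is absent, but it does not say what happens when the structure is present: as implemented in JettyHTTPServerEngine in this commit, a non-empty list replaces the default, so a list that omits SSLv3 re-enables it. Suggest adding `If this structure is defined, only the listed protocols are excluded; include SSLv3 explicitly to keep it disabled.` so the schema documentation matches the engine behaviour.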
@@ -674,8 +674,13 @@ public class JettyHTTPServerEngine String proto = tlsServerParameters.getSecureSocketProtocol() == null ? "TLS" : tlsServerParameters.getSecureSocketProtocol(); - if (!"SSLv3".equals(proto)) { + // Exclude SSLv3 by default unless the protocol is given as SSLv3 + if (!"SSLv3".equals(proto) && tlsServerParameters.getExcludeProtocols().isEmpty()) { scf.addExcludeProtocols("SSLv3"); + } else { + for (String p : tlsServerParameters.getExcludeProtocols()) { + scf.addExcludeProtocols(p); + } } SSLContext context = tlsServerParameters.getJsseProvider() == null http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java index 5160e53..b37ed4d 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java 
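Review bot: The new comment `// Exclude SSLv3 by default unless the protocol is given as SSLv3` understates the condition: the `else` branch also drops the SSLv3 exclusion whenever `getExcludeProtocols()` is non-empty, so an operator who configures only, say, `TLSv1` silently re-enables SSLv3. If that replacement semantics is intended (the new `testClientSSL3Allowed` relies on it), make the comment say so, e.g. `// An explicit exclude list replaces the default; SSLv3 is only excluded implicitly when no list is configured and the protocol is not SSLv3`, and consider a WARN-level log when a configured list omits SSLv3 so the downgrade is visible in server logs. Otherwise the safer shape is to keep the default SSLv3 exclusion independent of the list and add the configured protocols on top of it. The enclosing method starts and ends outside the hunk.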
@@ -213,6 +213,11 @@ public class HTTPJettyTransportActivator while (st.hasMoreTokens()) { p.getCipherSuites().add(st.nextToken()); } + } else if (k.startsWith("excludeProtocols")) { + StringTokenizer st = new StringTokenizer(v, ","); + while (st.hasMoreTokens()) { + p.getExcludeProtocols().add(st.nextToken()); + } } else if (k.startsWith("trustManagers.")) { tmt = getTrustManagers(tmt, k.substring("trustManagers.".length()), http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java index a17e5bb..9ee06a0 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java @@ -31,7 +31,6 @@ import org.w3c.dom.Attr; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; - import org.apache.cxf.Bus; import org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor; import org.apache.cxf.common.injection.NoJSR250Annotations; 
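Review bot: The tokens appended to `p.getExcludeProtocols()` are not trimmed, so a property written as `SSLv3, TLSv1` yields ` TLSv1` with a leading space, which presumably will not match a protocol name in Jetty and the exclusion silently does not apply; the cipherSuites branch above has the same shape, but for a protocol exclusion a silent miss is the more dangerous failure. Suggest `p.getExcludeProtocols().add(st.nextToken().trim());` and skipping blank tokens. `k.startsWith("excludeProtocols")` also accepts any key with that prefix; `"excludeProtocols".equals(k)` would be stricter unless the prefix form is deliberately mirroring the neighbouring branches. The enclosing method continues outside the hunk.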
@@ -39,6 +38,7 @@ import org.apache.cxf.configuration.jsse.TLSServerParametersConfig; import org.apache.cxf.configuration.security.CertificateConstraintsType; import org.apache.cxf.configuration.security.CipherSuites; import org.apache.cxf.configuration.security.ClientAuthentication; +import org.apache.cxf.configuration.security.ExcludeProtocols; import org.apache.cxf.configuration.security.FiltersType; import org.apache.cxf.configuration.security.KeyManagersType; import org.apache.cxf.configuration.security.SecureRandomParameters; @@ -196,6 +196,9 @@ public class JettyHTTPServerEngineBeanDefinitionParser extends AbstractBeanDefin } else if ("cipherSuitesFilter".equals(ename)) { mapElementToJaxbProperty((Element)n, paramsbean, ename, FiltersType.class); + } else if ("excludeProtocols".equals(ename)) { + mapElementToJaxbProperty((Element)n, paramsbean, ename, + ExcludeProtocols.class); } else if ("secureRandomParameters".equals(ename)) { mapElementToJaxbProperty((Element)n, paramsbean, ename, SecureRandomParameters.class); http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java index 47c240d..6c3478e 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java 
@@ -27,13 +27,19 @@ import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; +import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Service; import org.apache.cxf.Bus; import org.apache.cxf.bus.spring.SpringBusFactory; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.configuration.jsse.SSLUtils; import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.systest.ws.common.UTPasswordCallback; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.SecurityConstants; +import org.example.contract.doubleit.DoubleItPortType; import org.junit.BeforeClass; /** @@ -42,6 +48,10 @@ import org.junit.BeforeClass; public class SSLTest extends AbstractBusClientServerTestBase { static final String PORT = allocatePort(Server.class); static final String PORT2 = allocatePort(Server.class, 2); + static final String PORT3 = allocatePort(Server.class, 3); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); @BeforeClass public static void startServers() throws Exception { 
@@ -131,6 +141,63 @@ public class SSLTest extends AbstractBusClientServerTestBase { bus.shutdown(true); } + @org.junit.Test + public void testClientSSL3NotAllowed() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SSLTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SSLTest.class.getResource("DoubleItSSL.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort3"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT3); + + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice"); + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, + new UTPasswordCallback()); + + try { + utPort.doubleIt(25); + fail("Failure expected on the client not supporting SSLv3 by default"); + } catch (Exception ex) { + // expected + } + + ((java.io.Closeable)utPort).close(); + bus.shutdown(true); + } + + @org.junit.Test + public void testClientSSL3Allowed() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SSLTest.class.getResource("client-ssl3.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SSLTest.class.getResource("DoubleItSSL.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort3"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT3); + + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice"); + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, + new UTPasswordCallback()); + + 
utPort.doubleIt(25); + + ((java.io.Closeable)utPort).close(); + bus.shutdown(true); + } + private static final class DisableCNCheckVerifier implements HostnameVerifier { @Override http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl index ed021f4..ad391b1 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl @@ -44,6 +44,9 @@ + + + http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml new file mode 100644 index 0000000..ac89427 --- /dev/null +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml index d1593b9..93adf5b 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml 
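Review bot: `testClientSSL3NotAllowed` catches any `Exception` after `utPort.doubleIt(25)`, so a connection refused, a wrong port or a WS-Security fault would satisfy the test just as well and it would not show that the SSLv3 exclusion is what rejects the client. Suggest narrowing the catch to the exception type CXF actually raises here and asserting that its cause chain contains an `javax.net.ssl.SSLException` (confirm the exact wrapping against a run), or at least that the message names the handshake. In both new tests `((java.io.Closeable)utPort).close()` and `bus.shutdown(true)` are not in a `finally`, so an assertion failure leaks the port and bus into later tests in the class; a `try { ... } finally { ... }` around the call would fix that. The rest of the class is outside the hunk.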
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml @@ -66,4 +66,30 @@ + + + + + + + + + + + + TLS + TLSv1 + TLSv1.1 + TLSv1.2 + + + + + + + + + + +