cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [4/5] cxf git commit: Another refactor of systests/transports to make the https tests more manageable
Date Fri, 12 Dec 2014 15:28:18 GMT
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java
deleted file mode 100644
index 99381e7..0000000
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/SSLv3Test.java
+++ /dev/null
@@ -1,204 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.systest.https;
-
-import java.io.IOException;
-import java.net.URL;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.xml.ws.BindingProvider;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.bus.spring.SpringBusFactory;
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.configuration.jsse.SSLUtils;
-import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
-import org.apache.hello_world.Greeter;
-import org.apache.hello_world.services.SOAPService;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-/**
- * A set of tests SSL v3 protocol support. It should be disallowed by default on both the
- * (Jetty) server and CXF client side.
- */
-public class SSLv3Test extends AbstractBusClientServerTestBase {
-    static final String PORT = allocatePort(SSLv3Server.class);
-    static final String PORT2 = allocatePort(SSLv3Server.class, 2);
-    static final String PORT3 = allocatePort(SSLv3Server.class, 3);
-    
-    @BeforeClass
-    public static void startServers() throws Exception {
-        assertTrue(
-            "Server failed to launch",
-            // run the server in the same process
-            // set this to false to fork
-            launchServer(SSLv3Server.class, true)
-        );
-    }
-    
-    @AfterClass
-    public static void cleanup() throws Exception {
-        stopAllServers();
-    }
-
-    @org.junit.Test
-    public void testSSLv3ServerNotAllowedByDefault() throws Exception {
-
-        SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
-
-        Bus bus = bf.createBus(busFile.toString());
-        SpringBusFactory.setDefaultBus(bus);
-        SpringBusFactory.setThreadDefaultBus(bus);
-        
-        System.setProperty("https.protocols", "SSLv3");
-
-        URL service = new URL("https://localhost:" + PORT);
-        HttpsURLConnection connection = (HttpsURLConnection) service.openConnection();
-        
-        connection.setHostnameVerifier(new DisableCNCheckVerifier());
-        
-        SSLContext sslContext = SSLContext.getInstance("SSL");
-        URL keystore = SSLv3Test.class.getResource("../../../../../keys/Truststore.jks");
-        TrustManager[] trustManagers = 
-            SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(), 
-                                           "PKIX", LogUtils.getL7dLogger(SSLv3Test.class));
-        sslContext.init(null, trustManagers, new java.security.SecureRandom());
-        
-        connection.setSSLSocketFactory(sslContext.getSocketFactory());
-        
-        try {
-            connection.connect();
-            fail("Failure expected on an SSLv3 connection attempt");
-        } catch (IOException ex) {
-            // expected
-        }
-        
-        System.clearProperty("https.protocols");
-        
-        bus.shutdown(true);
-    }
-    
-    @org.junit.Test
-    public void testSSLv3ServerAllowed() throws Exception {
-
-        SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
-
-        Bus bus = bf.createBus(busFile.toString());
-        SpringBusFactory.setDefaultBus(bus);
-        SpringBusFactory.setThreadDefaultBus(bus);
-        
-        System.setProperty("https.protocols", "SSLv3");
-
-        URL service = new URL("https://localhost:" + PORT2);
-        HttpsURLConnection connection = (HttpsURLConnection) service.openConnection();
-        
-        connection.setHostnameVerifier(new DisableCNCheckVerifier());
-        
-        SSLContext sslContext = SSLContext.getInstance("SSL");
-        URL keystore = SSLv3Test.class.getResource("../../../../../keys/Truststore.jks");
-        TrustManager[] trustManagers = 
-            SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(), 
-                                           "PKIX", LogUtils.getL7dLogger(SSLv3Test.class));
-        sslContext.init(null, trustManagers, new java.security.SecureRandom());
-        
-        connection.setSSLSocketFactory(sslContext.getSocketFactory());
-        
-        connection.connect();
-        
-        connection.disconnect();
-        
-        System.clearProperty("https.protocols");
-        
-        bus.shutdown(true);
-    }
-    
-    @org.junit.Test
-    public void testClientSSL3NotAllowed() throws Exception {
-        SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = SSLv3Test.class.getResource("sslv3-client.xml");
-
-        Bus bus = bf.createBus(busFile.toString());
-        SpringBusFactory.setDefaultBus(bus);
-        SpringBusFactory.setThreadDefaultBus(bus);
-        
-        URL url = SOAPService.WSDL_LOCATION;
-        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
-        assertNotNull("Service is null", service);   
-        final Greeter port = service.getHttpsPort();
-        assertNotNull("Port is null", port);
-        
-        BindingProvider provider = (BindingProvider)port;
-        provider.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
-        
-        updateAddressPort(port, PORT3);
-        
-        try {
-            port.greetMe("Kitty");
-            fail("Failure expected on the client not supporting SSLv3 by default");
-        } catch (Exception ex) {
-            // expected
-        }
-        
-        ((java.io.Closeable)port).close();
-        bus.shutdown(true);
-    }
-    
-    @org.junit.Test
-    public void testClientSSL3Allowed() throws Exception {
-        SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = SSLv3Test.class.getResource("sslv3-client-allow.xml");
-
-        Bus bus = bf.createBus(busFile.toString());
-        SpringBusFactory.setDefaultBus(bus);
-        SpringBusFactory.setThreadDefaultBus(bus);
-        
-        URL url = SOAPService.WSDL_LOCATION;
-        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
-        assertNotNull("Service is null", service);   
-        final Greeter port = service.getHttpsPort();
-        assertNotNull("Port is null", port);
-        
-        BindingProvider provider = (BindingProvider)port;
-        provider.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
-        
-        updateAddressPort(port, PORT3);
-        
-        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
-        
-        ((java.io.Closeable)port).close();
-        bus.shutdown(true);
-    }
-    
-    private static final class DisableCNCheckVerifier implements HostnameVerifier {
-
-        @Override
-        public boolean verify(String arg0, SSLSession arg1) {
-            return true;
-        }
-        
-    };
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java
deleted file mode 100644
index 12f3bbd..0000000
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/Server.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.systest.https;
-
-import java.net.URL;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.bus.spring.SpringBusFactory;
-import org.apache.cxf.jaxws.EndpointImpl;
-import org.apache.cxf.systest.http.GreeterImpl;
-import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
-
-public class Server extends AbstractBusTestServerBase {
-    public static final String PORT = allocatePort(Server.class);
-
-    private String name;
-    private String address;
-    private URL configFileURL;
-    private EndpointImpl ep;
-    
-    public Server(String[] args) throws Exception {
-        this(args[0], args[1], args[2]);
-    }
-    
-    public Server(String n, String addr, String conf) throws Exception {
-        name    = n;
-        address = addr;
-        configFileURL = new URL(conf);
-        //System.out.println("Starting " + name 
-        //                     + " Server at " + address
-        //                     + " with config " + configFileURL);
-
-    }
-    public void tearDown() throws Exception {
-        if (ep != null) {
-            ep.stop();
-            ep = null;
-        }
-    }
-
-    protected void run()  {
-        // We use a null binding id in the call to EndpointImpl
-        // constructor. Why?
-        final String nullBindingID = null;
-
-        // We need to specify to use defaults on constructing the
-        // bus, because our configuration file doesn't have
-        // everything needed.
-        final boolean useDefaults = true;
-
-        // We configure a new bus for this server.
-        setBus(new SpringBusFactory().createBus(configFileURL, useDefaults));
-
-        // This impl class must have the appropriate annotations
-        // to match the WSDL file that we are using.
-        Object implementor = new GreeterImpl(name);
-        
-        // I don't know why this works.
-        ep = 
-            new EndpointImpl(
-                    getBus(), 
-                    implementor,
-                    nullBindingID,
-                    this.getClass().getResource("greeting.wsdl").toString());
-        // How the hell do I know what the name of the 
-        // http-destination is from using this call?
-        ep.setEndpointName(new QName("http://apache.org/hello_world", name));
-        ep.publish(address);
-    }
-
-
-    public static void main(String[] args) {
-        try {
-            Server s = new Server(args);
-            s.start();
-        } catch (Exception ex) {
-            ex.printStackTrace();
-            System.exit(-1);
-        }
-    }
-}
-

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java
new file mode 100644
index 0000000..203527c
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthServer.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.clientauth;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class ClientAuthServer extends AbstractBusTestServerBase {
+
+    public ClientAuthServer() {
+
+    }
+
+    protected void run()  {
+        URL busFile = ClientAuthServer.class.getResource("client-auth-server.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new ClientAuthServer();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java
new file mode 100644
index 0000000..4493d53
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/clientauth/ClientAuthTest.java
@@ -0,0 +1,246 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.clientauth;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+/**
+ * A set of tests for TLS client authentication.
+ */
+public class ClientAuthTest extends AbstractBusClientServerTestBase {
+    static final String PORT = allocatePort(ClientAuthServer.class);
+    static final String PORT2 = allocatePort(ClientAuthServer.class, 2);
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork
+            launchServer(ClientAuthServer.class, true)
+        );
+    }
+    
+    @AfterClass
+    public static void cleanup() throws Exception {
+        stopAllServers();
+    }
+
+    // Server directly trusts the client cert
+    @org.junit.Test
+    public void testDirectTrust() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("client-auth.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT);
+        
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Server does not (directly) trust the client cert
+    @org.junit.Test
+    public void testInvalidDirectTrust() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("client-auth-invalid.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on an untrusted cert");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Client does not specify a KeyStore, only a TrustStore
+    @org.junit.Test
+    public void testNoClientCert() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("../ssl3/sslv3-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on no trusted cert");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Server trusts the issuer of the client cert
+    @org.junit.Test
+    public void testChainTrust() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("client-auth-chain.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT2);
+        
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Server does not trust the issuer of the client cert
+    @org.junit.Test
+    public void testInvalidChainTrust() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("client-auth-invalid2.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT2);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on no trusted cert");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Client does not trust the issuer of the server cert
+    @org.junit.Test
+    public void testClientInvalidCertChain() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("client-auth-invalid2.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on no trusted cert");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Client does not directly trust the server cert
+    @org.junit.Test
+    public void testClientInvalidDirectTrust() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClientAuthTest.class.getResource("client-auth-invalid.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT2);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on no trusted cert");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java
new file mode 100644
index 0000000..af7d702
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSClientTest.java
@@ -0,0 +1,250 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.net.URL;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.TrustManager;
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.configuration.Configurer;
+import org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils;
+import org.apache.cxf.configuration.security.KeyManagersType;
+import org.apache.cxf.configuration.security.KeyStoreType;
+import org.apache.cxf.configuration.security.TrustManagersType;
+import org.apache.cxf.jaxws.endpoint.dynamic.JaxWsDynamicClientFactory;
+import org.apache.cxf.systest.https.BusServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * This test is meant to run against a spring-loaded
+ * HTTP/S service.
+ */
+public class HTTPSClientTest extends AbstractBusClientServerTestBase {
+    //
+    // data
+    //
+    
+    /**
+     * the package path used to locate resources specific to this test
+     */
+    private void setTheConfiguration(String config) {
+        //System.setProperty("javax.net.debug", "all");
+        try {
+            System.setProperty(
+                Configurer.USER_CFG_FILE_PROPERTY_URL,
+                HTTPSClientTest.class.getResource(config).toString()
+            );
+        } catch (final Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    @BeforeClass
+    public static void setupPorts() {
+        BusServer.resetPortMap();
+    }
+          
+    public void startServers() throws Exception {
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork a new process
+            launchServer(BusServer.class, true)
+        );
+    }
+    
+    
+    public void stopServers() throws Exception {
+        stopAllServers();
+        System.clearProperty(Configurer.USER_CFG_FILE_PROPERTY_URL);
+        BusFactory.setDefaultBus(null);
+        BusFactory.setThreadDefaultBus(null);
+    }    
+    
+    
+    //
+    // tests
+    //
+    public final void testSuccessfulCall(String configuration,
+                                         String address) throws Exception {
+        testSuccessfulCall(configuration, address, null);
+    }
+    public final void testSuccessfulCall(String configuration,
+                                         String address,
+                                         URL url) throws Exception {
+        testSuccessfulCall(configuration, address, url, false);
+    }
+    public final void testSuccessfulCall(String configuration,
+                                         String address,
+                                         URL url, 
+                                         boolean dynamicClient) throws Exception {
+        setTheConfiguration(configuration);
+        startServers();
+        if (url == null) {
+            url = SOAPService.WSDL_LOCATION;
+        }
+        
+        //CXF-4037 - dynamic client isn't using the conduit settings to resolve schemas
+        if (dynamicClient) {
+            ClassLoader loader = Thread.currentThread().getContextClassLoader();
+            JaxWsDynamicClientFactory.newInstance(BusFactory.getDefaultBus())
+                .createClient(url.toExternalForm());
+            Thread.currentThread().setContextClassLoader(loader);
+        }
+
+        
+        
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        BindingProvider provider = (BindingProvider)port;
+        provider.getRequestContext().put(
+              BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
+              address);
+        
+        //provider.getRequestContext().put("use.async.http.conduit", Boolean.TRUE);
+        //for (int x = 0; x < 100000; x++) {
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+        //}
+        
+        
+        stopServers();
+    }
+    
+    @Test
+    public final void testJaxwsServer() throws Exception {
+        testSuccessfulCall("jaxws-server.xml", 
+                           "https://localhost:" + BusServer.getPort(2) + "/SoapContext/HttpsPort");        
+    }
+    @Test
+    public final void testJaxwsServerChangeHttpsToHttp() throws Exception {
+        testSuccessfulCall("jaxws-server.xml", 
+                            "http://localhost:" + BusServer.getPort(3) + "/SoapContext/HttpPort");    
+    }    
+    @Test
+    public final void testJaxwsEndpoint() throws Exception {
+        testSuccessfulCall("jaxws-publish.xml",
+                           "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+    }
+    @Test
+    public final void testJaxwsEndpointCallback() throws Exception {
+        testSuccessfulCall("jaxws-publish-callback.xml",
+                           "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+    }
+    @Test
+    public final void testJaxwsTLSRefsEndpoint() throws Exception {
+        testSuccessfulCall("jaxws-tlsrefs-publish.xml",
+                           "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+    }
+    @Test
+    public final void testPKCS12Endpoint() throws Exception {
+        testSuccessfulCall("pkcs12.xml",
+                           "https://localhost:" + BusServer.getPort(6) + "/SoapContext/HttpsPort");
+    }
+    
+    @Test
+    public final void testResourceKeySpecEndpoint() throws Exception {
+        testSuccessfulCall("resource-key-spec.xml",
+                           "https://localhost:" + BusServer.getPort(4) + "/SoapContext/HttpsPort");
+    }
+    @Test
+    public final void testResourceKeySpecEndpointURL() throws Exception {
+        testSuccessfulCall("resource-key-spec-url.xml",
+                           "https://localhost:" + BusServer.getPort(5) + "/SoapContext/HttpsPort",
+                           new URL("https://localhost:" + BusServer.getPort(5) + "/SoapContext/HttpsPort?wsdl"),
+                           true);
+        
+    }
+    
+    public static class ServerManagersFactory {
+        public static KeyManager[] getKeyManagers() {
+            KeyManagersType kmt = new KeyManagersType();
+            KeyStoreType kst = new KeyStoreType();
+            kst.setFile("src/test/resources/keys/Bethal.jks");
+            kst.setPassword("password");
+            kst.setType("JKS");
+        
+            kmt.setKeyStore(kst);
+            kmt.setKeyPassword("password");
+            try {
+                return TLSParameterJaxBUtils.getKeyManagers(kmt);
+            } catch (Exception e) {
+                throw new RuntimeException("failed to retrieve key managers", e);
+            }
+        }
+    
+        public static TrustManager[] getTrustManagers() {
+            TrustManagersType tmt = new TrustManagersType();
+            KeyStoreType kst = new KeyStoreType();
+            kst.setFile("src/test/resources/keys/Truststore.jks");
+            kst.setPassword("password");
+            kst.setType("JKS");
+        
+            tmt.setKeyStore(kst);
+            try {
+                return TLSParameterJaxBUtils.getTrustManagers(tmt);
+            } catch (Exception e) {
+                throw new RuntimeException("failed to retrieve trust managers", e);
+            }
+        }
+    }
+
+    public static class ClientManagersFactory {
+        public static KeyManager[] getKeyManagers() {
+            KeyManagersType kmt = new KeyManagersType();
+            KeyStoreType kst = new KeyStoreType();
+            kst.setFile("src/test/resources/keys/Morpit.jks");
+            kst.setPassword("password");
+            kst.setType("JKS");
+        
+            kmt.setKeyStore(kst);
+            kmt.setKeyPassword("password");
+            try {
+                return TLSParameterJaxBUtils.getKeyManagers(kmt);
+            } catch (Exception e) {
+                throw new RuntimeException("failed to retrieve key managers", e);
+            }
+        }
+    
+        public static TrustManager[] getTrustManagers() {
+            TrustManagersType tmt = new TrustManagersType();
+            KeyStoreType kst = new KeyStoreType();
+            kst.setFile("src/test/resources/keys/Truststore.jks");
+            kst.setPassword("password");
+            kst.setType("JKS");
+        
+            tmt.setKeyStore(kst);
+            try {
+                return TLSParameterJaxBUtils.getTrustManagers(tmt);
+            } catch (Exception e) {
+                throw new RuntimeException("failed to retrieve trust managers", e);
+            }
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java
new file mode 100644
index 0000000..c754f99
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSConduitTest.java
@@ -0,0 +1,761 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.BusApplicationContext;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.systest.https.BusServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transport.http.MessageTrustDecider;
+import org.apache.cxf.transport.http.URLConnectionInfo;
+import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
+import org.apache.cxf.transport.http.auth.HttpAuthHeader;
+import org.apache.cxf.transport.http.auth.HttpAuthSupplier;
+import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.context.ApplicationContext;
+
+/**
+ * This class tests several issues and Conduit policies based 
+ * on a set up of redirecting servers.
+ * <pre>
+ * 
+ * Http Redirection:
+ * 
+ * Poltim(https:9005)  ----> Mortimer (http:9000)
+ * 
+ * HttpS redirection/Trust:
+ * 
+ * Tarpin(https:9003) ----> Gordy(https:9001) ----> Bethal(https:9002)
+ * 
+ * Hostname Verifier Test
+ * 
+ * Morpit (https:9008)
+ * 
+ * </pre>HTTPConduitTest
+ * The Bethal server issues 401 with differing realms depending on the
+ * User name given in the authorization header.
+ * <p>
+ * The Morpit has a CN that is not equal to "localhost" to kick in
+ * the Hostname Verifier.
+ */
+public class HTTPSConduitTest extends AbstractBusClientServerTestBase {
+    private static final boolean IN_PROCESS = true;
+    
+    private static TLSClientParameters tlsClientParameters = new TLSClientParameters();
+    private static List<String> servers = new ArrayList<String>();
+
+    private static Map<String, String> addrMap = new TreeMap<String, String>();
+    
+    static {
+        try {
+            //System.setProperty("javax.net.debug", "all");
+            URL key = Server.class.getResource("../../../../../../keys/Morpit.jks");
+            String keystore = new File(key.toURI()).getAbsolutePath();
+            //System.out.println("Keystore: " + keystore);
+            KeyManager[] kmgrs = getKeyManagers(getKeyStore("JKS", keystore, "password"), "password");
+            
+            key = Server.class.getResource("../../../../../../keys/Truststore.jks");
+            
+            String truststore = new File(key.toURI()).getAbsolutePath();
+            //System.out.println("Truststore: " + truststore);
+            TrustManager[] tmgrs = getTrustManagers(getKeyStore("JKS", truststore, "password"));
+            
+            tlsClientParameters.setKeyManagers(kmgrs);
+            tlsClientParameters.setTrustManagers(tmgrs);
+        } catch (Exception e) {
+            throw new RuntimeException("Static initialization failed", e);
+        }
+    }
+
+    private final QName serviceName = 
+        new QName("http://apache.org/hello_world", "SOAPService");
+    private final QName bethalQ = 
+        new QName("http://apache.org/hello_world", "Bethal");
+    private final QName gordyQ = 
+        new QName("http://apache.org/hello_world", "Gordy");
+    private final QName tarpinQ = 
+        new QName("http://apache.org/hello_world", "Tarpin");
+    private final QName poltimQ = 
+        new QName("http://apache.org/hello_world", "Poltim");
+
+    public HTTPSConduitTest() {
+    }
+    
+    
+    public static String getPort(String s) {
+        return BusServer.PORTMAP.get(s);
+    }
+    
+    @BeforeClass
+    public static void allocatePorts() {
+        BusServer.resetPortMap();
+        addrMap.clear();
+        addrMap.put("Mortimer", "http://localhost:" + getPort("PORT0") + "/");
+        addrMap.put("Tarpin",   "https://localhost:" + getPort("PORT1") + "/");
+        addrMap.put("Poltim",   "https://localhost:" + getPort("PORT2") + "/");
+        addrMap.put("Gordy",    "https://localhost:" + getPort("PORT3") + "/");
+        addrMap.put("Bethal",   "https://localhost:" + getPort("PORT4") + "/");
+        addrMap.put("Morpit",   "https://localhost:" + getPort("PORT5") + "/");
+        tlsClientParameters.setDisableCNCheck(true);
+        servers.clear();
+    }
+
+
+    /**
+     * This function is used to start up a server. It only "starts" a
+     * server if it hasn't been started before, hence its static nature.
+     * <p>
+     * This approach is used to start the needed servers for a particular test
+     * instead of starting them all in "startServers". This single needed
+     * server approach allieviates the pain in starting them all just to run
+     * a particular test in the debugger.
+     */
+    public synchronized boolean startServer(String name) {
+        if (servers.contains(name)) {
+            return true;
+        }
+        Bus bus = BusFactory.getThreadDefaultBus(false);
+        URL serverC =
+            Server.class.getResource(name + ".cxf");
+        BusFactory.setDefaultBus(null);
+        BusFactory.setThreadDefaultBus(null);
+        boolean server = launchServer(Server.class, null,
+                new String[] { 
+                    name, 
+                    addrMap.get(name),
+                    serverC.toString() }, 
+                IN_PROCESS);
+        if (server) {
+            servers.add(name);
+        }
+        BusFactory.setDefaultBus(null);
+        BusFactory.setThreadDefaultBus(bus);
+        return server;
+    }
+    
+    @AfterClass
+    public static void cleanUp() {
+        Bus b = BusFactory.getDefaultBus(false);
+        if (b != null) {
+            b.shutdown(true);
+        }
+        b = BusFactory.getThreadDefaultBus(false);
+        if (b != null) {
+            b.shutdown(true);
+        }
+    }
+
+    public static KeyStore getKeyStore(String ksType, String file, String ksPassword)
+        throws GeneralSecurityException,
+               IOException {
+        
+        String type = ksType != null
+                    ? ksType
+                    : KeyStore.getDefaultType();
+                    
+        char[] password = ksPassword != null
+                    ? ksPassword.toCharArray()
+                    : null;
+
+        // We just use the default Keystore provider
+        KeyStore keyStore = KeyStore.getInstance(type);
+        
+        keyStore.load(new FileInputStream(file), password);
+        
+        return keyStore;
+    }
+
+    public static KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword) 
+        throws GeneralSecurityException,
+               IOException {
+        // For tests, we just use the default algorithm
+        String alg = KeyManagerFactory.getDefaultAlgorithm();
+        
+        char[] keyPass = keyPassword != null
+                     ? keyPassword.toCharArray()
+                     : null;
+        
+        // For tests, we just use the default provider.
+        KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
+                     
+        fac.init(keyStore, keyPass);
+        
+        return fac.getKeyManagers();
+    }
+
+    public static TrustManager[] getTrustManagers(KeyStore keyStore) 
+        throws GeneralSecurityException,
+               IOException {
+        // For tests, we just use the default algorithm
+        String alg = TrustManagerFactory.getDefaultAlgorithm();
+        
+        // For tests, we just use the default provider.
+        TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
+                     
+        fac.init(keyStore);
+        
+        return fac.getTrustManagers();
+    }
+
+    //methods that a subclass can override to inject a Proxy into the flow
+    //and assert the proxy was appropriately called
+    public void configureProxy(Client c) {
+    }
+    public void resetProxyCount() {
+    }
+    public void assertProxyRequestCount(int i) {
+    }
+
+    /**
+     * We use this class to reset the default bus.
+     * Note: This may not always work in the future.
+     * I was lucky in that "defaultBus" is actually a 
+     * protected static.
+     */
+    class DefaultBusFactory extends SpringBusFactory {
+        public Bus createBus(URL config) {
+            Bus bus = super.createBus(config, true);
+            BusFactory.setDefaultBus(bus);
+            BusFactory.setThreadDefaultBus(bus);
+            return bus;
+        }
+    }
+    
+    /**
+     * This methods tests a basic https connection to Bethal.
+     * It supplies an authorization policy with preemptive user/pass
+     * to avoid the 401.
+     */
+    @Test
+    public void testHttpsBasicConnectionWithConfig() throws Exception {
+        startServer("Bethal");
+
+        URL config = getClass().getResource("BethalClientConfig.cxf");
+        
+        // We go through the back door, setting the default bus.
+        new DefaultBusFactory().createBus(config);
+        URL wsdl = getClass().getResource("greeting.wsdl");
+        assertNotNull("WSDL is null", wsdl);
+
+        SOAPService service = new SOAPService(wsdl, serviceName);
+        assertNotNull("Service is null", service);
+
+        Greeter bethal = service.getPort(bethalQ, Greeter.class);
+
+        assertNotNull("Port is null", bethal);
+        updateAddressPort(bethal, getPort("PORT4"));
+        verifyBethalClient(bethal);        
+    }
+    
+    @Test
+    public void testGetClientFromSpringContext() throws Exception {
+        startServer("Bethal");        
+        
+        BusFactory.setDefaultBus(null);
+        // The client bean configuration file
+        URL beans = getClass().getResource("BethalClientBeans.xml");
+        // We go through the back door, setting the default bus.
+        Bus bus = new DefaultBusFactory().createBus(beans);
+        
+        ApplicationContext context = bus.getExtension(BusApplicationContext.class);
+        Greeter bethal = (Greeter)context.getBean("Bethal");        
+        updateAddressPort(bethal, getPort("PORT4"));
+        // verify the client side's setting
+        verifyBethalClient(bethal);         
+    }
+    
+    // we just verify the configurations are loaded successfully
+    private void verifyBethalClient(Greeter bethal) {
+        Client client = ClientProxy.getClient(bethal);
+
+        HTTPConduit http = 
+            (HTTPConduit) client.getConduit();
+        
+        HTTPClientPolicy httpClientPolicy = http.getClient();
+        assertEquals("the httpClientPolicy's autoRedirect should be true",
+                     true, httpClientPolicy.isAutoRedirect());
+        TLSClientParameters tlsParameters = http.getTlsClientParameters();
+        assertNotNull("the http conduit's tlsParameters should not be null", tlsParameters);
+        
+        
+        // If we set any name, but Edward, Mary, or George,
+        // and a password of "password" we will get through
+        // Bethal.
+        AuthorizationPolicy authPolicy = http.getAuthorization();
+        assertEquals("Set the wrong user name from the configuration",
+                     "Betty", authPolicy.getUserName());
+        assertEquals("Set the wrong pass word form the configuration",
+                     "password", authPolicy.getPassword());
+
+        configureProxy(ClientProxy.getClient(bethal));
+        
+        String answer = bethal.sayHi();
+        answer = bethal.sayHi();
+        answer = bethal.sayHi();
+        answer = bethal.sayHi();
+        answer = bethal.sayHi();
+        assertTrue("Unexpected answer: " + answer, 
+                "Bonjour from Bethal".equals(answer));
+        
+        //With HTTPS, it will just be a CONNECT to the proxy and all the 
+        //data is encrypted.  Thus, the proxy cannot distinquish the requests
+        assertProxyRequestCount(0);
+    }
+    
+    /**
+     * This methods tests a basic https connection to Bethal.
+     * It supplies an authorization policy with premetive user/pass
+     * to avoid the 401.
+     */
+    @Test
+    public void testHttpsBasicConnection() throws Exception {
+        startServer("Bethal");
+
+        URL wsdl = getClass().getResource("greeting.wsdl");
+        assertNotNull("WSDL is null", wsdl);
+
+        SOAPService service = new SOAPService(wsdl, serviceName);
+        assertNotNull("Service is null", service);
+
+        Greeter bethal = service.getPort(bethalQ, Greeter.class);
+        assertNotNull("Port is null", bethal);
+        updateAddressPort(bethal, getPort("PORT4"));
+        
+        // Okay, I'm sick of configuration files.
+        // This also tests dynamic configuration of the conduit.
+        Client client = ClientProxy.getClient(bethal);
+        HTTPConduit http = 
+            (HTTPConduit) client.getConduit();
+        
+        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+        
+        httpClientPolicy.setAutoRedirect(false);
+        // If we set any name, but Edward, Mary, or George,
+        // and a password of "password" we will get through
+        // Bethal.
+        AuthorizationPolicy authPolicy = new AuthorizationPolicy();
+        authPolicy.setUserName("Betty");
+        authPolicy.setPassword("password");
+        
+        http.setClient(httpClientPolicy);
+        http.setTlsClientParameters(tlsClientParameters);
+        http.setAuthorization(authPolicy);
+        
+        configureProxy(client);
+        String answer = bethal.sayHi();
+        assertTrue("Unexpected answer: " + answer, 
+                "Bonjour from Bethal".equals(answer));
+        assertProxyRequestCount(0);
+    }
+    
+
+    @Test
+    public void testHttpsRedirectToHttpFail() throws Exception {
+        startServer("Mortimer");
+        startServer("Poltim");
+
+        URL wsdl = getClass().getResource("greeting.wsdl");
+        assertNotNull("WSDL is null", wsdl);
+
+        SOAPService service = new SOAPService(wsdl, serviceName);
+        assertNotNull("Service is null", service);
+
+        Greeter poltim = service.getPort(poltimQ, Greeter.class);
+        assertNotNull("Port is null", poltim);
+        updateAddressPort(poltim, getPort("PORT2"));
+
+        // Okay, I'm sick of configuration files.
+        // This also tests dynamic configuration of the conduit.
+        Client client = ClientProxy.getClient(poltim);
+        HTTPConduit http = 
+            (HTTPConduit) client.getConduit();
+        
+        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+        
+        httpClientPolicy.setAutoRedirect(true);
+        
+        http.setClient(httpClientPolicy);
+        http.setTlsClientParameters(tlsClientParameters);
+        configureProxy(client);
+        poltim.sayHi();
+        //client -> poltim is https and thus not recorded but then redirected to mortimer
+        //client -> mortimer is http and recoreded
+        assertProxyRequestCount(1);
+    }
+    
+    class MyHttpsTrustDecider extends MessageTrustDecider {
+        
+        private String[] trustName;
+        private int      called;
+        
+        MyHttpsTrustDecider(String name) {
+            trustName = new String[] {name};
+        }
+        
+        MyHttpsTrustDecider(String[] name) {
+            trustName = name;
+        }
+        
+        public int wasCalled() {
+            return called;
+        }
+        
+        public void establishTrust(
+            String            conduitName,
+            URLConnectionInfo cinfo,
+            Message           message
+        ) throws UntrustedURLConnectionIOException {
+        
+            called++;
+
+            HttpsURLConnectionInfo ci = (HttpsURLConnectionInfo) cinfo;
+            boolean trusted = false;
+            for (int i = 0; i < trustName.length; i++) {
+                trusted = trusted 
+                         || ci.getPeerPrincipal()
+                                 .toString().contains("OU=" + trustName[i]);
+            }
+            if (!trusted) {
+                throw new UntrustedURLConnectionIOException(
+                        "Peer Principal \"" 
+                        + ci.getPeerPrincipal() 
+                        + "\" does not contain " 
+                        + getTrustNames());
+            }
+        }
+        
+        private String getTrustNames() {
+            StringBuffer sb = new StringBuffer();
+            for (int i = 0; i < trustName.length; i++) {
+                sb.append("\"OU=");
+                sb.append(trustName[i]);
+                sb.append("\"");
+                if (i < trustName.length - 1) {
+                    sb.append(", ");
+                }
+            }
+            return sb.toString();
+        }
+    }
+    
+    @Test
+    public void testHttpsTrust() throws Exception {
+        startServer("Bethal");
+
+        URL wsdl = getClass().getResource("greeting.wsdl");
+        assertNotNull("WSDL is null", wsdl);
+
+        SOAPService service = new SOAPService(wsdl, serviceName);
+        assertNotNull("Service is null", service);
+
+        Greeter bethal = service.getPort(bethalQ, Greeter.class);
+        assertNotNull("Port is null", bethal);
+        updateAddressPort(bethal, getPort("PORT4"));
+        
+        // Okay, I'm sick of configuration files.
+        // This also tests dynamic configuration of the conduit.
+        Client client = ClientProxy.getClient(bethal);
+        HTTPConduit http = 
+            (HTTPConduit) client.getConduit();
+        
+        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+        
+        httpClientPolicy.setAutoRedirect(false);
+        // If we set any name, but Edward, Mary, or George,
+        // and a password of "password" we will get through
+        // Bethal.
+        AuthorizationPolicy authPolicy = new AuthorizationPolicy();
+        authPolicy.setUserName("Betty");
+        authPolicy.setPassword("password");
+        
+        http.setClient(httpClientPolicy);
+        http.setTlsClientParameters(tlsClientParameters);
+        http.setAuthorization(authPolicy);
+        
+        // Our expected server should be OU=Bethal
+        http.setTrustDecider(new MyHttpsTrustDecider("Bethal"));
+        
+        configureProxy(client);
+        String answer = bethal.sayHi();
+        assertTrue("Unexpected answer: " + answer, 
+                "Bonjour from Bethal".equals(answer));
+        assertProxyRequestCount(0);
+        
+        
+        // Nobody will not equal OU=Bethal
+        MyHttpsTrustDecider trustDecider =
+                                 new MyHttpsTrustDecider("Nobody");
+        http.setTrustDecider(trustDecider);
+        try {
+            answer = bethal.sayHi();
+            fail("Unexpected answer from Bethal: " + answer);
+        } catch (Exception e) {
+            //e.printStackTrace();
+            //assertTrue("Trust Decider was not called", 
+            //              0 > trustDecider.wasCalled());
+        }
+        assertProxyRequestCount(0);
+    }
+
+    @Test
+    public void testHttpsTrustRedirect() throws Exception {
+        startServer("Tarpin");
+        startServer("Gordy");
+        startServer("Bethal");
+
+        URL wsdl = getClass().getResource("greeting.wsdl");
+        assertNotNull("WSDL is null", wsdl);
+
+        SOAPService service = new SOAPService(wsdl, serviceName);
+        assertNotNull("Service is null", service);
+
+        Greeter tarpin = service.getPort(tarpinQ, Greeter.class);
+        assertNotNull("Port is null", tarpin);
+        updateAddressPort(tarpin, getPort("PORT1"));
+        
+        // Okay, I'm sick of configuration files.
+        // This also tests dynamic configuration of the conduit.
+        Client client = ClientProxy.getClient(tarpin);
+        HTTPConduit http = 
+            (HTTPConduit) client.getConduit();
+        
+        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+        
+        httpClientPolicy.setAutoRedirect(true);
+        // If we set any name, but Edward, Mary, or George,
+        // and a password of "password" we will get through
+        // Bethal.
+        AuthorizationPolicy authPolicy = new AuthorizationPolicy();
+        authPolicy.setUserName("Betty");
+        authPolicy.setPassword("password");
+        
+        http.setClient(httpClientPolicy);
+        http.setTlsClientParameters(tlsClientParameters);
+        http.setAuthorization(authPolicy);
+        
+        // We get redirected from Tarpin, to Gordy, to Bethal.
+        MyHttpsTrustDecider trustDecider =
+            new MyHttpsTrustDecider(
+                    new String[] {"Tarpin", "Gordy", "Bethal"});
+        http.setTrustDecider(trustDecider);
+        
+        // We actually get our answer from Bethal at the end of the
+        // redirects.
+        configureProxy(ClientProxy.getClient(tarpin));
+        String answer = tarpin.sayHi();
+        assertProxyRequestCount(0);
+        
+        assertTrue("Trust Decider wasn't called correctly", 
+                       3 == trustDecider.wasCalled());
+        assertTrue("Unexpected answer: " + answer, 
+                "Bonjour from Bethal".equals(answer));
+        
+        // Limit the redirects to 1, since there are two, this should fail.
+        http.getClient().setMaxRetransmits(1);
+
+        try {
+            answer = tarpin.sayHi();
+            fail("Unexpected answer from Tarpin: " + answer);
+        } catch (Exception e) {
+            //e.printStackTrace();
+        }
+        assertProxyRequestCount(0);
+        
+        // Set back to unlimited.
+        http.getClient().setMaxRetransmits(-1);
+        
+        // Effectively we will not trust Gordy in the middle.
+        trustDecider = 
+                new MyHttpsTrustDecider(
+                    new String[] {"Tarpin", "Bethal"});
+        http.setTrustDecider(trustDecider);
+        
+        try {
+            answer = tarpin.sayHi();
+            fail("Unexpected answer from Tarpin: " + answer);
+        } catch (Exception e) {
+            //e.printStackTrace();
+            assertTrue("Trust Decider wasn't called correctly",
+                     2 == trustDecider.wasCalled());
+        }
+        assertProxyRequestCount(0);
+    }
+
+    public class MyBasicAuthSupplier implements HttpAuthSupplier {
+
+        String realm;
+        String user;
+        String pass;
+        
+        /**
+         * This will loop from Cronus, to Andromeda, to Zorantius
+         */
+        MyBasicAuthSupplier() {
+        }
+        
+        MyBasicAuthSupplier(String r, String u, String p) {
+            realm = r;
+            user  = u;
+            pass  = p;
+        }
+
+        /**
+         * If we don't have the realm set, then we loop
+         * through the realms.
+         */
+        public String getAuthorization(
+                AuthorizationPolicy authPolicy,
+                URI     currentURI,
+                Message message,
+                String fullHeader
+        ) {
+            String reqestedRealm = new HttpAuthHeader(fullHeader).getRealm();
+            if (realm != null && realm.equals(reqestedRealm)) {
+                return createUserPass(user, pass);
+            }
+            if ("Andromeda".equals(reqestedRealm)) {
+                // This will get us another 401 to Zorantius
+                return createUserPass("Edward", "password");
+            }
+            if ("Zorantius".equals(reqestedRealm)) {
+                // George will get us another 401 to Cronus
+                return createUserPass("George", "password");
+            }
+            if ("Cronus".equals(reqestedRealm)) {
+                // Mary will get us another 401 to Andromeda
+                return createUserPass("Mary", "password");
+            }
+            return null;
+        }
+
+        private String createUserPass(String usr, String pwd) {
+            String userpass = usr + ":" + pwd;
+            String token = Base64Utility.encode(userpass.getBytes());
+            return "Basic " + token;
+        }
+
+        public boolean requiresRequestCaching() {
+            return false;
+        }
+
+    }
+
+    /**
+     * This tests redirects through Gordy to Bethal. Bethal will
+     * supply a series of 401s. See PushBack401.
+     */
+    @Test    
+    public void testHttpsRedirect401Response() throws Exception {
+        startServer("Gordy");
+        startServer("Bethal");
+
+        URL wsdl = getClass().getResource("greeting.wsdl");
+        assertNotNull("WSDL is null", wsdl);
+
+        SOAPService service = new SOAPService(wsdl, serviceName);
+        assertNotNull("Service is null", service);
+
+        Greeter gordy = service.getPort(gordyQ, Greeter.class);
+        assertNotNull("Port is null", gordy);
+        updateAddressPort(gordy, getPort("PORT3"));
+        
+        // Okay, I'm sick of configuration files.
+        // This also tests dynamic configuration of the conduit.
+        Client client = ClientProxy.getClient(gordy);
+        
+        BindingProvider provider = (BindingProvider)gordy;
+        provider.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
+        
+        HTTPConduit http = 
+            (HTTPConduit) client.getConduit();
+        
+        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+        
+        httpClientPolicy.setAutoRedirect(true);
+        http.setClient(httpClientPolicy);
+        http.setTlsClientParameters(tlsClientParameters);
+        
+        // We get redirected from Gordy, to Bethal.
+        http.setTrustDecider(
+                new MyHttpsTrustDecider(
+                        new String[] {"Gordy", "Bethal"}));
+        
+        // Without preemptive user/pass Bethal returns a
+        // 401 for realm Cronus. If we supply any name other
+        // than Edward, George, or Mary, with the pass of "password"
+        // we should succeed.
+        http.setAuthSupplier(
+                new MyBasicAuthSupplier("Cronus", "Betty", "password"));
+        
+        // We actually get our answer from Bethal at the end of the
+        // redirects.
+        String answer = gordy.sayHi();
+        assertTrue("Unexpected answer: " + answer, 
+                "Bonjour from Bethal".equals(answer));
+        
+        // The loop auth supplier, 
+        // We should die with looping realms.
+        http.setAuthSupplier(new MyBasicAuthSupplier());
+        
+        try {
+            answer = gordy.sayHi();
+            fail("Unexpected answer from Gordy: " + answer);
+        } catch (Exception e) {
+            //e.printStackTrace();
+        }
+    }
+    
+}
+

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java
new file mode 100644
index 0000000..82369df
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyAuthConduitTest.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.util.HashMap;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.cxf.configuration.security.ProxyAuthorizationPolicy;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
+import org.jboss.netty.handler.codec.http.HttpRequest;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+import org.littleshoot.proxy.DefaultHttpProxyServer;
+import org.littleshoot.proxy.HttpFilter;
+import org.littleshoot.proxy.HttpRequestFilter;
+import org.littleshoot.proxy.ProxyAuthorizationHandler;
+
+
+/**
+ * 
+ */
+public class HTTPSProxyAuthConduitTest extends HTTPSConduitTest {
+    static final int PROXY_PORT = Integer.parseInt(allocatePort(HTTPSProxyAuthConduitTest.class));
+    static DefaultHttpProxyServer proxy;
+    static CountingFilter requestFilter = new CountingFilter();
+    
+    static class CountingFilter implements HttpRequestFilter {
+        AtomicInteger count = new AtomicInteger();
+        public void filter(HttpRequest httpRequest) {
+            count.incrementAndGet();
+        }
+        
+        public void reset() {
+            count.set(0);
+        }
+        public int getCount() {
+            return count.get();
+        }
+    }
+    
+    public HTTPSProxyAuthConduitTest() {
+    }
+
+    
+    @AfterClass
+    public static void stopProxy() {
+        proxy.stop();
+        proxy = null;
+    }
+    
+    @BeforeClass
+    public static void startProxy() {
+        proxy = new DefaultHttpProxyServer(PROXY_PORT, requestFilter, new HashMap<String, HttpFilter>());
+        proxy.addProxyAuthenticationHandler(new ProxyAuthorizationHandler() {
+            public boolean authenticate(String userName, String password) {
+                return "password".equals(password) && "CXF".equals(userName);
+            }
+        });
+        proxy.start();
+    }
+    @Before
+    public void resetCount() {
+        requestFilter.reset();
+    }
+    
+    public void configureProxy(Client client) {
+        HTTPConduit cond = (HTTPConduit)client.getConduit();
+        HTTPClientPolicy pol = cond.getClient();
+        if (pol == null) {
+            pol = new HTTPClientPolicy();
+            cond.setClient(pol);
+        }
+        pol.setProxyServer("localhost");
+        pol.setProxyServerPort(PROXY_PORT);
+        ProxyAuthorizationPolicy auth = new ProxyAuthorizationPolicy();
+        auth.setUserName("CXF");
+        auth.setPassword("password");
+        cond.setProxyAuthorization(auth);
+    }
+    
+    public void resetProxyCount() {
+        requestFilter.reset();
+    }
+    public void assertProxyRequestCount(int i) {
+        assertEquals("Unexpected request count", i, requestFilter.getCount());
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java
new file mode 100644
index 0000000..2338c16
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/HTTPSProxyConduitTest.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.util.HashMap;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
+import org.jboss.netty.handler.codec.http.HttpRequest;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+import org.littleshoot.proxy.DefaultHttpProxyServer;
+import org.littleshoot.proxy.HttpFilter;
+import org.littleshoot.proxy.HttpRequestFilter;
+
+
+/**
+ * 
+ */
+public class HTTPSProxyConduitTest extends HTTPSConduitTest {
+    static final int PROXY_PORT = Integer.parseInt(allocatePort(HTTPSProxyConduitTest.class));
+    static DefaultHttpProxyServer proxy;
+    static CountingFilter requestFilter = new CountingFilter();
+    
+    static class CountingFilter implements HttpRequestFilter {
+        AtomicInteger count = new AtomicInteger();
+        public void filter(HttpRequest httpRequest) {
+            count.incrementAndGet();
+        }
+        
+        public void reset() {
+            count.set(0);
+        }
+        public int getCount() {
+            return count.get();
+        }
+    }
+    
+    public HTTPSProxyConduitTest() {
+    }
+
+    
+    @AfterClass
+    public static void stopProxy() {
+        proxy.stop();
+        proxy = null;
+    }
+    
+    @BeforeClass
+    public static void startProxy() {
+        proxy = new DefaultHttpProxyServer(PROXY_PORT, requestFilter, new HashMap<String, HttpFilter>());
+        proxy.start();
+    }
+    @Before
+    public void resetCount() {
+        requestFilter.reset();
+    }
+    
+    public void configureProxy(Client client) {
+        HTTPConduit cond = (HTTPConduit)client.getConduit();
+        HTTPClientPolicy pol = cond.getClient();
+        if (pol == null) {
+            pol = new HTTPClientPolicy();
+            cond.setClient(pol);
+        }
+        pol.setProxyServer("localhost");
+        pol.setProxyServerPort(PROXY_PORT);
+    }
+    
+    public void resetProxyCount() {
+        requestFilter.reset();
+    }
+    public void assertProxyRequestCount(int i) {
+        assertEquals("Unexpected request count", i, requestFilter.getCount());
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java
new file mode 100644
index 0000000..403917e
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/KeyPasswordCallbackHandler.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.https.conduit;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+public class KeyPasswordCallbackHandler implements CallbackHandler {
+
+    @Override
+    public void handle(Callback[] callbacks) throws IOException,
+        UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            PasswordCallback pc = (PasswordCallback)callbacks[i];
+            pc.setPassword("password".toCharArray());
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java
new file mode 100644
index 0000000..b9503ab
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/PushBack401.java
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Exchange;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.transport.Conduit;
+import org.apache.cxf.transport.http.Headers;
+
+/*
+ * This interceptor will issue 401s
+ *    No Authorization Header  --> 401 Realm=Cronus
+ *    Username Mary            --> 401 Realm=Andromeda
+ *    Username Edward          --> 401 Realm=Zorantius
+ *    Username George          --> 401 Realm=Cronus
+ *    If the password is not "password" a 401 is issued without 
+ *    realm.
+ */
+public class PushBack401 extends AbstractPhaseInterceptor<Message> {
+    
+    PushBack401() {
+        super(Phase.RECEIVE);
+    }
+    
+    /**
+     * This function extracts the user:pass token from 
+     * the Authorization:Basic header. It returns a two element
+     * String array, the first being the userid, the second
+     * being the password. It returns null, if it cannot parse.
+     */
+    private String[] extractUserPass(String token) {
+        try {
+            byte[] userpass = Base64Utility.decode(token);
+            String up = IOUtils.newStringFromBytes(userpass);
+            String user = up.substring(0, up.indexOf(':'));
+            String pass = up.substring(up.indexOf(':') + 1);
+            return new String[] {user, pass};
+        } catch (Exception e) {
+            return null;
+        }
+        
+    }
+    
+    /**
+     * This function returns the realm which depends on 
+     * the user name, as follows:
+     * <pre>
+     *    Username Mary            --> Andromeda
+     *    Username Edward          --> Zorantius
+     *    Username George          --> Cronus
+     * </pre>
+     * However, if the password is not "password" this function 
+     * throws an exception, regardless.
+     */
+    private String checkUserPass(
+        String user,
+        String pass
+    ) throws Exception {
+        //System.out.println("Got user: " + user + " pass: " + pass);
+        if (!"password".equals(pass)) {
+            throw new Exception("bad password");
+        }
+        if ("Mary".equals(user)) {
+            return "Andromeda";
+        }
+        if ("Edward".equals(user)) {
+            return "Zorantius";
+        }
+        if ("George".equals(user)) {
+            return "Cronus";
+        }
+        return null;
+    }
+    
+    @SuppressWarnings("unchecked")
+    public void handleMessage(Message message) throws Fault {
+        
+        Map<String, List<String>> headers =
+            (Map<String, List<String>>) 
+                message.get(Message.PROTOCOL_HEADERS);
+        
+        List<String> auth = headers.get("Authorization");
+        if (auth == null) {
+            // No Auth Header, respond with 401 Realm=Cronus
+            replyUnauthorized(message, "Cronus");
+            return;
+        } else {
+            for (String a : auth) {
+                if (a.startsWith("Basic ")) {
+                    String[] userpass = 
+                        extractUserPass(a.substring("Basic ".length()));
+                    if (userpass != null) {
+                        try {
+                            String realm = 
+                                checkUserPass(userpass[0], userpass[1]);
+                            if (realm != null) {
+                                replyUnauthorized(message, realm);
+                                return;
+                            } else {
+                                // Password is good and no realm
+                                // We just return for successful fall thru.
+                                return;
+                            }
+                        } catch (Exception e) {
+                            // Bad Password
+                            replyUnauthorized(message, null);
+                            return;
+                        }
+                    }
+                }
+            }
+            // No Authorization: Basic
+            replyUnauthorized(message, null);
+            return;
+        }
+    }
+    
+    /**
+     * This function issues a 401 response back down the conduit.
+     * If the realm is not null, a WWW-Authenticate: Basic realm=
+     * header is sent. The interceptor chain is aborted stopping
+     * the Message from going to the servant.
+     */
+    private void replyUnauthorized(Message message, String realm) {
+        Message outMessage = getOutMessage(message);
+        outMessage.put(Message.RESPONSE_CODE, 
+                HttpURLConnection.HTTP_UNAUTHORIZED);
+        
+        if (realm != null) {
+            setHeader(outMessage, 
+                      "WWW-Authenticate", "Basic realm=" + realm);
+        }
+        message.getInterceptorChain().abort();
+        try {
+            getConduit(message).prepare(outMessage);
+            close(outMessage);
+        } catch (IOException e) {
+            //System.out.println("Prepare of message not working." + e);
+            e.printStackTrace();
+        }
+    }
+    
+    /**
+     * Retrieves/creates the corresponding Outbound Message.
+     */
+    private Message getOutMessage(Message message) {
+        Exchange exchange = message.getExchange();
+        Message outMessage = exchange.getOutMessage();
+        if (outMessage == null) {
+            Endpoint endpoint = exchange.get(Endpoint.class);
+            outMessage = new MessageImpl();
+            outMessage.putAll(message);
+            outMessage.remove(Message.PROTOCOL_HEADERS);
+            outMessage.setExchange(exchange);
+            outMessage = endpoint.getBinding().createMessage(outMessage);
+            exchange.setOutMessage(outMessage);
+        }
+        return outMessage;
+    }
+    
+    /**
+     * This function sets the header in the PROTOCO_HEADERS of
+     * the message.
+     */
+    private void setHeader(Message message, String key, String value) {
+        Map<String, List<String>> responseHeaders = Headers.getSetProtocolHeaders(message);
+        responseHeaders.put(key, Arrays.asList(new String[] {value}));
+    }
+    
+    /**
+     * This method retrieves/creates the conduit for the response
+     * message.
+     */
+    private Conduit getConduit(Message message) throws IOException {
+        Exchange exchange = message.getExchange();
+        Conduit conduit =
+            exchange.getDestination().getBackChannel(message);
+        exchange.setConduit(conduit);
+        return conduit;
+    }
+    
+    /**
+     * This method closes the output stream associated with the
+     * message.
+     */
+    private void close(Message message) throws IOException {
+        OutputStream os = message.getContent(OutputStream.class);
+        os.flush();
+        os.close();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e97d1e2/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java
new file mode 100644
index 0000000..db00b72
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/conduit/Server.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.conduit;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxws.EndpointImpl;
+import org.apache.cxf.systest.http.GreeterImpl;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+    public static final String PORT = allocatePort(Server.class);
+
+    private String name;
+    private String address;
+    private URL configFileURL;
+    private EndpointImpl ep;
+    
+    public Server(String[] args) throws Exception {
+        this(args[0], args[1], args[2]);
+    }
+    
+    public Server(String n, String addr, String conf) throws Exception {
+        name    = n;
+        address = addr;
+        configFileURL = new URL(conf);
+        //System.out.println("Starting " + name 
+        //                     + " Server at " + address
+        //                     + " with config " + configFileURL);
+
+    }
+    public void tearDown() throws Exception {
+        if (ep != null) {
+            ep.stop();
+            ep = null;
+        }
+    }
+
+    protected void run()  {
+        // We use a null binding id in the call to EndpointImpl
+        // constructor. Why?
+        final String nullBindingID = null;
+
+        // We need to specify to use defaults on constructing the
+        // bus, because our configuration file doesn't have
+        // everything needed.
+        final boolean useDefaults = true;
+
+        // We configure a new bus for this server.
+        setBus(new SpringBusFactory().createBus(configFileURL, useDefaults));
+
+        // This impl class must have the appropriate annotations
+        // to match the WSDL file that we are using.
+        Object implementor = new GreeterImpl(name);
+        
+        // I don't know why this works.
+        ep = 
+            new EndpointImpl(
+                    getBus(), 
+                    implementor,
+                    nullBindingID,
+                    this.getClass().getResource("greeting.wsdl").toString());
+        // How the hell do I know what the name of the 
+        // http-destination is from using this call?
+        ep.setEndpointName(new QName("http://apache.org/hello_world", name));
+        ep.publish(address);
+    }
+
+
+    public static void main(String[] args) {
+        try {
+            Server s = new Server(args);
+            s.start();
+        } catch (Exception ex) {
+            ex.printStackTrace();
+            System.exit(-1);
+        }
+    }
+}
+


Mime
View raw message