cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/4] cxf git commit: Explicitly "include" ciphersuites for the Jetty Server + some tests for NULL ciphersuites
Date Mon, 05 Jan 2015 17:21:40 GMT
Explicitly "include" ciphersuites for the Jetty Server + some tests for NULL ciphersuites

Conflicts:
	rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d55cb4aa
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d55cb4aa
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d55cb4aa

Branch: refs/heads/3.0.x-fixes
Commit: d55cb4aaaec9c5b3a0a807669c4e6543bac99c2d
Parents: 7bf1eb7
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 5 16:13:04 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 5 16:15:10 2015 +0000

----------------------------------------------------------------------
 .../http_jetty/JettyHTTPServerEngine.java       | 255 +++++++++++++++++++
 .../https/ciphersuites/CipherSuitesTest.java    | 113 ++++++++
 .../ciphersuites/ciphersuites-null-client.xml   |  37 +++
 .../https/ciphersuites/ciphersuites-server.xml  |  24 +-
 4 files changed, 428 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index f95e4f3..83d701c 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -477,6 +477,261 @@ public class JettyHTTPServerEngine implements ServerEngine {
         ++servantCount;
     }
     
+<<<<<<< HEAD
+=======
+    private void addServerMBean() {
+        if (mBeanContainer == null) {
+            return;
+        }        
+        
+        try {
+            Object o = getContainer(server);
+            o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o,
mBeanContainer);
+            if (Server.getVersion().startsWith("8")) {
+                return;
+            }
+            mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
+                .invoke(mBeanContainer, null, server);
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception r) {
+            throw new RuntimeException(r);
+        }
+    }
+    private void removeServerMBean() {
+        try {
+            mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
+                .invoke(mBeanContainer, null, server);
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception r) {
+            throw new RuntimeException(r);
+        }
+    }
+
+    private Connector createConnector(String hosto, int porto) {
+        // now we just use the SelectChannelConnector as the default connector
+        SslContextFactory sslcf = null;
+        if (tlsServerParameters != null) { 
+            sslcf = new SslContextFactory() {
+                protected void doStart() throws Exception {
+                    setSslContext(createSSLContext(this));
+                    super.doStart();
+                }
+                public void checkKeyStore() {
+                    //we'll handle this later
+                }
+            };
+            decorateCXFJettySslSocketConnector(sslcf);
+        }
+        AbstractConnector result = null;
+        if (!Server.getVersion().startsWith("8")) {
+            result = createConnectorJetty9(sslcf, hosto, porto);
+        } else {
+            result = createConnectorJetty8(sslcf, hosto, porto);
+        }        
+        
+        try {
+            result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
+            if (hosto != null) {
+                result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
+            }
+            result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }        
+        
+        return result;
+    }
+    
+    AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto)
{
+        //Jetty 9
+        AbstractConnector result = null;
+        try {
+            Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",

+                                                              Server.class); 
+            Object httpConfig = configClass.newInstance();
+            httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
+                .invoke(httpConfig, getSendServerVersion());
+            
+            Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",

+                                                            Server.class)
+                                                            .getConstructor(configClass).newInstance(httpConfig);

+
+            Collection<Object> connectionFactories = new ArrayList<Object>();
+            result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",

+                                                                   Server.class)
+                                                                   .getConstructor(Server.class)
+                                                                   .newInstance(server);
+            
+            if (tlsServerParameters != null) {
+                Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
+                                                          Server.class);
+                httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
+                    .invoke(httpConfig, src.newInstance());
+                Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
+                                                        Server.class).getConstructor(SslContextFactory.class,
+                                                                                     String.class)
+                                                        .newInstance(sslcf, "HTTP/1.1");
+                connectionFactories.add(scf);
+                result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result,
"SSL-HTTP/1.1");
+            }
+            connectionFactories.add(httpFactory);
+            result.getClass().getMethod("setConnectionFactories", Collection.class)
+                .invoke(result, connectionFactories);
+            
+            if (getMaxIdleTime() > 0) {
+                result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new
Long(getMaxIdleTime()));
+            }
+
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return result;
+    }
+    AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto)
{
+        //Jetty 8
+        AbstractConnector result = null;
+        try {
+            if (sslcf == null) { 
+                result = (AbstractConnector)ClassLoaderUtils
+                    .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
+                               Server.class).newInstance();
+            } else {
+                result = (AbstractConnector)ClassLoaderUtils
+                    .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
+                               Server.class).getConstructor(SslContextFactory.class)
+                               .newInstance(sslcf);
+            }
+            Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
+            if (getMaxIdleTime() > 0) {
+                result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result,
getMaxIdleTime());
+            }
+        } catch (RuntimeException rex) {
+            throw rex;
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return result;
+    }
+    
+    
+    protected SSLContext createSSLContext(SslContextFactory scf) throws Exception  {
+        String proto = tlsServerParameters.getSecureSocketProtocol() == null
+            ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+        
+        // Exclude SSLv3 + SSLv2Hello by default unless the protocol is given as SSLv3
+        if (!"SSLv3".equals(proto) && tlsServerParameters.getExcludeProtocols().isEmpty())
{
+            scf.addExcludeProtocols("SSLv3");
+            scf.addExcludeProtocols("SSLv2Hello");
+        } else {
+            for (String p : tlsServerParameters.getExcludeProtocols()) {
+                scf.addExcludeProtocols(p);
+            }
+        }
+ 
+        SSLContext context = tlsServerParameters.getJsseProvider() == null
+            ? SSLContext.getInstance(proto)
+                : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
+            
+        KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
+        if (tlsServerParameters.getCertAlias() != null) {
+            keyManagers = getKeyManagersWithCertAlias(keyManagers);
+        }
+        context.init(tlsServerParameters.getKeyManagers(), 
+                     tlsServerParameters.getTrustManagers(),
+                     tlsServerParameters.getSecureRandom());
+
+        // Set the CipherSuites
+        final String[] supportedCipherSuites = 
+            SSLUtils.getServerSupportedCipherSuites(context);
+
+        String[] excludedCipherSuites = 
+            SSLUtils.getCiphersuites(
+                    tlsServerParameters.getCipherSuites(),
+                    supportedCipherSuites,
+                    tlsServerParameters.getCipherSuitesFilter(),
+                    LOG, true);
+        scf.setExcludeCipherSuites(excludedCipherSuites);
+        
+        String[] includedCipherSuites = 
+            SSLUtils.getCiphersuites(
+                    tlsServerParameters.getCipherSuites(),
+                    supportedCipherSuites,
+                    tlsServerParameters.getCipherSuitesFilter(),
+                    LOG, false);
+        scf.setIncludeCipherSuites(includedCipherSuites);
+        
+        return context;
+    }
+    protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception
{
+        if (tlsServerParameters.getCertAlias() != null) {
+            for (int idx = 0; idx < keyManagers.length; idx++) {
+                if (keyManagers[idx] instanceof X509KeyManager) {
+                    keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+                        tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
+                }
+            }
+        }
+        return keyManagers;
+    }
+    protected void setClientAuthentication(SslContextFactory con,
+                                           ClientAuthentication clientAuth) {
+        con.setWantClientAuth(true);
+        if (clientAuth != null) {
+            if (clientAuth.isSetWant()) {
+                con.setWantClientAuth(clientAuth.isWant());
+            }
+            if (clientAuth.isSetRequired()) {
+                con.setNeedClientAuth(clientAuth.isRequired());
+            }
+        }
+    }    
+    /**
+     * This method sets the security properties for the CXF extension
+     * of the JettySslConnector.
+     */
+    private void decorateCXFJettySslSocketConnector(
+            SslContextFactory con
+    ) {
+        setClientAuthentication(con,
+                                tlsServerParameters.getClientAuthentication());
+        con.setCertAlias(tlsServerParameters.getCertAlias());
+    }
+    
+
+    private static Container getContainer(Object server) {
+        if (server instanceof Container) {
+            return (Container)server;
+        }
+        try {
+            return (Container)server.getClass().getMethod("getContainer").invoke(server);
+        } catch (RuntimeException t) {
+            throw t;
+        } catch (Throwable t) {
+            throw new RuntimeException(t);
+        }
+    }
+
+    private static void logConnector(Connector connector) {
+        try {
+            String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
+            int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
+            LOG.finer("connector.host: " 
+                + h == null 
+                  ? "null" 
+                  : "\"" + h + "\"");
+            LOG.finer("connector.port: " + port);
+        } catch (Throwable t) {
+            //ignore
+        }
+    }
+
+>>>>>>> a97f886... Explicitly "include" ciphersuites for the Jetty Server
+ some tests for NULL ciphersuites
     protected void setupThreadPool() {
         AbstractConnector aconn = (AbstractConnector) connector;
         if (isSetThreadingParameters()) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
index 4f2f8c5..f37b1f9 100644
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
@@ -37,6 +37,7 @@ import org.junit.BeforeClass;
 public class CipherSuitesTest extends AbstractBusClientServerTestBase {
     static final String PORT = allocatePort(CipherSuitesServer.class);
     static final String PORT2 = allocatePort(CipherSuitesServer.class, 2);
+    static final String PORT3 = allocatePort(CipherSuitesServer.class, 3);
     
     @BeforeClass
     public static void startServers() throws Exception {
@@ -277,4 +278,116 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase
{
         bus.shutdown(true);
     }
     
+    // Both client + server include NULL
+    @org.junit.Test
+    public void testNULLIncluded() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = CipherSuitesTest.class.getResource("ciphersuites-null-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT3);
+        
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Both client + server include NULL
+    @org.junit.Test
+    public void testNULLIncludedAsync() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = CipherSuitesTest.class.getResource("ciphersuites-null-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        // Enable Async
+        ((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+        
+        updateAddressPort(port, PORT3);
+        
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Client does not allow NULL
+    @org.junit.Test
+    public void testClientAESServerNULL() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        updateAddressPort(port, PORT3);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on not being able to negotiate a cipher suite");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    // Client does not allow NULL
+    @org.junit.Test
+    public void testClientAESServerNULLAsync() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL url = SOAPService.WSDL_LOCATION;
+        SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+        assertNotNull("Service is null", service);   
+        final Greeter port = service.getHttpsPort();
+        assertNotNull("Port is null", port);
+        
+        // Enable Async
+        ((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+        
+        updateAddressPort(port, PORT3);
+        
+        try {
+            port.greetMe("Kitty");
+            fail("Failure expected on not being able to negotiate a cipher suite");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
new file mode 100644
index 0000000..e5861d9
--- /dev/null
+++ b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security"
xsi:schemaLocation="           http://www.springframework.org/schema/beans           http://www.springframework.org/schema/beans/spring-beans.xsd
          http://cxf.apache.org/jaxws                           http://cxf.apache.org/schemas/jaxws.xsd
          http://cxf.apache.org/transports/http/configuration   http://cxf.apache.org/schemas/configuration/http-conf.xsd
          http://cxf.apache.org/configuration/security          http://cxf.apache.org/schemas/configuration/security.xsd
          http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd           http://cxf.apache.org/policy
http://cxf.apache.org/schemas/poli
 cy.xsd">
+    
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <http:conduit name="https://localhost:.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/>
+            </sec:trustManagers>
+            <sec:cipherSuitesFilter>
+                <sec:include>.*_WITH_NULL_.*</sec:include>
+            </sec:cipherSuitesFilter>
+        </http:tlsClientParameters>
+    </http:conduit>
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
index 13ea1c5..d65371e 100644
--- a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
+++ b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
@@ -65,10 +65,32 @@
     
     <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services" 
                      xmlns:s="http://apache.org/hello_world/services" 
-                     id="DESTLSServer" 
+                     id="RC4TLSServer" 
                      implementor="org.apache.cxf.systest.http.GreeterImpl" 
                      address="https://localhost:${testutil.ports.CipherSuitesServer.2}/SoapContext/HttpsPort"

                      serviceName="s:SOAPService" 
                      endpointName="e:HttpsPort" depends-on="rc4-tls-settings"/>
+                     
+     <httpj:engine-factory id="null-tls-settings">
+        <httpj:engine port="${testutil.ports.CipherSuitesServer.3}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="keys/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:clientAuthentication want="false" required="false"/>
+                <sec:cipherSuitesFilter>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                </sec:cipherSuitesFilter>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services" 
+                     xmlns:s="http://apache.org/hello_world/services" 
+                     id="NULLTLSServer" 
+                     implementor="org.apache.cxf.systest.http.GreeterImpl" 
+                     address="https://localhost:${testutil.ports.CipherSuitesServer.3}/SoapContext/HttpsPort"

+                     serviceName="s:SOAPService" 
+                     endpointName="e:HttpsPort" depends-on="null-tls-settings"/>
     
 </beans>


Mime
View raw message