Repository: cxf Updated Branches: refs/heads/master 79916d34d -> 1701e6c8d
[CXF-6087] - Add a way to exclude (multiple) SSL/TLS protocols in the HTTPJ namespace Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1701e6c8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1701e6c8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1701e6c8 Branch: refs/heads/master Commit: 1701e6c8d4e794f25d69781e3f69357723ad7fcf Parents: 79916d3 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Wed Nov 5 17:12:31 2014 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Wed Nov 5 17:12:47 2014 +0000 ---------------------------------------------------------------------- .../configuration/jsse/TLSServerParameters.java | 22 +++++++ .../jsse/TLSServerParametersConfig.java | 3 + .../schemas/configuration/security.xsd | 19 ++++++ .../http_jetty/JettyHTTPServerEngine.java | 7 +- .../osgi/HTTPJettyTransportActivator.java | 5 ++ ...ttyHTTPServerEngineBeanDefinitionParser.java | 5 +- .../org/apache/cxf/systest/ws/ssl/SSLTest.java | 67 ++++++++++++++++++++ .../apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl | 3 + .../apache/cxf/systest/ws/ssl/client-ssl3.xml | 34 ++++++++++ .../org/apache/cxf/systest/ws/ssl/server.xml | 26 ++++++++ 10 files changed, 189 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
index ab94d38..52884c3 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
@@ -18,6 +18,9 @@ */ package org.apache.cxf.configuration.jsse; +import java.util.ArrayList; +import java.util.List; + import org.apache.cxf.configuration.security.ClientAuthentication; /** @@ -28,6 +31,7 @@ import org.apache.cxf.configuration.security.ClientAuthentication; public class TLSServerParameters extends TLSParameterBase { ClientAuthentication clientAuthentication; + List<String> excludeProtocols = new ArrayList<String>(); /** * This parameter configures the server side to request and/or @@ -43,4 +47,22 @@ public class TLSServerParameters extends TLSParameterBase { public ClientAuthentication getClientAuthentication() { return clientAuthentication; } + + /** + * This parameter sets the protocol list to exclude. + */ + public final void setExcludeProtocols(List<String> protocols) { + excludeProtocols = protocols; + } + + /** + * Returns the protocols to exclude that are associated with this endpoint. + */ + public List<String> getExcludeProtocols() { + if (excludeProtocols == null) { + excludeProtocols = new ArrayList<String>(); + } + return excludeProtocols; + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java index 13d84e8..a9c9cd6 100644 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java +++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java 
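Review bot: setExcludeProtocols stores the caller's list by reference and getExcludeProtocols hands that same mutable list back, so the JAXB-owned list passed through by TLSServerParametersConfig and the list the OSGi activator appends to are the field itself; that works, but neither Javadoc says so, nor what an empty list means. A docstring along the lines of `/** Sets the protocols to exclude. An empty list keeps the transport's default exclusion (SSLv3, as JettyHTTPServerEngine applies it); a non-empty list replaces that default. The list is kept by reference, not copied. */` would tell callers what they are opting into. If aliasing is not actually wanted, `excludeProtocols = protocols == null ? new ArrayList<String>() : new ArrayList<String>(protocols);` handles null in one place and lets getExcludeProtocols drop its lazy-init branch.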
@@ -54,6 +54,9 @@ public class TLSServerParametersConfig if (params.isSetCipherSuites()) { this.setCipherSuites(params.getCipherSuites().getCipherSuite()); } + if (params.isSetExcludeProtocols()) { + this.setExcludeProtocols(params.getExcludeProtocols().getExcludeProtocol()); + } if (params.isSetJsseProvider()) { this.setJsseProvider(params.getJsseProvider()); } http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/core/src/main/resources/schemas/configuration/security.xsd ---------------------------------------------------------------------- diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd index 4cfa92a..d53d3e6 100644 --- a/core/src/main/resources/schemas/configuration/security.xsd +++ b/core/src/main/resources/schemas/configuration/security.xsd @@ -350,6 +350,18 @@ </xs:sequence> </xs:complexType> + <xs:complexType name="ExcludeProtocols"> + <xs:annotation> + <xs:documentation> + This structure holds a list of protocols that are to be excluded. + If this structure is not defined then SSLv3 is excluded by default + </xs:documentation> + </xs:annotation> + <xs:sequence> + <xs:element name="excludeProtocol" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> + </xs:sequence> + </xs:complexType> + <xs:complexType name="SecureRandomParameters"> <xs:annotation> <xs:documentation> 
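Review bot: The documentation on the new ExcludeProtocols type states the default when the structure is absent but not what happens once it is present: in JettyHTTPServerEngine in this commit a non-empty list replaces the SSLv3 default, so a user who excludes only TLSv1 would re-enable SSLv3 without being told. Extending the text to `If this structure is not defined then SSLv3 is excluded by default. If it is defined, only the listed protocols are excluded, so SSLv3 must be listed explicitly to remain disabled.` would close that gap. The element documentation in the next hunk also has a doubled word, `the the Protocols`.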
@@ -547,6 +559,13 @@ </xs:documentation> </xs:annotation> </xs:element> + <xs:element name="excludeProtocols" type="tns:ExcludeProtocols" minOccurs="0"> + <xs:annotation> + <xs:documentation> + This element contains the the Protocols that will be excluded + </xs:documentation> + </xs:annotation> + </xs:element> <xs:element name="secureRandomParameters" type="tns:SecureRandomParameters" minOccurs="0"> <xs:annotation> http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java index 7e4c3e2..3d13a96 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java @@ -674,8 +674,13 @@ public class JettyHTTPServerEngine String proto = tlsServerParameters.getSecureSocketProtocol() == null ? "TLS" : tlsServerParameters.getSecureSocketProtocol(); - if (!"SSLv3".equals(proto)) { + // Exclude SSLv3 by default unless the protocol is given as SSLv3 + if (!"SSLv3".equals(proto) && tlsServerParameters.getExcludeProtocols().isEmpty()) { scf.addExcludeProtocols("SSLv3"); + } else { + for (String p : tlsServerParameters.getExcludeProtocols()) { + scf.addExcludeProtocols(p); + } } SSLContext context = tlsServerParameters.getJsseProvider() == null http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java ---------------------------------------------------------------------- 
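Review bot: The new else branch makes a non-empty excludeProtocols list replace the default SSLv3 exclusion rather than add to it, so a server configured to exclude only TLSv1 silently re-enables SSLv3. The server.xml in this commit relies on exactly that to leave SSLv3 as the sole protocol, so the behaviour appears intended, but the comment above the condition does not mention it; `// A configured excludeProtocols list replaces the default: SSLv3 stays enabled unless it is listed explicitly` would make the trade-off visible to the next reader. Since Jetty's addExcludeProtocols takes varargs, the loop can also be one call, `scf.addExcludeProtocols(tlsServerParameters.getExcludeProtocols().toArray(new String[0]));`. The enclosing method starts and ends outside the hunk.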
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java index 5160e53..b37ed4d 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java @@ -213,6 +213,11 @@ public class HTTPJettyTransportActivator while (st.hasMoreTokens()) { p.getCipherSuites().add(st.nextToken()); } + } else if (k.startsWith("excludeProtocols")) { + StringTokenizer st = new StringTokenizer(v, ","); + while (st.hasMoreTokens()) { + p.getExcludeProtocols().add(st.nextToken()); + } } else if (k.startsWith("trustManagers.")) { tmt = getTrustManagers(tmt, k.substring("trustManagers.".length()), http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java index a17e5bb..9ee06a0 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/spring/JettyHTTPServerEngineBeanDefinitionParser.java 
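Review bot: The tokens added in the new excludeProtocols branch are not trimmed, so a value written as `SSLv3, TLSv1` stores ` TLSv1`; if Jetty matches excluded protocol names exactly, that entry excludes nothing while the now non-empty list still switches off the default SSLv3 exclusion in JettyHTTPServerEngine. `p.getExcludeProtocols().add(st.nextToken().trim());` avoids that, and the cipherSuites branch just above has the same shape and may deserve the same treatment. `k.startsWith("excludeProtocols")` also accepts any key with that prefix where an exact `"excludeProtocols".equals(k)` seems to be what is meant, unless the surrounding branches deliberately rely on prefix matching. The enclosing method starts and ends outside the hunk.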
@@ -31,7 +31,6 @@ import org.w3c.dom.Attr; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; - import org.apache.cxf.Bus; import org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor; import org.apache.cxf.common.injection.NoJSR250Annotations; @@ -39,6 +38,7 @@ import org.apache.cxf.configuration.jsse.TLSServerParametersConfig; import org.apache.cxf.configuration.security.CertificateConstraintsType; import org.apache.cxf.configuration.security.CipherSuites; import org.apache.cxf.configuration.security.ClientAuthentication; +import org.apache.cxf.configuration.security.ExcludeProtocols; import org.apache.cxf.configuration.security.FiltersType; import org.apache.cxf.configuration.security.KeyManagersType; import org.apache.cxf.configuration.security.SecureRandomParameters; @@ -196,6 +196,9 @@ public class JettyHTTPServerEngineBeanDefinitionParser extends AbstractBeanDefin } else if ("cipherSuitesFilter".equals(ename)) { mapElementToJaxbProperty((Element)n, paramsbean, ename, FiltersType.class); + } else if ("excludeProtocols".equals(ename)) { + mapElementToJaxbProperty((Element)n, paramsbean, ename, + ExcludeProtocols.class); } else if ("secureRandomParameters".equals(ename)) { mapElementToJaxbProperty((Element)n, paramsbean, ename, SecureRandomParameters.class); http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java index 47c240d..6c3478e 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java 
@@ -27,13 +27,19 @@ import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; +import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Service; import org.apache.cxf.Bus; import org.apache.cxf.bus.spring.SpringBusFactory; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.configuration.jsse.SSLUtils; import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.systest.ws.common.UTPasswordCallback; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.SecurityConstants; +import org.example.contract.doubleit.DoubleItPortType; import org.junit.BeforeClass; /** @@ -42,6 +48,10 @@ import org.junit.BeforeClass; public class SSLTest extends AbstractBusClientServerTestBase { static final String PORT = allocatePort(Server.class); static final String PORT2 = allocatePort(Server.class, 2); + static final String PORT3 = allocatePort(Server.class, 3); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); @BeforeClass public static void startServers() throws Exception { 
@@ -131,6 +141,63 @@ public class SSLTest extends AbstractBusClientServerTestBase { bus.shutdown(true); } + @org.junit.Test + public void testClientSSL3NotAllowed() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SSLTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SSLTest.class.getResource("DoubleItSSL.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort3"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT3); + + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice"); + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, + new UTPasswordCallback()); + + try { + utPort.doubleIt(25); + fail("Failure expected on the client not supporting SSLv3 by default"); + } catch (Exception ex) { + // expected + } + + ((java.io.Closeable)utPort).close(); + bus.shutdown(true); + } + + @org.junit.Test + public void testClientSSL3Allowed() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SSLTest.class.getResource("client-ssl3.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SSLTest.class.getResource("DoubleItSSL.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort3"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT3); + + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.USERNAME, "Alice"); + ((BindingProvider)utPort).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, + new UTPasswordCallback()); + + 
utPort.doubleIt(25); + + ((java.io.Closeable)utPort).close(); + bus.shutdown(true); + } + private static final class DisableCNCheckVerifier implements HostnameVerifier { @Override http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl index ed021f4..ad391b1 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl @@ -44,6 +44,9 @@ <wsdl:port name="DoubleItPlaintextPort2" binding="tns:DoubleItPlaintextBinding"> <soap:address location="https://localhost:9009/DoubleItUTPlaintext2"/> </wsdl:port> + <wsdl:port name="DoubleItPlaintextPort3" binding="tns:DoubleItPlaintextBinding"> + <soap:address location="https://localhost:9009/DoubleItUTPlaintext3"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItPlaintextPolicy"> <wsp:ExactlyOne> http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml new file mode 100644 index 0000000..ac89427 --- /dev/null +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client-ssl3.xml 
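Review bot: testClientSSL3NotAllowed catches Exception and asserts nothing about it, so it also passes when the call fails for an unrelated reason (endpoint not up, wrong port, a policy or UsernameToken error) rather than because SSLv3 was rejected by the client. Asserting that the cause chain contains a javax.net.ssl.SSLException, or at least checking the message, would pin the failure to the handshake. Both new tests repeat the same bus, service and request-context setup; a private helper taking the client config file name would halve the hunk. testClientSSL3Allowed also depends on a JVM that still permits SSLv3; on JDKs that list SSLv3 in jdk.tls.disabledAlgorithms the client cannot negotiate it and the test will fail regardless of the server configuration.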
@@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/poli cy.xsd"> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <http:conduit name="https://localhost:.*"> + <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSLv3"> + <sec:trustManagers> + 
<sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + </http:tlsClientParameters> + </http:conduit> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/1701e6c8/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml index d1593b9..93adf5b 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml 
@@ -66,4 +66,30 @@ </jaxws:properties> </jaxws:endpoint> + <httpj:engine-factory id="disallow-tls-via-configuration"> + <httpj:engine port="${testutil.ports.Server.3}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="false"/> + <sec:excludeProtocols> + <sec:excludeProtocol>TLS</sec:excludeProtocol> + <sec:excludeProtocol>TLSv1</sec:excludeProtocol> + <sec:excludeProtocol>TLSv1.1</sec:excludeProtocol> + <sec:excludeProtocol>TLSv1.2</sec:excludeProtocol> + </sec:excludeProtocols> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Plaintext3" address="https://localhost:${testutil.ports.Server.3}/DoubleItUTPlaintext3" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl" depends-on="disallow-tls-via-configuration"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + </jaxws:properties> + </jaxws:endpoint> + </beans>
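Review bot: The exclude list names `TLS` alongside the TLSv1.x versions, but `TLS` is an SSLContext algorithm name rather than a protocol a socket enables, so that entry presumably excludes nothing and suggests a catch-all that is not there. Listing the TLSv1.x names alone, with a comment such as `<!-- leave SSLv3 as the only enabled protocol for testClientSSL3Allowed -->`, would make the fixture self-explanatory and avoid implying that future TLS versions are covered.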