Explicitly "include" ciphersuites for the Jetty Server + some tests for NULL
ciphersuites
Conflicts:
rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d55cb4aa
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d55cb4aa
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d55cb4aa
Branch: refs/heads/3.0.x-fixes
Commit: d55cb4aaaec9c5b3a0a807669c4e6543bac99c2d
Parents: 7bf1eb7
Author: Colm O hEigeartaigh <[email protected]>
Authored: Mon Jan 5 16:13:04 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Mon Jan 5 16:15:10 2015 +0000
----------------------------------------------------------------------
.../http_jetty/JettyHTTPServerEngine.java | 255 +++++++++++++++++++
.../https/ciphersuites/CipherSuitesTest.java | 113 ++++++++
.../ciphersuites/ciphersuites-null-client.xml | 37 +++
.../https/ciphersuites/ciphersuites-server.xml | 24 +-
4 files changed, 428 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git
a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index f95e4f3..83d701c 100644
---
a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -477,6 +477,261 @@ public class JettyHTTPServerEngine implements
ServerEngine {
++servantCount;
}
+<<<<<<< HEAD
+=======
+ private void addServerMBean() {
+ if (mBeanContainer == null) {
+ return;
+ }
+
+ try {
+ Object o = getContainer(server);
+ o.getClass().getMethod("addEventListener",
Container.Listener.class).invoke(o, mBeanContainer);
+ if (Server.getVersion().startsWith("8")) {
+ return;
+ }
+ mBeanContainer.getClass().getMethod("beanAdded", Container.class,
Object.class)
+ .invoke(mBeanContainer, null, server);
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception r) {
+ throw new RuntimeException(r);
+ }
+ }
+ private void removeServerMBean() {
+ try {
+ mBeanContainer.getClass().getMethod("beanRemoved",
Container.class, Object.class)
+ .invoke(mBeanContainer, null, server);
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception r) {
+ throw new RuntimeException(r);
+ }
+ }
+
+ private Connector createConnector(String hosto, int porto) {
+ // now we just use the SelectChannelConnector as the default connector
+ SslContextFactory sslcf = null;
+ if (tlsServerParameters != null) {
+ sslcf = new SslContextFactory() {
+ protected void doStart() throws Exception {
+ setSslContext(createSSLContext(this));
+ super.doStart();
+ }
+ public void checkKeyStore() {
+ //we'll handle this later
+ }
+ };
+ decorateCXFJettySslSocketConnector(sslcf);
+ }
+ AbstractConnector result = null;
+ if (!Server.getVersion().startsWith("8")) {
+ result = createConnectorJetty9(sslcf, hosto, porto);
+ } else {
+ result = createConnectorJetty8(sslcf, hosto, porto);
+ }
+
+ try {
+ result.getClass().getMethod("setPort",
Integer.TYPE).invoke(result, porto);
+ if (hosto != null) {
+ result.getClass().getMethod("setHost",
String.class).invoke(result, hosto);
+ }
+ result.getClass().getMethod("setReuseAddress",
Boolean.TYPE).invoke(result, isReuseAddress());
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+
+ return result;
+ }
+
+ AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String
hosto, int porto) {
+ //Jetty 9
+ AbstractConnector result = null;
+ try {
+ Class<?> configClass =
ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",
+ Server.class);
+ Object httpConfig = configClass.newInstance();
+ httpConfig.getClass().getMethod("setSendServerVersion",
Boolean.TYPE)
+ .invoke(httpConfig, getSendServerVersion());
+
+ Object httpFactory =
ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",
+ Server.class)
+
.getConstructor(configClass).newInstance(httpConfig);
+
+ Collection<Object> connectionFactories = new ArrayList<Object>();
+ result =
(AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",
+
Server.class)
+
.getConstructor(Server.class)
+
.newInstance(server);
+
+ if (tlsServerParameters != null) {
+ Class<?> src =
ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
+ Server.class);
+ httpConfig.getClass().getMethod("addCustomizer",
src.getInterfaces()[0])
+ .invoke(httpConfig, src.newInstance());
+ Object scf =
ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
+
Server.class).getConstructor(SslContextFactory.class,
+
String.class)
+ .newInstance(sslcf,
"HTTP/1.1");
+ connectionFactories.add(scf);
+ result.getClass().getMethod("setDefaultProtocol",
String.class).invoke(result, "SSL-HTTP/1.1");
+ }
+ connectionFactories.add(httpFactory);
+ result.getClass().getMethod("setConnectionFactories",
Collection.class)
+ .invoke(result, connectionFactories);
+
+ if (getMaxIdleTime() > 0) {
+ result.getClass().getMethod("setIdleTimeout",
Long.TYPE).invoke(result, new Long(getMaxIdleTime()));
+ }
+
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ return result;
+ }
+ AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String
hosto, int porto) {
+ //Jetty 8
+ AbstractConnector result = null;
+ try {
+ if (sslcf == null) {
+ result = (AbstractConnector)ClassLoaderUtils
+
.loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
+ Server.class).newInstance();
+ } else {
+ result = (AbstractConnector)ClassLoaderUtils
+
.loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
+
Server.class).getConstructor(SslContextFactory.class)
+ .newInstance(sslcf);
+ }
+ Server.class.getMethod("setSendServerVersion",
Boolean.TYPE).invoke(server, getSendServerVersion());
+ if (getMaxIdleTime() > 0) {
+ result.getClass().getMethod("setMaxIdleTime",
Integer.TYPE).invoke(result, getMaxIdleTime());
+ }
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ return result;
+ }
+
+
+ protected SSLContext createSSLContext(SslContextFactory scf) throws
Exception {
+ String proto = tlsServerParameters.getSecureSocketProtocol() == null
+ ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+
+ // Exclude SSLv3 + SSLv2Hello by default unless the protocol is given
as SSLv3
+ if (!"SSLv3".equals(proto) &&
tlsServerParameters.getExcludeProtocols().isEmpty()) {
+ scf.addExcludeProtocols("SSLv3");
+ scf.addExcludeProtocols("SSLv2Hello");
+ } else {
+ for (String p : tlsServerParameters.getExcludeProtocols()) {
+ scf.addExcludeProtocols(p);
+ }
+ }
+
+ SSLContext context = tlsServerParameters.getJsseProvider() == null
+ ? SSLContext.getInstance(proto)
+ : SSLContext.getInstance(proto,
tlsServerParameters.getJsseProvider());
+
+ KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
+ if (tlsServerParameters.getCertAlias() != null) {
+ keyManagers = getKeyManagersWithCertAlias(keyManagers);
+ }
+ context.init(tlsServerParameters.getKeyManagers(),
+ tlsServerParameters.getTrustManagers(),
+ tlsServerParameters.getSecureRandom());
+
+ // Set the CipherSuites
+ final String[] supportedCipherSuites =
+ SSLUtils.getServerSupportedCipherSuites(context);
+
+ String[] excludedCipherSuites =
+ SSLUtils.getCiphersuites(
+ tlsServerParameters.getCipherSuites(),
+ supportedCipherSuites,
+ tlsServerParameters.getCipherSuitesFilter(),
+ LOG, true);
+ scf.setExcludeCipherSuites(excludedCipherSuites);
+
+ String[] includedCipherSuites =
+ SSLUtils.getCiphersuites(
+ tlsServerParameters.getCipherSuites(),
+ supportedCipherSuites,
+ tlsServerParameters.getCipherSuitesFilter(),
+ LOG, false);
+ scf.setIncludeCipherSuites(includedCipherSuites);
+
+ return context;
+ }
+ protected KeyManager[] getKeyManagersWithCertAlias(KeyManager
keyManagers[]) throws Exception {
+ if (tlsServerParameters.getCertAlias() != null) {
+ for (int idx = 0; idx < keyManagers.length; idx++) {
+ if (keyManagers[idx] instanceof X509KeyManager) {
+ keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+ tlsServerParameters.getCertAlias(),
(X509KeyManager)keyManagers[idx]);
+ }
+ }
+ }
+ return keyManagers;
+ }
+ protected void setClientAuthentication(SslContextFactory con,
+ ClientAuthentication clientAuth) {
+ con.setWantClientAuth(true);
+ if (clientAuth != null) {
+ if (clientAuth.isSetWant()) {
+ con.setWantClientAuth(clientAuth.isWant());
+ }
+ if (clientAuth.isSetRequired()) {
+ con.setNeedClientAuth(clientAuth.isRequired());
+ }
+ }
+ }
+ /**
+ * This method sets the security properties for the CXF extension
+ * of the JettySslConnector.
+ */
+ private void decorateCXFJettySslSocketConnector(
+ SslContextFactory con
+ ) {
+ setClientAuthentication(con,
+ tlsServerParameters.getClientAuthentication());
+ con.setCertAlias(tlsServerParameters.getCertAlias());
+ }
+
+
+ private static Container getContainer(Object server) {
+ if (server instanceof Container) {
+ return (Container)server;
+ }
+ try {
+ return
(Container)server.getClass().getMethod("getContainer").invoke(server);
+ } catch (RuntimeException t) {
+ throw t;
+ } catch (Throwable t) {
+ throw new RuntimeException(t);
+ }
+ }
+
+ private static void logConnector(Connector connector) {
+ try {
+ String h =
(String)connector.getClass().getMethod("getHost").invoke(connector);
+ int port =
(Integer)connector.getClass().getMethod("getPort").invoke(connector);
+ LOG.finer("connector.host: "
+ + h == null
+ ? "null"
+ : "\"" + h + "\"");
+ LOG.finer("connector.port: " + port);
+ } catch (Throwable t) {
+ //ignore
+ }
+ }
+
+>>>>>>> a97f886... Explicitly "include" ciphersuites for the Jetty Server +
some tests for NULL ciphersuites
protected void setupThreadPool() {
AbstractConnector aconn = (AbstractConnector) connector;
if (isSetThreadingParameters()) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
----------------------------------------------------------------------
diff --git
a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
index 4f2f8c5..f37b1f9 100644
---
a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
+++
b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
@@ -37,6 +37,7 @@ import org.junit.BeforeClass;
public class CipherSuitesTest extends AbstractBusClientServerTestBase {
static final String PORT = allocatePort(CipherSuitesServer.class);
static final String PORT2 = allocatePort(CipherSuitesServer.class, 2);
+ static final String PORT3 = allocatePort(CipherSuitesServer.class, 3);
@BeforeClass
public static void startServers() throws Exception {
@@ -277,4 +278,116 @@ public class CipherSuitesTest extends
AbstractBusClientServerTestBase {
bus.shutdown(true);
}
+ // Both client + server include NULL
+ @org.junit.Test
+ public void testNULLIncluded() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-null-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT3);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include NULL
+ @org.junit.Test
+ public void testNULLIncludedAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-null-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT3);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not allow NULL
+ @org.junit.Test
+ public void testClientAESServerNULL() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT3);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not allow NULL
+ @org.junit.Test
+ public void testClientAESServerNULLAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT3);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
----------------------------------------------------------------------
diff --git
a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
new file mode 100644
index 0000000..e5861d9
--- /dev/null
+++
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-null-client.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:cxf="http://cxf.apache.org/core"; xmlns:p="http://cxf.apache.org/policy";
xmlns:sec="http://cxf.apache.org/configuration/security"; xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/policy http://cxf.apache.org/schemas/poli
cy.xsd">
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <http:conduit name="https://localhost:.*";>
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password"
resource="keys/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ </sec:cipherSuitesFilter>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/d55cb4aa/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
----------------------------------------------------------------------
diff --git
a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
index 13ea1c5..d65371e 100644
---
a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
+++
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
@@ -65,10 +65,32 @@
<jaxws:endpoint xmlns:e="http://apache.org/hello_world/services";
xmlns:s="http://apache.org/hello_world/services";
- id="DESTLSServer"
+ id="RC4TLSServer"
implementor="org.apache.cxf.systest.http.GreeterImpl"
address="https://localhost:${testutil.ports.CipherSuitesServer.2}/SoapContext/HttpsPort";
serviceName="s:SOAPService"
endpointName="e:HttpsPort" depends-on="rc4-tls-settings"/>
+
+ <httpj:engine-factory id="null-tls-settings">
+ <httpj:engine port="${testutil.ports.CipherSuitesServer.3}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="keys/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:clientAuthentication want="false" required="false"/>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ </sec:cipherSuitesFilter>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services";
+ xmlns:s="http://apache.org/hello_world/services";
+ id="NULLTLSServer"
+ implementor="org.apache.cxf.systest.http.GreeterImpl"
+
address="https://localhost:${testutil.ports.CipherSuitesServer.3}/SoapContext/HttpsPort";
+ serviceName="s:SOAPService"
+ endpointName="e:HttpsPort"
depends-on="null-tls-settings"/>
</beans>
