Author: gmazza
Date: Thu Mar 27 23:18:19 2008
New Revision: 642095
URL: http://svn.apache.org/viewvc?rev=642095&view=rev
Log:
Reactivating hostname = SSL certificate common name (CN) check for https://
based SOAP client requests. The cxf.xml config property I chose to disable
this option is "disableCNCheck". I'm open to other names if anyone can think
of something better.
Modified:
incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Modified:
incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
URL:
http://svn.apache.org/viewvc/incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
---
incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
(original)
+++
incubator/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
Thu Mar 27 23:18:19 2008
@@ -24,5 +24,24 @@
*
*/
public class TLSClientParameters extends TLSParameterBase {
-
+ private boolean disableCNCheck;
+
+ /**
+ * Set whether or not JSEE should omit checking if the host name
+ * specified in the URL matches that of the Common Name
+ * (CN) on the server's certificate. Default is false;
+ * this attribute should not be set to true during production use.
+ */
+ public void setDisableCNCheck(boolean disableCNCheck) {
+ this.disableCNCheck = disableCNCheck;
+ }
+
+ /**
+ * Returns whether or not JSSE omits checking if the
+ * host name specified in the URL matches that of the Common Name
+ * (CN) on the server's certificate.
+ */
+ public boolean isDisableCNCheck() {
+ return disableCNCheck;
+ }
}
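Review bot: The setter Javadoc at `* Set whether or not JSEE should omit checking` misspells JSSE (the getter below spells it correctly), and neither new method carries a `@param` or `@return` tag. Suggest adding `@param disableCNCheck true to skip the URL host name vs. server certificate check (not for production use)` to the setter and `@return true if the host name check is skipped` to the getter. If I recall correctly the JSSE default verifier also accepts a matching subjectAltName entry rather than only the CN, so "Common Name (CN)" in both comments is a simplification that a short clause could acknowledge.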
Modified:
incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
URL:
http://svn.apache.org/viewvc/incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
---
incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
(original)
+++
incubator/cxf/trunk/common/schemas/src/main/resources/schemas/configuration/security.xsd
Thu Mar 27 23:18:19 2008
@@ -380,6 +380,16 @@
</xs:annotation>
</xs:element>
</xs:all>
+ <xs:attribute name="disableCNCheck" type="xs:boolean"
default="false">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute specifies if JSSE should omit checking if the
+ host name specified in the URL matches that of the Common Name
+ (CN) on the server's certificate. Default is false; this
attribute
+ should not be set to true during production use.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
<xs:attribute name="jsseProvider" type="xs:string">
<xs:annotation>
<xs:documentation>
Modified:
incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
URL:
http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
---
incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
(original)
+++
incubator/cxf/trunk/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
Thu Mar 27 23:18:19 2008
@@ -76,7 +76,7 @@
if (xmlReader == null) {
InputStream in =
(InputStream)message.getContent(InputStream.class);
if (in == null) {
- throw new RuntimeException("Can't found input stream in
message");
+ throw new RuntimeException("Can't find input stream in
message");
}
xmlReader = StaxUtils.createXMLStreamReader(in);
}
Modified:
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL:
http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
---
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
(original)
+++
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
Thu Mar 27 23:18:19 2008
@@ -38,6 +38,9 @@
throws GeneralSecurityException,
IOException {
+ if (params.isDisableCNCheck()) {
+ this.setDisableCNCheck(true);
+ }
if (params.isSetCipherSuitesFilter()) {
this.setCipherSuitesFilter(params.getCipherSuitesFilter());
}
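Review bot: The guard `if (params.isDisableCNCheck()) { this.setDisableCNCheck(true); }` can only ever forward a true value, which is equivalent to an unconditional copy because the field defaults to false; `this.setDisableCNCheck(params.isDisableCNCheck());` states that in one line. If the generated `params` type exposes an `isSetDisableCNCheck()` like the neighbouring `isSetCipherSuitesFilter()`, using it would keep this copy in the same style as the other parameters and distinguish "absent" from an explicit false. The enclosing constructor begins before this hunk.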
Modified:
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
URL:
http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
---
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
(original)
+++
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
Thu Mar 27 23:18:19 2008
@@ -402,7 +402,8 @@
+ "' has been configured for TLS "
+ "keyManagers " + tlsClientParameters.getKeyManagers()
+ "trustManagers " + tlsClientParameters.getTrustManagers()
- + "secureRandom " + tlsClientParameters.getSecureRandom());
+ + "secureRandom " + tlsClientParameters.getSecureRandom()
+ + "Disable Common Name (CN) Check: " +
tlsClientParameters.isDisableCNCheck());
}
} else {
if (LOG.isLoggable(Level.FINE)) {
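Review bot: The new `"Disable Common Name (CN) Check: "` fragment is concatenated directly after `tlsClientParameters.getSecureRandom()` with no separator, so the FINE log line runs the SecureRandom's toString straight into the label; the existing keyManagers/trustManagers fragments have the same problem, but the added line repeats it, e.g. `+ ", disableCNCheck=" + tlsClientParameters.isDisableCNCheck()`. Because disabling hostname verification weakens TLS for every request on this conduit, a separate WARNING emitted when `tlsClientParameters.isDisableCNCheck()` is true, outside the `isLoggable(Level.FINE)` guard, would make the setting visible in production logs rather than only under debug logging. The enclosing method starts before this hunk.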
@@ -1752,7 +1753,18 @@
*/
@Override
protected void onFirstWrite() throws IOException {
- handleHeadersTrustCaching();
+ try {
+ handleHeadersTrustCaching();
+ } catch (IOException e) {
+ if (e.getMessage() != null && e.getMessage().contains("HTTPS
hostname wrong:")) {
+ throw new IOException("The https URL hostname does not
match the "
+ + "Common Name (CN) on the server certificate. To
disable this check "
+ + "(NOT recommended for production) set the CXF client
TLS configuration "
+ + "property \"disableCNCheck\" to true.");
+ } else {
+ throw e;
+ }
+ }
}
protected void handleHeadersTrustCaching() throws IOException {
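Review bot: The rethrow in `onFirstWrite` discards the original exception: `throw new IOException("The https URL hostname does not match ...")` does not attach `e`, so the stack trace and the JDK's own message, which typically names the expected host, are lost. Keep it as the cause, e.g. `IOException wrapped = new IOException("...same message...");` `wrapped.initCause(e);` `throw wrapped;`. The `e.getMessage().contains("HTTPS hostname wrong:")` test also depends on a JDK-internal message string, so the friendlier message will silently stop appearing if that text changes; a comment such as `// matches the message produced by the JDK's default HttpsURLConnection hostname check` would record that dependency. `handleHeadersTrustCaching` continues past the end of this hunk.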
Modified:
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL:
http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=642095&r1=642094&r2=642095&view=diff
==============================================================================
---
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
(original)
+++
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Thu Mar 27 23:18:19 2008
@@ -60,7 +60,7 @@
private static final Logger LOG =
LogUtils.getL7dLogger(HttpsURLConnectionFactory.class);
- private static final HostnameVerifier VERIFIER = new
AlwaysTrueHostnameVerifier();
+ private static final HostnameVerifier DISABLE_HOSTNAME_VERIFIER = new
AlwaysTrueHostnameVerifier();
/*
* For development and testing only
@@ -105,7 +105,7 @@
}
/**
- * Create a HttpURLConnection, proxified if neccessary.
+ * Create a HttpURLConnection, proxified if necessary.
*
*
* @param proxy This parameter is non-null if connection should be proxied.
@@ -153,17 +153,12 @@
}
/**
- * This class is the default hostname verifier that the
- * HttpsURLConnection implementation uses to verify that
- * a hostname belongs to a particular verified key/certificate
- * pair.
- * <p>
- * The default is to make sure that "CN=<hostname>", which
- * isn't always desired. The MessageTrustDecider is
- * the point at which an application can place trust in the
- * certificate and target URL. We use this default of always
- * returning true, delegating the trust decision to the
- * MessageTrustDecider.
+ * This "accept all" hostname verifier is activated when the
+ * disableCNCheck TLS client configuration parameter is set to
+ * true (not recommended for production use). The default of
+ * false makes sure the Common Name (CN) on the server
+ * certificate equals that of the https:// URL provided by
+ * the SOAP client.
*/
private static class AlwaysTrueHostnameVerifier implements
HostnameVerifier {
@@ -212,7 +207,9 @@
socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(),
cipherSuites);
}
- connection.setHostnameVerifier(VERIFIER);
+ if (tlsClientParameters.isDisableCNCheck()) {
+ connection.setHostnameVerifier(DISABLE_HOSTNAME_VERIFIER);
+ }
connection.setSSLSocketFactory(socketFactory);
}
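Review bot: When `tlsClientParameters.isDisableCNCheck()` is true the connection's hostname verifier is silently swapped for the accept-all `DISABLE_HOSTNAME_VERIFIER`, and nothing records that a certificate check has been switched off for this connection. A WARNING through the file's `LOG` inside that branch, e.g. `LOG.warning("Hostname verification (CN check) disabled for " + connection.getURL() + "; not recommended for production");`, would make the misconfiguration visible to operators without changing behaviour. The branch assumes `tlsClientParameters` is non-null, which looks consistent with the `cipherSuites` code just above but cannot be confirmed from this hunk; the enclosing method begins outside it.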