Adding a checker on the TLS CipherSuite
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9a0788b9 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9a0788b9 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9a0788b9 Branch: refs/heads/3.0.x-fixes Commit: 9a0788b91c7dc63c1232a5d27c59958d42c7bdc1 Parents: a2922b7 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri May 29 11:10:25 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri May 29 13:46:25 2015 +0100 ---------------------------------------------------------------------- .../https/ciphersuites/CipherSuiteChecker.java | 60 ++++++++++++++++++++ .../https/ciphersuites/ciphersuites-server.xml | 8 ++- 2 files changed, 67 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/9a0788b9/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuiteChecker.java ----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuiteChecker.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuiteChecker.java
new file mode 100644
index 0000000..34f2fda
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuiteChecker.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.ciphersuites;
+
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+
+/**
+ * A service side interceptor to check that the negotiated TLS protocol matches a desired
+ * algorithm
+ */
+public class CipherSuiteChecker extends AbstractPhaseInterceptor<Message> {
+
+    private String requiredAlgorithm;
+
+    public CipherSuiteChecker() {
+        super(Phase.PRE_INVOKE);
+    }
+
+    public CipherSuiteChecker(String phase) {
+        super(phase);
+    }
+
+    public void handleMessage(Message mc) throws Fault {
+        TLSSessionInfo session = mc.get(TLSSessionInfo.class);
+        if (!session.getCipherSuite().contains(requiredAlgorithm)) {
+            throw new Fault(new Exception("Required algorithm not found"));
+        }
+    }
+
+    public String getRequiredAlgorithm() {
+        return requiredAlgorithm;
+    }
+
+    public void setRequiredAlgorithm(String requiredAlgorithm) {
+        this.requiredAlgorithm = requiredAlgorithm;
+    }
+
+
+}
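Review bot: `handleMessage` dereferences the `TLSSessionInfo` it takes from the message without checking for null, so a request that reaches the endpoint without a TLS session (or a checker deployed with `requiredAlgorithm` unset, which makes `contains(null)` throw) fails with a NullPointerException instead of the Fault this interceptor exists to raise. Since a missing session is precisely what the check should reject, fold it into the condition: `if (session == null || session.getCipherSuite() == null || !session.getCipherSuite().contains(requiredAlgorithm)) {`. The class Javadoc says it checks the negotiated TLS protocol, while the code compares the cipher suite name; suggest `A service side interceptor to check that the negotiated TLS cipher suite contains a required algorithm name`. `contains` is a substring test, so a value such as "AES" accepts any suite whose name mentions AES regardless of key size or mode, which is presumably what this systest wants but is worth stating in the `setRequiredAlgorithm` Javadoc.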
http://git-wip-us.apache.org/repos/asf/cxf/blob/9a0788b9/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml ----------------------------------------------------------------------
diff --git a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
index 6ce8b0a..e5b382e 100644
--- a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
+++ b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
@@ -45,7 +45,13 @@ implementor="org.apache.cxf.systest.http.GreeterImpl" address="https://localhost:${testutil.ports.CipherSuitesServer}/SoapContext/HttpsPort" serviceName="s:SOAPService"
- endpointName="e:HttpsPort" depends-on="aes-tls-settings"/>
+ endpointName="e:HttpsPort" depends-on="aes-tls-settings">
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.systest.https.ciphersuites.CipherSuiteChecker">
+ <property name="requiredAlgorithm" value="AES"/>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
 <httpj:engine-factory id="rc4-tls-settings">
