cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/2.7.x-fixes 1798afb80 -> 566787ec5 Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/566787ec Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/566787ec Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/566787ec Branch: refs/heads/2.7.x-fixes Commit: 566787ec5cc6b9519e575df6434e212ff384c85a Parents: 1798afb Author: Colm O hEigeartaigh Authored: Fri Mar 13 23:18:09 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 23:18:09 2015 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/566787ec/.gitmergeinfo --
diff --git a/.gitmergeinfo b/.gitmergeinfo
index 8f66ef3..c41ca79 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -1279,6 +1279,7 @@ B aab6216c1a32ce7f37792066b4dbbbe9ca04b90e
 B ab1cd2bba38e4209991bd108158a08036f097b5e
 B ab5e64e0414bcbe0e8a5c5b8575289db816acccb
 B ab8818b7c15adb227e9e4bfb7ed4293bffcfa3eb
+B abe4cba67337556651787d3e14f3ecf472cd7f80
 B abe5b35ec859a2bae12c44bb4a7a8f1a118c6cf6
 B abfbb35df11021077417e1ac631ed3315c9b625b
 B ac2f3f8c4f435ee71f5a7bc27f2d934a24628732
cxf git commit: Disable test when unlimited security policies are not installed
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes f5b751cc4 -> abe4cba67 Disable test when unlimited security policies are not installed Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/abe4cba6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/abe4cba6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/abe4cba6 Branch: refs/heads/3.0.x-fixes Commit: abe4cba67337556651787d3e14f3ecf472cd7f80 Parents: f5b751c Author: Colm O hEigeartaigh Authored: Fri Mar 13 23:14:10 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 23:14:10 2015 + -- .../https/ciphersuites/CipherSuitesTest.java| 28 1 file changed, 28 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/abe4cba6/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java -- diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java index 3a93002..a0cad91 100644 --- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java +++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java @@ -21,6 +21,9 @@ package org.apache.cxf.systest.https.ciphersuites; import java.net.URL; +import javax.crypto.Cipher; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; import javax.xml.ws.BindingProvider; import org.apache.cxf.Bus; 
@@ -40,6 +43,27 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase { static final String PORT3 = allocatePort(CipherSuitesServer.class, 3); static final String PORT4 = allocatePort(CipherSuitesServer.class, 4); +private static final boolean UNRESTRICTED_POLICIES_INSTALLED; +static { +boolean ok = false; +try { +byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; + +SecretKey key192 = new SecretKeySpec( +new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, +0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, +0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}, +"AES"); +Cipher c = Cipher.getInstance("AES"); +c.init(Cipher.ENCRYPT_MODE, key192); +c.doFinal(data); +ok = true; +} catch (Exception e) { +// +} +UNRESTRICTED_POLICIES_INSTALLED = ok; +} + @BeforeClass public static void startServers() throws Exception { assertTrue( @@ -109,6 +133,10 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase { // Both client + server include a specific AES CipherSuite (not via a filter) @org.junit.Test public void testAESIncludedExplicitly() throws Exception { + +if (!UNRESTRICTED_POLICIES_INSTALLED) { +return; +} SpringBusFactory bf = new SpringBusFactory(); URL busFile = CipherSuitesTest.class.getResource("ciphersuites-explicit-client.xml");
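Review bot: The static initializer's `catch (Exception e) { // }` swallows every failure, so a missing AES provider or any other unexpected error looks the same as restricted policy files and silently switches the flag off. The JCE exposes the limit directly: `ok = Cipher.getMaxAllowedKeyLength("AES") > 128;` inside a `try` that catches only `NoSuchAlgorithmException` states the intent without a trial encryption and the hard-coded 24-byte key. If the probe is kept as written, narrow the catch to `GeneralSecurityException` and replace the empty comment with something like `// a 192-bit AES key is rejected when only the limited-strength policy files are installed`.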
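Review bot: In `testAESIncludedExplicitly` the bare `return` makes the test report as passed on a JVM with limited-strength policy files, so such a build goes green without the explicit AES cipher-suite configuration ever being exercised. Using `org.junit.Assume.assumeTrue(UNRESTRICTED_POLICIES_INSTALLED);` as the first statement marks the test as skipped instead, which keeps the loss of TLS coverage visible in the test report. The method body continues past the end of the hunk.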
cxf git commit: [CXF-6294] - Cannot activate TLSv1.2 cipher suites on client on Java7 - Adding a test
Repository: cxf Updated Branches: refs/heads/master d1c7f1f6b -> 08f376bdf [CXF-6294] - Cannot activate TLSv1.2 cipher suites on client on Java7 - Adding a test Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/08f376bd Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/08f376bd Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/08f376bd Branch: refs/heads/master Commit: 08f376bdfd744b99132387076f3fc61167a330ec Parents: d1c7f1f Author: Colm O hEigeartaigh Authored: Fri Mar 13 18:46:23 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 18:46:23 2015 + -- .../https/SSLSocketFactoryWrapper.java | 17 - .../https/ciphersuites/CipherSuitesTest.java| 25 - .../ciphersuites/ciphersuites-client-tlsv12.xml | 37 3 files changed, 70 insertions(+), 9 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/08f376bd/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLSocketFactoryWrapper.java -- diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLSocketFactoryWrapper.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLSocketFactoryWrapper.java index 6f58e4a..4e635f0 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLSocketFactoryWrapper.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLSocketFactoryWrapper.java @@ -23,7 +23,6 @@ import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; - import java.util.ArrayList; import java.util.List; import java.util.logging.Handler; 
@@ -97,19 +96,21 @@ class SSLSocketFactoryWrapper extends SSLSocketFactory { private Socket enableCipherSuites(Socket s, Object[] logParams) { SSLSocket socket = (SSLSocket)s; -if ((socket != null) && (ciphers != null)) { -socket.setEnabledCipherSuites(ciphers); +if (socket == null) { +LogUtils.log(LOG, Level.SEVERE, + "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET", + logParams); +return socket; } -if ((socket != null) && (protocol != null)) { + +if (protocol != null) { String p[] = findProtocols(protocol, socket.getSupportedProtocols()); if (p != null) { socket.setEnabledProtocols(p); } } -if (socket == null) { -LogUtils.log(LOG, Level.SEVERE, - "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET", - logParams); +if (ciphers != null) { +socket.setEnabledCipherSuites(ciphers); } return socket; http://git-wip-us.apache.org/repos/asf/cxf/blob/08f376bd/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java -- diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java index 3a93002..a1002e3 100644 --- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java +++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java 
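Review bot: In `enableCipherSuites`, when `findProtocols(...)` returns null the socket keeps the JVM's default enabled protocols and nothing is logged, so a client configured for a specific protocol could connect with a different one unnoticed; `findProtocols` is outside the hunk, so this assumes null means "no supported match". An `else` branch that logs at WARNING (or refuses the socket) would make that fallback visible. The new order of the two blocks also appears to be the actual fix, judging by the commit title, yet nothing in the code says so; a comment above the protocol block such as `// Enable protocols before cipher suites, otherwise TLSv1.2 suites cannot be activated on Java 7 (CXF-6294)` would stop a later cleanup from swapping them back. The method's closing brace lies outside the hunk.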
@@ -414,5 +414,28 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase { ((java.io.Closeable)port).close(); bus.shutdown(true); } - + +// Both client + server include AES, client enables a TLS v1.2 CipherSuite +@org.junit.Test +public void testAESIncludedTLSv12() throws Exception { +SpringBusFactory bf = new SpringBusFactory(); +URL busFile = CipherSuitesTest.class.getResource("ciphersuites-client-tlsv12.xml"); + +Bus bus = bf.createBus(busFile.toString()); +SpringBusFactory.setDefaultBus(bus); +SpringBusFactory.setThreadDefaultBus(bus); + +URL url = SOAPService.WSDL_LOCATION; +SOAPService service = new SOAPService(url, SOAPService.SERVICE); +assertNotNull("Service is null", service); +final Greeter port = service.getHttpsPort(); +assertNotNull("Port is null", port); + +updateAddressPort(port, PORT); + +assertEquals(port.greetMe("Kitty"), "Hello Kitty"); + +((java.io.Closeable)port).close(); +bus.shutdown(true); +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/08f376bd/systests/transports/src/test/resources/org/apache/c
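Review bot: `testAESIncludedTLSv12` closes the port and shuts the bus down only on the success path, so a failed handshake (the case this test exists to catch) may leave the default and thread-default bus pointing at the TLSv1.2 client configuration for whichever test runs next. Wrapping the call as `try { assertEquals("Hello Kitty", port.greetMe("Kitty")); } finally { ((java.io.Closeable)port).close(); bus.shutdown(true); }` keeps a failure here from bleeding into other tests. That form also puts the `assertEquals` arguments in expected/actual order, which the added line has reversed. `busFile` is dereferenced without a null check, so a missing `ciphersuites-client-tlsv12.xml` surfaces as a NullPointerException rather than a clear assertion message.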
cxf git commit: Updates to get the new wss4j stuff installed in OSGi. (may not work yet)
Repository: cxf Updated Branches: refs/heads/master 99b13f1da -> d1c7f1f6b Updates to get the new wss4j stuff installed in OSGi. (may not work yet) Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d1c7f1f6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d1c7f1f6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d1c7f1f6 Branch: refs/heads/master Commit: d1c7f1f6be4ce14bd0e99ec9672d9c1957515f35 Parents: 99b13f1 Author: Daniel Kulp Authored: Fri Mar 13 14:14:32 2015 -0400 Committer: Daniel Kulp Committed: Fri Mar 13 14:14:53 2015 -0400 -- osgi/karaf/features/src/main/resources/features.xml | 1 + parent/pom.xml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/d1c7f1f6/osgi/karaf/features/src/main/resources/features.xml -- diff --git a/osgi/karaf/features/src/main/resources/features.xml b/osgi/karaf/features/src/main/resources/features.xml index 74ca7fa..f7052ff 100644 --- a/osgi/karaf/features/src/main/resources/features.xml +++ b/osgi/karaf/features/src/main/resources/features.xml @@ -56,6 +56,7 @@ mvn:joda-time/joda-time/${cxf.joda.time.version} mvn:commons-codec/commons-codec/${cxf.commons-codec.version} mvn:org.apache.santuario/xmlsec/${cxf.xmlsec.bundle.version} +mvn:com.google.guava/guava/${cxf.guava.version} mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/${cxf.opensaml.osgi.version} mvn:org.jvnet.staxex/stax-ex/${cxf.stax-ex.version} mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.saaj-impl/${cxf.saaj-impl.bundle.version} http://git-wip-us.apache.org/repos/asf/cxf/blob/d1c7f1f6/parent/pom.xml -- diff --git a/parent/pom.xml b/parent/pom.xml index bed6fc1..83a9de6 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -81,6 +81,7 @@ 10.2.2.0 2.9.0 1.2.13_1 +18.0 1.9.4 4.0.2 [4.0,4.1) 
@@ -106,7 +107,7 @@ ${cxf.jaxb.version} ${cxf.jaxb.version} ${cxf.jaxb.version} -2.2 +2.7 1.0 1.3.7 8.1.15.v20140411 @@ -124,7 +125,7 @@ 20100527_1 20100527 3.1.0 -3.1.0_1 +3.1.0_1-SNAPSHOT 1.7R2 org.apache.geronimo.specs geronimo-servlet_3.0_spec
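Review bot: The last hunk of parent/pom.xml changes a version value from `3.1.0_1` to `3.1.0_1-SNAPSHOT`, which makes the parent build depend on a mutable artifact: the same commit can resolve to different binaries over time, and resolution needs a snapshot repository rather than a release repository. The element names are not visible in this rendering, so which bundle the property belongs to cannot be confirmed from here. Since the commit message itself says the change "may not work yet", a comment next to the property, for example `<!-- TODO: revert to a released version before the next release (bundle: PLACEHOLDER) -->`, would keep the snapshot from being carried into a release by accident.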
[1/3] cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/2.7.x-fixes 16f466dbe -> 1798afb80 Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/baeea673 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/baeea673 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/baeea673 Branch: refs/heads/2.7.x-fixes Commit: baeea673f2dc70e75b816a6d4beb216c7e8dbe6a Parents: 80cdbd7 Author: Colm O hEigeartaigh Authored: Fri Mar 13 17:23:41 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 17:23:41 2015 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/baeea673/.gitmergeinfo --
diff --git a/.gitmergeinfo b/.gitmergeinfo
index 75d91ec..8f66ef3 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -2638,6 +2638,7 @@ M f5684767d04676304063edecacf8d72896f1524c
 M f57a75aa40be9ab959ae1fade89c2803f2a5b45e
 M f584187d09471f28578854e288a7c7d612ea82bc
 M f5a82c1c393775334725b9de61b94f492cdd1f2f
+M f5b751cc44cde43f9bd776fd1f7504c9b7fc54e3
 M f61876836d11eb04b47a647a20e6a1d504e93671
 M f678cdd89d1ba6be3b5113743cfa5859806ba99a
 M f68f775a7b95a268e66ebbc832d1f8a30c9ac240
[3/3] cxf git commit: Fixing merge
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1798afb8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1798afb8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1798afb8 Branch: refs/heads/2.7.x-fixes Commit: 1798afb80ccc53fd6c76b5352372c5d80f55754d Parents: baeea67 Author: Colm O hEigeartaigh Authored: Fri Mar 13 17:26:10 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 17:26:10 2015 + -- .../apache/cxf/configuration/jsse/SSLUtils.java | 25 +- .../apache/cxf/configuration/jsse/SSLUtils.java | 742 --- .../https/ciphersuites/CipherSuitesTest.java| 418 --- .../ciphersuites-explicit-client.xml| 37 - .../https/ciphersuites/ciphersuites-server.xml | 117 --- 5 files changed, 14 insertions(+), 1325 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/1798afb8/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java -- diff --git a/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java index 81994f8..4b0bee1 100644 --- a/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java +++ b/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java 
@@ -452,17 +452,21 @@ public final class SSLUtils { String[] supportedCipherSuites, FiltersType filters, Logger log, boolean exclude) { -String[] cipherSuites = null; -if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) { -cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude); -return cipherSuites; -} +// First check the "include" case only. If we have defined explicit "cipherSuite" +// configuration, then just return these. Otherwise see if we have defined ciphersuites +// via a system property. if (!exclude) { -cipherSuites = getSystemCiphersuites(log); -if (cipherSuites != null) { -return cipherSuites; +if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) { +return getCiphersFromList(cipherSuitesList, log, exclude); +} else { +String[] cipherSuites = getSystemCiphersuites(log); +if (cipherSuites != null) { +return cipherSuites; +} } } + +// Otherwise check the "include/exclude" cipherSuiteFilter configuration LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET"); if (filters == null) { LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET"); @@ -502,11 +506,10 @@ public final class SSLUtils { "CIPHERSUITES_EXCLUDED", excludedCipherSuites); if (exclude) { -cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude); +return getCiphersFromList(excludedCipherSuites, log, exclude); } else { -cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude); +return getCiphersFromList(filteredCipherSuites, log, exclude); } -return cipherSuites; } private static String[] getSystemCiphersuites(Logger log) { http://git-wip-us.apache.org/repos/asf/cxf/blob/1798afb8/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java -- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java deleted file mode 100644 index ebae85d..000 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java +++ /dev/null 
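Review bot: In the new `if (!exclude)` branch the explicitly configured `cipherSuitesList` (or, failing that, the system-property suites) is returned without being compared against `supportedCipherSuites` or passed through the cipherSuiteFilter handling further down; whether `getCiphersFromList` validates anything cannot be seen from the hunk. A misspelled or weak suite name in the configuration would therefore, as far as the visible lines show, be handed on unchanged, so a WARNING log for names not present in `supportedCipherSuites` would help, together with a line in the new comment such as `// NOTE: explicit cipherSuites are not subject to the include/exclude filters below`. Inside this branch `exclude` is always false, so `getCiphersFromList(cipherSuitesList, log, false)` reads more directly and the `else` after the `return` can be dropped. The same hunk is applied to core/.../SSLUtils.java in the 3.0.x-fixes and master commits further down this page, and the method's signature starts above the hunk.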
@@ -1,742 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License.
[2/3] cxf git commit: [CXF-6300] - cipherSuite configuration does not work with HTTPJ servers
[CXF-6300] - cipherSuite configuration does not work with HTTPJ servers Conflicts: core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/80cdbd72 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/80cdbd72 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/80cdbd72 Branch: refs/heads/2.7.x-fixes Commit: 80cdbd72891c028d331bd365398cd8ea2843b1bf Parents: 16f466d Author: Colm O hEigeartaigh Authored: Fri Mar 13 17:16:56 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 17:23:41 2015 + -- .../apache/cxf/configuration/jsse/SSLUtils.java | 742 +++ .../https/ciphersuites/CipherSuitesTest.java| 418 +++ .../ciphersuites-explicit-client.xml| 37 + .../https/ciphersuites/ciphersuites-server.xml | 117 +++ 4 files changed, 1314 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/80cdbd72/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java -- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java new file mode 100644 index 000..ebae85d --- /dev/null +++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java 
@@ -0,0 +1,742 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.configuration.jsse; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.lang.reflect.Method; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.logging.Level; +import java.util.logging.Logger; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.common.util.SystemPropertyAction; +import org.apache.cxf.configuration.security.FiltersType; + + +/** + * Holder for utility methods related to manipulating SSL settings, common + * to the 
connection and listener factories (previously duplicated). + */ +public final class SSLUtils { + +static final String PKCS12_TYPE = "PKCS12"; + +private static final String DEFAULT_KEYSTORE_TYPE = "PKCS12"; +private static final String DEFAULT_TRUST_STORE_TYPE = "JKS"; +private static final String DEFAULT_SECURE_SOCKET_PROTOCOL = "TLSv1"; +private static final String CERTIFICATE_FACTORY_TYPE = "X.509"; + +private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites"; + +private static final boolean DEFAULT_REQUIRE_CLIENT_AUTHENTICATION = false; +private static final boolean DEFAULT_WANT_CLIENT_AUTHENTICATION = true; + +private static final List DEFAULT_CIPHERSUITE_FILTERS_INCLUDE = +Arrays.asList(new String[] {".*"}); +/** + * By default, exclude NULL, anon, EXPORT, DES ciphersuites + */ +private static final List DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE = +Arrays.asList(new String[] {".*_NULL_.*", +".*_anon_.*", +".*_EXPORT_.*", +".*_DES_.*"}); + +private static volatile KeyManager[] defaultManagers;
cxf git commit: [CXF-6300] - cipherSuite configuration does not work with HTTPJ servers
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes a3d605568 -> f5b751cc4 [CXF-6300] - cipherSuite configuration does not work with HTTPJ servers Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f5b751cc Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f5b751cc Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f5b751cc Branch: refs/heads/3.0.x-fixes Commit: f5b751cc44cde43f9bd776fd1f7504c9b7fc54e3 Parents: a3d6055 Author: Colm O hEigeartaigh Authored: Fri Mar 13 17:16:56 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 17:17:59 2015 + -- .../apache/cxf/configuration/jsse/SSLUtils.java | 27 -- .../https/ciphersuites/CipherSuitesTest.java| 27 +- .../ciphersuites-explicit-client.xml| 37 .../https/ciphersuites/ciphersuites-server.xml | 21 +++ 4 files changed, 100 insertions(+), 12 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/f5b751cc/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java -- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java index 534c256..ebae85d 100644 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java +++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java 
@@ -454,17 +454,23 @@ public final class SSLUtils { String[] supportedCipherSuites, FiltersType filters, Logger log, boolean exclude) { -String[] cipherSuites = null; -if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) { -cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude); -return cipherSuites; -} + +// First check the "include" case only. If we have defined explicit "cipherSuite" +// configuration, then just return these. Otherwise see if we have defined ciphersuites +// via a system property. if (!exclude) { -cipherSuites = getSystemCiphersuites(log); -if (cipherSuites != null) { -return cipherSuites; +if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) { +return getCiphersFromList(cipherSuitesList, log, exclude); +} else { +String[] cipherSuites = getSystemCiphersuites(log); +if (cipherSuites != null) { +return cipherSuites; +} } } + +// Otherwise check the "include/exclude" cipherSuiteFilter configuration + LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET"); if (filters == null) { LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET"); @@ -504,11 +510,10 @@ public final class SSLUtils { "CIPHERSUITES_EXCLUDED", excludedCipherSuites); if (exclude) { -cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude); +return getCiphersFromList(excludedCipherSuites, log, exclude); } else { -cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude); +return getCiphersFromList(filteredCipherSuites, log, exclude); } -return cipherSuites; } private static String[] getSystemCiphersuites(Logger log) { http://git-wip-us.apache.org/repos/asf/cxf/blob/f5b751cc/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java -- diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java index f37b1f9..3a93002 100644 
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java +++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java @@ -38,6 +38,7 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase { static final String PORT = allocatePort(CipherSuitesServer.class); static final String PORT2 = allocatePort(CipherSuitesServer.class, 2); static final String PORT3 = allocatePort(CipherSuitesServer.class, 3); +static final String PORT4 = allocatePort(CipherSuitesServer.class, 4); @BeforeClass public static void startServers() throws Exception { @@ -105,6 +106,30 @@ publi
cxf git commit: [CXF-6300] - cipherSuite configuration does not work with HTTPJ servers
Repository: cxf Updated Branches: refs/heads/master dfecaa60e -> 99b13f1da [CXF-6300] - cipherSuite configuration does not work with HTTPJ servers Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/99b13f1d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/99b13f1d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/99b13f1d Branch: refs/heads/master Commit: 99b13f1da6998678d2af2e928e04ebad8e121fa3 Parents: dfecaa6 Author: Colm O hEigeartaigh Authored: Fri Mar 13 17:16:56 2015 + Committer: Colm O hEigeartaigh Committed: Fri Mar 13 17:16:56 2015 + -- .../apache/cxf/configuration/jsse/SSLUtils.java | 27 -- .../https/ciphersuites/CipherSuitesTest.java| 27 +- .../ciphersuites-explicit-client.xml| 37 .../https/ciphersuites/ciphersuites-server.xml | 21 +++ 4 files changed, 100 insertions(+), 12 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/99b13f1d/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java -- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java index b656820..1023f31 100644 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java +++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java 
@@ -430,17 +430,23 @@ public final class SSLUtils { String[] supportedCipherSuites, FiltersType filters, Logger log, boolean exclude) { -String[] cipherSuites = null; -if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) { -cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude); -return cipherSuites; -} + +// First check the "include" case only. If we have defined explicit "cipherSuite" +// configuration, then just return these. Otherwise see if we have defined ciphersuites +// via a system property. if (!exclude) { -cipherSuites = getSystemCiphersuites(log); -if (cipherSuites != null) { -return cipherSuites; +if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) { +return getCiphersFromList(cipherSuitesList, log, exclude); +} else { +String[] cipherSuites = getSystemCiphersuites(log); +if (cipherSuites != null) { +return cipherSuites; +} } } + +// Otherwise check the "include/exclude" cipherSuiteFilter configuration + LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET"); if (filters == null) { LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET"); @@ -480,11 +486,10 @@ public final class SSLUtils { "CIPHERSUITES_EXCLUDED", excludedCipherSuites); if (exclude) { -cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude); +return getCiphersFromList(excludedCipherSuites, log, exclude); } else { -cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude); +return getCiphersFromList(filteredCipherSuites, log, exclude); } -return cipherSuites; } private static String[] getSystemCiphersuites(Logger log) { http://git-wip-us.apache.org/repos/asf/cxf/blob/99b13f1d/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java -- diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java index f37b1f9..3a93002 100644 
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java +++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java @@ -38,6 +38,7 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase { static final String PORT = allocatePort(CipherSuitesServer.class); static final String PORT2 = allocatePort(CipherSuitesServer.class, 2); static final String PORT3 = allocatePort(CipherSuitesServer.class, 3); +static final String PORT4 = allocatePort(CipherSuitesServer.class, 4); @BeforeClass public static void startServers() throws Exception { @@ -105,6 +106,30 @@ public class Ci
svn commit: r943707 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Author: buildbot Date: Fri Mar 13 15:46:50 2015 New Revision: 943707 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-jose.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-jose.html == --- websites/production/cxf/content/docs/jax-rs-jose.html (original) +++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Mar 13 15:46:50 2015 
@@ -118,14 +118,16 @@ Apache CXF -- JAX-RS JOSE /**/ -IntroductionMaven DependenciesJOSE Overview -JWA AlgorithmsJWK KeysJWS SignatureJSON EncryptionJSON Web Tokens -JOSE JAX-RS FiltersConfigurationOAuth2 and JoseThird-Party Alternatives +/*]]>*/ +IntroductionMaven DependenciesJOSE OverviewJWA AlgorithmsJWK KeysJWS SignatureJSON EncryptionJSON Web TokensLinking JWT authentications to JWS or JWE contentJOSE JAX-RS Filters +JWEJWS +Configuration +Encrypting JWK stores +OAuth2 and JoseOIDC and JoseFuture WorkThird-Party Alternatives IntroductionCXF 3.0.x implements https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE.Maven Dependencies - JOSE OverviewJOSE is a set of high quality specifications that specify how data payloads can be signed and/or encrypted with the cryptographic properties set in JSON-formatted metadata (headers).Note that not only JSON documents but also documents in the arbitrary formats can be secured: text, binary data, even XML. JOSE is a key piece of the advanced OAuth2 applications but is also perfect at securing the regular HTTP web service communications. At the moment two signature and encryption output formats are supported: compact and JSON. Compact format is a concatenation of Base64URL-encoded JOSE headers (where the cryptographic signature or encryption properties are set),Base64URL-encoded payload (in the original form if it is signed, otherwise - encrypted), plus Base64URL-encoded signature of the payload or some of encryption process input or outpu t datasuch as an initialization vector, authentication tag, etc. 
The JSON (full) format is where all the information describing a signature or encryption process is presented in a not-compact, regular JSON document, offering a non-optimized but easier to understand format.The JSON format also supports multiple signatures when signing the content or multiple content key encryptions when encrypting the content which can be useful when multiple recipients are involved.The signature process also supports the detached body mode where the body to be signed is not included in the actual output - assuming that both the consumer and producer know how to access the original payload in order tovalidate the signature. The following subsections will have the examples with more details.JWA AlgorithmsAll JOSE signature and encryption algorithms are grouped and described in a https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40"; rel="nofollow">JSON Web Algorithms (JWA) specification.The algorithms are split into 3 categories: signature algorithms (MAC, RSA, Elliptic Curve), algorithms for supporting the encryption of content encryption keys (RSA-OAEP, Key Wrap, etc),algorithms for encrypting the actual content (AES GCM, etc).All encryption algorithms produce authentication tags which provides the protection against manipulating the already encrypted content.Refer to this specification to get all the information needed (with the follow up links to the corresponding RFC when applicable) about a particular signature or encryptionalgorithm: the properties, recommended key sizes, other security considerations related to all of or some specific algorithms.CXF offers the initial utility support for working with JWA algorithms in https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD";>this package.JWK Keys https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41"; rel="nofollow">Json Web Key (JWK) is a JSON 
document describing the cryptographic key properties. JWKs ar
svn commit: r943700 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Author: buildbot Date: Fri Mar 13 14:46:58 2015 New Revision: 943700 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-jose.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-jose.html == --- websites/production/cxf/content/docs/jax-rs-jose.html (original) +++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Mar 13 14:46:58 2015 @@ -32,6 +32,7 @@ + SyntaxHighlighter.defaults['toolbar'] = false; @@ -117,22 +118,46 @@ Apache CXF -- JAX-RS JOSE
+/*]]>*/+
- Introduction
- Maven Dependencies
- JOSE Overview -
- JAX-RS Jose Filters
- OAuth2 and Jose
- Third-Party Alternatives
JOSE JAX-RS Filters Configuration OAuth2 and Jose Third-Party Alternatives Introduction
CXF 3.0.x implements https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE.
Maven Dependencies