org.apache.cxf.configuration.jsse.TLSClientParameters Java Examples

The following examples show how to use org.apache.cxf.configuration.jsse.TLSClientParameters. The source file, project and license are noted above each example. Security note: many of these snippets come from tests or samples and deliberately weaken TLS — `setDisableCNCheck(true)` turns off hostname verification, and several install trust managers or hostname verifiers that accept any peer. Those settings remove the authentication TLS is meant to provide and should not be copied into production code.
Example #1
Source File: RestUtil.java — from the peer-os project (Apache License 2.0)
/**
 * Creates a {@link WebClient} for {@code url} whose HTTPS connections accept the
 * server's certificate without the usual checks.
 *
 * <p>SECURITY: {@code setDisableCNCheck(true)} switches off hostname verification,
 * and the trust managers come from {@code SSLManager.getClientFullTrustManagers()},
 * which — judging by its name — appears to accept any certificate chain (confirm in
 * SSLManager). Together these mean the client cannot detect a man-in-the-middle;
 * "trusted" here means the client trusts the peer unconditionally, not that the
 * peer has been verified. Use only where the peer's identity is established by
 * other means.
 *
 * @param url the endpoint to talk to
 * @return a client with the class-level timeout/retransmit defaults applied
 */
public static WebClient createTrustedWebClient( String url )
{
    WebClient client = WebClient.create( url );
    HTTPConduit conduit = ( HTTPConduit ) WebClient.getConfig( client ).getConduit();

    // Transport limits; the default* values are class-level settings outside this method.
    HTTPClientPolicy policy = new HTTPClientPolicy();
    policy.setConnectionTimeout( defaultConnectionTimeout );
    policy.setReceiveTimeout( defaultReceiveTimeout );
    policy.setMaxRetransmits( defaultMaxRetransmits );
    conduit.setClient( policy );

    // The meaning of the four null arguments is defined by SSLManager, not visible here.
    SSLManager sslManager = new SSLManager( null, null, null, null );

    TLSClientParameters tls = new TLSClientParameters();
    tls.setDisableCNCheck( true );                                    // hostname NOT verified
    tls.setTrustManagers( sslManager.getClientFullTrustManagers() );  // presumably trust-all
    conduit.setTlsClientParameters( tls );

    return client;
}
 
Example #2
Source File: HTTPConduitURLConnectionTest.java — from the cxf project (Apache License 2.0)
/**
 * Builds a URLConnection-based conduit for an https address, gives it empty
 * (default) TLS client parameters, runs {@code prepare} and returns whatever the
 * conduit stored on the message under {@code "http.connection"}.
 *
 * <p>The parameters object is untouched after construction, so no key or trust
 * managers are set explicitly; only the conduit's setup path is exercised and
 * nothing is sent to {@code secure.nowhere.null}.
 */
private Object doTestTLSServerParameters() throws Exception {
    Bus bus = new ExtensionManagerBus();

    EndpointInfo endpoint = new EndpointInfo();
    endpoint.setAddress("https://secure.nowhere.null/bar/foo");

    HTTPConduit conduit = new URLConnectionHTTPConduit(bus, endpoint, null);
    conduit.finalizeConfig();

    Message message = getNewMessage();
    // An https address needs TLS parameters on the conduit, even empty ones.
    conduit.setTlsClientParameters(new TLSClientParameters());

    conduit.prepare(message);
    return message.get("http.connection");
}
 
Example #3
Source File: HTTPConduit.java — from the cxf project (Apache License 2.0)
/**
 * Sets the TLS client parameters for this HTTPConduit, replacing whatever was
 * configured before.
 *
 * <p>When {@code params} is non-null and carries certificate constraints, the
 * conduit's {@code certConstraints} are rebuilt from them. NOTE(review): the
 * constraints are only replaced in that case — a new parameters object without
 * constraints, or a {@code null} (plain http) reconfiguration, leaves constraints
 * from an earlier configuration in place. Confirm that this is intended.
 *
 * <p>The FINE log line prints the key/trust manager arrays and the SecureRandom
 * via {@code toString()}, i.e. object identities, not key material.
 *
 * @param params the new parameters, or {@code null} to configure plain http
 */
public void setTlsClientParameters(TLSClientParameters params) {
    this.tlsClientParameters = params;

    if (params == null) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, "Conduit '" + getConduitName()
                + "' has been (re)configured for plain http.");
        }
        return;
    }

    if (LOG.isLoggable(Level.FINE)) {
        LOG.log(Level.FINE, "Conduit '" + getConduitName()
            + "' has been (re) configured for TLS "
            + "keyManagers " + Arrays.toString(params.getKeyManagers())
            + "trustManagers " + Arrays.toString(params.getTrustManagers())
            + "secureRandom " + params.getSecureRandom());
    }

    CertificateConstraintsType constraintsConfig = params.getCertConstraints();
    if (constraintsConfig != null) {
        certConstraints = CertConstraintsJaxBUtils.createCertConstraints(constraintsConfig);
    }
}
 
Example #4
Source File: HttpsURLConnectionFactoryTest.java — from the cxf project (Apache License 2.0)
/**
 * No JVM-wide key store ({@code javax.net.ssl.keyStore} cleared) and no cert
 * alias: {@code decorateWithTLS} must not throw a NullPointerException. Nothing
 * else about the decorated connection is asserted.
 */
@Test
public void noExplicitKeystoreNoCertAlias() throws Exception {
    clearDefaults();
    // Make sure no key store leaks in from the JVM system properties.
    System.clearProperty("javax.net.ssl.keyStore");
    System.clearProperty("javax.net.ssl.keyStorePassword");

    HttpsURLConnectionFactory factory = new HttpsURLConnectionFactory();
    Assert.assertNull(factory.socketFactory);

    HttpsURLConnection connection = EasyMock.createMock(HttpsURLConnection.class);

    // Force CXF to build its own socket factory instead of reusing the JVM default.
    TLSClientParameters params = new TLSClientParameters();
    params.setUseHttpsURLConnectionDefaultSslSocketFactory(false);

    try {
        factory.decorateWithTLS(params, connection);
    } catch (NullPointerException npe) {
        Assert.fail("should not fail with NullPointerException");
    }
}
 
Example #5
Source File: HttpsURLConnectionFactoryTest.java — from the cxf project (Apache License 2.0)
/**
 * No JVM-wide key store, but a cert alias ("someAlias") is requested:
 * {@code decorateWithTLS} must cope with an alias that has no key store to be
 * looked up in, i.e. it must not throw a NullPointerException.
 */
@Test
public void noExplicitKeystoreWithCertAlias() throws Exception {
    clearDefaults();
    System.clearProperty("javax.net.ssl.keyStore");
    System.clearProperty("javax.net.ssl.keyStorePassword");

    HttpsURLConnectionFactory factory = new HttpsURLConnectionFactory();
    Assert.assertNull(factory.socketFactory);

    // Alias without any key store behind it — the interesting combination here.
    TLSClientParameters params = new TLSClientParameters();
    params.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
    params.setCertAlias("someAlias");

    HttpsURLConnection connection = EasyMock.createMock(HttpsURLConnection.class);
    try {
        factory.decorateWithTLS(params, connection);
    } catch (NullPointerException npe) {
        Assert.fail("should not fail with NullPointerException");
    }
}
 
Example #6
Source File: HttpsURLConnectionFactoryTest.java — from the cxf project (Apache License 2.0)
/**
 * JVM-wide key store present (pointed at the {@code resources/defaultkeystore2}
 * test resource via {@code javax.net.ssl.keyStore}), no cert alias:
 * {@code decorateWithTLS} must not throw a NullPointerException.
 *
 * <p>NOTE(review): {@code URL.getPath()} is not URL-decoded, so a build directory
 * containing spaces or other escaped characters would yield a path the key-store
 * loader cannot open; {@code toURI()} is the usual remedy.
 */
@Test
public void defaultKeystoreNoCertAlias() throws Exception {
    clearDefaults();
    String storePath = getClass().getResource("resources/defaultkeystore2").getPath();
    System.setProperty("javax.net.ssl.keyStore", storePath);
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");  // test store password

    HttpsURLConnectionFactory factory = new HttpsURLConnectionFactory();
    Assert.assertNull(factory.socketFactory);

    HttpsURLConnection connection = EasyMock.createMock(HttpsURLConnection.class);

    TLSClientParameters params = new TLSClientParameters();
    params.setUseHttpsURLConnectionDefaultSslSocketFactory(false);

    try {
        factory.decorateWithTLS(params, connection);
    } catch (NullPointerException npe) {
        Assert.fail("should not fail with NullPointerException");
    }
}
 
Example #7
Source File: ClientNonSpring.java — from the cxf project (Apache License 2.0)
/**
 * Configures mutual TLS on the conduit behind {@code port} from the sample
 * client key store.
 *
 * <p>One JKS file ({@code src/main/config/clientKeystore.jks}, relative to the
 * working directory) serves both as key store (client identity, key password
 * "ckpass") and as trust store, so every certificate in it is accepted as a
 * server certificate. Hard-coded passwords and a CWD-relative path are fine for
 * a sample, not for real deployments.
 *
 * <p>SECURITY: {@code setDisableCNCheck(true)} disables hostname verification —
 * any certificate in the store is accepted for any host.
 *
 * @param port the JAX-WS proxy whose client conduit is reconfigured
 */
private static void setupTLS(Greeter port)
    throws IOException, GeneralSecurityException {
    final KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = new FileInputStream("src/main/config/clientKeystore.jks")) {
        store.load(in, "cspass".toCharArray());
    }

    final KeyManagerFactory keyFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyFactory.init(store, "ckpass".toCharArray());

    final TrustManagerFactory trustFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustFactory.init(store);

    final TLSClientParameters tls = new TLSClientParameters();
    tls.setDisableCNCheck(true);
    tls.setKeyManagers(keyFactory.getKeyManagers());
    tls.setTrustManagers(trustFactory.getTrustManagers());

    HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
    conduit.setTlsClientParameters(tls);
}
 
Example #8
Source File: HttpsURLConnectionFactoryTest.java — from the cxf project (Apache License 2.0)
/**
 * JVM-wide key store present ({@code resources/defaultkeystore2}) and a cert
 * alias ("someAlias") requested: {@code decorateWithTLS} must not throw a
 * NullPointerException. Whether the alias actually exists in the store is not
 * part of this check.
 *
 * <p>NOTE(review): {@code URL.getPath()} returns the undecoded path; see the
 * sibling test without alias for the same caveat.
 */
@Test
public void defaultKeystoreWithCertAlias() throws Exception {
    clearDefaults();
    String storePath = getClass().getResource("resources/defaultkeystore2").getPath();
    System.setProperty("javax.net.ssl.keyStore", storePath);
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");

    HttpsURLConnectionFactory factory = new HttpsURLConnectionFactory();
    Assert.assertNull(factory.socketFactory);

    TLSClientParameters params = new TLSClientParameters();
    params.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
    params.setCertAlias("someAlias");

    HttpsURLConnection connection = EasyMock.createMock(HttpsURLConnection.class);
    try {
        factory.decorateWithTLS(params, connection);
    } catch (NullPointerException npe) {
        Assert.fail("should not fail with NullPointerException");
    }
}
 
Example #9
Source File: HttpConduitConfigurationTest.java — from the cxf project (Apache License 2.0)
/**
 * Asserts that {@code conduit} carries the values the test configuration is
 * expected to produce: basic-auth user "Betty"/"password"; TLS parameters with
 * the hostname (CN) check disabled and an SSL cache timeout of 3600000; exactly
 * one X509 key manager and one X509 trust manager; a cipher-suite filter with one
 * include and one exclude pattern; and a chunk length of 10240.
 *
 * @param conduit the configured conduit under test
 */
private void verifyConduit(HTTPConduit conduit) {
    AuthorizationPolicy authorization = conduit.getAuthorization();
    assertNotNull(authorization);
    assertEquals("Betty", authorization.getUserName());
    assertEquals("password", authorization.getPassword());

    TLSClientParameters tls = conduit.getTlsClientParameters();
    assertNotNull(tls);
    assertTrue(tls.isDisableCNCheck());             // the configuration turns hostname verification off
    assertEquals(3600000, tls.getSslCacheTimeout());

    KeyManager[] keyManagers = tls.getKeyManagers();
    assertTrue(keyManagers != null && keyManagers.length == 1);
    assertTrue(keyManagers[0] instanceof X509KeyManager);

    TrustManager[] trustManagers = tls.getTrustManagers();
    assertTrue(trustManagers != null && trustManagers.length == 1);
    assertTrue(trustManagers[0] instanceof X509TrustManager);

    FiltersType cipherFilter = tls.getCipherSuitesFilter();
    assertNotNull(cipherFilter);
    assertEquals(1, cipherFilter.getInclude().size());
    assertEquals(1, cipherFilter.getExclude().size());

    assertEquals(10240, conduit.getClient().getChunkLength());
}
 
Example #10
Source File: BatchResponse.java — from the syncope project (Apache License 2.0)
/**
 * If asynchronous processing was requested, queries the monitor URI.
 *
 * <p>The bearer token is sent in the {@code Authorization} header — keep the
 * resulting request out of logs. The first two characters of {@code boundary}
 * are dropped before it is used in the content type (presumably the leading
 * "--" of the multipart delimiter; verify against the caller). A {@code null}
 * {@code tlsClientParameters} leaves the conduit's TLS configuration untouched.
 *
 * @param monitor monitor URI
 * @param jwt authorization JWT
 * @param boundary multipart / mixed boundary
 * @param tlsClientParameters (optional) TLS client parameters
 *
 * @return the last Response received from the Batch service
 */
public static Response poll(
        final URI monitor,
        final String jwt,
        final String boundary,
        final TLSClientParameters tlsClientParameters) {

    String contentType = RESTHeaders.multipartMixedWith(boundary.substring(2));
    WebClient webClient = WebClient.create(monitor)
            .header(HttpHeaders.AUTHORIZATION, "Bearer " + jwt)
            .type(contentType);

    if (tlsClientParameters != null) {
        HTTPConduit conduit = (HTTPConduit) WebClient.getConfig(webClient).getConduit();
        conduit.setTlsClientParameters(tlsClientParameters);
    }

    return webClient.get();
}
 
Example #11
Source File: SyncopeClient.java — from the syncope project (Apache License 2.0)
/**
 * Creates a client over the given REST client factory.
 *
 * <p>A mutable headers map is guaranteed on the factory before {@code init}
 * runs. NOTE(review): {@code useCompression} is assigned only after
 * {@code init(handler)}; if {@code init} consults that flag it sees the field's
 * default value. The ordering is kept as-is here — confirm it is intentional.
 *
 * @param mediaType media type used for requests
 * @param restClientFactory factory producing the underlying CXF clients
 * @param exceptionMapper maps REST errors to client exceptions
 * @param handler authentication handler passed to {@code init}
 * @param useCompression whether request/response compression is enabled
 * @param tlsClientParameters TLS settings for the REST connections (may be null)
 */
public SyncopeClient(
        final MediaType mediaType,
        final JAXRSClientFactoryBean restClientFactory,
        final RestClientExceptionMapper exceptionMapper,
        final AuthenticationHandler handler,
        final boolean useCompression,
        final TLSClientParameters tlsClientParameters) {

    this.mediaType = mediaType;
    this.restClientFactory = restClientFactory;
    this.exceptionMapper = exceptionMapper;
    this.tlsClientParameters = tlsClientParameters;

    boolean headersMissing = restClientFactory.getHeaders() == null;
    if (headersMissing) {
        restClientFactory.setHeaders(new HashMap<>());
    }

    init(handler);
    this.useCompression = useCompression;
}
 
Example #12
Source File: SSLNettyServerTest.java — from the cxf project (Apache License 2.0)
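/**
 * Configures mutual TLS on the conduit behind {@code port} from the test client
 * store.
 *
 * <p>The same JKS resource ({@code /keys/clientstore.jks}) is loaded twice: once
 * as key store (client identity, key password "ckpass") and once as trust store.
 * Hostname verification is disabled — acceptable only in this test, never in
 * production.
 *
 * <p>Changes: the resource streams are now closed (try-with-resources), and a
 * missing resource fails with {@link FileNotFoundException} instead of silently
 * loading an empty store ({@code KeyStore.load} accepts a {@code null} stream).
 *
 * @param port the JAX-WS proxy whose HTTP conduit is reconfigured
 */
private static void setupTLS(Greeter port)
    throws FileNotFoundException, IOException, GeneralSecurityException {
    String keyStoreLoc = "/keys/clientstore.jks";
    char[] storePassword = "cspass".toCharArray();
    String keyPassword = "ckpass";
    HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();

    TLSClientParameters tlsCP = new TLSClientParameters();

    // Key managers: the certificate/private key this client presents.
    KeyStore keyStore = KeyStore.getInstance("JKS");
    try (java.io.InputStream in = SSLNettyServerTest.class.getResourceAsStream(keyStoreLoc)) {
        if (in == null) {
            throw new FileNotFoundException("classpath resource not found: " + keyStoreLoc);
        }
        keyStore.load(in, storePassword);
    }
    tlsCP.setKeyManagers(getKeyManagers(keyStore, keyPassword));

    // Trust managers: which server certificates are accepted (same store).
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (java.io.InputStream in = SSLNettyServerTest.class.getResourceAsStream(keyStoreLoc)) {
        if (in == null) {
            throw new FileNotFoundException("classpath resource not found: " + keyStoreLoc);
        }
        trustStore.load(in, storePassword);
    }
    tlsCP.setTrustManagers(getTrustManagers(trustStore));

    // Test-only: the server certificate is not expected to match the host name used here.
    tlsCP.setDisableCNCheck(true);
    httpConduit.setTlsClientParameters(tlsCP);
}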
 
Example #13
Source File: SSLNettyClientTest.java — from the cxf project (Apache License 2.0)
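/**
 * Configures mutual TLS on the Netty conduit behind {@code port} from the test
 * client store.
 *
 * <p>The same JKS resource ({@code /keys/clientstore.jks}) is loaded twice: once
 * as key store (client identity, key password "ckpass") and once as trust store.
 * Hostname verification is disabled — acceptable only in this test, never in
 * production.
 *
 * <p>Changes: the resource streams are now closed (try-with-resources), and a
 * missing resource fails with {@link FileNotFoundException} instead of silently
 * loading an empty store ({@code KeyStore.load} accepts a {@code null} stream).
 *
 * @param port the JAX-WS proxy whose Netty conduit is reconfigured
 */
private static void setupTLS(Greeter port)
    throws FileNotFoundException, IOException, GeneralSecurityException {
    String keyStoreLoc = "/keys/clientstore.jks";
    char[] storePassword = "cspass".toCharArray();
    String keyPassword = "ckpass";
    NettyHttpConduit httpConduit = (NettyHttpConduit) ClientProxy.getClient(port).getConduit();

    TLSClientParameters tlsCP = new TLSClientParameters();

    // Key managers: the certificate/private key this client presents.
    KeyStore keyStore = KeyStore.getInstance("JKS");
    try (java.io.InputStream in = SSLNettyClientTest.class.getResourceAsStream(keyStoreLoc)) {
        if (in == null) {
            throw new FileNotFoundException("classpath resource not found: " + keyStoreLoc);
        }
        keyStore.load(in, storePassword);
    }
    tlsCP.setKeyManagers(getKeyManagers(keyStore, keyPassword));

    // Trust managers: which server certificates are accepted (same store).
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (java.io.InputStream in = SSLNettyClientTest.class.getResourceAsStream(keyStoreLoc)) {
        if (in == null) {
            throw new FileNotFoundException("classpath resource not found: " + keyStoreLoc);
        }
        trustStore.load(in, storePassword);
    }
    tlsCP.setTrustManagers(getTrustManagers(trustStore));

    // Test-only: the server certificate is not expected to match the host name used here.
    tlsCP.setDisableCNCheck(true);
    httpConduit.setTlsClientParameters(tlsCP);
}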
 
Example #14
Source File: TLSClientParametersUtils.java — from the cxf project (Apache License 2.0)
/**
 * Builds test-client TLS parameters from the shared client store resource
 * ({@code CLIENTSTORE}, opened with {@code KEYSTORE_PASS}). The one store
 * supplies both the client key (unlocked with {@code KEY_PASS}) and the
 * trusted certificates.
 *
 * <p>Hostname verification is turned off ({@code setDisableCNCheck(true)}),
 * presumably because the test servers do not present certificates for the host
 * names used — keep this to test code.
 *
 * @return parameters with key managers, trust managers and the CN check disabled
 * @throws GeneralSecurityException if the store or the factories cannot be initialised
 * @throws IOException if the store resource cannot be read
 */
public static TLSClientParameters getTLSClientParameters() throws GeneralSecurityException, IOException {
    final KeyStore store;
    try (InputStream in = ClassLoaderUtils.getResourceAsStream(CLIENTSTORE, TLSClientParametersUtils.class)) {
        store = CryptoUtils.loadKeyStore(in, KEYSTORE_PASS.toCharArray(), null);
    }

    final KeyManagerFactory keyFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyFactory.init(store, KEY_PASS.toCharArray());

    final TrustManagerFactory trustFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustFactory.init(store);

    final TLSClientParameters params = new TLSClientParameters();
    params.setDisableCNCheck(true);   // test-only, see Javadoc
    params.setKeyManagers(keyFactory.getKeyManagers());
    params.setTrustManagers(trustFactory.getTrustManagers());
    return params;
}
 
Example #15
Source File: JAXRS20HttpsBookTest.java — from the cxf project (Apache License 2.0)
/**
 * Builds an {@link SSLContext} for the HTTPS book tests: trusted server
 * certificates come from {@code keys/Truststore.jks}, the client identity from
 * {@code keys/Morpit.jks} (both protected with "password").
 *
 * <p>This example does not call {@code setDisableCNCheck}; note that an
 * SSLContext does not perform hostname verification by itself — that is decided
 * wherever the context is used. The CXF helper {@code SSLUtils.getSSLContext}
 * turns the parameters into the context.
 */
private SSLContext createSSLContext() throws Exception {
    TLSClientParameters tls = new TLSClientParameters();

    // Trust side: which server certificates are accepted.
    try (InputStream trustIn = ClassLoaderUtils.getResourceAsStream("keys/Truststore.jks", this.getClass())) {
        TrustManagerFactory trustFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustFactory.init(loadStore(trustIn, "password"));
        tls.setTrustManagers(trustFactory.getTrustManagers());
    }

    // Key side: the certificate/private key this client presents.
    try (InputStream keyIn = ClassLoaderUtils.getResourceAsStream("keys/Morpit.jks", this.getClass())) {
        KeyManagerFactory keyFactory =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyFactory.init(loadStore(keyIn, "password"), "password".toCharArray());
        tls.setKeyManagers(keyFactory.getKeyManagers());
    }

    return SSLUtils.getSSLContext(tls);
}
 
Example #16
Source File: RestUtil.java — from the peer-os project (Apache License 2.0)
/**
 * Same as the single-argument variant, but registers one JAX-RS {@code provider}
 * on the client.
 *
 * <p>SECURITY: the HTTPS layer is deliberately permissive — hostname
 * verification is disabled and the trust managers come from
 * {@code SSLManager.getClientFullTrustManagers()}, which by its name appears to
 * accept any certificate chain (confirm in SSLManager). A network attacker in
 * the path can therefore impersonate {@code url}. Use only where the peer's
 * identity is established by other means.
 *
 * @param url the endpoint to talk to
 * @param provider a single JAX-RS provider (e.g. a message body reader/writer)
 * @return a client with the class-level timeout/retransmit defaults applied
 */
public static WebClient createTrustedWebClient( String url, Object provider )
{
    WebClient client = WebClient.create( url, Arrays.asList( provider ) );
    HTTPConduit conduit = ( HTTPConduit ) WebClient.getConfig( client ).getConduit();

    HTTPClientPolicy policy = new HTTPClientPolicy();
    policy.setConnectionTimeout( defaultConnectionTimeout );
    policy.setReceiveTimeout( defaultReceiveTimeout );
    policy.setMaxRetransmits( defaultMaxRetransmits );
    conduit.setClient( policy );

    // What the four null arguments mean is defined by SSLManager, outside this listing.
    SSLManager sslManager = new SSLManager( null, null, null, null );

    TLSClientParameters tls = new TLSClientParameters();
    tls.setDisableCNCheck( true );                                    // hostname NOT verified
    tls.setTrustManagers( sslManager.getClientFullTrustManagers() );  // presumably trust-all
    conduit.setTlsClientParameters( tls );

    return client;
}
 
Example #17
Source File: AbstractSTSTest.java — from the cxf-fediz project (Apache License 2.0)
/**
 * Builds TLS client parameters from the test properties.
 *
 * <p>The trust store ({@code PROPERTY_TRUSTSTORE} / {@code PROPERTY_TRUSTSTORE_PW})
 * is mandatory. A client key store is wired in only when {@code initKeystore} is
 * true and {@code PROPERTY_KEYSTORE} is set; its store and key passwords are then
 * mandatory as well. Loading is delegated to {@code Utils.initTLSClientParameters}.
 *
 * @param testProps properties read by the test
 * @param initKeystore whether to configure a client certificate (mutual TLS)
 * @return the populated parameters
 */
protected TLSClientParameters initTLSClientParameters(Properties testProps, boolean initKeystore)
    throws URISyntaxException, GeneralSecurityException, IOException {
    String truststoreFile = testProps.getProperty(PROPERTY_TRUSTSTORE);
    String truststorePassword = testProps.getProperty(PROPERTY_TRUSTSTORE_PW);
    Assert.assertNotNull("Property '" + PROPERTY_TRUSTSTORE + "' null", truststoreFile);
    Assert.assertNotNull("Property '" + PROPERTY_TRUSTSTORE_PW + "' null", truststorePassword);

    TLSClientParameters params = new TLSClientParameters();
    String keystoreFile = testProps.getProperty(PROPERTY_KEYSTORE);
    if (!initKeystore || keystoreFile == null) {
        // Server-authenticated TLS only: no client key material.
        Utils.initTLSClientParameters(params, null, null, null, truststoreFile, truststorePassword);
        return params;
    }

    String keystorePassword = testProps.getProperty(PROPERTY_KEYSTORE_PW);
    String keyPassword = testProps.getProperty(PROPERTY_KEYSTORE_KEY_PW);
    Assert.assertNotNull("Property '" + PROPERTY_KEYSTORE_PW + "' null", keystorePassword);
    Assert.assertNotNull("Property '" + PROPERTY_KEYSTORE_KEY_PW + "' null", keyPassword);
    Utils.initTLSClientParameters(params, keystoreFile, keystorePassword, keyPassword,
                                  truststoreFile, truststorePassword);
    return params;
}
 
Example #18
Source File: SSLUtils.java — from the cxf project (Apache License 2.0)
/**
 * Creates and initialises an {@link SSLContext} from the given parameters.
 *
 * <p>Resolution rules visible here:
 * <ul>
 *   <li>protocol: {@code getSecureSocketProtocol()}, or the generic "TLS" when
 *       unset — the provider then picks which TLS versions are enabled;</li>
 *   <li>provider: {@code getJsseProvider()} if set, otherwise the default;</li>
 *   <li>key/trust managers: taken from the parameters; for client parameters a
 *       {@code null} array is replaced by the CXF default store managers. Whatever
 *       is still {@code null} afterwards is passed to {@code SSLContext.init},
 *       which per the JSSE contract then falls back to the JDK's installed defaults;</li>
 *   <li>a cert alias, if any, is applied by {@code configureKeyManagersWithCertAlias};</li>
 *   <li>for client parameters the session-cache timeout is copied onto the
 *       client session context (units as defined by {@code SSLSessionContext}).</li>
 * </ul>
 *
 * @param parameters client or server TLS parameters
 * @return an initialised context (a new one on every call; see TODO)
 * @throws GeneralSecurityException if the protocol/provider is unavailable or init fails
 */
public static SSLContext getSSLContext(TLSParameterBase parameters) throws GeneralSecurityException {
    // TODO do we need to cache the context
    final boolean clientSide = parameters instanceof TLSClientParameters;

    String protocol = parameters.getSecureSocketProtocol();
    if (protocol == null) {
        protocol = "TLS";
    }
    String provider = parameters.getJsseProvider();
    SSLContext context;
    if (provider == null) {
        context = SSLContext.getInstance(protocol);
    } else {
        context = SSLContext.getInstance(protocol, provider);
    }

    KeyManager[] keyManagers = parameters.getKeyManagers();
    if (keyManagers == null && clientSide) {
        keyManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultKeyStoreManagers(LOG);
    }
    KeyManager[] aliasedKeyManagers = configureKeyManagersWithCertAlias(parameters, keyManagers);

    TrustManager[] trustManagers = parameters.getTrustManagers();
    if (trustManagers == null && clientSide) {
        trustManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultTrustStoreManagers(LOG);
    }

    context.init(aliasedKeyManagers, trustManagers, parameters.getSecureRandom());

    if (clientSide && context.getClientSessionContext() != null) {
        int cacheTimeout = ((TLSClientParameters) parameters).getSslCacheTimeout();
        context.getClientSessionContext().setSessionTimeout(cacheTimeout);
    }

    return context;
}
 
Example #19
Source File: SSLUtils.java — from the cxf project (Apache License 2.0)
/**
 * Chooses the {@link HostnameVerifier} for a client connection, in this order:
 * <ol>
 *   <li>an explicitly configured verifier;</li>
 *   <li>the JVM-wide {@code HttpsURLConnection} default verifier, if
 *       {@code isUseHttpsURLConnectionDefaultHostnameVerifier()};</li>
 *   <li>{@code AllowAllHostnameVerifier} if {@code isDisableCNCheck()} — every
 *       certificate is accepted for every host, i.e. no hostname verification
 *       at all (SECURITY: only for tests);</li>
 *   <li>otherwise CXF's {@code DefaultHostnameVerifier} with the public-suffix list.</li>
 * </ol>
 * Because step 2 precedes step 3, {@code disableCNCheck} has no effect while the
 * JVM default verifier is selected.
 *
 * @param tlsClientParameters client TLS settings (must not be null)
 * @return the verifier to install on the connection
 */
public static HostnameVerifier getHostnameVerifier(TLSClientParameters tlsClientParameters) {
    HostnameVerifier explicit = tlsClientParameters.getHostnameVerifier();
    if (explicit != null) {
        return explicit;
    }
    if (tlsClientParameters.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
        return HttpsURLConnection.getDefaultHostnameVerifier();
    }
    if (tlsClientParameters.isDisableCNCheck()) {
        return new AllowAllHostnameVerifier();   // accepts any host name
    }
    return new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
}
 
Example #20
Source File: BatchRequest.java — from the syncope project (Apache License 2.0)
/**
 * Creates a batch request bound to {@code address}.
 *
 * @param mediaType media type of the individual batch items
 * @param address base address of the REST API
 * @param providers JAX-RS providers for the underlying client
 * @param jwt bearer token sent with the batch call — a credential, keep it out of logs
 * @param tlsClientParameters TLS settings for the connection; {@code null}
 *        presumably means "keep the CXF defaults"
 */
public BatchRequest(
        final MediaType mediaType,
        final String address,
        final List<?> providers,
        final String jwt,
        final TLSClientParameters tlsClientParameters) {

    this.mediaType = mediaType;
    this.address = address;
    this.providers = providers;
    this.jwt = jwt;
    this.tlsClientParameters = tlsClientParameters;
    // Runs last so that it can read every field assigned above.
    initBatchClientFactoryBean();
}
 
Example #21
Source File: MicroProfileClientFactoryBean.java — from the cxf project (Apache License 2.0)
/**
 * Completes client initialisation with the MicroProfile-specific settings.
 *
 * <p>TLS parameters from {@code secConfig} are installed on the HTTP conduit only
 * when at least one of socket factory, trust managers or hostname verifier was
 * customised; otherwise the conduit keeps its own configuration. Auto-redirect
 * and HTTP proxy host/port are read from the client configuration properties.
 *
 * <p>NOTE(review): the proxy port is obtained via an unboxing cast of the raw
 * property value — a missing port property throws NullPointerException and a
 * non-Integer value throws ClassCastException; neither is handled here.
 *
 * @param client the client being initialised
 * @param ep its endpoint; receives the provider factory under CLIENT_FACTORY_NAME
 * @param addHeaders passed through to the superclass
 */
@Override
protected void initClient(AbstractClient client, Endpoint ep, boolean addHeaders) {
    super.initClient(client, ep, addHeaders);

    HTTPConduit conduit = client.getConfiguration().getHttpConduit();

    TLSClientParameters tlsParams = secConfig.getTlsClientParams();
    boolean tlsCustomised = tlsParams.getSSLSocketFactory() != null
        || tlsParams.getTrustManagers() != null
        || tlsParams.getHostnameVerifier() != null;
    if (tlsCustomised) {
        conduit.setTlsClientParameters(tlsParams);
    }

    if (PropertyUtils.isTrue(configuration.getProperty(ClientProperties.HTTP_AUTOREDIRECT_PROP))) {
        conduit.getClient().setAutoRedirect(true);
    }

    String proxyHost = (String) configuration.getProperty(ClientProperties.HTTP_PROXY_SERVER_PROP);
    if (proxyHost != null) {
        conduit.getClient().setProxyServer(proxyHost);
        int proxyPort = (int) configuration.getProperty(ClientProperties.HTTP_PROXY_SERVER_PORT_PROP);
        conduit.getClient().setProxyServerPort(proxyPort);
    }

    MicroProfileClientProviderFactory providerFactory =
        MicroProfileClientProviderFactory.createInstance(getBus(), comparator);
    providerFactory.setUserProviders(registeredProviders);
    ep.put(MicroProfileClientProviderFactory.CLIENT_FACTORY_NAME, providerFactory);
}
 
Example #22
Source File: HTTPSConduitTest.java — from the cxf project (Apache License 2.0)
/**
 * Verifies the "Bethal" client as configured by the test setup: auto-redirect
 * on, TLS parameters present, basic-auth credentials "Betty"/"password", and —
 * after routing through the test proxy — that five HTTPS calls succeed while the
 * proxy records zero requests.
 *
 * @param bethal the JAX-WS proxy whose conduit is inspected
 */
private void verifyBethalClient(Greeter bethal) {
    Client client = ClientProxy.getClient(bethal);
    HTTPConduit conduit = (HTTPConduit) client.getConduit();

    HTTPClientPolicy policy = conduit.getClient();
    assertTrue("the httpClientPolicy's autoRedirect should be true", policy.isAutoRedirect());

    TLSClientParameters tls = conduit.getTlsClientParameters();
    assertNotNull("the http conduit's tlsParameters should not be null", tls);

    // Bethal (the test server) accepts any user name other than Edward, Mary or
    // George as long as the password is "password"; Betty is configured here.
    AuthorizationPolicy auth = conduit.getAuthorization();
    assertEquals("Set the wrong user name from the configuration", "Betty", auth.getUserName());
    assertEquals("Set the wrong pass word form the configuration", "password", auth.getPassword());

    configureProxy(client);

    // Five round trips; only the last reply is checked, the count feeds the proxy assertion.
    String answer = null;
    for (int call = 0; call < 5; call++) {
        answer = bethal.sayHi();
    }
    assertTrue("Unexpected answer: " + answer, "Bonjour from Bethal".equals(answer));

    // With HTTPS the proxy only sees a CONNECT and encrypted bytes, so it cannot
    // distinguish — or count — the individual requests.
    assertProxyRequestCount(0);
}
 
Example #23
Source File: CalculatorTest.java — from the tomee project (Apache License 2.0)
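/**
 * Configures the TLS client side of the CXF conduit behind {@code port}.
 *
 * <p>The client identity comes from {@code META-INF/clientStore.jks} (alias
 * "clientalias"). The trust side is deliberately insecure for this test:
 * {@code getTrustManagers()} supplies managers that do not validate the chain,
 * and the hostname verifier accepts every host. Neither belongs in production —
 * use a real trust store (or the JVM cacerts) and keep hostname verification on.
 *
 * <p>Changes: the key-store stream is closed after loading, and a missing
 * resource now raises an {@link IOException} instead of silently producing an
 * empty key store ({@code KeyStore.load} accepts a {@code null} stream).
 *
 * @param port JAX-WS proxy whose client conduit is reconfigured
 * @throws GeneralSecurityException if the store cannot be parsed or the key managers built
 * @throws IOException if the key store resource is missing or unreadable
 */
public static void setupTLS(final Object port) throws GeneralSecurityException, IOException {

        final HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();

        final TLSClientParameters tlsCP = new TLSClientParameters();
        final String storePassword = "keystorePass";
        final String keyPassword = "clientPassword";
        final String keyStoreLoc = "META-INF/clientStore.jks";

        final KeyStore keyStore = KeyStore.getInstance("jks");
        try (java.io.InputStream in =
                 Thread.currentThread().getContextClassLoader().getResourceAsStream(keyStoreLoc)) {
            if (in == null) {
                throw new IOException("key store resource not found on classpath: " + keyStoreLoc);
            }
            keyStore.load(in, storePassword.toCharArray());
        }

        // set the key managers from the Java KeyStore we just loaded
        final KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
        tlsCP.setKeyManagers(myKeyManagers);
        tlsCP.setCertAlias("clientalias"); // in case there is multiple certs in the keystore, make sure we pick the one we want

        // Create a trust manager that does not validate certificate chains
        // this should not be done in production. It's recommended to create a cacerts with the certificate chain or
        // to rely on a well known CA such as Verisign which is already available in the JVM
        TrustManager[] trustAllCerts = getTrustManagers();
        tlsCP.setTrustManagers(trustAllCerts);

        // don't check the host name of the certificate to match the server (running locally)
        // this should not be done on a real production system
        tlsCP.setHostnameVerifier((s, sslSession) -> true);

        httpConduit.setTlsClientParameters(tlsCP);
    }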
 
Example #24
Source File: HttpConduitConfigApplier.java — from the cxf project (Apache License 2.0)
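/**
 * Applies one {@code certConstraints.*} configuration property to {@code p}.
 *
 * <p>Recognised keys (after the {@code certConstraints.} prefix):
 * {@code SubjectDNConstraints.combinator}, {@code SubjectDNConstraints.RegularExpression},
 * {@code IssuerDNConstraints.combinator} and {@code IssuerDNConstraints.RegularExpression}.
 * Any other key is silently ignored. The constraint containers are created
 * lazily so several properties can accumulate into the same
 * {@link CertificateConstraintsType}.
 *
 * <p>Bug fix: the {@code RegularExpression} branch previously added the key
 * ({@code k}, i.e. the literal string "RegularExpression") to the pattern list
 * instead of the property value, so a DN pattern configured this way was never
 * applied. It now adds {@code v}. Since configuration keys are unique, only one
 * pattern per DN-constraint block can be supplied through this path (inferred
 * from the key-based dispatch).
 *
 * @param p TLS client parameters whose cert constraints are updated in place
 * @param k full property key; must start with {@code certConstraints.}
 * @param v property value: a combinator name or a DN regular expression
 */
private void parseCertConstaints(TLSClientParameters p, String k, String v) {
    k = k.substring("certConstraints.".length());
    CertificateConstraintsType cct = p.getCertConstraints();
    if (cct == null) {
        cct = new CertificateConstraintsType();
        p.setCertConstraints(cct);
    }
    DNConstraintsType dnct = null;
    if (k.startsWith("SubjectDNConstraints.")) {
        dnct = cct.getSubjectDNConstraints();
        if (dnct == null) {
            dnct = new DNConstraintsType();
            cct.setSubjectDNConstraints(dnct);
        }
        k = k.substring("SubjectDNConstraints.".length());
    } else if (k.startsWith("IssuerDNConstraints.")) {
        dnct = cct.getIssuerDNConstraints();
        if (dnct == null) {
            dnct = new DNConstraintsType();
            cct.setIssuerDNConstraints(dnct);
        }
        k = k.substring("IssuerDNConstraints.".length());
    }
    if (dnct != null) {
        if ("combinator".equals(k)) {
            // Presumably throws on an unknown combinator name (JAXB enum fromValue).
            dnct.setCombinator(CombinatorType.fromValue(v));
        } else if ("RegularExpression".equals(k)) {
            dnct.getRegularExpression().add(v);   // was add(k): stored the key name, not the pattern
        }
    }
}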
 
Example #25
Source File: HTTPConduit.java — from the cxf project (Apache License 2.0)
/**
 * Fills in every conduit setting that was not configured programmatically from
 * the endpoint's traversed extensors.
 *
 * <p>Client, authorization and proxy-authorization policies get a fresh default
 * object when the endpoint carries none; TLS parameters, trust decider and auth
 * supplier stay {@code null} in that case. A {@code null} TLS configuration
 * therefore means "no conduit-level TLS settings".
 *
 * @param conduit conduit to complete; existing non-null settings are kept
 * @param endpointInfo source of the extensor values
 */
private static void configureConduitFromEndpointInfo(HTTPConduit conduit,
        EndpointInfo endpointInfo) {
    // Settings that always get an object, falling back to a default instance.
    if (conduit.getClient() == null) {
        HTTPClientPolicy fallback = new HTTPClientPolicy();
        conduit.setClient(endpointInfo.getTraversedExtensor(fallback, HTTPClientPolicy.class));
    }
    if (conduit.getAuthorization() == null) {
        AuthorizationPolicy fallback = new AuthorizationPolicy();
        conduit.setAuthorization(endpointInfo.getTraversedExtensor(fallback, AuthorizationPolicy.class));
    }
    if (conduit.getProxyAuthorization() == null) {
        ProxyAuthorizationPolicy fallback = new ProxyAuthorizationPolicy();
        conduit.setProxyAuthorization(
                endpointInfo.getTraversedExtensor(fallback, ProxyAuthorizationPolicy.class));
    }

    // Optional settings: absent from the endpoint means they stay null.
    if (conduit.getTlsClientParameters() == null) {
        conduit.setTlsClientParameters(
                endpointInfo.getTraversedExtensor(null, TLSClientParameters.class));
    }
    if (conduit.getTrustDecider() == null) {
        conduit.setTrustDecider(endpointInfo.getTraversedExtensor(null, MessageTrustDecider.class));
    }
    if (conduit.getAuthSupplier() == null) {
        conduit.setAuthSupplier(endpointInfo.getTraversedExtensor(null, HttpAuthSupplier.class));
    }
}
 
Example #26
Source File: URLConnectionHTTPConduit.java — from the cxf project (Apache License 2.0)
/**
 * Creates the {@link HttpURLConnection} for one outgoing message.
 *
 * <p>SECURITY: the TLS parameters are taken from the message context first
 * ({@code message.get(TLSClientParameters.class)}) and only then from the
 * conduit. Anything that can place a TLSClientParameters instance on the
 * message can therefore replace the conduit's trust and key configuration for
 * that request — treat that context entry as privileged.
 *
 * @param message outgoing message; {@code "http.scheme"} is recorded on it
 * @param address target address (URL, URI and default proxy)
 * @param csPolicy client policy used by the proxy factory
 * @return the connection built by the factory for the resolved proxy and TLS settings
 * @throws IOException if the connection cannot be created
 */
private HttpURLConnection createConnection(Message message, Address address, HTTPClientPolicy csPolicy)
    throws IOException {
    URI uri = address.getURI();
    message.put("http.scheme", uri.getScheme());

    Proxy configuredProxy = proxyFactory.createProxy(csPolicy, uri);
    Proxy effectiveProxy = configuredProxy == null ? address.getDefaultProxy() : configuredProxy;

    // Per-message TLS settings override the conduit-wide ones.
    TLSClientParameters tls = message.get(TLSClientParameters.class);
    if (tls == null) {
        tls = tlsClientParameters;
    }

    return connectionFactory.createConnection(tls, effectiveProxy, address.getURL());
}
 
Example #27
Source File: AbstractSTSTest.java — from the cxf-fediz project (Apache License 2.0)
/**
 * Requests a security token from the realm's {@code STSServiceTransportUT}
 * endpoint, authenticating with {@code username}/{@code password}.
 *
 * <p>The credentials are handed to the STS client as
 * {@code SecurityConstants.USERNAME}/{@code PASSWORD} (presumably sent as a
 * WS-Security UsernameToken, given the "UT" endpoint); the supplied TLS
 * parameters are what protects them on the wire, which is why the test asserts
 * they are in place on the conduit before the call. BSP compliance is switched
 * off for the STS client.
 */
protected SecurityToken requestSecurityTokenUsernamePassword(String username, String password,
                                                             String tokenType, String keyType, String realm,
                                                             Bus bus, TLSClientParameters tlsClientParameters,
                                                             String baseEndpointUrl)
    throws Exception {
    final String wsTrustNs = "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}";
    String endpointUrl = baseEndpointUrl + realm + "/STSServiceTransportUT";

    STSClient stsClient = new STSClient(bus);
    stsClient.setWsdlLocation(endpointUrl + "?wsdl");
    stsClient.setServiceName(wsTrustNs + "SecurityTokenService");
    stsClient.setEndpointName(wsTrustNs + "TransportUT_Port");

    // TLS for the STS client, asserted to be present before anything goes out.
    HTTPConduit conduit = (HTTPConduit) stsClient.getClient().getConduit();
    conduit.setTlsClientParameters(tlsClientParameters);
    Assert.assertNotNull("the http conduit's tlsParameters should not be null",
                         conduit.getTlsClientParameters());

    Map<String, Object> props = new HashMap<>();
    props.put(SecurityConstants.USERNAME, username);
    props.put(SecurityConstants.PASSWORD, password);
    props.put(SecurityConstants.IS_BSP_COMPLIANT, "false");
    stsClient.setProperties(props);
    stsClient.setTokenType(tokenType);
    stsClient.setKeyType(keyType);

    return stsClient.requestSecurityToken(endpointUrl);
}
 
Example #28
Source File: AbstractSTSTest.java — from the cxf-fediz project (Apache License 2.0)
/**
 * Requests a security token from the realm's {@code STSServiceTransport}
 * endpoint on behalf of the subject in {@code supportingToken}.
 *
 * <p>The supporting token is mandatory and becomes the OnBehalfOf element.
 * Optional claims are added via {@code createClaimsElement}. When
 * {@code appliesTo} is given, WS-Addressing 2005/08 is enabled and the token is
 * scoped to that address; otherwise an unscoped token is requested. TLS for the
 * STS client comes from the supplied parameters and is asserted to be present
 * before the call; BSP compliance is switched off.
 */
protected SecurityToken requestSecurityTokenOnbehalfOf(String tokenType, String keyType, String realm,
    String appliesTo, List<String> claims, Element supportingToken,
    Bus bus, TLSClientParameters tlsClientParameters,
    String baseEndpointUrl)
    throws Exception {

    final String wsTrustNs = "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}";
    String endpointUrl = baseEndpointUrl + realm + "/STSServiceTransport";

    STSClient stsClient = new STSClient(bus);
    stsClient.setWsdlLocation(endpointUrl + "?wsdl");
    stsClient.setServiceName(wsTrustNs + "SecurityTokenService");
    stsClient.setEndpointName(wsTrustNs + "Transport_Port");

    // TLS for the STS client, asserted to be present before anything goes out.
    HTTPConduit conduit = (HTTPConduit) stsClient.getClient().getConduit();
    conduit.setTlsClientParameters(tlsClientParameters);
    Assert.assertNotNull("the http conduit's tlsParameters should not be null",
                         conduit.getTlsClientParameters());

    Map<String, Object> props = new HashMap<>();
    props.put(SecurityConstants.IS_BSP_COMPLIANT, "false");

    Assert.assertNotNull("supportingToken must not be null", supportingToken);
    stsClient.setOnBehalfOf(supportingToken);

    stsClient.setProperties(props);
    stsClient.setTokenType(tokenType);
    stsClient.setKeyType(keyType);

    if (claims != null) {
        stsClient.setClaims(createClaimsElement(claims));
    }

    if (appliesTo != null) {
        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
        return stsClient.requestSecurityToken(appliesTo);
    }
    return stsClient.requestSecurityToken();
}
 
Example #29
Source File: Utils.java — from the cxf-fediz project (Apache License 2.0)
/**
 * Populates {@code tlsClientParameters} for the fediz integration tests.
 *
 * <p>Key store (only when {@code keystoreFile} is non-empty) and trust store are
 * JKS resources on the test classpath; their URLs are turned into absolute file
 * paths before {@code getKeyStore} loads them.
 *
 * <p>SECURITY — test harness only:
 * <ul>
 *   <li>{@code setDisableCNCheck(true)} disables hostname verification.</li>
 *   <li>The cipher-suite include filter explicitly admits export-grade
 *       ({@code _EXPORT_}, {@code _EXPORT1024_}), single-DES, NULL-encryption and
 *       anonymous-DH suites. Those provide weak or no confidentiality and, for
 *       DH_anon, no server authentication. Whether the JVM actually offers them is
 *       governed by {@code jdk.tls.disabledAlgorithms}. A production filter should
 *       include only modern AEAD suites.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code getResource()} returns {@code null} for a missing
 * resource, which surfaces here as a NullPointerException rather than a clear error.
 *
 * @param tlsClientParameters object to populate (modified in place)
 * @param keystoreFile classpath name of the client key store; null/empty for none
 * @param keystorePassword password of the key store
 * @param keyPassword password of the private key inside it
 * @param truststoreFile classpath name of the trust store (required)
 * @param trustPassword password of the trust store
 */
public static void initTLSClientParameters(TLSClientParameters tlsClientParameters, String keystoreFile,
                                           String keystorePassword, String keyPassword,
                                           String truststoreFile, String trustPassword)
    throws URISyntaxException, GeneralSecurityException, IOException {

    ClassLoader loader = Thread.currentThread().getContextClassLoader();
    tlsClientParameters.setDisableCNCheck(true);
    // For JSSE handshake tracing: System.setProperty("javax.net.debug", "all");

    boolean withClientCert = keystoreFile != null && !keystoreFile.isEmpty();
    if (withClientCert) {
        String keystorePath = new File(loader.getResource(keystoreFile).toURI()).getAbsolutePath();
        KeyManager[] keyManagers =
            getKeyManagers(getKeyStore("JKS", keystorePath, keystorePassword), keyPassword);
        tlsClientParameters.setKeyManagers(keyManagers);
    }

    String truststorePath = new File(loader.getResource(truststoreFile).toURI()).getAbsolutePath();
    TrustManager[] trustManagers = getTrustManagers(getKeyStore("JKS", truststorePath, trustPassword));
    tlsClientParameters.setTrustManagers(trustManagers);

    FiltersType cipherFilter = new FiltersType();
    String[] includePatterns = {
        ".*_EXPORT_.*",      // export-grade (40/56-bit) key material
        ".*_EXPORT1024_.*",
        ".*_WITH_DES_.*",    // single DES
        ".*_WITH_AES_.*",
        ".*_WITH_NULL_.*",   // NULL cipher: no encryption at all
        ".*_DH_anon_.*"      // anonymous DH: no server authentication
    };
    for (String pattern : includePatterns) {
        cipherFilter.getInclude().add(pattern);
    }
    tlsClientParameters.setCipherSuitesFilter(cipherFilter);
}
 
Example #30
Source File: SoapClient.java — from the document-management-software project (GNU Lesser General Public License v3.0)
/**
 * Configures the SSL environment of the client's HTTP conduit.
 *
 * <p>SECURITY: this installs {@code EasyX509TrustManager} as the only trust
 * manager and disables hostname verification. The manager's name suggests it
 * relaxes or skips chain validation (check its implementation); combined with
 * the disabled CN check the client would then accept any server certificate,
 * leaving the connection open to interception. Prefer a real trust store and
 * keep the hostname check on for anything beyond local testing.
 */
protected void configureSSL() {
	TLSClientParameters tls = new TLSClientParameters();
	tls.setDisableCNCheck(true);
	tls.setTrustManagers(new TrustManager[] { new EasyX509TrustManager() });

	HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(client).getConduit();
	conduit.setTlsClientParameters(tls);
}