HTTPS enforced via HttpsToken WS-SecurityPolicy does not work fix #628
ppalaga committed Sep 25, 2023
1 parent a5544de commit 57c363e
Showing 17 changed files with 653 additions and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
Expand Up @@ -75,7 +75,7 @@ jobs:
strategy:
fail-fast: false
matrix:
testModule: [client, hc5, logging, metrics, mtom, mtom-awt, server, ws-addressing, ws-rm, ws-security-client, ws-security-server, ws-trust, wsdl2java, wsdl2java-no-config]
testModule: [client, hc5, logging, metrics, mtom, mtom-awt, server, ws-addressing, ws-rm, ws-security-client, ws-security-policy, ws-security-server, ws-trust, wsdl2java, wsdl2java-no-config]
name: ${{matrix.testModule}} native tests
needs: build-and-run-jvm-tests
runs-on: ubuntu-latest
Expand Up @@ -17,6 +17,9 @@
import java.util.Map;
import java.util.TreeMap;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import jakarta.servlet.*;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
Expand All @@ -37,6 +40,8 @@

public class VertxHttpServletRequest implements HttpServletRequest {
private static final Logger LOG = Logger.getLogger(VertxHttpServletRequest.class);
private static final String SSL_CIPHER_SUITE_ATTRIBUTE = "jakarta.servlet.request.cipher_suite";
private static final String SSL_PEER_CERT_CHAIN_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";
private final RoutingContext context;
private final VertxInputStream in;
private final HttpServerRequest request;
Expand All @@ -51,6 +56,17 @@ public VertxHttpServletRequest(RoutingContext context, String contextPath, Strin
this.attributes = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
this.context = context;
in = new VertxInputStream(context, 10000);

final SSLSession sslSession = this.request.connection().sslSession();
if (sslSession != null) {
this.attributes.put(SSL_CIPHER_SUITE_ATTRIBUTE, sslSession.getCipherSuite());
try {
this.attributes.put(SSL_PEER_CERT_CHAIN_ATTRIBUTE, sslSession.getPeerCertificates());
} catch (SSLPeerUnverifiedException e) {
// do nothing
}
}

}

@Override
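Review bot: The array stored under `jakarta.servlet.request.X509Certificate` in the constructor is whatever `sslSession.getPeerCertificates()` returns, which is declared as `Certificate[]`, whereas the Servlet specification defines that attribute as an array of `java.security.cert.X509Certificate`; a consumer that casts the attribute to `X509Certificate[]` could fail depending on the runtime array type the TLS provider hands back, so an explicit conversion (or a comment stating the looser type) would be safer. The empty `catch (SSLPeerUnverifiedException e)` is the normal path when the client presented no certificate, and `// do nothing` should say that, e.g. `// no verified peer certificate (one-way TLS): leave the attribute unset`. The specification also names `jakarta.servlet.request.key_size` for requests received over a secure protocol, which is not set here. The constructor starts outside the hunk, so the assignment of `this.request` is not visible.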
1 change: 1 addition & 0 deletions integration-tests/pom.xml
Expand Up @@ -20,6 +20,7 @@
<module>logging</module>
<module>ws-addressing</module>
<module>ws-security-client</module>
<module>ws-security-policy</module>
<module>ws-security-server</module>
<module>ws-trust</module>
<module>ws-rm</module>
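--- a/integration-tests/ws-security-policy/pom.xml
+++ b/integration-tests/ws-security-policy/pom.xml
@@ -0,0 +1,276 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<parent>
+<groupId>io.quarkiverse.cxf</groupId>
+<artifactId>quarkus-cxf-integration-tests</artifactId>
+<version>2.2.4-SNAPSHOT</version>
+<relativePath>../pom.xml</relativePath>
+</parent>
+
+<artifactId>quarkus-cxf-integration-test-ws-security-policy</artifactId>
+
+<name>Quarkus CXF - Integration Test - WS-SecurityPolicy</name>
+
+<dependencies>
+<dependency>
+<groupId>io.quarkiverse.cxf</groupId>
+<artifactId>quarkus-cxf</artifactId>
+</dependency>
+<dependency>
+<groupId>io.quarkiverse.cxf</groupId>
+<artifactId>quarkus-cxf-rt-ws-security</artifactId>
+</dependency>
+<dependency>
+<groupId>io.quarkus</groupId>
+<artifactId>quarkus-resteasy</artifactId>
+</dependency>
+
+<dependency>
+<groupId>io.rest-assured</groupId>
+<artifactId>rest-assured</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>io.quarkiverse.cxf</groupId>
+<artifactId>quarkus-cxf-test-util</artifactId>
+<scope>test</scope>
+</dependency>
+</dependencies>
+
+<build>
+<plugins>
+<plugin>
+<groupId>io.quarkus</groupId>
+<artifactId>quarkus-maven-plugin</artifactId>
+<executions>
+<execution>
+<goals>
+<goal>build</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+<plugin>
+<groupId>org.codehaus.mojo</groupId>
+<artifactId>keytool-maven-plugin</artifactId>
+<configuration>
+<keypass>password</keypass>
+<validity>3650</validity>
+<keyalg>RSA</keyalg>
+<storepass>password</storepass>
+<skip>${keytool.skip}</skip>
+</configuration>
+<executions>
+<!-- CA -->
+<execution>
+<id>generate-cxfca-keypair</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>generateKeyPair</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<dname>CN=cxfca, OU=eng, O=apache.org</dname>
+<exts>
+<ext>bc:c=ca:true,pathlen:2147483647</ext>
+<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+</exts>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+</configuration>
+</execution>
+<execution>
+<id>export-cxfca-certificate</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>exportCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+<rfc>true</rfc>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+<!-- Server -->
+<execution>
+<id>generate-server-keypair</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>generateKeyPair</goal>
+</goals>
+<configuration>
+<alias>localhost</alias>
+<dname>CN=localhost, OU=eng, O=apache.org</dname>
+<exts>
+<ext>bc:c=ca:true,pathlen:2147483647</ext>
+<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+</exts>
+<keystore>${project.build.outputDirectory}/server-keystore.jks</keystore>
+</configuration>
+</execution>
+<execution>
+<id>generate-server-certificate-request</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>generateCertificateRequest</goal>
+</goals>
+<configuration>
+<alias>localhost</alias>
+<keystore>${project.build.outputDirectory}/server-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/server.csr</file>
+</configuration>
+</execution>
+<execution>
+<id>sign-server-certificate</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>generateCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+<rfc>true</rfc>
+<infile>${project.build.outputDirectory}/server.csr</infile>
+<outfile>${project.build.outputDirectory}/server.pem</outfile>
+</configuration>
+</execution>
+<execution>
+<id>import-cxfca-certificate-to-server-keystore</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<keystore>${project.build.outputDirectory}/server-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+<execution>
+<id>import-signed-server-certificate-to-server-keystore</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>localhost</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<keystore>${project.build.outputDirectory}/server-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/server.pem</file>
+</configuration>
+</execution>
+
+<!-- Client -->
+<execution>
+<id>prepare-client-truststore-jks</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<keystore>${project.build.outputDirectory}/client-truststore.jks</keystore>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+<execution>
+<id>prepare-client-truststore-pkcs12</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<keystore>${project.build.outputDirectory}/client-truststore.p12</keystore>
+<storetype>PKCS12</storetype>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+</executions>
+</plugin>
+</plugins>
+</build>
+
+<profiles>
+<profile>
+<id>native</id>
+<activation>
+<activeByDefault>false</activeByDefault>
+</activation>
+<properties>
+<quarkus.package.type>native</quarkus.package.type>
+</properties>
+<build>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-failsafe-plugin</artifactId>
+<executions>
+<execution>
+<goals>
+<goal>integration-test</goal>
+<goal>verify</goal>
+</goals>
+<configuration>
+<systemPropertyVariables>
+<native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
+</systemPropertyVariables>
+</configuration>
+</execution>
+</executions>
+</plugin>
+</plugins>
+</build>
+</profile>
+<profile>
+<id>virtualDependencies</id>
+<activation>
+<property>
+<name>!noVirtualDependencies</name>
+</property>
+</activation>
+<dependencies>
+<!-- The following dependencies guarantee that this module is built after them. You can update them by running `mvn process-resources -Pformat -N` from the source tree root directory -->
+<dependency>
+<groupId>io.quarkiverse.cxf</groupId>
+<artifactId>quarkus-cxf-deployment</artifactId>
+<version>${project.version}</version>
+<type>pom</type>
+<scope>test</scope>
+<exclusions>
+<exclusion>
+<groupId>*</groupId>
+<artifactId>*</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+<dependency>
+<groupId>io.quarkiverse.cxf</groupId>
+<artifactId>quarkus-cxf-rt-ws-security-deployment</artifactId>
+<version>${project.version}</version>
+<type>pom</type>
+<scope>test</scope>
+<exclusions>
+<exclusion>
+<groupId>*</groupId>
+<artifactId>*</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+</dependencies>
+</profile>
+</profiles>
+
+</project>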
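Review bot: The `generate-server-keypair` execution repeats the CA extension `<ext>bc:c=ca:true,pathlen:2147483647</ext>` from the `generate-cxfca-keypair` execution, so the self-signed `localhost` certificate is created as a CA with an effectively unlimited path length, which a server leaf key does not need. Whether the certificate later signed by `cxfca` keeps that constraint is not visible from this file, but dropping the `bc` extension from the server execution keeps the test PKI closer to what a deployment should look like. The server certificate also identifies the host only through `CN=localhost`; adding a subject alternative name, e.g. `<ext>san=dns:localhost</ext>`, would avoid relying on the CN fallback in hostname verification. A short comment next to `<keypass>password</keypass>` and `<storepass>password</storepass>` stating that these protect throwaway keystores generated at build time for tests would stop the values being copied elsewhere.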
@@ -0,0 +1,15 @@
package io.quarkiverse.cxf.it.security.policy;

import jakarta.jws.WebMethod;
import jakarta.jws.WebService;

/**
* The simplest Hello service.
*/
@WebService(name = "HelloService", serviceName = "HelloService")
public interface HelloService {

@WebMethod
String hello(String text);

}
@@ -0,0 +1,18 @@
package io.quarkiverse.cxf.it.security.policy;

import jakarta.jws.WebMethod;
import jakarta.jws.WebService;

/**
* The simplest Hello service implementation.
*/
@WebService(serviceName = "HelloService")
public class HelloServiceImpl implements HelloService {

@WebMethod
@Override
public String hello(String text) {
return "Hello " + text + "!";
}

}
@@ -0,0 +1,21 @@
package io.quarkiverse.cxf.it.security.policy;

import jakarta.jws.WebMethod;
import jakarta.jws.WebService;

import org.apache.cxf.annotations.Policy;

/**
* A service implementation with a transport policy set
*/
@WebService(serviceName = "HelloService")
@Policy(placement = Policy.Placement.BINDING, uri = "https-policy.xml")
public class HttpsPolicyHelloServiceImpl implements HelloService {

@WebMethod
@Override
public String hello(String text) {
return "Hello " + text + " from HTTPS!";
}

}
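Review bot: The class Javadoc on `HttpsPolicyHelloServiceImpl` says only that a transport policy is set, without saying what the policy is expected to enforce or where `https-policy.xml` is resolved from. Going by the commit title, the policy is presumably an `HttpsToken` transport assertion meant to reject requests that did not arrive over TLS; the policy file itself is not shown on this page. I would extend the comment to something like `A service implementation bound to the WS-SecurityPolicy in https-policy.xml, which is expected to require HTTPS (HttpsToken) for every request`.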