SWITCHYARD-2737 (project: SwitchYard)

Missing support for X509Certificate from the transport layer

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.0, 2.0
    • Fix Version/s: 2.1.0
    • Component/s: security
    • Labels: None

      Description

      SY is missing support for "two-way SSL", i.e. the client certificate from the transport layer being used for authentication in the application layer.

      The following code analysis shows where this should be done (but is not):

      In org.switchyard.component.soap.InboundHandler.invoke(), the SecurityContext is filled. First, the ThreadLocal CREDENTIALS is read (which is always empty since it is not filled by CXF), and then org.switchyard.component.soap.composer.SOAPBindingData.extractCredentials() is called, which collects credentials in three different paths:

      1) SOAPMessageCredentialExtractor
      This one looks for an Assertion/BinarySecurityToken in the message.

      2) WebServiceContextCredentialExtractor
      This one extracts a possible user principal from CXF's SecurityContext which itself got it out of the HttpServletRequest.

      3) ServletRequestCredentialExtractor
      This one does exactly the same by calling HttpServletRequest.getUserPrincipal() directly. Moreover, it checks the Authorization header. What it does not do is check the certificate chain.

      So, in order for this to work, the following must be added to org.switchyard.security.credential.extractor.ServletRequestCredentialExtractor.extract:

      // The servlet container exposes the client chain it verified during the TLS
      // handshake under this attribute; certs[0] is the client's own certificate.
      X509Certificate certs[] =
          (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
      if (certs != null && certs.length > 0) {
          credentials.add(new CertificateCredential(certs[0]));
      }

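The following is an added, stand-alone illustration of the extraction step the report describes; it is example code written for this page, not SwitchYard's own, and the class and method names (ClientCertificateExtractor, leafCertificate, clientPrincipal) are hypothetical. It uses only the Servlet API and the JDK: it reads the container-supplied chain from the request attribute, picks the end-entity certificate, and maps it to an X500Principal, which is the point at which SwitchYard would instead wrap the certificate in a CertificateCredential.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/**
 * Reads the TLS client certificate that the servlet container attached to the
 * request and turns it into an application-layer identity.
 *
 * Example code written for this page; not part of SwitchYard. Class and
 * method names are hypothetical.
 */
public final class ClientCertificateExtractor {

    /** Request attribute name defined by the Servlet specification. */
    public static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private ClientCertificateExtractor() {
    }

    /**
     * The end-entity (client) certificate, or empty when the container did not
     * perform TLS client authentication for this request (plain HTTP, a
     * connector without clientAuth, or TLS terminated at a reverse proxy).
     *
     * The Servlet specification orders the array leaf first: certs[0] is the
     * certificate presented by the client, the following entries are the
     * certificates that issued the one before them.
     */
    public static Optional<X509Certificate> leafCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty();
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        return Optional.of(chain[0]);
    }

    /**
     * Maps the client certificate to a principal.
     *
     * The container already validated the chain against its trust store during
     * the handshake, so trust is not re-decided here. The validity window is
     * re-checked only because a long-lived TLS session can outlive the
     * certificate's notAfter date.
     */
    public static Optional<X500Principal> clientPrincipal(HttpServletRequest req, Date now) {
        Optional<X509Certificate> leaf = leafCertificate(req);
        if (!leaf.isPresent()) {
            return Optional.empty();
        }
        X509Certificate cert = leaf.get();
        try {
            cert.checkValidity(now);
        } catch (CertificateException expiredOrNotYetValid) {
            return Optional.empty();
        }
        return Optional.of(cert.getSubjectX500Principal());
    }
}
```

A credential extractor or servlet filter would call clientPrincipal(req, new Date()) and treat an empty result as "no transport-layer identity", falling back to the other extraction paths. Two caveats: the attribute is only populated when the HTTPS connector is configured to want or need client authentication, so this path silently yields nothing on a connector without clientAuth; and under Jakarta EE 9 and later the attribute is named jakarta.servlet.request.X509Certificate.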

                People

                • Assignee: igarashitm (Tomohisa Igarashi)
                • Reporter: mputz (Martin Weiler)
                • Votes: 4
                • Watchers: 9
