  1. SwitchYard
  2. SWITCHYARD-2739

Missing support for X509Certificate from the transport layer

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Done
    • 1.0, 2.0
    • 1.1.1
    • security
    • None

    Description

      SY is missing support for "two-way-SSL", i.e. the client certificate from the transport layer is used for authentication in the application layer.

      The following code analysis shows where this should be done (but is not):

      In org.switchyard.component.soap.InboundHandler.invoke(), the SecurityContext is filled. First, ThreadLocal CREDENTIALS is read (which is always empty since it is not filled by CXF), and then org.switchyard.component.soap.composer.SOAPBindingData.extractCredentials() is called, which collects credentials in three different paths:

      1) SOAPMessageCredentialExtractor
      This one looks for an Assertion/BinarySecurityToken in the message.

      2) WebServiceContextCredentialExtractor
      This one extracts a possible user principal from CXF's SecurityContext which itself got it out of the HttpServletRequest.

      3) ServletRequestCredentialExtractor
      This one does exactly the same by calling HttpServletRequest.getUserPrincipal() directly. Moreover, it checks the authorization header. What it does not do is check the certificate chain.

      So, in order for this to work, the following must be added to org.switchyard.security.credential.extractor.ServletRequestCredentialExtractor.extract:

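      // The servlet container exposes the TLS client certificate chain under this request attribute.
      X509Certificate[] certs =
          (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
      if (certs != null && certs.length > 0) {
          // certs[0] is the client's own certificate; the rest of the chain follows it.
          credentials.add(new CertificateCredential(certs[0]));
      }
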

            People

              toigaras@redhat.com tomohisa igarashi
              rhn-support-mputz Martin Weiler