CASC-180 - Add support for Client Side Certificates

In order to utilize client side certificates, this commit facilitates the creation of a SSLSocketFactory on HttpsURLConnection for the client. The configuration is encapsulated inside a url factory instance that applies the adjustments where necessary.

This commit is continuation of the posted pending pull on github that is at:
apereo#26

...and applies the suggestions and fixes that were brought to light during the code review.

Author: SavvasMisaghMoayyed

cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java

@@ -29,20 +29,19 @@
 /**
  * Implementation of a ProxyRetriever that follows the CAS 2.0 specification.
  * For more information on the CAS 2.0 specification, please see the <a
- * href="http://www.ja-sig.org/products/cas/overview/protocol/index.html">specification
+ * href="http://www.jasig.org/cas/protocol">specification
  * document</a>.
  * <p/>
  * In general, this class will make a call to the CAS server with some specified
  * parameters and receive an XML response to parse.
  *
  * @author Scott Battaglia
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
  * @since 3.0
  */
 public final class Cas20ProxyRetriever implements ProxyRetriever {
 
     /** Unique Id for serialization. */
-	private static final long serialVersionUID = 560409469568911791L;
+	  private static final long serialVersionUID = 560409469568911791L;
 
 	/**
      * Instance of Commons Logging.

cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java

@@ -24,20 +24,20 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import java.io.Closeable;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
+import java.net.MalformedURLException;
 import java.net.URLConnection;
 import java.net.URLEncoder;
 import java.net.URL;
 import java.net.HttpURLConnection;
-import java.net.MalformedURLException;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.*;
@@ -323,28 +323,16 @@ public static String safeGetParameter(final HttpServletRequest request, final St
      * Contacts the remote URL and returns the response.
      *
      * @param constructedUrl the url to contact.
+     * @param factory connection factory to prepare the URL connection instance
      * @param encoding the encoding to use.
      * @return the response.
      */
-    public static String getResponseFromServer(final URL constructedUrl, final String encoding) {
-        return getResponseFromServer(constructedUrl, HttpsURLConnection.getDefaultHostnameVerifier(), encoding);
-    }
+    public static String getResponseFromServer(final URL constructedUrl, final URLConnectionFactory factory, final String encoding) {
 
-    /**
-     * Contacts the remote URL and returns the response.
-     *
-     * @param constructedUrl the url to contact.
-     * @param hostnameVerifier Host name verifier to use for HTTPS connections.
-     * @param encoding the encoding to use.
-     * @return the response.
-     */
-    public static String getResponseFromServer(final URL constructedUrl, final HostnameVerifier hostnameVerifier, final String encoding) {
         URLConnection conn = null;
         try {
-            conn = constructedUrl.openConnection();
-            if (conn instanceof HttpsURLConnection) {
-                ((HttpsURLConnection)conn).setHostnameVerifier(hostnameVerifier);
-            }
+            conn = factory.getURLConnection(constructedUrl.openConnection());
+            
             final BufferedReader in;
 
             if (CommonUtils.isEmpty(encoding)) {
@@ -371,6 +359,7 @@ public static String getResponseFromServer(final URL constructedUrl, final Hostn
         }
 
     }
+
     /**
      * Contacts the remote URL and returns the response.
      *
@@ -380,12 +369,12 @@ public static String getResponseFromServer(final URL constructedUrl, final Hostn
      */
     public static String getResponseFromServer(final String url, String encoding) {
         try {
-            return getResponseFromServer(new URL(url), encoding);
+            return getResponseFromServer(new URL(url), new HttpsURLConnectionFactory(), encoding);
         } catch (final MalformedURLException e) {
             throw new IllegalArgumentException(e);
         }
     }
-
+         
     public static ProxyList createProxyList(final String proxies) {
         if (CommonUtils.isBlank(proxies)) {
             return new ProxyList();
@@ -410,4 +399,19 @@ public static void sendRedirect(final HttpServletResponse response, final String
         }
 
     }
+
+    /**
+     * Unconditionally close a {@link Closeable}. Equivalent to {@link java.io.Closeable#close()}close(), except any exceptions 
+     * will be ignored. This is typically used in finally blocks.
+     * @param resource
+     */
+    public static void closeQuietly(final Closeable resource) {
+        try {
+            if (resource != null) {
+                resource.close();
+            }
+        } catch (final IOException e) {
+            //ignore
+        }
+    }
 }

cas-client-core/src/main/java/org/jasig/cas/client/util/HttpsURLConnectionFactory.java

@@ -0,0 +1,126 @@
+package org.jasig.cas.client.util;
+
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.net.URLConnection;
+import java.security.KeyStore;
+import java.util.Properties;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An implementation of the {@link URLConnectionFactory} whose responsible to configure
+ * the underlying <i>https</i> connection, if needed, with a given hostname and SSL socket factory based on the
+ * configuration provided. 
+ * 
+ * @author Misagh Moayyed
+ * @since 3.3
+ * @see #setHostnameVerifier(HostnameVerifier)
+ * @see #setSSLConfiguration(Properties)
+ */
+public final class HttpsURLConnectionFactory implements URLConnectionFactory {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(HttpsURLConnectionFactory.class);
+    
+    /**
+     * Hostname verifier used when making an SSL request to the CAS server.
+     * Defaults to {@link HttpsURLConnection#getDefaultHostnameVerifier()}
+     */
+    private HostnameVerifier hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
+    
+    /**
+     * Properties file that can contains key/trust info for Client Side Certificates
+     */
+    private Properties sslConfiguration = new Properties(); 
+    
+    public HttpsURLConnectionFactory() {}
+    
+    public HttpsURLConnectionFactory(final HostnameVerifier verifier, final Properties config) {
+        setHostnameVerifier(verifier);
+        setSSLConfiguration(config);
+    }
+        
+    public final void setSSLConfiguration(final Properties config) {
+        this.sslConfiguration = config;
+    }
+    
+    public final void setHostnameVerifier(final HostnameVerifier verifier) {
+        this.hostnameVerifier = verifier;
+    }
+
+    public URLConnection getURLConnection(final URLConnection url) {
+        return this.configureHttpsConnectionIfNeeded(url);
+    }
+    
+    /**
+     * Configures the connection with specific settings for secure http connections
+     * If the connection instance is not a {@link HttpsURLConnection},
+     * no additional changes will be made and the connection itself is simply returned.
+     *
+     * @param conn the http connection
+     */
+    private URLConnection configureHttpsConnectionIfNeeded(final URLConnection conn) {
+        if (conn instanceof HttpsURLConnection) {
+            final HttpsURLConnection httpsConnection = (HttpsURLConnection) conn;
+            final SSLSocketFactory socketFactory = this.createSSLSocketFactory();
+            if (socketFactory != null) {
+                httpsConnection.setSSLSocketFactory(socketFactory);
+            } 
+
+            if (this.hostnameVerifier != null) {
+                httpsConnection.setHostnameVerifier(this.hostnameVerifier);
+            }
+        }
+        return conn;
+    }
+    
+    /**
+     * Creates a {@link SSLSocketFactory} based on the configuration specified
+     * <p>
+     * Sample properties file:
+     * <pre>
+     * protocol=TLS
+     * keyStoreType=JKS
+     * keyStorePath=/var/secure/location/.keystore
+     * keyStorePass=changeit
+     * certificatePassword=aGoodPass
+     * </pre>
+     * @param sslConfig {@link Properties} 
+     * @return the {@link SSLSocketFactory}
+     */
+    private SSLSocketFactory createSSLSocketFactory() {
+        InputStream keyStoreIS = null;
+        try {
+            final SSLContext sslContext = SSLContext.getInstance(this.sslConfiguration.getProperty("protocol", "SSL"));
+
+            if (this.sslConfiguration.getProperty("keyStoreType") != null) {
+                final KeyStore keyStore = KeyStore.getInstance(this.sslConfiguration.getProperty("keyStoreType"));
+                if (this.sslConfiguration.getProperty("keyStorePath") != null) {
+                    keyStoreIS = new FileInputStream(this.sslConfiguration.getProperty("keyStorePath"));
+                    if (this.sslConfiguration.getProperty("keyStorePass") != null) {
+                        keyStore.load(keyStoreIS, this.sslConfiguration.getProperty("keyStorePass").toCharArray());
+                        LOGGER.debug("Keystore has {} keys", keyStore.size());
+                        final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(this.sslConfiguration.getProperty("keyManagerType", "SunX509"));
+                        keyManager.init(keyStore, this.sslConfiguration.getProperty("certificatePassword").toCharArray());
+                        sslContext.init(keyManager.getKeyManagers(), null, null);
+                    }
+                }
+            }
+
+            return sslContext.getSocketFactory();
+        } catch (final Exception e) {
+            LOGGER.error(e.getMessage(), e);
+        } finally {
+            CommonUtils.closeQuietly(keyStoreIS);
+        }
+        return null;
+    }
+
+}

cas-client-core/src/main/java/org/jasig/cas/client/util/URLConnectionFactory.java

@@ -0,0 +1,44 @@
+/*
+ * Licensed to Jasig under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Jasig licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.util;
+
+import java.net.URL;
+import java.net.URLConnection;
+
+/**
+ * A factory to prepare and configure {@link java.net.URLConnection} instances. 
+ *
+ * @author Misagh Moayyed
+ * @since 3.3
+ */
+public interface URLConnectionFactory {
+    
+    /**
+     * Receives a {@link URLConnection} instance typically as a result of a {@link URL}
+     * opening a connection to a remote resource. The received url connection is then
+     * configured and prepared appropriately depending on its type and is then returned to the caller
+     * to accommodate method chaining.
+     *  
+     * @param url The url connection that needs to be configured
+     * @return The configured {@link URLConnection} instance
+     * 
+     * @see {@link HttpsURLConnectionFactory}
+     */
+    URLConnection getURLConnection(final URLConnection url);
+}

cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractCasProtocolUrlBasedTicketValidator.java

@@ -43,10 +43,6 @@ protected final void setDisableXmlSchemaValidation(final boolean disable) {
      * Retrieves the response from the server by opening a connection and merely reading the response.
      */
     protected final String retrieveResponseFromServer(final URL validationUrl, final String ticket) {
-        if (this.hostnameVerifier != null) {
-	        return CommonUtils.getResponseFromServer(validationUrl, this.hostnameVerifier, getEncoding());
-        } else {
-	        return CommonUtils.getResponseFromServer(validationUrl, getEncoding());
-        }
+        return CommonUtils.getResponseFromServer(validationUrl, getURLConnectionFactory(), getEncoding());
     }
 }

cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractTicketValidationFilter.java

@@ -31,6 +31,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.io.FileInputStream;
+import java.util.Properties;
 
 /**
  * The filter that handles all the work of validating ticket requests.
@@ -81,6 +83,31 @@ protected TicketValidator getTicketValidator(final FilterConfig filterConfig) {
         return this.ticketValidator;
     }
 
+    /**
+     * Gets the ssl config to use for HTTPS connections
+     * if one is configured for this filter.
+     * @param filterConfig Servlet filter configuration.
+     * @return Properties that can contains key/trust info for Client Side Certificates
+     */
+    protected Properties getSSLConfig(final FilterConfig filterConfig) {
+        final Properties properties = new Properties();
+        final String fileName = getPropertyFromInitParams(filterConfig, "sslConfigFile", null);	
+        
+        if (fileName != null) {
+            FileInputStream fis = null;
+            try {
+                fis = new FileInputStream(fileName);
+                properties.load(fis);
+                logger.trace("Loaded {} entries from {}", properties.size(), fileName);  
+            } catch(final IOException ioe) {
+                logger.error(ioe.getMessage(), ioe);
+            } finally {
+                CommonUtils.closeQuietly(fis);
+            }
+        }
+        return properties;
+    }
+
     /**
      * Gets the configured {@link HostnameVerifier} to use for HTTPS connections
      * if one is configured for this filter.