[arquillian-issues] [JBoss JIRA] (ARQ-1370) Warp: support SSL for CommandService using untrusted communication

Oliver Bock (JIRA) jira-events at lists.jboss.org
Wed Apr 10 08:03:36 EDT 2013 

    [ https://issues.jboss.org/browse/ARQ-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12765915#comment-12765915 ] 

Oliver Bock edited comment on ARQ-1370 at 4/9/13 6:52 PM:
----------------------------------------------------------

Great, thanks for the doc pointers! The Arquillian GitHub wiki at [2] would have been the last place for me to look for such Warp details ;-)

{quote}
I actually think that any SSL communication wouldn't work in Warp in Alpha2, beucase Warp is a Man in the Middle from the SSL handshake perspective
{quote}
Well, as described earlier, it does - at least for client-side tests in a test class annotated with {{@WarpTest}}. That's why this issue seemed like a Alpha2->Alpha3 regression from a user's (my) perspective: for some reason Warp-enriched _client-side_ tests do fail with Alpha3 while they work with Alpha2 (via SSL). You know better than me whether that kind of client-side tests is also affected by the new {{CommandService}} infrastructure/workflow.

I guess the major difference compared to Alpha2 is the _additional_ request in Alpha3 you describe: while Alpha2 (enriched) client-side tests, issuing requests via Drone/WebDriver, simply run in JBoss's configured SSL context, Alpha3 (enriched) client-side tests involve {{CommandService}} creating a new request _itself_, somehow outside the container's SSL context...? If my assessment is correct the question should be, can you tap into the container's SSL context or adopt it somehow? If not, you most likely need to establish your own, as suggested by your proposed workaround, if Warp's architecture itself can't be changed/improved in that regard.

IMHO, such a workaround would be less optimal, however, because a functional JSF test naturally involves the web app's container, including potential security measures in place (like SSL or authentication). Thus it would be nice to run such tests in their actual environment, without the need for a parallel security setup that (potentially) needs to be kept in sync with the container's setup in order to produce meaningful test results (without superfluous artefacts). This is what Arquillian is all about after all, right? :-)

What do you think?
                
      was (Author: brevilo):
    Great, thanks for the doc pointers! The Arquillian GitHub wiki at [2] would have been the last place for me to look for such Warp details ;-)

{quote}
I actually think that any SSL communication wouldn't work in Warp in Alpha2, beucase Warp is a Man in the Middle from the SSL handshake perspective
{quote}
Well, as described earlier, it does - at least for client-side tests in a test class annotated with {{@WarpTest}}. That's why this issue seemed like a Alpha2->Alpha3 regression from a user's (my) perspective: for some reason Warp-enriched _client-side_ tests do fail with Alpha3 while they work with Alpha2 (via SSL). You know better than me whether that kind of client-side tests is also affected by the new {{CommandService}} infrastructure/workflow.

I guess the major difference compared to Alpha2 is the _additional_ request in Alpha3 you describe: while Alpha2 (enriched) client-side tests, issuing requests via Drone/WebDriver, simply run in JBoss's configured SSL context, Alpha3 (enriched) client-side tests involve {{CommandService}} creating a new request _itself_, somehow outside the container's SSL context...? If my assessment is correct the question should be, can you tap into the container's SSL context or adopt it somehow? If not, you most likely need to establish your own, as suggested by your proposed workaround, if Warp's architecture itself can't be changed/improved in that regard.

IMHO, such a workaround would be less optimal, however, because a functional JSF test naturally involves the web app's container, including potential security measures in place (like SSL or authentication). Thus it would be nice to run such tests in their actual environment, without the need for a parallel security setup that (potentially) needs to be kept in sync with the container's setup in order to produce meaningful test results (without superfluous artefacts). This is what Arquillian is all about after all, right? :-)

Thoughts?
                  
> Warp: support SSL for CommandService using untrusted communication
> ------------------------------------------------------------------
>
>                 Key: ARQ-1370
>                 URL: https://issues.jboss.org/browse/ARQ-1370
>             Project: Arquillian
>          Issue Type: Enhancement
>      Security Level: Public(Everyone can see) 
>          Components: Extension - Warp
>    Affects Versions: warp_1.0.0.Alpha3
>            Reporter: Lukáš Fryč
>
> We can make use of HTTP client which will automatically trust SSL endpoint.
> http://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclient-4-0

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the arquillian-issues mailing list