Repository: cxf Updated Branches: refs/heads/master bf879ad99 -> 71488c6fa
Simplify the SSL config since we don't need to support Jetty 7.x. Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/71488c6f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/71488c6f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/71488c6f Branch: refs/heads/master Commit: 71488c6fa7635c88285214a0479379aafef9ed3c Parents: 4f61ca8 Author: Daniel Kulp <dk...@apache.org> Authored: Wed Aug 6 11:17:19 2014 -0400 Committer: Daniel Kulp <dk...@apache.org> Committed: Wed Aug 6 11:28:21 2014 -0400 ---------------------------------------------------------------------- .../http_jetty/JettyHTTPServerEngine.java | 60 +++--- .../https_jetty/CXFJettySslSocketConnector.java | 181 ------------------- .../https_jetty/JettySslConnectorFactory.java | 97 ++++++++-- .../JettyHTTPServerEngineFactoryTest.java | 9 +- 4 files changed, 119 insertions(+), 228 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/71488c6f/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java index 03540a5..0494237 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java @@ -50,11 +50,9 @@ import org.eclipse.jetty.server.handler.ContextHandler; import org.eclipse.jetty.server.handler.ContextHandlerCollection; import org.eclipse.jetty.server.handler.DefaultHandler; import org.eclipse.jetty.server.handler.HandlerCollection; -import org.eclipse.jetty.server.nio.SelectChannelConnector; import org.eclipse.jetty.server.session.HashSessionIdManager; import org.eclipse.jetty.server.session.HashSessionManager; import org.eclipse.jetty.server.session.SessionHandler; -import org.eclipse.jetty.server.ssl.SslConnector; import org.eclipse.jetty.util.component.Container; import org.eclipse.jetty.util.thread.QueuedThreadPool; import org.eclipse.jetty.util.thread.ThreadPool; @@ -327,8 +325,6 @@ public class JettyHTTPServerEngine // create a new jetty server instance if there is no server there server = new Server(); - server.setSendServerVersion(getSendServerVersion()); - if (mBeanContainer != null) { getContainer(server).addEventListener(mBeanContainer); } @@ -636,10 +632,18 @@ public class JettyHTTPServerEngine } return ret; } + + private boolean isSsl() { + if (connector == null) { + return false; + } + //return "https".equalsIgnoreCase(connector.getDefaultConnectionFactory().getProtocol()); + return connector instanceof org.eclipse.jetty.server.ssl.SslConnector; + } protected void retrieveListenerFactory() { if (tlsServerParameters != null) { - if (null != connector && !(connector instanceof SslConnector)) { + if (connector != null && !isSsl()) { LOG.warning("Connector " + connector + " for JettyServerEngine Port " + port + " does not support SSL connections."); return; @@ -649,7 +653,7 @@ public class JettyHTTPServerEngine protocol = "https"; } else { - if (connector instanceof SslConnector) { + if (isSsl()) { throw new RuntimeException("Connector " + connector + " for JettyServerEngine Port " + port + " does not support non-SSL connections."); } @@ -666,35 +670,30 @@ public class JettyHTTPServerEngine protected JettyConnectorFactory getHTTPConnectorFactory() { return new JettyConnectorFactory() { public AbstractConnector createConnector(JettyHTTPServerEngine engine, String hosto, int porto) { + + + // now we just use the SelectChannelConnector as the default connector + org.eclipse.jetty.server.nio.SelectChannelConnector result = + new org.eclipse.jetty.server.nio.SelectChannelConnector(); + engine.getServer().setSendServerVersion(getSendServerVersion()); + if (engine.getMaxIdleTime() > 0) { + result.setMaxIdleTime(engine.getMaxIdleTime()); + } + /* HttpConfiguration httpConfig = new HttpConfiguration(); httpConfig.setSendServerVersion(getSendServerVersion()); HttpConnectionFactory httpFactory = new HttpConnectionFactory(httpConfig); - ServerConnector httpConnector = new ServerConnector(server, httpFactory); - httpConnector.setPort(porto); - httpConnector.setHost(hosto); + ServerConnector result = new ServerConnector(server, httpFactory); if (engine.getMaxIdleTime() > 0) { - httpConnector.setIdleTimeout(engine.getMaxIdleTime()); + result.setIdleTimeout(engine.getMaxIdleTime()); } - httpConnector.setReuseAddress(engine.isReuseAddress()); - return httpConnector; */ - // now we just use the SelectChannelConnector as the default connector - SelectChannelConnector result = - new SelectChannelConnector(); - - // Regardless the port has to equal the one - // we are configured for. - assert porto == port; - assert hosto == null ? host == null : hosto.equals(host); + result.setPort(porto); if (hosto != null) { result.setHost(hosto); } - result.setPort(porto); - if (engine.getMaxIdleTime() > 0) { - result.setMaxIdleTime(engine.getMaxIdleTime()); - } result.setReuseAddress(engine.isReuseAddress()); return result; } @@ -723,9 +722,16 @@ public class JettyHTTPServerEngine } private void checkConnectorPort() throws IOException { - if (null != connector && port != connector.getPort()) { - throw new IOException("Error: Connector port " + connector.getPort() + " does not match" - + " with the server engine port " + port); + try { + int cp = (Integer)connector.getClass().getMethod("getPort").invoke(connector); + if (null != connector && port != cp) { + throw new IOException("Error: Connector port " + cp + " does not match" + + " with the server engine port " + port); + } + } catch (IOException ioe) { + throw ioe; + } catch (Throwable t) { + //ignore... } } http://git-wip-us.apache.org/repos/asf/cxf/blob/71488c6f/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java deleted file mode 100644 index 42c5ddf..0000000 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java +++ /dev/null @@ -1,181 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.transport.https_jetty; - - -import java.security.SecureRandom; -import java.util.List; -import java.util.logging.Logger; - -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509KeyManager; - -import org.apache.cxf.common.logging.LogUtils; -import org.apache.cxf.common.util.ReflectionInvokationHandler; -import org.apache.cxf.configuration.jsse.SSLUtils; -import org.apache.cxf.configuration.security.ClientAuthentication; -import org.apache.cxf.configuration.security.FiltersType; -import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager; -import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; - -/** - * This class extends the Jetty SslSelectChannelConnector, which allows - * us to configure it more in tune with the JSSE, using KeyManagers - * and TrustManagers. - */ -public class CXFJettySslSocketConnector extends SslSelectChannelConnector { - private static final Logger LOG = LogUtils.getL7dLogger(CXFJettySslSocketConnector.class); - - protected KeyManager[] keyManagers; - protected TrustManager[] trustManagers; - protected SecureRandom secureRandom; - protected List<String> cipherSuites; - protected FiltersType cipherSuitesFilter; - - /** - * Set the cipherSuites - */ - protected void setCipherSuites(List<String> cs) { - cipherSuites = cs; - } - - /** - * Set the CipherSuites Filter - */ - protected void setCipherSuitesFilter(FiltersType filter) { - cipherSuitesFilter = filter; - } - - /** - * Set the KeyManagers. - */ - protected void setKeyManagers(KeyManager[] kmgrs) { - keyManagers = kmgrs; - } - - /** - * Set the TrustManagers. - */ - protected void setTrustManagers(TrustManager[] tmgrs) { - trustManagers = tmgrs; - } - - /** - * Set the SecureRandom Parameters - */ - protected void setSecureRandom(SecureRandom random) { - secureRandom = random; - } - - - /** - * Set the ClientAuthentication (from the JAXB type) that - * configures an HTTP Destination. - */ - protected void setClientAuthentication(ClientAuthentication clientAuth) { - getCxfSslContextFactory().setWantClientAuth(true); - if (clientAuth != null) { - if (clientAuth.isSetWant()) { - getCxfSslContextFactory().setWantClientAuth(clientAuth.isWant()); - } - if (clientAuth.isSetRequired()) { - getCxfSslContextFactory().setNeedClientAuth(clientAuth.isRequired()); - } - } - } - - protected void doStart() throws Exception { - // setup the create SSLContext on the SSLContextFactory - getCxfSslContextFactory().setSslContext(createSSLContext()); - super.doStart(); - } - - protected SSLContext createSSLContext() throws Exception { - String proto = getCxfSslContextFactory().getProtocol() == null - ? "TLS" - : getCxfSslContextFactory().getProtocol(); - - SSLContext context = getCxfSslContextFactory().getProvider() == null - ? SSLContext.getInstance(proto) - : SSLContext.getInstance(proto, getCxfSslContextFactory().getProvider()); - - if (getCxfSslContextFactory().getCertAlias() != null) { - getKeyManagersWithCertAlias(); - } - context.init(keyManagers, trustManagers, secureRandom); - - String[] cs = - SSLUtils.getCiphersuites( - cipherSuites, - SSLUtils.getServerSupportedCipherSuites(context), - cipherSuitesFilter, - LOG, true); - - getCxfSslContextFactory().setExcludeCipherSuites(cs); - - return context; - } - - protected void getKeyManagersWithCertAlias() throws Exception { - if (getCxfSslContextFactory().getCertAlias() != null) { - for (int idx = 0; idx < keyManagers.length; idx++) { - if (keyManagers[idx] instanceof X509KeyManager) { - keyManagers[idx] = new AliasedX509ExtendedKeyManager( - getCxfSslContextFactory().getCertAlias(), (X509KeyManager)keyManagers[idx]); - } - } - } - } - - public CxfSslContextFactory getCxfSslContextFactory() { - try { - Object o = getClass().getMethod("getSslContextFactory").invoke(this); - return ReflectionInvokationHandler.createProxyWrapper(o, CxfSslContextFactory.class); - } catch (Exception e) { - //ignore, the NPE is fine - } - - return null; - } - - interface CxfSslContextFactory { - void setExcludeCipherSuites(String ... cs); - - String getProtocol(); - - String getProvider(); - - void setSslContext(SSLContext createSSLContext); - - void setNeedClientAuth(boolean required); - - void setWantClientAuth(boolean want); - - void setProtocol(String secureSocketProtocol); - - void setProvider(String jsseProvider); - - void setCertAlias(String certAlias); - - String getCertAlias(); - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/71488c6f/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java index da1fbc5..e103d0d 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java @@ -19,16 +19,29 @@ package org.apache.cxf.transport.https_jetty; +import java.util.logging.Logger; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.X509KeyManager; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.configuration.jsse.SSLUtils; import org.apache.cxf.configuration.jsse.TLSServerParameters; +import org.apache.cxf.configuration.security.ClientAuthentication; import org.apache.cxf.transport.http_jetty.JettyConnectorFactory; import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine; +import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager; import org.eclipse.jetty.server.AbstractConnector; +import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; +import org.eclipse.jetty.util.ssl.SslContextFactory; /** * This class wraps the JettyConnectorFactory and will create * TLS enabled acceptors. */ public final class JettySslConnectorFactory implements JettyConnectorFactory { + private static final Logger LOG = LogUtils.getL7dLogger(JettySslConnectorFactory.class); final TLSServerParameters tlsServerParameters; @@ -45,8 +58,9 @@ public final class JettySslConnectorFactory implements JettyConnectorFactory { public AbstractConnector createConnector(JettyHTTPServerEngine engine, String host, int port) { assert tlsServerParameters != null; - CXFJettySslSocketConnector secureConnector = - new CXFJettySslSocketConnector(); + SslContextFactory sslcf = new CXFSslContextFactory(); + SslSelectChannelConnector secureConnector = + new SslSelectChannelConnector(sslcf); if (host != null) { secureConnector.setHost(host); } @@ -55,27 +69,82 @@ public final class JettySslConnectorFactory implements JettyConnectorFactory { secureConnector.setMaxIdleTime(engine.getMaxIdleTime()); } secureConnector.setReuseAddress(engine.isReuseAddress()); - decorateCXFJettySslSocketConnector(secureConnector); + decorateCXFJettySslSocketConnector(sslcf); return secureConnector; } + private class CXFSslContextFactory extends SslContextFactory { + public CXFSslContextFactory() { + super(); + } + protected void doStart() throws Exception { + setSslContext(createSSLContext(this)); + super.doStart(); + } + public void checkKeyStore() { + //we'll handle this later + } + } + + protected SSLContext createSSLContext(SslContextFactory scf) throws Exception { + String proto = tlsServerParameters.getSecureSocketProtocol() == null + ? "TLS" : tlsServerParameters.getSecureSocketProtocol(); + + SSLContext context = tlsServerParameters.getJsseProvider() == null + ? SSLContext.getInstance(proto) + : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider()); + + KeyManager keyManagers[] = tlsServerParameters.getKeyManagers(); + if (tlsServerParameters.getCertAlias() != null) { + keyManagers = getKeyManagersWithCertAlias(keyManagers); + } + context.init(tlsServerParameters.getKeyManagers(), + tlsServerParameters.getTrustManagers(), + tlsServerParameters.getSecureRandom()); + + String[] cs = + SSLUtils.getCiphersuites( + tlsServerParameters.getCipherSuites(), + SSLUtils.getServerSupportedCipherSuites(context), + tlsServerParameters.getCipherSuitesFilter(), + LOG, true); + + scf.setExcludeCipherSuites(cs); + return context; + } + protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception { + if (tlsServerParameters.getCertAlias() != null) { + for (int idx = 0; idx < keyManagers.length; idx++) { + if (keyManagers[idx] instanceof X509KeyManager) { + keyManagers[idx] = new AliasedX509ExtendedKeyManager( + tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]); + } + } + } + return keyManagers; + } + protected void setClientAuthentication(SslContextFactory con, + ClientAuthentication clientAuth) { + con.setWantClientAuth(true); + if (clientAuth != null) { + if (clientAuth.isSetWant()) { + con.setWantClientAuth(clientAuth.isWant()); + } + if (clientAuth.isSetRequired()) { + con.setNeedClientAuth(clientAuth.isRequired()); + } + } + } /** * This method sets the security properties for the CXF extension * of the JettySslConnector. */ private void decorateCXFJettySslSocketConnector( - CXFJettySslSocketConnector con + SslContextFactory con ) { - con.setKeyManagers(tlsServerParameters.getKeyManagers()); - con.setTrustManagers(tlsServerParameters.getTrustManagers()); - con.setSecureRandom(tlsServerParameters.getSecureRandom()); - con.setClientAuthentication( - tlsServerParameters.getClientAuthentication()); - con.getCxfSslContextFactory().setProtocol(tlsServerParameters.getSecureSocketProtocol()); - con.getCxfSslContextFactory().setProvider(tlsServerParameters.getJsseProvider()); - con.setCipherSuites(tlsServerParameters.getCipherSuites()); - con.setCipherSuitesFilter(tlsServerParameters.getCipherSuitesFilter()); - con.getCxfSslContextFactory().setCertAlias(tlsServerParameters.getCertAlias()); + setClientAuthentication(con, + tlsServerParameters.getClientAuthentication()); + con.setCertAlias(tlsServerParameters.getCertAlias()); } http://git-wip-us.apache.org/repos/asf/cxf/blob/71488c6f/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactoryTest.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactoryTest.java b/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactoryTest.java index 07ffb84..e1d4a52 100644 --- a/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactoryTest.java +++ b/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactoryTest.java @@ -95,7 +95,7 @@ public class JettyHTTPServerEngineFactoryTest * for TLS. */ @Test - public void testMakeSureTransportFactoryHasEngineFactoryConfigured() { + public void testMakeSureTransportFactoryHasEngineFactoryConfigured() throws Exception { // This file configures the factory to configure // port 1234 with default TLS. @@ -112,11 +112,8 @@ public class JettyHTTPServerEngineFactoryTest // The Engine for port 1234 should be configured for TLS. // This will throw an error if it is not. JettyHTTPServerEngine engine = null; - try { - engine = factory.createJettyHTTPServerEngine(1234, "https"); - } catch (Exception e) { - fail("Error getting factory" + e); - } + engine = factory.createJettyHTTPServerEngine(1234, "https"); + assertNotNull("Engine is not available.", engine); assertEquals(1234, engine.getPort()); assertEquals("Not https", "https", engine.getProtocol());