authorGreg Wilkins2011-10-25 14:15:59 +0000
committerGreg Wilkins2011-10-25 14:15:59 +0000
commit61664d3c0f8ec68cdf1da7d272b044e5e99317e3 (patch)
treec94336d2bb20e98280296f5cad86bd2301ea8079
parent6a17c69bfbe865f4ba310590ca86512b2258a09a (diff)
Added concept of SslConnection
-rw-r--r--example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java2
-rw-r--r--example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java2
-rw-r--r--example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java2
-rw-r--r--jetty-client/src/main/java/org/eclipse/jetty/client/AbstractHttpConnection.java2
-rw-r--r--jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java2
-rw-r--r--jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/AsyncSslHttpExchangeTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/ProxyTunnellingTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SecuredContentExchangeTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SecuredErrorStatusTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SecurityListenerTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SslCertSecuredExchangeTest.java6
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SslContentExchangeTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredContentExchangeTest.java4
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredErrorStatusTest.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SslSecurityListenerTest.java4
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/SslValidationTestBase.java2
-rw-r--r--jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/AbstractSslServerAndClientCreator.java2
-rw-r--r--jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java1513
-rw-r--r--jetty-io/src/main/java/org/eclipse/jetty/io/AbstractConnection.java2
-rw-r--r--jetty-io/src/main/java/org/eclipse/jetty/io/Connection.java4
-rw-r--r--jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java2
-rw-r--r--jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslConnection.java435
-rw-r--r--jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPoint.java8
-rw-r--r--jetty-io/src/test/java/org/eclipse/jetty/io/EndPointTest.java8
-rw-r--r--jetty-io/src/test/java/org/eclipse/jetty/io/bio/SocketEndPointTest.java4
-rw-r--r--jetty-io/src/test/java/org/eclipse/jetty/io/nio/ChannelEndPointTest.java4
-rw-r--r--jetty-io/src/test/java/org/eclipse/jetty/io/nio/SelectChannelEndPointTest.java197
-rw-r--r--jetty-io/src/test/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPointTest.java60
-rw-r--r--jetty-io/src/test/resources/keystorebin0 -> 1426 bytes
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java4
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java4
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java2
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java4
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java2
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/AbstractConnector.java2
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java2
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/Connector.java8
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/handler/ConnectHandler.java8
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslConnector.java2
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java2
-rw-r--r--jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/handler/ConnectHandlerSSLTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLSelectChannelConnectorLoadTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslRenegotiateTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelTimeoutTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslTruncationAttackTest.java2
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslUploadTest.java2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/security/B64Code.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/security/B64Code.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/security/Constraint.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/security/Constraint.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/security/Credential.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/security/Password.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/security/UnixCrypt.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/security/UnixCrypt.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/ssl/AliasedX509ExtendedKeyManager.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/ssl/AliasedX509ExtendedKeyManager.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/ssl/AliasedX509KeyManager.java (renamed from jetty-http/src/main/java/org/eclipse/jetty/http/ssl/AliasedX509KeyManager.java)2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java1528
-rw-r--r--jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java2
-rw-r--r--jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketClientFactory.java4
-rw-r--r--jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java2
-rw-r--r--jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java4
-rw-r--r--jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD08.java4
-rw-r--r--jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD13.java4
-rw-r--r--tests/test-integration/src/test/java/org/eclipse/jetty/test/DigestPostTest.java4
78 files changed, 2328 insertions, 1603 deletions
diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
index 99b954fdbb..8bbc5c0fb2 100644
--- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
+++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
@@ -19,7 +19,6 @@ import org.eclipse.jetty.ajp.Ajp13SocketConnector;
import org.eclipse.jetty.deploy.DeploymentManager;
import org.eclipse.jetty.deploy.providers.ContextProvider;
import org.eclipse.jetty.deploy.providers.WebAppProvider;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.jmx.MBeanContainer;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.server.Connector;
@@ -35,6 +34,7 @@ import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSocketConnector;
import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
public class LikeJettyXml
diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java
index 1059b94502..b60b8c1483 100644
--- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java
+++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java
@@ -13,11 +13,11 @@
package org.eclipse.jetty.embedded;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
/* ------------------------------------------------------------ */
diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java
index 33c00e7a69..d02754041b 100644
--- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java
+++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java
@@ -17,13 +17,13 @@ import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.util.security.Constraint;
public class SecuredHelloHandler
{
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/AbstractHttpConnection.java b/jetty-client/src/main/java/org/eclipse/jetty/client/AbstractHttpConnection.java
index 0e619f1707..0acd2b3d33 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/AbstractHttpConnection.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/AbstractHttpConnection.java
@@ -174,7 +174,7 @@ public abstract class AbstractHttpConnection extends AbstractConnection implemen
return false;
}
- public void closed()
+ public void onClose()
{
}
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
index cffaad767f..0b168be513 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
@@ -29,13 +29,13 @@ import org.eclipse.jetty.client.security.RealmResolver;
import org.eclipse.jetty.client.security.SecurityListener;
import org.eclipse.jetty.http.HttpBuffers;
import org.eclipse.jetty.http.HttpSchemes;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.Buffers.Type;
import org.eclipse.jetty.util.Attributes;
import org.eclipse.jetty.util.AttributesMap;
import org.eclipse.jetty.util.component.AggregateLifeCycle;
import org.eclipse.jetty.util.component.Dumpable;
import org.eclipse.jetty.util.component.LifeCycle;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.util.thread.ThreadPool;
import org.eclipse.jetty.util.thread.Timeout;
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java b/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java
index 1d9f533348..7b75d71583 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java
@@ -26,7 +26,6 @@ import javax.net.ssl.SSLSession;
import org.eclipse.jetty.http.HttpGenerator;
import org.eclipse.jetty.http.HttpParser;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.Buffer;
import org.eclipse.jetty.io.Buffers;
import org.eclipse.jetty.io.Buffers.Type;
@@ -41,6 +40,7 @@ import org.eclipse.jetty.io.nio.SslSelectChannelEndPoint;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.Timeout;
class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/AsyncSslHttpExchangeTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/AsyncSslHttpExchangeTest.java
index 132fc7d129..ce739426f3 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/AsyncSslHttpExchangeTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/AsyncSslHttpExchangeTest.java
@@ -33,7 +33,7 @@ public class AsyncSslHttpExchangeTest extends SslHttpExchangeTest
@Override
public void testPerf() throws Exception
{
- sender(1,true);
+ sender(10,true);
}
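Review bot: The literal `10` passed to `sender(...)` in `testPerf` is unexplained at the call site. `sender` is defined outside this hunk, so it is not visible here whether the first argument is a thread count, an iteration count or something else. If it scales the number of SSL exchanges, which is only a guess from the test name, a one-line comment would help, e.g. `// 10 senders (was 1): exercises the async SSL path under load; confirm what sender()'s first argument means`. The same comment would tell maintainers that the test's runtime and flakiness may grow with this value.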
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/ProxyTunnellingTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/ProxyTunnellingTest.java
index 5157d8fa8e..100b6c74c8 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/ProxyTunnellingTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/ProxyTunnellingTest.java
@@ -16,7 +16,6 @@ import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeaders;
import org.eclipse.jetty.http.HttpMethods;
import org.eclipse.jetty.http.MimeTypes;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.ByteArrayBuffer;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Handler;
@@ -27,6 +26,7 @@ import org.eclipse.jetty.server.handler.ConnectHandler;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.After;
import org.junit.Test;
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredContentExchangeTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredContentExchangeTest.java
index b7883b229a..9016b50a8f 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredContentExchangeTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredContentExchangeTest.java
@@ -19,7 +19,6 @@ import java.util.HashSet;
import java.util.Set;
import org.eclipse.jetty.client.security.Realm;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
@@ -33,6 +32,7 @@ import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
public class SecuredContentExchangeTest
extends ContentExchangeTest
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredErrorStatusTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredErrorStatusTest.java
index 7af4be8928..00a99a8f1f 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredErrorStatusTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SecuredErrorStatusTest.java
@@ -20,7 +20,6 @@ import java.util.Set;
import org.eclipse.jetty.client.security.Realm;
import org.eclipse.jetty.http.HttpStatus;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
@@ -34,6 +33,7 @@ import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
import org.junit.Test;
public class SecuredErrorStatusTest
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SecurityListenerTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SecurityListenerTest.java
index 133cf476c9..8a1e8a50e9 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SecurityListenerTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SecurityListenerTest.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.client.security.Realm;
import org.eclipse.jetty.client.security.SimpleRealmResolver;
import org.eclipse.jetty.http.HttpMethods;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.io.Buffer;
import org.eclipse.jetty.io.EofException;
import org.eclipse.jetty.security.ConstraintMapping;
@@ -46,6 +45,7 @@ import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SslCertSecuredExchangeTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SslCertSecuredExchangeTest.java
index 5c41ee335d..0b07a42403 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SslCertSecuredExchangeTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SslCertSecuredExchangeTest.java
@@ -20,9 +20,6 @@ import java.util.Set;
import javax.security.auth.Subject;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.security.Credential;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.IdentityService;
@@ -38,6 +35,9 @@ import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.security.Credential;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
public class SslCertSecuredExchangeTest extends ContentExchangeTest
{
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SslContentExchangeTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SslContentExchangeTest.java
index 0a97a9e64e..510ca71156 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SslContentExchangeTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SslContentExchangeTest.java
@@ -15,7 +15,6 @@ package org.eclipse.jetty.client;
import java.io.File;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerCollection;
@@ -24,6 +23,7 @@ import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
public class SslContentExchangeTest
extends ContentExchangeTest
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredContentExchangeTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredContentExchangeTest.java
index f85641998f..30112af730 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredContentExchangeTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredContentExchangeTest.java
@@ -19,8 +19,6 @@ import java.util.HashSet;
import java.util.Set;
import org.eclipse.jetty.client.security.Realm;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
@@ -34,6 +32,8 @@ import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
public class SslSecuredContentExchangeTest
extends ContentExchangeTest
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredErrorStatusTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredErrorStatusTest.java
index 4b4c4dcf19..91c5da4096 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredErrorStatusTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecuredErrorStatusTest.java
@@ -20,7 +20,6 @@ import java.util.Set;
import org.eclipse.jetty.client.security.Realm;
import org.eclipse.jetty.http.HttpStatus;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
@@ -34,6 +33,7 @@ import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
import org.junit.Test;
/* ------------------------------------------------------------ */
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecurityListenerTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecurityListenerTest.java
index 9a1d593dc4..1e9c18ead6 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecurityListenerTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SslSecurityListenerTest.java
@@ -34,8 +34,6 @@ import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.client.security.HashRealmResolver;
import org.eclipse.jetty.client.security.Realm;
import org.eclipse.jetty.http.HttpMethods;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.EofException;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
@@ -51,6 +49,8 @@ import org.eclipse.jetty.server.ssl.SslSocketConnector;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/SslValidationTestBase.java b/jetty-client/src/test/java/org/eclipse/jetty/client/SslValidationTestBase.java
index 99862dae2e..375020a71a 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/SslValidationTestBase.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/SslValidationTestBase.java
@@ -6,7 +6,6 @@ import java.security.KeyStore;
import java.security.cert.CRL;
import java.util.Collection;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerCollection;
@@ -16,6 +15,7 @@ import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.security.CertificateUtils;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
public abstract class SslValidationTestBase extends ContentExchangeTest
{
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/AbstractSslServerAndClientCreator.java b/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/AbstractSslServerAndClientCreator.java
index cee537e834..4208eb6bab 100644
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/AbstractSslServerAndClientCreator.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/AbstractSslServerAndClientCreator.java
@@ -14,7 +14,6 @@
package org.eclipse.jetty.client.helperClasses;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
@@ -22,6 +21,7 @@ import org.eclipse.jetty.server.ssl.SslSocketConnector;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
/* ------------------------------------------------------------ */
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java b/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java
index 9f9fca8bd1..3f1b16ec61 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java
+++ b/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java
@@ -1,1528 +1,25 @@
-//========================================================================
-//Copyright (c) Webtide LLC
-//------------------------------------------------------------------------
-//All rights reserved. This program and the accompanying materials
-//are made available under the terms of the Eclipse Public License v1.0
-//and Apache License v2.0 which accompanies this distribution.
-//
-//The Eclipse Public License is available at
-//http://www.eclipse.org/legal/epl-v10.html
-//
-//The Apache License v2.0 is available at
-//http://www.apache.org/licenses/LICENSE-2.0.txt
-//
-//You may elect to redistribute this code under either of these licenses.
-//========================================================================
-
package org.eclipse.jetty.http.ssl;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.InetAddress;
-import java.security.InvalidParameterException;
-import java.security.KeyStore;
-import java.security.SecureRandom;
-import java.security.Security;
-import java.security.cert.CRL;
-import java.security.cert.CertStore;
-import java.security.cert.Certificate;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.X509CertSelector;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import javax.net.ssl.CertPathTrustManagerParameters;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLServerSocketFactory;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509KeyManager;
-import javax.net.ssl.X509TrustManager;
-
-import org.eclipse.jetty.http.security.Password;
-import org.eclipse.jetty.util.IO;
-import org.eclipse.jetty.util.component.AbstractLifeCycle;
-import org.eclipse.jetty.util.log.Log;
-import org.eclipse.jetty.util.log.Logger;
-import org.eclipse.jetty.util.resource.Resource;
-import org.eclipse.jetty.util.security.CertificateUtils;
-import org.eclipse.jetty.util.security.CertificateValidator;
-
/* ------------------------------------------------------------ */
/**
- * SslContextFactory is used to configure SSL connectors
- * as well as HttpClient. It holds all SSL parameters and
- * creates SSL context based on these parameters to be
- * used by the SSL connectors.
+ * @deprecated Use org.eclipse.jetty.util.ssl.SslContextFactory
*/
-public class SslContextFactory extends AbstractLifeCycle
+public class SslContextFactory extends org.eclipse.jetty.util.ssl.SslContextFactory
{
- private static final Logger LOG = Log.getLogger(SslContextFactory.class);
-
- public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
- (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
- "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
- public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
- (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
- "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
-
- /** Default value for the keystore location path. */
- public static final String DEFAULT_KEYSTORE_PATH =
- System.getProperty("user.home") + File.separator + ".keystore";
-
- /** String name of key password property. */
- public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
-
- /** String name of keystore password property. */
- public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
-
- /** Excluded protocols. */
- private final Set<String> _excludeProtocols = new HashSet<String>();
- // private final Set<String> _excludeProtocols = new HashSet<String>(Collections.singleton("SSLv2Hello"));
- /** Included protocols. */
- private Set<String> _includeProtocols = null;
-
- /** Excluded cipher suites. */
- private final Set<String> _excludeCipherSuites = new HashSet<String>();
- /** Included cipher suites. */
- private Set<String> _includeCipherSuites = null;
-
- /** Keystore path. */
- private String _keyStorePath;
- /** Keystore provider name */
- private String _keyStoreProvider;
- /** Keystore type */
- private String _keyStoreType = "JKS";
- /** Keystore input stream */
- private InputStream _keyStoreInputStream;
-
- /** SSL certificate alias */
- private String _certAlias;
-
- /** Truststore path */
- private String _trustStorePath;
- /** Truststore provider name */
- private String _trustStoreProvider;
- /** Truststore type */
- private String _trustStoreType = "JKS";
- /** Truststore input stream */
- private InputStream _trustStoreInputStream;
-
- /** Set to true if client certificate authentication is required */
- private boolean _needClientAuth = false;
- /** Set to true if client certificate authentication is desired */
- private boolean _wantClientAuth = false;
-
- /** Set to true if renegotiation is allowed */
- private boolean _allowRenegotiate = true;
-
- /** Keystore password */
- private transient Password _keyStorePassword;
- /** Key manager password */
- private transient Password _keyManagerPassword;
- /** Truststore password */
- private transient Password _trustStorePassword;
-
- /** SSL provider name */
- private String _sslProvider;
- /** SSL protocol name */
- private String _sslProtocol = "TLS";
-
- /** SecureRandom algorithm */
- private String _secureRandomAlgorithm;
- /** KeyManager factory algorithm */
- private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
- /** TrustManager factory algorithm */
- private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
-
- /** Set to true if SSL certificate validation is required */
- private boolean _validateCerts;
- /** Set to true if SSL certificate of the peer validation is required */
- private boolean _validatePeerCerts;
- /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
- private int _maxCertPathLength = -1;
- /** Path to file that contains Certificate Revocation List */
- private String _crlPath;
- /** Set to true to enable CRL Distribution Points (CRLDP) support */
- private boolean _enableCRLDP = false;
- /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */
- private boolean _enableOCSP = false;
- /** Location of OCSP Responder */
- private String _ocspResponderURL;
-
- /** SSL keystore */
- private KeyStore _keyStore;
- /** SSL truststore */
- private KeyStore _trustStore;
- /** Set to true to enable SSL Session caching */
- private boolean _sessionCachingEnabled = true;
- /** SSL session cache size */
- private int _sslSessionCacheSize;
- /** SSL session timeout */
- private int _sslSessionTimeout;
-
- /** SSL context */
- private SSLContext _context;
-
- private boolean _trustAll;
-
- /* ------------------------------------------------------------ */
- /**
- * Construct an instance of SslContextFactory
- * Default constructor for use in XmlConfiguration files
- */
public SslContextFactory()
{
- _trustAll=true;
+ super();
}
- /* ------------------------------------------------------------ */
- /**
- * Construct an instance of SslContextFactory
- * Default constructor for use in XmlConfiguration files
- */
public SslContextFactory(boolean trustAll)
{
- _trustAll=trustAll;
+ super(trustAll);
}
- /* ------------------------------------------------------------ */
- /**
- * Construct an instance of SslContextFactory
- * @param keyStorePath default keystore location
- */
public SslContextFactory(String keyStorePath)
{
- _keyStorePath = keyStorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Create the SSLContext object and start the lifecycle
- * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
- */
- @Override
- protected void doStart() throws Exception
- {
- if (_context == null)
- {
- if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
- _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
- {
- TrustManager[] trust_managers=null;
-
- if (_trustAll)
- {
- LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
- // Create a trust manager that does not validate certificate chains
- TrustManager trustAllCerts = new X509TrustManager()
- {
- public java.security.cert.X509Certificate[] getAcceptedIssuers()
- {
- return null;
- }
-
- public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
- {
- }
-
- public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
- {
- }
- };
- trust_managers = new TrustManager[] { trustAllCerts };
- }
-
- SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
- _context = SSLContext.getInstance(_sslProtocol);
- _context.init(null, trust_managers, secureRandom);
- }
- else
- {
- // verify that keystore and truststore
- // parameters are set up correctly
- try
- {
- checkKeyStore();
- }
- catch(IllegalStateException e)
- {
- LOG.ignore(e);
- }
-
- KeyStore keyStore = loadKeyStore();
- KeyStore trustStore = loadTrustStore();
-
- Collection<? extends CRL> crls = loadCRL(_crlPath);
-
- if (_validateCerts && keyStore != null)
- {
- if (_certAlias == null)
- {
- List<String> aliases = Collections.list(keyStore.aliases());
- _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
- }
-
- Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
- if (cert == null)
- {
- throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
- }
-
- CertificateValidator validator = new CertificateValidator(trustStore, crls);
- validator.setMaxCertPathLength(_maxCertPathLength);
- validator.setEnableCRLDP(_enableCRLDP);
- validator.setEnableOCSP(_enableOCSP);
- validator.setOcspResponderURL(_ocspResponderURL);
- validator.validate(keyStore, cert);
- }
-
- KeyManager[] keyManagers = getKeyManagers(keyStore);
- TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
-
- SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
- _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
- _context.init(keyManagers,trustManagers,secureRandom);
-
- SSLEngine engine=newSslEngine();
-
- LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
- if (LOG.isDebugEnabled())
- LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
- }
- }
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The array of protocol names to exclude from
- * {@link SSLEngine#setEnabledProtocols(String[])}
- */
- public String[] getExcludeProtocols()
- {
- return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param Protocols
- * The array of protocol names to exclude from
- * {@link SSLEngine#setEnabledProtocols(String[])}
- */
- public void setExcludeProtocols(String... protocols)
- {
- checkNotStarted();
-
- _excludeProtocols.clear();
- _excludeProtocols.addAll(Arrays.asList(protocols));
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])}
- */
- public void addExcludeProtocols(String... protocol)
- {
- checkNotStarted();
- _excludeProtocols.addAll(Arrays.asList(protocol));
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The array of protocol names to include in
- * {@link SSLEngine#setEnabledProtocols(String[])}
- */
- public String[] getIncludeProtocols()
- {
- return _includeProtocols.toArray(new String[_includeProtocols.size()]);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param Protocols
- * The array of protocol names to include in
- * {@link SSLEngine#setEnabledProtocols(String[])}
- */
- public void setIncludeProtocols(String... protocols)
- {
- checkNotStarted();
-
- _includeProtocols = new HashSet<String>(Arrays.asList(protocols));
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The array of cipher suite names to exclude from
- * {@link SSLEngine#setEnabledCipherSuites(String[])}
- */
- public String[] getExcludeCipherSuites()
- {
- return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param cipherSuites
- * The array of cipher suite names to exclude from
- * {@link SSLEngine#setEnabledCipherSuites(String[])}
- */
- public void setExcludeCipherSuites(String... cipherSuites)
- {
- checkNotStarted();
- _excludeCipherSuites.clear();
- _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}
- */
- public void addExcludeCipherSuites(String... cipher)
- {
- checkNotStarted();
- _excludeCipherSuites.addAll(Arrays.asList(cipher));
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The array of cipher suite names to include in
- * {@link SSLEngine#setEnabledCipherSuites(String[])}
- */
- public String[] getIncludeCipherSuites()
- {
- return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param cipherSuites
- * The array of cipher suite names to include in
- * {@link SSLEngine#setEnabledCipherSuites(String[])}
- */
- public void setIncludeCipherSuites(String... cipherSuites)
- {
- checkNotStarted();
-
- _includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The file or URL of the SSL Key store.
- */
- public String getKeyStorePath()
- {
- return _keyStorePath;
- }
-
- /* ------------------------------------------------------------ */
- @Deprecated
- public String getKeyStore()
- {
- return _keyStorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param keyStorePath
- * The file or URL of the SSL Key store.
- */
- public void setKeyStorePath(String keyStorePath)
- {
- checkNotStarted();
-
- _keyStorePath = keyStorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param keyStorePath
- * @deprecated Use {@link #setKeyStorePath(String)}
- */
- @Deprecated
- public void setKeyStore(String keyStorePath)
- {
- checkNotStarted();
-
- _keyStorePath = keyStorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The provider of the key store
- */
- public String getKeyStoreProvider()
- {
- return _keyStoreProvider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param keyStoreProvider
- * The provider of the key store
- */
- public void setKeyStoreProvider(String keyStoreProvider)
- {
- checkNotStarted();
-
- _keyStoreProvider = keyStoreProvider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The type of the key store (default "JKS")
- */
- public String getKeyStoreType()
- {
- return (_keyStoreType);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param keyStoreType
- * The type of the key store (default "JKS")
- */
- public void setKeyStoreType(String keyStoreType)
- {
- checkNotStarted();
-
- _keyStoreType = keyStoreType;
- }
-
- /* ------------------------------------------------------------ */
- /** Get the _keyStoreInputStream.
- * @return the _keyStoreInputStream
- *
- * @deprecated
- */
- @Deprecated
- public InputStream getKeyStoreInputStream()
- {
- checkKeyStore();
-
- return _keyStoreInputStream;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the keyStoreInputStream.
- * @param keyStoreInputStream the InputStream to the KeyStore
- *
- * @deprecated Use {@link #setKeyStore(KeyStore)}
- */
- @Deprecated
- public void setKeyStoreInputStream(InputStream keyStoreInputStream)
- {
- checkNotStarted();
-
- _keyStoreInputStream = keyStoreInputStream;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return Alias of SSL certificate for the connector
- */
- public String getCertAlias()
- {
- return _certAlias;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param certAlias
- * Alias of SSL certificate for the connector
- */
- public void setCertAlias(String certAlias)
- {
- checkNotStarted();
-
- _certAlias = certAlias;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The file name or URL of the trust store location
- */
- public String getTrustStore()
- {
- return _trustStorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param trustStorePath
- * The file name or URL of the trust store location
- */
- public void setTrustStore(String trustStorePath)
- {
- checkNotStarted();
-
- _trustStorePath = trustStorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The provider of the trust store
- */
- public String getTrustStoreProvider()
- {
- return _trustStoreProvider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param trustStoreProvider
- * The provider of the trust store
- */
- public void setTrustStoreProvider(String trustStoreProvider)
- {
- checkNotStarted();
-
- _trustStoreProvider = trustStoreProvider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The type of the trust store (default "JKS")
- */
- public String getTrustStoreType()
- {
- return _trustStoreType;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param trustStoreType
- * The type of the trust store (default "JKS")
- */
- public void setTrustStoreType(String trustStoreType)
- {
- checkNotStarted();
-
- _trustStoreType = trustStoreType;
- }
-
- /* ------------------------------------------------------------ */
- /** Get the _trustStoreInputStream.
- * @return the _trustStoreInputStream
- *
- * @deprecated
- */
- @Deprecated
- public InputStream getTrustStoreInputStream()
- {
- checkKeyStore();
-
- return _trustStoreInputStream;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the _trustStoreInputStream.
- * @param trustStoreInputStream the InputStream to the TrustStore
- *
- * @deprecated
- */
- @Deprecated
- public void setTrustStoreInputStream(InputStream trustStoreInputStream)
- {
- checkNotStarted();
-
- _trustStoreInputStream = trustStoreInputStream;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return True if SSL needs client authentication.
- * @see SSLEngine#getNeedClientAuth()
- */
- public boolean getNeedClientAuth()
- {
- return _needClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param needClientAuth
- * True if SSL needs client authentication.
- * @see SSLEngine#getNeedClientAuth()
- */
- public void setNeedClientAuth(boolean needClientAuth)
- {
- checkNotStarted();
-
- _needClientAuth = needClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return True if SSL wants client authentication.
- * @see SSLEngine#getWantClientAuth()
- */
- public boolean getWantClientAuth()
- {
- return _wantClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param wantClientAuth
- * True if SSL wants client authentication.
- * @see SSLEngine#getWantClientAuth()
- */
- public void setWantClientAuth(boolean wantClientAuth)
- {
- checkNotStarted();
-
- _wantClientAuth = wantClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return true if SSL certificate has to be validated
- * @deprecated
- */
- @Deprecated
- public boolean getValidateCerts()
- {
- return _validateCerts;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return true if SSL certificate has to be validated
- */
- public boolean isValidateCerts()
- {
- return _validateCerts;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param validateCerts
- * true if SSL certificates have to be validated
- */
- public void setValidateCerts(boolean validateCerts)
- {
- checkNotStarted();
-
- _validateCerts = validateCerts;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return true if SSL certificates of the peer have to be validated
- */
- public boolean isValidatePeerCerts()
- {
- return _validatePeerCerts;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param validatePeerCerts
- * true if SSL certificates of the peer have to be validated
- */
- public void setValidatePeerCerts(boolean validatePeerCerts)
- {
- checkNotStarted();
-
- _validatePeerCerts = validatePeerCerts;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return True if SSL re-negotiation is allowed (default false)
- */
- public boolean isAllowRenegotiate()
- {
- return _allowRenegotiate;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
- * a vulnerability in SSL/TLS with re-negotiation. If your JVM
- * does not have CVE-2009-3555 fixed, then re-negotiation should
- * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
- * of renegotiates in u19 and with RFC5746 in u22.
- *
- * @param allowRenegotiate
- * true if re-negotiation is allowed (default false)
- */
- public void setAllowRenegotiate(boolean allowRenegotiate)
- {
- checkNotStarted();
-
- _allowRenegotiate = allowRenegotiate;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param password
- * The password for the key store
- */
- public void setKeyStorePassword(String password)
- {
- checkNotStarted();
-
- _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param password
- * The password (if any) for the specific key within the key store
- */
- public void setKeyManagerPassword(String password)
- {
- checkNotStarted();
-
- _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param password
- * The password for the trust store
- */
- public void setTrustStorePassword(String password)
- {
- checkNotStarted();
-
- _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The SSL provider name, which if set is passed to
- * {@link SSLContext#getInstance(String, String)}
- */
- public String getProvider()
- {
- return _sslProvider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param provider
- * The SSL provider name, which if set is passed to
- * {@link SSLContext#getInstance(String, String)}
- */
- public void setProvider(String provider)
- {
- checkNotStarted();
-
- _sslProvider = provider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The SSL protocol (default "TLS") passed to
- * {@link SSLContext#getInstance(String, String)}
- */
- public String getProtocol()
- {
- return _sslProtocol;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param protocol
- * The SSL protocol (default "TLS") passed to
- * {@link SSLContext#getInstance(String, String)}
- */
- public void setProtocol(String protocol)
- {
- checkNotStarted();
-
- _sslProtocol = protocol;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The algorithm name, which if set is passed to
- * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
- * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
- */
- public String getSecureRandomAlgorithm()
- {
- return _secureRandomAlgorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param algorithm
- * The algorithm name, which if set is passed to
- * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
- * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
- */
- public void setSecureRandomAlgorithm(String algorithm)
- {
- checkNotStarted();
-
- _secureRandomAlgorithm = algorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
- */
- public String getSslKeyManagerFactoryAlgorithm()
- {
- return (_keyManagerFactoryAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param algorithm
- * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
- */
- public void setSslKeyManagerFactoryAlgorithm(String algorithm)
- {
- checkNotStarted();
-
- _keyManagerFactoryAlgorithm = algorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
- */
- public String getTrustManagerFactoryAlgorithm()
- {
- return (_trustManagerFactoryAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return True if all certificates should be trusted if there is no KeyStore or TrustStore
- */
- public boolean isTrustAll()
- {
- return _trustAll;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore
- */
- public void setTrustAll(boolean trustAll)
- {
- _trustAll = trustAll;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param algorithm
- * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
- * Use the string "TrustAll" to install a trust manager that trusts all.
- */
- public void setTrustManagerFactoryAlgorithm(String algorithm)
- {
- checkNotStarted();
-
- _trustManagerFactoryAlgorithm = algorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return Path to file that contains Certificate Revocation List
- */
- public String getCrlPath()
- {
- return _crlPath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param crlPath
- * Path to file that contains Certificate Revocation List
- */
- public void setCrlPath(String crlPath)
- {
- checkNotStarted();
-
- _crlPath = crlPath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return Maximum number of intermediate certificates in
- * the certification path (-1 for unlimited)
- */
- public int getMaxCertPathLength()
- {
- return _maxCertPathLength;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param maxCertPathLength
- * maximum number of intermediate certificates in
- * the certification path (-1 for unlimited)
- */
- public void setMaxCertPathLength(int maxCertPathLength)
- {
- checkNotStarted();
-
- _maxCertPathLength = maxCertPathLength;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return The SSLContext
- */
- public SSLContext getSslContext()
- {
- if (!isStarted())
- throw new IllegalStateException(getState());
- return _context;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param sslContext
- * Set a preconfigured SSLContext
- */
- public void setSslContext(SSLContext sslContext)
- {
- checkNotStarted();
-
- _context = sslContext;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Override this method to provide alternate way to load a keystore.
- *
- * @return the key store instance
- * @throws Exception
- */
- protected KeyStore loadKeyStore() throws Exception
- {
- return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
- _keyStorePath, _keyStoreType, _keyStoreProvider,
- _keyStorePassword==null? null: _keyStorePassword.toString());
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Override this method to provide alternate way to load a truststore.
- *
- * @return the key store instance
- * @throws Exception
- */
- protected KeyStore loadTrustStore() throws Exception
- {
- return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
- _trustStorePath, _trustStoreType, _trustStoreProvider,
- _trustStorePassword==null? null: _trustStorePassword.toString());
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Loads keystore using an input stream or a file path in the same
- * order of precedence.
- *
- * Required for integrations to be able to override the mechanism
- * used to load a keystore in order to provide their own implementation.
- *
- * @param storeStream keystore input stream
- * @param storePath path of keystore file
- * @param storeType keystore type
- * @param storeProvider keystore provider
- * @param storePassword keystore password
- * @return created keystore
- * @throws Exception
- *
- * @deprecated
- */
- @Deprecated
- protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
- {
- return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Loads certificate revocation list (CRL) from a file.
- *
- * Required for integrations to be able to override the mechanism used to
- * load CRL in order to provide their own implementation.
- *
- * @param crlPath path of certificate revocation list file
- * @return Collection of CRL's
- * @throws Exception
- */
- protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
- {
- return CertificateUtils.loadCRL(crlPath);
- }
-
- /* ------------------------------------------------------------ */
- protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
- {
- KeyManager[] managers = null;
-
- if (keyStore != null)
- {
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
- keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
- managers = keyManagerFactory.getKeyManagers();
-
- if (_certAlias != null)
- {
- for (int idx = 0; idx < managers.length; idx++)
- {
- if (managers[idx] instanceof X509KeyManager)
- {
- managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
- }
- }
- }
- }
-
- return managers;
- }
-
- /* ------------------------------------------------------------ */
- protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
- {
- TrustManager[] managers = null;
- if (trustStore != null)
- {
- // Revocation checking is only supported for PKIX algorithm
- if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
- {
- PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
-
- // Set maximum certification path length
- pbParams.setMaxPathLength(_maxCertPathLength);
-
- // Make sure revocation checking is enabled
- pbParams.setRevocationEnabled(true);
-
- if (crls != null && !crls.isEmpty())
- {
- pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
- }
-
- if (_enableCRLDP)
- {
- // Enable Certificate Revocation List Distribution Points (CRLDP) support
- System.setProperty("com.sun.security.enableCRLDP","true");
- }
-
- if (_enableOCSP)
- {
- // Enable On-Line Certificate Status Protocol (OCSP) support
- Security.setProperty("ocsp.enable","true");
-
- if (_ocspResponderURL != null)
- {
- // Override location of OCSP Responder
- Security.setProperty("ocsp.responderURL", _ocspResponderURL);
- }
- }
-
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
- trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
-
- managers = trustManagerFactory.getTrustManagers();
- }
- else
- {
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
- trustManagerFactory.init(trustStore);
-
- managers = trustManagerFactory.getTrustManagers();
- }
- }
-
- return managers;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Check KetyStore Configuration. Ensures that if keystore has been
- * configured but there's no truststore, that keystore is
- * used as truststore.
- * @throws IllegalStateException if SslContextFactory configuration can't be used.
- */
- public void checkKeyStore()
- {
- if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
- throw new IllegalStateException("SSL doesn't have a valid keystore");
-
- // if the keystore has been configured but there is no
- // truststore configured, use the keystore as the truststore
- if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
- {
- _trustStore = _keyStore;
- _trustStorePath = _keyStorePath;
- _trustStoreInputStream = _keyStoreInputStream;
- _trustStoreType = _keyStoreType;
- _trustStoreProvider = _keyStoreProvider;
- _trustStorePassword = _keyStorePassword;
- _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
- }
-
- // It's the same stream we cannot read it twice, so read it once in memory
- if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
- {
- try
- {
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- IO.copy(_keyStoreInputStream, baos);
- _keyStoreInputStream.close();
-
- _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
- _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
- }
- catch (Exception ex)
- {
- throw new IllegalStateException(ex);
- }
- }
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Select cipher suites to be used by the connector
- * based on configured inclusion and exclusion lists
- * as well as enabled and supported cipher suite lists.
- * @param enabledCipherSuites Array of enabled cipher suites
- * @param supportedCipherSuites Array of supported cipher suites
- * @return Array of cipher suites to enable
- */
- public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
- {
- Set<String> selected_protocols = new HashSet<String>();
-
- // Set the starting protocols - either from the included or enabled list
- if (_includeProtocols!=null)
- {
- // Use only the supported included protocols
- for (String protocol : supportedProtocols)
- if (_includeProtocols.contains(protocol))
- selected_protocols.add(protocol);
- }
- else
- selected_protocols.addAll(Arrays.asList(enabledProtocols));
-
-
- // Remove any excluded protocols
- if (_excludeProtocols != null)
- selected_protocols.removeAll(_excludeProtocols);
-
- return selected_protocols.toArray(new String[selected_protocols.size()]);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Select cipher suites to be used by the connector
- * based on configured inclusion and exclusion lists
- * as well as enabled and supported cipher suite lists.
- * @param enabledCipherSuites Array of enabled cipher suites
- * @param supportedCipherSuites Array of supported cipher suites
- * @return Array of cipher suites to enable
- */
- public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
- {
- Set<String> selected_ciphers = new HashSet<String>();
-
- // Set the starting ciphers - either from the included or enabled list
- if (_includeCipherSuites!=null)
- {
- // Use only the supported included ciphers
- for (String cipherSuite : supportedCipherSuites)
- if (_includeCipherSuites.contains(cipherSuite))
- selected_ciphers.add(cipherSuite);
- }
- else
- selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
-
-
- // Remove any excluded ciphers
- if (_excludeCipherSuites != null)
- selected_ciphers.removeAll(_excludeCipherSuites);
- return selected_ciphers.toArray(new String[selected_ciphers.size()]);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Check if the lifecycle has been started and throw runtime exception
- */
- protected void checkNotStarted()
- {
- if (isStarted())
- throw new IllegalStateException("Cannot modify configuration when "+getState());
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return true if CRL Distribution Points support is enabled
- */
- public boolean isEnableCRLDP()
- {
- return _enableCRLDP;
- }
-
- /* ------------------------------------------------------------ */
- /** Enables CRL Distribution Points Support
- * @param enableCRLDP true - turn on, false - turns off
- */
- public void setEnableCRLDP(boolean enableCRLDP)
- {
- checkNotStarted();
-
- _enableCRLDP = enableCRLDP;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return true if On-Line Certificate Status Protocol support is enabled
- */
- public boolean isEnableOCSP()
- {
- return _enableOCSP;
- }
-
- /* ------------------------------------------------------------ */
- /** Enables On-Line Certificate Status Protocol support
- * @param enableOCSP true - turn on, false - turn off
- */
- public void setEnableOCSP(boolean enableOCSP)
- {
- checkNotStarted();
-
- _enableOCSP = enableOCSP;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return Location of the OCSP Responder
- */
- public String getOcspResponderURL()
- {
- return _ocspResponderURL;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the location of the OCSP Responder.
- * @param ocspResponderURL location of the OCSP Responder
- */
- public void setOcspResponderURL(String ocspResponderURL)
- {
- checkNotStarted();
-
- _ocspResponderURL = ocspResponderURL;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the key store.
- * @param keyStore the key store to set
- */
- public void setKeyStore(KeyStore keyStore)
- {
- checkNotStarted();
-
- _keyStore = keyStore;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the trust store.
- * @param trustStore the trust store to set
- */
- public void setTrustStore(KeyStore trustStore)
- {
- checkNotStarted();
-
- _trustStore = trustStore;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the key store resource.
- * @param resource the key store resource to set
- */
- public void setKeyStoreResource(Resource resource)
- {
- checkNotStarted();
-
- try
- {
- _keyStoreInputStream = resource.getInputStream();
- }
- catch (IOException e)
- {
- throw new InvalidParameterException("Unable to get resource "+
- "input stream for resource "+resource.toString());
- }
- }
-
- /* ------------------------------------------------------------ */
- /** Set the trust store resource.
- * @param resource the trust store resource to set
- */
- public void setTrustStore(Resource resource)
- {
- checkNotStarted();
-
- try
- {
- _trustStoreInputStream = resource.getInputStream();
- }
- catch (IOException e)
- {
- throw new InvalidParameterException("Unable to get resource "+
- "input stream for resource "+resource.toString());
- }
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @return true if SSL Session caching is enabled
- */
- public boolean isSessionCachingEnabled()
- {
- return _sessionCachingEnabled;
- }
-
- /* ------------------------------------------------------------ */
- /** Set the flag to enable SSL Session caching.
- * @param enableSessionCaching the value of the flag
- */
- public void setSessionCachingEnabled(boolean enableSessionCaching)
- {
- _sessionCachingEnabled = enableSessionCaching;
- }
-
- /* ------------------------------------------------------------ */
- /** Get SSL session cache size.
- * @return SSL session cache size
- */
- public int getSslSessionCacheSize()
- {
- return _sslSessionCacheSize;
- }
-
- /* ------------------------------------------------------------ */
- /** SEt SSL session cache size.
- * @param sslSessionCacheSize SSL session cache size to set
- */
- public void setSslSessionCacheSize(int sslSessionCacheSize)
- {
- _sslSessionCacheSize = sslSessionCacheSize;
- }
-
- /* ------------------------------------------------------------ */
- /** Get SSL session timeout.
- * @return SSL session timeout
- */
- public int getSslSessionTimeout()
- {
- return _sslSessionTimeout;
- }
-
- /* ------------------------------------------------------------ */
- /** Set SSL session timeout.
- * @param sslSessionTimeout SSL session timeout to set
- */
- public void setSslSessionTimeout(int sslSessionTimeout)
- {
- _sslSessionTimeout = sslSessionTimeout;
- }
-
-
- /* ------------------------------------------------------------ */
- public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
- {
- SSLServerSocketFactory factory = _context.getServerSocketFactory();
-
- SSLServerSocket socket =
- (SSLServerSocket) (host==null ?
- factory.createServerSocket(port,backlog):
- factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
-
- if (getWantClientAuth())
- socket.setWantClientAuth(getWantClientAuth());
- if (getNeedClientAuth())
- socket.setNeedClientAuth(getNeedClientAuth());
-
- socket.setEnabledCipherSuites(selectCipherSuites(
- socket.getEnabledCipherSuites(),
- socket.getSupportedCipherSuites()));
- socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
-
- return socket;
- }
-
- /* ------------------------------------------------------------ */
- public SSLSocket newSslSocket() throws IOException
- {
- SSLSocketFactory factory = _context.getSocketFactory();
-
- SSLSocket socket = (SSLSocket)factory.createSocket();
-
- if (getWantClientAuth())
- socket.setWantClientAuth(getWantClientAuth());
- if (getNeedClientAuth())
- socket.setNeedClientAuth(getNeedClientAuth());
-
- socket.setEnabledCipherSuites(selectCipherSuites(
- socket.getEnabledCipherSuites(),
- socket.getSupportedCipherSuites()));
- socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
-
- return socket;
- }
-
- /* ------------------------------------------------------------ */
- public SSLEngine newSslEngine(String host,int port)
- {
- SSLEngine sslEngine=isSessionCachingEnabled()
- ?_context.createSSLEngine(host, port)
- :_context.createSSLEngine();
-
- customize(sslEngine);
- return sslEngine;
- }
-
- /* ------------------------------------------------------------ */
- public SSLEngine newSslEngine()
- {
- SSLEngine sslEngine=_context.createSSLEngine();
- customize(sslEngine);
- return sslEngine;
- }
-
- /* ------------------------------------------------------------ */
- public void customize(SSLEngine sslEngine)
- {
- if (getWantClientAuth())
- sslEngine.setWantClientAuth(getWantClientAuth());
- if (getNeedClientAuth())
- sslEngine.setNeedClientAuth(getNeedClientAuth());
-
- sslEngine.setEnabledCipherSuites(selectCipherSuites(
- sslEngine.getEnabledCipherSuites(),
- sslEngine.getSupportedCipherSuites()));
-
- sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
+ super(keyStorePath);
}
}
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/AbstractConnection.java b/jetty-io/src/main/java/org/eclipse/jetty/io/AbstractConnection.java
index 583cd336c6..1062b7df48 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/AbstractConnection.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/AbstractConnection.java
@@ -35,7 +35,7 @@ public abstract class AbstractConnection implements Connection
return _endp;
}
- public void idleExpired()
+ public void onIdleExpired()
{
try
{
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/Connection.java b/jetty-io/src/main/java/org/eclipse/jetty/io/Connection.java
index 431964afe8..6519905dae 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/Connection.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/Connection.java
@@ -50,10 +50,10 @@ public interface Connection
/**
* Called when the connection is closed
*/
- void closed();
+ void onClose();
/**
* Called when the connection idle timeout expires
*/
- void idleExpired();
+ void onIdleExpired();
}
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java
index 511b33d342..e9ffdaee5b 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java
@@ -271,7 +271,7 @@ public class SelectChannelEndPoint extends ChannelEndPoint implements AsyncEndPo
/* ------------------------------------------------------------ */
protected void idleExpired()
{
- _connection.idleExpired();
+ _connection.onIdleExpired();
}
/* ------------------------------------------------------------ */
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslConnection.java b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslConnection.java
new file mode 100644
index 0000000000..7f901a7014
--- /dev/null
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslConnection.java
@@ -0,0 +1,435 @@
+// ========================================================================
+// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+
+package org.eclipse.jetty.io.nio;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.channels.SelectionKey;
+import java.nio.channels.SocketChannel;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+
+import org.eclipse.jetty.io.AbstractConnection;
+import org.eclipse.jetty.io.Buffer;
+import org.eclipse.jetty.io.Buffers;
+import org.eclipse.jetty.io.Connection;
+import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.io.EofException;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
+
+/* ------------------------------------------------------------ */
+/**
+ */
+public class SslConnection extends AbstractConnection implements AsyncConnection
+{
+ private static final Logger LOG=Log.getLogger("org.eclipse.jetty.io.nio.ssl");
+ static
+ {
+ LOG.setDebugEnabled(true);
+ }
+ private static final NIOBuffer __ZERO_BUFFER=new IndirectNIOBuffer(0);
+
+ private final ThreadLocal<NIOBuffer> __inBuffer = new ThreadLocal<NIOBuffer>();
+ private final ThreadLocal<NIOBuffer> __outBuffer = new ThreadLocal<NIOBuffer>();
+ private final SSLEngine _engine;
+ private final SSLSession _session;
+ private AsyncConnection _delegate;
+ private int _allocations;
+ private NIOBuffer _inbound;
+ private NIOBuffer _unwrapBuf;
+ private NIOBuffer _outbound;
+
+ public SslConnection(SSLEngine engine,AsyncConnection connection,EndPoint endp)
+ {
+ this(engine,connection,endp,System.currentTimeMillis());
+ }
+
+ public SslConnection(SSLEngine engine,AsyncConnection connection,EndPoint endp, long timeStamp)
+ {
+ super(endp,timeStamp);
+ _delegate=connection;
+ _engine=engine;
+ _session=_engine.getSession();
+ }
+
+ private void allocateBuffers()
+ {
+ synchronized (this)
+ {
+ if (_allocations++==0)
+ {
+ if (_inbound==null)
+ {
+ _inbound = __inBuffer.get();
+ if (_inbound==null)
+ _inbound=new IndirectNIOBuffer(_session.getPacketBufferSize());
+ }
+
+ if (_outbound==null)
+ {
+ _outbound = __outBuffer.get();
+ if (_outbound==null)
+ _outbound=new IndirectNIOBuffer(_session.getPacketBufferSize());
+ }
+ }
+ }
+ }
+
+ private void releaseBuffers()
+ {
+ synchronized (this)
+ {
+ if (--_allocations==0)
+ {
+ if (_inbound!=null && _inbound.length()==0)
+ {
+ __inBuffer.set(_inbound);
+ _inbound=null;
+ }
+
+ if (_outbound!=null && _outbound.length()==0)
+ {
+ __outBuffer.set(_outbound);
+ _outbound=null;
+ }
+
+ if (_unwrapBuf!=null && _unwrapBuf.length()==0)
+ _unwrapBuf=null;
+ }
+ }
+ }
+
+ public Connection handle() throws IOException
+ {
+ try
+ {
+ allocateBuffers();
+
+ boolean progress=true;
+
+ while (progress)
+ {
+ progress=false;
+ int filled=0,flushed=0;
+
+ // Read any available data
+ if (_inbound.space()>0 && (filled=_endp.fill(_inbound))>0)
+ progress = true;
+
+ // flush any output data
+ if (_outbound.hasContent() && (flushed=_endp.flush(_outbound))>0)
+ progress = true;
+
+ LOG.debug("{} filled={} flushed={}",_session,filled,flushed);
+
+ // If we are handshook let the delegate connection
+ if (_engine.getHandshakeStatus()==HandshakeStatus.NOT_HANDSHAKING)
+ {
+ // handle the delegate connection
+ AsyncConnection next = (AsyncConnection)_delegate.handle();
+ if (next!=_delegate && next==null)
+ {
+ _delegate=next;
+ progress=true;
+ }
+ }
+ else
+ {
+ process(null,null);
+ }
+ }
+ }
+ finally
+ {
+ releaseBuffers();
+ }
+
+ return this;
+ }
+
+ public boolean isIdle()
+ {
+ return false;
+ }
+
+ public boolean isSuspended()
+ {
+ return false;
+ }
+
+ public void onClose()
+ {
+
+ }
+
+ public void onInputShutdown() throws IOException
+ {
+
+ }
+
+ /* ------------------------------------------------------------ */
+ private synchronized int process(NIOBuffer toFill, NIOBuffer toFlush) throws IOException
+ {
+ if (toFill==null)
+ {
+ if (_unwrapBuf==null)
+ _unwrapBuf=new IndirectNIOBuffer(_session.getApplicationBufferSize());
+ toFill=_unwrapBuf;
+ }
+ else if (_unwrapBuf!=null && _unwrapBuf.hasContent())
+ {
+ _unwrapBuf.skip(toFill.put(_unwrapBuf));
+ return 1;
+ }
+ if (toFlush==null)
+ toFlush=__ZERO_BUFFER;
+
+ HandshakeStatus initialStatus = _engine.getHandshakeStatus();
+ boolean progress=true;
+ int received=0;
+ int sent=0;
+
+ try
+ {
+ allocateBuffers();
+
+ while (progress)
+ {
+ progress=false;
+
+ // handle the current hand share status
+ LOG.debug("{} status {}",_session,_engine.getHandshakeStatus());
+ switch(_engine.getHandshakeStatus())
+ {
+ case FINISHED:
+ throw new IllegalStateException();
+
+ case NOT_HANDSHAKING:
+ {
+ // Try wrapping some application data
+ if (toFlush.hasContent() && _outbound.space()>0 && wrap(toFlush))
+ progress=true;
+
+
+ // Try unwrapping some application data
+ if (toFill.space()>0 && _inbound.hasContent() && unwrap(toFill))
+ progress=true;
+ }
+ break;
+
+ case NEED_TASK:
+ {
+ // A task needs to be run, so run it!
+ Runnable task;
+ while ((task=_engine.getDelegatedTask())!=null)
+ {
+ progress=true;
+ task.run();
+ }
+
+ // Detect SUN JVM Bug!!!
+ if(initialStatus==HandshakeStatus.NOT_HANDSHAKING &&
+ _engine.getHandshakeStatus()==HandshakeStatus.NEED_UNWRAP && sent==0)
+ {
+ // This should be NEED_WRAP
+ // The fix simply detects the signature of the bug and then close the connection (fail-fast) so that ff3 will delegate to using SSL instead of TLS.
+ // This is a jvm bug on java1.6 where the SSLEngine expects more data from the initial handshake when the client(ff3-tls) already had given it.
+ // See http://jira.codehaus.org/browse/JETTY-567 for more details
+ LOG.warn("{} JETTY-567",_session);
+ return -1;
+ }
+ }
+ break;
+
+ case NEED_WRAP:
+ {
+ // The SSL needs to send some handshake data to the other side
+ if (wrap(toFlush))
+ progress=true;
+ }
+ break;
+
+ case NEED_UNWRAP:
+ {
+ // The SSL needs to receive some handshake data from the other side
+ if (unwrap(toFill))
+ progress=true;
+ }
+ break;
+ }
+
+ LOG.debug("{} progress {}",_session,progress);
+ }
+
+ LOG.debug("{} received {} sent {}",_session,received,sent);
+ }
+ finally
+ {
+ releaseBuffers();
+ }
+ return (received<0||sent<0)?-1:(received+sent);
+ }
+
+ private synchronized boolean wrap(final NIOBuffer buffer) throws IOException
+ {
+ ByteBuffer bbuf=buffer.getByteBuffer();
+ final SSLEngineResult result;
+
+ synchronized(bbuf)
+ {
+ _outbound.compact();
+ ByteBuffer out_buffer=_outbound.getByteBuffer();
+ synchronized(out_buffer)
+ {
+ try
+ {
+ bbuf.position(buffer.getIndex());
+ bbuf.limit(buffer.putIndex());
+ out_buffer.position(_outbound.putIndex());
+ out_buffer.limit(out_buffer.capacity());
+ result=_engine.wrap(bbuf,out_buffer);
+ if (LOG.isDebugEnabled())
+ LOG.debug("{} wrap {} {} consumed={} produced={}",
+ _session,
+ result.getStatus(),
+ result.getHandshakeStatus(),
+ result.bytesConsumed(),
+ result.bytesProduced());
+
+ buffer.skip(result.bytesConsumed());
+ buffer.compact();
+ _outbound.setPutIndex(_outbound.putIndex()+result.bytesProduced());
+ }
+ catch(SSLException e)
+ {
+ LOG.warn(_endp+":",e);
+ _endp.close(); // TODO ?
+ throw e;
+ }
+ finally
+ {
+ out_buffer.position(0);
+ out_buffer.limit(out_buffer.capacity());
+ bbuf.position(0);
+ bbuf.limit(bbuf.capacity());
+ }
+ }
+ }
+
+ switch(result.getStatus())
+ {
+ case BUFFER_UNDERFLOW:
+ throw new IllegalStateException();
+
+ case BUFFER_OVERFLOW:
+ break;
+
+ case OK:
+ break;
+
+ case CLOSED:
+ System.err.println("wrap CLOSE");
+ break;
+
+ default:
+ LOG.warn("{} wrap default {}",_session,result);
+ throw new IOException(result.toString());
+ }
+
+ return result.bytesConsumed()>0 || result.bytesProduced()>0;
+ }
+
+ private synchronized boolean unwrap(final NIOBuffer buffer) throws IOException
+ {
+ if (!_inbound.hasContent())
+ return false;
+
+ buffer.compact();
+ ByteBuffer bbuf=buffer.getByteBuffer();
+ final SSLEngineResult result;
+
+ synchronized(bbuf)
+ {
+ ByteBuffer in_buffer=_inbound.getByteBuffer();
+ synchronized(in_buffer)
+ {
+ try
+ {
+ bbuf.position(buffer.putIndex());
+ bbuf.limit(buffer.capacity());
+ in_buffer.position(_inbound.getIndex());
+ in_buffer.limit(_inbound.putIndex());
+
+ result=_engine.unwrap(in_buffer,bbuf);
+ if (LOG.isDebugEnabled())
+ LOG.debug("{} unwrap {} {} consumed={} produced={}",
+ _session,
+ result.getStatus(),
+ result.getHandshakeStatus(),
+ result.bytesConsumed(),
+ result.bytesProduced());
+
+ _inbound.skip(result.bytesConsumed());
+ _inbound.compact();
+ buffer.setPutIndex(buffer.putIndex()+result.bytesProduced());
+ }
+ catch(SSLException e)
+ {
+ LOG.warn(_endp+":",e);
+ _endp.close(); // TODO ?
+ throw e;
+ }
+ finally
+ {
+ in_buffer.position(0);
+ in_buffer.limit(in_buffer.capacity());
+ bbuf.position(0);
+ bbuf.limit(bbuf.capacity());
+ }
+ }
+ }
+
+ switch(result.getStatus())
+ {
+ case BUFFER_UNDERFLOW:
+ break;
+
+ case BUFFER_OVERFLOW:
+ LOG.debug("{} wrap {}",_session,result);
+ break;
+
+ case OK:
+ break;
+
+ case CLOSED:
+ System.err.println("unwrap CLOSE");
+ break;
+
+ default:
+ LOG.warn("{} wrap default {}",_session,result);
+ throw new IOException(result.toString());
+ }
+
+ if (LOG.isDebugEnabled() && result.bytesProduced()>0)
+ LOG.debug("{} unwrapped '{}'",_session,buffer);
+
+ return result.bytesConsumed()>0 || result.bytesProduced()>0;
+ }
+
+}
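Review bot: The static initializer in SslConnection calls `LOG.setDebugEnabled(true)`, which turns debug output on for every user of this class, and unwrap() then runs `LOG.debug("{} unwrapped '{}'",_session,buffer)`, which presumably renders the decrypted application bytes into the log. I would drop the static block, log only `result.bytesProduced()` at that point, and replace the `System.err.println("wrap CLOSE")` and `System.err.println("unwrap CLOSE")` prints with `LOG.debug`. Separately, in handle() the condition `next!=_delegate && next==null` stores a null delegate and the next pass of the loop dereferences it; `next!=_delegate && next!=null` looks like the intent. In process(), `received` and `sent` are never assigned after initialisation, so the JETTY-567 test `sent==0` is always true and the final return is always 0.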
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPoint.java b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPoint.java
index 202f19d117..a2b3bb8697 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPoint.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPoint.java
@@ -192,6 +192,9 @@ public class SslSelectChannelEndPoint extends SelectChannelEndPoint
@Override
public void shutdownInput() throws IOException
{
+ System.err.println("SSL sIn");
+ super.shutdownInput();
+ /*
LOG.debug("{} shutdownInput",_session);
// All SSL closes should be graceful, as it is more secure.
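Review bot: shutdownInput() now calls `super.shutdownInput()` and wraps the previous body in `/* ... */`, so the graceful SSL close that the retained comment describes as more secure no longer runs on this path; the comment block is closed in the next hunk and the method body continues outside this one. If the bypass is temporary while SslConnection is being introduced, a `// TODO restore graceful SSL close before release` above the call would keep that visible, since without it a clean close and a cut-off stream may not be distinguishable at this layer. The `System.err.println` calls added here and in the later hunks of this file (`"SSL sOut"`, `"f="+filled`, `"unwrap CLOSE"`, `"wrap CLOSE"`) write to stderr unconditionally, one of them once per fill. The existing `if (_debug) LOG.debug(...)` form on the neighbouring line would fit better.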
@@ -212,12 +215,14 @@ public class SslSelectChannelEndPoint extends SelectChannelEndPoint
LOG.ignore(e);
close();
}
+ */
}
/* ------------------------------------------------------------ */
@Override
public void shutdownOutput() throws IOException
{
+ System.err.println("SSL sOut");
LOG.debug("{} shutdownOutput",_session);
// All SSL closes should be graceful, as it is more secure.
@@ -526,6 +531,7 @@ public class SslSelectChannelEndPoint extends SelectChannelEndPoint
while (_inNIOBuffer.space()>0 && super.isOpen())
{
int filled=super.fill(_inNIOBuffer);
+ System.err.println("f="+filled);
if (_debug) LOG.debug("{} filled {}",_session,filled);
if (filled < 0)
remoteClosed = true;
@@ -612,6 +618,7 @@ public class SslSelectChannelEndPoint extends SelectChannelEndPoint
return (total_filled > 0);
case CLOSED:
+ System.err.println("unwrap CLOSE");
if (super.isOpen())
super.close();
// return true is some bytes somewhere were moved about.
@@ -709,6 +716,7 @@ public class SslSelectChannelEndPoint extends SelectChannelEndPoint
case OK:
return _result.bytesConsumed();
case CLOSED:
+ System.err.println("wrap CLOSE");
if (super.isOpen())
super.close();
return _result.bytesConsumed()>0?_result.bytesConsumed():-1;
diff --git a/jetty-io/src/test/java/org/eclipse/jetty/io/EndPointTest.java b/jetty-io/src/test/java/org/eclipse/jetty/io/EndPointTest.java
index be2cdfd218..79f7e84837 100644
--- a/jetty-io/src/test/java/org/eclipse/jetty/io/EndPointTest.java
+++ b/jetty-io/src/test/java/org/eclipse/jetty/io/EndPointTest.java
@@ -9,19 +9,19 @@ import org.junit.Test;
public abstract class EndPointTest<T extends EndPoint>
{
- public static class Connection<T>
+ public static class EndPointPair<T>
{
public T client;
public T server;
}
- protected abstract Connection<T> newConnection() throws Exception;
+ protected abstract EndPointPair<T> newConnection() throws Exception;
@Test
public void testClientServerExchange() throws Exception
{
- Connection<T> c = newConnection();
+ EndPointPair<T> c = newConnection();
Buffer buffer = new IndirectNIOBuffer(4096);
c.client.flush(new ByteArrayBuffer("request"));
@@ -96,7 +96,7 @@ public abstract class EndPointTest<T extends EndPoint>
@Test
public void testClientClose() throws Exception
{
- Connection<T> c = newConnection();
+ EndPointPair<T> c = newConnection();
Buffer buffer = new IndirectNIOBuffer(4096);
c.client.flush(new ByteArrayBuffer("request"));
diff --git a/jetty-io/src/test/java/org/eclipse/jetty/io/bio/SocketEndPointTest.java b/jetty-io/src/test/java/org/eclipse/jetty/io/bio/SocketEndPointTest.java
index 4661fcf1b5..277c6c7ccb 100644
--- a/jetty-io/src/test/java/org/eclipse/jetty/io/bio/SocketEndPointTest.java
+++ b/jetty-io/src/test/java/org/eclipse/jetty/io/bio/SocketEndPointTest.java
@@ -26,9 +26,9 @@ public class SocketEndPointTest extends EndPointTest<SocketEndPoint>
}
@Override
- protected Connection<SocketEndPoint> newConnection() throws Exception
+ protected EndPointPair<SocketEndPoint> newConnection() throws Exception
{
- Connection<SocketEndPoint> c = new Connection<SocketEndPoint>();
+ EndPointPair<SocketEndPoint> c = new EndPointPair<SocketEndPoint>();
c.client=new SocketEndPoint(new Socket(connector.getInetAddress(),connector.getLocalPort()));
c.server=new SocketEndPoint(connector.accept());
return c;
diff --git a/jetty-io/src/test/java/org/eclipse/jetty/io/nio/ChannelEndPointTest.java b/jetty-io/src/test/java/org/eclipse/jetty/io/nio/ChannelEndPointTest.java
index 7e417c2b3a..b6a97991a7 100644
--- a/jetty-io/src/test/java/org/eclipse/jetty/io/nio/ChannelEndPointTest.java
+++ b/jetty-io/src/test/java/org/eclipse/jetty/io/nio/ChannelEndPointTest.java
@@ -26,9 +26,9 @@ public class ChannelEndPointTest extends EndPointTest<ChannelEndPoint>
}
@Override
- protected Connection<ChannelEndPoint> newConnection() throws Exception
+ protected EndPointPair<ChannelEndPoint> newConnection() throws Exception
{
- Connection<ChannelEndPoint> c = new Connection<ChannelEndPoint>();
+ EndPointPair<ChannelEndPoint> c = new EndPointPair<ChannelEndPoint>();
c.client=new ChannelEndPoint(SocketChannel.open(connector.socket().getLocalSocketAddress()));
c.server=new ChannelEndPoint(connector.accept());
diff --git a/jetty-io/src/test/java/org/eclipse/jetty/io/nio/SelectChannelEndPointTest.java b/jetty-io/src/test/java/org/eclipse/jetty/io/nio/SelectChannelEndPointTest.java
new file mode 100644
index 0000000000..33b06f58b3
--- /dev/null
+++ b/jetty-io/src/test/java/org/eclipse/jetty/io/nio/SelectChannelEndPointTest.java
@@ -0,0 +1,197 @@
+package org.eclipse.jetty.io.nio;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.net.Socket;
+import java.net.SocketTimeoutException;
+import java.nio.channels.SelectionKey;
+import java.nio.channels.ServerSocketChannel;
+import java.nio.channels.SocketChannel;
+
+import org.eclipse.jetty.io.AbstractConnection;
+import org.eclipse.jetty.io.ConnectedEndPoint;
+import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.util.thread.QueuedThreadPool;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class SelectChannelEndPointTest
+{
+ protected ServerSocketChannel _connector;
+ protected ServerSocketChannel __serverSocket;
+ protected QueuedThreadPool _threadPool = new QueuedThreadPool();
+ protected SelectorManager _manager = new SelectorManager()
+ {
+ @Override
+ public boolean dispatch(Runnable task)
+ {
+ return _threadPool.dispatch(task);
+ }
+
+ @Override
+ protected void endPointClosed(SelectChannelEndPoint endpoint)
+ {
+ }
+
+ @Override
+ protected void endPointOpened(SelectChannelEndPoint endpoint)
+ {
+ }
+
+ @Override
+ protected void endPointUpgraded(ConnectedEndPoint endpoint, org.eclipse.jetty.io.Connection oldConnection)
+ {
+ }
+
+ @Override
+ protected AsyncConnection newConnection(SocketChannel channel, SelectChannelEndPoint endpoint)
+ {
+ return SelectChannelEndPointTest.this.newConnection(channel,endpoint);
+ }
+
+ @Override
+ protected SelectChannelEndPoint newEndPoint(SocketChannel channel, SelectSet selectSet, SelectionKey sKey) throws IOException
+ {
+ return new SelectChannelEndPoint(channel,selectSet,sKey,2000);
+ }
+ };
+
+ @Before
+ public void startManager() throws Exception
+ {
+ _connector = ServerSocketChannel.open();
+ _connector.socket().bind(null);
+ _threadPool.start();
+ _manager.start();
+ }
+
+ @After
+ public void stopManager() throws Exception
+ {
+ _manager.stop();
+ _threadPool.stop();
+ _connector.close();
+ }
+
+ protected Socket newClient() throws IOException
+ {
+ return new Socket(_connector.socket().getInetAddress(),_connector.socket().getLocalPort());
+ }
+
+ protected AsyncConnection newConnection(SocketChannel channel, SelectChannelEndPoint endpoint)
+ {
+ return new TestConnection(endpoint);
+ }
+
+ public static class TestConnection extends AbstractConnection implements AsyncConnection
+ {
+ NIOBuffer _in = new IndirectNIOBuffer(32*1024);
+ NIOBuffer _out = new IndirectNIOBuffer(32*1024);
+ boolean _echo=true;
+
+ public TestConnection(EndPoint endp)
+ {
+ super(endp);
+ }
+
+ public org.eclipse.jetty.io.Connection handle() throws IOException
+ {
+ boolean progress=true;
+ while(progress)
+ {
+ progress=false;
+ _in.compact();
+ if (_in.space()>0 && _endp.fill(_in)>0)
+ progress=true;
+
+ if (_echo && _in.hasContent() && _in.skip(_out.put(_in))>0)
+ progress=true;
+
+ if (_out.hasContent() && _endp.flush(_out)>0)
+ progress=true;
+
+ _out.compact();
+
+ if (!_out.hasContent() && _endp.isInputShutdown())
+ _endp.shutdownOutput();
+ }
+ return this;
+ }
+
+ public boolean isIdle()
+ {
+ return false;
+ }
+
+ public boolean isSuspended()
+ {
+ return false;
+ }
+
+ public void onClose()
+ {
+ }
+
+ public void onInputShutdown() throws IOException
+ {
+ }
+
+ }
+
+ @Test
+ public void testEcho() throws Exception
+ {
+ Socket client = newClient();
+
+ client.setSoTimeout(500);
+
+ SocketChannel server = _connector.accept();
+ server.configureBlocking(false);
+
+ _manager.register(server);
+
+ // Write client to server
+ client.getOutputStream().write("HelloWorld".getBytes("UTF-8"));
+
+ // Verify echo server to client
+ for (char c : "HelloWorld".toCharArray())
+ {
+ int b = client.getInputStream().read();
+ assertTrue(b>0);
+ assertEquals(c,(char)b);
+ }
+
+ // wait for read timeout
+ long start=System.currentTimeMillis();
+ try
+ {
+ client.getInputStream().read();
+ Assert.fail();
+ }
+ catch(SocketTimeoutException e)
+ {
+ assertTrue(System.currentTimeMillis()-start>=400);
+ }
+
+ // write then shutdown
+ client.getOutputStream().write("Goodbye".getBytes("UTF-8"));
+ client.shutdownOutput();
+
+
+ // Verify echo server to client
+ for (char c : "Goodbye".toCharArray())
+ {
+ int b = client.getInputStream().read();
+ assertTrue(b>0);
+ assertEquals(c,(char)b);
+ }
+
+ // Read close
+ assertEquals(-1,client.getInputStream().read());
+
+ }
+}
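Review bot: testEcho() never closes the `client` socket, so a failed assertion leaves the connection open while stopManager() runs; wrapping the body in `try { ... } finally { client.close(); }` would keep test runs independent. The field `__serverSocket` is declared but not used anywhere in this file and can go. A short class comment saying that TestConnection is an echo connection and that the 2000 ms passed to `new SelectChannelEndPoint(channel,selectSet,sKey,2000)` is the idle timeout (if that is what the argument means) would make the 500 ms read timeout and the `>=400` assertion easier to follow.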
diff --git a/jetty-io/src/test/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPointTest.java b/jetty-io/src/test/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPointTest.java
new file mode 100644
index 0000000000..06b33ce10f
--- /dev/null
+++ b/jetty-io/src/test/java/org/eclipse/jetty/io/nio/SslSelectChannelEndPointTest.java
@@ -0,0 +1,60 @@
+package org.eclipse.jetty.io.nio;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.Socket;
+import java.nio.channels.SocketChannel;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.junit.BeforeClass;
+
+
+public class SslSelectChannelEndPointTest extends SelectChannelEndPointTest
+{
+ static SslContextFactory __sslCtxFactory=new SslContextFactory();
+
+ @BeforeClass
+ public static void initSslEngine() throws Exception
+ {
+ File keystore = MavenTestingUtils.getTestResourceFile("keystore");
+ __sslCtxFactory.setKeyStorePath(keystore.getAbsolutePath());
+ __sslCtxFactory.setKeyStorePassword("storepwd");
+ __sslCtxFactory.setKeyManagerPassword("keypwd");
+ __sslCtxFactory.setTrustAll(true);
+ __sslCtxFactory.start();
+ }
+
+ @Override
+ protected Socket newClient() throws IOException
+ {
+ SSLSocket socket = __sslCtxFactory.newSslSocket();
+ socket.connect(_connector.socket().getLocalSocketAddress());
+ return socket;
+ }
+
+ @Override
+ protected AsyncConnection newConnection(SocketChannel channel, SelectChannelEndPoint endpoint)
+ {
+ try
+ {
+ AsyncConnection delegate = super.newConnection(channel,endpoint);
+ SSLEngine engine = __sslCtxFactory.newSslEngine();
+ engine.setUseClientMode(false);
+ engine.beginHandshake();
+ return new SslConnection(engine,delegate,endpoint);
+ }
+ catch(SSLException e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ }
+
+
+}
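Review bot: In newConnection() the delegate is built by `super.newConnection(channel,endpoint)` over the raw `endpoint`, so once the handshake completes TestConnection appears to fill and flush the socket directly rather than through the SSLEngine. As far as this file and SslConnection show, nothing routes the delegate's application data through wrap()/unwrap(). A class comment stating what the test is expected to cover at this stage would help, for example `// handshake only for now: delegate I/O is not yet wrapped by SslConnection`. `setTrustAll(true)` and the literal keystore passwords are acceptable for a fixture but deserve a `// test keystore only, do not reuse in server configuration` comment. The `SSLSocketFactory` import is unused.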
diff --git a/jetty-io/src/test/resources/keystore b/jetty-io/src/test/resources/keystore
new file mode 100644
index 0000000000..b727bd0fb7
--- /dev/null
+++ b/jetty-io/src/test/resources/keystore
Binary files differ
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java
index 378ff14d57..13361cf1e4 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java
@@ -13,7 +13,7 @@
package org.eclipse.jetty.security;
-import org.eclipse.jetty.http.security.Constraint;
+import org.eclipse.jetty.util.security.Constraint;
public class ConstraintMapping
{
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index 76ca4ee469..3b427e8826 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -25,7 +25,6 @@ import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
import org.eclipse.jetty.http.PathMap;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.AbstractHttpConnection;
import org.eclipse.jetty.server.Request;
@@ -33,6 +32,7 @@ import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.StringMap;
import org.eclipse.jetty.util.TypeUtil;
+import org.eclipse.jetty.util.security.Constraint;
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
index 0016be50b4..6c243a3a87 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
@@ -15,7 +15,6 @@ package org.eclipse.jetty.security;
import javax.servlet.ServletContext;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.Authenticator.AuthConfiguration;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.security.authentication.ClientCertAuthenticator;
@@ -23,6 +22,7 @@ import org.eclipse.jetty.security.authentication.DigestAuthenticator;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.util.security.Constraint;
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
index 9b833f5adb..34f7a5cede 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
@@ -15,13 +15,13 @@ package org.eclipse.jetty.security;
import java.io.IOException;
-import org.eclipse.jetty.http.security.Credential;
import org.eclipse.jetty.security.PropertyUserStore.UserListener;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.Scanner;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Credential;
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
index 20942b1e57..44e7ef078e 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
@@ -23,12 +23,12 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
-import org.eclipse.jetty.http.security.Credential;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.Loader;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Credential;
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
index 8808be26da..5ca896fb15 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
@@ -23,11 +23,11 @@ import java.util.concurrent.ConcurrentMap;
import javax.security.auth.Subject;
-import org.eclipse.jetty.http.security.Credential;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.security.Credential;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
index b7e64ac123..d3921bcab0 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
@@ -15,7 +15,6 @@ import java.util.Set;
import javax.security.auth.Subject;
-import org.eclipse.jetty.http.security.Credential;
import org.eclipse.jetty.security.MappedLoginService.KnownUser;
import org.eclipse.jetty.security.MappedLoginService.RolePrincipal;
import org.eclipse.jetty.server.UserIdentity;
@@ -25,6 +24,7 @@ import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Credential;
/**
* PropertyUserStore
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
index 1bc1122f1d..94321f03ae 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
@@ -19,12 +19,12 @@ import java.util.Properties;
import javax.security.auth.Subject;
-import org.eclipse.jetty.http.security.B64Code;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.B64Code;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
index bfadf40031..a30f60996f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
@@ -2,7 +2,7 @@ package org.eclipse.jetty.security;
import java.security.Principal;
-import org.eclipse.jetty.http.security.B64Code;
+import org.eclipse.jetty.util.security.B64Code;
public class SpnegoUserPrincipal implements Principal
{
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index 8871fb7813..7857b4d46a 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -21,7 +21,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeaders;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
@@ -29,6 +28,7 @@ import org.eclipse.jetty.server.Authentication.User;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.B64Code;
import org.eclipse.jetty.util.StringUtil;
+import org.eclipse.jetty.util.security.Constraint;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index 9efd783b8a..2522037550 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -25,8 +25,6 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
@@ -35,6 +33,8 @@ import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.B64Code;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.security.CertificateValidator;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.security.Password;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index fc324ea81a..08348a7a72 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -28,8 +28,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeaders;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.security.Credential;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
@@ -43,6 +41,8 @@ import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.security.Credential;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index e2710baa16..38b486560e 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -30,7 +30,6 @@ import javax.servlet.http.HttpSession;
import org.eclipse.jetty.http.HttpHeaders;
import org.eclipse.jetty.http.HttpMethods;
import org.eclipse.jetty.http.MimeTypes;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
@@ -43,6 +42,7 @@ import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.security.Constraint;
/**
* FORM Authenticator.
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
index 8ed9a790a0..9df7448468 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
@@ -23,7 +23,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeaders;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
@@ -31,6 +30,7 @@ import org.eclipse.jetty.server.Authentication.User;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.security.Constraint;
public class SpnegoAuthenticator extends LoginAuthenticator
{
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
index 5650e0f4c5..47190675b6 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
@@ -27,8 +27,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.server.Connector;
@@ -41,6 +39,8 @@ import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.util.B64Code;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.security.Password;
import org.junit.After;
import org.junit.Before;
import org.junit.BeforeClass;
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java
index 68220b8dbc..2e24c178c4 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java
@@ -9,7 +9,7 @@ import java.util.concurrent.atomic.AtomicInteger;
import junit.framework.Assert;
-import org.eclipse.jetty.http.security.Credential;
+import org.eclipse.jetty.util.security.Credential;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractConnector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractConnector.java
index 3b171e791c..1a062fdf5d 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractConnector.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractConnector.java
@@ -1046,7 +1046,7 @@ public abstract class AbstractConnector extends HttpBuffers implements Connector
/* ------------------------------------------------------------ */
protected void connectionClosed(Connection connection)
{
- connection.closed();
+ connection.onClose();
if (_statsStartedAt.get() == -1)
return;
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java b/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java
index 7616d2a722..9f5549ba39 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java
@@ -656,7 +656,7 @@ public abstract class AbstractHttpConnection extends AbstractConnection
}
/* ------------------------------------------------------------ */
- public void closed()
+ public void onClose()
{
LOG.debug("closed {}",this);
}
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/Connector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/Connector.java
index ddad84d6aa..95c30b1513 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/Connector.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/Connector.java
@@ -135,14 +135,14 @@ public interface Connector extends LifeCycle
/* ------------------------------------------------------------ */
/**
* @return The port to use when redirecting a request if a data constraint of integral is
- * required. See {@link org.eclipse.jetty.http.security.Constraint#getDataConstraint()}
+ * required. See {@link org.eclipse.jetty.util.security.Constraint#getDataConstraint()}
*/
int getIntegralPort();
/* ------------------------------------------------------------ */
/**
* @return The schema to use when redirecting a request if a data constraint of integral is
- * required. See {@link org.eclipse.jetty.http.security.Constraint#getDataConstraint()}
+ * required. See {@link org.eclipse.jetty.util.security.Constraint#getDataConstraint()}
*/
String getIntegralScheme();
@@ -156,7 +156,7 @@ public interface Connector extends LifeCycle
/* ------------------------------------------------------------ */
/**
* @return The port to use when redirecting a request if a data constraint of confidential is
- * required. See {@link org.eclipse.jetty.http.security.Constraint#getDataConstraint()}
+ * required. See {@link org.eclipse.jetty.util.security.Constraint#getDataConstraint()}
*/
int getConfidentialPort();
@@ -164,7 +164,7 @@ public interface Connector extends LifeCycle
/* ------------------------------------------------------------ */
/**
* @return The schema to use when redirecting a request if a data constraint of confidential is
- * required. See {@link org.eclipse.jetty.http.security.Constraint#getDataConstraint()}
+ * required. See {@link org.eclipse.jetty.util.security.Constraint#getDataConstraint()}
*/
String getConfidentialScheme();
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ConnectHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ConnectHandler.java
index 1e44f943e4..92bbcf46cb 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ConnectHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ConnectHandler.java
@@ -604,7 +604,7 @@ public class ConnectHandler extends HandlerWrapper
return false;
}
- public void closed()
+ public void onClose()
{
}
@@ -665,7 +665,7 @@ public class ConnectHandler extends HandlerWrapper
_endPoint.shutdownOutput();
}
- public void idleExpired()
+ public void onIdleExpired()
{
try
{
@@ -787,7 +787,7 @@ public class ConnectHandler extends HandlerWrapper
return false;
}
- public void closed()
+ public void onClose()
{
}
@@ -832,7 +832,7 @@ public class ConnectHandler extends HandlerWrapper
_endPoint.shutdownOutput();
}
- public void idleExpired()
+ public void onIdleExpired()
{
try
{
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslConnector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslConnector.java
index 1bf6b4680c..fb04d57d61 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslConnector.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslConnector.java
@@ -9,8 +9,8 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
/* ------------------------------------------------------------ */
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java
index d6f4978617..b5e47ba705 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java
@@ -24,7 +24,6 @@ import javax.net.ssl.SSLSocket;
import org.eclipse.jetty.http.HttpParser;
import org.eclipse.jetty.http.HttpSchemes;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.Buffers;
import org.eclipse.jetty.io.Buffers.Type;
import org.eclipse.jetty.io.BuffersFactory;
@@ -37,6 +36,7 @@ import org.eclipse.jetty.io.nio.SslSelectChannelEndPoint;
import org.eclipse.jetty.server.AsyncHttpConnection;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java
index d2859662b2..e8b9ed85bc 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java
@@ -26,7 +26,6 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.eclipse.jetty.http.HttpSchemes;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.RuntimeIOException;
import org.eclipse.jetty.io.bio.SocketEndPoint;
@@ -34,6 +33,7 @@ import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.bio.SocketConnector;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ConnectHandlerSSLTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ConnectHandlerSSLTest.java
index 9bae25a863..07977ee247 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ConnectHandlerSSLTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/handler/ConnectHandlerSSLTest.java
@@ -24,10 +24,10 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
index fc0f4abc77..c0d39e2bf2 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
@@ -44,13 +44,13 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.IO;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLSelectChannelConnectorLoadTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLSelectChannelConnectorLoadTest.java
index 72fe6e38b9..79ef7d32f2 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLSelectChannelConnectorLoadTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLSelectChannelConnectorLoadTest.java
@@ -22,10 +22,10 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslRenegotiateTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslRenegotiateTest.java
index d56e42678a..9508e2109e 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslRenegotiateTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslRenegotiateTest.java
@@ -21,7 +21,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.nio.IndirectNIOBuffer;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Request;
@@ -31,6 +30,7 @@ import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.Test;
public class SslRenegotiateTest
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java
index 50cb232575..c85a112aa5 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java
@@ -20,8 +20,8 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.HttpServerTestBase;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelTimeoutTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelTimeoutTest.java
index 6ae5b990d4..364f56ee70 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelTimeoutTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelTimeoutTest.java
@@ -20,8 +20,8 @@ import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.ConnectorTimeoutTest;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java
index e7d7997a8d..1fce51291d 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java
@@ -20,8 +20,8 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.HttpServerTestBase;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java
index 871181be46..c51b80595e 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java
@@ -21,8 +21,8 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.ConnectorTimeoutTest;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.BeforeClass;
public class SslSocketTimeoutTest extends ConnectorTimeoutTest
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslTruncationAttackTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslTruncationAttackTest.java
index 1e2933b94f..c21c0be10a 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslTruncationAttackTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslTruncationAttackTest.java
@@ -18,7 +18,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpParser;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.Connection;
import org.eclipse.jetty.io.nio.AsyncConnection;
import org.eclipse.jetty.io.nio.SelectChannelEndPoint;
@@ -28,6 +27,7 @@ import org.eclipse.jetty.server.AsyncHttpConnection;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslUploadTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslUploadTest.java
index 7bcf8a3e79..e3a15e42ff 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslUploadTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslUploadTest.java
@@ -31,11 +31,11 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.IO;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/security/B64Code.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/B64Code.java
index 99550ee2ed..ded3a40c53 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/security/B64Code.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/B64Code.java
@@ -12,7 +12,7 @@
// ========================================================================
-package org.eclipse.jetty.http.security;
+package org.eclipse.jetty.util.security;
/* ------------------------------------------------------------ */
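Review bot: After this move there are two Base64 helpers with the same simple name under `org.eclipse.jetty.util`. Other hunks in this commit keep `import org.eclipse.jetty.util.B64Code;` (BasicAuthenticator, ClientCertAuthenticator, ConstraintTest), while SpnegoLoginService and SpnegoUserPrincipal now import `org.eclipse.jetty.util.security.B64Code`. Two encoders that handle credential material, presumably in the same module, make it easy for an auto-import to pick the wrong one and for the implementations to drift apart. I would fold this class into the existing one, or at least add a class comment saying which is canonical, for example `/** Duplicate of org.eclipse.jetty.util.B64Code; prefer that class in new code. */`. The class body is outside the hunk, so whether the two differ in behaviour cannot be checked from here.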
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/security/Constraint.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Constraint.java
index 984a8aa471..320625ca96 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/security/Constraint.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Constraint.java
@@ -11,7 +11,7 @@
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
-package org.eclipse.jetty.http.security;
+package org.eclipse.jetty.util.security;
import java.io.Serializable;
import java.util.Arrays;
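Review bot: The new `package org.eclipse.jetty.util.security;` line changes the class's fully qualified name, and the hunk shows `java.io.Serializable` imported. If `Constraint` is in fact serializable (its declaration is outside the hunk), instances written under `org.eclipse.jetty.http.security` will fail to deserialize after an upgrade. The `Credential.java` hunk that follows has the same shape. Nothing in the visible part of the diff leaves a forwarding type under the old package, so configuration that names these classes by string would presumably stop resolving as well. I would record the move in the release notes and add a comment above the package line, such as `// moved from org.eclipse.jetty.http.security; serialized forms and class-name references must be updated`.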
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/security/Credential.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
index 93dfa1c5f4..c0fe0b36f7 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/security/Credential.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
@@ -11,7 +11,7 @@
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
-package org.eclipse.jetty.http.security;
+package org.eclipse.jetty.util.security;
import java.io.Serializable;
import java.security.MessageDigest;
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/security/Password.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java
index fdaf58741e..76d33a0de7 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/security/Password.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java
@@ -11,7 +11,7 @@
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
-package org.eclipse.jetty.http.security;
+package org.eclipse.jetty.util.security;
import java.io.IOException;
import java.util.Arrays;
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/security/UnixCrypt.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/UnixCrypt.java
index 96f472d464..e3f98e807f 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/security/UnixCrypt.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/UnixCrypt.java
@@ -21,7 +21,7 @@
* by Iris Van den Broeke, Daniel Deville
*/
-package org.eclipse.jetty.http.security;
+package org.eclipse.jetty.util.security;
/* ------------------------------------------------------------ */
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/AliasedX509ExtendedKeyManager.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/AliasedX509ExtendedKeyManager.java
index 5e128ddfc5..cbff56277d 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/AliasedX509ExtendedKeyManager.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/AliasedX509ExtendedKeyManager.java
@@ -14,7 +14,7 @@
//You may elect to redistribute this code under either of these licenses.
//========================================================================
-package org.eclipse.jetty.http.ssl;
+package org.eclipse.jetty.util.ssl;
import java.net.Socket;
import java.security.Principal;
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/AliasedX509KeyManager.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/AliasedX509KeyManager.java
index 955c1452de..5630882167 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/AliasedX509KeyManager.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/AliasedX509KeyManager.java
@@ -14,7 +14,7 @@
//You may elect to redistribute this code under either of these licenses.
//========================================================================
-package org.eclipse.jetty.http.ssl;
+package org.eclipse.jetty.util.ssl;
import java.net.Socket;
import java.security.Principal;
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
new file mode 100644
index 0000000000..4e7865172e
--- /dev/null
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -0,0 +1,1528 @@
+//========================================================================
+//Copyright (c) Webtide LLC
+//------------------------------------------------------------------------
+//All rights reserved. This program and the accompanying materials
+//are made available under the terms of the Eclipse Public License v1.0
+//and Apache License v2.0 which accompanies this distribution.
+//
+//The Eclipse Public License is available at
+//http://www.eclipse.org/legal/epl-v10.html
+//
+//The Apache License v2.0 is available at
+//http://www.apache.org/licenses/LICENSE-2.0.txt
+//
+//You may elect to redistribute this code under either of these licenses.
+//========================================================================
+
+package org.eclipse.jetty.util.ssl;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.security.InvalidParameterException;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.CRL;
+import java.security.cert.CertStore;
+import java.security.cert.Certificate;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.eclipse.jetty.util.IO;
+import org.eclipse.jetty.util.component.AbstractLifeCycle;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
+import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.CertificateUtils;
+import org.eclipse.jetty.util.security.CertificateValidator;
+import org.eclipse.jetty.util.security.Password;
+
+
+/* ------------------------------------------------------------ */
+/**
+ * SslContextFactory is used to configure SSL connectors
+ * as well as HttpClient. It holds all SSL parameters and
+ * creates SSL context based on these parameters to be
+ * used by the SSL connectors.
+ */
+public class SslContextFactory extends AbstractLifeCycle
+{
+ private static final Logger LOG = Log.getLogger(SslContextFactory.class);
+
+ public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
+ (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
+ "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
+ public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
+ (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
+ "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
+
+ /** Default value for the keystore location path. */
+ public static final String DEFAULT_KEYSTORE_PATH =
+ System.getProperty("user.home") + File.separator + ".keystore";
+
+ /** String name of key password property. */
+ public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
+
+ /** String name of keystore password property. */
+ public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
+
+ /** Excluded protocols. */
+ private final Set<String> _excludeProtocols = new HashSet<String>();
+ // private final Set<String> _excludeProtocols = new HashSet<String>(Collections.singleton("SSLv2Hello"));
+ /** Included protocols. */
+ private Set<String> _includeProtocols = null;
+
+ /** Excluded cipher suites. */
+ private final Set<String> _excludeCipherSuites = new HashSet<String>();
+ /** Included cipher suites. */
+ private Set<String> _includeCipherSuites = null;
+
+ /** Keystore path. */
+ private String _keyStorePath;
+ /** Keystore provider name */
+ private String _keyStoreProvider;
+ /** Keystore type */
+ private String _keyStoreType = "JKS";
+ /** Keystore input stream */
+ private InputStream _keyStoreInputStream;
+
+ /** SSL certificate alias */
+ private String _certAlias;
+
+ /** Truststore path */
+ private String _trustStorePath;
+ /** Truststore provider name */
+ private String _trustStoreProvider;
+ /** Truststore type */
+ private String _trustStoreType = "JKS";
+ /** Truststore input stream */
+ private InputStream _trustStoreInputStream;
+
+ /** Set to true if client certificate authentication is required */
+ private boolean _needClientAuth = false;
+ /** Set to true if client certificate authentication is desired */
+ private boolean _wantClientAuth = false;
+
+ /** Set to true if renegotiation is allowed */
+ private boolean _allowRenegotiate = true;
+
+ /** Keystore password */
+ private transient Password _keyStorePassword;
+ /** Key manager password */
+ private transient Password _keyManagerPassword;
+ /** Truststore password */
+ private transient Password _trustStorePassword;
+
+ /** SSL provider name */
+ private String _sslProvider;
+ /** SSL protocol name */
+ private String _sslProtocol = "TLS";
+
+ /** SecureRandom algorithm */
+ private String _secureRandomAlgorithm;
+ /** KeyManager factory algorithm */
+ private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
+ /** TrustManager factory algorithm */
+ private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
+
+ /** Set to true if SSL certificate validation is required */
+ private boolean _validateCerts;
+ /** Set to true if SSL certificate of the peer validation is required */
+ private boolean _validatePeerCerts;
+ /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
+ private int _maxCertPathLength = -1;
+ /** Path to file that contains Certificate Revocation List */
+ private String _crlPath;
+ /** Set to true to enable CRL Distribution Points (CRLDP) support */
+ private boolean _enableCRLDP = false;
+ /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */
+ private boolean _enableOCSP = false;
+ /** Location of OCSP Responder */
+ private String _ocspResponderURL;
+
+ /** SSL keystore */
+ private KeyStore _keyStore;
+ /** SSL truststore */
+ private KeyStore _trustStore;
+ /** Set to true to enable SSL Session caching */
+ private boolean _sessionCachingEnabled = true;
+ /** SSL session cache size */
+ private int _sslSessionCacheSize;
+ /** SSL session timeout */
+ private int _sslSessionTimeout;
+
+ /** SSL context */
+ private SSLContext _context;
+
+ private boolean _trustAll;
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Construct an instance of SslContextFactory
+ * Default constructor for use in XmlConfiguration files
+ */
+ public SslContextFactory()
+ {
+ _trustAll=true;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Construct an instance of SslContextFactory
+ * Default constructor for use in XmlConfiguration files
+ */
+ public SslContextFactory(boolean trustAll)
+ {
+ _trustAll=trustAll;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Construct an instance of SslContextFactory
+ * @param keyStorePath default keystore location
+ */
+ public SslContextFactory(String keyStorePath)
+ {
+ _keyStorePath = keyStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Create the SSLContext object and start the lifecycle
+ * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
+ */
+ @Override
+ protected void doStart() throws Exception
+ {
+ if (_context == null)
+ {
+ if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
+ _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
+ {
+ TrustManager[] trust_managers=null;
+
+ if (_trustAll)
+ {
+ LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
+ // Create a trust manager that does not validate certificate chains
+ TrustManager trustAllCerts = new X509TrustManager()
+ {
+ public java.security.cert.X509Certificate[] getAcceptedIssuers()
+ {
+ return null;
+ }
+
+ public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
+ {
+ }
+
+ public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
+ {
+ }
+ };
+ trust_managers = new TrustManager[] { trustAllCerts };
+ }
+
+ SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
+ _context = SSLContext.getInstance(_sslProtocol);
+ _context.init(null, trust_managers, secureRandom);
+ }
+ else
+ {
+ // verify that keystore and truststore
+ // parameters are set up correctly
+ try
+ {
+ checkKeyStore();
+ }
+ catch(IllegalStateException e)
+ {
+ LOG.ignore(e);
+ }
+
+ KeyStore keyStore = loadKeyStore();
+ KeyStore trustStore = loadTrustStore();
+
+ Collection<? extends CRL> crls = loadCRL(_crlPath);
+
+ if (_validateCerts && keyStore != null)
+ {
+ if (_certAlias == null)
+ {
+ List<String> aliases = Collections.list(keyStore.aliases());
+ _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
+ }
+
+ Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
+ if (cert == null)
+ {
+ throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
+ }
+
+ CertificateValidator validator = new CertificateValidator(trustStore, crls);
+ validator.setMaxCertPathLength(_maxCertPathLength);
+ validator.setEnableCRLDP(_enableCRLDP);
+ validator.setEnableOCSP(_enableOCSP);
+ validator.setOcspResponderURL(_ocspResponderURL);
+ validator.validate(keyStore, cert);
+ }
+
+ KeyManager[] keyManagers = getKeyManagers(keyStore);
+ TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
+
+ SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
+ _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
+ _context.init(keyManagers,trustManagers,secureRandom);
+
+ SSLEngine engine=newSslEngine();
+
+ LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
+ if (LOG.isDebugEnabled())
+ LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
+ }
+ }
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The array of protocol names to exclude from
+ * {@link SSLEngine#setEnabledProtocols(String[])}
+ */
+ public String[] getExcludeProtocols()
+ {
+ return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param Protocols
+ * The array of protocol names to exclude from
+ * {@link SSLEngine#setEnabledProtocols(String[])}
+ */
+ public void setExcludeProtocols(String... protocols)
+ {
+ checkNotStarted();
+
+ _excludeProtocols.clear();
+ _excludeProtocols.addAll(Arrays.asList(protocols));
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])}
+ */
+ public void addExcludeProtocols(String... protocol)
+ {
+ checkNotStarted();
+ _excludeProtocols.addAll(Arrays.asList(protocol));
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The array of protocol names to include in
+ * {@link SSLEngine#setEnabledProtocols(String[])}
+ */
+ public String[] getIncludeProtocols()
+ {
+ return _includeProtocols.toArray(new String[_includeProtocols.size()]);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param Protocols
+ * The array of protocol names to include in
+ * {@link SSLEngine#setEnabledProtocols(String[])}
+ */
+ public void setIncludeProtocols(String... protocols)
+ {
+ checkNotStarted();
+
+ _includeProtocols = new HashSet<String>(Arrays.asList(protocols));
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The array of cipher suite names to exclude from
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public String[] getExcludeCipherSuites()
+ {
+ return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param cipherSuites
+ * The array of cipher suite names to exclude from
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public void setExcludeCipherSuites(String... cipherSuites)
+ {
+ checkNotStarted();
+ _excludeCipherSuites.clear();
+ _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public void addExcludeCipherSuites(String... cipher)
+ {
+ checkNotStarted();
+ _excludeCipherSuites.addAll(Arrays.asList(cipher));
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The array of cipher suite names to include in
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public String[] getIncludeCipherSuites()
+ {
+ return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param cipherSuites
+ * The array of cipher suite names to include in
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public void setIncludeCipherSuites(String... cipherSuites)
+ {
+ checkNotStarted();
+
+ _includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The file or URL of the SSL Key store.
+ */
+ public String getKeyStorePath()
+ {
+ return _keyStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ @Deprecated
+ public String getKeyStore()
+ {
+ return _keyStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keyStorePath
+ * The file or URL of the SSL Key store.
+ */
+ public void setKeyStorePath(String keyStorePath)
+ {
+ checkNotStarted();
+
+ _keyStorePath = keyStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keyStorePath
+ * @deprecated Use {@link #setKeyStorePath(String)}
+ */
+ @Deprecated
+ public void setKeyStore(String keyStorePath)
+ {
+ checkNotStarted();
+
+ _keyStorePath = keyStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The provider of the key store
+ */
+ public String getKeyStoreProvider()
+ {
+ return _keyStoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keyStoreProvider
+ * The provider of the key store
+ */
+ public void setKeyStoreProvider(String keyStoreProvider)
+ {
+ checkNotStarted();
+
+ _keyStoreProvider = keyStoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The type of the key store (default "JKS")
+ */
+ public String getKeyStoreType()
+ {
+ return (_keyStoreType);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keyStoreType
+ * The type of the key store (default "JKS")
+ */
+ public void setKeyStoreType(String keyStoreType)
+ {
+ checkNotStarted();
+
+ _keyStoreType = keyStoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Get the _keyStoreInputStream.
+ * @return the _keyStoreInputStream
+ *
+ * @deprecated
+ */
+ @Deprecated
+ public InputStream getKeyStoreInputStream()
+ {
+ checkKeyStore();
+
+ return _keyStoreInputStream;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the keyStoreInputStream.
+ * @param keyStoreInputStream the InputStream to the KeyStore
+ *
+ * @deprecated Use {@link #setKeyStore(KeyStore)}
+ */
+ @Deprecated
+ public void setKeyStoreInputStream(InputStream keyStoreInputStream)
+ {
+ checkNotStarted();
+
+ _keyStoreInputStream = keyStoreInputStream;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Alias of SSL certificate for the connector
+ */
+ public String getCertAlias()
+ {
+ return _certAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param certAlias
+ * Alias of SSL certificate for the connector
+ */
+ public void setCertAlias(String certAlias)
+ {
+ checkNotStarted();
+
+ _certAlias = certAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The file name or URL of the trust store location
+ */
+ public String getTrustStore()
+ {
+ return _trustStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param trustStorePath
+ * The file name or URL of the trust store location
+ */
+ public void setTrustStore(String trustStorePath)
+ {
+ checkNotStarted();
+
+ _trustStorePath = trustStorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The provider of the trust store
+ */
+ public String getTrustStoreProvider()
+ {
+ return _trustStoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param trustStoreProvider
+ * The provider of the trust store
+ */
+ public void setTrustStoreProvider(String trustStoreProvider)
+ {
+ checkNotStarted();
+
+ _trustStoreProvider = trustStoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The type of the trust store (default "JKS")
+ */
+ public String getTrustStoreType()
+ {
+ return _trustStoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param trustStoreType
+ * The type of the trust store (default "JKS")
+ */
+ public void setTrustStoreType(String trustStoreType)
+ {
+ checkNotStarted();
+
+ _trustStoreType = trustStoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Get the _trustStoreInputStream.
+ * @return the _trustStoreInputStream
+ *
+ * @deprecated
+ */
+ @Deprecated
+ public InputStream getTrustStoreInputStream()
+ {
+ checkKeyStore();
+
+ return _trustStoreInputStream;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the _trustStoreInputStream.
+ * @param trustStoreInputStream the InputStream to the TrustStore
+ *
+ * @deprecated
+ */
+ @Deprecated
+ public void setTrustStoreInputStream(InputStream trustStoreInputStream)
+ {
+ checkNotStarted();
+
+ _trustStoreInputStream = trustStoreInputStream;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL needs client authentication.
+ * @see SSLEngine#getNeedClientAuth()
+ */
+ public boolean getNeedClientAuth()
+ {
+ return _needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param needClientAuth
+ * True if SSL needs client authentication.
+ * @see SSLEngine#getNeedClientAuth()
+ */
+ public void setNeedClientAuth(boolean needClientAuth)
+ {
+ checkNotStarted();
+
+ _needClientAuth = needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL wants client authentication.
+ * @see SSLEngine#getWantClientAuth()
+ */
+ public boolean getWantClientAuth()
+ {
+ return _wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param wantClientAuth
+ * True if SSL wants client authentication.
+ * @see SSLEngine#getWantClientAuth()
+ */
+ public void setWantClientAuth(boolean wantClientAuth)
+ {
+ checkNotStarted();
+
+ _wantClientAuth = wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if SSL certificate has to be validated
+ * @deprecated
+ */
+ @Deprecated
+ public boolean getValidateCerts()
+ {
+ return _validateCerts;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if SSL certificate has to be validated
+ */
+ public boolean isValidateCerts()
+ {
+ return _validateCerts;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param validateCerts
+ * true if SSL certificates have to be validated
+ */
+ public void setValidateCerts(boolean validateCerts)
+ {
+ checkNotStarted();
+
+ _validateCerts = validateCerts;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if SSL certificates of the peer have to be validated
+ */
+ public boolean isValidatePeerCerts()
+ {
+ return _validatePeerCerts;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param validatePeerCerts
+ * true if SSL certificates of the peer have to be validated
+ */
+ public void setValidatePeerCerts(boolean validatePeerCerts)
+ {
+ checkNotStarted();
+
+ _validatePeerCerts = validatePeerCerts;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL re-negotiation is allowed (default false)
+ */
+ public boolean isAllowRenegotiate()
+ {
+ return _allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
+ * a vulnerability in SSL/TLS with re-negotiation. If your JVM
+ * does not have CVE-2009-3555 fixed, then re-negotiation should
+ * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
+ * of renegotiates in u19 and with RFC5746 in u22.
+ *
+ * @param allowRenegotiate
+ * true if re-negotiation is allowed (default false)
+ */
+ public void setAllowRenegotiate(boolean allowRenegotiate)
+ {
+ checkNotStarted();
+
+ _allowRenegotiate = allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param password
+ * The password for the key store
+ */
+ public void setKeyStorePassword(String password)
+ {
+ checkNotStarted();
+
+ _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param password
+ * The password (if any) for the specific key within the key store
+ */
+ public void setKeyManagerPassword(String password)
+ {
+ checkNotStarted();
+
+ _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param password
+ * The password for the trust store
+ */
+ public void setTrustStorePassword(String password)
+ {
+ checkNotStarted();
+
+ _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The SSL provider name, which if set is passed to
+ * {@link SSLContext#getInstance(String, String)}
+ */
+ public String getProvider()
+ {
+ return _sslProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param provider
+ * The SSL provider name, which if set is passed to
+ * {@link SSLContext#getInstance(String, String)}
+ */
+ public void setProvider(String provider)
+ {
+ checkNotStarted();
+
+ _sslProvider = provider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The SSL protocol (default "TLS") passed to
+ * {@link SSLContext#getInstance(String, String)}
+ */
+ public String getProtocol()
+ {
+ return _sslProtocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param protocol
+ * The SSL protocol (default "TLS") passed to
+ * {@link SSLContext#getInstance(String, String)}
+ */
+ public void setProtocol(String protocol)
+ {
+ checkNotStarted();
+
+ _sslProtocol = protocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The algorithm name, which if set is passed to
+ * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
+ * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
+ */
+ public String getSecureRandomAlgorithm()
+ {
+ return _secureRandomAlgorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param algorithm
+ * The algorithm name, which if set is passed to
+ * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
+ * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
+ */
+ public void setSecureRandomAlgorithm(String algorithm)
+ {
+ checkNotStarted();
+
+ _secureRandomAlgorithm = algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
+ */
+ public String getSslKeyManagerFactoryAlgorithm()
+ {
+ return (_keyManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param algorithm
+ * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
+ */
+ public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+ {
+ checkNotStarted();
+
+ _keyManagerFactoryAlgorithm = algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
+ */
+ public String getTrustManagerFactoryAlgorithm()
+ {
+ return (_trustManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if all certificates should be trusted if there is no KeyStore or TrustStore
+ */
+ public boolean isTrustAll()
+ {
+ return _trustAll;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore
+ */
+ public void setTrustAll(boolean trustAll)
+ {
+ _trustAll = trustAll;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param algorithm
+ * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
+ * Use the string "TrustAll" to install a trust manager that trusts all.
+ */
+ public void setTrustManagerFactoryAlgorithm(String algorithm)
+ {
+ checkNotStarted();
+
+ _trustManagerFactoryAlgorithm = algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Path to file that contains Certificate Revocation List
+ */
+ public String getCrlPath()
+ {
+ return _crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param crlPath
+ * Path to file that contains Certificate Revocation List
+ */
+ public void setCrlPath(String crlPath)
+ {
+ checkNotStarted();
+
+ _crlPath = crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Maximum number of intermediate certificates in
+ * the certification path (-1 for unlimited)
+ */
+ public int getMaxCertPathLength()
+ {
+ return _maxCertPathLength;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param maxCertPathLength
+ * maximum number of intermediate certificates in
+ * the certification path (-1 for unlimited)
+ */
+ public void setMaxCertPathLength(int maxCertPathLength)
+ {
+ checkNotStarted();
+
+ _maxCertPathLength = maxCertPathLength;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The SSLContext
+ */
+ public SSLContext getSslContext()
+ {
+ if (!isStarted())
+ throw new IllegalStateException(getState());
+ return _context;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param sslContext
+ * Set a preconfigured SSLContext
+ */
+ public void setSslContext(SSLContext sslContext)
+ {
+ checkNotStarted();
+
+ _context = sslContext;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Override this method to provide alternate way to load a keystore.
+ *
+ * @return the key store instance
+ * @throws Exception
+ */
+ protected KeyStore loadKeyStore() throws Exception
+ {
+ return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
+ _keyStorePath, _keyStoreType, _keyStoreProvider,
+ _keyStorePassword==null? null: _keyStorePassword.toString());
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Override this method to provide alternate way to load a truststore.
+ *
+ * @return the key store instance
+ * @throws Exception
+ */
+ protected KeyStore loadTrustStore() throws Exception
+ {
+ return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
+ _trustStorePath, _trustStoreType, _trustStoreProvider,
+ _trustStorePassword==null? null: _trustStorePassword.toString());
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Loads keystore using an input stream or a file path in the same
+ * order of precedence.
+ *
+ * Required for integrations to be able to override the mechanism
+ * used to load a keystore in order to provide their own implementation.
+ *
+ * @param storeStream keystore input stream
+ * @param storePath path of keystore file
+ * @param storeType keystore type
+ * @param storeProvider keystore provider
+ * @param storePassword keystore password
+ * @return created keystore
+ * @throws Exception
+ *
+ * @deprecated
+ */
+ @Deprecated
+ protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
+ {
+ return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Loads certificate revocation list (CRL) from a file.
+ *
+ * Required for integrations to be able to override the mechanism used to
+ * load CRL in order to provide their own implementation.
+ *
+ * @param crlPath path of certificate revocation list file
+ * @return Collection of CRL's
+ * @throws Exception
+ */
+ protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
+ {
+ return CertificateUtils.loadCRL(crlPath);
+ }
+
+ /* ------------------------------------------------------------ */
+ protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
+ {
+ KeyManager[] managers = null;
+
+ if (keyStore != null)
+ {
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
+ keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
+ managers = keyManagerFactory.getKeyManagers();
+
+ if (_certAlias != null)
+ {
+ for (int idx = 0; idx < managers.length; idx++)
+ {
+ if (managers[idx] instanceof X509KeyManager)
+ {
+ managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
+ }
+ }
+ }
+ }
+
+ return managers;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ {
+ TrustManager[] managers = null;
+ if (trustStore != null)
+ {
+ // Revocation checking is only supported for PKIX algorithm
+ if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
+ {
+ PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
+
+ // Set maximum certification path length
+ pbParams.setMaxPathLength(_maxCertPathLength);
+
+ // Make sure revocation checking is enabled
+ pbParams.setRevocationEnabled(true);
+
+ if (crls != null && !crls.isEmpty())
+ {
+ pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
+ }
+
+ if (_enableCRLDP)
+ {
+ // Enable Certificate Revocation List Distribution Points (CRLDP) support
+ System.setProperty("com.sun.security.enableCRLDP","true");
+ }
+
+ if (_enableOCSP)
+ {
+ // Enable On-Line Certificate Status Protocol (OCSP) support
+ Security.setProperty("ocsp.enable","true");
+
+ if (_ocspResponderURL != null)
+ {
+ // Override location of OCSP Responder
+ Security.setProperty("ocsp.responderURL", _ocspResponderURL);
+ }
+ }
+
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
+ trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
+
+ managers = trustManagerFactory.getTrustManagers();
+ }
+ else
+ {
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
+ trustManagerFactory.init(trustStore);
+
+ managers = trustManagerFactory.getTrustManagers();
+ }
+ }
+
+ return managers;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Check KetyStore Configuration. Ensures that if keystore has been
+ * configured but there's no truststore, that keystore is
+ * used as truststore.
+ * @throws IllegalStateException if SslContextFactory configuration can't be used.
+ */
+ public void checkKeyStore()
+ {
+ if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
+ throw new IllegalStateException("SSL doesn't have a valid keystore");
+
+ // if the keystore has been configured but there is no
+ // truststore configured, use the keystore as the truststore
+ if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
+ {
+ _trustStore = _keyStore;
+ _trustStorePath = _keyStorePath;
+ _trustStoreInputStream = _keyStoreInputStream;
+ _trustStoreType = _keyStoreType;
+ _trustStoreProvider = _keyStoreProvider;
+ _trustStorePassword = _keyStorePassword;
+ _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
+ }
+
+ // It's the same stream we cannot read it twice, so read it once in memory
+ if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
+ {
+ try
+ {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ IO.copy(_keyStoreInputStream, baos);
+ _keyStoreInputStream.close();
+
+ _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
+ _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
+ }
+ catch (Exception ex)
+ {
+ throw new IllegalStateException(ex);
+ }
+ }
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Select cipher suites to be used by the connector
+ * based on configured inclusion and exclusion lists
+ * as well as enabled and supported cipher suite lists.
+ * @param enabledCipherSuites Array of enabled cipher suites
+ * @param supportedCipherSuites Array of supported cipher suites
+ * @return Array of cipher suites to enable
+ */
+ public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
+ {
+ Set<String> selected_protocols = new HashSet<String>();
+
+ // Set the starting protocols - either from the included or enabled list
+ if (_includeProtocols!=null)
+ {
+ // Use only the supported included protocols
+ for (String protocol : supportedProtocols)
+ if (_includeProtocols.contains(protocol))
+ selected_protocols.add(protocol);
+ }
+ else
+ selected_protocols.addAll(Arrays.asList(enabledProtocols));
+
+
+ // Remove any excluded protocols
+ if (_excludeProtocols != null)
+ selected_protocols.removeAll(_excludeProtocols);
+
+ return selected_protocols.toArray(new String[selected_protocols.size()]);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Select cipher suites to be used by the connector
+ * based on configured inclusion and exclusion lists
+ * as well as enabled and supported cipher suite lists.
+ * @param enabledCipherSuites Array of enabled cipher suites
+ * @param supportedCipherSuites Array of supported cipher suites
+ * @return Array of cipher suites to enable
+ */
+ public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
+ {
+ Set<String> selected_ciphers = new HashSet<String>();
+
+ // Set the starting ciphers - either from the included or enabled list
+ if (_includeCipherSuites!=null)
+ {
+ // Use only the supported included ciphers
+ for (String cipherSuite : supportedCipherSuites)
+ if (_includeCipherSuites.contains(cipherSuite))
+ selected_ciphers.add(cipherSuite);
+ }
+ else
+ selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
+
+
+ // Remove any excluded ciphers
+ if (_excludeCipherSuites != null)
+ selected_ciphers.removeAll(_excludeCipherSuites);
+ return selected_ciphers.toArray(new String[selected_ciphers.size()]);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Check if the lifecycle has been started and throw runtime exception
+ */
+ protected void checkNotStarted()
+ {
+ if (isStarted())
+ throw new IllegalStateException("Cannot modify configuration when "+getState());
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if CRL Distribution Points support is enabled
+ */
+ public boolean isEnableCRLDP()
+ {
+ return _enableCRLDP;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Enables CRL Distribution Points Support
+ * @param enableCRLDP true - turn on, false - turns off
+ */
+ public void setEnableCRLDP(boolean enableCRLDP)
+ {
+ checkNotStarted();
+
+ _enableCRLDP = enableCRLDP;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if On-Line Certificate Status Protocol support is enabled
+ */
+ public boolean isEnableOCSP()
+ {
+ return _enableOCSP;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Enables On-Line Certificate Status Protocol support
+ * @param enableOCSP true - turn on, false - turn off
+ */
+ public void setEnableOCSP(boolean enableOCSP)
+ {
+ checkNotStarted();
+
+ _enableOCSP = enableOCSP;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Location of the OCSP Responder
+ */
+ public String getOcspResponderURL()
+ {
+ return _ocspResponderURL;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the location of the OCSP Responder.
+ * @param ocspResponderURL location of the OCSP Responder
+ */
+ public void setOcspResponderURL(String ocspResponderURL)
+ {
+ checkNotStarted();
+
+ _ocspResponderURL = ocspResponderURL;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the key store.
+ * @param keyStore the key store to set
+ */
+ public void setKeyStore(KeyStore keyStore)
+ {
+ checkNotStarted();
+
+ _keyStore = keyStore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the trust store.
+ * @param trustStore the trust store to set
+ */
+ public void setTrustStore(KeyStore trustStore)
+ {
+ checkNotStarted();
+
+ _trustStore = trustStore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the key store resource.
+ * @param resource the key store resource to set
+ */
+ public void setKeyStoreResource(Resource resource)
+ {
+ checkNotStarted();
+
+ try
+ {
+ _keyStoreInputStream = resource.getInputStream();
+ }
+ catch (IOException e)
+ {
+ throw new InvalidParameterException("Unable to get resource "+
+ "input stream for resource "+resource.toString());
+ }
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the trust store resource.
+ * @param resource the trust store resource to set
+ */
+ public void setTrustStore(Resource resource)
+ {
+ checkNotStarted();
+
+ try
+ {
+ _trustStoreInputStream = resource.getInputStream();
+ }
+ catch (IOException e)
+ {
+ throw new InvalidParameterException("Unable to get resource "+
+ "input stream for resource "+resource.toString());
+ }
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if SSL Session caching is enabled
+ */
+ public boolean isSessionCachingEnabled()
+ {
+ return _sessionCachingEnabled;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set the flag to enable SSL Session caching.
+ * @param enableSessionCaching the value of the flag
+ */
+ public void setSessionCachingEnabled(boolean enableSessionCaching)
+ {
+ _sessionCachingEnabled = enableSessionCaching;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Get SSL session cache size.
+ * @return SSL session cache size
+ */
+ public int getSslSessionCacheSize()
+ {
+ return _sslSessionCacheSize;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** SEt SSL session cache size.
+ * @param sslSessionCacheSize SSL session cache size to set
+ */
+ public void setSslSessionCacheSize(int sslSessionCacheSize)
+ {
+ _sslSessionCacheSize = sslSessionCacheSize;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Get SSL session timeout.
+ * @return SSL session timeout
+ */
+ public int getSslSessionTimeout()
+ {
+ return _sslSessionTimeout;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set SSL session timeout.
+ * @param sslSessionTimeout SSL session timeout to set
+ */
+ public void setSslSessionTimeout(int sslSessionTimeout)
+ {
+ _sslSessionTimeout = sslSessionTimeout;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
+ {
+ SSLServerSocketFactory factory = _context.getServerSocketFactory();
+
+ SSLServerSocket socket =
+ (SSLServerSocket) (host==null ?
+ factory.createServerSocket(port,backlog):
+ factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
+
+ if (getWantClientAuth())
+ socket.setWantClientAuth(getWantClientAuth());
+ if (getNeedClientAuth())
+ socket.setNeedClientAuth(getNeedClientAuth());
+
+ socket.setEnabledCipherSuites(selectCipherSuites(
+ socket.getEnabledCipherSuites(),
+ socket.getSupportedCipherSuites()));
+ socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
+
+ return socket;
+ }
+
+ /* ------------------------------------------------------------ */
+ public SSLSocket newSslSocket() throws IOException
+ {
+ SSLSocketFactory factory = _context.getSocketFactory();
+
+ SSLSocket socket = (SSLSocket)factory.createSocket();
+
+ if (getWantClientAuth())
+ socket.setWantClientAuth(getWantClientAuth());
+ if (getNeedClientAuth())
+ socket.setNeedClientAuth(getNeedClientAuth());
+
+ socket.setEnabledCipherSuites(selectCipherSuites(
+ socket.getEnabledCipherSuites(),
+ socket.getSupportedCipherSuites()));
+ socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
+
+ return socket;
+ }
+
+ /* ------------------------------------------------------------ */
+ public SSLEngine newSslEngine(String host,int port)
+ {
+ SSLEngine sslEngine=isSessionCachingEnabled()
+ ?_context.createSSLEngine(host, port)
+ :_context.createSSLEngine();
+
+ customize(sslEngine);
+ return sslEngine;
+ }
+
+ /* ------------------------------------------------------------ */
+ public SSLEngine newSslEngine()
+ {
+ SSLEngine sslEngine=_context.createSSLEngine();
+ customize(sslEngine);
+ return sslEngine;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void customize(SSLEngine sslEngine)
+ {
+ if (getWantClientAuth())
+ sslEngine.setWantClientAuth(getWantClientAuth());
+ if (getNeedClientAuth())
+ sslEngine.setNeedClientAuth(getNeedClientAuth());
+
+ sslEngine.setEnabledCipherSuites(selectCipherSuites(
+ sslEngine.getEnabledCipherSuites(),
+ sslEngine.getSupportedCipherSuites()));
+
+ sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
+ }
+
+}
diff --git a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java
index 26cd6df175..db5ec955af 100644
--- a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java
+++ b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java
@@ -26,7 +26,6 @@ import java.util.Map;
import javax.servlet.ServletException;
-import org.eclipse.jetty.http.security.Constraint;
import org.eclipse.jetty.security.ConstraintAware;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
@@ -42,6 +41,7 @@ import org.eclipse.jetty.util.Loader;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.xml.XmlParser;
/**
diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketClientFactory.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketClientFactory.java
index 46b0ed3a99..699d35f4cb 100644
--- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketClientFactory.java
+++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketClientFactory.java
@@ -233,7 +233,7 @@ public class WebSocketClientFactory extends AggregateLifeCycle
@Override
protected void endPointClosed(SelectChannelEndPoint endpoint)
{
- endpoint.getConnection().closed();
+ endpoint.getConnection().onClose();
}
@Override
@@ -426,7 +426,7 @@ public class WebSocketClientFactory extends AggregateLifeCycle
return false;
}
- public void closed()
+ public void onClose()
{
if (_error!=null)
_future.handshakeFailed(new ProtocolException(_error));
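Review bot: The renamed `onClose()` in this second hunk of WebSocketClientFactory carries no `@Override`, and the same holds for the `onClose()` renames in WebSocketConnectionD00, D06, D08 and D13, although `onIdleExpired()` in D06, D08 and D13 is annotated. The endpoint invokes this callback through `getConnection()`, so an implementation that missed the rename would presumably still compile if a base class supplies a default, and its close handling (here the `handshakeFailed` notification) would silently stop running. I would add `@Override` above `public void onClose()` in each of these classes, provided the project's source level allows it for the declaring type, so the compiler catches a signature mismatch. The body of `onClose()` continues outside the hunk.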
diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java
index 8a38a49c73..d0607bd26d 100644
--- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java
+++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java
@@ -239,7 +239,7 @@ public class WebSocketConnectionD00 extends AbstractConnection implements WebSoc
}
/* ------------------------------------------------------------ */
- public void closed()
+ public void onClose()
{
_websocket.onClose(WebSocketConnectionD06.CLOSE_NORMAL,"");
}
diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java
index e72732883a..7b0e583c1e 100644
--- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java
+++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java
@@ -227,7 +227,7 @@ public class WebSocketConnectionD06 extends AbstractConnection implements WebSoc
/* ------------------------------------------------------------ */
@Override
- public void idleExpired()
+ public void onIdleExpired()
{
closeOut(WebSocketConnectionD06.CLOSE_NORMAL,"Idle");
}
@@ -239,7 +239,7 @@ public class WebSocketConnectionD06 extends AbstractConnection implements WebSoc
}
/* ------------------------------------------------------------ */
- public void closed()
+ public void onClose()
{
_webSocket.onClose(WebSocketConnectionD06.CLOSE_NORMAL,"");
}
diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD08.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD08.java
index 38bba045b2..18e2dbd708 100644
--- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD08.java
+++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD08.java
@@ -272,7 +272,7 @@ public class WebSocketConnectionD08 extends AbstractConnection implements WebSoc
/* ------------------------------------------------------------ */
@Override
- public void idleExpired()
+ public void onIdleExpired()
{
long idle = System.currentTimeMillis()-((SelectChannelEndPoint)_endp).getIdleTimestamp();
closeOut(WebSocketConnectionD08.CLOSE_NORMAL,"Idle for "+idle+"ms > "+_endp.getMaxIdleTime()+"ms");
@@ -285,7 +285,7 @@ public class WebSocketConnectionD08 extends AbstractConnection implements WebSoc
}
/* ------------------------------------------------------------ */
- public void closed()
+ public void onClose()
{
final boolean closed;
synchronized (this)
diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD13.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD13.java
index a937988ab4..74ef938efd 100644
--- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD13.java
+++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD13.java
@@ -297,7 +297,7 @@ public class WebSocketConnectionD13 extends AbstractConnection implements WebSoc
/* ------------------------------------------------------------ */
@Override
- public void idleExpired()
+ public void onIdleExpired()
{
long idle = System.currentTimeMillis()-((SelectChannelEndPoint)_endp).getIdleTimestamp();
closeOut(WebSocketConnectionD13.CLOSE_NORMAL,"Idle for "+idle+"ms > "+_endp.getMaxIdleTime()+"ms");
@@ -310,7 +310,7 @@ public class WebSocketConnectionD13 extends AbstractConnection implements WebSoc
}
/* ------------------------------------------------------------ */
- public void closed()
+ public void onClose()
{
final boolean closed;
synchronized (this)
diff --git a/tests/test-integration/src/test/java/org/eclipse/jetty/test/DigestPostTest.java b/tests/test-integration/src/test/java/org/eclipse/jetty/test/DigestPostTest.java
index 60a1569333..bb491353fc 100644
--- a/tests/test-integration/src/test/java/org/eclipse/jetty/test/DigestPostTest.java
+++ b/tests/test-integration/src/test/java/org/eclipse/jetty/test/DigestPostTest.java
@@ -16,8 +16,6 @@ import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.security.Realm;
import org.eclipse.jetty.client.security.SimpleRealmResolver;
import org.eclipse.jetty.http.HttpMethods;
-import org.eclipse.jetty.http.security.Constraint;
-import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.io.ByteArrayBuffer;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
@@ -33,6 +31,8 @@ import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.security.Password;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
