diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java index 0caec484893..f8aa4949802 100644 --- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java +++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java @@ -88,33 +88,13 @@ public class LikeJettyXml "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" }); + cf.setProtocol("TLSv1.1"); + cf.addExcludeProtocols(new String[]{"TLSv1","SSLv3"}); ssl_connector.setStatsOn(true); server.addConnector(ssl_connector); ssl_connector.open(); - SslSocketConnector ssls_connector = new SslSocketConnector(); - ssls_connector.setPort(8444); - cf = ssls_connector.getSslContextFactory(); - cf.setKeyStore(jetty_home + "/etc/keystore"); - cf.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"); - cf.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g"); - cf.setTrustStore(jetty_home + "/etc/keystore"); - cf.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"); - cf.setExcludeCipherSuites( - new String[] { - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_DSS_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" - }); - ssls_connector.setStatsOn(true); - server.addConnector(ssls_connector); - ssls_connector.open(); - Ajp13SocketConnector ajp = new Ajp13SocketConnector(); diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java index 99b4a07dfa1..31b27424dc9 100644 --- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java +++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java 
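Review bot: `cf.setProtocol("TLSv1.1")` changes the algorithm name passed to `SSLContext.getInstance(_sslProtocol)` rather than the enabled protocol list, so with SunJSSE the context is capped at TLS 1.1 and any newer version the runtime could offer is never negotiated. The `cf.addExcludeProtocols(new String[]{"TLSv1","SSLv3"})` call on the next line already removes the weak versions from the enabled set, which is the actual hardening; dropping the `setProtocol` call, or adding a comment explaining why the pin is wanted, avoids the cap. The enclosing method starts and ends outside the hunk.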
@@ -178,7 +178,7 @@ public class HttpClient extends HttpBuffers implements Attributes, Dumpable /* ------------------------------------------------------------ */ /** - * @return the threadPool + * @return the threadpool */ public ThreadPool getThreadPool() { diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java b/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java index c2274ef5eda..7a561727abe 100644 --- a/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java +++ b/jetty-client/src/main/java/org/eclipse/jetty/client/SelectConnector.java @@ -51,7 +51,6 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector private final HttpClient _httpClient; private final Manager _selectorManager=new Manager(); private final Map _connectingChannels = new ConcurrentHashMap(); - private SSLContext _sslContext; private Buffers _sslBuffers; /** @@ -211,19 +210,16 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector private synchronized SSLEngine newSslEngine(SocketChannel channel) throws IOException { SslContextFactory sslContextFactory = _httpClient.getSslContextFactory(); - if (_sslContext == null) - _sslContext = sslContextFactory.getSslContext(); - SSLEngine sslEngine; - if (channel != null && sslContextFactory.isSessionCachingEnabled()) + if (channel != null) { String peerHost = channel.socket().getInetAddress().getHostAddress(); int peerPort = channel.socket().getPort(); - sslEngine = _sslContext.createSSLEngine(peerHost, peerPort); + sslEngine = sslContextFactory.newSslEngine(peerHost, peerPort); } else { - sslEngine = _sslContext.createSSLEngine(); + sslEngine = sslContextFactory.newSslEngine(); } sslEngine.setUseClientMode(true); sslEngine.beginHandshake(); 
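Review bot: `newSslEngine` in SelectConnector is still declared `synchronized`, but the only shared state it guarded, `_sslContext`, is removed by the earlier hunk of this file, so the lock now serializes every SSL connection setup for no benefit; `private SSLEngine newSslEngine(SocketChannel channel) throws IOException` is enough unless `SslContextFactory.newSslEngine` is known not to be thread-safe. Separately, `peerHost` is built from `getInetAddress().getHostAddress()`, i.e. the IP literal rather than the destination host name, so the session-cache key (and any host name verification added later) only ever sees the address; a comment stating that this is intended would help. The same pattern is in the `createSSLEngine` hunk of SslSelectChannelConnector at the end of the page.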
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/SocketConnector.java b/jetty-client/src/main/java/org/eclipse/jetty/client/SocketConnector.java index 309abe87881..031c0cb5bb3 100644 --- a/jetty-client/src/main/java/org/eclipse/jetty/client/SocketConnector.java +++ b/jetty-client/src/main/java/org/eclipse/jetty/client/SocketConnector.java @@ -45,18 +45,9 @@ class SocketConnector extends AbstractLifeCycle implements HttpClient.Connector public void startConnection(final HttpDestination destination) throws IOException { - Socket socket=null; - - if ( destination.isSecure() ) - { - SSLContext sslContext = _httpClient.getSSLContext(); - socket = sslContext.getSocketFactory().createSocket(); - } - else - { - LOG.debug("Using Regular Socket"); - socket = SocketFactory.getDefault().createSocket(); - } + Socket socket= destination.isSecure() + ?_httpClient.getSslContextFactory().newSslSocket() + :SocketFactory.getDefault().createSocket(); socket.setSoTimeout(0); socket.setTcpNoDelay(true); diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/GenericServerHandler.java b/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/GenericServerHandler.java index 71cd3cd1e1d..82dbdb35c47 100644 --- a/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/GenericServerHandler.java +++ b/jetty-client/src/test/java/org/eclipse/jetty/client/helperClasses/GenericServerHandler.java @@ -68,7 +68,7 @@ public class GenericServerHandler extends AbstractHandler } catch (InterruptedException e) { - LOG.warn(e); + LOG.debug(e); } catch (IOException e) { diff --git a/jetty-deploy/src/main/config/etc/jetty-deploy.xml b/jetty-deploy/src/main/config/etc/jetty-deploy.xml index ebbec509329..dd25f7ff34c 100644 --- a/jetty-deploy/src/main/config/etc/jetty-deploy.xml +++ b/jetty-deploy/src/main/config/etc/jetty-deploy.xml 
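Review bot: The new ternary in `startConnection` drops the space after `?` and `:` (`?_httpClient` / `:SocketFactory`), which the surrounding code does not do; `? _httpClient.getSslContextFactory().newSslSocket()` and `: SocketFactory.getDefault().createSocket()` read better. The `LOG.debug("Using Regular Socket")` trace is removed with no replacement, so whether a plain or an SSL socket was chosen is no longer observable at debug level; a single `LOG.debug("secure={}", destination.isSecure());` before the ternary keeps that. The rest of `startConnection` continues outside the hunk.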
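Review bot: Lowering `LOG.warn(e)` to `LOG.debug(e)` for the `InterruptedException` in GenericServerHandler still leaves the thread's interrupt status cleared, so a caller that relies on it (a test harness shutting the handler down, for instance) never sees the interruption; `Thread.currentThread().interrupt();` next to the log line preserves it. The enclosing try block starts outside the hunk.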
@@ -22,7 +22,7 @@ org.eclipse.jetty.server.webapp.ContainerIncludeJarPattern - .*/jsp-api-[^/]*\.jar$|.*/jsp-[^/]*\.jar$ + .*/.*jsp-api-[^/]*\.jar$|.*/.*jsp-[^/]*\.jar$|.*/.*taglibs[^/]*\.jar$ diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java b/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java index 52cecaaad1b..90227c88073 100644 --- a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java +++ b/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java @@ -21,6 +21,7 @@ import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; import java.io.InputStream; +import java.net.InetAddress; import java.security.InvalidParameterException; import java.security.KeyStore; import java.security.SecureRandom; @@ -42,7 +43,10 @@ import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLSessionContext; +import javax.net.ssl.SSLServerSocket; +import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509KeyManager; @@ -51,6 +55,8 @@ import javax.net.ssl.X509TrustManager; import org.eclipse.jetty.http.security.Password; import org.eclipse.jetty.util.IO; import org.eclipse.jetty.util.component.AbstractLifeCycle; +import org.eclipse.jetty.util.log.Log; +import org.eclipse.jetty.util.log.Logger; import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.security.CertificateUtils; import org.eclipse.jetty.util.security.CertificateValidator; 
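Review bot: In the new `ContainerIncludeJarPattern` the first alternative `.*/.*jsp-api-[^/]*\.jar$` is redundant, because `.*/.*jsp-[^/]*\.jar$` already matches any `jsp-api-*.jar`. The added `.*/.*` prefixes also turn each alternative from a file-name-prefix match into a substring match, so a jar such as `my-jsp-utils.jar` is now scanned for TLDs as well; presumably this is wanted for group-prefixed names like the taglibs jars, but a comment in the XML saying so would stop the next reader from "fixing" it back to `.*/jsp-[^/]*\.jar$|.*/taglibs[^/]*\.jar$`.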
@@ -65,6 +71,8 @@ import org.eclipse.jetty.util.security.CertificateValidator; */ public class SslContextFactory extends AbstractLifeCycle { + private static final Logger LOG = Log.getLogger(SslContextFactory.class); + public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm")); @@ -82,8 +90,14 @@ public class SslContextFactory extends AbstractLifeCycle /** String name of keystore password property. */ public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password"; + /** Excluded protocols. */ + private final Set _excludeProtocols = new HashSet(); + // private final Set _excludeProtocols = new HashSet(Collections.singleton("SSLv2Hello")); + /** Included protocols. */ + private Set _includeProtocols = null; + /** Excluded cipher suites. */ - private Set _excludeCipherSuites = null; + private final Set _excludeCipherSuites = new HashSet(); /** Included cipher suites. */ private Set _includeCipherSuites = null; @@ -196,6 +210,7 @@ public class SslContextFactory extends AbstractLifeCycle if (_keyStoreInputStream == null && _keyStorePath == null && _trustStoreInputStream == null && _trustStorePath == null ) { + LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); // Create a trust manager that does not validate certificate chains TrustManager trustAllCerts = new X509TrustManager() { 
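Review bot: The commented-out line `// private final Set _excludeProtocols = new HashSet(Collections.singleton("SSLv2Hello"));` is dead code sitting next to the live declaration; either an SSLv2Hello exclusion is a default worth having (then make it the initializer and document it on the field) or the line should be deleted. The new `_excludeProtocols` and `_includeProtocols` fields also use raw `Set` like their cipher-suite neighbours even though `setExcludeProtocols(String...)` and `setIncludeProtocols(String...)` only ever put `String`s in them; `Set<String>` would state that.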
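Review bot: The new `LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!")` is emitted at debug level, so the one situation in which the factory installs a trust manager that accepts every peer certificate is invisible in a normally configured log. `LOG.warn(...)` matches the severity the message itself conveys and is the level an operator will actually see. The enclosing `doStart` branch continues outside the hunk.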
@@ -218,11 +233,115 @@ public class SslContextFactory extends AbstractLifeCycle } else { - createSSLContext(); + // verify that keystore and truststore + // parameters are set up correctly + try + { + checkKeyStore(); + } + catch(IllegalStateException e) + { + LOG.ignore(e); + } + + KeyStore keyStore = loadKeyStore(); + KeyStore trustStore = loadTrustStore(); + + Collection crls = loadCRL(_crlPath); + + if (_validateCerts && keyStore != null) + { + if (_certAlias == null) + { + List aliases = Collections.list(keyStore.aliases()); + _certAlias = aliases.size() == 1 ? aliases.get(0) : null; + } + + Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias); + if (cert == null) + { + throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias)); + } + + CertificateValidator validator = new CertificateValidator(trustStore, crls); + validator.setMaxCertPathLength(_maxCertPathLength); + validator.setEnableCRLDP(_enableCRLDP); + validator.setEnableOCSP(_enableOCSP); + validator.setOcspResponderURL(_ocspResponderURL); + validator.validate(keyStore, cert); + } + + KeyManager[] keyManagers = getKeyManagers(keyStore); + TrustManager[] trustManagers = getTrustManagers(trustStore,crls); + + SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); + _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider); + _context.init(keyManagers,trustManagers,secureRandom); + + SSLEngine engine=newSslEngine(); + LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols())); + LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites())); } } } + /* ------------------------------------------------------------ */ + /** + * @return The array of protocol names to 
exclude from + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public String[] getExcludeProtocols() + { + return _excludeProtocols.toArray(new String[_excludeProtocols.size()]); + } + + /* ------------------------------------------------------------ */ + /** + * @param Protocols + * The array of protocol names to exclude from + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public void setExcludeProtocols(String... protocols) + { + checkNotStarted(); + + _excludeProtocols.clear(); + _excludeProtocols.addAll(Arrays.asList(protocols)); + } + + /* ------------------------------------------------------------ */ + /** + * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])} + */ + public void addExcludeProtocols(String... protocol) + { + checkNotStarted(); + _excludeProtocols.addAll(Arrays.asList(protocol)); + } + + /* ------------------------------------------------------------ */ + /** + * @return The array of protocol names to include in + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public String[] getIncludeProtocols() + { + return _includeProtocols.toArray(new String[_includeProtocols.size()]); + } + + /* ------------------------------------------------------------ */ + /** + * @param Protocols + * The array of protocol names to include in + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public void setIncludeProtocols(String... protocols) + { + checkNotStarted(); + + _includeProtocols = new HashSet(Arrays.asList(protocols)); + } + /* ------------------------------------------------------------ */ /** * @return The array of cipher suite names to exclude from 
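Review bot: `getIncludeProtocols()` dereferences `_includeProtocols`, which is initialised to `null` and only assigned by `setIncludeProtocols`, so the getter throws `NullPointerException` until an include list has been configured; `return _includeProtocols == null ? null : _includeProtocols.toArray(new String[_includeProtocols.size()]);` (or an empty array) is needed. The code inlined into `doStart` does not carry over the session-context configuration that the removed `createSSLContext` performed — `setSessionCacheSize(_sslSessionCacheSize)` and `setSessionTimeout(_sslSessionTimeout)` on `_context.getServerSessionContext()` — so those two setters now have no effect; see the deletion hunk `@@ -807,60 +938,11 @@` further down. The `catch(IllegalStateException e) { LOG.ignore(e); }` around `checkKeyStore()` reads as a swallowed configuration error and deserves a comment saying why it is tolerated (presumably so a trust-store-only client configuration can start). The Javadoc tags `@param Protocols` on both setters do not match the parameter name `protocols`, and the `addExcludeProtocols` doc says the names are added to `setEnabledProtocols` when they are in fact removed from it.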
@@ -239,11 +358,21 @@ public class SslContextFactory extends AbstractLifeCycle * The array of cipher suite names to exclude from * {@link SSLEngine#setEnabledCipherSuites(String[])} */ - public void setExcludeCipherSuites(String[] cipherSuites) + public void setExcludeCipherSuites(String... cipherSuites) { - checkStarted(); - - _excludeCipherSuites = new HashSet(Arrays.asList(cipherSuites)); + checkNotStarted(); + _excludeCipherSuites.clear(); + _excludeCipherSuites.addAll(Arrays.asList(cipherSuites)); + } + + /* ------------------------------------------------------------ */ + /** + * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])} + */ + public void addExcludeCipherSuites(String... cipher) + { + checkNotStarted(); + _excludeCipherSuites.addAll(Arrays.asList(cipher)); } /* ------------------------------------------------------------ */ @@ -262,9 +391,9 @@ public class SslContextFactory extends AbstractLifeCycle * The array of cipher suite names to include in * {@link SSLEngine#setEnabledCipherSuites(String[])} */ - public void setIncludeCipherSuites(String[] cipherSuites) + public void setIncludeCipherSuites(String... cipherSuites) { - checkStarted(); + checkNotStarted(); _includeCipherSuites = new HashSet(Arrays.asList(cipherSuites)); } @@ -285,7 +414,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyStore(String keyStorePath) { - checkStarted(); + checkNotStarted(); _keyStorePath = keyStorePath; } @@ -306,7 +435,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyStoreProvider(String keyStoreProvider) { - checkStarted(); + checkNotStarted(); _keyStoreProvider = keyStoreProvider; } @@ -327,7 +456,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyStoreType(String keyStoreType) { - checkStarted(); + checkNotStarted(); _keyStoreType = keyStoreType; } 
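Review bot: The Javadoc on `addExcludeCipherSuites` says `Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}`, but the method adds to the exclusion set, i.e. removes those suites from what `selectCipherSuites` enables; `@param cipher Cipher suite names to add to the exclusion list applied before {@link SSLEngine#setEnabledCipherSuites(String[])}` states the real contract. The parameter would also read better as `cipherSuites`, matching `setExcludeCipherSuites` just above it.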
@@ -341,7 +470,7 @@ public class SslContextFactory extends AbstractLifeCycle @Deprecated public InputStream getKeyStoreInputStream() { - checkConfig(); + checkKeyStore(); return _keyStoreInputStream; } @@ -355,7 +484,7 @@ public class SslContextFactory extends AbstractLifeCycle @Deprecated public void setKeyStoreInputStream(InputStream keyStoreInputStream) { - checkStarted(); + checkNotStarted(); _keyStoreInputStream = keyStoreInputStream; } @@ -376,7 +505,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setCertAlias(String certAlias) { - checkStarted(); + checkNotStarted(); _certAlias = certAlias; } @@ -397,7 +526,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustStore(String trustStorePath) { - checkStarted(); + checkNotStarted(); _trustStorePath = trustStorePath; } @@ -418,7 +547,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustStoreProvider(String trustStoreProvider) { - checkStarted(); + checkNotStarted(); _trustStoreProvider = trustStoreProvider; } @@ -439,7 +568,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustStoreType(String trustStoreType) { - checkStarted(); + checkNotStarted(); _trustStoreType = trustStoreType; } @@ -453,7 +582,7 @@ public class SslContextFactory extends AbstractLifeCycle @Deprecated public InputStream getTrustStoreInputStream() { - checkConfig(); + checkKeyStore(); return _trustStoreInputStream; } @@ -467,7 +596,7 @@ public class SslContextFactory extends AbstractLifeCycle @Deprecated public void setTrustStoreInputStream(InputStream trustStoreInputStream) { - checkStarted(); + checkNotStarted(); _trustStoreInputStream = trustStoreInputStream; } @@ -490,7 +619,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setNeedClientAuth(boolean needClientAuth) { - checkStarted(); + checkNotStarted(); _needClientAuth = needClientAuth; } 
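Review bot: `getKeyStoreInputStream()` now calls `checkKeyStore()`, which throws `IllegalStateException` when no keystore is configured and copies the keystore settings into the trust-store fields as a side effect, whereas the `checkConfig()` it replaces only returned `false`; a deprecated getter that can throw and mutate configuration should say so, e.g. `@throws IllegalStateException if no keystore is configured`. The same applies to `getTrustStoreInputStream` in the `@@ -453,7 +582,7 @@` hunk.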
@@ -513,7 +642,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setWantClientAuth(boolean wantClientAuth) { - checkStarted(); + checkNotStarted(); _wantClientAuth = wantClientAuth; } @@ -545,7 +674,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setValidateCerts(boolean validateCerts) { - checkStarted(); + checkNotStarted(); _validateCerts = validateCerts; } @@ -566,7 +695,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setValidatePeerCerts(boolean validatePeerCerts) { - checkStarted(); + checkNotStarted(); _validatePeerCerts = validatePeerCerts; } @@ -593,7 +722,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setAllowRenegotiate(boolean allowRenegotiate) { - checkStarted(); + checkNotStarted(); _allowRenegotiate = allowRenegotiate; } @@ -605,7 +734,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyStorePassword(String password) { - checkStarted(); + checkNotStarted(); _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); } @@ -617,7 +746,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyManagerPassword(String password) { - checkStarted(); + checkNotStarted(); _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null); } @@ -629,7 +758,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustStorePassword(String password) { - checkStarted(); + checkNotStarted(); _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); } @@ -652,7 +781,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setProvider(String provider) { - checkStarted(); + checkNotStarted(); _sslProvider = provider; } @@ -675,7 +804,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setProtocol(String protocol) { - checkStarted(); + checkNotStarted(); _sslProtocol = protocol; } 
@@ -700,7 +829,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setSecureRandomAlgorithm(String algorithm) { - checkStarted(); + checkNotStarted(); _secureRandomAlgorithm = algorithm; } @@ -721,7 +850,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setSslKeyManagerFactoryAlgorithm(String algorithm) { - checkStarted(); + checkNotStarted(); _keyManagerFactoryAlgorithm = algorithm; } @@ -742,7 +871,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustManagerFactoryAlgorithm(String algorithm) { - checkStarted(); + checkNotStarted(); _trustManagerFactoryAlgorithm = algorithm; } @@ -763,7 +892,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setCrlPath(String crlPath) { - checkStarted(); + checkNotStarted(); _crlPath = crlPath; } @@ -786,7 +915,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setMaxCertPathLength(int maxCertPathLength) { - checkStarted(); + checkNotStarted(); _maxCertPathLength = maxCertPathLength; } @@ -797,6 +926,8 @@ public class SslContextFactory extends AbstractLifeCycle */ public SSLContext getSslContext() { + if (!isStarted()) + throw new IllegalStateException(getState()); return _context; } 
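Review bot: The new guard in `getSslContext()` throws `IllegalStateException(getState())`, so the message is just the lifecycle state string with no hint of which component failed or why; `throw new IllegalStateException("SslContextFactory not started: " + getState());` makes the failure self-explanatory. The Javadoc above the method (outside the hunk) should gain a matching `@throws IllegalStateException if the factory has not been started`.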
@@ -807,60 +938,11 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setSslContext(SSLContext sslContext) { - checkStarted(); + checkNotStarted(); _context = sslContext; } - /* ------------------------------------------------------------ */ - /** - * @throws Exception - */ - protected void createSSLContext() throws Exception - { - // verify that keystore and truststore - // parameters are set up correctly - checkConfig(); - - KeyStore keyStore = loadKeyStore(); - KeyStore trustStore = loadTrustStore(); - - Collection crls = loadCRL(_crlPath); - - if (_validateCerts && keyStore != null) - { - if (_certAlias == null) - { - List aliases = Collections.list(keyStore.aliases()); - _certAlias = aliases.size() == 1 ? aliases.get(0) : null; - } - - Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias); - if (cert == null) - { - throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias)); - } - - CertificateValidator validator = new CertificateValidator(trustStore, crls); - validator.setMaxCertPathLength(_maxCertPathLength); - validator.setEnableCRLDP(_enableCRLDP); - validator.setEnableOCSP(_enableOCSP); - validator.setOcspResponderURL(_ocspResponderURL); - validator.validate(keyStore, cert); - } - - KeyManager[] keyManagers = getKeyManagers(keyStore); - TrustManager[] trustManagers = getTrustManagers(trustStore,crls); - - SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); - _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider); - _context.init(keyManagers,trustManagers,secureRandom); - - SSLSessionContext sslSessionContext = _context.getServerSessionContext(); - sslSessionContext.setSessionCacheSize(_sslSessionCacheSize); - sslSessionContext.setSessionTimeout(_sslSessionTimeout); - } - /* 
------------------------------------------------------------ */ /** * Override this method to provide alternate way to load a keystore. 
@@ -1014,33 +1096,27 @@ public class SslContextFactory extends AbstractLifeCycle /* ------------------------------------------------------------ */ /** - * Check configuration. Ensures that if keystore has been + * Check KetyStore Configuration. Ensures that if keystore has been * configured but there's no truststore, that keystore is * used as truststore. - * @return true SslContextFactory configuration can be used in server connector. + * @throws IllegalStateException if SslContextFactory configuration can't be used. */ - public boolean checkConfig() + public void checkKeyStore() { - boolean check = true; if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null) + throw new IllegalStateException("SSL doesn't have a valid keystore"); + + // if the keystore has been configured but there is no + // truststore configured, use the keystore as the truststore + if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null) { - // configuration doesn't have a valid keystore - check = false; - } - else - { - // if the keystore has been configured but there is no - // truststore configured, use the keystore as the truststore - if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null) - { - _trustStore = _keyStore; - _trustStorePath = _keyStorePath; - _trustStoreInputStream = _keyStoreInputStream; - _trustStoreType = _keyStoreType; - _trustStoreProvider = _keyStoreProvider; - _trustStorePassword = _keyStorePassword; - _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm; - } + _trustStore = _keyStore; + _trustStorePath = _keyStorePath; + _trustStoreInputStream = _keyStoreInputStream; + _trustStoreType = _keyStoreType; + _trustStoreProvider = _keyStoreProvider; + _trustStorePassword = _keyStorePassword; + _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm; } // It's the same stream we cannot read it twice, so read it once in memory 
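Review bot: The rewritten Javadoc reads `Check KetyStore Configuration`; `Check keystore configuration` fixes the typo. Because `checkKeyStore()` is public, now throws instead of returning a flag, and still rewrites the trust-store fields from the keystore settings, the doc should name that side effect as well, e.g. `Also configures the keystore as the trust store when no trust store has been set.` Presumably the method is meant to be safe to call more than once (it is reached from `doStart` and from the deprecated getters); a sentence confirming that would help the next maintainer.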
@@ -1057,11 +1133,9 @@ public class SslContextFactory extends AbstractLifeCycle } catch (Exception ex) { - throw new RuntimeException(ex); + throw new IllegalStateException(ex); } } - - return check; } /* ------------------------------------------------------------ */ 
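Review bot: `throw new IllegalStateException(ex)` wraps the failure with no message of its own, so the caller sees only the cause's text and cannot tell which step of `checkKeyStore` failed; `throw new IllegalStateException("Unable to read keystore stream", ex);` names the step (presumably the in-memory copy of the shared stream described by the comment above) while keeping the cause. The `catch (Exception ex)` it sits in starts outside the hunk.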
@@ -1073,57 +1147,68 @@ public class SslContextFactory extends AbstractLifeCycle * @param supportedCipherSuites Array of supported cipher suites * @return Array of cipher suites to enable */ - public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) + public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols) { - Set selectedCipherSuites = null; - if (enabledCipherSuites != null) + Set selected_protocols = new HashSet(); + + // Set the starting protocols - either from the included or enabled list + if (_includeProtocols!=null) { - selectedCipherSuites = new HashSet(Arrays.asList(enabledCipherSuites)); + // Use only the supported included protocols + for (String protocol : supportedProtocols) + if (_includeProtocols.contains(protocol)) + selected_protocols.add(protocol); } else + selected_protocols.addAll(Arrays.asList(enabledProtocols)); + + + // Remove any excluded protocols + if (_excludeProtocols != null) + selected_protocols.removeAll(_excludeProtocols); + + return selected_protocols.toArray(new String[selected_protocols.size()]); + } + + /* ------------------------------------------------------------ */ + /** + * Select cipher suites to be used by the connector + * based on configured inclusion and exclusion lists + * as well as enabled and supported cipher suite lists. 
+ * @param enabledCipherSuites Array of enabled cipher suites + * @param supportedCipherSuites Array of supported cipher suites + * @return Array of cipher suites to enable + */ + public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) + { + Set selected_ciphers = new HashSet(); + + // Set the starting ciphers - either from the included or enabled list + if (_includeCipherSuites!=null) { - selectedCipherSuites = new HashSet(); + // Use only the supported included ciphers + for (String cipherSuite : supportedCipherSuites) + if (_includeCipherSuites.contains(cipherSuite)) + selected_ciphers.add(cipherSuite); } - - if ((supportedCipherSuites != null && supportedCipherSuites.length > 0) && - (_includeCipherSuites != null && _includeCipherSuites.size() > 0)) - { - Set supportedCSList = new HashSet(Arrays.asList(supportedCipherSuites)); - - for (String cipherName : _includeCipherSuites) - { - if ((!selectedCipherSuites.contains(cipherName)) && - supportedCSList.contains(cipherName)) - { - selectedCipherSuites.add(cipherName); - } - } - } - - if (_excludeCipherSuites != null && _excludeCipherSuites.size() > 0) - { - for (String cipherName : _excludeCipherSuites) - { - if (selectedCipherSuites.contains(cipherName)) - { - selectedCipherSuites.remove(cipherName); - } - } - } - - return selectedCipherSuites.toArray(new String[selectedCipherSuites.size()]); + else + selected_ciphers.addAll(Arrays.asList(enabledCipherSuites)); + + + // Remove any excluded ciphers + if (_excludeCipherSuites != null) + selected_ciphers.removeAll(_excludeCipherSuites); + return selected_ciphers.toArray(new String[selected_ciphers.size()]); } /* ------------------------------------------------------------ */ /** * Check if the lifecycle has been started and throw runtime exception */ - protected void checkStarted() + protected void checkNotStarted() { if (isStarted()) - { - throw new IllegalStateException("Cannot modify configuration after SslContextFactory 
was started"); - } + throw new IllegalStateException("Cannot modify configuration when "+getState()); } /* ------------------------------------------------------------ */ @@ -1141,7 +1226,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setEnableCRLDP(boolean enableCRLDP) { - checkStarted(); + checkNotStarted(); _enableCRLDP = enableCRLDP; } @@ -1161,7 +1246,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setEnableOCSP(boolean enableOCSP) { - checkStarted(); + checkNotStarted(); _enableOCSP = enableOCSP; } @@ -1181,7 +1266,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setOcspResponderURL(String ocspResponderURL) { - checkStarted(); + checkNotStarted(); _ocspResponderURL = ocspResponderURL; } @@ -1192,7 +1277,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyStore(KeyStore keyStore) { - checkStarted(); + checkNotStarted(); _keyStore = keyStore; } @@ -1203,7 +1288,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustStore(KeyStore trustStore) { - checkStarted(); + checkNotStarted(); _trustStore = trustStore; } @@ -1214,7 +1299,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setKeyStoreResource(Resource resource) { - checkStarted(); + checkNotStarted(); try { @@ -1233,7 +1318,7 @@ public class SslContextFactory extends AbstractLifeCycle */ public void setTrustStore(Resource resource) { - checkStarted(); + checkNotStarted(); try { 
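Review bot: The Javadoc immediately above `selectProtocols` is the untouched cipher-suite text (`@param enabledCipherSuites`, `@param supportedCipherSuites`, `@return Array of cipher suites to enable`) because only the signature line was renamed, so the new method is documented with the wrong parameter names; it needs `@param enabledProtocols Array of enabled protocols`, `@param supportedProtocols Array of supported protocols` and `@return Array of protocols to enable`. When an include list is configured but none of its entries is supported, both methods return an empty array and the following `setEnabledProtocols`/`setEnabledCipherSuites` leaves the connection unable to handshake; a `LOG.warn` at that point would make the misconfiguration visible instead of surfacing as handshake failures. The `_excludeProtocols != null` test is always true since the field is `final` and initialised, and `selected_protocols`/`selected_ciphers` break the file's camelCase convention.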
@@ -1299,4 +1384,83 @@ public class SslContextFactory extends AbstractLifeCycle { _sslSessionTimeout = sslSessionTimeout; } + + + /* ------------------------------------------------------------ */ + public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException + { + SSLServerSocketFactory factory = _context.getServerSocketFactory(); + + SSLServerSocket socket = + (SSLServerSocket) (host==null ? + factory.createServerSocket(port,backlog): + factory.createServerSocket(port,backlog,InetAddress.getByName(host))); + + if (getWantClientAuth()) + socket.setWantClientAuth(getWantClientAuth()); + if (getNeedClientAuth()) + socket.setNeedClientAuth(getNeedClientAuth()); + + socket.setEnabledCipherSuites(selectCipherSuites( + socket.getEnabledCipherSuites(), + socket.getSupportedCipherSuites())); + socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); + + return socket; + } + + /* ------------------------------------------------------------ */ + public SSLSocket newSslSocket() throws IOException + { + SSLSocketFactory factory = _context.getSocketFactory(); + + SSLSocket socket = (SSLSocket)factory.createSocket(); + + if (getWantClientAuth()) + socket.setWantClientAuth(getWantClientAuth()); + if (getNeedClientAuth()) + socket.setNeedClientAuth(getNeedClientAuth()); + + socket.setEnabledCipherSuites(selectCipherSuites( + socket.getEnabledCipherSuites(), + socket.getSupportedCipherSuites())); + socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); + + return socket; + } + + /* ------------------------------------------------------------ */ + public SSLEngine newSslEngine(String host,int port) + { + SSLEngine sslEngine=isSessionCachingEnabled() + ?_context.createSSLEngine(host, port) + :_context.createSSLEngine(); + + customize(sslEngine); + return sslEngine; + } + + /* ------------------------------------------------------------ */ + public 
SSLEngine newSslEngine() + { + SSLEngine sslEngine=_context.createSSLEngine(); + customize(sslEngine); + return sslEngine; + } + + /* ------------------------------------------------------------ */ + public void customize(SSLEngine sslEngine) + { + if (getWantClientAuth()) + sslEngine.setWantClientAuth(getWantClientAuth()); + if (getNeedClientAuth()) + sslEngine.setNeedClientAuth(getNeedClientAuth()); + + sslEngine.setEnabledCipherSuites(selectCipherSuites( + sslEngine.getEnabledCipherSuites(), + sslEngine.getSupportedCipherSuites())); + + sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols())); + } + } diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java index d682584c096..5a8ed7842b6 100644 --- a/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java +++ b/jetty-io/src/main/java/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java @@ -251,7 +251,7 @@ public class SelectChannelEndPoint extends ChannelEndPoint implements AsyncEndPo public void checkIdleTimestamp(long now) { long idleTimestamp=_idleTimestamp; - if (!getChannel().isOpen() || idleTimestamp!=0 && _maxIdleTime!=0 && now>(idleTimestamp+_maxIdleTime)) + if (!getChannel().isOpen() || idleTimestamp!=0 && _maxIdleTime>0 && now>(idleTimestamp+_maxIdleTime)) idleExpired(); } diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConnection.java b/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConnection.java index 8ee1938d1c6..26d2fb6071b 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConnection.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConnection.java 
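Review bot: `newSslServerSocket`, `newSslSocket`, `newSslEngine(String,int)` and `newSslEngine()` all dereference `_context` directly, so a caller that has not started the factory gets a `NullPointerException` instead of the `IllegalStateException` that `getSslContext()` now raises. Because `doStart` calls `newSslEngine()` before the factory reaches the started state, the guard must test the field rather than `isStarted()`: `if (_context == null) throw new IllegalStateException("SslContextFactory has no SSLContext: " + getState());` at the top of each method (or in `customize`, with the two socket methods checking before `_context.get*SocketFactory()`). None of the five new public methods has Javadoc; each needs a one-line summary, `@return`, and `@throws IOException` where declared. In `newSslSocket()` the `setWantClientAuth`/`setNeedClientAuth` calls are applied to a client-side socket, where the JSSE Javadoc says they are only meaningful in server mode; a comment or dropping them would stop the reader wondering.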
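Review bot: Changing `_maxIdleTime!=0` to `_maxIdleTime>0` in `checkIdleTimestamp` gives a negative `_maxIdleTime` a new meaning (never expire) without recording it; `// maxIdleTime<=0 disables idle expiry` on the condition would do so. The same convention is assumed by `HttpConnection.getMaxIdleTime` in the next file, where `_endp.getMaxIdleTime()>0` is tested, so the comment is worth having in both places.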
@@ -674,10 +674,10 @@ public abstract class HttpConnection extends AbstractConnection /* ------------------------------------------------------------ */ public int getMaxIdleTime() { + if (_connector.isLowResources() && _endp.getMaxIdleTime()==_connector.getMaxIdleTime()) + return _connector.getLowResourceMaxIdleTime(); if (_endp.getMaxIdleTime()>0) return _endp.getMaxIdleTime(); - if (_connector.isLowResources()) - return _connector.getLowResourceMaxIdleTime(); return _connector.getMaxIdleTime(); } diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java index d60f82dea6b..8bfe80a4f8a 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java @@ -16,6 +16,8 @@ package org.eclipse.jetty.server.ssl; import java.io.IOException; import java.nio.channels.SelectionKey; import java.nio.channels.SocketChannel; +import java.util.Arrays; + import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLSession; @@ -36,7 +38,6 @@ import org.eclipse.jetty.io.nio.SslSelectChannelEndPoint; import org.eclipse.jetty.server.HttpConnection; import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.nio.SelectChannelConnector; -import org.eclipse.jetty.util.log.Log; /* ------------------------------------------------------------ */ /** @@ -97,7 +98,9 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements SslSelectChannelEndPoint sslHttpChannelEndpoint=(SslSelectChannelEndPoint)endpoint; SSLEngine sslEngine=sslHttpChannelEndpoint.getSSLEngine(); SSLSession sslSession=sslEngine.getSession(); - + + System.err.println(sslSession.getProtocol()); + SslCertificates.customize(sslSession,endpoint,request); } 
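Review bot: The new first branch of `getMaxIdleTime` uses `_endp.getMaxIdleTime()==_connector.getMaxIdleTime()` as a proxy for "the endpoint still has the connector's default idle time", and it cannot tell that apart from an endpoint deliberately set to the same value, which will then also be shortened to `getLowResourceMaxIdleTime()` under low resources. A comment on the condition, `// endpoint still on the connector default: use the low-resource idle time while resources are low`, would make the heuristic explicit; if the two cases must differ, the endpoint would need an explicit override flag rather than a value comparison. Note also that an endpoint idle time of 0 with a connector idle time of 0 satisfies the equality, so the low-resource value is returned even though the endpoint reports no timeout; confirm that is desired.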
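Review bot: `System.err.println(sslSession.getProtocol());` runs on every request and writes the negotiated protocol straight to stderr, bypassing the logging configuration; it looks like leftover debugging and should be removed before merge, or at most demoted to a guarded debug log. The same file's import hunk above removes `import org.eclipse.jetty.util.log.Log;`, so if a logger is wanted here one must be reintroduced rather than relying on `System.err`. That import hunk also adds `import java.util.Arrays;`, which no line in this file's shown hunks uses; confirm another hunk needs it or drop it. The enclosing method starts before the hunk.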
@@ -565,33 +568,19 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements protected SSLEngine createSSLEngine(SocketChannel channel) throws IOException { SSLEngine engine; - if (channel != null && _sslContextFactory.isSessionCachingEnabled()) + if (channel != null) { String peerHost = channel.socket().getInetAddress().getHostAddress(); int peerPort = channel.socket().getPort(); - engine = _sslContextFactory.getSslContext().createSSLEngine(peerHost, peerPort); + engine = _sslContextFactory.newSslEngine(peerHost, peerPort); } else { - engine = _sslContextFactory.getSslContext().createSSLEngine(); + engine = _sslContextFactory.newSslEngine(); } - customizeEngine(engine); - return engine; - } - - /* ------------------------------------------------------------ */ - private void customizeEngine(SSLEngine engine) - { + engine.setUseClientMode(false); - - if (_sslContextFactory.getWantClientAuth()) - engine.setWantClientAuth(_sslContextFactory.getWantClientAuth()); - if (_sslContextFactory.getNeedClientAuth()) - engine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth()); - - engine.setEnabledCipherSuites( - _sslContextFactory.selectCipherSuites(engine.getEnabledCipherSuites(), - engine.getSupportedCipherSuites())); + return engine; } /* ------------------------------------------------------------ */ 
@@ -601,22 +590,13 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements @Override protected void doStart() throws Exception { - if (!_sslContextFactory.checkConfig()) - { - throw new IllegalStateException("SSL context is not configured correctly."); - } + _sslContextFactory.checkKeyStore(); _sslContextFactory.start(); - SSLEngine sslEngine = _sslContextFactory.getSslContext().createSSLEngine(); + SSLEngine sslEngine = _sslContextFactory.newSslEngine(); sslEngine.setUseClientMode(false); - sslEngine.setWantClientAuth(_sslContextFactory.getWantClientAuth()); - sslEngine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth()); - - sslEngine.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites( - sslEngine.getEnabledCipherSuites(), - sslEngine.getSupportedCipherSuites())); SSLSession sslSession = sslEngine.getSession(); diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java index 85c50bb4a94..be7c5dcf12a 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/ssl/SslSocketConnector.java @@ -335,11 +335,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector @Override public void open() throws IOException { - if (!_sslContextFactory.checkConfig()) - { - throw new IllegalStateException("SSL context is not configured correctly."); - } - + _sslContextFactory.checkKeyStore(); try { _sslContextFactory.start(); @@ -358,11 +354,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector @Override protected void doStart() throws Exception { - if (!_sslContextFactory.checkConfig()) - { - throw new IllegalStateException("SSL context is not configured correctly."); - } - + _sslContextFactory.checkKeyStore(); _sslContextFactory.start(); super.doStart(); 
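Review bot: The fail-fast `if (!_sslContextFactory.checkConfig()) throw new IllegalStateException("SSL context is not configured correctly.")` is replaced by a bare `_sslContextFactory.checkKeyStore();` here in `doStart()` and, in the `SslSocketConnector` hunks further down this line, in both `open()` and `doStart()`. `checkKeyStore()` is not shown in this diff; if it merely logs or returns a status, a missing or unreadable keystore no longer stops the connector from starting and will instead surface as handshake failures. If it does throw, a one-line comment at each call site, `// checkKeyStore() throws IllegalStateException when no keystore is configured`, would keep the fail-fast intent visible; if it does not, the guard should be kept around its result. `doStart()` continues past the end of the hunk.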
@@ -394,22 +386,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector @Override protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException { - SSLServerSocketFactory factory = _sslContextFactory.getSslContext().getServerSocketFactory(); - - SSLServerSocket socket = - (SSLServerSocket) (host==null ? - factory.createServerSocket(port,backlog): - factory.createServerSocket(port,backlog,InetAddress.getByName(host))); - - if (_sslContextFactory.getWantClientAuth()) - socket.setWantClientAuth(_sslContextFactory.getWantClientAuth()); - if (_sslContextFactory.getNeedClientAuth()) - socket.setNeedClientAuth(_sslContextFactory.getNeedClientAuth()); - - socket.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites( - socket.getEnabledCipherSuites(), - socket.getSupportedCipherSuites())); - return socket; + return _sslContextFactory.newSslServerSocket(host,port,backlog); } /* ------------------------------------------------------------ */ diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/HttpServerTestBase.java b/jetty-server/src/test/java/org/eclipse/jetty/server/HttpServerTestBase.java index 8b1c982db7f..2b510cd8504 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/HttpServerTestBase.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/HttpServerTestBase.java @@ -425,7 +425,7 @@ public abstract class HttpServerTestBase extends HttpServerTestFixture while(len>=0) { - Thread.sleep(500); + Thread.sleep(100); len=is.read(buf); if (len>0) total+=len; diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java index 0373a3f3e4f..432d51ea689 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java 
@@ -133,7 +133,7 @@ public class SSLEngineTest @Test public void testBigResponse() throws Exception { - SSLContext ctx=SSLContext.getInstance("SSLv3"); + SSLContext ctx=SSLContext.getInstance("TLS"); ctx.init(null,s_dummyTrustManagers,new java.security.SecureRandom()); int port=connector.getLocalPort(); @@ -367,4 +367,5 @@ public class SSLEngineTest response.flushBuffer(); } } + } diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java index 1acfa7d9e29..a568fe7ce70 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelServerTest.java @@ -60,14 +60,14 @@ public class SslSelectChannelServerTest extends HttpServerTestBase keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray()); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keystore); - __sslContext = SSLContext.getInstance("SSL"); + __sslContext = SSLContext.getInstance("TLS"); __sslContext.init(null, trustManagerFactory.getTrustManagers(), null); try { HttpsURLConnection.setDefaultHostnameVerifier(__hostnameverifier); - SSLContext sc = SSLContext.getInstance("SSL"); + SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, __trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java index c9da61e856d..f77757beb2d 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java 
@@ -15,8 +15,10 @@ package org.eclipse.jetty.server.ssl; import java.io.FileInputStream; import java.net.Socket; import java.security.KeyStore; +import java.util.Arrays; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManagerFactory; import org.eclipse.jetty.http.ssl.SslContextFactory; @@ -37,7 +39,9 @@ public class SslSocketServerTest extends HttpServerTestBase @Override protected Socket newSocket(String host, int port) throws Exception { - return __sslContext.getSocketFactory().createSocket(host,port); + SSLSocket socket = (SSLSocket)__sslContext.getSocketFactory().createSocket(host,port); + socket.setEnabledProtocols(new String[] {"TLSv1"}); + return socket; } @@ -59,7 +63,7 @@ public class SslSocketServerTest extends HttpServerTestBase keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray()); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keystore); - __sslContext = SSLContext.getInstance("SSL"); + __sslContext = SSLContext.getInstance("TLSv1"); __sslContext.init(null, trustManagerFactory.getTrustManagers(), null); diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java index edcaac7b785..d995f0e5c3a 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketTimeoutTest.java @@ -18,6 +18,7 @@ import java.net.Socket; import java.security.KeyStore; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManagerFactory; import org.eclipse.jetty.http.ssl.SslContextFactory; 
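Review bot: `newSocket` now pins the test client to exactly one protocol version with `socket.setEnabledProtocols(new String[] {"TLSv1"})` and `SSLContext.getInstance("TLSv1")`, so the test asserts that the server's `selectProtocols` result still includes TLSv1 rather than whatever the JVM would negotiate; a comment on the pin, `// client must stay within the protocols the server's selectProtocols() permits`, would explain the otherwise surprising failure once TLSv1 is excluded server-side. The same two lines are repeated in `SslSocketTimeoutTest.newSocket` and `HttpsSocketImpl.connect` below (the latter pins TLSv1 while its context asks for `"TLS"`), and `SSLEngineTest`/`SslSelectChannelServerTest` use `"TLS"` without a pin, so the test suite is inconsistent about which version it exercises. The added `import java.util.Arrays;` is used by no line in this file's shown hunks; confirm it is needed or remove it.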
@@ -26,12 +27,14 @@ import org.junit.BeforeClass; public class SslSocketTimeoutTest extends ConnectorTimeoutTest { - static SSLContext _sslContext; + static SSLContext __sslContext; @Override protected Socket newSocket(String host, int port) throws Exception { - return _sslContext.getSocketFactory().createSocket(host,port); + SSLSocket socket = (SSLSocket)__sslContext.getSocketFactory().createSocket(host,port); + socket.setEnabledProtocols(new String[] {"TLSv1"}); + return socket; } @BeforeClass @@ -53,8 +56,8 @@ public class SslSocketTimeoutTest extends ConnectorTimeoutTest keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray()); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keystore); - _sslContext = SSLContext.getInstance("SSL"); - _sslContext.init(null, trustManagerFactory.getTrustManagers(), null); + __sslContext = SSLContext.getInstance("TLSv1"); + __sslContext.init(null, trustManagerFactory.getTrustManagers(), null); } diff --git a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/TagLibConfiguration.java b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/TagLibConfiguration.java index f5f14b8e4d7..863c85c9113 100644 --- a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/TagLibConfiguration.java +++ b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/TagLibConfiguration.java @@ -14,13 +14,16 @@ package org.eclipse.jetty.webapp; import java.io.IOException; +import java.net.URI; import java.net.URL; import java.util.ArrayList; import java.util.Collection; import java.util.EventListener; +import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; import java.util.List; +import java.util.Map; import java.util.Set; import javax.servlet.Servlet; 
@@ -58,6 +61,7 @@ public class TagLibConfiguration extends AbstractConfiguration public static final String TLD_RESOURCES = "org.eclipse.jetty.tlds"; + /** * TagLibListener * @@ -96,7 +100,37 @@ public class TagLibConfiguration extends AbstractConfiguration public void contextInitialized(ServletContextEvent sce) { - try { + try + { + //For jasper 2.1: + //Get the system classpath tlds and tell jasper about them, if jasper is on the classpath + try + { + Class clazz = getClass().getClassLoader().loadClass("org.apache.jasper.compiler.TldLocationsCache"); + Collection tld_resources = (Collection)_context.getAttribute(TLD_RESOURCES); + + Map> tldMap = new HashMap>(); + + if (tld_resources != null) + { + //get the jar file names of the files + for (Resource r:tld_resources) + { + Resource jarResource = extractJarResource(r); + //jasper is happy with an empty list of tlds + if (!tldMap.containsKey(jarResource.getURI())) + tldMap.put(jarResource.getURI(), null); + + } + //set the magic context attribute that tells jasper about the system tlds + sce.getServletContext().setAttribute("com.sun.appserv.tld.map", tldMap); + } + } + catch (ClassNotFoundException e) + { + LOG.ignore(e); + } + //find the tld files and parse them to get out their //listeners Set tlds = findTldResources(); @@ -117,12 +151,37 @@ public class TagLibConfiguration extends AbstractConfiguration } } - } catch (Exception e) { + } + catch (Exception e) { LOG.warn(e); } } + + + private Resource extractJarResource (Resource r) + { + if (r == null) + return null; + + try + { + String url = r.getURI().toURL().toString(); + int idx = url.lastIndexOf("!/"); + if (idx >= 0) + url = url.substring(0, idx); + if (url.startsWith("jar:")) + url = url.substring(4); + return Resource.newResource(url); + } + catch (IOException e) + { + LOG.warn(e); + return null; + } + } + /** * Find all the locations that can harbour tld files that may contain * a listener which the web container is supposed to instantiate and 
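Review bot: In the new jasper block of `contextInitialized`, `jarResource.getURI()` is called without a null check, but `extractJarResource` (added in the next hunk) returns null for a null input and whenever forming the URL throws `IOException`; the resulting NullPointerException is caught by the outer `catch (Exception e) { LOG.warn(e); }`, which aborts the whole method and skips the `findTldResources()` listener discovery that follows. Guard the lookup: `if (jarResource != null && !tldMap.containsKey(jarResource.getURI()))`. The comment `//jasper is happy with an empty list of tlds` does not match the code, which stores `null` rather than an empty list; either store an empty list or reword the comment to say null is accepted (I cannot verify which jasper tolerates). `clazz` is assigned only to probe for `org.apache.jasper.compiler.TldLocationsCache` and never read; a comment such as `// presence check only: ClassNotFoundException means jasper 2.1 is not on the classpath` would make that intentional. The method starts before this hunk and continues into the next one.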
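Review bot: `extractJarResource` has no Javadoc, and its contract — strip everything from the `!/` entry separator and a leading `jar:` scheme so that the containing jar's URL remains, returning null for a null input or when the URL conversion fails — is only recoverable by reading the string manipulation. Add `/** Returns the jar resource containing r (its URL with the jar: scheme and !/entry suffix stripped), or null if r is null or its URL cannot be formed; failures are logged at warn level. */`. A resource whose URL has neither marker is passed through to `Resource.newResource` unchanged, so callers receive either the enclosing jar or an equivalent of the original resource; that is worth a sentence in the same Javadoc. Only `IOException` is caught, which is presumably what `toURL()` and `Resource.newResource` throw here; confirm `newResource` does not throw anything unchecked for malformed input.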
diff --git a/tests/test-integration/src/test/java/org/eclipse/jetty/test/support/rawhttp/HttpsSocketImpl.java b/tests/test-integration/src/test/java/org/eclipse/jetty/test/support/rawhttp/HttpsSocketImpl.java index 3a071047195..332aa4fed39 100644 --- a/tests/test-integration/src/test/java/org/eclipse/jetty/test/support/rawhttp/HttpsSocketImpl.java +++ b/tests/test-integration/src/test/java/org/eclipse/jetty/test/support/rawhttp/HttpsSocketImpl.java @@ -25,6 +25,7 @@ import java.net.SocketAddress; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; @@ -78,7 +79,7 @@ public class HttpsSocketImpl implements HttpSocket try { // TODO real trust manager - this.sslContext = SSLContext.getInstance("SSL"); + this.sslContext = SSLContext.getInstance("TLS"); sslContext.init(null,trustAllCerts,new java.security.SecureRandom()); } catch (Exception e) @@ -87,11 +88,13 @@ public class HttpsSocketImpl implements HttpSocket } sslfactory = sslContext.getSocketFactory(); + } public Socket connect(InetAddress host, int port) throws IOException { - Socket sslsock = sslfactory.createSocket(); + SSLSocket sslsock = (SSLSocket)sslfactory.createSocket(); + sslsock.setEnabledProtocols(new String[] {"TLSv1"}); SocketAddress address = new InetSocketAddress(host,port); sslsock.connect(address); return sslsock;