From cd7926584d99238cba2e0ced9866652ef4fc740a Mon Sep 17 00:00:00 2001 From: Simone Bordet Date: Thu, 7 Oct 2010 08:21:12 +0000 Subject: [PATCH] Fixes #327183 (Allow better configurability of HttpClient for TLS/SSL). git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2329 7e9141cc-0065-0410-87d8-b60c137991c4 --- VERSION.txt | 11 +- .../org/eclipse/jetty/client/HttpClient.java | 130 +++++++++++------- 2 files changed, 89 insertions(+), 52 deletions(-) diff --git a/VERSION.txt b/VERSION.txt index 638dc6521d4..cd76a5318e7 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1,20 +1,21 @@ -jetty-7.2.0.RC1-SNAPSHOT +jetty-7.2.0.RC1-SNAPSHOT + 289540 added javadoc into distribution + 297154 add source distribution artifact + 323985 Xmlconfiguration pulls start.jar config properties + 326734 Configure Digest maxNonceAge with Security handler init param + 327109 Fixed AJP handling of empty packets + + 327183 Allow better configurability of HttpClient for TLS/SSL jetty-7.2.0.RC0 1 Oct 2010 + 314087 Simplified SelectorManager + 319334 Concurrent, sharable ResourceCache + 319370 WebAppClassLoader.Context - + 319444 Two nulls are appended to log statements from ContextHanler$Context + + 319444 Two nulls are appended to log statements from ContextHanler$Context + 320073 Reconsile configuration mechanism + 320112 Websocket in aggregate jars + 320264 Removed duplicate mime.property entries + 320457 Added rfc2045 support to B64Code - + 321232 BasicAuthenticator ignores bad Authorization header. + + 321232 BasicAuthenticator ignores bad Authorization header. + 321307 HashSessionManager calls passivation listeners. + 321730 SelectChannelEndPoint prints to System.err + 321735 HttpClient onException called for buffer overflow. 
@@ -67,8 +68,8 @@ jetty-7.2.0.RC0 1 Oct 2010 jetty-7.1.6.v20100715 + 319519 Warn about duplicate configuration files - + 319655 Reset HEAD status - + JETTY-1247 synchronize recylcing of SSL NIO buffers + + 319655 Reset HEAD status + + JETTY-1247 synchronize recylcing of SSL NIO buffers + JETTY-1248 fix parsing of bad multiparts + JETTY-1249 Apply max idle time to all connectors + JETTY-1251 Replace then close selector for JVM bugs diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java index aab4220bebf..ea353db507f 100644 --- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java +++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java @@ -25,11 +25,9 @@ import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; -import javax.net.ssl.HostnameVerifier; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; @@ -101,7 +99,6 @@ public class HttpClient extends HttpBuffers implements Attributes private int _maxRedirects = 20; private LinkedList _registeredListeners; - // TODO clean up and add getters/setters to some of this maybe private String _keyStoreLocation; private String _keyStoreType = "JKS"; private String _keyStorePassword; 
@@ -111,13 +108,12 @@ public class HttpClient extends HttpBuffers implements Attributes private String _trustStoreType = "JKS"; private String _trustStorePassword; private String _trustManagerAlgorithm = (Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm")); - - private SSLContext _sslContext; - private String _protocol = "TLS"; private String _provider; private String _secureRandomAlgorithm; + private SSLContext _sslContext; + private RealmResolver _realmResolver; private AttributesMap _attributes=new AttributesMap(); @@ -242,7 +238,7 @@ public class HttpClient extends HttpBuffers implements Attributes { _timeoutQ.schedule(task); } - + public void schedule(Timeout.Task task, long timeout) { _timeoutQ.schedule(task, timeout); @@ -271,7 +267,7 @@ public class HttpClient extends HttpBuffers implements Attributes /* ------------------------------------------------------------ */ /** Set a RealmResolver for client Authentication. - * If a realmResolver is set, then the HttpDestinations created by + * If a realmResolver is set, then the HttpDestinations created by * this client will instantiate a {@link SecurityListener} so that * BASIC and DIGEST authentication can be performed. * @param resolver @@ -318,7 +314,7 @@ public class HttpClient extends HttpBuffers implements Attributes } _registeredListeners.add(listenerClass); } - + /* ------------------------------------------------------------ */ public LinkedList getRegisteredListeners() { @@ -548,7 +544,6 @@ public class HttpClient extends HttpBuffers implements Attributes protected SSLContext getStrictSSLContext() throws IOException { - try { if (_trustStoreLocation == null) 
@@ -557,45 +552,36 @@ public class HttpClient extends HttpBuffers implements Attributes _trustStoreType = _keyStoreType; } - KeyManager[] keyManagers = null; - InputStream keystoreInputStream = null; - - keystoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream(); + InputStream keyStoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream(); KeyStore keyStore = KeyStore.getInstance(_keyStoreType); - keyStore.load(keystoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toString().toCharArray()); + keyStore.load(keyStoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toCharArray()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerAlgorithm); - keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toString().toCharArray()); - keyManagers = keyManagerFactory.getKeyManagers(); + keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toCharArray()); + KeyManager[] keyManagers = keyManagerFactory.getKeyManagers(); - TrustManager[] trustManagers = null; - InputStream truststoreInputStream = null; - - truststoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream(); + InputStream trustStoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream(); KeyStore trustStore = KeyStore.getInstance(_trustStoreType); - trustStore.load(truststoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toString().toCharArray()); + trustStore.load(trustStoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toCharArray()); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerAlgorithm); trustManagerFactory.init(trustStore); - trustManagers = trustManagerFactory.getTrustManagers(); + TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); SecureRandom secureRandom = _secureRandomAlgorithm == null ? 
null : SecureRandom.getInstance(_secureRandomAlgorithm); SSLContext context = _provider == null ? SSLContext.getInstance(_protocol) : SSLContext.getInstance(_protocol, _provider); context.init(keyManagers, trustManagers, secureRandom); return context; } - catch (Exception e) + catch (Exception x) { - e.printStackTrace(); - throw new IOException("error generating ssl context for " + _keyStoreLocation + " " + e.getMessage()); + throw (IOException)new IOException("Error generating SSLContext for keystore " + _keyStoreLocation).initCause(x); } } protected SSLContext getLooseSSLContext() throws IOException { - - // Create a trust manager that does not validate certificate - // chains + // Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() @@ -612,26 +598,16 @@ public class HttpClient extends HttpBuffers implements Attributes } }}; - HostnameVerifier hostnameVerifier = new HostnameVerifier() - { - public boolean verify(String urlHostName, SSLSession session) - { - Log.warn("Warning: URL Host: " + urlHostName + " vs." + session.getPeerHost()); - return true; - } - }; - // Install the all-trusting trust manager try { - // TODO real trust manager - SSLContext sslContext = SSLContext.getInstance("SSL"); - sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); + SSLContext sslContext = SSLContext.getInstance(_protocol); + sslContext.init(null, trustAllCerts, null); return sslContext; } - catch (Exception e) + catch (Exception x) { - throw new IOException("issue ignoring certs"); + throw (IOException)new IOException("Error generating loose SSLContext").initCause(x); } } 
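Review bot: The key store and trust store streams obtained from `Resource.newResource(...).getInputStream()` are never closed, so every call to getStrictSSLContext leaks two handles on both the success and the exception path, and the renaming in this hunk preserves that. Wrapping each `load(...)` in a try/finally that closes its stream fixes it without touching the method's contract; the surrounding `catch (Exception x)` still converts any failure to the wrapped IOException. The body of getStrictSSLContext begins in the preceding hunk, and this hunk ends inside getLooseSSLContext.
```java
InputStream keyStoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
KeyStore keyStore = KeyStore.getInstance(_keyStoreType);
try
{
    keyStore.load(keyStoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toCharArray());
}
finally
{
    keyStoreInputStream.close();
}
// … unchanged: KeyManagerFactory initialisation …
InputStream trustStoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
KeyStore trustStore = KeyStore.getInstance(_trustStoreType);
try
{
    trustStore.load(trustStoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toCharArray());
}
finally
{
    trustStoreInputStream.close();
}
// … unchanged: TrustManagerFactory, SecureRandom and SSLContext initialisation …
```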
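Review bot: getLooseSSLContext still installs the trust manager described by the retained comment as not validating certificate chains, and the rewritten `try` block documents neither that nor that the context now honours `_protocol` instead of the hard-coded "SSL", so a reader of the (now configurable) protocol cannot tell from the method which contexts it affects. A Javadoc such as `/** Creates an SSLContext whose trust manager accepts any certificate chain; use only where peer authentication is deliberately not required. Uses the protocol configured via {@link #setProtocol(String)}. */` would make the risk visible at the call site. The removed `HostnameVerifier` appears to have been a local that nothing consumed, so dropping it changes no behaviour, and passing `null` as the SecureRandom lets the provider pick its default. The `X509TrustManager` declaration this hunk closes begins in the previous hunk.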
@@ -814,28 +790,88 @@ public class HttpClient extends HttpBuffers implements Attributes { this._trustStorePassword = new Password(trustStorePassword).toString(); } - + /* ------------------------------------------------------------ */ public String getKeyStoreType() { return this._keyStoreType; } - + /* ------------------------------------------------------------ */ public void setKeyStoreType(String keyStoreType) { this._keyStoreType = keyStoreType; } - + /* ------------------------------------------------------------ */ public String getTrustStoreType() { return this._trustStoreType; } - + /* ------------------------------------------------------------ */ public void setTrustStoreType(String trustStoreType) { this._trustStoreType = trustStoreType; } + + /* ------------------------------------------------------------ */ + public String getKeyManagerAlgorithm() + { + return _keyManagerAlgorithm; + } + + /* ------------------------------------------------------------ */ + public void setKeyManagerAlgorithm(String keyManagerAlgorithm) + { + this._keyManagerAlgorithm = keyManagerAlgorithm; + } + + /* ------------------------------------------------------------ */ + public String getTrustManagerAlgorithm() + { + return _trustManagerAlgorithm; + } + + /* ------------------------------------------------------------ */ + public void setTrustManagerAlgorithm(String trustManagerAlgorithm) + { + this._trustManagerAlgorithm = trustManagerAlgorithm; + } + + /* ------------------------------------------------------------ */ + public String getProtocol() + { + return _protocol; + } + + /* ------------------------------------------------------------ */ + public void setProtocol(String protocol) + { + this._protocol = protocol; + } + + /* ------------------------------------------------------------ */ + public String getProvider() + { + return _provider; + } + + /* ------------------------------------------------------------ */ + public void setProvider(String provider) + { + 
this._provider = provider; + } + + /* ------------------------------------------------------------ */ + public String getSecureRandomAlgorithm() + { + return _secureRandomAlgorithm; + } + + /* ------------------------------------------------------------ */ + public void setSecureRandomAlgorithm(String secureRandomAlgorithm) + { + this._secureRandomAlgorithm = secureRandomAlgorithm; + } }
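Review bot: The new accessors for `_keyManagerAlgorithm`, `_trustManagerAlgorithm`, `_protocol`, `_provider` and `_secureRandomAlgorithm` carry no Javadoc, so a caller cannot tell what each value is handed to; a one-line comment per setter would do, e.g. on setProtocol `/** @param protocol the protocol name passed to {@link SSLContext#getInstance(String)} when building both the strict and the loose context */`, and on setProvider and setSecureRandomAlgorithm a note that `null` selects the platform default, which the strict-context code in the earlier hunk relies on. It is also worth stating that these values are only read when an SSLContext is created, so setting them afterwards has no effect on a context already built — presumably the `_sslContext` field caches that instance, but its use is outside this diff and should be confirmed. `setProtocol(null)` would only fail later inside `SSLContext.getInstance`, so a check such as `if (protocol == null) throw new IllegalArgumentException("protocol");` in the setter gives an earlier and clearer failure.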