Fixes #327183 (Allow better configurability of HttpClient for TLS/SSL).

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2329 7e9141cc-0065-0410-87d8-b60c137991c4
This commit is contained in:
Simone Bordet 2010-10-07 08:21:12 +00:00
parent e574ba8b13
commit cd7926584d
2 changed files with 89 additions and 52 deletions

View File

@ -1,20 +1,21 @@
jetty-7.2.0.RC1-SNAPSHOT jetty-7.2.0.RC1-SNAPSHOT
+ 289540 added javadoc into distribution + 289540 added javadoc into distribution
+ 297154 add source distribution artifact + 297154 add source distribution artifact
+ 323985 Xmlconfiguration pulls start.jar config properties + 323985 Xmlconfiguration pulls start.jar config properties
+ 326734 Configure Digest maxNonceAge with Security handler init param + 326734 Configure Digest maxNonceAge with Security handler init param
+ 327109 Fixed AJP handling of empty packets + 327109 Fixed AJP handling of empty packets
+ 327183 Allow better configurability of HttpClient for TLS/SSL
jetty-7.2.0.RC0 1 Oct 2010 jetty-7.2.0.RC0 1 Oct 2010
+ 314087 Simplified SelectorManager + 314087 Simplified SelectorManager
+ 319334 Concurrent, sharable ResourceCache + 319334 Concurrent, sharable ResourceCache
+ 319370 WebAppClassLoader.Context + 319370 WebAppClassLoader.Context
+ 319444 Two nulls are appended to log statements from ContextHanler$Context + 319444 Two nulls are appended to log statements from ContextHanler$Context
+ 320073 Reconsile configuration mechanism + 320073 Reconsile configuration mechanism
+ 320112 Websocket in aggregate jars + 320112 Websocket in aggregate jars
+ 320264 Removed duplicate mime.property entries + 320264 Removed duplicate mime.property entries
+ 320457 Added rfc2045 support to B64Code + 320457 Added rfc2045 support to B64Code
+ 321232 BasicAuthenticator ignores bad Authorization header. + 321232 BasicAuthenticator ignores bad Authorization header.
+ 321307 HashSessionManager calls passivation listeners. + 321307 HashSessionManager calls passivation listeners.
+ 321730 SelectChannelEndPoint prints to System.err + 321730 SelectChannelEndPoint prints to System.err
+ 321735 HttpClient onException called for buffer overflow. + 321735 HttpClient onException called for buffer overflow.
@ -67,8 +68,8 @@ jetty-7.2.0.RC0 1 Oct 2010
jetty-7.1.6.v20100715 jetty-7.1.6.v20100715
+ 319519 Warn about duplicate configuration files + 319519 Warn about duplicate configuration files
+ 319655 Reset HEAD status + 319655 Reset HEAD status
+ JETTY-1247 synchronize recylcing of SSL NIO buffers + JETTY-1247 synchronize recylcing of SSL NIO buffers
+ JETTY-1248 fix parsing of bad multiparts + JETTY-1248 fix parsing of bad multiparts
+ JETTY-1249 Apply max idle time to all connectors + JETTY-1249 Apply max idle time to all connectors
+ JETTY-1251 Replace then close selector for JVM bugs + JETTY-1251 Replace then close selector for JVM bugs

View File

@ -25,11 +25,9 @@ import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap; import java.util.concurrent.ConcurrentMap;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
@ -101,7 +99,6 @@ public class HttpClient extends HttpBuffers implements Attributes
private int _maxRedirects = 20; private int _maxRedirects = 20;
private LinkedList<String> _registeredListeners; private LinkedList<String> _registeredListeners;
// TODO clean up and add getters/setters to some of this maybe
private String _keyStoreLocation; private String _keyStoreLocation;
private String _keyStoreType = "JKS"; private String _keyStoreType = "JKS";
private String _keyStorePassword; private String _keyStorePassword;
@ -111,13 +108,12 @@ public class HttpClient extends HttpBuffers implements Attributes
private String _trustStoreType = "JKS"; private String _trustStoreType = "JKS";
private String _trustStorePassword; private String _trustStorePassword;
private String _trustManagerAlgorithm = (Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm")); private String _trustManagerAlgorithm = (Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
private SSLContext _sslContext;
private String _protocol = "TLS"; private String _protocol = "TLS";
private String _provider; private String _provider;
private String _secureRandomAlgorithm; private String _secureRandomAlgorithm;
private SSLContext _sslContext;
private RealmResolver _realmResolver; private RealmResolver _realmResolver;
private AttributesMap _attributes=new AttributesMap(); private AttributesMap _attributes=new AttributesMap();
@ -242,7 +238,7 @@ public class HttpClient extends HttpBuffers implements Attributes
{ {
_timeoutQ.schedule(task); _timeoutQ.schedule(task);
} }
public void schedule(Timeout.Task task, long timeout) public void schedule(Timeout.Task task, long timeout)
{ {
_timeoutQ.schedule(task, timeout); _timeoutQ.schedule(task, timeout);
@ -271,7 +267,7 @@ public class HttpClient extends HttpBuffers implements Attributes
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
/** Set a RealmResolver for client Authentication. /** Set a RealmResolver for client Authentication.
* If a realmResolver is set, then the HttpDestinations created by * If a realmResolver is set, then the HttpDestinations created by
* this client will instantiate a {@link SecurityListener} so that * this client will instantiate a {@link SecurityListener} so that
* BASIC and DIGEST authentication can be performed. * BASIC and DIGEST authentication can be performed.
* @param resolver * @param resolver
@ -318,7 +314,7 @@ public class HttpClient extends HttpBuffers implements Attributes
} }
_registeredListeners.add(listenerClass); _registeredListeners.add(listenerClass);
} }
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
public LinkedList<String> getRegisteredListeners() public LinkedList<String> getRegisteredListeners()
{ {
@ -548,7 +544,6 @@ public class HttpClient extends HttpBuffers implements Attributes
protected SSLContext getStrictSSLContext() throws IOException protected SSLContext getStrictSSLContext() throws IOException
{ {
try try
{ {
if (_trustStoreLocation == null) if (_trustStoreLocation == null)
@ -557,45 +552,36 @@ public class HttpClient extends HttpBuffers implements Attributes
_trustStoreType = _keyStoreType; _trustStoreType = _keyStoreType;
} }
KeyManager[] keyManagers = null; InputStream keyStoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
InputStream keystoreInputStream = null;
keystoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
KeyStore keyStore = KeyStore.getInstance(_keyStoreType); KeyStore keyStore = KeyStore.getInstance(_keyStoreType);
keyStore.load(keystoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toString().toCharArray()); keyStore.load(keyStoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerAlgorithm); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerAlgorithm);
keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toString().toCharArray()); keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toCharArray());
keyManagers = keyManagerFactory.getKeyManagers(); KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
TrustManager[] trustManagers = null; InputStream trustStoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
InputStream truststoreInputStream = null;
truststoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
KeyStore trustStore = KeyStore.getInstance(_trustStoreType); KeyStore trustStore = KeyStore.getInstance(_trustStoreType);
trustStore.load(truststoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toString().toCharArray()); trustStore.load(trustStoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerAlgorithm); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerAlgorithm);
trustManagerFactory.init(trustStore); trustManagerFactory.init(trustStore);
trustManagers = trustManagerFactory.getTrustManagers(); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
SecureRandom secureRandom = _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm); SecureRandom secureRandom = _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
SSLContext context = _provider == null ? SSLContext.getInstance(_protocol) : SSLContext.getInstance(_protocol, _provider); SSLContext context = _provider == null ? SSLContext.getInstance(_protocol) : SSLContext.getInstance(_protocol, _provider);
context.init(keyManagers, trustManagers, secureRandom); context.init(keyManagers, trustManagers, secureRandom);
return context; return context;
} }
catch (Exception e) catch (Exception x)
{ {
e.printStackTrace(); throw (IOException)new IOException("Error generating SSLContext for keystore " + _keyStoreLocation).initCause(x);
throw new IOException("error generating ssl context for " + _keyStoreLocation + " " + e.getMessage());
} }
} }
protected SSLContext getLooseSSLContext() throws IOException protected SSLContext getLooseSSLContext() throws IOException
{ {
// Create a trust manager that does not validate certificate chains
// Create a trust manager that does not validate certificate
// chains
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager()
{ {
public java.security.cert.X509Certificate[] getAcceptedIssuers() public java.security.cert.X509Certificate[] getAcceptedIssuers()
@ -612,26 +598,16 @@ public class HttpClient extends HttpBuffers implements Attributes
} }
}}; }};
HostnameVerifier hostnameVerifier = new HostnameVerifier()
{
public boolean verify(String urlHostName, SSLSession session)
{
Log.warn("Warning: URL Host: " + urlHostName + " vs." + session.getPeerHost());
return true;
}
};
// Install the all-trusting trust manager // Install the all-trusting trust manager
try try
{ {
// TODO real trust manager SSLContext sslContext = SSLContext.getInstance(_protocol);
SSLContext sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, trustAllCerts, null);
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
return sslContext; return sslContext;
} }
catch (Exception e) catch (Exception x)
{ {
throw new IOException("issue ignoring certs"); throw (IOException)new IOException("Error generating loose SSLContext").initCause(x);
} }
} }
@ -814,28 +790,88 @@ public class HttpClient extends HttpBuffers implements Attributes
{ {
this._trustStorePassword = new Password(trustStorePassword).toString(); this._trustStorePassword = new Password(trustStorePassword).toString();
} }
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
public String getKeyStoreType() public String getKeyStoreType()
{ {
return this._keyStoreType; return this._keyStoreType;
} }
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
public void setKeyStoreType(String keyStoreType) public void setKeyStoreType(String keyStoreType)
{ {
this._keyStoreType = keyStoreType; this._keyStoreType = keyStoreType;
} }
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
public String getTrustStoreType() public String getTrustStoreType()
{ {
return this._trustStoreType; return this._trustStoreType;
} }
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
public void setTrustStoreType(String trustStoreType) public void setTrustStoreType(String trustStoreType)
{ {
this._trustStoreType = trustStoreType; this._trustStoreType = trustStoreType;
} }
/* ------------------------------------------------------------ */
public String getKeyManagerAlgorithm()
{
return _keyManagerAlgorithm;
}
/* ------------------------------------------------------------ */
public void setKeyManagerAlgorithm(String keyManagerAlgorithm)
{
this._keyManagerAlgorithm = keyManagerAlgorithm;
}
/* ------------------------------------------------------------ */
public String getTrustManagerAlgorithm()
{
return _trustManagerAlgorithm;
}
/* ------------------------------------------------------------ */
public void setTrustManagerAlgorithm(String trustManagerAlgorithm)
{
this._trustManagerAlgorithm = trustManagerAlgorithm;
}
/* ------------------------------------------------------------ */
public String getProtocol()
{
return _protocol;
}
/* ------------------------------------------------------------ */
public void setProtocol(String protocol)
{
this._protocol = protocol;
}
/* ------------------------------------------------------------ */
public String getProvider()
{
return _provider;
}
/* ------------------------------------------------------------ */
public void setProvider(String provider)
{
this._provider = provider;
}
/* ------------------------------------------------------------ */
public String getSecureRandomAlgorithm()
{
return _secureRandomAlgorithm;
}
/* ------------------------------------------------------------ */
public void setSecureRandomAlgorithm(String secureRandomAlgorithm)
{
this._secureRandomAlgorithm = secureRandomAlgorithm;
}
} }