* Issue #3863 - Enforce use of SNI.
Introduced SslContextFactory.rejectUnmatchedSNIHost (default false)
so that if no SNI is sent, or SNI does not match a certificate,
then the TLS handshake is aborted.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* Issue #3863 - Enforce use of SNI.
Updates after review.
Introduced SslContextFactory.SNISelector to allow application to write
their custom logic to select a certificate based on SNI information.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* Issue #3863 Enforce SNI
Added two sniRequired fields - one at SslContextLevel and the other at the SecureRequestCustomizer. This allows rejection either at TLS handshake or by 400 response.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 Enforce SNI
cleanups from review
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 Enforce SNI
improved comments
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 Enforce SNI
syntax sugar
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 SNI
Updates from review. Extra test for sniSelector function
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4265 Remove doError
The doError method and the ErrorDispatchHandler class were
hang overs from when we needed to dispatch into a context to get sendError called, which would then generate the error page.
Now sendError doesn't do any generation, rather it changes state that arranges either for a minimal error page to be generated or an ERROR dispatch to a real handler/servlet to generate the error page.
Thus the ErrorDispatchHandler and doError methods can now be removed.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4265 Remove doError
Moved the error page dispatching logic back to the ErrorHandler class to assist with backwards compatibility
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4265 Remove doError
Moved the error page dispatching logic back to the ErrorHandler class to assist with backwards compatibility
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4265 doError
Updates from review.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4227 - do not use encodeRedirectURL for openid redirects
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
* changes from review
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Made methods that were exposing RateTracker (a package private class)
non-public, since no code outside jetty-servlets could have used them.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Made method reportDifferences(...) private since it was exposing
package private class TimeNSize and no code outside of jetty-util
could have used it.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Releasing the decrypted input buffer so that it can be re-acquired
with an expanded capacity.
Looping around only if the buffer size has changed.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* Issue #4203 - Updating test to verify report on Transfer-Encoding
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Fixes#4203 - Transfer-Encoding + Content-Length is 400 Bad Request
+ Fixing validation to not be header order dependent.
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Issue #4203 - Fixing hasTransferEncoding reset and testcase assumption
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Issue #4204 - Transfer-Encoding RFC7230 behaviors
+ More test cases and implementation.
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Issue #4204 - Transfer-Encoding RFC7230 behaviors
+ Adjusting HttpParser to handle the case where we have multiple
Transfer-Encoding headers and none declare the 'chunked' token.
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Issue #4204 - Transfer-Encoding RFC7230 behaviors
+ Making changes from PR review
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Issue #4203 Transfer Encoding
request with TE and no chunking is a Bad Request
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* issue exclude/include con name InetAccesHandler - add better unit test
this logic:
String name =
baseRequest.getHttpChannel().getConnector().getName();
return _names.test(name) && _addrs.test(addr);
Is not correct. it's treating the connector name exactly like the
filter. But that's not what it's intended to do. It's supposed to tell
what connectors are applicable to this filter. And what connectors are
not affected.
For example in the unit test there exists 2 connectors:
http
tls
We want to restrict the http connector, but we want to leave tls
connector alone.
So we would specify:
include = 192.168.1.1-192.168.1.254
includeConnector = http
The way the logic is above, it is treating the connector name as if it's
the filter itself. Which is not what I intended.
What i need in psuedo-code is this:
if (there are no "include connectors" OR if this connector is
included) AND (if this connector is not in the excluded list)
---> Then apply the IP filter.
Signed-off-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>
* exclude should take precedence over include
Signed-off-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>
* Issue #4193 InetAccessHandler
reverted changes to IncludeExcludeSet
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4193 InetAccessHandler
updates from review
Signed-off-by: Greg Wilkins <gregw@webtide.com>
Lachlan
Jan Bartel
Olivier Lamy
Greg Wilkins
Simone Bordet
Julien Gouesse
Chris Walker
Joakim Erdfelt