Commit Graph

17814 Commits

Author SHA1 Message Date
Simone Bordet e09444eeb5 Issue #3863 - Enforce use of SNI (#4085)
* Issue #3863 -  Enforce use of SNI.

Introduced SslContextFactory.rejectUnmatchedSNIHost (default false)
so that if no SNI is sent, or SNI does not match a certificate,
then the TLS handshake is aborted.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

* Issue #3863 - Enforce use of SNI.

Updates after review.
Introduced SslContextFactory.SNISelector to allow application to write
their custom logic to select a certificate based on SNI information.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

* Issue #3863 Enforce SNI

Added two sniRequired fields - one at SslContextLevel and the other at the SecureRequestCustomizer.  This allows rejection either at TLS handshake or by 400 response.

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #3863 Enforce SNI

cleanups from review

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #3863 Enforce SNI

improved comments

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #3863 Enforce SNI

syntax sugar

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #3863 SNI

Updates from review.  Extra test for sniSelector function

Signed-off-by: Greg Wilkins <gregw@webtide.com>
2019-11-05 09:07:34 +11:00
Joakim Erdfelt 68cf4f23f1
Issue #4173 - Ignore logging of failed Resource.getFile()
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-11-04 16:03:01 -06:00
Joakim Erdfelt 6ac925631c
Issue #4173 - Adding more testcases for raw root-ish Resources
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-11-04 16:01:43 -06:00
Joakim Erdfelt f4298c12c4
Issue #4173 - Improve OSX test expectation (NFD form)
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-11-04 15:52:22 -06:00
Greg Wilkins 869c3b51ce
Issue #4265 Remove doError (#4266)
* Issue #4265 Remove doError

The doError method and the ErrorDispatchHandler class were
hangovers from when we needed to dispatch into a context to get sendError called, which would then generate the error page.

Now sendError doesn't do any generation, rather it changes state that arranges either for a minimal error page to be generated or an ERROR dispatch to a real handler/servlet to generate the error page.

Thus the ErrorDispatchHandler and doError methods can now be removed.

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #4265 Remove doError

Moved the error page dispatching logic back to the ErrorHandler class to assist with backwards compatibility

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #4265 Remove doError

Moved the error page dispatching logic back to the ErrorHandler class to assist with backwards compatibility

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #4265 doError

Updates from review.

Signed-off-by: Greg Wilkins <gregw@webtide.com>
2019-11-05 08:45:46 +11:00
Joakim Erdfelt 2774533150
Issue #4173 - improved Base Resource Name resolution
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-11-04 14:55:41 -06:00
Jan Bartel e9a8497936 Issue #4173 Avoid NPE generating name of tmp dir in WebInfConfiguration
Signed-off-by: Jan Bartel <janb@webtide.com>
2019-11-04 17:53:05 +11:00
Julien Gouesse 9cede68b35
Add systemd service file #1485
Signed-off-by: Julien Gouesse <gouessej@orange.fr>
2019-11-01 12:13:00 -05:00
Simone Bordet cc92ad0b07
Merge pull request #4261 from eclipse/jetty-9.4.x-4251-broken_http2-settings_header
Fixes #4251 - Http 2.0 clients cannot upgrade protocol in 9.4.22 rele…
2019-11-01 00:35:59 +03:00
Simone Bordet 3ae9faab79 Fixes #4251 - Http 2.0 clients cannot upgrade protocol in 9.4.22 release.
Updates after review.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-31 22:24:31 +01:00
Joakim Erdfelt 6c69c39ffa
Merge pull request #4245 from eclipse/jetty-9.3.x-4217-sslconnection-flush-loop
Issue #4217 - (9.3.x) SslConnection DecryptedEndpoint flush eternal busy loop
2019-10-31 11:42:08 -05:00
Joakim Erdfelt b27ead06b2
Merge branch 'jetty-9.2.x' of github.com:eclipse/jetty.project into jetty-9.2.x 2019-10-31 11:40:07 -05:00
Joakim Erdfelt 37222661d5
Merge pull request #4256 from eclipse/jetty-9.2.x-tls-large-record
Issue #4217 - (9.2.x) SslConnection DecryptedEndpoint flush eternal busy loop
2019-10-31 11:39:58 -05:00
Joakim Erdfelt a890df115e
Merge branch 'jetty-9.2.x' of github.com:eclipse/jetty.project into jetty-9.2.x 2019-10-31 11:39:21 -05:00
Simone Bordet 4f19e6b638 Fixes #4251 - Http 2.0 clients cannot upgrade protocol in 9.4.22 release.
Fixed HTTP2-Settings header parsing.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-31 15:56:24 +01:00
Joakim Erdfelt a3f3612fb4
Issue #4217 - Reverting debug output in IllegalStateException
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-30 17:23:08 -05:00
Joakim Erdfelt f7ab02a5d1
Issue #4217 - Fixing OVERFLOW case to allow flush()
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-30 17:21:59 -05:00
Joakim Erdfelt c980e3dd34
Fixing compilation issue
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-30 17:18:03 -05:00
Joakim Erdfelt c04997f7e0
Issue #4217 - SslConnection DecryptedEndpoint flush eternal busy loop
+ Flush on BUFFER_OVERFLOW

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-30 17:05:46 -05:00
Joakim Erdfelt 737144a35e
Issue #4217 - Allowing Large TLS Records in Java 11+ in Jetty 9.2.x
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-30 15:29:20 -05:00
Joakim Erdfelt e137ee3cd7
Issue #4217 - SslConnection DecryptedEndpoint flush eternal busy loop
+ Cleanup from review

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-30 14:03:16 -05:00
Chris Walker c50c4536dd
Added additional, http/2 specific documentation for #4253 2019-10-30 13:16:30 -04:00
Chris Walker 372313a388
Updating security reports. Resolves #4253 2019-10-30 11:36:14 -04:00
Joakim Erdfelt c58fd58e41
Testing Large TLS Records for Jetty 9.2.x
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-29 19:14:07 -05:00
Joakim Erdfelt 93a5ff0b89
Issue #4217 - SslConnection DecryptedEndpoint flush eternal busy loop
+ Small cleanup of duplicate if statements

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-25 16:41:26 -05:00
Joakim Erdfelt e665c8f806
Issue #4217 - SslConnection DecryptedEndpoint flush eternal busy loop
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-24 16:26:43 -05:00
Joakim Erdfelt 9b3b174862
Merge branch 'jetty-9.4.x' of github.com:eclipse/jetty.project into jetty-9.4.x 2019-10-24 06:35:04 -05:00
Joakim Erdfelt 344a064b39
Release script should commit only what it created.
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-10-24 06:34:50 -05:00
Lachlan fea8bb794d
Issue #4240 - use default charset utf-8 for cgi request form encoding (#4241)
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2019-10-24 08:24:19 +11:00
Joakim Erdfelt 1ed13b6b30 Updating to version 9.4.23-SNAPSHOT 2019-10-22 09:19:41 -05:00
Joakim Erdfelt b1e6b55512 Updating to version 9.4.22.v20191022 2019-10-22 08:20:50 -05:00
Lachlan a9e543c1c0
Issue #4227 - do not use encodeRedirectURL for openid redirects (#4233)
* Issue #4227 - do not use encodeRedirectURL for openid redirects

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>

* changes from review

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2019-10-22 22:47:29 +11:00
Simone Bordet add8ffca5b
Merge pull request #4218 from eclipse/jetty-9.4.x-4217-tls_flush_buffer_overflow_busy_loop
Fixes #4217 - SslConnection.DecryptedEndpoint.flush eternal busy loop.
2019-10-21 21:32:22 +02:00
Simone Bordet a547a77d74
Merge pull request #4230 from gouessej/jetty-9.4.x
Issue #4160, fixes some spelling mistakes
2019-10-21 21:27:29 +02:00
Julien Gouesse a0c9a14a62 Issue #4160, fixes some spelling mistakes
Signed-off-by: Julien Gouesse <gouessej@orange.fr>
2019-10-21 20:21:55 +02:00
Simone Bordet 862ac407f1 Code cleanup.
Made methods that were exposing RateTracker (a package private class)
non-public, since no code outside jetty-servlets could have used them.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-20 16:54:11 +02:00
Simone Bordet dc59addb6f Code cleanup.
Made method reportDifferences(...) private since it was exposing
package private class TimeNSize and no code outside of jetty-util
could have used it.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-20 16:50:31 +02:00
Simone Bordet 95b205aa34 Class InetPattern is package private, so made newInetRange(String)
private because no code outside jetty-util could call that method.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-20 16:18:58 +02:00
Simone Bordet 92bfcb6c73 Class Managed is package private, so made addBean(Object, Managed)
private because no code outside of jetty-util could call that method.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-20 16:10:01 +02:00
olivier lamy 66dd5ad788 use last jacoco plugin 0.8.5
Signed-off-by: olivier lamy <oliver.lamy@gmail.com>
2019-10-20 21:44:15 +10:00
Simone Bordet 73eb82c20f Issue #4217 - SslConnection.DecryptedEndpoint.flush eternal busy loop.
Updates after review.
Added test case.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-19 20:06:10 +02:00
Simone Bordet 991cf20cce Issue #4217 - SslConnection.DecryptedEndpoint.flush eternal busy loop.
Releasing the decrypted input buffer so that it can be re-acquired
with an expanded capacity.
Looping around only if the buffer size has changed.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-19 12:27:58 +02:00
Joakim Erdfelt 890c0b26cb Fixes #4203 and #4204 - Transfer-Encoding + Content-Length behaviors (#4205)
* Issue #4203 - Updating test to verify report on Transfer-Encoding

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

* Fixes #4203 - Transfer-Encoding + Content-Length is 400 Bad Request

+ Fixing validation to not be header order dependent.

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

* Issue #4203 - Fixing hasTransferEncoding reset and testcase assumption

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

* Issue #4204 - Transfer-Encoding RFC7230 behaviors

+ More test cases and implementation.

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

* Issue #4204 - Transfer-Encoding RFC7230 behaviors

+ Adjusting HttpParser to handle the case where we have multiple
  Transfer-Encoding headers and none declare the 'chunked' token.

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

* Issue #4204 - Transfer-Encoding RFC7230 behaviors

+ Making changes from PR review

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

* Issue #4203 Transfer Encoding

request with TE and no chunking is a Bad Request

Signed-off-by: Greg Wilkins <gregw@webtide.com>
2019-10-19 08:05:15 +11:00
Lachlan Roberts ed74a459a7 Issue #4138 - only warn if metadata issuer is not consistent with config
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2019-10-18 10:31:50 +11:00
Greg Wilkins 3d19f61122
Issue #4193 - Fix InetAccess port control (#4206)
* issue exclude/include con name InetAccessHandler - add better unit test

this logic:

        String name = baseRequest.getHttpChannel().getConnector().getName();
        return _names.test(name) && _addrs.test(addr);

is not correct. It's treating the connector name exactly like the
filter. But that's not what it's intended to do. It's supposed to tell
what connectors are applicable to this filter. And what connectors are
not affected.

For example, in the unit test there exist 2 connectors:

http
tls

We want to restrict the http connector, but we want to leave tls
connector alone.

So we would specify:

include = 192.168.1.1-192.168.1.254
includeConnector = http

The way the logic is above, it is treating the connector name as if it's
the filter itself. Which is not what I intended.

What I need in pseudo-code is this:


   if (there are no "include connectors" OR if this connector is
included) AND (if this connector is not in the excluded list)
     ---> Then apply the IP filter.

Signed-off-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>

* exclude should take precedence over include

Signed-off-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>

* Issue #4193 InetAccessHandler

reverted changes to IncludeExcludeSet

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #4193 InetAccessHandler

updates from review

Signed-off-by: Greg Wilkins <gregw@webtide.com>
2019-10-18 09:03:28 +11:00
Simone Bordet 2e633a4e86 Fixes #4217 - SslConnection.DecryptedEndpoint.flush eternal busy loop.
Releasing the encrypted output buffer so that it can be re-acquired
with an expanded capacity.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2019-10-17 19:41:52 +02:00
Lachlan Roberts 337b6c1439 Issue #4138 - Changes from review
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2019-10-17 15:59:21 +11:00
Greg Wilkins 894fc9b115
Issue #4208 - Content-Length in 304 (#4211)
* Issue #4208 Content-Length in 304

Added tests for RFC7230 section 3.3.2 for 304 and HEAD responses with content length.
Fixed HttpGenerator to set content-length in 304 response
Fixed insufficient content written check for 304

Signed-off-by: Greg Wilkins <gregw@webtide.com>

* Issue #4208 Content-Length in 304

Use contentLengthField

Signed-off-by: Greg Wilkins <gregw@webtide.com>
2019-10-17 14:26:19 +11:00
Simone Bordet 869184c827
Merge pull request #4200 from eclipse/jetty-9.4.x-4190-deadlock_httpoutput_close
Fixes #4190 Jetty hangs after thread blocked in SharedBlockingCallbac…
2019-10-16 23:35:52 +02:00
Simone Bordet 2efce33fbe
Merge pull request #4202 from eclipse/jetty-9.4.x-4201-httpclient_throw_sslhandshakeexception
Fixes #4201 - Throw SSLHandshakeException in case of TLS handshake fa…
2019-10-16 23:31:12 +02:00