org.eclipse.jetty.server.ssl
Class SslSocketConnector

java.lang.Object
  org.eclipse.jetty.util.component.AbstractLifeCycle
      org.eclipse.jetty.http.HttpBuffers
          org.eclipse.jetty.server.AbstractConnector
              org.eclipse.jetty.server.bio.SocketConnector
                  org.eclipse.jetty.server.ssl.SslSocketConnector

All Implemented Interfaces:

Connector, SslConnector, LifeCycle

public class SslSocketConnector
extends SocketConnector
implements SslConnector

SSL Socket Connector. This specialization of SocketConnector is an abstract listener that can be used as the basis for a specific JSSE listener. The original of this class was heavily based on the work from Court Demas, which in turn is based on the work from Forge Research. Since JSSE, this class has evolved significantly from that early work.

Nested Class Summary

class

SslSocketConnector.SslConnectorEndPoint

Nested classes/interfaces inherited from class org.eclipse.jetty.server.bio.SocketConnector

SocketConnector.ConnectorEndPoint

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

LifeCycle.Listener

Field Summary

Fields inherited from class org.eclipse.jetty.server.bio.SocketConnector

_connections, _localPort, _serverSocket

Fields inherited from class org.eclipse.jetty.server.AbstractConnector

_lowResourceMaxIdleTime, _maxIdleTime, _soLingerTime

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

_listeners, FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.server.ssl.SslConnector

DEFAULT_KEYSTORE, DEFAULT_KEYSTORE_ALGORITHM, DEFAULT_TRUSTSTORE_ALGORITHM, KEYPASSWORD_PROPERTY, PASSWORD_PROPERTY

Constructor Summary

SslSocketConnector()
Constructor.

Method Summary

void	accept(int acceptorID)
protected void	configure(Socket socket)
protected SSLServerSocketFactory	createFactory()
protected SSLContext	createSSLContext()
void	customize(EndPoint endpoint, Request request) Allow the Listener a chance to customise the request.
String	getAlgorithm() Unsupported.
String[]	getExcludeCipherSuites()
int	getHandshakeTimeout()
String[]	getIncludeCipherSuites()
protected KeyManager[]	getKeyManagers()
String	getKeystore()
protected KeyStore	getKeyStore(String keystorePath, String keystoreType, String keystorePassword)
String	getKeystoreType()
boolean	getNeedClientAuth()
String	getProtocol()
String	getProvider()
String	getSecureRandomAlgorithm()
SSLContext	getSslContext()
String	getSslKeyManagerFactoryAlgorithm()
String	getSslTrustManagerFactoryAlgorithm()
protected TrustManager[]	getTrustManagers()
String	getTruststore()
String	getTruststoreType()
boolean	getWantClientAuth()
boolean	isAllowRenegotiate()
boolean	isConfidential(Request request) By default, we're confidential, given we speak SSL.
boolean	isIntegral(Request request) By default, we're integral, given we speak SSL.
protected ServerSocket	newServerSocket(String host, int port, int backlog)
void	setAlgorithm(String algorithm) Unsupported.
void	setAllowRenegotiate(boolean allowRenegotiate) Set if SSL re-negotiation is allowed.
void	setExcludeCipherSuites(String[] cipherSuites)
void	setHandshakeTimeout(int msec) Set the time in milliseconds for so_timeout during ssl handshaking
void	setIncludeCipherSuites(String[] cipherSuites)
void	setKeyPassword(String password)
void	setKeystore(String keystore)
void	setKeystoreType(String keystoreType)
void	setNeedClientAuth(boolean needClientAuth) Set the value of the needClientAuth property
void	setPassword(String password)
void	setProtocol(String protocol)
void	setProvider(String _provider)
void	setSecureRandomAlgorithm(String algorithm)
void	setSslContext(SSLContext sslContext)
void	setSslKeyManagerFactoryAlgorithm(String algorithm)
void	setSslTrustManagerFactoryAlgorithm(String algorithm)
void	setTrustPassword(String password)
void	setTruststore(String truststore)
void	setTruststoreType(String truststoreType)
void	setWantClientAuth(boolean wantClientAuth) Set the value of the _wantClientAuth property.

Methods inherited from class org.eclipse.jetty.server.bio.SocketConnector

close, doStart, doStop, getConnection, getLocalPort, newConnection, open

Methods inherited from class org.eclipse.jetty.server.AbstractConnector

checkForwardedHeaders, connectionClosed, connectionOpened, connectionUpgraded, getAcceptorPriorityOffset, getAcceptors, getAcceptQueueSize, getConfidentialPort, getConfidentialScheme, getConnections, getConnectionsDurationMax, getConnectionsDurationMean, getConnectionsDurationStdDev, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsRequestsMax, getConnectionsRequestsMean, getConnectionsRequestsStdDev, getForwardedForHeader, getForwardedHostHeader, getForwardedProtoHeader, getForwardedServerHeader, getHost, getHostHeader, getIntegralPort, getIntegralScheme, getLeftMostValue, getLowResourceMaxIdleTime, getLowResourcesMaxIdleTime, getMaxIdleTime, getName, getPort, getRequests, getResolveNames, getReuseAddress, getServer, getSoLingerTime, getStatsOn, getStatsOnMs, getThreadPool, isForwarded, isLowResources, isRequestHeader, isResponseHeader, join, newBuffer, newRequestBuffer, newRequestHeader, newResponseBuffer, newResponseHeader, persist, setAcceptorPriorityOffset, setAcceptors, setAcceptQueueSize, setConfidentialPort, setConfidentialScheme, setForwarded, setForwardedForHeader, setForwardedHostHeader, setForwardedProtoHeader, setForwardedServerHeader, setHost, setHostHeader, setIntegralPort, setIntegralScheme, setLowResourceMaxIdleTime, setLowResourcesMaxIdleTime, setMaxIdleTime, setName, setPort, setResolveNames, setReuseAddress, setServer, setSoLingerTime, setStatsOn, setThreadPool, statsReset, stopAccept, toString

Methods inherited from class org.eclipse.jetty.http.HttpBuffers

getHeaderBufferSize, getRequestBuffers, getRequestBufferSize, getRequestHeaderSize, getResponseBuffers, getResponseBufferSize, getResponseHeaderSize, setHeaderBufferSize, setRequestBufferSize, setRequestHeaderSize, setResponseBufferSize, setResponseHeaderSize

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

addLifeCycleListener, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.server.Connector

close, getConfidentialPort, getConfidentialScheme, getConnection, getConnections, getConnectionsDurationMax, getConnectionsDurationMean, getConnectionsDurationStdDev, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsRequestsMax, getConnectionsRequestsMean, getConnectionsRequestsStdDev, getHost, getIntegralPort, getIntegralScheme, getLocalPort, getLowResourceMaxIdleTime, getMaxIdleTime, getName, getPort, getRequestBuffers, getRequestBufferSize, getRequestHeaderSize, getRequests, getResolveNames, getResponseBuffers, getResponseBufferSize, getResponseHeaderSize, getServer, getStatsOn, getStatsOnMs, isLowResources, open, persist, setHost, setLowResourceMaxIdleTime, setMaxIdleTime, setPort, setRequestBufferSize, setRequestHeaderSize, setResponseBufferSize, setResponseHeaderSize, setServer, setStatsOn, statsReset

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Constructor Detail

SslSocketConnector

public SslSocketConnector()

Constructor.

Method Detail

isAllowRenegotiate

public boolean isAllowRenegotiate()

Specified by:

isAllowRenegotiate in interface SslConnector

Returns:

True if SSL re-negotiation is allowed (default false)

setAllowRenegotiate

public void setAllowRenegotiate(boolean allowRenegotiate)

Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered a vulnerability in SSL/TLS with re-negotiation. If your JVM does not have CVE-2009-3555 fixed, then re-negotiation should not be allowed.

Specified by:

setAllowRenegotiate in interface SslConnector

Parameters:

allowRenegotiate - true if re-negotiation is allowed (default false)

accept

public void accept(int acceptorID)
            throws IOException,
                   InterruptedException

Overrides:

accept in class SocketConnector

Throws:

IOException

InterruptedException

configure

protected void configure(Socket socket)
                  throws IOException

Overrides:

configure in class AbstractConnector

Throws:

IOException

createSSLContext

protected SSLContext createSSLContext()
                               throws Exception

Throws:

Exception

createFactory

protected SSLServerSocketFactory createFactory()
                                        throws Exception

Throws:

Exception

getKeyManagers

protected KeyManager[] getKeyManagers()
                               throws Exception

Throws:

Exception

getTrustManagers

protected TrustManager[] getTrustManagers()
                                   throws Exception

Throws:

Exception

getKeyStore

protected KeyStore getKeyStore(String keystorePath,
                               String keystoreType,
                               String keystorePassword)
                        throws Exception

Throws:

Exception

customize

public void customize(EndPoint endpoint,
                      Request request)
               throws IOException

Allow the Listener a chance to customise the request. before the server does its stuff.
This allows the required attributes to be set for SSL requests.
The requirements of the Servlet specs are:

• an attribute named "javax.servlet.request.ssl_id" of type String (since Spec 3.0).
• an attribute named "javax.servlet.request.cipher_suite" of type String.
• an attribute named "javax.servlet.request.key_size" of type Integer.
• an attribute named "javax.servlet.request.X509Certificate" of type java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate, the order of this array is defined as being in ascending order of trust. The first certificate in the chain is the one set by the client, the next is the one used to authenticate the first, and so on.

Specified by:

customize in interface Connector

Overrides:

customize in class SocketConnector

Parameters:

endpoint - The Socket the request arrived on. This should be a SocketEndPoint wrapping a SSLSocket.

request - HttpRequest to be customised.

Throws:

IOException

getExcludeCipherSuites

public String[] getExcludeCipherSuites()

Specified by:

getExcludeCipherSuites in interface SslConnector

Returns:

The array of Ciphersuite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

getIncludeCipherSuites

public String[] getIncludeCipherSuites()

Specified by:

getIncludeCipherSuites in interface SslConnector

Returns:

The array of Ciphersuite names to include in SSLEngine.setEnabledCipherSuites(String[])

getKeystore

public String getKeystore()

Specified by:

getKeystore in interface SslConnector

Returns:

The file or URL of the SSL Key store.

getKeystoreType

public String getKeystoreType()

Specified by:

getKeystoreType in interface SslConnector

Returns:

The type of the key store (default "JKS")

getNeedClientAuth

public boolean getNeedClientAuth()

Specified by:

getNeedClientAuth in interface SslConnector

Returns:

True if SSL needs client authentication.

See Also:

SSLEngine.getNeedClientAuth()

getProtocol

public String getProtocol()

Specified by:

getProtocol in interface SslConnector

Returns:

The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

getProvider

public String getProvider()

Specified by:

getProvider in interface SslConnector

Returns:

The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

getSecureRandomAlgorithm

public String getSecureRandomAlgorithm()

Specified by:

getSecureRandomAlgorithm in interface SslConnector

Returns:

The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

getSslKeyManagerFactoryAlgorithm

public String getSslKeyManagerFactoryAlgorithm()

Specified by:

getSslKeyManagerFactoryAlgorithm in interface SslConnector

Returns:

The algorithm name (default "SunX509") used by the KeyManagerFactory

getSslTrustManagerFactoryAlgorithm

public String getSslTrustManagerFactoryAlgorithm()

Specified by:

getSslTrustManagerFactoryAlgorithm in interface SslConnector

Returns:

The algorithm name (default "SunX509") used by the TrustManagerFactory

getTruststore

public String getTruststore()

Specified by:

getTruststore in interface SslConnector

Returns:

The file name or URL of the trust store location

getTruststoreType

public String getTruststoreType()

Specified by:

getTruststoreType in interface SslConnector

Returns:

The type of the trust store (default "JKS")

getWantClientAuth

public boolean getWantClientAuth()

Specified by:

getWantClientAuth in interface SslConnector

Returns:

True if SSL wants client authentication.

See Also:

SSLEngine.getWantClientAuth()

isConfidential

public boolean isConfidential(Request request)

By default, we're confidential, given we speak SSL. But, if we've been told about an confidential port, and said port is not our port, then we're not. This allows separation of listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring client certs providing mere INTEGRAL constraints.

Specified by:

isConfidential in interface Connector

Overrides:

isConfidential in class AbstractConnector

Parameters:

request - A request

Returns:

true if the request is confidential. This normally means the https schema has been used.

isIntegral

public boolean isIntegral(Request request)

By default, we're integral, given we speak SSL. But, if we've been told about an integral port, and said port is not our port, then we're not. This allows separation of listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring client certs providing mere INTEGRAL constraints.

Specified by:

isIntegral in interface Connector

Overrides:

isIntegral in class AbstractConnector

Parameters:

request - A request

Returns:

true if the request is integral. This normally means the https schema has been used.

newServerSocket

protected ServerSocket newServerSocket(String host,
                                       int port,
                                       int backlog)
                                throws IOException

Overrides:

newServerSocket in class SocketConnector

Parameters:

host - The host name that this server should listen on

port - the port that this server should listen on

backlog - See ServerSocket.bind(java.net.SocketAddress, int)

Returns:

A new socket object bound to the supplied address with all other settings as per the current configuration of this connector.

Throws:

IOException

See Also:

setWantClientAuth(boolean), setNeedClientAuth(boolean)

setExcludeCipherSuites

public void setExcludeCipherSuites(String[] cipherSuites)

Specified by:

setExcludeCipherSuites in interface SslConnector

Parameters:

cipherSuites - The array of Ciphersuite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

setIncludeCipherSuites

public void setIncludeCipherSuites(String[] cipherSuites)

Specified by:

setIncludeCipherSuites in interface SslConnector

Parameters:

cipherSuites - The array of Ciphersuite names to include in SSLEngine.setEnabledCipherSuites(String[])

setKeyPassword

public void setKeyPassword(String password)

Specified by:

setKeyPassword in interface SslConnector

Parameters:

password - The password (if any) for the specific key within the key store

setKeystore

public void setKeystore(String keystore)

Specified by:

setKeystore in interface SslConnector

Parameters:

keystore - The resource path to the keystore, or null for built in keystores.

setKeystoreType

public void setKeystoreType(String keystoreType)

Specified by:

setKeystoreType in interface SslConnector

Parameters:

keystoreType - The type of the key store (default "JKS")

setNeedClientAuth

public void setNeedClientAuth(boolean needClientAuth)

Set the value of the needClientAuth property

Specified by:

setNeedClientAuth in interface SslConnector

Parameters:

needClientAuth - true iff we require client certificate authentication.

See Also:

SSLEngine.getNeedClientAuth()

setPassword

public void setPassword(String password)

Specified by:

setPassword in interface SslConnector

Parameters:

password - The password for the key store

setTrustPassword

public void setTrustPassword(String password)

Specified by:

setTrustPassword in interface SslConnector

Parameters:

password - The password for the trust store

setProtocol

public void setProtocol(String protocol)

Specified by:

setProtocol in interface SslConnector

Parameters:

protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

setProvider

public void setProvider(String _provider)

Specified by:

setProvider in interface SslConnector

Parameters:

_provider - The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

setSecureRandomAlgorithm

public void setSecureRandomAlgorithm(String algorithm)

Specified by:

setSecureRandomAlgorithm in interface SslConnector

Parameters:

algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

setSslKeyManagerFactoryAlgorithm

public void setSslKeyManagerFactoryAlgorithm(String algorithm)

Specified by:

setSslKeyManagerFactoryAlgorithm in interface SslConnector

Parameters:

algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory

setSslTrustManagerFactoryAlgorithm

public void setSslTrustManagerFactoryAlgorithm(String algorithm)

Specified by:

setSslTrustManagerFactoryAlgorithm in interface SslConnector

Parameters:

algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory

setTruststore

public void setTruststore(String truststore)

Specified by:

setTruststore in interface SslConnector

Parameters:

truststore - The file name or URL of the trust store location

setTruststoreType

public void setTruststoreType(String truststoreType)

Specified by:

setTruststoreType in interface SslConnector

Parameters:

truststoreType - The type of the trust store (default "JKS")

setSslContext

public void setSslContext(SSLContext sslContext)

Specified by:

setSslContext in interface SslConnector

Parameters:

sslContext - Set a preconfigured SSLContext

getSslContext

public SSLContext getSslContext()

Specified by:

getSslContext in interface SslConnector

Returns:

The SSLContext

See Also:

SslConnector.setSslContext(javax.net.ssl.SSLContext)

setWantClientAuth

public void setWantClientAuth(boolean wantClientAuth)

Set the value of the _wantClientAuth property. This property is used internally when opening server sockets.

Specified by:

setWantClientAuth in interface SslConnector

Parameters:

wantClientAuth - true if we want client certificate authentication.

See Also:

SSLServerSocket.setWantClientAuth(boolean)

setHandshakeTimeout

public void setHandshakeTimeout(int msec)

Set the time in milliseconds for so_timeout during ssl handshaking

Parameters:

msec - a non-zero value will be used to set so_timeout during ssl handshakes. A zero value means the maxIdleTime is used instead.

getHandshakeTimeout

public int getHandshakeTimeout()

getAlgorithm

public String getAlgorithm()

Unsupported. TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)

setAlgorithm

public void setAlgorithm(String algorithm)

Unsupported. TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)