/**
 * Points Tomcat's JSSE protocol handler at the configured trust store, if any.
 * <p>
 * The trust store password is always pushed through (possibly {@code null});
 * type and provider are only applied when explicitly configured. When no
 * trust store location is set, nothing about the trust material is changed
 * here and the handler presumably keeps its own default.
 * @param protocol the Tomcat protocol handler
 * @param ssl the SSL settings
 * @throws EmbeddedServletContainerException when the trust store location cannot be resolved
 */
private void configureSslTrustStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
	String trustStoreLocation = ssl.getTrustStore();
	if (trustStoreLocation != null) {
		String resolvedLocation;
		try {
			resolvedLocation = ResourceUtils.getURL(trustStoreLocation).toString();
		}
		catch (FileNotFoundException ex) {
			throw new EmbeddedServletContainerException(
					"Could not load trust store: " + ex.getMessage(), ex);
		}
		protocol.setTruststoreFile(resolvedLocation);
	}
	protocol.setTruststorePass(ssl.getTrustStorePassword());
	String trustStoreType = ssl.getTrustStoreType();
	if (trustStoreType != null) {
		protocol.setTruststoreType(trustStoreType);
	}
	String trustStoreProvider = ssl.getTrustStoreProvider();
	if (trustStoreProvider != null) {
		protocol.setTruststoreProvider(trustStoreProvider);
	}
}
/**
 * Creates the key managers backing the server certificate.
 * <p>
 * Precedence for the key entry password: {@code ssl.keyPassword}, then
 * {@code ssl.keyStorePassword}; when neither is set the factory is
 * initialised with a {@code null} password rather than failing here.
 * @return key managers from the platform default {@link KeyManagerFactory}
 * @throws IllegalStateException wrapping any failure to load the store or
 * initialise the factory
 */
private KeyManager[] getKeyManagers() {
	try {
		KeyStore keyStore = getKeyStore();
		KeyManagerFactory factory = KeyManagerFactory
				.getInstance(KeyManagerFactory.getDefaultAlgorithm());
		Ssl ssl = getSsl();
		String entryPassword = ssl.getKeyPassword();
		if (entryPassword == null) {
			// No dedicated key password: reuse the store password for the entry.
			entryPassword = ssl.getKeyStorePassword();
		}
		factory.init(keyStore,
				(entryPassword != null) ? entryPassword.toCharArray() : null);
		return factory.getKeyManagers();
	}
	catch (Exception ex) {
		throw new IllegalStateException(ex);
	}
}
/**
 * Configures Jetty's key store from the {@code ssl.keyStore} location.
 * <p>
 * The location is resolved through {@link ResourceUtils#getURL} before being
 * wrapped as a Jetty {@link Resource}; type and provider are only applied
 * when set.
 * @param factory the Jetty SSL context factory
 * @param ssl the SSL settings
 * @throws EmbeddedServletContainerException if the key store cannot be resolved
 */
private void configureSslKeyStore(SslContextFactory factory, Ssl ssl) {
	String location = ssl.getKeyStore();
	try {
		URL keyStoreUrl = ResourceUtils.getURL(location);
		factory.setKeyStoreResource(Resource.newResource(keyStoreUrl));
	}
	catch (IOException ex) {
		throw new EmbeddedServletContainerException(
				"Could not find key store '" + location + "'", ex);
	}
	String type = ssl.getKeyStoreType();
	if (type != null) {
		factory.setKeyStoreType(type);
	}
	String provider = ssl.getKeyStoreProvider();
	if (provider != null) {
		factory.setKeyStoreProvider(provider);
	}
}
/**
 * Configures Jetty's trust store (used to validate client certificates)
 * from the {@code ssl.trustStore*} settings.
 * <p>
 * Every setting is optional: the password, location, type and provider are
 * each applied only when present. Without a location the factory is left
 * with whatever trust material it already has.
 * @param factory the Jetty SSL context factory
 * @param ssl the SSL settings
 * @throws EmbeddedServletContainerException if the trust store cannot be resolved
 */
private void configureSslTrustStore(SslContextFactory factory, Ssl ssl) {
	String password = ssl.getTrustStorePassword();
	if (password != null) {
		factory.setTrustStorePassword(password);
	}
	String location = ssl.getTrustStore();
	if (location != null) {
		try {
			URL trustStoreUrl = ResourceUtils.getURL(location);
			factory.setTrustStoreResource(Resource.newResource(trustStoreUrl));
		}
		catch (IOException ex) {
			throw new EmbeddedServletContainerException(
					"Could not find trust store '" + location + "'", ex);
		}
	}
	String type = ssl.getTrustStoreType();
	if (type != null) {
		factory.setTrustStoreType(type);
	}
	String provider = ssl.getTrustStoreProvider();
	if (provider != null) {
		factory.setTrustStoreProvider(provider);
	}
}
/**
 * The configured cipher list must reach Tomcat's SSL host config as a
 * colon-separated string. The names are placeholders, not real suites:
 * only propagation is under test here, not negotiation.
 */
@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	Tomcat tomcat = getTomcat(containerFactory);
	SSLHostConfig hostConfig = tomcat.getConnector().getProtocolHandler()
			.findSslHostConfigs()[0];
	assertThat(hostConfig.getCiphers()).isEqualTo("ALPHA:BRAVO:CHARLIE");
}
/**
 * Several enabled protocol versions must all be applied to Tomcat's SSL host
 * config while the overall protocol stays "TLS". The test starts the container
 * so the host config reflects what the connector actually initialised.
 * NOTE(review): TLSv1.1 appears here only to exercise a multi-value list;
 * it is not a recommendation for production configuration.
 */
@Test
public void sslEnabledMultipleProtocolsConfiguration() throws Exception {
	Ssl sslSettings = getSsl(null, "password", "src/test/resources/test.jks");
	sslSettings.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
	sslSettings.setCiphers(
			new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "BRAVO" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory
			.getEmbeddedServletContainer(sessionServletRegistration());
	this.container.start();
	Tomcat tomcat = ((TomcatEmbeddedServletContainer) this.container).getTomcat();
	SSLHostConfig hostConfig = tomcat.getConnector().getProtocolHandler()
			.findSslHostConfigs()[0];
	assertThat(hostConfig.getSslProtocol()).isEqualTo("TLS");
	assertThat(hostConfig.getEnabledProtocols())
			.containsExactlyInAnyOrder("TLSv1.1", "TLSv1.2");
}
/**
 * A single enabled protocol version must be the only one left on Tomcat's
 * SSL host config after the container has started. The connector is looked
 * up before {@code start()} and inspected afterwards, as in the original.
 */
@Test
public void sslEnabledProtocolsConfiguration() throws Exception {
	Ssl sslSettings = getSsl(null, "password", "src/test/resources/test.jks");
	sslSettings.setEnabledProtocols(new String[] { "TLSv1.2" });
	sslSettings.setCiphers(
			new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "BRAVO" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory
			.getEmbeddedServletContainer(sessionServletRegistration());
	Tomcat tomcat = ((TomcatEmbeddedServletContainer) this.container).getTomcat();
	Connector tomcatConnector = tomcat.getConnector();
	this.container.start();
	SSLHostConfig hostConfig = tomcatConnector.getProtocolHandler()
			.findSslHostConfigs()[0];
	assertThat(hostConfig.getSslProtocol()).isEqualTo("TLS");
	assertThat(hostConfig.getEnabledProtocols()).containsExactly("TLSv1.2");
}
/**
 * An explicit cipher list must become Jetty's include list, and the exclude
 * list must be empty so nothing configured is silently filtered out. The
 * placeholder names only test propagation, not negotiation.
 */
@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("src/test/resources/test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setKeyPassword("password");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	JettyEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory.getEmbeddedServletContainer();
	this.container.start();
	JettyEmbeddedServletContainer jetty = (JettyEmbeddedServletContainer) this.container;
	ServerConnector serverConnector = (ServerConnector) jetty.getServer()
			.getConnectors()[0];
	SslContextFactory contextFactory = serverConnector
			.getConnectionFactory(SslConnectionFactory.class).getSslContextFactory();
	assertThat(contextFactory.getIncludeCipherSuites())
			.containsExactly("ALPHA", "BRAVO", "CHARLIE");
	assertThat(contextFactory.getExcludeCipherSuites()).isEmpty();
}
/**
 * Multiple enabled protocol versions must be handed to Jetty as its include
 * protocols, in the order given. NOTE(review): TLSv1.1 is here only to make
 * the list multi-valued, not as a recommended setting.
 */
@Test
public void sslEnabledMultiProtocolsConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("src/test/resources/test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setKeyPassword("password");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	sslSettings.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
	JettyEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory.getEmbeddedServletContainer();
	this.container.start();
	JettyEmbeddedServletContainer jetty = (JettyEmbeddedServletContainer) this.container;
	ServerConnector serverConnector = (ServerConnector) jetty.getServer()
			.getConnectors()[0];
	SslConnectionFactory sslFactory = serverConnector
			.getConnectionFactory(SslConnectionFactory.class);
	assertThat(sslFactory.getSslContextFactory().getIncludeProtocols())
			.isEqualTo(new String[] { "TLSv1.1", "TLSv1.2" });
}
/**
 * A single enabled protocol version must be the only include protocol on
 * Jetty's SSL context factory. NOTE(review): the value under test is TLSv1.1
 * purely as a fixture; it is not a recommended production setting.
 */
@Test
public void sslEnabledProtocolsConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("src/test/resources/test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setKeyPassword("password");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	sslSettings.setEnabledProtocols(new String[] { "TLSv1.1" });
	JettyEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory.getEmbeddedServletContainer();
	this.container.start();
	JettyEmbeddedServletContainer jetty = (JettyEmbeddedServletContainer) this.container;
	ServerConnector serverConnector = (ServerConnector) jetty.getServer()
			.getConnectors()[0];
	SslConnectionFactory sslFactory = serverConnector
			.getConnectionFactory(SslConnectionFactory.class);
	assertThat(sslFactory.getSslContextFactory().getIncludeProtocols())
			.isEqualTo(new String[] { "TLSv1.1" });
}
/**
 * Enables SSL on the container when a key store has been configured.
 * <p>
 * Without a {@link KeystoreConfig} the container is left as it was and a
 * debug line explains why. Only the key store path is logged; the store and
 * key passwords are never written to the log.
 * @param container the container being customised
 */
@Override
public void customize(ConfigurableEmbeddedServletContainer container) {
	KeystoreConfig keystoreConfig = configureKeystore();
	if (keystoreConfig == null) {
		log.debug("Ssl is not enabled due to no any configured keystore.");
		return;
	}
	String keystoreLocation = keystoreConfig.getKeystore().getAbsolutePath();
	log.debug("Configure ssl with {} keystore.", keystoreLocation);
	Ssl sslSettings = new Ssl();
	sslSettings.setEnabled(true);
	sslSettings.setKeyStore(keystoreLocation);
	sslSettings.setKeyStorePassword(keystoreConfig.getKeystorePassword());
	sslSettings.setKeyPassword(keystoreConfig.getKeyPassword());
	container.setSsl(sslSettings);
}
/**
 * Configure Tomcat's {@link AbstractHttp11JsseProtocol} for SSL.
 * <p>
 * Enables SSL on the handler, then applies the protocol, client-auth mode,
 * store/key passwords, key alias, cipher list and (only when configured) the
 * enabled protocol versions. The cipher list is always set, whatever
 * {@code ssl.ciphers} holds. Key and trust stores come from the registered
 * {@code SslStoreProvider} when there is one, otherwise from the locations
 * in {@code ssl}.
 * @param protocol the protocol
 * @param ssl the ssl details
 */
protected void configureSsl(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
	protocol.setSSLEnabled(true);
	protocol.setSslProtocol(ssl.getProtocol());
	configureSslClientAuth(protocol, ssl);
	protocol.setKeystorePass(ssl.getKeyStorePassword());
	protocol.setKeyPass(ssl.getKeyPassword());
	protocol.setKeyAlias(ssl.getKeyAlias());
	String cipherList = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
	protocol.setCiphers(cipherList);
	String[] enabledProtocols = ssl.getEnabledProtocols();
	if (enabledProtocols != null) {
		// Tomcat exposes the enabled TLS versions as a generic property here.
		protocol.setProperty("sslEnabledProtocols",
				StringUtils.arrayToCommaDelimitedString(enabledProtocols));
	}
	if (getSslStoreProvider() == null) {
		configureSslKeyStore(protocol, ssl);
		configureSslTrustStore(protocol, ssl);
	}
	else {
		configureSslStoreProvider(protocol, getSslStoreProvider());
	}
}
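/**
 * Creates the key managers backing the server certificate.
 * <p>
 * Precedence for the key entry password: {@code ssl.keyPassword}, then
 * {@code ssl.keyStorePassword}. When neither is set the factory is now
 * initialised with a {@code null} password instead of dereferencing a
 * {@code null} string, which previously surfaced only as an opaque
 * {@link IllegalStateException} wrapping a {@link NullPointerException}.
 * @return key managers from the platform default {@link KeyManagerFactory}
 * @throws IllegalStateException wrapping any failure to load the store or
 * initialise the factory (including an unrecoverable key entry)
 */
private KeyManager[] getKeyManagers() {
	try {
		KeyStore keyStore = getKeyStore();
		KeyManagerFactory keyManagerFactory = KeyManagerFactory
				.getInstance(KeyManagerFactory.getDefaultAlgorithm());
		Ssl ssl = getSsl();
		String keyPassword = ssl.getKeyPassword();
		if (keyPassword == null) {
			// No dedicated key password: reuse the store password for the entry.
			keyPassword = ssl.getKeyStorePassword();
		}
		// Both may legitimately be unset; let the factory decide what null means.
		char[] entryPassword = (keyPassword != null) ? keyPassword.toCharArray() : null;
		keyManagerFactory.init(keyStore, entryPassword);
		return keyManagerFactory.getKeyManagers();
	}
	catch (Exception ex) {
		throw new IllegalStateException(ex);
	}
}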
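/**
 * Configure the SSL connection.
 * <p>
 * When a non-empty {@code ssl.ciphers} list is given it becomes Jetty's
 * include list <em>and</em> the factory's cipher-suite exclusions are cleared,
 * so the configured suites are applied exactly as written instead of being
 * silently filtered by whatever exclude patterns the factory carries by
 * default. That makes the operator's list authoritative — including any weak
 * suite placed in it — so the list itself must be reviewed rather than
 * relying on Jetty as a safety net. An empty list is ignored. Key and trust
 * stores come from the registered {@code SslStoreProvider} when present,
 * otherwise from the locations in {@code ssl}.
 * @param factory the Jetty {@link SslContextFactory}.
 * @param ssl the ssl details.
 * @throws IllegalStateException if the store provider fails to supply a store
 */
protected void configureSsl(SslContextFactory factory, Ssl ssl) {
	factory.setProtocol(ssl.getProtocol());
	configureSslClientAuth(factory, ssl);
	configureSslPasswords(factory, ssl);
	factory.setCertAlias(ssl.getKeyAlias());
	String[] ciphers = ssl.getCiphers();
	if (ciphers != null && ciphers.length > 0) {
		factory.setIncludeCipherSuites(ciphers);
		// Clear the exclude list so the include list is not second-guessed.
		factory.setExcludeCipherSuites();
	}
	if (ssl.getEnabledProtocols() != null) {
		factory.setIncludeProtocols(ssl.getEnabledProtocols());
	}
	if (getSslStoreProvider() != null) {
		try {
			factory.setKeyStore(getSslStoreProvider().getKeyStore());
			factory.setTrustStore(getSslStoreProvider().getTrustStore());
		}
		catch (Exception ex) {
			throw new IllegalStateException("Unable to set SSL store", ex);
		}
	}
	else {
		configureSslKeyStore(factory, ssl);
		configureSslTrustStore(factory, ssl);
	}
}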
/**
 * The configured cipher list must reach Tomcat's JSSE protocol handler as a
 * comma-separated string. The names are placeholders, not real suites; only
 * propagation is checked.
 */
@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	Connector tomcatConnector = getTomcat(containerFactory).getConnector();
	AbstractHttp11JsseProtocol<?> handler = (AbstractHttp11JsseProtocol<?>) tomcatConnector
			.getProtocolHandler();
	assertThat(handler.getCiphers()).isEqualTo("ALPHA,BRAVO,CHARLIE");
}
/**
 * Several enabled protocol versions must land on Tomcat's handler as the
 * comma-separated {@code sslEnabledProtocols} property, with the overall
 * protocol still "TLS". NOTE(review): TLSv1.1 is only a second list value
 * for the fixture, not a recommended setting.
 */
@Test
public void sslEnabledMultipleProtocolsConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
	sslSettings.setCiphers(
			new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "BRAVO" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory
			.getEmbeddedServletContainer(sessionServletRegistration());
	Tomcat tomcat = ((TomcatEmbeddedServletContainer) this.container).getTomcat();
	AbstractHttp11JsseProtocol<?> handler = (AbstractHttp11JsseProtocol<?>) tomcat
			.getConnector().getProtocolHandler();
	assertThat(handler.getSslProtocol()).isEqualTo("TLS");
	assertThat(handler.getProperty("sslEnabledProtocols"))
			.isEqualTo("TLSv1.1,TLSv1.2");
}
/**
 * A single enabled protocol version must appear verbatim in Tomcat's
 * {@code sslEnabledProtocols} property while the protocol stays "TLS".
 */
@Test
public void sslEnabledProtocolsConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setEnabledProtocols(new String[] { "TLSv1.2" });
	sslSettings.setCiphers(
			new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "BRAVO" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory
			.getEmbeddedServletContainer(sessionServletRegistration());
	Tomcat tomcat = ((TomcatEmbeddedServletContainer) this.container).getTomcat();
	AbstractHttp11JsseProtocol<?> handler = (AbstractHttp11JsseProtocol<?>) tomcat
			.getConnector().getProtocolHandler();
	assertThat(handler.getSslProtocol()).isEqualTo("TLS");
	assertThat(handler.getProperty("sslEnabledProtocols")).isEqualTo("TLSv1.2");
}
/**
 * An explicit cipher list must become Jetty's include cipher suites, in
 * order. Only the include list is asserted here; the exclude list is not
 * inspected. The names are placeholders, not real suites.
 */
@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("src/test/resources/test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setKeyPassword("password");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	JettyEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory.getEmbeddedServletContainer();
	this.container.start();
	JettyEmbeddedServletContainer jetty = (JettyEmbeddedServletContainer) this.container;
	ServerConnector serverConnector = (ServerConnector) jetty.getServer()
			.getConnectors()[0];
	SslConnectionFactory sslFactory = serverConnector
			.getConnectionFactory(SslConnectionFactory.class);
	assertThat(sslFactory.getSslContextFactory().getIncludeCipherSuites())
			.containsExactly("ALPHA", "BRAVO", "CHARLIE");
}
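/**
 * Loads the configured key store and builds key managers from it.
 * <p>
 * Two fixes over the previous version: the stream opened on the key store
 * URL is now closed after loading (it used to be leaked), and a missing
 * store or key password is passed on as {@code null} instead of throwing a
 * {@link NullPointerException} that was only visible as an opaque
 * {@link IllegalStateException}. Per {@link KeyStore#load}, a {@code null}
 * store password means the store's integrity is not verified, so this path
 * is only appropriate for a trusted local file. The store type defaults to
 * {@code JKS}; the key entry password falls back to the store password.
 * @return key managers from the platform default {@link KeyManagerFactory}
 * @throws IllegalStateException wrapping any resolution, load or factory failure
 */
private KeyManager[] getKeyManagers() {
	try {
		Ssl ssl = getSsl();
		String keyStoreType = ssl.getKeyStoreType();
		if (keyStoreType == null) {
			keyStoreType = "JKS";
		}
		KeyStore keyStore = KeyStore.getInstance(keyStoreType);
		URL url = ResourceUtils.getURL(ssl.getKeyStore());
		String storePassword = ssl.getKeyStorePassword();
		char[] storePasswordChars = (storePassword != null) ? storePassword.toCharArray() : null;
		// Close the stream explicitly; KeyStore.load does not close it for us.
		java.io.InputStream in = url.openStream();
		try {
			keyStore.load(in, storePasswordChars);
		}
		finally {
			in.close();
		}
		// Key manager to provide the server's credentials.
		KeyManagerFactory keyManagerFactory = KeyManagerFactory
				.getInstance(KeyManagerFactory.getDefaultAlgorithm());
		String keyPassword = ssl.getKeyPassword();
		if (keyPassword == null) {
			keyPassword = storePassword;
		}
		char[] keyPasswordChars = (keyPassword != null) ? keyPassword.toCharArray() : null;
		keyManagerFactory.init(keyStore, keyPasswordChars);
		return keyManagerFactory.getKeyManagers();
	}
	catch (Exception ex) {
		throw new IllegalStateException(ex);
	}
}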
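/**
 * Loads the configured trust store and builds trust managers from it.
 * <p>
 * Returns {@code null} when no trust store location is configured; the
 * caller is then presumably relying on the JDK's default trust material
 * (NOTE(review): confirm what the SSLContext is initialised with in that
 * case). Fixes over the previous version: the stream opened on the trust
 * store URL is now closed after loading (it used to be leaked), and a
 * trust store without a password — common, since trust stores hold only
 * public material — no longer triggers a {@link NullPointerException};
 * per {@link KeyStore#load} the store's integrity is then not verified, so
 * the file must come from a trusted location. The store type defaults to
 * {@code JKS}.
 * @return trust managers from the platform default {@link TrustManagerFactory},
 * or {@code null} when no trust store is configured
 * @throws IllegalStateException wrapping any resolution, load or factory failure
 */
private TrustManager[] getTrustManagers() {
	try {
		Ssl ssl = getSsl();
		String trustStoreType = ssl.getTrustStoreType();
		if (trustStoreType == null) {
			trustStoreType = "JKS";
		}
		String trustStore = ssl.getTrustStore();
		if (trustStore == null) {
			return null;
		}
		KeyStore trustedKeyStore = KeyStore.getInstance(trustStoreType);
		URL url = ResourceUtils.getURL(trustStore);
		String password = ssl.getTrustStorePassword();
		char[] passwordChars = (password != null) ? password.toCharArray() : null;
		// Close the stream explicitly; KeyStore.load does not close it for us.
		java.io.InputStream in = url.openStream();
		try {
			trustedKeyStore.load(in, passwordChars);
		}
		finally {
			in.close();
		}
		TrustManagerFactory trustManagerFactory = TrustManagerFactory
				.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		trustManagerFactory.init(trustedKeyStore);
		return trustManagerFactory.getTrustManagers();
	}
	catch (Exception ex) {
		throw new IllegalStateException(ex);
	}
}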
/**
 * The configured cipher list must reach Tomcat's JSSE protocol handler as a
 * comma-separated string (Hamcrest-style assertion). The names are
 * placeholders, not real suites; only propagation is checked.
 */
@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	TomcatEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	Connector tomcatConnector = getTomcat(containerFactory).getConnector();
	AbstractHttp11JsseProtocol<?> handler = (AbstractHttp11JsseProtocol<?>) tomcatConnector
			.getProtocolHandler();
	assertThat(handler.getCiphers(), equalTo("ALPHA,BRAVO,CHARLIE"));
}
/**
 * An explicit cipher list must become Jetty's include cipher suites, in
 * order (Hamcrest-style assertion). The names are placeholders, not real
 * suites; only propagation is checked.
 */
@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl sslSettings = new Ssl();
	sslSettings.setKeyStore("src/test/resources/test.jks");
	sslSettings.setKeyStorePassword("secret");
	sslSettings.setKeyPassword("password");
	sslSettings.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });
	JettyEmbeddedServletContainerFactory containerFactory = getFactory();
	containerFactory.setSsl(sslSettings);
	this.container = containerFactory.getEmbeddedServletContainer();
	this.container.start();
	JettyEmbeddedServletContainer jetty = (JettyEmbeddedServletContainer) this.container;
	ServerConnector serverConnector = (ServerConnector) jetty.getServer()
			.getConnectors()[0];
	SslConnectionFactory sslFactory = serverConnector
			.getConnectionFactory(SslConnectionFactory.class);
	assertThat(sslFactory.getSslContextFactory().getIncludeCipherSuites(),
			equalTo(new String[] { "ALPHA", "BRAVO", "CHARLIE" }));
}
/**
 * Maps the configured client-auth mode onto Tomcat's {@code clientAuth}
 * attribute: {@code NEED} becomes {@code "true"} (a client certificate is
 * mandatory), {@code WANT} becomes {@code "want"} (requested but optional).
 * Any other value, including {@code null}, leaves Tomcat's own default in place.
 * @param protocol the Tomcat protocol handler
 * @param ssl the SSL settings
 */
private void configureSslClientAuth(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
	ClientAuth mode = ssl.getClientAuth();
	if (mode == ClientAuth.NEED) {
		protocol.setClientAuth(Boolean.TRUE.toString());
	}
	else if (mode == ClientAuth.WANT) {
		protocol.setClientAuth("want");
	}
}
/**
 * Points Tomcat's JSSE protocol handler at the configured key store.
 * <p>
 * The location is resolved via {@link ResourceUtils#getURL} and passed on as
 * a URL string; type and provider are only applied when explicitly configured.
 * @param protocol the Tomcat protocol handler
 * @param ssl the SSL settings
 * @throws EmbeddedServletContainerException when the key store location cannot be resolved
 */
private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
	String resolvedLocation;
	try {
		resolvedLocation = ResourceUtils.getURL(ssl.getKeyStore()).toString();
	}
	catch (FileNotFoundException ex) {
		throw new EmbeddedServletContainerException(
				"Could not load key store: " + ex.getMessage(), ex);
	}
	protocol.setKeystoreFile(resolvedLocation);
	String keyStoreType = ssl.getKeyStoreType();
	if (keyStoreType != null) {
		protocol.setKeystoreType(keyStoreType);
	}
	String keyStoreProvider = ssl.getKeyStoreProvider();
	if (keyStoreProvider != null) {
		protocol.setKeystoreProvider(keyStoreProvider);
	}
}
/**
 * Translates the configured client-auth setting into Undertow's
 * {@link SslClientAuthMode}: {@code NEED} → {@code REQUIRED} (certificate
 * mandatory), {@code WANT} → {@code REQUESTED} (optional), anything else,
 * including {@code null}, → {@code NOT_REQUESTED}.
 * @param ssl the SSL settings
 * @return the matching Undertow client-auth mode
 */
private SslClientAuthMode getSslClientAuthMode(Ssl ssl) {
	ClientAuth mode = ssl.getClientAuth();
	if (mode == ClientAuth.NEED) {
		return SslClientAuthMode.REQUIRED;
	}
	return (mode == ClientAuth.WANT) ? SslClientAuthMode.REQUESTED
			: SslClientAuthMode.NOT_REQUESTED;
}
/**
 * Resolves the server key store: from the registered {@code SslStoreProvider}
 * when there is one, otherwise loaded from the {@code ssl.keyStore*} settings.
 * @return the key store holding the server credentials
 * @throws Exception propagated from the provider or the loader
 */
private KeyStore getKeyStore() throws Exception {
	if (getSslStoreProvider() != null) {
		return getSslStoreProvider().getKeyStore();
	}
	Ssl settings = getSsl();
	return loadKeyStore(settings.getKeyStoreType(), settings.getKeyStore(),
			settings.getKeyStorePassword());
}
/**
 * Resolves the trust store used to validate client certificates: from the
 * registered {@code SslStoreProvider} when there is one, otherwise loaded
 * from the {@code ssl.trustStore*} settings.
 * @return the trust store
 * @throws Exception propagated from the provider or the loader
 */
private KeyStore getTrustStore() throws Exception {
	if (getSslStoreProvider() != null) {
		return getSslStoreProvider().getTrustStore();
	}
	Ssl settings = getSsl();
	return loadKeyStore(settings.getTrustStoreType(), settings.getTrustStore(),
			settings.getTrustStorePassword());
}
/**
 * Configure the SSL connection.
 * <p>
 * A non-empty {@code ssl.ciphers} list becomes Jetty's include list and the
 * factory's cipher-suite exclusions are cleared at the same time, so the
 * configured suites apply exactly as written — the operator's list is then
 * authoritative, weak entries included, and must be reviewed on its own
 * merits. Enabled protocol versions are applied when set. Key and trust
 * stores come from the registered {@code SslStoreProvider} when present,
 * otherwise from the locations in {@code ssl}.
 * @param factory the Jetty {@link SslContextFactory}.
 * @param ssl the ssl details.
 * @throws IllegalStateException if the store provider fails to supply a store
 */
protected void configureSsl(SslContextFactory factory, Ssl ssl) {
	factory.setProtocol(ssl.getProtocol());
	configureSslClientAuth(factory, ssl);
	configureSslPasswords(factory, ssl);
	factory.setCertAlias(ssl.getKeyAlias());
	String[] ciphers = ssl.getCiphers();
	if (!ObjectUtils.isEmpty(ciphers)) {
		factory.setIncludeCipherSuites(ciphers);
		// Clear the exclude list so the include list is not second-guessed.
		factory.setExcludeCipherSuites();
	}
	String[] enabledProtocols = ssl.getEnabledProtocols();
	if (enabledProtocols != null) {
		factory.setIncludeProtocols(enabledProtocols);
	}
	if (getSslStoreProvider() == null) {
		configureSslKeyStore(factory, ssl);
		configureSslTrustStore(factory, ssl);
		return;
	}
	try {
		factory.setKeyStore(getSslStoreProvider().getKeyStore());
		factory.setTrustStore(getSslStoreProvider().getTrustStore());
	}
	catch (Exception ex) {
		throw new IllegalStateException("Unable to set SSL store", ex);
	}
}
/**
 * Translates the client-auth setting into Jetty flags: {@code NEED} turns on
 * both need and want (a client certificate is mandatory), {@code WANT} turns
 * on want only (requested but optional). Any other value, including
 * {@code null}, leaves the factory's defaults untouched.
 * @param factory the Jetty SSL context factory
 * @param ssl the SSL settings
 */
private void configureSslClientAuth(SslContextFactory factory, Ssl ssl) {
	ClientAuth mode = ssl.getClientAuth();
	boolean need = (mode == ClientAuth.NEED);
	boolean want = need || (mode == ClientAuth.WANT);
	if (need) {
		factory.setNeedClientAuth(true);
	}
	if (want) {
		factory.setWantClientAuth(true);
	}
}
/**
 * Passes the key store password and the key (entry) password to Jetty, each
 * only when it is configured. Jetty calls the latter the "key manager"
 * password. Nothing is logged here.
 * @param factory the Jetty SSL context factory
 * @param ssl the SSL settings
 */
private void configureSslPasswords(SslContextFactory factory, Ssl ssl) {
	String storePassword = ssl.getKeyStorePassword();
	String keyPassword = ssl.getKeyPassword();
	if (storePassword != null) {
		factory.setKeyStorePassword(storePassword);
	}
	if (keyPassword != null) {
		factory.setKeyManagerPassword(keyPassword);
	}
}