Java Code Examples for org.eclipse.jetty.util.ssl.SslContextFactory#setTrustStorePassword()

The following examples show how to use org.eclipse.jetty.util.ssl.SslContextFactory#setTrustStorePassword() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: JettyWebServer.java    From Doradus with Apache License 2.0 6 votes vote down vote up
private ServerConnector createSSLConnector() {
    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(m_keystore);
    sslContextFactory.setKeyStorePassword(m_keystorepassword);
    sslContextFactory.setTrustStorePath(m_truststore);
    sslContextFactory.setTrustStorePassword(m_truststorepassword);
    sslContextFactory.setNeedClientAuth(m_clientauthentication);
    sslContextFactory.setIncludeCipherSuites(m_tls_cipher_suites);

    HttpConfiguration http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");
    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());
    SslConnectionFactory sslConnFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
    HttpConnectionFactory httpConnFactory = new HttpConnectionFactory(https_config);
    ServerConnector sslConnector = new ServerConnector(m_jettyServer, sslConnFactory, httpConnFactory);
    return sslConnector;
}
 
Example 2
Source File: PrometheusServer.java    From nifi with Apache License 2.0 6 votes vote down vote up
private SslContextFactory createSslFactory(final SSLContextService sslService, boolean needClientAuth, boolean wantClientAuth) {
    SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);
    sslFactory.setProtocol(sslService.getSslAlgorithm());

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 
Example 3
Source File: JettyServer.java    From pippo with Apache License 2.0 6 votes vote down vote up
protected ServerConnector createServerConnector(Server server) {
    String keyStoreFile = getSettings().getKeystoreFile();
    if (keyStoreFile == null) {
        return new ServerConnector(server);
    }

    SslContextFactory sslContextFactory = new SslContextFactory.Server();
    sslContextFactory.setKeyStorePath(asJettyFriendlyPath(keyStoreFile, "Keystore file"));

    if (getSettings().getKeystorePassword() != null) {
        sslContextFactory.setKeyStorePassword(getSettings().getKeystorePassword());
    }
    String truststoreFile = getSettings().getTruststoreFile();
    if (truststoreFile != null) {
        sslContextFactory.setTrustStorePath(asJettyFriendlyPath(truststoreFile, "Truststore file"));
    }
    if (getSettings().getTruststorePassword() != null) {
        sslContextFactory.setTrustStorePassword(getSettings().getTruststorePassword());
    }

    return new ServerConnector(server, sslContextFactory);
}
 
Example 4
Source File: AbstractJettyWebSocketService.java    From nifi with Apache License 2.0 6 votes vote down vote up
protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    // Need to set SslContextFactory's endpointIdentificationAlgorithm.
    // For clients, hostname verification should be enabled.
    // For servers, hostname verification should be disabled.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    sslFactory.setEndpointIdentificationAlgorithm(endpointIdentificationAlgorithm);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 
Example 5
Source File: SubmarineServer.java    From submarine with Apache License 2.0 6 votes vote down vote up
private static SslContextFactory getSslContextFactory(SubmarineConfiguration conf) {
  SslContextFactory sslContextFactory = new SslContextFactory();

  // Set keystore
  sslContextFactory.setKeyStorePath(conf.getKeyStorePath());
  sslContextFactory.setKeyStoreType(conf.getKeyStoreType());
  sslContextFactory.setKeyStorePassword(conf.getKeyStorePassword());
  sslContextFactory.setKeyManagerPassword(conf.getKeyManagerPassword());

  if (conf.useClientAuth()) {
    sslContextFactory.setNeedClientAuth(conf.useClientAuth());

    // Set truststore
    sslContextFactory.setTrustStorePath(conf.getTrustStorePath());
    sslContextFactory.setTrustStoreType(conf.getTrustStoreType());
    sslContextFactory.setTrustStorePassword(conf.getTrustStorePassword());
  }

  return sslContextFactory;
}
 
Example 6
Source File: HandleHttpRequest.java    From nifi with Apache License 2.0 5 votes vote down vote up
private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    sslFactory.setProtocol(sslService.getSslAlgorithm());

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null.
    sslFactory.setEndpointIdentificationAlgorithm(null);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 
Example 7
Source File: TestServer.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 
Example 8
Source File: JettyServer.java    From localization_nifi with Apache License 2.0 4 votes vote down vote up
protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
    // require client auth when not supporting login, Kerberos service, or anonymous access
    if (props.isClientAuthRequiredForRestApi()) {
        contextFactory.setNeedClientAuth(true);
    } else {
        contextFactory.setWantClientAuth(true);
    }

    /* below code sets JSSE system properties when values are provided */
    // keystore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        contextFactory.setKeyStorePath(props.getProperty(NiFiProperties.SECURITY_KEYSTORE));
    }
    String keyStoreType = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    if (StringUtils.isNotBlank(keyStoreType)) {
        contextFactory.setKeyStoreType(keyStoreType);
        String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
            contextFactory.setKeyStoreProvider(keyStoreProvider);
        }
    }
    final String keystorePassword = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    if (StringUtils.isNotBlank(keystorePassword)) {
        // if no key password was provided, then assume the keystore password is the same as the key password.
        final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
        contextFactory.setKeyStorePassword(keystorePassword);
        contextFactory.setKeyManagerPassword(defaultKeyPassword);
    } else if (StringUtils.isNotBlank(keyPassword)) {
        // since no keystore password was provided, there will be no keystore integrity check
        contextFactory.setKeyManagerPassword(keyPassword);
    }

    // truststore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        contextFactory.setTrustStorePath(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
    }
    String trustStoreType = props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    if (StringUtils.isNotBlank(trustStoreType)) {
        contextFactory.setTrustStoreType(trustStoreType);
        String trustStoreProvider = KeyStoreUtils.getKeyStoreProvider(trustStoreType);
        if (StringUtils.isNoneEmpty(trustStoreProvider)) {
            contextFactory.setTrustStoreProvider(trustStoreProvider);
        }
    }
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD))) {
        contextFactory.setTrustStorePassword(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
    }
}
 
Example 9
Source File: QuarksSslContainerProviderImpl.java    From quarks with Apache License 2.0 4 votes vote down vote up
@Override
public WebSocketContainer getSslContainer(Properties config) {
    
    // With jetty, can't directly use ContainerProvider.getWebSocketContainer()
    // as it's "too late" to inject SslContextFactory into the mix.
    
    String trustStore = config.getProperty("ws.trustStore", 
                            System.getProperty("javax.net.ssl.trustStore"));
    String trustStorePassword = config.getProperty("ws.trustStorePassword",
                            System.getProperty("javax.net.ssl.trustStorePassword"));
    String keyStore = config.getProperty("ws.keyStore", 
                            System.getProperty("javax.net.ssl.keyStore"));
    String keyStorePassword = config.getProperty("ws.keyStorePassword", 
                            System.getProperty("javax.net.ssl.keyStorePassword"));
    String keyPassword = config.getProperty("ws.keyPassword", keyStorePassword);
    String certAlias = config.getProperty("ws.keyCertificateAlias", "default");
    
    // create ClientContainer as usual
    ClientContainer container = new ClientContainer();
    
    //  tweak before starting it
    SslContextFactory scf = container.getClient().getSslContextFactory();
    if (trustStore != null) {
        // System.out.println("setting " + trustStore);
        scf.setTrustStorePath(trustStore);
        scf.setTrustStorePassword(trustStorePassword);
    }
    if (keyStore != null) {
        // System.out.println("setting " + keyStore);
        scf.setKeyStorePath(keyStore);
        scf.setKeyStorePassword(keyStorePassword);
        scf.setKeyManagerPassword(keyPassword);
        scf.setCertAlias(certAlias);
    }
    
    // start as usual
    try {
        container.start();
        return container;
    }
    catch (Exception e)
    {
        throw new RuntimeException("Unable to start Client Container", e);
    }
}
 
Example 10
Source File: JettyServer.java    From nifi with Apache License 2.0 4 votes vote down vote up
protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    contextFactory.setEndpointIdentificationAlgorithm(null);

    // Explicitly exclude legacy TLS protocol versions
    // contextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
    contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions());
    contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3");

    // require client auth when not supporting login, Kerberos service, or anonymous access
    if (props.isClientAuthRequiredForRestApi()) {
        contextFactory.setNeedClientAuth(true);
    } else {
        contextFactory.setWantClientAuth(true);
    }

    /* below code sets JSSE system properties when values are provided */
    // keystore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        contextFactory.setKeyStorePath(props.getProperty(NiFiProperties.SECURITY_KEYSTORE));
    }
    String keyStoreType = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    if (StringUtils.isNotBlank(keyStoreType)) {
        contextFactory.setKeyStoreType(keyStoreType);
        String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
            contextFactory.setKeyStoreProvider(keyStoreProvider);
        }
    }
    final String keystorePassword = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    if (StringUtils.isNotBlank(keystorePassword)) {
        // if no key password was provided, then assume the keystore password is the same as the key password.
        final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
        contextFactory.setKeyStorePassword(keystorePassword);
        contextFactory.setKeyManagerPassword(defaultKeyPassword);
    } else if (StringUtils.isNotBlank(keyPassword)) {
        // since no keystore password was provided, there will be no keystore integrity check
        contextFactory.setKeyManagerPassword(keyPassword);
    }

    // truststore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        contextFactory.setTrustStorePath(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
    }
    String trustStoreType = props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    if (StringUtils.isNotBlank(trustStoreType)) {
        contextFactory.setTrustStoreType(trustStoreType);
        String trustStoreProvider = KeyStoreUtils.getKeyStoreProvider(trustStoreType);
        if (StringUtils.isNoneEmpty(trustStoreProvider)) {
            contextFactory.setTrustStoreProvider(trustStoreProvider);
        }
    }
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD))) {
        contextFactory.setTrustStorePassword(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
    }
}
 
Example 11
Source File: SecureEmbeddedServer.java    From atlas with Apache License 2.0 4 votes vote down vote up
@Override
protected Connector getConnector(String host, int port) throws IOException {
    org.apache.commons.configuration.Configuration config = getConfiguration();

    SSLContext sslContext = getSSLContext();
    if (sslContext != null) {
        SSLContext.setDefault(sslContext);
    }

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
    sslContextFactory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
    sslContextFactory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
    sslContextFactory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
    sslContextFactory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
    sslContextFactory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));

    List<Object> cipherList = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
    sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[cipherList.size()]));
    sslContextFactory.setRenegotiationAllowed(false);

    String[] excludedProtocols = config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS) ?
            config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS) : DEFAULT_EXCLUDE_PROTOCOLS;
    if (excludedProtocols != null && excludedProtocols.length > 0) {
        sslContextFactory.addExcludeProtocols(excludedProtocols);
    }

    // SSL HTTP Configuration
    // HTTP Configuration
    HttpConfiguration http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");
    final int bufferSize = AtlasConfiguration.WEBSERVER_REQUEST_BUFFER_SIZE.getInt();
    http_config.setSecurePort(port);
    http_config.setRequestHeaderSize(bufferSize);
    http_config.setResponseHeaderSize(bufferSize);
    http_config.setSendServerVersion(true);
    http_config.setSendDateHeader(false);

    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());

    // SSL Connector
    ServerConnector sslConnector = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(https_config));
    sslConnector.setPort(port);
    server.addConnector(sslConnector);

    return sslConnector;
}
 
Example 12
Source File: WebSocketCommon.java    From datacollector with Apache License 2.0 4 votes vote down vote up
public static WebSocketClient createWebSocketClient(String resourceUrl, TlsConfigBean tlsConf) {
  try {
    resourceUrl = resourceUrl.toLowerCase();
    if (resourceUrl.startsWith("wss")) {
      SslContextFactory sslContextFactory = new SslContextFactory();
      if (tlsConf != null && tlsConf.isEnabled() && tlsConf.isInitialized()) {
        if (tlsConf.getKeyStore() != null) {
          sslContextFactory.setKeyStore(tlsConf.getKeyStore());
        } else {
          if (tlsConf.keyStoreFilePath != null) {
            sslContextFactory.setKeyStorePath(tlsConf.keyStoreFilePath);
          }
          if (tlsConf.keyStoreType != null) {
            sslContextFactory.setKeyStoreType(tlsConf.keyStoreType.getJavaValue());
          }
        }
        if (tlsConf.keyStorePassword != null) {
          sslContextFactory.setKeyStorePassword(tlsConf.keyStorePassword.get());
        }
        if (tlsConf.getTrustStore() != null) {
          sslContextFactory.setTrustStore(tlsConf.getTrustStore());
        } else {
          if (tlsConf.trustStoreFilePath != null) {
            sslContextFactory.setTrustStorePath(tlsConf.trustStoreFilePath);
          }
          if (tlsConf.trustStoreType != null) {
            sslContextFactory.setTrustStoreType(tlsConf.trustStoreType.getJavaValue());
          }
        }
        if (tlsConf.trustStorePassword != null) {
          sslContextFactory.setTrustStorePassword(tlsConf.trustStorePassword.get());
        }

        sslContextFactory.setSslContext(tlsConf.getSslContext());
        sslContextFactory.setIncludeCipherSuites(tlsConf.getFinalCipherSuites());
        sslContextFactory.setIncludeProtocols(tlsConf.getFinalProtocols());
      }
      return new WebSocketClient(sslContextFactory);
    } else {
     return new WebSocketClient();
    }
  } catch (Exception e) {
    throw new IllegalArgumentException(resourceUrl, e);
  }
}
 
Example 13
Source File: BrooklynWebServer.java    From brooklyn-server with Apache License 2.0 4 votes vote down vote up
private SslContextFactory createContextFactory() throws KeyStoreException {
    SslContextFactory sslContextFactory = new SslContextFactory();

    // allow webconsole keystore & related properties to be set in brooklyn.properties
    String ksUrl = getKeystoreUrl();
    String ksPassword = getConfig(keystorePassword, BrooklynWebConfig.KEYSTORE_PASSWORD);
    String ksCertAlias = getConfig(keystoreCertAlias, BrooklynWebConfig.KEYSTORE_CERTIFICATE_ALIAS);
    String trProtos = getConfig(transportProtocols, BrooklynWebConfig.TRANSPORT_PROTOCOLS);
    String trCiphers = getConfig(transportCiphers, BrooklynWebConfig.TRANSPORT_CIPHERS);
    
    if (ksUrl!=null) {
        sslContextFactory.setKeyStorePath(getLocalKeyStorePath(ksUrl));
        if (Strings.isEmpty(ksPassword))
            throw new IllegalArgumentException("Keystore password is required and non-empty if keystore is specified.");
        sslContextFactory.setKeyStorePassword(ksPassword);
        if (Strings.isNonEmpty(ksCertAlias))
            sslContextFactory.setCertAlias(ksCertAlias);
    } else {
        log.info("No keystore specified but https enabled; creating a default keystore");
        
        if (Strings.isEmpty(ksCertAlias))
            ksCertAlias = "web-console";
        
        // if password is blank the process will block and read from stdin !
        if (Strings.isEmpty(ksPassword)) {
            ksPassword = Identifiers.makeRandomId(8);
            log.debug("created random password "+ksPassword+" for ad hoc internal keystore");
        }
        
        KeyStore ks = SecureKeys.newKeyStore();
        KeyPair key = SecureKeys.newKeyPair();
        X509Certificate cert = new FluentKeySigner("brooklyn").newCertificateFor("web-console", key);
        ks.setKeyEntry(ksCertAlias, key.getPrivate(), ksPassword.toCharArray(),
            new Certificate[] { cert });
        
        sslContextFactory.setKeyStore(ks);
        sslContextFactory.setKeyStorePassword(ksPassword);
        sslContextFactory.setCertAlias(ksCertAlias);
    }
    if (!Strings.isEmpty(truststorePath)) {
        sslContextFactory.setTrustStorePath(checkFileExists(truststorePath, "truststore"));
        sslContextFactory.setTrustStorePassword(trustStorePassword);
    }

    if (Strings.isNonBlank(trProtos)) {
        sslContextFactory.setIncludeProtocols(parseArray(trProtos));
    }
    if (Strings.isNonBlank(trCiphers)) {
        sslContextFactory.setIncludeCipherSuites(parseArray(trCiphers));
    }
    return sslContextFactory;
}
 
Example 14
Source File: BasicMutualAuthTest.java    From apiman with Apache License 2.0 4 votes vote down vote up
/**
 * With thanks to assistance of http://stackoverflow.com/b/20056601/2766538
 * @throws Exception any exception
 */
@Before
public void setupJetty() throws Exception {
    server = new Server();
    server.setStopAtShutdown(true);

    http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(getResourcePath("2waytest/basic_mutual_auth/service_ks.jks"));

    sslContextFactory.setKeyStorePassword("password");
    sslContextFactory.setKeyManagerPassword("password");
    sslContextFactory.setTrustStorePath(getResourcePath("2waytest/basic_mutual_auth/service_ts.jks"));
    sslContextFactory.setTrustStorePassword("password");
    sslContextFactory.setNeedClientAuth(true);

    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());

    ServerConnector sslConnector = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory,"http/1.1"),
        new HttpConnectionFactory(https_config));
    sslConnector.setPort(8008);

    server.addConnector(sslConnector);
    // Thanks to Jetty getting started guide.
    server.setHandler(new AbstractHandler() {

        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                HttpServletResponse response) throws IOException, ServletException {

            Enumeration<String> z = request.getAttributeNames();

            while (z.hasMoreElements()) {
                String elem = z.nextElement();
                System.out.println(elem + " - " + request.getAttribute(elem));
            }

            if (request.getAttribute("javax.servlet.request.X509Certificate") != null) {
                clientSerial = ((java.security.cert.X509Certificate[]) request
                        .getAttribute("javax.servlet.request.X509Certificate"))[0].getSerialNumber();
            }

            response.setStatus(HttpServletResponse.SC_OK);
            baseRequest.setHandled(true);
            response.getWriter().println("apiman");
        }
    });
    server.start();
}
 
Example 15
Source File: JettyServerFactory.java    From gravitee-management-rest-api with Apache License 2.0 4 votes vote down vote up
@Override
public Server getObject() throws Exception {

    // Setup ThreadPool
    QueuedThreadPool threadPool = new QueuedThreadPool(
            jettyConfiguration.getPoolMaxThreads(),
            jettyConfiguration.getPoolMinThreads(),
            jettyConfiguration.getPoolIdleTimeout(),
            new ArrayBlockingQueue<Runnable>(jettyConfiguration.getPoolQueueSize())
    );
    threadPool.setName("gravitee-listener");

    Server server = new Server(threadPool);

    // Extra options
    server.setDumpAfterStart(false);
    server.setDumpBeforeStop(false);
    server.setStopAtShutdown(true);

    // Setup JMX
    if (jettyConfiguration.isJmxEnabled()) {
        MBeanContainer mbContainer = new MBeanContainer(
                ManagementFactory.getPlatformMBeanServer());
        server.addBean(mbContainer);
    }

    // HTTP Configuration
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setOutputBufferSize(32768);
    httpConfig.setRequestHeaderSize(8192);
    httpConfig.setResponseHeaderSize(8192);
    httpConfig.setSendServerVersion(false);
    httpConfig.setSendDateHeader(false);

    // Setup Jetty HTTP or HTTPS Connector
    if (jettyConfiguration.isSecured()) {
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(jettyConfiguration.getHttpPort());

        // SSL Context Factory
        SslContextFactory sslContextFactory = new SslContextFactory.Server();

        if (jettyConfiguration.getKeyStorePath() != null) {
            sslContextFactory.setKeyStorePath(jettyConfiguration.getKeyStorePath());
            sslContextFactory.setKeyStorePassword(jettyConfiguration.getKeyStorePassword());

            if (KEYSTORE_TYPE_PKCS12.equalsIgnoreCase(jettyConfiguration.getKeyStoreType())) {
                sslContextFactory.setKeyStoreType(KEYSTORE_TYPE_PKCS12);
            }
        }

        if (jettyConfiguration.getTrustStorePath() != null) {
            sslContextFactory.setTrustStorePath(jettyConfiguration.getTrustStorePath());
            sslContextFactory.setTrustStorePassword(jettyConfiguration.getTrustStorePassword());

            if (KEYSTORE_TYPE_PKCS12.equalsIgnoreCase(jettyConfiguration.getTrustStoreType())) {
                sslContextFactory.setTrustStoreType(KEYSTORE_TYPE_PKCS12);
            }
        }

        HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setHost(jettyConfiguration.getHttpHost());
        https.setPort(jettyConfiguration.getHttpPort());
        server.addConnector(https);
    } else {
        ServerConnector http = new ServerConnector(server,
                jettyConfiguration.getAcceptors(),
                jettyConfiguration.getSelectors(),
                new HttpConnectionFactory(httpConfig));
        http.setHost(jettyConfiguration.getHttpHost());
        http.setPort(jettyConfiguration.getHttpPort());
        http.setIdleTimeout(jettyConfiguration.getIdleTimeout());

        server.addConnector(http);
    }

    // Setup Jetty statistics
    if (jettyConfiguration.isStatisticsEnabled()) {
        StatisticsHandler stats = new StatisticsHandler();
        stats.setHandler(server.getHandler());
        server.setHandler(stats);
    }

    if (jettyConfiguration.isAccessLogEnabled()) {
        CustomRequestLog requestLog = new CustomRequestLog(
                new AsyncRequestLogWriter(jettyConfiguration.getAccessLogPath()),
                CustomRequestLog.EXTENDED_NCSA_FORMAT);

        server.setRequestLog(requestLog);
    }

    return server;
}
 
Example 16
Source File: StandardTLSTest.java    From apiman with Apache License 2.0 4 votes vote down vote up
@Before
public void setupJetty() throws Exception {
    server = new Server();
    server.setStopAtShutdown(true);

    http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setTrustStorePath(getResourcePath("2waytest/mutual_trust_via_ca/common_ts.jks"));
    sslContextFactory.setTrustStorePassword("password");
    sslContextFactory.setKeyStorePath(getResourcePath("2waytest/mutual_trust_via_ca/service_ks.jks"));
    sslContextFactory.setKeyStorePassword("password");
    sslContextFactory.setKeyManagerPassword("password");
    // Use default trust store
    // No client auth
    sslContextFactory.setNeedClientAuth(false);
    sslContextFactory.setWantClientAuth(false);

    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());

    ServerConnector sslConnector = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory,"http/1.1"),
        new HttpConnectionFactory(https_config));
    sslConnector.setPort(8008);

    server.addConnector(sslConnector);
    // Thanks to Jetty getting started guide.
    server.setHandler(new AbstractHandler() {

        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                HttpServletResponse response) throws IOException, ServletException {

            Enumeration<String> z = request.getAttributeNames();

            while (z.hasMoreElements()) {
                String elem = z.nextElement();
                System.out.println(elem + " - " + request.getAttribute(elem));
            }

            response.setStatus(HttpServletResponse.SC_OK);
            baseRequest.setHandled(true);
            response.getWriter().println("apiman");
        }
    });
    server.start();
}
 
Example 17
Source File: ApplicationServer.java    From rest-utils with Apache License 2.0 4 votes vote down vote up
private SslContextFactory createSslContextFactory(RestConfig config) {
  SslContextFactory sslContextFactory = new SslContextFactory.Server();
  if (!config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG).isEmpty()) {
    sslContextFactory.setKeyStorePath(
            config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG)
    );
    sslContextFactory.setKeyStorePassword(
            config.getPassword(RestConfig.SSL_KEYSTORE_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setKeyManagerPassword(
            config.getPassword(RestConfig.SSL_KEY_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setKeyStoreType(
            config.getString(RestConfig.SSL_KEYSTORE_TYPE_CONFIG)
    );

    if (!config.getString(RestConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG).isEmpty()) {
      sslContextFactory.setKeyManagerFactoryAlgorithm(
              config.getString(RestConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG));
    }

    if (config.getBoolean(RestConfig.SSL_KEYSTORE_RELOAD_CONFIG)) {
      Path watchLocation = getWatchLocation(config);
      try {
        FileWatcher.onFileChange(watchLocation, () -> {
              // Need to reset the key store path for symbolic link case
              sslContextFactory.setKeyStorePath(
                  config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG)
              );
              sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
            }
        );
        log.info("Enabled SSL cert auto reload for: " + watchLocation);
      } catch (java.io.IOException e) {
        log.error("Can not enabled SSL cert auto reload", e);
      }
    }
  }

  configureClientAuth(sslContextFactory, config);

  List<String> enabledProtocols = config.getList(RestConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
  if (!enabledProtocols.isEmpty()) {
    sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
  }

  List<String> cipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_CONFIG);
  if (!cipherSuites.isEmpty()) {
    sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
  }

  sslContextFactory.setEndpointIdentificationAlgorithm(
          config.getString(RestConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG));

  if (!config.getString(RestConfig.SSL_TRUSTSTORE_LOCATION_CONFIG).isEmpty()) {
    sslContextFactory.setTrustStorePath(
            config.getString(RestConfig.SSL_TRUSTSTORE_LOCATION_CONFIG)
    );
    sslContextFactory.setTrustStorePassword(
            config.getPassword(RestConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setTrustStoreType(
            config.getString(RestConfig.SSL_TRUSTSTORE_TYPE_CONFIG)
    );

    if (!config.getString(RestConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG).isEmpty()) {
      sslContextFactory.setTrustManagerFactoryAlgorithm(
              config.getString(RestConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG)
      );
    }
  }

  sslContextFactory.setProtocol(config.getString(RestConfig.SSL_PROTOCOL_CONFIG));
  if (!config.getString(RestConfig.SSL_PROVIDER_CONFIG).isEmpty()) {
    sslContextFactory.setProtocol(config.getString(RestConfig.SSL_PROVIDER_CONFIG));
  }

  sslContextFactory.setRenegotiationAllowed(false);

  return sslContextFactory;
}
 
Example 18
Source File: JettyServerWrapper.java    From cougar with Apache License 2.0 4 votes vote down vote up
public void initialiseConnectors() throws Exception {
    threadPool = new QueuedThreadPool();
    threadPool.setMaxThreads(maxThreads);
    threadPool.setMinThreads(minThreads);
    threadPool.setName("JettyThread");
    jettyServer = new Server(threadPool);

    jettyServer.setStopAtShutdown(true);

    MBeanContainer container = new MBeanContainer(mbeanServer);
    jettyServer.addBean(container);

    LowResourceMonitor lowResourcesMonitor = new LowResourceMonitor(jettyServer);
    lowResourcesMonitor.setPeriod(lowResourcesPeriod);
    lowResourcesMonitor.setLowResourcesIdleTimeout(lowResourcesIdleTime);
    lowResourcesMonitor.setMonitorThreads(lowResourcesMonitorThreads);
    lowResourcesMonitor.setMaxConnections(lowResourcesMaxConnections);
    lowResourcesMonitor.setMaxMemory(lowResourcesMaxMemory);
    lowResourcesMonitor.setMaxLowResourcesTime(lowResourcesMaxTime);
    jettyServer.addBean(lowResourcesMonitor);

    // US24803 - Needed for preventing Hashtable key collision DoS CVE-2012-2739
    jettyServer.setAttribute("org.eclipse.jetty.server.Request.maxFormContentSize", maxFormContentSize);

    List<Connector> connectors = new ArrayList<Connector>();

    if (httpPort != -1) {
        httpConfiguration = createHttpConfiguration();
        setBufferSizes(httpConfiguration);
        if (httpForwarded) {
            httpConfiguration.addCustomizer(new ForwardedRequestCustomizer());
        }
        httpConnector = createHttpConnector(jettyServer, httpConfiguration, httpAcceptors, httpSelectors);
        httpConnector.setPort(httpPort);
        httpConnector.setReuseAddress(httpReuseAddress);
        httpConnector.setIdleTimeout(httpMaxIdle);
        httpConnector.setAcceptQueueSize(httpAcceptQueueSize);
        httpConnector.addBean(new ConnectorStatistics());

        connectors.add(httpConnector);
    }

    if (httpsPort != -1) {
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(httpsKeystore.getFile().getCanonicalPath());
        sslContextFactory.setKeyStoreType(httpsKeystoreType);
        sslContextFactory.setKeyStorePassword(httpsKeyPassword);
        if (StringUtils.isNotBlank(httpsCertAlias)) {
            sslContextFactory.setCertAlias(httpsCertAlias);
        }
        sslContextFactory.setKeyManagerPassword(httpsKeyPassword);
        // if you need it then you defo want it
        sslContextFactory.setWantClientAuth(httpsNeedClientAuth || httpsWantClientAuth);
        sslContextFactory.setNeedClientAuth(httpsNeedClientAuth);
        sslContextFactory.setRenegotiationAllowed(httpsAllowRenegotiate);

        httpsConfiguration = createHttpConfiguration();
        setBufferSizes(httpsConfiguration);
        if (httpsForwarded) {
            httpsConfiguration.addCustomizer(new ForwardedRequestCustomizer());
        }

        httpsConnector = createHttpsConnector(jettyServer, httpsConfiguration, httpsAcceptors, httpsSelectors, sslContextFactory);
        httpsConnector.setPort(httpsPort);
        httpsConnector.setReuseAddress(httpsReuseAddress);
        httpsConnector.setIdleTimeout(httpsMaxIdle);
        httpsConnector.setAcceptQueueSize(httpsAcceptQueueSize);
        httpsConnector.addBean(new ConnectorStatistics());

        mbeanServer.registerMBean(getKeystoreCertificateChains(), new ObjectName("CoUGAR.https:name=keyStore"));
        // truststore is not required if we don't want client auth
        if (httpsWantClientAuth) {
            sslContextFactory.setTrustStorePath(httpsTruststore.getFile().getCanonicalPath());
            sslContextFactory.setTrustStoreType(httpsTruststoreType);
            sslContextFactory.setTrustStorePassword(httpsTrustPassword);
            mbeanServer.registerMBean(getTruststoreCertificateChains(), new ObjectName("CoUGAR.https:name=trustStore"));
        }
        connectors.add(httpsConnector);
    }

    if (connectors.size() == 0) {
        throw new IllegalStateException("HTTP transport requires at least one port enabled to function correctly.");
    }

    jettyServer.setConnectors(connectors.toArray(new Connector[connectors.size()]));
}
 
Example 19
Source File: SSLUtilsTest.java    From athenz with Apache License 2.0 4 votes vote down vote up
private static JettyServer createHttpsJettyServer(boolean clientAuth) throws IOException {
    Server server = new Server();
    HttpConfiguration https_config = new HttpConfiguration();
    https_config.setSecureScheme("https");
    int port;
    try (ServerSocket socket = new ServerSocket(0)) {
        port = socket.getLocalPort();
    }
    https_config.setSecurePort(port);
    https_config.setOutputBufferSize(32768);

    SslContextFactory sslContextFactory = new SslContextFactory();
    File keystoreFile = new File(DEFAULT_SERVER_KEY_STORE);
    if (!keystoreFile.exists()) {
        throw new FileNotFoundException();
    }

    String trustStorePath = DEFAULT_CA_TRUST_STORE;
    File trustStoreFile = new File(trustStorePath);
    if (!trustStoreFile.exists()) {
        throw new FileNotFoundException();
    }

    sslContextFactory.setEndpointIdentificationAlgorithm(null);

    sslContextFactory.setTrustStorePath(trustStorePath);
    sslContextFactory.setTrustStoreType(DEFAULT_SSL_STORE_TYPE);
    sslContextFactory.setTrustStorePassword(DEFAULT_CERT_PWD);

    sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
    sslContextFactory.setKeyStoreType(DEFAULT_SSL_STORE_TYPE);
    sslContextFactory.setKeyStorePassword(DEFAULT_CERT_PWD);

    sslContextFactory.setProtocol(DEFAULT_SSL_PROTOCOL);
    sslContextFactory.setNeedClientAuth(clientAuth);

    ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(https_config));
    https.setPort(port);
    https.setIdleTimeout(500000);
    server.setConnectors(new Connector[] { https });
    HandlerList handlers = new HandlerList();
    ResourceHandler resourceHandler = new ResourceHandler();
    resourceHandler.setBaseResource(Resource.newResource("."));
    handlers.setHandlers(new Handler[]
            { resourceHandler, new DefaultHandler() });
    server.setHandler(handlers);
    return new JettyServer(server, port);
}
 
Example 20
Source File: TestServer.java    From nifi with Apache License 2.0 4 votes vote down vote up
private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    ssl.setEndpointIdentificationAlgorithm(null);

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}