io.undertow.server.SSLSessionInfo Java Examples

Example #1
Source File: SSLInformationAssociationHandler.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Return the chain of X509 certificates used to negotiate the SSL Session.
 * <p>
 * We convert JSSE's javax.security.cert.X509Certificate[]  to servlet's  java.security.cert.X509Certificate[]
 *
 * @param session the   javax.net.ssl.SSLSession to use as the source of the cert chain.
 * @return the chain of java.security.cert.X509Certificates used to
 *         negotiate the SSL connection. <br>
 *         Will be null if the chain is missing or empty.
 */
/**
 * Converts the peer certificate chain of the SSL session into servlet-style certificates.
 * <p>
 * JSSE hands the chain out as the legacy {@code javax.security.cert.X509Certificate}; the servlet
 * API expects {@code java.security.cert.X509Certificate}, so every entry is round-tripped through
 * its DER encoding and re-parsed by an X.509 {@link java.security.cert.CertificateFactory}.
 *
 * @param session the SSL session information that supplies the peer chain.
 * @return the converted chain, or {@code null} when the chain is missing or empty, or when reading
 *         or re-parsing it fails (any exception is mapped to {@code null}; nothing is logged).
 */
private X509Certificate[] getCerts(SSLSessionInfo session) {
    try {
        final javax.security.cert.X509Certificate[] peerChain = session.getPeerCertificateChain();
        if (peerChain == null || peerChain.length == 0) {
            return null;
        }
        final java.security.cert.CertificateFactory factory =
                java.security.cert.CertificateFactory.getInstance("X.509");
        final X509Certificate[] converted = new X509Certificate[peerChain.length];
        int index = 0;
        for (javax.security.cert.X509Certificate legacyCert : peerChain) {
            // The two X509Certificate types share no supertype, so DER is the only bridge.
            final ByteArrayInputStream der = new ByteArrayInputStream(legacyCert.getEncoded());
            converted[index++] = (X509Certificate) factory.generateCertificate(der);
        }
        return converted;
    } catch (Exception e) {
        // Best effort by contract: an unreadable chain is reported as "no chain".
        return null;
    }
}
 
Example #2
Source File: SSLInformationAssociationHandler.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Publishes the negotiated TLS parameters of the current connection as the standard servlet
 * request attributes ({@code javax.servlet.request.cipher_suite}, {@code key_size},
 * {@code ssl_session_id} and, when a peer chain is available, {@code X509Certificate}), then
 * delegates to {@code next}.
 * <p>
 * Plain (non-TLS) connections set nothing; the certificate attribute is only set when
 * {@link #getCerts(SSLSessionInfo)} returns a chain.
 *
 * @param exchange the current exchange; must carry the {@link ServletRequestContext} attachment.
 * @throws Exception whatever the next handler throws.
 */
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
    final SSLSessionInfo sslInfo = exchange.getConnection().getSslSessionInfo();
    if (sslInfo == null) {
        next.handleRequest(exchange);
        return;
    }
    final ServletRequest request =
            exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getServletRequest();
    final String suite = sslInfo.getCipherSuite();
    request.setAttribute("javax.servlet.request.cipher_suite", suite);
    request.setAttribute("javax.servlet.request.key_size", getKeyLength(suite));
    request.setAttribute("javax.servlet.request.ssl_session_id", sslInfo.getSessionId());
    final X509Certificate[] chain = getCerts(sslInfo);
    if (chain != null) {
        request.setAttribute("javax.servlet.request.X509Certificate", chain);
    }
    next.handleRequest(exchange);
}
 
Example #3
Source File: DatawaveAuthenticationMechanism.java    From datawave with Apache License 2.0 6 votes vote down vote up
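/**
 * Returns the peer certificate chain of the TLS session, renegotiating once to request a client
 * certificate when the session has none yet and this mechanism is configured to do so.
 * <p>
 * Renegotiation is only attempted when {@code forceRenegotiation} is set and the security context
 * reports that authentication is required; otherwise a missing chain is reported immediately.
 *
 * @param exchange        the current exchange, used to drive the renegotiation.
 * @param sslSession      the TLS session of the connection.
 * @param securityContext the security context of the exchange.
 * @return the peer certificates; never {@code null}.
 * @throws SSLPeerUnverifiedException when no peer certificates are available, also after a
 *                                    renegotiation attempt; the triggering exception is attached
 *                                    as the cause so the failure remains diagnosable.
 */
private Certificate[] getPeerCertificates(HttpServerExchange exchange, SSLSessionInfo sslSession, SecurityContext securityContext)
                throws SSLPeerUnverifiedException {
    Throwable reason;
    try {
        return sslSession.getPeerCertificates();
    } catch (RenegotiationRequiredException e) {
        reason = e;
        // we only renegotiate if authentication is required
        if (forceRenegotiation && securityContext.isAuthenticationRequired()) {
            try {
                sslSession.renegotiate(exchange, SslClientAuthMode.REQUESTED);
                return sslSession.getPeerCertificates();
            } catch (IOException | RenegotiationRequiredException e1) {
                // Renegotiation failed or the peer still presented nothing: report "unverified"
                // below, keeping this as the cause instead of dropping it.
                reason = e1;
            }
        }
    }
    // SSLPeerUnverifiedException has no (message, cause) constructor; attach the cause explicitly.
    final SSLPeerUnverifiedException unverified =
            new SSLPeerUnverifiedException("no peer certificates available on the TLS session");
    unverified.initCause(reason);
    throw unverified;
}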
 
Example #4
Source File: ManagementHttpServer.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
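/**
 * Tells whether CLIENT_CERT authentication can be attempted on this exchange: the realm must
 * support it and the TLS session must already carry a peer chain whose first entry is X.509.
 * <p>
 * Fix: the original indexed {@code getPeerCertificates()[0]} without a length check, so an
 * empty chain surfaced as an {@link ArrayIndexOutOfBoundsException} rather than {@code false}.
 *
 * @param securityRealm the realm whose supported mechanisms are consulted.
 * @param exchange      the current exchange.
 * @return {@code true} only when a usable X.509 peer certificate is present; {@code false} for
 *         plain connections, unverified peers, sessions needing renegotiation, or empty chains.
 */
private static boolean clientCertPotentiallyPossible(final SecurityRealm securityRealm, final HttpServerExchange exchange) {
    if (!securityRealm.getSupportedAuthenticationMechanisms().contains(AuthMechanism.CLIENT_CERT)) {
        return false;
    }

    final SSLSessionInfo session = exchange.getConnection().getSslSessionInfo();
    if (session == null) {
        return false;
    }
    try {
        // todo: renegotiation?
        final java.security.cert.Certificate[] peerCerts = session.getPeerCertificates();
        return peerCerts != null && peerCerts.length > 0 && peerCerts[0] instanceof X509Certificate;
    } catch (SSLPeerUnverifiedException | RenegotiationRequiredException e) {
        // Expected when the peer sent no certificate or the session must be renegotiated first:
        // CLIENT_CERT is simply not an option for this request.
        return false;
    }
}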
 
Example #5
Source File: SslSessionConfig.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Looks up the servlet session id bound to the connection's TLS session.
 * <p>
 * Plain connections are delegated to {@code fallbackSessionConfig} when one is configured;
 * TLS connections are resolved through the {@code sessions} map under the instance lock.
 *
 * @param exchange the current exchange.
 * @return the bound session id, or {@code null} when none is known (or no fallback exists).
 */
@Override
public String findSessionId(final HttpServerExchange exchange) {
    final SSLSessionInfo sslSession = exchange.getConnection().getSslSessionInfo();
    if (sslSession == null) {
        return fallbackSessionConfig == null ? null : fallbackSessionConfig.findSessionId(exchange);
    }
    final Key lookupKey = new Key(sslSession.getSessionId());
    synchronized (this) {
        final String boundId = sessions.get(lookupKey);
        if (boundId != null) {
            UndertowLogger.SESSION_LOGGER.tracef("Found SSL session id %s on %s", boundId, exchange);
        }
        return boundId;
    }
}
 
Example #6
Source File: SslSessionConfig.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Binds a servlet session id to the connection's TLS session.
 * <p>
 * Plain connections are delegated to {@code fallbackSessionConfig} when one is configured. For
 * TLS connections both directions ({@code sessions} and {@code reverse}) are updated together
 * under the instance lock so later clears can find the TLS key from the session id.
 *
 * @param exchange  the current exchange.
 * @param sessionId the servlet session id to bind.
 */
@Override
public void setSessionId(final HttpServerExchange exchange, final String sessionId) {
    UndertowLogger.SESSION_LOGGER.tracef("Setting SSL session id %s on %s", sessionId, exchange);
    final SSLSessionInfo sslSession = exchange.getConnection().getSslSessionInfo();
    if (sslSession != null) {
        final Key sslKey = new Key(sslSession.getSessionId());
        synchronized (this) {
            sessions.put(sslKey, sessionId);
            reverse.put(sessionId, sslKey);
        }
        return;
    }
    if (fallbackSessionConfig != null) {
        fallbackSessionConfig.setSessionId(exchange, sessionId);
    }
}
 
Example #7
Source File: SslSessionConfig.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Removes the binding between a servlet session id and the connection's TLS session.
 * <p>
 * Plain connections are delegated to {@code fallbackSessionConfig} when one is configured. For
 * TLS connections the reverse map yields the TLS key, and both map entries are dropped under the
 * instance lock; an unknown session id is a no-op.
 *
 * @param exchange  the current exchange.
 * @param sessionId the servlet session id whose binding is cleared.
 */
@Override
public void clearSession(final HttpServerExchange exchange, final String sessionId) {
    UndertowLogger.SESSION_LOGGER.tracef("Clearing SSL session id %s on %s", sessionId, exchange);
    final SSLSessionInfo sslSession = exchange.getConnection().getSslSessionInfo();
    if (sslSession != null) {
        synchronized (this) {
            final Key boundKey = reverse.remove(sessionId);
            if (boundKey != null) {
                sessions.remove(boundKey);
            }
        }
        return;
    }
    if (fallbackSessionConfig != null) {
        fallbackSessionConfig.clearSession(exchange, sessionId);
    }
}
 
Example #8
Source File: ClientCertAuthenticationMechanism.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
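/**
 * Attempts client-certificate authentication for the exchange.
 * <p>
 * When the connection has a TLS session with an X.509 peer certificate, that certificate is
 * offered to the identity manager as an {@link X509CertificateCredential}; a verified account
 * completes authentication. In every other case the outcome is {@code NOT_ATTEMPTED}.
 * <p>
 * Fix: the chain is checked for null/empty before {@code [0]} is read, so an empty chain reads
 * as "no certificate" instead of an {@link ArrayIndexOutOfBoundsException} escaping the mechanism.
 *
 * @param exchange        the current exchange.
 * @param securityContext the security context the account is registered with.
 * @return {@code AUTHENTICATED} when the identity manager verified the certificate, otherwise
 *         {@code NOT_ATTEMPTED}; this mechanism never reports {@code NOT_AUTHENTICATED}.
 */
public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext securityContext) {
    SSLSessionInfo sslSession = exchange.getConnection().getSslSessionInfo();
    if (sslSession != null) {
        try {
            Certificate[] clientCerts = getPeerCertificates(exchange, sslSession, securityContext);
            if (clientCerts != null && clientCerts.length > 0 && clientCerts[0] instanceof X509Certificate) {
                Credential credential = new X509CertificateCredential((X509Certificate) clientCerts[0]);

                IdentityManager idm = getIdentityManager(securityContext);
                Account account = idm.verify(credential);
                if (account != null) {
                    securityContext.authenticationComplete(account, name, false);
                    return AuthenticationMechanismOutcome.AUTHENTICATED;
                }
            }
        } catch (SSLPeerUnverifiedException e) {
            // No action - this mechanism can not attempt authentication without peer certificates so allow it to drop out
            // to NOT_ATTEMPTED.
        }
    }

    /*
     * For ClientCert we do not have a concept of a failed authentication, if the client did use a key then it was deemed
     * acceptable for the connection to be established, this mechanism then just 'attempts' to use it for authentication but
     * does not mandate success.
     */

    return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}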
 
Example #9
Source File: SslSessionIdAttribute.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Renders the TLS session id of the connection as an unwrapped Base64 string.
 *
 * @param exchange the current exchange.
 * @return the encoded session id, or {@code null} for plain connections or sessions without an id.
 */
@Override
public String readAttribute(HttpServerExchange exchange) {
    final SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
    final byte[] rawId = ssl == null ? null : ssl.getSessionId();
    return rawId == null ? null : FlexBase64.encodeString(rawId, false);
}
 
Example #10
Source File: SslCipherAttribute.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Reads the negotiated cipher suite of the connection.
 *
 * @param exchange the current exchange.
 * @return the cipher suite name, or {@code null} for plain connections.
 */
@Override
public String readAttribute(HttpServerExchange exchange) {
    final SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
    return ssl == null ? null : ssl.getCipherSuite();
}
 
Example #11
Source File: SSLHeaderHandler.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
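/**
 * Reconstructs TLS session details from the {@code SSL_SESSION_ID}, {@code SSL_CIPHER} and
 * {@code SSL_CLIENT_CERT} request headers set by a TLS-terminating proxy, attaches them to the
 * connection as a {@link BasicSSLSessionInfo} and marks the request scheme as HTTPS.
 * <p>
 * The header values are taken at face value, so the handler is only sound when requests can
 * reach it exclusively through a proxy that sets or strips those headers.
 * <p>
 * Fix: the original required only {@code length() > 28} before slicing off both PEM armour
 * parts, so a header between 29 and 53 characters made {@code substring} throw a
 * {@link StringIndexOutOfBoundsException} that the certificate catch below does not cover and
 * that escaped the handler. Such values now pass through unchanged and are left to
 * {@link BasicSSLSessionInfo} to reject.
 *
 * @param exchange the current exchange.
 * @throws Exception whatever the next handler throws.
 */
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
    HeaderMap requestHeaders = exchange.getRequestHeaders();
    final String sessionId = requestHeaders.getFirst(SSL_SESSION_ID);
    final String cipher = requestHeaders.getFirst(SSL_CIPHER);
    String clientCert = requestHeaders.getFirst(SSL_CLIENT_CERT);
    // Widths of the flattened PEM armour in the header value. These presumably are the
    // BEGIN/END marker lengths plus the space that replaced the newline — confirm against the proxy.
    final int beginArmourLen = 28;
    final int endArmourLen = 26;
    //the proxy client replaces \n with ' '
    if (clientCert != null && clientCert.length() >= beginArmourLen + endArmourLen) {
        StringBuilder sb = new StringBuilder(clientCert.length() + 1);
        sb.append(Certificates.BEGIN_CERT);
        sb.append('\n');
        sb.append(clientCert.replace(' ', '\n').substring(beginArmourLen, clientCert.length() - endArmourLen));//core certificate data
        sb.append('\n');
        sb.append(Certificates.END_CERT);
        clientCert = sb.toString();
    }
    if (clientCert != null || sessionId != null || cipher != null) {
        try {
            SSLSessionInfo info = new BasicSSLSessionInfo(sessionId, cipher, clientCert);
            exchange.setRequestScheme(HTTPS);
            exchange.getConnection().setSslSessionInfo(info);
            // Drop the synthesized session info when the exchange ends; the connection may be reused.
            exchange.addExchangeCompleteListener(CLEAR_SSL_LISTENER);
        } catch (java.security.cert.CertificateException | CertificateException e) {
            // Unparseable certificate header: the request continues without TLS session info.
            UndertowLogger.REQUEST_LOGGER.debugf(e, "Could not create certificate from header %s", clientCert);
        }
    }
    next.handleRequest(exchange);
}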
 
Example #12
Source File: UndertowHTTPHandler.java    From cxf with Apache License 2.0 4 votes vote down vote up
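/**
 * Adapts an Undertow exchange to the servlet-style request/response pair CXF expects and hands
 * it to the destination; any failure is answered with a generic 500 page.
 * <p>
 * Work is moved off the I/O thread first. TRACE requests are refused with 405 before any servlet
 * context is attached. When the connection is TLS, the cipher suite and (when available) the peer
 * chain are exposed as request attributes.
 * <p>
 * Fixes: the exception message embedded in the error page is HTML-escaped before it is echoed
 * back (it may carry request-derived text and was rendered as markup), and {@code Content-Length}
 * now counts the UTF-8 bytes the sender writes rather than the character count.
 *
 * @param undertowExchange the current exchange.
 * @throws Exception never directly; all throwables are caught and turned into a 500 response.
 */
@Override
public void handleRequest(HttpServerExchange undertowExchange) throws Exception {
    try {
        // perform blocking operation on exchange
        if (undertowExchange.isInIoThread()) {
            undertowExchange.dispatch(this);
            return;
        }

        HttpServletResponseImpl response = new HttpServletResponseImpl(undertowExchange,
                                                                       (ServletContextImpl)servletContext);
        HttpServletRequestImpl request = new HttpServletRequestImpl(undertowExchange,
                                                                    (ServletContextImpl)servletContext);
        if (request.getMethod().equals(METHOD_TRACE)) {
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        ServletRequestContext servletRequestContext = new ServletRequestContext(((ServletContextImpl)servletContext)
            .getDeployment(), request, response, null);

        undertowExchange.putAttachment(ServletRequestContext.ATTACHMENT_KEY, servletRequestContext);
        request.setAttribute("HTTP_HANDLER", this);
        request.setAttribute("UNDERTOW_DESTINATION", undertowHTTPDestination);
        SSLSessionInfo ssl = undertowExchange.getConnection().getSslSessionInfo();
        if (ssl != null) {
            request.setAttribute(SSL_CIPHER_SUITE_ATTRIBUTE, ssl.getCipherSuite());
            try {
                request.setAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE, ssl.getPeerCertificates());
            } catch (Exception ignored) {
                // No peer chain (unverified peer or renegotiation required): the attribute is
                // simply left unset; the cipher suite attribute above is still available.
            }
        }
        undertowHTTPDestination.doService(servletContext, request, response);

    } catch (Throwable t) {
        // NOTE(review): goes to stderr rather than a logger; no logger is visible in this block.
        t.printStackTrace();
        if (undertowExchange.isResponseChannelAvailable()) {
            undertowExchange.setStatusCode(500);
            final String errorPage = "<html><head><title>Error</title>"
                + "</head><body>Internal Error 500" + escapeHtml(t.getMessage())
                + "</body></html>";
            // Content-Length is a byte count; Sender.send(String) encodes as UTF-8, so measure
            // those bytes rather than errorPage.length().
            final byte[] body = errorPage.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            undertowExchange.getResponseHeaders().put(Headers.CONTENT_LENGTH,
                                                      Integer.toString(body.length));
            undertowExchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/html");
            Sender sender = undertowExchange.getResponseSender();
            sender.send(errorPage);
        }
    }
}

/**
 * Escapes the characters that would otherwise be interpreted as markup when {@code text} is
 * embedded in the error page. A {@code null} message is rendered as {@code "null"}, matching
 * what plain string concatenation produced before.
 */
private static String escapeHtml(String text) {
    if (text == null) {
        return "null";
    }
    StringBuilder sb = new StringBuilder(text.length() + 16);
    for (int i = 0; i < text.length(); i++) {
        char c = text.charAt(i);
        switch (c) {
            case '&': sb.append("&amp;"); break;
            case '<': sb.append("&lt;"); break;
            case '>': sb.append("&gt;"); break;
            case '"': sb.append("&quot;"); break;
            case '\'': sb.append("&#39;"); break;
            default: sb.append(c);
        }
    }
    return sb.toString();
}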
 
Example #13
Source File: InVMConnection.java    From thorntail with Apache License 2.0 4 votes vote down vote up
/**
 * Stores the TLS session information for this in-VM connection.
 *
 * @param sessionInfo the session info to expose from {@code getSslSessionInfo()}; may be
 *                    {@code null} to mark the connection as plain.
 */
@Override
public void setSslSessionInfo(SSLSessionInfo sessionInfo) {
    this.sslSessionInfo = sessionInfo;
}
 
Example #14
Source File: InVMConnection.java    From thorntail with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the TLS session information previously stored for this in-VM connection.
 *
 * @return the stored session info, or {@code null} when none was set.
 */
@Override
public SSLSessionInfo getSslSessionInfo() {
    return this.sslSessionInfo;
}
 
Example #15
Source File: InVMConnection.java    From thorntail with Apache License 2.0 4 votes vote down vote up
/**
 * Stores the TLS session information for this in-VM connection.
 *
 * @param sessionInfo the session info to expose from {@code getSslSessionInfo()}; may be
 *                    {@code null} to mark the connection as plain.
 */
@Override
public void setSslSessionInfo(SSLSessionInfo sessionInfo) {
    this.sslSessionInfo = sessionInfo;
}
 
Example #16
Source File: InVMConnection.java    From thorntail with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the TLS session information previously stored for this in-VM connection.
 *
 * @return the stored session info, or {@code null} when none was set.
 */
@Override
public SSLSessionInfo getSslSessionInfo() {
    return this.sslSessionInfo;
}
 
Example #17
Source File: HttpServerConnection.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Stores the TLS session information of this HTTP connection.
 *
 * @param sessionInfo the session info to expose from {@code getSslSessionInfo()}; may be
 *                    {@code null} to mark the connection as plain.
 */
@Override
public void setSslSessionInfo(SSLSessionInfo sessionInfo) {
    sslSessionInfo = sessionInfo;
}
 
Example #18
Source File: HttpServerConnection.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Returns the TLS session information of this HTTP connection.
 *
 * @return the stored session info, or {@code null} for a plain connection.
 */
@Override
public SSLSessionInfo getSslSessionInfo() {
    return this.sslSessionInfo;
}
 
Example #19
Source File: Http2ServerConnection.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Stores the TLS session information of this HTTP/2 connection.
 *
 * @param sessionInfo the session info to expose from {@code getSslSessionInfo()}; may be
 *                    {@code null} to mark the connection as plain.
 */
@Override
public void setSslSessionInfo(SSLSessionInfo sessionInfo) {
    sessionInfo = sessionInfo == null ? null : sessionInfo;
    this.sessionInfo = sessionInfo;
}
 
Example #20
Source File: Http2ServerConnection.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Returns the TLS session information of this HTTP/2 connection.
 *
 * @return the stored session info, or {@code null} for a plain connection.
 */
@Override
public SSLSessionInfo getSslSessionInfo() {
    return this.sessionInfo;
}
 
Example #21
Source File: AjpServerConnection.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Stores the TLS session information of this AJP connection.
 *
 * @param sessionInfo the session info to expose from {@code getSslSessionInfo()}; may be
 *                    {@code null} to mark the connection as plain.
 */
@Override
public void setSslSessionInfo(SSLSessionInfo sessionInfo) {
    sslSessionInfo = sessionInfo;
}
 
Example #22
Source File: AjpServerConnection.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Returns the TLS session information of this AJP connection.
 *
 * @return the stored session info, or {@code null} for a plain connection.
 */
@Override
public SSLSessionInfo getSslSessionInfo() {
    return this.sslSessionInfo;
}
 
Example #23
Source File: ServletInitialHandler.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Stores the TLS session information for this handler's connection view.
 *
 * @param sessionInfo the session info to expose from {@code getSslSessionInfo()}; may be
 *                    {@code null} to mark the connection as plain.
 */
@Override
public void setSslSessionInfo(SSLSessionInfo sessionInfo) {
    this.sslSessionInfo = sessionInfo;
}
 
Example #24
Source File: ServletInitialHandler.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Returns the TLS session information stored for this handler's connection view.
 *
 * @return the stored session info, or {@code null} when none was set.
 */
@Override
public SSLSessionInfo getSslSessionInfo() {
    return this.sslSessionInfo;
}