org.eclipse.jetty.server.ssl
Class SslSelectChannelConnector
java.lang.Object
org.eclipse.jetty.util.component.AbstractLifeCycle
org.eclipse.jetty.http.HttpBuffers
org.eclipse.jetty.server.AbstractConnector
org.eclipse.jetty.server.nio.AbstractNIOConnector
org.eclipse.jetty.server.nio.SelectChannelConnector
org.eclipse.jetty.server.ssl.SslSelectChannelConnector
- All Implemented Interfaces:
- Connector, NIOConnector, SslConnector, LifeCycle
public class SslSelectChannelConnector
- extends SelectChannelConnector
- implements SslConnector
SslSelectChannelConnector.
Method Summary |
protected SSLContext |
createSSLContext()
|
protected SSLEngine |
createSSLEngine()
|
void |
customize(EndPoint endpoint,
Request request)
Allow the Listener a chance to customise the request. |
protected void |
doStart()
|
String |
getAlgorithm()
Deprecated. use getSslKeyManagerFactoryAlgorithm() or
getSslTrustManagerFactoryAlgorithm() |
String[] |
getExcludeCipherSuites()
|
String[] |
getIncludeCipherSuites()
|
protected KeyManager[] |
getKeyManagers()
|
String |
getKeystore()
|
protected KeyStore |
getKeyStore(String keystorePath,
String keystoreType,
String keystorePassword)
|
String |
getKeystoreType()
|
boolean |
getNeedClientAuth()
|
String |
getProtocol()
|
String |
getProvider()
|
String |
getSecureRandomAlgorithm()
|
SSLContext |
getSslContext()
|
String |
getSslKeyManagerFactoryAlgorithm()
|
String |
getSslTrustManagerFactoryAlgorithm()
|
protected TrustManager[] |
getTrustManagers()
|
String |
getTruststore()
|
String |
getTruststoreType()
|
boolean |
getWantClientAuth()
|
boolean |
isAllowRenegotiate()
|
boolean |
isConfidential(Request request)
By default, we're confidential, given we speak SSL. |
boolean |
isIntegral(Request request)
By default, we're integral, given we speak SSL. |
protected Connection |
newConnection(SocketChannel channel,
SelectChannelEndPoint endpoint)
|
protected SelectChannelEndPoint |
newEndPoint(SocketChannel channel,
SelectorManager.SelectSet selectSet,
SelectionKey key)
|
void |
setAlgorithm(String algorithm)
Deprecated. use setSslKeyManagerFactoryAlgorithm(String) or
setSslTrustManagerFactoryAlgorithm(String) |
void |
setAllowRenegotiate(boolean allowRenegotiate)
Set if SSL re-negotiation is allowed. |
void |
setExcludeCipherSuites(String[] cipherSuites)
|
void |
setIncludeCipherSuites(String[] cipherSuites)
|
void |
setKeyPassword(String password)
|
void |
setKeystore(String keystore)
|
void |
setKeystoreType(String keystoreType)
|
void |
setNeedClientAuth(boolean needClientAuth)
|
void |
setPassword(String password)
|
void |
setProtocol(String protocol)
|
void |
setProvider(String provider)
|
void |
setSecureRandomAlgorithm(String algorithm)
|
void |
setSslContext(SSLContext sslContext)
|
void |
setSslKeyManagerFactoryAlgorithm(String algorithm)
|
void |
setSslTrustManagerFactoryAlgorithm(String algorithm)
|
void |
setTrustPassword(String password)
|
void |
setTruststore(String truststore)
|
void |
setTruststoreType(String truststoreType)
|
void |
setWantClientAuth(boolean wantClientAuth)
|
Methods inherited from class org.eclipse.jetty.server.nio.SelectChannelConnector |
accept, close, doStop, dump, getConnection, getLocalPort, getLowResourcesConnections, getLowResourcesMaxIdleTime, open, persist, setLowResourcesConnections, setLowResourcesMaxIdleTime, setMaxIdleTime |
Methods inherited from class org.eclipse.jetty.server.AbstractConnector |
checkForwardedHeaders, configure, connectionClosed, connectionOpened, connectionUpgraded, getAcceptorPriorityOffset, getAcceptors, getAcceptQueueSize, getConfidentialPort, getConfidentialScheme, getConnections, getConnectionsDurationMax, getConnectionsDurationMean, getConnectionsDurationStdDev, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsRequestsMax, getConnectionsRequestsMean, getConnectionsRequestsStdDev, getForwardedForHeader, getForwardedHostHeader, getForwardedProtoHeader, getForwardedServerHeader, getHost, getHostHeader, getIntegralPort, getIntegralScheme, getLeftMostValue, getLowResourceMaxIdleTime, getMaxIdleTime, getName, getPort, getRequests, getResolveNames, getReuseAddress, getServer, getSoLingerTime, getStatsOn, getStatsOnMs, getThreadPool, isForwarded, isLowResources, join, newBuffer, setAcceptorPriorityOffset, setAcceptors, setAcceptQueueSize, setConfidentialPort, setConfidentialScheme, setForwarded, setForwardedForHeader, setForwardedHostHeader, setForwardedProtoHeader, setForwardedServerHeader, setHost, setHostHeader, setIntegralPort, setIntegralScheme, setLowResourceMaxIdleTime, setName, setPort, setResolveNames, setReuseAddress, setServer, setSoLingerTime, setStatsOn, setThreadPool, statsReset, stopAccept, toString |
Methods inherited from class org.eclipse.jetty.http.HttpBuffers |
getHeaderBufferSize, getRequestBuffers, getRequestBufferSize, getRequestHeaderSize, getResponseBuffers, getResponseBufferSize, getResponseHeaderSize, setHeaderBufferSize, setRequestBufferSize, setRequestHeaderSize, setResponseBufferSize, setResponseHeaderSize |
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle |
addLifeCycleListener, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop |
Methods inherited from interface org.eclipse.jetty.server.Connector |
close, getConfidentialPort, getConfidentialScheme, getConnection, getConnections, getConnectionsDurationMax, getConnectionsDurationMean, getConnectionsDurationStdDev, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsRequestsMax, getConnectionsRequestsMean, getConnectionsRequestsStdDev, getHost, getIntegralPort, getIntegralScheme, getLocalPort, getLowResourceMaxIdleTime, getMaxIdleTime, getName, getPort, getRequestBuffers, getRequestBufferSize, getRequestHeaderSize, getRequests, getResolveNames, getResponseBuffers, getResponseBufferSize, getResponseHeaderSize, getServer, getStatsOn, getStatsOnMs, isLowResources, open, persist, setHost, setLowResourceMaxIdleTime, setMaxIdleTime, setPort, setRequestBufferSize, setRequestHeaderSize, setResponseBufferSize, setResponseHeaderSize, setServer, setStatsOn, statsReset |
SslSelectChannelConnector
public SslSelectChannelConnector()
customize
public void customize(EndPoint endpoint,
Request request)
throws IOException
- Allow the Listener a chance to customise the request before the server does its stuff.
This allows the required attributes to be set for SSL requests.
The requirements of the Servlet specs are:
- an attribute named "javax.servlet.request.ssl_session_id" of type
String (since Servlet Spec 3.0).
- an attribute named "javax.servlet.request.cipher_suite" of type
String.
- an attribute named "javax.servlet.request.key_size" of type Integer.
- an attribute named "javax.servlet.request.X509Certificate" of type
java.security.cert.X509Certificate[]. This is an array of X509Certificate objects
in ascending order of trust: the first certificate in the chain is the one
presented by the client (the end-entity certificate), the next is the one that
signed and authenticates the first, and so on up the chain.
- Specified by:
customize
in interface Connector
- Overrides:
customize
in class SelectChannelConnector
- Parameters:
endpoint
- The EndPoint the request arrived on. This should be a SocketEndPoint wrapping an SSLSocket.
(NOTE(review): this wording appears to be inherited from the socket-based connector; on this NIO
connector the endpoint is created by newEndPoint(SocketChannel, ...) and carries the SSLEngine from
createSSLEngine() rather than an SSLSocket — verify against the implementation.)
request
- The HttpRequest to be customised.
- Throws:
IOException
isAllowRenegotiate
public boolean isAllowRenegotiate()
- Specified by:
isAllowRenegotiate
in interface SslConnector
- Returns:
- True if SSL re-negotiation is allowed (default false)
setAllowRenegotiate
public void setAllowRenegotiate(boolean allowRenegotiate)
- Set if SSL re-negotiation is allowed. CVE-2009-3555 describes a vulnerability
in SSL/TLS re-negotiation that lets a man-in-the-middle splice a chosen
plaintext prefix into a session that the server then treats as authenticated.
If your JVM does not have CVE-2009-3555 fixed (i.e. it does not implement the
RFC 5746 secure-renegotiation extension), re-negotiation must not be allowed.
Leave this at its default of false unless re-negotiation is actually required
(for example to request a client certificate after the initial handshake) and
the JVM is known to be patched.
- Specified by:
setAllowRenegotiate
in interface SslConnector
- Parameters:
allowRenegotiate
- true if re-negotiation is allowed (default false)
getExcludeCipherSuites
public String[] getExcludeCipherSuites()
- Specified by:
getExcludeCipherSuites
in interface SslConnector
- Returns:
- The array of Ciphersuite names to exclude from
SSLEngine.setEnabledCipherSuites(String[])
- See Also:
SslConnector.getExcludeCipherSuites()
setExcludeCipherSuites
public void setExcludeCipherSuites(String[] cipherSuites)
- Specified by:
setExcludeCipherSuites
in interface SslConnector
- Parameters:
cipherSuites
- The array of Ciphersuite names to exclude from
SSLEngine.setEnabledCipherSuites(String[])
- See Also:
SslConnector.setExcludeCipherSuites(java.lang.String[])
getIncludeCipherSuites
public String[] getIncludeCipherSuites()
- Specified by:
getIncludeCipherSuites
in interface SslConnector
- Returns:
- The array of Ciphersuite names to include in
SSLEngine.setEnabledCipherSuites(String[])
- See Also:
SslConnector.getIncludeCipherSuites()
setIncludeCipherSuites
public void setIncludeCipherSuites(String[] cipherSuites)
- Specified by:
setIncludeCipherSuites
in interface SslConnector
- Parameters:
cipherSuites
- The array of Ciphersuite names to include in
SSLEngine.setEnabledCipherSuites(String[])
- See Also:
SslConnector.setIncludeCipherSuites(java.lang.String[])
setPassword
public void setPassword(String password)
- Specified by:
setPassword
in interface SslConnector
- Parameters:
password
- The password for the key store.
- See Also:
SslConnector.setPassword(java.lang.String)
setTrustPassword
public void setTrustPassword(String password)
- Specified by:
setTrustPassword
in interface SslConnector
- Parameters:
password
- The password for the trust store.
- See Also:
SslConnector.setTrustPassword(java.lang.String)
setKeyPassword
public void setKeyPassword(String password)
- Specified by:
setKeyPassword
in interface SslConnector
- Parameters:
password
- The password (if any) for the specific key within the key store.
- See Also:
SslConnector.setKeyPassword(java.lang.String)
getAlgorithm
@Deprecated
public String getAlgorithm()
- Deprecated. use
getSslKeyManagerFactoryAlgorithm()
or
getSslTrustManagerFactoryAlgorithm()
setAlgorithm
@Deprecated
public void setAlgorithm(String algorithm)
- Deprecated. use
setSslKeyManagerFactoryAlgorithm(String)
or
setSslTrustManagerFactoryAlgorithm(String)
getProtocol
public String getProtocol()
- Specified by:
getProtocol
in interface SslConnector
- Returns:
- The SSL protocol (default "TLS") passed to
SSLContext.getInstance(String, String). Note that this name selects the
SSLContext algorithm; the protocol versions actually offered on a connection
are those the JVM enables for that context, so check the JVM's enabled
protocols rather than assuming "TLS" excludes legacy SSL versions.
- See Also:
SslConnector.getProtocol()
setProtocol
public void setProtocol(String protocol)
- Specified by:
setProtocol
in interface SslConnector
- Parameters:
protocol
- The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String).
This selects the SSLContext algorithm only; which protocol versions are negotiated
is governed by the JVM's enabled protocols for that context.
- See Also:
SslConnector.setProtocol(java.lang.String)
setKeystore
public void setKeystore(String keystore)
- Specified by:
setKeystore
in interface SslConnector
- Parameters:
keystore
- The file or URL of the SSL Key store.
- See Also:
SslConnector.setKeystore(java.lang.String)
getKeystore
public String getKeystore()
- Specified by:
getKeystore
in interface SslConnector
- Returns:
- The file or URL of the SSL Key store.
- See Also:
SslConnector.getKeystore()
getKeystoreType
public String getKeystoreType()
- Specified by:
getKeystoreType
in interface SslConnector
- Returns:
- The type of the key store (default "JKS")
- See Also:
SslConnector.getKeystoreType()
getNeedClientAuth
public boolean getNeedClientAuth()
- Specified by:
getNeedClientAuth
in interface SslConnector
- Returns:
- True if SSL needs client authentication, i.e. the handshake is expected to
fail unless the client presents a certificate (compare getWantClientAuth(),
which only requests one).
- See Also:
SslConnector.getNeedClientAuth()
getWantClientAuth
public boolean getWantClientAuth()
- Specified by:
getWantClientAuth
in interface SslConnector
- Returns:
- True if SSL wants client authentication, i.e. a client certificate is
requested but not required; a client that presents none can still complete
the handshake (compare getNeedClientAuth()).
- See Also:
SslConnector.getWantClientAuth()
setNeedClientAuth
public void setNeedClientAuth(boolean needClientAuth)
- Specified by:
setNeedClientAuth
in interface SslConnector
- Parameters:
needClientAuth
- True if SSL needs client authentication: the handshake is expected to fail
unless the client presents a certificate. Use this, not setWantClientAuth(boolean),
when a client certificate is mandatory.
- See Also:
SslConnector.setNeedClientAuth(boolean)
setWantClientAuth
public void setWantClientAuth(boolean wantClientAuth)
- Specified by:
setWantClientAuth
in interface SslConnector
- Parameters:
wantClientAuth
- True if SSL wants client authentication: a client certificate is requested
but the handshake still succeeds if none is presented. Application code must
therefore check the "javax.servlet.request.X509Certificate" attribute before
relying on it.
- See Also:
SslConnector.setWantClientAuth(boolean)
setKeystoreType
public void setKeystoreType(String keystoreType)
- Specified by:
setKeystoreType
in interface SslConnector
- Parameters:
keystoreType
- The type of the key store (default "JKS").
- See Also:
SslConnector.setKeystoreType(java.lang.String)
getProvider
public String getProvider()
- Specified by:
getProvider
in interface SslConnector
- Returns:
- The SSL provider name, which if set is passed to
SSLContext.getInstance(String, String)
- See Also:
SslConnector.getProvider()
getSecureRandomAlgorithm
public String getSecureRandomAlgorithm()
- Specified by:
getSecureRandomAlgorithm
in interface SslConnector
- Returns:
- The algorithm name, which if set is passed to
SecureRandom.getInstance(String)
to obtain the SecureRandom
instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
- See Also:
SslConnector.getSecureRandomAlgorithm()
getSslKeyManagerFactoryAlgorithm
public String getSslKeyManagerFactoryAlgorithm()
- Specified by:
getSslKeyManagerFactoryAlgorithm
in interface SslConnector
- Returns:
- The algorithm name (default "SunX509") used by the
KeyManagerFactory
- See Also:
SslConnector.getSslKeyManagerFactoryAlgorithm()
getSslTrustManagerFactoryAlgorithm
public String getSslTrustManagerFactoryAlgorithm()
- Specified by:
getSslTrustManagerFactoryAlgorithm
in interface SslConnector
- Returns:
- The algorithm name (default "SunX509") used by the
TrustManagerFactory
- See Also:
SslConnector.getSslTrustManagerFactoryAlgorithm()
getTruststore
public String getTruststore()
- Specified by:
getTruststore
in interface SslConnector
- Returns:
- The file name or URL of the trust store location
- See Also:
SslConnector.getTruststore()
getTruststoreType
public String getTruststoreType()
- Specified by:
getTruststoreType
in interface SslConnector
- Returns:
- The type of the trust store (default "JKS")
- See Also:
SslConnector.getTruststoreType()
setProvider
public void setProvider(String provider)
- Specified by:
setProvider
in interface SslConnector
- Parameters:
provider
- The SSL provider name, which if set is passed to
SSLContext.getInstance(String, String)
- See Also:
SslConnector.setProvider(java.lang.String)
setSecureRandomAlgorithm
public void setSecureRandomAlgorithm(String algorithm)
- Specified by:
setSecureRandomAlgorithm
in interface SslConnector
- Parameters:
algorithm
- The algorithm name, which if set is passed to
SecureRandom.getInstance(String)
to obtain the SecureRandom
instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
- See Also:
SslConnector.setSecureRandomAlgorithm(java.lang.String)
setSslKeyManagerFactoryAlgorithm
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
- Specified by:
setSslKeyManagerFactoryAlgorithm
in interface SslConnector
- Parameters:
algorithm
- The algorithm name (default "SunX509") used by
the KeyManagerFactory
- See Also:
SslConnector.setSslKeyManagerFactoryAlgorithm(java.lang.String)
setSslTrustManagerFactoryAlgorithm
public void setSslTrustManagerFactoryAlgorithm(String algorithm)
- Specified by:
setSslTrustManagerFactoryAlgorithm
in interface SslConnector
- Parameters:
algorithm
- The algorithm name (default "SunX509") used by the TrustManagerFactory
- See Also:
SslConnector.setSslTrustManagerFactoryAlgorithm(java.lang.String)
setTruststore
public void setTruststore(String truststore)
- Specified by:
setTruststore
in interface SslConnector
- Parameters:
truststore
- The file name or URL of the trust store location.
- See Also:
SslConnector.setTruststore(java.lang.String)
setTruststoreType
public void setTruststoreType(String truststoreType)
- Specified by:
setTruststoreType
in interface SslConnector
- Parameters:
truststoreType
- The type of the trust store (default "JKS").
- See Also:
SslConnector.setTruststoreType(java.lang.String)
setSslContext
public void setSslContext(SSLContext sslContext)
- Specified by:
setSslContext
in interface SslConnector
- Parameters:
sslContext
- Set a preconfigured SSLContext. NOTE(review): when one is supplied, the
keystore, truststore, provider and algorithm settings on this connector
presumably no longer influence the context that is used — confirm against
createSSLContext() before relying on them alongside a preconfigured context.
- See Also:
SslConnector.setSslContext(javax.net.ssl.SSLContext)
getSslContext
public SSLContext getSslContext()
- Specified by:
getSslContext
in interface SslConnector
- Returns:
- The SSLContext
- See Also:
SslConnector.setSslContext(javax.net.ssl.SSLContext)
isConfidential
public boolean isConfidential(Request request)
- By default, we're confidential, given we speak SSL. But, if we've been
told about a confidential port, and said port is not our port, then
we're not. This allows separation of listeners providing INTEGRAL versus
CONFIDENTIAL constraints, such as one SSL listener configured to require
client certs providing CONFIDENTIAL, whereas another SSL listener not
requiring client certs providing mere INTEGRAL constraints.
Note that this decision is based on the connector and port only; it does not
inspect the negotiated cipher suite, so exclude weak suites via
setExcludeCipherSuites(String[]) if CONFIDENTIAL is meant to imply strong
encryption.
- Specified by:
isConfidential
in interface Connector
- Overrides:
isConfidential
in class AbstractConnector
- Parameters:
request
- A request
- Returns:
- true if the request is confidential. This normally means the https scheme has been used.
isIntegral
public boolean isIntegral(Request request)
- By default, we're integral, given we speak SSL. But, if we've been told
about an integral port, and said port is not our port, then we're not.
This allows separation of listeners providing INTEGRAL versus
CONFIDENTIAL constraints, such as one SSL listener configured to require
client certs providing CONFIDENTIAL, whereas another SSL listener not
requiring client certs providing mere INTEGRAL constraints.
As with isConfidential(Request), the decision is port-based and does not
examine the negotiated cipher suite.
- Specified by:
isIntegral
in interface Connector
- Overrides:
isIntegral
in class AbstractConnector
- Parameters:
request
- A request
- Returns:
- true if the request is integral. This normally means the https scheme has been used.
newEndPoint
protected SelectChannelEndPoint newEndPoint(SocketChannel channel,
SelectorManager.SelectSet selectSet,
SelectionKey key)
throws IOException
- Overrides:
newEndPoint
in class SelectChannelConnector
- Throws:
IOException
newConnection
protected Connection newConnection(SocketChannel channel,
SelectChannelEndPoint endpoint)
- Overrides:
newConnection
in class SelectChannelConnector
createSSLEngine
protected SSLEngine createSSLEngine()
throws IOException
- Throws:
IOException
doStart
protected void doStart()
throws Exception
- Overrides:
doStart
in class SelectChannelConnector
- Throws:
Exception
createSSLContext
protected SSLContext createSSLContext()
throws Exception
- Throws:
Exception
getKeyManagers
protected KeyManager[] getKeyManagers()
throws Exception
- Throws:
Exception
getTrustManagers
protected TrustManager[] getTrustManagers()
throws Exception
- Throws:
Exception
getKeyStore
protected KeyStore getKeyStore(String keystorePath,
String keystoreType,
String keystorePassword)
throws Exception
- Throws:
Exception
Copyright © 1995-2010 Mort Bay Consulting. All Rights Reserved.