Return-Path: Delivered-To: apmail-incubator-cxf-commits-archive@locus.apache.org Received: (qmail 88428 invoked from network); 25 May 2007 06:45:02 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 25 May 2007 06:45:02 -0000 Received: (qmail 53482 invoked by uid 500); 25 May 2007 06:45:07 -0000 Delivered-To: apmail-incubator-cxf-commits-archive@incubator.apache.org Received: (qmail 53427 invoked by uid 500); 25 May 2007 06:45:07 -0000 Mailing-List: contact cxf-commits-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cxf-dev@incubator.apache.org Delivered-To: mailing list cxf-commits@incubator.apache.org Received: (qmail 53418 invoked by uid 99); 25 May 2007 06:45:07 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 May 2007 23:45:07 -0700 X-ASF-Spam-Status: No, hits=-99.5 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 May 2007 23:44:56 -0700 Received: by eris.apache.org (Postfix, from userid 65534) id 197E71A981D; Thu, 24 May 2007 23:44:36 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r541568 [2/4] - in /incubator/cxf/trunk: api/src/main/java/org/apache/cxf/configuration/jsse/ common/schemas/src/main/resources/schemas/configuration/ distribution/src/main/release/samples/hello_world_https/ distribution/src/main/release/sa... Date: Fri, 25 May 2007 06:44:32 -0000 To: cxf-commits@incubator.apache.org 
From: ningjiang@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20070525064436.197E71A981D@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Modified: incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/client.xml URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/client.xml?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/client.xml (original) +++ incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/client.xml Thu May 24 23:44:27 2007 @@ -1,49 +0,0 @@ - - - - - - - - src/demo/hw_https/resources/celtix.p12 - celtixpass - celtixpass - src/demo/hw_https/resources/abigcompany_ca.pem - - - .*_EXPORT_.* - .*_EXPORT1024_.* - .*_WITH_DES_.* - .*_WITH_NULL_.* - .*_MD5 - - - - - - Modified: incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/insecure_client.xml URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/insecure_client.xml?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/insecure_client.xml (original) +++ incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/insecure_client.xml Thu May 24 23:44:27 2007 
@@ -1,30 +0,0 @@ - - - - - - - - Modified: incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/server.xml URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/server.xml?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/server.xml (original) +++ incubator/cxf/trunk/distribution/src/main/release/samples/hello_world_https/server.xml Thu May 24 23:44:27 2007 @@ -1,51 +0,0 @@ - - - - - - - src/demo/hw_https/resources/celtix.p12 - PKCS12 - celtixpass - celtixpass - true - true - src/demo/hw_https/resources/celtixp12.truststore - - - .*_EXPORT_.* - .*_EXPORT1024_.* - .*_WITH_DES_.* - .*_WITH_NULL_.* - .*_DH_anon_.* - - - - - Modified: incubator/cxf/trunk/rt/transports/http-jetty/pom.xml URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/pom.xml?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/pom.xml (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/pom.xml Thu May 24 23:44:27 2007 
@@ -76,7 +76,7 @@ org.mortbay.jetty jetty - 6.1.2rc0 + 6.1.3 org.slf4j Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestination.java Thu May 24 23:44:27 2007 @@ -32,6 +32,8 @@ import org.apache.cxf.Bus; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.util.StringUtils; +import org.apache.cxf.configuration.jsse.TLSServerParameters; +import org.apache.cxf.configuration.security.SSLServerPolicy; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageImpl; import org.apache.cxf.security.SecurityContext; 
@@ -46,42 +48,40 @@ public class JettyHTTPDestination extends AbstractHTTPDestination { - private static final Logger LOG = LogUtils.getL7dLogger(JettyHTTPDestination.class); + private static final Logger LOG = + LogUtils.getL7dLogger(JettyHTTPDestination.class); - protected ServerEngine engine; - protected ServerEngine alternateEngine; + + protected JettyHTTPServerEngine engine; protected JettyHTTPTransportFactory transportFactory; + protected JettyHTTPServerEngineFactory serverEngineFactory; protected URL nurl; /** - * Constructor, using Jetty server engine. - * - * @param b the associated Bus - * @param ci the associated conduit initiator - * @param endpointInfo the endpoint info of the destination - * @throws IOException + * This variable signifies that finalizeConfig() has been called. + * It gets called after this object has been spring configured. + * It is used to automatically reinitialize things when resources + * are reset, such as setTlsServerParameters(). */ - public JettyHTTPDestination(Bus b, JettyHTTPTransportFactory ci, - EndpointInfo endpointInfo) throws IOException { - this(b, ci, endpointInfo, null); - } - + private boolean configFinalized; + /** - * Constructor, allowing subsititution of server engine. + * Constructor, using Jetty server engine. * * @param b the associated Bus * @param ci the associated conduit initiator * @param endpointInfo the endpoint info of the destination - * @param eng the server engine * @throws IOException */ - public JettyHTTPDestination(Bus b, JettyHTTPTransportFactory ci, - EndpointInfo endpointInfo, ServerEngine eng) - throws IOException { + public JettyHTTPDestination( + Bus b, + JettyHTTPTransportFactory ci, + EndpointInfo endpointInfo + ) throws IOException { //Add the defualt port if the address is missing it super(b, ci, endpointInfo, true); - alternateEngine = eng; this.transportFactory = ci; + this.serverEngineFactory = ci.getJettyHTTPServerEngineFactory(); nurl = new URL(endpointInfo.getAddress()); } 
@@ -93,22 +93,115 @@ * Post-configure retreival of server engine. */ protected void retrieveEngine() { - engine = alternateEngine != null - ? alternateEngine - : JettyHTTPServerEngine.getForPort(bus, - nurl.getProtocol(), - nurl.getPort(), - getSslServer()); + if (this.getTlsServerParameters() != null) { + if (!"https".equals(nurl.getProtocol())) { + throw new RuntimeException( + "Wrong protocol for TLS configuration: proto: " + + nurl.getProtocol()); + } + // If the previous engine was "https", we have to shut it down as + // it cannot be reconfigured. + if (engine != null + && "https".equals(engine.getProtocol()) + && nurl.getPort() == engine.getPort()) { + engine.shutdown(); + } + engine = serverEngineFactory.getForPort( + nurl.getProtocol(), + nurl.getPort(), + getTlsServerParameters()); + // TODO: Remove when old SSL config is gone + } else if (this.getSslServer() != null) { + if (!"https".equals(nurl.getProtocol())) { + throw new RuntimeException( + "Wrong protocol for TLS configuration: proto: " + + nurl.getProtocol()); + } + // If the previous engine was "https", we have to shut it down as + // it cannot be reconfigured. + if (engine != null + && "https".equals(engine.getProtocol()) + && nurl.getPort() == engine.getPort()) { + engine.shutdown(); + } + engine = serverEngineFactory.getForPort(nurl.getProtocol(), + nurl.getPort(), + getSslServer()); + } else { + // We may still have "https", but we might still get the configuration from + // http-listener. + + // If the previous engine was "https", we have to shut it down as + // it cannot be reconfigured. + if (engine != null && "https".equals(nurl.getPort()) + && "https".equals(engine.getProtocol()) + && nurl.getPort() == engine.getPort()) { + engine.shutdown(); + } + // This should throw an exception if TLS is not configured + // for http-listener and the protocol is "https". 
+ engine = serverEngineFactory.getForPort(nurl.getProtocol(), + nurl.getPort()); + } + assert engine != null; + } + + /** + * This method is used to finalize the configuration + * after the configuration items have been set. + * + */ + public void finalizeConfig() { + retrieveEngine(); + configFinalized = true; } /** + * This method sets the SSLServerPolicy for this destination. Changing + * the SSLServerPolicy object internally will not affect this destination. + * This method must be called to reconfigure the Destination. + * + * @param policy + */ + @Deprecated + @Override + public void setSslServer(SSLServerPolicy policy) { + super.setSslServer(policy); + if (configFinalized) { + deactivate(); + engine.shutdown(); + engine = null; + retrieveEngine(); + } + } + + /** + * This method sets the TLS Server Parameters for this destination. + * Changing the TLSServerParameters object internally will not affect this + * destination. + * This method must be called to reconfigure the Destination. + * + * @param params + */ + @Override + public void setTlsServerParameters(TLSServerParameters params) { + super.setTlsServerParameters(params); + if (configFinalized) { + deactivate(); + engine.shutdown(); + engine = null; + retrieveEngine(); + } + } + /** * Activate receipt of incoming messages. 
*/ protected void activate() { LOG.log(Level.FINE, "Activating receipt of incoming messages"); try { URL url = new URL(endpointInfo.getAddress()); - engine.addServant(url, new JettyHTTPHandler(this, contextMatchOnExact())); + engine.addServant(url, + new JettyHTTPHandler(this, contextMatchOnExact())); } catch (Exception e) { LOG.log(Level.WARNING, "URL creation failed: ", e); Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java Thu May 24 23:44:27 2007 @@ -19,12 +19,13 @@ package org.apache.cxf.transport.http_jetty; +import java.io.IOException; import java.net.URL; -import java.util.HashMap; -import java.util.Map; +import java.security.GeneralSecurityException; import org.apache.cxf.Bus; -import org.apache.cxf.configuration.Configurer; +import org.apache.cxf.configuration.jsse.TLSServerParameters; +import org.apache.cxf.configuration.jsse.spring.TLSServerParametersConfig; import org.apache.cxf.configuration.security.SSLServerPolicy; import org.apache.cxf.transport.HttpUriMapper; import org.apache.cxf.transport.http.listener.HTTPListenerConfigBean; 
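Review bot: In the final `else` branch of `retrieveEngine()`, `"https".equals(nurl.getPort())` compares a String with an `int`, so it is always false and the shutdown of a stale https engine in that branch can never fire; the two earlier branches test the protocol, so the intended line is presumably `if (engine != null && "https".equals(nurl.getProtocol()) && "https".equals(engine.getProtocol()) && nurl.getPort() == engine.getPort()) {`. The same four-line check is repeated three times and would be clearer as one private helper. Worth a comment on the new `setSslServer`/`setTlsServerParameters` overrides as well: `engine.shutdown()` goes through the factory's per-port cache, so it appears to remove the listener for every destination sharing that port, not only this one — please confirm and add `// NOTE: shuts down the shared per-port engine; other destinations on this port lose their listener`.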
@@ -37,11 +38,10 @@ -public final class JettyHTTPServerEngine extends HTTPListenerConfigBean implements ServerEngine { +public class JettyHTTPServerEngine + extends HTTPListenerConfigBean + implements ServerEngine { private static final long serialVersionUID = 1L; - - private static Map portMap = - new HashMap(); private int servantCount; private Server server; @@ -49,9 +49,54 @@ private JettyConnectorFactory connectorFactory; private ContextHandlerCollection contexts; + /** + * This field holds the protocol this engine is for. "http" or "https". + */ + private final String protocol; + private final int port; - JettyHTTPServerEngine(Bus bus, String protocol, int p) { + /** + * This field holds the TLS ServerParameters that are programatically + * configured. The tlsServerParamers (due to JAXB) holds the struct + * placed by SpringConfig. + */ + private TLSServerParameters tlsProgrammaticServerParameters; + + /** + * This boolean signfies that SpringConfig is over. finalizeConfig + * has been called. + */ + private boolean configFinalized; + + /** + * This is the Server Engine Factory. This factory caches some + * engines based on port numbers. + */ + private JettyHTTPServerEngineFactory factory; + + JettyHTTPServerEngine(JettyHTTPServerEngineFactory fac, Bus bus, + String proto, int p) { + factory = fac; + protocol = proto; + port = p; + } + + // TODO: remove when old SSL config is gone. + @Deprecated + JettyHTTPServerEngine(JettyHTTPServerEngineFactory fac, Bus bus, + String proto, int p, SSLServerPolicy policy) { + factory = fac; + sslServer = policy; + protocol = proto; + port = p; + } + + JettyHTTPServerEngine(JettyHTTPServerEngineFactory fac, Bus bus, + String proto, int p, TLSServerParameters params) { + factory = fac; + tlsProgrammaticServerParameters = params; + protocol = proto; port = p; } 
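Review bot: All three new `JettyHTTPServerEngine` constructors take a `Bus bus` parameter that is never stored or used, and the deprecated one assigns the inherited `sslServer` field directly rather than through `setSslServer`. If the bus is genuinely not needed, drop the parameter or mark it: `// bus is currently unused; kept for signature compatibility`. The class also loses `final` while keeping `serialVersionUID`; a one-line comment on why subclassing is now permitted would help the next reader.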
@@ -59,39 +104,28 @@ return JettyHTTPServerEngine.class.getName() + "." + port; } - static synchronized JettyHTTPServerEngine getForPort(Bus bus, String protocol, int p) { - return getForPort(bus, protocol, p, null); + /** + * Returns the protocol "http" or "https" for which this engine + * was configured. + */ + public String getProtocol() { + return protocol; } - - static synchronized JettyHTTPServerEngine getForPort(Bus bus, - String protocol, - int p, - SSLServerPolicy sslServerPolicy) { - JettyHTTPServerEngine ref = portMap.get(p); - if (ref == null) { - ref = new JettyHTTPServerEngine(bus, protocol, p); - configure(bus, ref); - ref.init(sslServerPolicy); - ref.retrieveListenerFactory(); - portMap.put(p, ref); - } - return ref; - } - - public static synchronized void destroyForPort(int p) { - JettyHTTPServerEngine ref = portMap.remove(p); - if (ref != null && ref.server != null) { - try { - ref.connector.close(); - ref.server.stop(); - ref.server.destroy(); - ref.server = null; - ref.listener = null; - } catch (Exception e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } - } + + /** + * Returns the port number for which this server engine was configured. + * @return + */ + public int getPort() { + return port; + } + + /** + * This method will shut down the server engine and + * remove it from the factory's cache. + */ + public void shutdown() { + factory.destroyForPort(port); } /** 
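Review bot: `shutdown()` delegates to `factory.destroyForPort(port)`, which evicts and stops the cached engine for the whole port, but its Javadoc only says it shuts down "the server engine"; since the factory hands out one engine per port to every destination (and, per the factory's own comment, across buses), the doc should warn about the blast radius: `* Shuts down the engine for this port and evicts it from the factory cache. Any other destination that shares this port loses its listener.` The `@return` tag on `getPort()` is also left empty — `@return the port number this engine was allocated for`.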
@@ -241,19 +275,50 @@ } return ret; } - - protected static void configure(Bus bus, Object bean) { - Configurer configurer = bus.getExtension(Configurer.class); - if (null != configurer) { - configurer.configureBean(bean); + + protected void retrieveListenerFactory() { + if (tlsProgrammaticServerParameters != null) { + connectorFactory = JettyHTTPTransportFactory + .getConnectorFactory(tlsProgrammaticServerParameters); + // TODO: remove when old SSL Config is gone. + } else if (isSetSslServer()) { + connectorFactory = JettyHTTPTransportFactory + .getConnectorFactory(getSslServer()); + } else { + connectorFactory = JettyHTTPTransportFactory + .getConnectorFactory((TLSServerParameters) null); } } + + /** + * This method is called after configure on this object. + */ + protected void finalizeConfig() throws GeneralSecurityException, + IOException { - private void retrieveListenerFactory() { - connectorFactory = JettyHTTPTransportFactory.getConnectorFactory(getSslServer()); + // If the listener was spring configured, convert those structs + // to real configuration with KeyManagers and TrustManagers. + if (this.tlsProgrammaticServerParameters == null + && isSetTlsServerParameters()) { + tlsProgrammaticServerParameters = + new TLSServerParametersConfig(getTlsServerParameters()); + } + if (!isSetListener()) { + setListener(new HTTPListenerPolicy()); + } + if ("https".equals(protocol) + && tlsProgrammaticServerParameters == null + && !isSetSslServer()) { + throw new RuntimeException( + "Protocol is \"https\" without suitable " + + "programmatic or spring configuration."); + } + retrieveListenerFactory(); + this.configFinalized = true; } - private void init(SSLServerPolicy sslServerPolicy) { + @Deprecated + protected void init(SSLServerPolicy sslServerPolicy) { if (!isSetSslServer()) { setSslServer(sslServerPolicy); } 
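Review bot: `retrieveListenerFactory()` falls through to a plaintext connector factory whenever neither TLS source is set, without consulting `protocol`; `finalizeConfig()` rejects an unconfigured "https" engine once, but later calls to `retrieveListenerFactory()` after `configFinalized` (for instance a `setSslServer(null)` or `setProgrammaticTlsServerParameters(null)`, which presumably clear the isSet state) would silently downgrade an "https" port to an unencrypted listener factory. Guard the final branch before the plain `getConnectorFactory((TLSServerParameters) null)` call: `if ("https".equals(protocol)) { throw new RuntimeException("Protocol is \"https\" but no TLS configuration is set for port " + port); }`. The deprecated `init()` also applies the passed policy only when `!isSetSslServer()`, so a programmatic policy is ignored if Spring already configured one — that matches the factory's comment, but the method's Javadoc should state it.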
@@ -261,4 +326,121 @@ setListener(new HTTPListenerPolicy()); } } + + @Deprecated + @Override + public void setSslServer(SSLServerPolicy policy) { + super.setSslServer(policy); + if (this.configFinalized) { + this.retrieveListenerFactory(); + } + } + /** + * This method is called to possibly reconfigure a listener. + */ + protected void reconfigure(String proto, TLSServerParameters tlsParams) { + if (!getProtocol().equals(proto)) { + throw new RuntimeException( + "Cannot reconfigure an allocated server port with " + + "different protocol." + + " Port: " + port + " to Protocol " + proto); + } + if ("https".equals(proto)) { + // TLS/SSL Parameters have not yet been set. + if (tlsProgrammaticServerParameters == null) { + if (!isSetSslServer()) { + try { + setProgrammaticTlsServerParameters(tlsParams); + } catch (Exception e) { + throw new RuntimeException( + "Could not initialize configuration of " + + getBeanName() + ".", e); + } + } else { + throw new RuntimeException( + "Cannot reconfigure an allocated TLS server port. " + + "Port = " + port); + } + } else if (tlsProgrammaticServerParameters != tlsParams) { + throw new RuntimeException( + "Cannot reconfigure an allocated TLS server port. " + + "Port = " + port); + } + } + + } + + /** + * This method is called to possibly reconfigure a listener. + * @param proto + * @param policy + */ + @Deprecated + protected void reconfigure(String proto, SSLServerPolicy policy) { + if (!getProtocol().equals(proto)) { + throw new RuntimeException( + "Cannot reconfigure an allocated server port with " + + "different protocol." + + " Port: " + port + " to Protocol " + proto); + } + if ("https".equals(proto)) { + // TLS/SSL Parameters have not yet been set. 
+ if (!isSetSslServer()) { + if (tlsProgrammaticServerParameters == null) { + try { + setSslServer(policy); + } catch (Exception e) { + throw new RuntimeException( + "Could not initialize configuration of " + + getBeanName() + ".", e); + } + } else { + throw new RuntimeException( + "Cannot reconfigure an allocated TLS server port. " + + "Port = " + port); + } + } else if (getSslServer() != policy) { + throw new RuntimeException( + "Cannot reconfigure an allocated TLS server port. Port = " + + port); + } + } + } + + /** + * This method is called by the ServerEngine Factory to destroy the + * listener. + * + */ + protected void stop() throws Exception { + if (server != null) { + connector.close(); + server.stop(); + server.destroy(); + server = null; + listener = null; + } + } + + /** + * This method is used to programmatically set the TLSServerParameters. + * This method must be used to dynamically configure the http-listener. + */ + public void setProgrammaticTlsServerParameters(TLSServerParameters params) { + tlsProgrammaticServerParameters = params; + if (this.configFinalized) { + this.retrieveListenerFactory(); + } + } + + /** + * This method returns the programmatically set TLSServerParameters, not + * the TLSServerParametersType, which is the JAXB generated type used + * in SpringConfiguration. 
+ * @return + */ + public TLSServerParameters getProgrammaticTlsServerParameters() { + return tlsProgrammaticServerParameters; + } + } Added: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactory.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactory.java?view=auto&rev=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactory.java (added) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactory.java Thu May 24 23:44:27 2007 
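Review bot: The post-finalize paths in `setSslServer` and `setProgrammaticTlsServerParameters` only recompute `connectorFactory`; nothing in this hunk stops or rebuilds `server`/`connector` (only `stop()`, reached via the factory's `destroyForPort`, does), so a connector already created from the old factory appears to keep its previous TLS settings — connector creation is outside the hunk, so please confirm and document it: `* Takes effect only for connectors created after this call; an already-running listener is not reconfigured.` Separately, `reconfigure(String, TLSServerParameters)` compares by reference (`tlsProgrammaticServerParameters != tlsParams`), so a structurally equal but distinct parameters object is rejected with "Cannot reconfigure"; if that is intended, say so in the Javadoc, otherwise compare by value.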
@@ -0,0 +1,166 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.transport.http_jetty; + +import java.util.HashMap; +import java.util.Map; + +import org.apache.cxf.Bus; +import org.apache.cxf.configuration.Configurer; +import org.apache.cxf.configuration.jsse.TLSServerParameters; +import org.apache.cxf.configuration.security.SSLServerPolicy; + +public class JettyHTTPServerEngineFactory { + + /** + * This map holds references for allocated ports. + */ + // HACK!!! All system tests do not shut down bus correct, + // or the bus does not shutdown all endpoints correctly, + // so that these are shared amongst busses. Which is + // hogwash!! This was static before I changed it, and I + // tried to make it local. Now, we get address in use + // Bind exceptions because these server engines aren't + // shared!! What hog wash. Propper shutdowns people! + + // We will keep it static until + // we can resolve the problems in the System tests. + // TODO: Fix the System Tests so that they shutdown the + // buses that they are using and that the buses actually + // shutdown the destinations and their server engines + // properly. 
This will require a bit of lifecyle and reference + // counting on Destinations to server engines, if they are + // going to be shared, but they should by no means be + // shared accross buses, right? + private static Map portMap = + new HashMap(); + + /** + * The bus. + */ + private Bus bus; + + protected JettyHTTPServerEngineFactory(Bus b) { + bus = b; + } + + /** + * Allocate a JettyServer engine for a particular port. This call is allows + * the Spring configuration of the engine. If the protocol is "https" it + * must find a suitable configuration or this call will throw an error. + */ + synchronized JettyHTTPServerEngine getForPort(String protocol, int p) { + + return getForPort(protocol, p, (TLSServerParameters) null); + } + + /** + * Allocate a Jetty server engine for a particular port, and an ssl + * server policy. + * This call in order to remain consistent with previous implemenation + * does NOT override any spring configuration. That may be a bug. + * This method is deprecated in favor of using TLSServerParameters. + */ + @Deprecated + synchronized JettyHTTPServerEngine getForPort( + String protocol, + int p, + SSLServerPolicy sslServerPolicy + ) { + JettyHTTPServerEngine ref = portMap.get(p); + if (ref == null) { + ref = new JettyHTTPServerEngine(this, bus, protocol, p); + configure(ref); + // This previous incantaion says programatic configuration does not + // override because init tests to see if sslServer is already set + // and if so, ignores this sslServerPolicy. + // This situation has been fixed with tlsServerParameters. + ref.init(sslServerPolicy); + ref.retrieveListenerFactory(); + portMap.put(p, ref); + } else { + // This will throw an exception if the reference cannot be + // reconfigured + ref.reconfigure(protocol, sslServerPolicy); + } + return ref; + } + + /** + * Allocate a Jetty server engine for a particular port with TLS parameters. + * If tlsParams is not null, it overrides any spring configuration of TLS + * parameters. 
+ */ + synchronized JettyHTTPServerEngine getForPort( + String protocol, + int p, + TLSServerParameters tlsParams + ) { + JettyHTTPServerEngine ref = portMap.get(p); + if (ref == null) { + ref = new JettyHTTPServerEngine(this, bus, protocol, p); + configure(ref); + // Programatic configuration overrides Spring configuration. + if (tlsParams != null) { + ref.setProgrammaticTlsServerParameters(tlsParams); + } + try { + ref.finalizeConfig(); + } catch (Exception e) { + throw new RuntimeException( + "Could not initialize configuration of " + + ref.getBeanName() + ".", e); + } + portMap.put(p, ref); + } else { + // This call will throw an exception if the engine cannot be + // reconfigured. + ref.reconfigure(protocol, tlsParams); + } + return ref; + } + + /** + * This method removes the Server Engine from the port map and stops it. + */ + public synchronized void destroyForPort(int port) { + JettyHTTPServerEngine ref = portMap.remove(port); + if (ref != null) { + try { + ref.stop(); + } catch (Exception e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } + } + + /** + * This call configures the Server Engine as Spring Bean. 
+ * @param bean + */ + protected void configure(JettyHTTPServerEngine bean) { + Configurer configurer = bus.getExtension(Configurer.class); + if (null != configurer) { + configurer.configureBean(bean); + } + } + + +} Propchange: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactory.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineFactory.java ------------------------------------------------------------------------------ svn:keywords = Rev Date Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPTransportFactory.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPTransportFactory.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPTransportFactory.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPTransportFactory.java Thu May 24 23:44:27 2007 @@ -25,6 +25,7 @@ import javax.annotation.Resource; import org.apache.cxf.Bus; +import org.apache.cxf.configuration.jsse.TLSServerParameters; import org.apache.cxf.configuration.security.SSLServerPolicy; import org.apache.cxf.service.model.EndpointInfo; import org.apache.cxf.transport.Destination; 
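Review bot: The deprecated `getForPort(String, int, SSLServerPolicy)` builds a new engine with `init()` + `retrieveListenerFactory()` and never calls `finalizeConfig()`, so the "https without suitable configuration" check is bypassed and `configFinalized` stays false on that path; with a null policy and no Spring TLS config, an "https" port gets the plaintext connector factory from `retrieveListenerFactory`'s final branch, and later setter calls will not refresh the factory. Route the deprecated path through `finalizeConfig()` the same way the TLS-parameters overload does. `destroyForPort` also swallows `stop()` failures into `e.printStackTrace()`; a logger (as the other classes in this commit use) would be the project's style.
```java
ref = new JettyHTTPServerEngine(this, bus, protocol, p);
configure(ref);
ref.init(sslServerPolicy);
try {
    ref.finalizeConfig();
} catch (Exception e) {
    throw new RuntimeException(
        "Could not initialize configuration of "
        + ref.getBeanName() + ".", e);
}
portMap.put(p, ref);
// … unchanged: reconfigure branch and return …
```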
@@ -35,18 +36,35 @@ public class JettyHTTPTransportFactory extends AbstractHTTPTransportFactory { - Map destinations = new HashMap(); + Map destinations = + new HashMap(); + + /** + * This field contains the JettyHTTPServerEngineFactory. + * It holds a cache of engines that may be used for particular ports. + */ + private JettyHTTPServerEngineFactory serverEngineFactory; public JettyHTTPTransportFactory() { super(); - } @Resource(name = "bus") public void setBus(Bus b) { super.setBus(b); + // This cannot be called twice; + assert serverEngineFactory == null; + + serverEngineFactory = new JettyHTTPServerEngineFactory(b); } + /** + * This method returns the Jetty HTTP Server Engine Factory. + */ + protected JettyHTTPServerEngineFactory getJettyHTTPServerEngineFactory() { + return serverEngineFactory; + } + @Override public Destination getDestination(EndpointInfo endpointInfo) throws IOException { String addr = endpointInfo.getAddress(); @@ -60,6 +78,11 @@ private synchronized JettyHTTPDestination createDestination(EndpointInfo endpointInfo) throws IOException { + // Cached Destinations could potentially use an "https" destination + // created by somebody else that will not be able to be reconfigured. + // As a result of trying would shutdown the server engine that may + // be in use. + JettyHTTPDestination destination = destinations.get(endpointInfo.getAddress()); if (destination == null) { destination = new JettyHTTPDestination(getBus(), this, endpointInfo); @@ -67,11 +90,12 @@ destinations.put(endpointInfo.getAddress(), destination); configure(destination); - destination.retrieveEngine(); + destination.finalizeConfig(); } return destination; } + @Deprecated protected static JettyConnectorFactory getConnectorFactory(SSLServerPolicy policy) { return policy == null ? new JettyConnectorFactory() { 
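Review bot: The "cannot be called twice" guard in `setBus` is an `assert`, which is disabled unless the JVM runs with `-ea`, so in production a second call silently replaces `serverEngineFactory` with a fresh instance. Make it an explicit check: `if (serverEngineFactory != null) { throw new IllegalStateException("setBus() may only be called once"); }`. The comment above `createDestination` describes a real hazard (a cached "https" destination reconfigured by someone else shuts down a shared engine) but is cut off mid-thought; finishing it with the intended behaviour ("we therefore do not reconfigure cached destinations") would make the intent clear.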
@@ -83,5 +107,24 @@ } } : new JettySslConnectorFactory(policy); + } + + /** + * This method creates a connector factory. If there are TLS parameters + * then it creates a TLS enabled one. + */ + protected static JettyConnectorFactory getConnectorFactory( + TLSServerParameters tlsParams + ) { + return tlsParams == null + ? new JettyConnectorFactory() { + public AbstractConnector createConnector(int port) { + SelectChannelConnector result = new SelectChannelConnector(); + //SocketConnector result = new SocketConnector(); + result.setPort(port); + return result; + } + } + : new JettySslConnectorFactory(tlsParams); } } Added: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java?view=auto&rev=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java (added) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java Thu May 24 23:44:27 2007 
@@ -0,0 +1,130 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.transport.https_jetty; + + +import java.security.SecureRandom; +import java.util.List; +import java.util.logging.Logger; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.TrustManager; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.configuration.security.ClientAuthentication; +import org.apache.cxf.configuration.security.FiltersType; +import org.apache.cxf.transport.https.SSLUtils; +import org.mortbay.jetty.security.SslSocketConnector; + +/** + * This class extends the Jetty SslSocketConnector, which allows + * us to configure it more in tune with the JSSE, using KeyManagers + * and TrustManagers. Also, Jetty version 6.1.3 has a bug where + * the Trust store needs a password. 
+ */ +public class CXFJettySslSocketConnector extends SslSocketConnector { + private static final Logger LOG = LogUtils.getL7dLogger(CXFJettySslSocketConnector.class); + + protected KeyManager[] keyManagers; + protected TrustManager[] trustManagers; + protected SecureRandom secureRandom; + protected List cipherSuites; + protected FiltersType cipherSuitesFilter; + + /** + * Set the cipherSuites + */ + protected void setCipherSuites(List cs) { + cipherSuites = cs; + } + + /** + * Set the CipherSuites Filter + */ + protected void setCipherSuitesFilter(FiltersType filter) { + cipherSuitesFilter = filter; + } + + /** + * Set the KeyManagers. + */ + protected void setKeyManagers(KeyManager[] kmgrs) { + keyManagers = kmgrs; + } + + /** + * Set the TrustManagers. + */ + protected void setTrustManagers(TrustManager[] tmgrs) { + trustManagers = tmgrs; + } + + /** + * Set the SecureRandom Parameters + */ + protected void setSecureRandom(SecureRandom random) { + secureRandom = random; + } + + /** + * Set the ClientAuthentication (from the JAXB type) that + * configures an HTTP Destination. + */ + protected void setClientAuthentication(ClientAuthentication clientAuth) { + if (clientAuth.isSetWant()) { + setWantClientAuth(clientAuth.isWant()); + } + if (clientAuth.isSetRequired()) { + setNeedClientAuth(clientAuth.isRequired()); + } + } + + /** + * We create our own socket factory. + */ + @Override + protected SSLServerSocketFactory createFactory() + throws Exception { + + String proto = getProtocol() == null + ? "TLS" + : getProtocol(); + + SSLContext context = getProvider() == null + ? 
SSLContext.getInstance(proto) + : SSLContext.getInstance(proto, getProvider()); + + context.init(keyManagers, trustManagers, secureRandom); + + SSLServerSocketFactory con = context.getServerSocketFactory(); + + String[] cs = + SSLUtils.getCiphersuites( + cipherSuites, + SSLUtils.getServerSupportedCipherSuites(context), + cipherSuitesFilter, + LOG, true); + + setExcludeCipherSuites(cs); + return con; + } + +} Propchange: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java ------------------------------------------------------------------------------ svn:keywords = Rev Date Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java Thu May 24 23:44:27 2007 
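Review bot: `setClientAuthentication` dereferences `clientAuth` without a null check, and its only caller in this commit, `decorateCXFJettySslSocketConnector` in JettySslConnectorFactory, passes `tlsServerParameters.getClientAuthentication()` straight through, so a configuration that omits the client-authentication element fails with a NullPointerException during connector setup; add `if (clientAuth == null) { return; }` at the top of the method. Separately, `createFactory` hands `keyManagers` and `trustManagers` to `context.init` as they are, and a null array there makes JSSE fall back to the JDK's default key and trust material instead of failing, which the Javadoc should state: `Null key or trust managers are passed to SSLContext.init unchanged, which then uses the JSSE defaults.` The `cipherSuites` field is also a raw `List`; a parameterised type would document what `setCipherSuites` expects.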
@@ -23,37 +23,47 @@ import java.util.logging.Level; import java.util.logging.Logger; +import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.configuration.jsse.TLSServerParameters; import org.apache.cxf.configuration.security.SSLServerPolicy; import org.apache.cxf.transport.http_jetty.JettyConnectorFactory; import org.apache.cxf.transport.https.SSLUtils; import org.mortbay.jetty.AbstractConnector; -import org.mortbay.jetty.security.SslSocketConnector; public final class JettySslConnectorFactory implements JettyConnectorFactory { private static final long serialVersionUID = 1L; private static final Logger LOG = LogUtils.getL7dLogger(JettySslConnectorFactory.class); + @Deprecated private static final String[] UNSUPPORTED = {"SessionCaching", "SessionCacheKey", "MaxChainLength", "CertValidator", "TrustStoreAlgorithm", "TrustStoreType"}; private static final String[] DERIVATIVE = {"CiphersuiteFilters"}; + @Deprecated SSLServerPolicy sslPolicy; + TLSServerParameters tlsServerParameters; + /** * Constructor. * * @param policy the applicable SSLServerPolicy (guaranteed non-null) */ + @Deprecated public JettySslConnectorFactory(SSLServerPolicy policy) { this.sslPolicy = policy; } + public JettySslConnectorFactory(TLSServerParameters params) { + tlsServerParameters = params; + } /** * Create a SSL Connector. 
@@ -61,43 +71,83 @@ * @param p the listen port */ public AbstractConnector createConnector(int port) { - SslSocketConnector secureConnector = new SslSocketConnector(); - secureConnector.setPort(port); - decorate(secureConnector); - return secureConnector; + if (tlsServerParameters != null) { + CXFJettySslSocketConnector secureConnector = + new CXFJettySslSocketConnector(); + secureConnector.setPort(port); + decorateCXFJettySslSocketConnector(secureConnector); + return secureConnector; + } + if (sslPolicy != null) { + //SslSocketConnector secureConnector = new SslSocketConnector(); + CXFJettySslSocketConnector secureConnector = + new CXFJettySslSocketConnector(); + secureConnector.setPort(port); + decorate(secureConnector); + return secureConnector; + } + assert false; + return null; + } + + /** + * This method sets the security properties for the CXF extension + * of the JettySslConnector. + */ + private void decorateCXFJettySslSocketConnector( + CXFJettySslSocketConnector con + ) { + con.setKeyManagers(tlsServerParameters.getKeyManagers()); + con.setTrustManagers(tlsServerParameters.getTrustManagers()); + con.setSecureRandom(tlsServerParameters.getSecureRandom()); + con.setClientAuthentication( + tlsServerParameters.getClientAuthentication()); + con.setProtocol(tlsServerParameters.getSecureSocketProtocol()); + con.setProvider(tlsServerParameters.getJsseProvider()); + con.setCipherSuites(tlsServerParameters.getCipherSuites()); + con.setCipherSuitesFilter(tlsServerParameters.getCipherSuitesFilter()); } /** * Decorate listener with applicable SSL settings. + * This method will be deprecated after old SSL configuration is gone. + * This method has been modified to use the CXF extension + * to the JettySslSocketConnector so that we may upgrade to + * Jetty 6.1.3. 
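Review bot: The new `JettySslConnectorFactory(TLSServerParameters params)` constructor has no Javadoc, while the deprecated constructor beside it documents its argument as "guaranteed non-null"; since `createConnector` in the next hunk branches on `tlsServerParameters != null`, the nullability contract for `params` is exactly what a caller needs to know. Mirror the existing comment: `/** Constructor. @param params the applicable TLSServerParameters (guaranteed non-null) */`. The `@Deprecated` annotations added to `UNSUPPORTED`, `sslPolicy` and the old constructor likewise have no `@deprecated` Javadoc tag naming the TLSServerParameters replacement.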
* * @param listener the secure listener */ - public void decorate(SslSocketConnector secureListener) { + @Deprecated + public void decorate(CXFJettySslSocketConnector secureListener) { + + // This has been modified to work with Jetty 6.1.3 and our + // extended JettySslSocketConnector, because they have a bug + // in which processing the TrustStore throws a null pointer + // exception if the trust store doesn't have a password set. + String keyStoreLocation = SSLUtils.getKeystore(sslPolicy.getKeystore(), LOG); - secureListener.setKeystore(keyStoreLocation); + //secureListener.setKeystore(keyStoreLocation); String keyStoreType = SSLUtils.getKeystoreType(sslPolicy.getKeystoreType(), LOG); - secureListener.setKeystoreType(keyStoreType); + //secureListener.setKeystoreType(keyStoreType); String keyStorePassword = SSLUtils.getKeystorePassword(sslPolicy.getKeystorePassword(), LOG); - secureListener.setPassword(keyStorePassword); + //secureListener.setPassword(keyStorePassword); String keyPassword = SSLUtils.getKeyPassword(sslPolicy.getKeyPassword(), LOG); - secureListener.setKeyPassword(keyPassword); + //secureListener.setKeyPassword(keyPassword); String keyStoreMgrFactoryAlgorithm = SSLUtils.getKeystoreAlgorithm(sslPolicy.getKeystoreAlgorithm(), LOG); - secureListener.setSslKeyManagerFactoryAlgorithm(keyStoreMgrFactoryAlgorithm); - - System.setProperty("javax.net.ssl.trustStore", - SSLUtils.getTrustStore(sslPolicy.getTrustStore(), - LOG)); + //secureListener.setSslKeyManagerFactoryAlgorithm(keyStoreMgrFactoryAlgorithm); + String secureSocketProtocol = SSLUtils.getSecureSocketProtocol(sslPolicy.getSecureSocketProtocol(), LOG); secureListener.setProtocol(secureSocketProtocol); - //need to Check it + + secureListener.setWantClientAuth( SSLUtils.getWantClientAuthentication( sslPolicy.isSetWantClientAuthentication(), 
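Review bot: `decorate` is now `@Deprecated` but its Javadoc only says it "will be deprecated after old SSL configuration is gone", so callers get the compiler warning without being told what to migrate to; add `@deprecated use {@link #JettySslConnectorFactory(TLSServerParameters)} and the TLSServerParameters path instead.` to the Javadoc. The paragraph about the Jetty 6.1.3 trust-store password bug repeats the class-level comment of CXFJettySslSocketConnector; a one-line pointer to that class would keep the two from drifting apart. `decorate` continues past the end of this hunk.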
@@ -109,22 +159,56 @@ sslPolicy.isRequireClientAuthentication(), LOG)); + String trustStoreType = + SSLUtils.getTrustStoreType(sslPolicy.getTrustStoreType(), LOG); + + String trustStoreLocation = + SSLUtils.getTrustStore(sslPolicy.getTrustStore(), LOG); + + String trustStoreMgrFactoryAlgorithm = + SSLUtils.getTrustStoreAlgorithm( + sslPolicy.getTrustStoreAlgorithm(), LOG); + + //System.setProperty("javax.net.ssl.trustStore", + // SSLUtils.getTrustStore(sslPolicy.getTrustStore(), + // LOG)); + //need to Check it try { - SSLContext ctx = SSLUtils.getSSLContext( - secureSocketProtocol, + KeyManager[] keyManagers = SSLUtils.getKeyStoreManagers(keyStoreLocation, - keyStoreType, - keyStorePassword, - keyPassword, - keyStoreMgrFactoryAlgorithm, - secureSocketProtocol, - LOG), - null); + keyStoreType, + keyStorePassword, + keyPassword, + keyStoreMgrFactoryAlgorithm, + secureSocketProtocol, + LOG); + secureListener.setKeyManagers(keyManagers); + + // On the client side, it was strange that if you Keystore was + // of type PCKS12, then your TrustStore location had to point to + // was a PEM encoded CA Certificate. However, in this code before + // modification, it didn't seem like the TrustSTore + // had to be a single PEM CA certificate if the Keystore was + // of type PKCS12. So, we use false here for pkcs12 parameter. 
+ + TrustManager[] trustManagers = + SSLUtils.getTrustStoreManagers( + false, + trustStoreType, trustStoreLocation, + trustStoreMgrFactoryAlgorithm, LOG); + + secureListener.setTrustManagers(trustManagers); + + SSLContext ctx = SSLUtils.getSSLContext( + secureSocketProtocol, keyManagers, trustManagers); + secureListener.setExcludeCipherSuites( - SSLUtils.getCiphersuites(sslPolicy.getCiphersuites(), - SSLUtils.getServerSupportedCipherSuites(ctx), - sslPolicy.getCiphersuiteFilters(), - LOG, true)); + SSLUtils.getCiphersuites( + sslPolicy.getCiphersuites(), + SSLUtils.getServerSupportedCipherSuites(ctx), + sslPolicy.getCiphersuiteFilters(), + LOG, true)); + } catch (Exception e) { LogUtils.log(LOG, Level.SEVERE, "SSL_CONTEXT_INIT_FAILURE", e); } Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestinationTest.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestinationTest.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestinationTest.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPDestinationTest.java Thu May 24 23:44:27 2007 @@ -86,7 +86,7 @@ private EndpointInfo endpointInfo; private EndpointReferenceType address; private EndpointReferenceType replyTo; - private ServerEngine engine; + private JettyHTTPServerEngine engine; private HTTPServerPolicy policy; private JettyHTTPDestination destination; private Request request; 
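Review bot: The `catch (Exception e)` at the end of `decorate` logs `SSL_CONTEXT_INIT_FAILURE` and returns normally, so when the key or trust store cannot be loaded `createConnector` still returns the connector with only the managers set before the failure, and `CXFJettySslSocketConnector.createFactory` later calls `context.init` with a null array for the rest. A missing key manager surfaces at handshake time, but a missing trust manager is replaced by JSSE with the JDK default trust store, so a mistyped trust-store path weakens client-certificate checking instead of stopping the listener. Rethrow after logging, e.g. `throw new RuntimeException("SSL_CONTEXT_INIT_FAILURE", e);`, so a misconfigured TLS listener never starts. `decorate` begins in the previous hunk.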
@@ -101,6 +101,27 @@ private List queryHandlerList; private JettyHTTPTransportFactory transportFactory; + /** + * This class replaces the engine in the Jetty Destination. + */ + private class EasyMockJettyHTTPDestination + extends JettyHTTPDestination { + + public EasyMockJettyHTTPDestination( + Bus b, + JettyHTTPTransportFactory ci, + EndpointInfo endpointInfo, + JettyHTTPServerEngine easyMockEngine + ) throws IOException { + super(b, ci, endpointInfo); + engine = easyMockEngine; + } + + @Override + public void retrieveEngine() { + // Leave engine alone. + } + } @After public void tearDown() { @@ -317,14 +338,13 @@ endpointInfo.addExtensor(policy); endpointInfo.addExtensor(new SSLServerPolicy()); - engine = EasyMock.createMock(ServerEngine.class); + engine = EasyMock.createMock(JettyHTTPServerEngine.class); EasyMock.replay(); endpointInfo.setAddress(NOWHERE + "bar/foo"); - JettyHTTPDestination dest = new JettyHTTPDestination(bus, - transportFactory, - endpointInfo, - engine); + JettyHTTPDestination dest = + new EasyMockJettyHTTPDestination( + bus, transportFactory, endpointInfo, engine); assertEquals(policy, dest.getServer()); } @@ -397,7 +417,8 @@ return setUpDestination(false, false); }; - private JettyHTTPDestination setUpDestination(boolean contextMatchOnStem, boolean mockedBus) + private JettyHTTPDestination setUpDestination( + boolean contextMatchOnStem, boolean mockedBus) throws Exception { policy = new HTTPServerPolicy(); address = getEPR("bar/foo"); @@ -421,7 +442,7 @@ }; transportFactory.setBus(bus); - engine = EasyMock.createMock(ServerEngine.class); + engine = EasyMock.createMock(JettyHTTPServerEngine.class); ServiceInfo serviceInfo = new ServiceInfo(); serviceInfo.setName(new QName("bla", "Service")); endpointInfo = new EndpointInfo(serviceInfo, ""); 
@@ -436,7 +457,7 @@ EasyMock.expectLastCall(); EasyMock.replay(engine); - JettyHTTPDestination dest = new JettyHTTPDestination(bus, + JettyHTTPDestination dest = new EasyMockJettyHTTPDestination(bus, transportFactory, endpointInfo, engine); Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineTest.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineTest.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineTest.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngineTest.java Thu May 24 23:44:27 2007 @@ -34,11 +34,13 @@ private Bus bus; private IMocksControl control; + private JettyHTTPServerEngineFactory factory; @Before public void setUp() throws Exception { control = EasyMock.createNiceControl(); bus = control.createMock(Bus.class); + factory = new JettyHTTPServerEngineFactory(bus); Configurer configurer = new ConfigurerImpl(); 
@@ -49,43 +51,43 @@ @Test public void testEngineEquality() { - JettyHTTPServerEngine engine = JettyHTTPServerEngine.getForPort(bus, "http", 1234); + JettyHTTPServerEngine engine = factory.getForPort("http", 1234); assertTrue("Engine references for the same port should point to the same instance", - engine == JettyHTTPServerEngine.getForPort(bus, "http", 1234)); + engine == factory.getForPort("http", 1234)); assertFalse("Engine references for the different ports should point to diff instances", - engine == JettyHTTPServerEngine.getForPort(bus, "http", 1235)); - JettyHTTPServerEngine.destroyForPort(1234); - JettyHTTPServerEngine.destroyForPort(1235); + engine == factory.getForPort("http", 1235)); + factory.destroyForPort(1234); + factory.destroyForPort(1235); } @Test public void testNoSSLServerPolicySet() { - JettyHTTPServerEngine engine = JettyHTTPServerEngine.getForPort(bus, "http", 1234); + JettyHTTPServerEngine engine = factory.getForPort("http", 1234); assertFalse("SSLServerPolicy must not be set", engine.isSetSslServer()); - engine = JettyHTTPServerEngine.getForPort(bus, "http", 1235, null); + engine = factory.getForPort("http", 1235, (SSLServerPolicy) null); assertFalse("SSLServerPolicy must not be set", engine.isSetSslServer()); - JettyHTTPServerEngine engine2 = JettyHTTPServerEngine.getForPort(bus, "http", 1234, + JettyHTTPServerEngine engine2 = factory.getForPort("http", 1234, new SSLServerPolicy()); assertFalse("SSLServerPolicy must not be set for already intialized engine", engine2.isSetSslServer()); - JettyHTTPServerEngine.destroyForPort(1234); - JettyHTTPServerEngine.destroyForPort(1235); + factory.destroyForPort(1234); + factory.destroyForPort(1235); } @Test public void testDestinationSSLServerPolicy() { SSLServerPolicy policy = new SSLServerPolicy(); - JettyHTTPServerEngine engine = JettyHTTPServerEngine.getForPort(bus, "http", 1234, + JettyHTTPServerEngine engine = factory.getForPort("http", 1234, policy); assertTrue("SSLServerPolicy must be set", 
engine.getSslServer() == policy); - JettyHTTPServerEngine engine2 = JettyHTTPServerEngine.getForPort(bus, "http", 1234, + JettyHTTPServerEngine engine2 = factory.getForPort("http", 1234, new SSLServerPolicy()); assertTrue("Engine references for the same port should point to the same instance", engine == engine2); assertTrue("SSLServerPolicy must not be set for already intialized engine", engine.getSslServer() == policy); - JettyHTTPServerEngine.destroyForPort(1234); + factory.destroyForPort(1234); } } Modified: incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactoryTest.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactoryTest.java?view=diff&rev=541568&r1=541567&r2=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactoryTest.java (original) +++ incubator/cxf/trunk/rt/transports/http-jetty/src/test/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactoryTest.java Thu May 24 23:44:27 2007 @@ -19,7 +19,7 @@ package org.apache.cxf.transport.https_jetty; -import java.io.File; +//import java.io.File; import java.net.URISyntaxException; import java.net.URL; import java.util.Properties; @@ -27,8 +27,8 @@ import java.util.logging.LogRecord; -import org.apache.cxf.configuration.security.FiltersType; -import org.apache.cxf.configuration.security.ObjectFactory; +//import org.apache.cxf.configuration.security.FiltersType; +//import org.apache.cxf.configuration.security.ObjectFactory; import org.apache.cxf.configuration.security.SSLServerPolicy; import org.apache.cxf.transport.https.SSLUtils; 
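Review bot: The `factory.destroyForPort(1234)` / `destroyForPort(1235)` calls at the end of each test only run when every assertion before them passes; now that engines are cached per port in the factory, a single failing assertion leaves the engine alive and the next test's `factory.getForPort("http", 1234)` silently returns the stale instance, so one failure cascades into the others. Move the destroy calls into a `finally` block in each test, or into an `@After` method alongside the `factory` field set up in `setUp`.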
@@ -37,7 +37,6 @@ import org.junit.Assert; import org.junit.Before; import org.junit.Test; -import org.mortbay.jetty.security.SslSocketConnector; public class JettySslConnectorFactoryTest extends Assert { @@ -45,16 +44,17 @@ "../../../../../../../../" + "http/src/test/java/org/apache/cxf/transport/https/"; - private static final String[] EXPORT_CIPHERS = - {"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_DES_CBC_SHA"}; - private static final String[] NON_EXPORT_CIPHERS = - {"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}; +// PMD non use because of commented out stuff below +// private static final String[] EXPORT_CIPHERS = +// {"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_DES_CBC_SHA"}; +// private static final String[] NON_EXPORT_CIPHERS = +// {"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}; - private SslSocketConnector sslConnector; + private CXFJettySslSocketConnector sslConnector; @Before public void setUp() throws Exception { - sslConnector = new SslSocketConnector(); + sslConnector = new CXFJettySslSocketConnector(); } @After @@ -126,7 +126,7 @@ } } */ - +/* With Jetty 6.1.3 this kind of configuration tests no longer apply. @Test public void testSetAllData() throws Exception { String keyStoreStr = getPath("resources/defaultkeystore"); @@ -397,6 +397,7 @@ assertTrue("Expected excluded ciphersuite not included", handler.checkLogContainsString("The enabled cipher suites have been filtered down to")); } +*/ @Test public void testAllValidDataJKS() throws Exception { 
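Review bot: Commenting out `testSetAllData` through the `*/` after the "filtered down to" assertion removes the only coverage visible here that export, NULL and DES suites are excluded from the server connector, and the new `CXFJettySslSocketConnector.createFactory`, which now performs that filtering, gets no replacement test in this commit. If the old tests cannot run against Jetty 6.1.3, a test that builds a `CXFJettySslSocketConnector` with a `FiltersType` and inspects the excluded suites after `createFactory()` would keep the regression guard. The `EXPORT_CIPHERS`/`NON_EXPORT_CIPHERS` constants being commented out with a `// PMD non use` marker suggests this was deferred rather than intentional; a TODO naming the follow-up would make that explicit.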
@@ -459,21 +460,21 @@ factory.addLogHandler(handler); return factory; } - - private static String overrideHome() { - String oldHome = System.getProperty("user.home"); - String tmpHome = "" + System.getProperty("java.io.tmpdir") - + File.separator - + System.getProperty("user.name") - + File.separator - + System.currentTimeMillis(); - System.setProperty("user.home", tmpHome); - return oldHome; - } - - private static void restoreHome(String oldHome) { - System.setProperty("user.home", oldHome); - } +// PMD non use because of commented out stuff above +// private static String overrideHome() { +// String oldHome = System.getProperty("user.home"); +// String tmpHome = "" + System.getProperty("java.io.tmpdir") +// + File.separator +// + System.getProperty("user.name") +// + File.separator +// + System.currentTimeMillis(); +// System.setProperty("user.home", tmpHome); +// return oldHome; +// } +// +// private static void restoreHome(String oldHome) { +// System.setProperty("user.home", oldHome); +// } protected static String getPath(String fileName) throws URISyntaxException { Added: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?view=auto&rev=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java (added) +++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java Thu May 24 23:44:27 2007 
@@ -0,0 +1,56 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.configuration.jsse.spring; + +import java.io.IOException; +import java.security.GeneralSecurityException; + + +import org.apache.cxf.configuration.jsse.TLSClientParameters; +import org.apache.cxf.configuration.security.TLSClientParametersType; + +/** + * This class provides the TLSServerParameters that programmatically + * configure a HTTPDestination. It is initialized with the JAXB + * type TLSClientParametersType which is used in Spring Configuration + * of the http-conduit bean. 
+ */ +public class TLSClientParametersConfig + extends TLSClientParameters { + + public TLSClientParametersConfig(TLSClientParametersType params) + throws GeneralSecurityException, + IOException { + + this.setCipherSuitesFilter(params.getCipherSuitesFilter()); + if (params.isSetCipherSuites()) { + this.setCipherSuites(params.getCipherSuites().getCipherSuite()); + } + this.setJsseProvider(params.getJsseProvider()); + this.setSecureSocketProtocol(params.getSecureSocketProtocol()); + this.setSecureRandom( + TLSParameterJaxBUtils.getSecureRandom( + params.getSecureRandomParameters())); + this.setKeyManagers( + TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers())); + this.setTrustManagers( + TLSParameterJaxBUtils.getTrustManagers(params.getTrustManagers())); + } + +} Propchange: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java ------------------------------------------------------------------------------ svn:keywords = Rev Date Added: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSParameterJaxBUtils.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSParameterJaxBUtils.java?view=auto&rev=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSParameterJaxBUtils.java (added) +++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSParameterJaxBUtils.java Thu May 24 23:44:27 2007 
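Review bot: The class Javadoc says `TLSClientParametersConfig` "provides the TLSServerParameters that programmatically configure a HTTPDestination", but the class extends `TLSClientParameters` and the last sentence says it configures the http-conduit bean; the first sentence should read `This class provides the TLSClientParameters that programmatically configure an HTTPConduit.` The constructor also passes `params.getKeyManagers()` and `params.getTrustManagers()` to `TLSParameterJaxBUtils` unconditionally, and both helpers begin with `kmc.getKeyStore()`, so a configuration that omits either element fails with a NullPointerException instead of leaving that manager unset; guard each call (`if (params.getKeyManagers() != null) { ... }`) the way `isSetCipherSuites()` already guards the cipher list. `TLSServerParametersConfig` later in this commit has the same two unguarded calls.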
@@ -0,0 +1,167 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.configuration.jsse.spring; + +import java.io.FileInputStream; +import java.io.IOException; +import java.net.URL; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.SecureRandom; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; + +import org.apache.cxf.configuration.security.KeyManagersType; +import org.apache.cxf.configuration.security.KeyStoreType; +import org.apache.cxf.configuration.security.SecureRandomParameters; +import org.apache.cxf.configuration.security.TrustManagersType; + +/** + * This class provides some functionality to convert the JAXB + * generated types in the security.xsd to the items needed + * to programatically configure the HTTPConduit and HTTPDesination + * with TLSClientParameters and TLSServerParameters respectively. + */ +public final class TLSParameterJaxBUtils { + + private TLSParameterJaxBUtils() { + // empty + } + /** + * This method converts the JAXB generated type into a SecureRandom. 
+ */ + public static SecureRandom getSecureRandom( + SecureRandomParameters secureRandomParams + ) throws GeneralSecurityException { + + SecureRandom secureRandom = null; + if (secureRandomParams != null) { + String secureRandomAlg = + secureRandomParams.getAlgorithm(); + String randomProvider = + secureRandomParams.getProvider(); + if (randomProvider != null) { + secureRandom = secureRandomAlg != null + ? SecureRandom.getInstance( + secureRandomAlg, + randomProvider) + : null; + } else { + secureRandom = secureRandomAlg != null + ? SecureRandom.getInstance( + secureRandomAlg) + : null; + } + } + return secureRandom; + } + /** + * This method converts a JAXB generated KeyStoreType into a KeyStore. + */ + public static KeyStore getKeyStore(KeyStoreType kst) + throws GeneralSecurityException, + IOException { + + String type = kst.isSetType() + ? kst.getType() + : KeyStore.getDefaultType(); + + char[] password = kst.isSetPassword() + ? kst.getPassword().toCharArray() + : null; + + KeyStore keyStore = !kst.isSetProvider() + ? KeyStore.getInstance(type) + : KeyStore.getInstance(type, kst.getProvider()); + + if (kst.isSetFile()) { + keyStore.load(new FileInputStream(kst.getFile()), password); + } + if (kst.isSetResource()) { + keyStore.load(kst.getClass().getClassLoader().getResourceAsStream(kst.getResource()), password); + } + if (kst.isSetUrl()) { + keyStore.load(new URL(kst.getUrl()).openStream(), password); + } + return keyStore; + } + + /** + * This method converts the JAXB KeyManagersType into a list of + * JSSE KeyManagers. + */ + public static KeyManager[] getKeyManagers(KeyManagersType kmc) + throws GeneralSecurityException, + IOException { + + KeyStore keyStore = getKeyStore(kmc.getKeyStore()); + + if (keyStore == null) { + return null; + } + + String alg = kmc.isSetFactoryAlgorithm() + ? kmc.getFactoryAlgorithm() + : KeyManagerFactory.getDefaultAlgorithm(); + + char[] keyPass = kmc.isSetKeyPassword() + ? 
kmc.getKeyPassword().toCharArray() + : null; + + KeyManagerFactory fac = + kmc.isSetProvider() + ? KeyManagerFactory.getInstance(alg, kmc.getProvider()) + : KeyManagerFactory.getInstance(alg); + + fac.init(keyStore, keyPass); + + return fac.getKeyManagers(); + } + + /** + * This method converts the JAXB KeyManagersType into a list of + * JSSE TrustManagers. + */ + public static TrustManager[] getTrustManagers(TrustManagersType kmc) + throws GeneralSecurityException, + IOException { + + KeyStore keyStore = getKeyStore(kmc.getKeyStore()); + + if (keyStore == null) { + return null; + } + + String alg = kmc.isSetFactoryAlgorithm() + ? kmc.getFactoryAlgorithm() + : KeyManagerFactory.getDefaultAlgorithm(); + + TrustManagerFactory fac = + kmc.isSetProvider() + ? TrustManagerFactory.getInstance(alg, kmc.getProvider()) + : TrustManagerFactory.getInstance(alg); + + fac.init(keyStore); + + return fac.getTrustManagers(); + } +} Propchange: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSParameterJaxBUtils.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSParameterJaxBUtils.java ------------------------------------------------------------------------------ svn:keywords = Rev Date Added: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java?view=auto&rev=541568 ============================================================================== --- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java (added) +++ 
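Review bot: `getTrustManagers` defaults the factory algorithm to `KeyManagerFactory.getDefaultAlgorithm()`, which is the key-manager default rather than the trust-manager one; on the standard JDK that yields SunX509 instead of PKIX, i.e. a trust manager without PKIX path validation — the line should be `: TrustManagerFactory.getDefaultAlgorithm();` (and its Javadoc still says it converts a KeyManagersType). In `getKeyStore`, none of the three input streams is ever closed, a `getResourceAsStream` that returns null for a mistyped resource name becomes `keyStore.load(null, password)`, which silently yields an empty key or trust store, and the three `if`s are not exclusive, so the last configured source wins with no diagnostic. Because `getKeyStore` cannot return null, the `keyStore == null` branches in both callers are dead; a store with no source instead fails later in `fac.init` with an uninitialized-keystore error. The load sequence below closes the stream, treats the sources as exclusive and rejects a missing or absent source (it needs `java.io.InputStream` imported).
```java
    public static KeyStore getKeyStore(KeyStoreType kst)
        throws GeneralSecurityException,
               IOException {
        // … unchanged: type, password and KeyStore.getInstance …
        InputStream in = null;
        if (kst.isSetFile()) {
            in = new FileInputStream(kst.getFile());
        } else if (kst.isSetResource()) {
            in = kst.getClass().getClassLoader()
                    .getResourceAsStream(kst.getResource());
            if (in == null) {
                throw new IOException(
                    "Keystore resource not found: " + kst.getResource());
            }
        } else if (kst.isSetUrl()) {
            in = new URL(kst.getUrl()).openStream();
        } else {
            throw new IllegalArgumentException(
                "KeyStore configuration has no file, resource or url");
        }
        try {
            keyStore.load(in, password);
        } finally {
            in.close();
        }
        return keyStore;
    }
```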
incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java Thu May 24 23:44:27 2007 
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.configuration.jsse.spring;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.apache.cxf.configuration.jsse.TLSServerParameters;
+import org.apache.cxf.configuration.security.TLSServerParametersType;
+
+/**
+ * This class is used by Spring Config to convert the TLSServerParameters
+ * JAXB generated type into programmatic TLS Server Parameters for the
+ * configuration of the http-destination.
+ */
+public class TLSServerParametersConfig
+ extends TLSServerParameters {
+
+ public TLSServerParametersConfig(TLSServerParametersType params)
+ throws GeneralSecurityException,
+ IOException {
+
+ this.setCipherSuitesFilter(params.getCipherSuitesFilter());
+ if (params.isSetCipherSuites()) {
+ this.setCipherSuites(params.getCipherSuites().getCipherSuite());
+ }
+ this.setJsseProvider(params.getJsseProvider());
+ this.setSecureRandom(
+ TLSParameterJaxBUtils.getSecureRandom(
+ params.getSecureRandomParameters()));
+ this.setClientAuthentication(params.getClientAuthentication());
+ this.setKeyManagers(
+ TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers()));
+ this.setTrustManagers(
+ TLSParameterJaxBUtils.getTrustManagers(params.getTrustManagers()));
+ }
+}
Propchange: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java?view=diff&rev=541568&r1=541567&r2=541568
==============================================================================
--- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java (original)
+++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java Thu May 24 23:44:27 2007
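Review bot: The constructor hands `params.getKeyManagers()` and `params.getTrustManagers()` straight to the JAXB helpers, and the `getTrustManagers` helper visible at the top of this chunk dereferences its argument immediately (`kmc.getKeyStore()`), so a `tlsServerParameters` element that omits either child — a server that does not require client authentication commonly omits `trustManagers` — fails with a NullPointerException instead of a configuration error. The generated type appears to expose presence checks, as the `params.isSetCipherSuites()` test a few lines above shows, so guard both calls the same way: `if (params.isSetKeyManagers()) { this.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers())); }` and likewise `if (params.isSetTrustManagers()) { … }`. Whether the engine that consumes `TLSServerParameters` tolerates a null key-manager list is not visible here, so a server definition with no `keyManagers` is probably better rejected up front with a descriptive exception than left to fail at handshake time. Separately, the helper's fallback trust algorithm is taken from `KeyManagerFactory.getDefaultAlgorithm()`; `TrustManagerFactory.getDefaultAlgorithm()` is the matching default and that correction belongs in TLSParameterJaxBUtils.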
@@ -42,6 +42,7 @@
 import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.configuration.Configurable;
+import org.apache.cxf.configuration.jsse.TLSServerParameters;
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.configuration.security.SSLServerPolicy;
 import org.apache.cxf.helpers.CastUtils;
@@ -85,6 +86,11 @@
 protected String contextMatchStrategy = "stem";
 protected boolean fixedParameterOrder;
 protected boolean multiplexWithAddress;
+
+ /**
+ * This field holds the TLS Server Parameters for this Destination.
+ */
+ protected TLSServerParameters tlsServerParameters;
 /**
 * Constructor
@@ -459,12 +465,14 @@
 String address = (String)context.get(Message.PATH_INFO);
 if (null != address) {
 int afterLastSlashIndex = address.lastIndexOf("/") + 1;
- if (afterLastSlashIndex > 0 && afterLastSlashIndex < address.length()) {
+ if (afterLastSlashIndex > 0
+ && afterLastSlashIndex < address.length()) {
 id = address.substring(afterLastSlashIndex);
 }
 } else {
 getLogger().log(Level.WARNING,
- new org.apache.cxf.common.i18n.Message("MISSING_PATH_INFO", LOG).toString());
+ new org.apache.cxf.common.i18n.Message(
+ "MISSING_PATH_INFO", LOG).toString());
 }
 } else {
 return super.getId(context);
@@ -511,15 +519,25 @@
 public void setServer(HTTPServerPolicy server) {
 this.server = server;
 }
-
+
+ @Deprecated
 public SSLServerPolicy getSslServer() {
 return sslServer;
 }
+ @Deprecated
 public void setSslServer(SSLServerPolicy sslServer) {
 this.sslServer = sslServer;
 }
+
+ public void setTlsServerParameters(TLSServerParameters params) {
+ this.tlsServerParameters = params;
+ }
+ public TLSServerParameters getTlsServerParameters() {
+ return this.tlsServerParameters;
+ }
+
 public void assertMessage(Message message) {
 PolicyUtils.assertServerPolicy(message, server);
 }
Modified: incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPTransportFactory.java
URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPTransportFactory.java?view=diff&rev=541568&r1=541567&r2=541568
==============================================================================
--- incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPTransportFactory.java (original)
+++ incubator/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPTransportFactory.java Thu May 24 23:44:27 2007
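Review bot: The two `@Deprecated` annotations on `getSslServer`/`setSslServer` come without a Javadoc `@deprecated` tag, and the new `setTlsServerParameters`/`getTlsServerParameters` accessors are undocumented, so a reader of this class cannot tell which of the two TLS configurations wins when both `sslServer` and `tlsServerParameters` are set on a destination — the conduit-side factory in this same commit gives the new parameters precedence, but nothing here states the rule for destinations, and the code that consumes these fields is outside the hunk. Add `/** @deprecated use {@link #setTlsServerParameters(TLSServerParameters)} instead. */` above each deprecated accessor, and a Javadoc on `setTlsServerParameters` stating whether it supersedes an `sslServer` policy that is also configured. Because this is the server's TLS policy, silently picking one of two conflicting settings is something that should at least be documented, and ideally logged, so a stale legacy block is not mistaken for the active configuration.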
@@ -238,12 +238,19 @@
 static HttpURLConnectionFactory getConnectionFactory(
 HTTPConduit configuredConduit
 ) {
- if (configuredConduit.getSslClient() == null) {
- return new HttpURLConnectionFactoryImpl();
- } else {
- return new HttpsURLConnectionFactory(
+ HttpURLConnectionFactory fac = null;
+
+ if (configuredConduit.getTlsClientParameters() != null) {
+ fac = new HttpsURLConnectionFactory(
+ configuredConduit.getTlsClientParameters());
+ // TODO: remove when old SSL config is gone
+ } else if (configuredConduit.getSslClient() != null) {
+ fac = new HttpsURLConnectionFactory(
 configuredConduit.getSslClient());
+ } else {
+ fac = new HttpURLConnectionFactoryImpl();
 }
+ return fac;
 }
 private static class HttpEndpointInfo extends EndpointInfo {
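Review bot: When a conduit has both `tlsClientParameters` and the deprecated `sslClient` configured, the new `if`/`else if` chain silently discards `sslClient`; both carry TLS policy (trust material, cipher-suite filters), so a legacy block that is stricter than the new one being dropped without a trace is worth surfacing during migration — e.g. inside the first branch, `if (configuredConduit.getSslClient() != null) { LOG.warning("sslClient ignored: tlsClientParameters takes precedence"); }` (assuming the class has a logger; none is visible in this hunk). Style-wise, `HttpURLConnectionFactory fac = null;` is assigned on every path, so the null initializer is unnecessary, or each branch can simply `return` as the removed code did. The `// TODO: remove when old SSL config is gone` comment sits inside the first branch but describes the `else if` that follows it; moving it directly above that line makes the intent clearer.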