Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3389D17302 for ; Wed, 5 Nov 2014 17:46:02 +0000 (UTC) Received: (qmail 81184 invoked by uid 500); 5 Nov 2014 17:46:01 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 81117 invoked by uid 500); 5 Nov 2014 17:46:01 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 80981 invoked by uid 99); 5 Nov 2014 17:46:01 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 05 Nov 2014 17:46:01 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 8C4E390853B; Wed, 5 Nov 2014 17:46:01 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Date: Wed, 05 Nov 2014 17:46:02 -0000 Message-Id: <1dfd53c736e440c79ff659605bc098a7@git.apache.org> In-Reply-To: <6150f73fbf334760ac44cf07586373d1@git.apache.org> References: <6150f73fbf334760ac44cf07586373d1@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/4] git commit: Fixing last commit Fixing last commit Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/26815745 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/26815745 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/26815745 Branch: refs/heads/2.7.x-fixes Commit: 26815745a13a8cd014f1266abc15dc022b741e2d Parents: f121288 Author: Colm O hEigeartaigh Authored: Wed Nov 5 17:31:01 2014 +0000 Committer: Colm O hEigeartaigh Committed: Wed Nov 5 17:31:35 2014 +0000 ---------------------------------------------------------------------- .../http_jetty/JettyHTTPServerEngine.java | 243 +------------------ .../osgi/HTTPJettyTransportActivator.java | 2 +- .../https_jetty/CXFJettySslSocketConnector.java | 16 +- .../https_jetty/JettySslConnectorFactory.java | 1 + 4 files changed, 18 insertions(+), 244 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/26815745/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java index 5904007..d6c5376 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java 
@@ -468,248 +468,6 @@ public class JettyHTTPServerEngine ++servantCount; } -<<<<<<< HEAD -======= - private void addServerMBean() { - if (mBeanContainer == null) { - return; - } - - try { - Object o = getContainer(server); - o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o, mBeanContainer); - if (Server.getVersion().startsWith("8")) { - return; - } - mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class) - .invoke(mBeanContainer, null, server); - } catch (RuntimeException rex) { - throw rex; - } catch (Exception r) { - throw new RuntimeException(r); - } - } - private void removeServerMBean() { - try { - mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class) - .invoke(mBeanContainer, null, server); - } catch (RuntimeException rex) { - throw rex; - } catch (Exception r) { - throw new RuntimeException(r); - } - } - - private Connector createConnector(String hosto, int porto) { - // now we just use the SelectChannelConnector as the default connector - SslContextFactory sslcf = null; - if (tlsServerParameters != null) { - sslcf = new SslContextFactory() { - protected void doStart() throws Exception { - setSslContext(createSSLContext(this)); - super.doStart(); - } - public void checkKeyStore() { - //we'll handle this later - } - }; - decorateCXFJettySslSocketConnector(sslcf); - } - AbstractConnector result = null; - if (!Server.getVersion().startsWith("8")) { - result = createConnectorJetty9(sslcf, hosto, porto); - } else { - result = createConnectorJetty8(sslcf, hosto, porto); - } - - try { - result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto); - if (hosto != null) { - result.getClass().getMethod("setHost", String.class).invoke(result, hosto); - } - result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress()); - } catch (RuntimeException rex) { - throw rex; - } catch (Exception ex) { - throw new RuntimeException(ex); - } - - return 
result; - } - - AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto) { - //Jetty 9 - AbstractConnector result = null; - try { - Class configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration", - Server.class); - Object httpConfig = configClass.newInstance(); - httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE) - .invoke(httpConfig, getSendServerVersion()); - - Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory", - Server.class) - .getConstructor(configClass).newInstance(httpConfig); - - Collection connectionFactories = new ArrayList(); - result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector", - Server.class) - .getConstructor(Server.class) - .newInstance(server); - - if (tlsServerParameters != null) { - Class src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer", - Server.class); - httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0]) - .invoke(httpConfig, src.newInstance()); - Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory", - Server.class).getConstructor(SslContextFactory.class, - String.class) - .newInstance(sslcf, "HTTP/1.1"); - connectionFactories.add(scf); - result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result, "SSL-HTTP/1.1"); - } - connectionFactories.add(httpFactory); - result.getClass().getMethod("setConnectionFactories", Collection.class) - .invoke(result, connectionFactories); - - if (getMaxIdleTime() > 0) { - result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new Long(getMaxIdleTime())); - } - - } catch (RuntimeException rex) { - throw rex; - } catch (Exception ex) { - throw new RuntimeException(ex); - } - return result; - } - AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto) { - //Jetty 8 - AbstractConnector 
result = null; - try { - if (sslcf == null) { - result = (AbstractConnector)ClassLoaderUtils - .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector", - Server.class).newInstance(); - } else { - result = (AbstractConnector)ClassLoaderUtils - .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector", - Server.class).getConstructor(SslContextFactory.class) - .newInstance(sslcf); - } - Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion()); - if (getMaxIdleTime() > 0) { - result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result, getMaxIdleTime()); - } - } catch (RuntimeException rex) { - throw rex; - } catch (Exception ex) { - throw new RuntimeException(ex); - } - return result; - } - - - protected SSLContext createSSLContext(SslContextFactory scf) throws Exception { - String proto = tlsServerParameters.getSecureSocketProtocol() == null - ? "TLS" : tlsServerParameters.getSecureSocketProtocol(); - - // Exclude SSLv3 by default unless the protocol is given as SSLv3 - if (!"SSLv3".equals(proto) && tlsServerParameters.getExcludeProtocols().isEmpty()) { - scf.addExcludeProtocols("SSLv3"); - } else { - for (String p : tlsServerParameters.getExcludeProtocols()) { - scf.addExcludeProtocols(p); - } - } - - SSLContext context = tlsServerParameters.getJsseProvider() == null - ? 
SSLContext.getInstance(proto) - : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider()); - - KeyManager keyManagers[] = tlsServerParameters.getKeyManagers(); - if (tlsServerParameters.getCertAlias() != null) { - keyManagers = getKeyManagersWithCertAlias(keyManagers); - } - context.init(tlsServerParameters.getKeyManagers(), - tlsServerParameters.getTrustManagers(), - tlsServerParameters.getSecureRandom()); - - String[] cs = - SSLUtils.getCiphersuites( - tlsServerParameters.getCipherSuites(), - SSLUtils.getServerSupportedCipherSuites(context), - tlsServerParameters.getCipherSuitesFilter(), - LOG, true); - - scf.setExcludeCipherSuites(cs); - return context; - } - protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception { - if (tlsServerParameters.getCertAlias() != null) { - for (int idx = 0; idx < keyManagers.length; idx++) { - if (keyManagers[idx] instanceof X509KeyManager) { - keyManagers[idx] = new AliasedX509ExtendedKeyManager( - tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]); - } - } - } - return keyManagers; - } - protected void setClientAuthentication(SslContextFactory con, - ClientAuthentication clientAuth) { - con.setWantClientAuth(true); - if (clientAuth != null) { - if (clientAuth.isSetWant()) { - con.setWantClientAuth(clientAuth.isWant()); - } - if (clientAuth.isSetRequired()) { - con.setNeedClientAuth(clientAuth.isRequired()); - } - } - } - /** - * This method sets the security properties for the CXF extension - * of the JettySslConnector. 
- */ - private void decorateCXFJettySslSocketConnector( - SslContextFactory con - ) { - setClientAuthentication(con, - tlsServerParameters.getClientAuthentication()); - con.setCertAlias(tlsServerParameters.getCertAlias()); - } - - - private static Container getContainer(Object server) { - if (server instanceof Container) { - return (Container)server; - } - try { - return (Container)server.getClass().getMethod("getContainer").invoke(server); - } catch (RuntimeException t) { - throw t; - } catch (Throwable t) { - throw new RuntimeException(t); - } - } - - private static void logConnector(Connector connector) { - try { - String h = (String)connector.getClass().getMethod("getHost").invoke(connector); - int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector); - LOG.finer("connector.host: " - + h == null - ? "null" - : "\"" + h + "\""); - LOG.finer("connector.port: " + port); - } catch (Throwable t) { - //ignore - } - } - ->>>>>>> 1701e6c... [CXF-6087] - Add a way to exclude (multiple) SSL/TLS protocols in the HTTPJ namespace protected void setupThreadPool() { AbstractConnector aconn = (AbstractConnector) connector; if (isSetThreadingParameters()) { @@ -1014,3 +772,4 @@ public class JettyHTTPServerEngine } + http://git-wip-us.apache.org/repos/asf/cxf/blob/26815745/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java index 3d78851..3a48433 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java 
@@ -211,7 +211,7 @@ public class HTTPJettyTransportActivator
 while (st.hasMoreTokens()) {
 p.getCipherSuites().add(st.nextToken());
 }
- } else if (k.startsWith("excludeProtocols")) {
+ } else if (k.startsWith("excludeProtocols")) {
 StringTokenizer st = new StringTokenizer(v, ",");
 while (st.hasMoreTokens()) {
 p.getExcludeProtocols().add(st.nextToken());
http://git-wip-us.apache.org/repos/asf/cxf/blob/26815745/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
index c43dcab..072c7d0 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
@@ -49,6 +49,7 @@ public class CXFJettySslSocketConnector extends SslSelectChannelConnector {
 protected SecureRandom secureRandom;
 protected List cipherSuites;
 protected FiltersType cipherSuitesFilter;
+ protected List excludeProtocols;
 /**
 * Set the cipherSuites
@@ -65,6 +66,13 @@ public class CXFJettySslSocketConnector extends SslSelectChannelConnector {
 }
 /**
+ * Set the protocols to exclude
+ */
+ protected void setExcludeProtocols(List ps) {
+ excludeProtocols = ps;
+ }
+
+ /**
 * Set the KeyManagers.
 */
 protected void setKeyManagers(KeyManager[] kmgrs) {
@@ -113,8 +121,14 @@ public class CXFJettySslSocketConnector extends SslSelectChannelConnector {
 ? "TLS" : getCxfSslContextFactory().getProtocol();
- if (!"SSLv3".equals(proto)) {
+ // Exclude SSLv3 by default unless the protocol is given as SSLv3
+ if (!"SSLv3".equals(proto)
+ && (excludeProtocols == null || excludeProtocols.isEmpty())) {
 getSslContextFactory().addExcludeProtocols("SSLv3");
+ } else if (excludeProtocols != null) {
+ for (String p : excludeProtocols) {
+ getSslContextFactory().addExcludeProtocols(p);
+ }
 }
 SSLContext context = getCxfSslContextFactory().getProvider() == null
http://git-wip-us.apache.org/repos/asf/cxf/blob/26815745/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
index 2b6c5d2..807bba7 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
@@ -87,6 +87,7 @@ public final class JettySslConnectorFactory implements JettyConnectorFactory {
 con.getCxfSslContextFactory().setProvider(tlsServerParameters.getJsseProvider());
 con.setCipherSuites(tlsServerParameters.getCipherSuites());
 con.setCipherSuitesFilter(tlsServerParameters.getCipherSuitesFilter());
+ con.setExcludeProtocols(tlsServerParameters.getExcludeProtocols());
 con.getCxfSslContextFactory().setCertAlias(tlsServerParameters.getCertAlias());
 }
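Review bot: In the new condition of the CXFJettySslSocketConnector hunk, any non-empty `excludeProtocols` list takes the `else if` branch, so a configuration that excludes only some other protocol silently re-enables SSLv3, which the removed line always excluded unless `proto` itself was SSLv3. If the configured list is meant to add to the default rather than replace it, drop the list check from the first condition, `if (!"SSLv3".equals(proto)) {`, close that block, and apply the loop in an independent `if (excludeProtocols != null) {` block. If replacing the default is deliberate, the comment should say so, e.g. `// Exclude SSLv3 by default; an explicit excludeProtocols list replaces this default`, since nothing in the new code or the JettySslConnectorFactory call site that passes the list makes that visible to operators. The enclosing method starts and ends outside the hunk.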