felix-dev mailing list archives

From Jan Willem Janssen <janwillem.jans...@luminis.eu>
Subject Re: [Http Service] Custom KeyStore provider
Date Fri, 28 Mar 2014 14:15:14 GMT

On 28/03/14 12:55, Felix Meschberger wrote:
> In our application which leverages the Felix Http Service we have 
> implemented a service which provides custom KeyStore and
> TrustStores along with their *Managers. Those are not file based
> hence we cannot simply configure the file paths.
> 
> One solution to approach this would be to support custom 
> "org.eclipse.jetty.util.ssl.SslContextFactory" services which the 
> Jetty Service would take into account. For example along these 
> lines:
> 
> (1) Define a property 
> "org.apache.felix.https.jetty.sslcontextfactory" which is a
> service selection filter, e.g. "(service.property=some.value)". If
> this property is set, an SSLContextFactory service matching the given
> filter is required. If this property is not set, the default 
> SSLContextFactory is used and configured from the configuration.
> If this property is set to the special value "*", an SSLContextFactory
> is just required.
> 
> (2) If the property is set but no matching service is available,
> the Jetty Service will not be started.
> 
> (3) Any further SSL relevant properties such as cipher enablement and
> disablement will be configured into the SSLContextFactory service
> according to configuration (this has an implication on the service 
> implementation).
> 
> Alternative to (2): (2a) If plain HTTP is enabled, the server
> could start with HTTP only and HTTPS would dynamically be added,
> when a service becomes available; If HTTP is disabled, the server
> would not be started until a service becomes available.
> 
> Alternative to (3): (3a) Any SSL properties are ignored if the 
> .SslContextFactory service is to be used.

Coincidentally, I was looking at something similar while trying to get
SPDY working in Felix HTTP. For that to work I need to supply
additional (Jetty) connectors to our Jetty server in order to get it
working.
My idea to get this working was something similar: allow connectors
(or connection factories, maybe that would be even better) to be
registered as service and get those service(s) by means of a
configuration key. This would be a little more generic and still allow
you to supply your own instance of the SslContextFactory. This path
would allow us to support additional protocols/connectors without the
JettyConfig class blowing up with more and more properties.

WDYT?

-- 
Met vriendelijke groeten | Kind regards

Jan Willem Janssen | Software Architect
+31 631 765 814

/My world is revolving around PulseOn and Amdatu/

Luminis Technologies B.V.
J.C. Wilslaan 29
7313 HK   Apeldoorn
+31 88 586 46 30

http://www.luminis-technologies.com
http://www.luminis.eu

KvK (CoC) 09 16 28 93
BTW (VAT) NL8169.78.566.B.01
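The two halves of the proposal discussed in this thread, a filter-selected SslContextFactory service built from non-file key material (provider side) and a Jetty-hosting bundle that resolves the "org.apache.felix.https.jetty.sslcontextfactory" property and refuses to start HTTPS when nothing matches (option 2), as an added example. This is not code from Felix HTTP or from either poster; it assumes the Jetty 9.1-era `org.eclipse.jetty.util.ssl.SslContextFactory` and OSGi core 4.3+ generics, and the package name, the `KeyMaterialSource` interface and the `ssl.keysource` service property are invented for the illustration.

```java
package example.felix.https; // hypothetical package, not part of Felix HTTP

import java.security.KeyStore;
import java.util.Dictionary;
import java.util.Hashtable;

import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Filter;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceRegistration;
import org.osgi.util.tracker.ServiceTracker;

/** Provider side: registers an SslContextFactory built from in-memory key material. */
public class CustomSslContextFactoryActivator implements BundleActivator {

    /** Hypothetical application service handing out KeyStore objects without file paths. */
    public interface KeyMaterialSource {
        KeyStore keyStore();
        char[] keyPassword();
        KeyStore trustStore();
    }

    // Service property the Jetty-side filter selects on (hypothetical name).
    static final String PROP_KEY_SOURCE = "ssl.keysource";

    private ServiceRegistration<SslContextFactory> registration;

    /** Builds the factory directly from KeyStore objects; no keystore path is ever set. */
    static SslContextFactory build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStore(keyStore);
        factory.setKeyManagerPassword(new String(keyPassword));
        factory.setTrustStore(trustStore);
        // Baseline hardening done by the provider, so it still holds if the consumer
        // ignores its own SSL properties (option 3a). Jetty 9 treats these as regexes.
        factory.setExcludeProtocols("SSLv2Hello", "SSLv3");
        factory.setExcludeCipherSuites(".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*anon.*");
        return factory;
    }

    @Override
    public void start(BundleContext context) {
        KeyMaterialSource source =
                context.getService(context.getServiceReference(KeyMaterialSource.class));
        SslContextFactory factory =
                build(source.keyStore(), source.keyPassword(), source.trustStore());
        Dictionary<String, Object> props = new Hashtable<>();
        props.put(PROP_KEY_SOURCE, "hsm");
        registration = context.registerService(SslContextFactory.class, factory, props);
    }

    @Override
    public void stop(BundleContext context) {
        if (registration != null) {
            registration.unregister();
        }
    }
}

/** Consumer side: resolving the proposed sslcontextfactory property in the Jetty bundle. */
class SslContextFactorySelector {
    static final String CLASS_FILTER =
            "(objectClass=" + SslContextFactory.class.getName() + ")";

    /**
     * Turns the configured value into a Filter that only matches SslContextFactory
     * services. The user's filter is AND-ed with the objectClass clause, so an
     * unrelated service carrying the same property cannot be picked up. A malformed
     * filter fails here with InvalidSyntaxException instead of at first use.
     */
    static Filter toFilter(String configured) throws InvalidSyntaxException {
        String f = configured.trim();
        if ("*".equals(f)) {
            return FrameworkUtil.createFilter(CLASS_FILTER);
        }
        return FrameworkUtil.createFilter("(&" + CLASS_FILTER + f + ")");
    }

    /**
     * Option (2): property set but no matching service present means HTTPS is not
     * started, rather than silently falling back to the file-based defaults.
     * The caller keeps the tracker open for as long as the server runs.
     */
    static SslContextFactory resolve(BundleContext context, String configured)
            throws InvalidSyntaxException {
        if (configured == null || configured.trim().isEmpty()) {
            return new SslContextFactory(); // default, configured from the usual properties
        }
        ServiceTracker<SslContextFactory, SslContextFactory> tracker =
                new ServiceTracker<>(context, toFilter(configured), null);
        tracker.open();
        SslContextFactory factory = tracker.getService();
        if (factory == null) {
            tracker.close();
            throw new IllegalStateException(
                    "no SslContextFactory service matches " + configured + "; not starting HTTPS");
        }
        return factory;
    }
}
```

With `org.apache.felix.https.jetty.sslcontextfactory=(ssl.keysource=hsm)` in the Jetty configuration, `resolve` returns the provider's instance; with `*` any registered SslContextFactory is accepted. One caveat for option (3): the consumer would then call setters on a service object owned by another bundle, so the provider has to tolerate its cipher and protocol settings being overwritten after registration, which is why the example pins its own exclusions and why option (3a) is the simpler contract.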
