org.eclipse.jetty.http.ssl
Class SslContextFactory

java.lang.Object
  extended by org.eclipse.jetty.util.component.AbstractLifeCycle
      extended by org.eclipse.jetty.http.ssl.SslContextFactory
All Implemented Interfaces:
LifeCycle

public class SslContextFactory
extends AbstractLifeCycle

SslContextFactory is used to configure SSL connectors as well as HttpClient. It holds all SSL/TLS parameters (key store and trust store, protocol and provider, cipher-suite include/exclude lists, client-authentication and certificate-validation/revocation settings) and creates an SSLContext from them for use by the SSL connectors. Because these settings together decide which peers are trusted and which cipher suites can be negotiated, they should be reviewed as a whole rather than one at a time.


Nested Class Summary
 
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener
 
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
LifeCycle.Listener
 
Field Summary
static String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
           
static String DEFAULT_KEYSTORE_PATH
          Default value for the keystore location path.
static String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
           
static String KEYPASSWORD_PROPERTY
          Name of the property from which the key (key-manager) password may be read when it is not set programmatically — presumably a system property; confirm against the implementation. Avoid supplying plaintext secrets in places visible to other local users (e.g. the command line).
static String PASSWORD_PROPERTY
          Name of the property from which the key-store password may be read when it is not set programmatically — presumably a system property; confirm against the implementation. Avoid supplying plaintext secrets in places visible to other local users (e.g. the command line).
 
Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
_listeners, FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING
 
Constructor Summary
SslContextFactory()
          Constructs an instance of SslContextFactory. Default constructor for use in XmlConfiguration files.
SslContextFactory(String keyStorePath)
          Construct an instance of SslContextFactory
 
Method Summary
 boolean checkConfig()
          Check configuration.
protected  void checkStarted()
          Check if the lifecycle has been started and throw runtime exception
protected  void createSSLContext()
           
protected  void doStart()
          Create the SSLContext object and start the lifecycle
 String getCertAlias()
           
 String getCrlPath()
           
 String[] getExcludeCipherSuites()
           
 String[] getIncludeCipherSuites()
           
protected  KeyManager[] getKeyManagers(KeyStore keyStore)
           
 String getKeyStore()
           
protected  KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword)
          Loads a keystore from an input stream or a file path, in that order of precedence (the stream is used when one is set, otherwise the path).
 InputStream getKeyStoreInputStream()
          Returns the input stream from which the key store is loaded, if one was set via setKeyStoreInputStream (otherwise the key store path is used).
 String getKeyStoreProvider()
           
 String getKeyStoreType()
           
 int getMaxCertPathLength()
           
 boolean getNeedClientAuth()
           
 String getOcspResponderURL()
           
 String getProtocol()
           
 String getProvider()
           
 String getSecureRandomAlgorithm()
           
 SSLContext getSslContext()
           
 String getSslKeyManagerFactoryAlgorithm()
           
 String getTrustManagerFactoryAlgorithm()
           
protected  TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls)
           
 String getTrustStore()
           
 InputStream getTrustStoreInputStream()
          Returns the input stream from which the trust store is loaded, if one was set via setTrustStoreInputStream (otherwise the trust store path is used).
 String getTrustStoreProvider()
           
 String getTrustStoreType()
           
 boolean getValidateCerts()
          Deprecated.  
 boolean getWantClientAuth()
           
 boolean isAllowRenegotiate()
           
 boolean isEnableCRLDP()
           
 boolean isEnableOCSP()
           
 boolean isValidateCerts()
           
protected  Collection<? extends CRL> loadCRL(String crlPath)
          Loads certificate revocation list (CRL) from a file.
 String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
          Selects the cipher suites to be enabled by the connector, based on the configured inclusion and exclusion lists together with the enabled and supported cipher-suite lists. Names are JSSE cipher-suite names; an exclusion list is the usual way to drop weak suites, while an inclusion list pins the set explicitly.
 void setAllowRenegotiate(boolean allowRenegotiate)
          Set if SSL re-negotiation is allowed.
 void setCertAlias(String certAlias)
           
 void setCrlPath(String crlPath)
           
 void setEnableCRLDP(boolean enableCRLDP)
          Enables CRL Distribution Points Support
 void setEnableOCSP(boolean enableOCSP)
          Enables On-Line Certificate Status Protocol support
 void setExcludeCipherSuites(String[] cipherSuites)
           
 void setIncludeCipherSuites(String[] cipherSuites)
           
 void setKeyManagerPassword(String password)
           
 void setKeyStore(String keyStorePath)
           
 void setKeyStoreInputStream(InputStream keyStoreInputStream)
          Set the keyStoreInputStream.
 void setKeyStorePassword(String password)
           
 void setKeyStoreProvider(String keyStoreProvider)
           
 void setKeyStoreType(String keyStoreType)
           
 void setMaxCertPathLength(int maxCertPathLength)
           
 void setNeedClientAuth(boolean needClientAuth)
           
 void setOcspResponderURL(String ocspResponderURL)
          Set the location of the OCSP Responder.
 void setProtocol(String protocol)
           
 void setProvider(String provider)
           
 void setSecureRandomAlgorithm(String algorithm)
           
 void setSslContext(SSLContext sslContext)
           
 void setSslKeyManagerFactoryAlgorithm(String algorithm)
           
 void setTrustManagerFactoryAlgorithm(String algorithm)
           
 void setTrustStore(String trustStorePath)
           
 void setTrustStoreInputStream(InputStream trustStoreInputStream)
          Set the _trustStoreInputStream.
 void setTrustStorePassword(String password)
           
 void setTrustStoreProvider(String trustStoreProvider)
           
 void setTrustStoreType(String trustStoreType)
           
 void setValidateCerts(boolean validateCerts)
           
 void setWantClientAuth(boolean wantClientAuth)
           
 
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
addLifeCycleListener, doStop, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_KEYMANAGERFACTORY_ALGORITHM

public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM

DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

DEFAULT_KEYSTORE_PATH

public static final String DEFAULT_KEYSTORE_PATH
Default value for the keystore location path.


KEYPASSWORD_PROPERTY

public static final String KEYPASSWORD_PROPERTY
Name of the property from which the key (key-manager) password may be read when it is not set programmatically — presumably a system property; confirm against the implementation. Avoid supplying plaintext secrets in places visible to other local users (e.g. the command line).

See Also:
Constant Field Values

PASSWORD_PROPERTY

public static final String PASSWORD_PROPERTY
Name of the property from which the key-store password may be read when it is not set programmatically — presumably a system property; confirm against the implementation. Avoid supplying plaintext secrets in places visible to other local users (e.g. the command line).

See Also:
Constant Field Values
Constructor Detail

SslContextFactory

public SslContextFactory()
Constructs an instance of SslContextFactory. Default constructor for use in XmlConfiguration files.


SslContextFactory

public SslContextFactory(String keyStorePath)
Construct an instance of SslContextFactory

Parameters:
keyStorePath - default keystore location
Method Detail

doStart

protected void doStart()
                throws Exception
Create the SSLContext object and start the lifecycle

Overrides:
doStart in class AbstractLifeCycle
Throws:
Exception
See Also:
AbstractLifeCycle.doStart()

getExcludeCipherSuites

public String[] getExcludeCipherSuites()
Returns:
The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

setExcludeCipherSuites

public void setExcludeCipherSuites(String[] cipherSuites)
Parameters:
cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

getIncludeCipherSuites

public String[] getIncludeCipherSuites()
Returns:
The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])

setIncludeCipherSuites

public void setIncludeCipherSuites(String[] cipherSuites)
Parameters:
cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])

getKeyStore

public String getKeyStore()
Returns:
The file or URL of the SSL Key store.

setKeyStore

public void setKeyStore(String keyStorePath)
Parameters:
keyStorePath - The file or URL of the SSL Key store.

getKeyStoreProvider

public String getKeyStoreProvider()
Returns:
The provider of the key store

setKeyStoreProvider

public void setKeyStoreProvider(String keyStoreProvider)
Parameters:
keyStoreProvider - The provider of the key store

getKeyStoreType

public String getKeyStoreType()
Returns:
The type of the key store (default "JKS")

setKeyStoreType

public void setKeyStoreType(String keyStoreType)
Parameters:
keyStoreType - The type of the key store (default "JKS")

getKeyStoreInputStream

public InputStream getKeyStoreInputStream()
Get the _keyStoreInputStream.

Returns:
the _keyStoreInputStream

setKeyStoreInputStream

public void setKeyStoreInputStream(InputStream keyStoreInputStream)
Set the keyStoreInputStream.

Parameters:
keyStoreInputStream - the InputStream to the KeyStore

getCertAlias

public String getCertAlias()
Returns:
Alias of SSL certificate for the connector

setCertAlias

public void setCertAlias(String certAlias)
Parameters:
certAlias - Alias of SSL certificate for the connector

getTrustStore

public String getTrustStore()
Returns:
The file name or URL of the trust store location

setTrustStore

public void setTrustStore(String trustStorePath)
Parameters:
trustStorePath - The file name or URL of the trust store location

getTrustStoreProvider

public String getTrustStoreProvider()
Returns:
The provider of the trust store

setTrustStoreProvider

public void setTrustStoreProvider(String trustStoreProvider)
Parameters:
trustStoreProvider - The provider of the trust store

getTrustStoreType

public String getTrustStoreType()
Returns:
The type of the trust store (default "JKS")

setTrustStoreType

public void setTrustStoreType(String trustStoreType)
Parameters:
trustStoreType - The type of the trust store (default "JKS")

getTrustStoreInputStream

public InputStream getTrustStoreInputStream()
Get the _trustStoreInputStream.

Returns:
the _trustStoreInputStream

setTrustStoreInputStream

public void setTrustStoreInputStream(InputStream trustStoreInputStream)
Set the _trustStoreInputStream.

Parameters:
trustStoreInputStream - the InputStream to the TrustStore

getNeedClientAuth

public boolean getNeedClientAuth()
Returns:
True if the server requires client authentication: the handshake fails when the client presents no certificate (compare wantClientAuth, where a certificate is requested but optional).
See Also:
SSLEngine.getNeedClientAuth()

setNeedClientAuth

public void setNeedClientAuth(boolean needClientAuth)
Parameters:
needClientAuth - True if the server requires client authentication: the handshake fails when the client presents no certificate (compare wantClientAuth, where a certificate is requested but optional).
See Also:
SSLEngine.getNeedClientAuth()

getWantClientAuth

public boolean getWantClientAuth()
Returns:
True if client authentication is requested but optional: the handshake still succeeds when the client presents no certificate, so the application must check whether a certificate was actually supplied before relying on it.
See Also:
SSLEngine.getWantClientAuth()

setWantClientAuth

public void setWantClientAuth(boolean wantClientAuth)
Parameters:
wantClientAuth - True if client authentication is requested but optional: the handshake still succeeds when the client presents no certificate, so the application must check whether a certificate was actually supplied before relying on it.
See Also:
SSLEngine.getWantClientAuth()

getValidateCerts

@Deprecated
public boolean getValidateCerts()
Deprecated. Use isValidateCerts() instead.

Returns:
true if SSL certificate has to be validated

isValidateCerts

public boolean isValidateCerts()
Returns:
true if certificates are to be validated rather than merely loaded. The revocation settings (crlPath, enableCRLDP, enableOCSP, ocspResponderURL) and maxCertPathLength are presumably only applied when this is enabled — confirm against getTrustManagers.

setValidateCerts

public void setValidateCerts(boolean validateCerts)
Parameters:
validateCerts - true if certificates are to be validated rather than merely loaded. The revocation settings (crlPath, enableCRLDP, enableOCSP, ocspResponderURL) and maxCertPathLength are presumably only applied when this is enabled — confirm against getTrustManagers.

isAllowRenegotiate

public boolean isAllowRenegotiate()
Returns:
True if SSL re-negotiation is allowed (default false)

setAllowRenegotiate

public void setAllowRenegotiate(boolean allowRenegotiate)
Set if SSL re-negotiation is allowed. CVE-2009-3555 is a vulnerability in the SSL/TLS renegotiation handshake that lets a man-in-the-middle inject data at the start of a connection. If your JVM does not have CVE-2009-3555 fixed, re-negotiation should not be allowed. In Sun Java 1.6 the issue was addressed by disabling renegotiation in update 19 and by implementing RFC 5746 (secure renegotiation) in update 22. Even on a fixed JVM, leave this disabled unless renegotiation is actually required, since it also gives a client a cheap way to force repeated expensive handshakes.

Parameters:
allowRenegotiate - true if re-negotiation is allowed (default false)

setKeyStorePassword

public void setKeyStorePassword(String password)
Parameters:
password - The password for the key store

setKeyManagerPassword

public void setKeyManagerPassword(String password)
Parameters:
password - The password (if any) for the specific key within the key store

setTrustStorePassword

public void setTrustStorePassword(String password)
Parameters:
password - The password for the trust store

getProvider

public String getProvider()
Returns:
The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

setProvider

public void setProvider(String provider)
Parameters:
provider - The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

getProtocol

public String getProtocol()
Returns:
The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String). This names the JSSE context algorithm, not the set of protocol versions that will be negotiated; which versions are enabled for "TLS" is determined by the JVM and should be verified for the deployment.

setProtocol

public void setProtocol(String protocol)
Parameters:
protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String). This names the JSSE context algorithm, not the set of protocol versions that will be negotiated; which versions are enabled for "TLS" is determined by the JVM and should be verified for the deployment.

getSecureRandomAlgorithm

public String getSecureRandomAlgorithm()
Returns:
The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

setSecureRandomAlgorithm

public void setSecureRandomAlgorithm(String algorithm)
Parameters:
algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

getSslKeyManagerFactoryAlgorithm

public String getSslKeyManagerFactoryAlgorithm()
Returns:
The algorithm name (default "SunX509") used by the KeyManagerFactory

setSslKeyManagerFactoryAlgorithm

public void setSslKeyManagerFactoryAlgorithm(String algorithm)
Parameters:
algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory

getTrustManagerFactoryAlgorithm

public String getTrustManagerFactoryAlgorithm()
Returns:
The algorithm name (default "SunX509") used by the TrustManagerFactory. Note: certificate-path and revocation checking (validateCerts, CRL, OCSP) typically require a PKIX-style trust manager; if you rely on those settings, confirm that the configured algorithm actually performs them.

setTrustManagerFactoryAlgorithm

public void setTrustManagerFactoryAlgorithm(String algorithm)
Parameters:
algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory. Note: certificate-path and revocation checking (validateCerts, CRL, OCSP) typically require a PKIX-style trust manager; if you rely on those settings, confirm that the configured algorithm actually performs them.

getCrlPath

public String getCrlPath()
Returns:
Path to file that contains Certificate Revocation List

setCrlPath

public void setCrlPath(String crlPath)
Parameters:
crlPath - Path to file that contains Certificate Revocation List

getMaxCertPathLength

public int getMaxCertPathLength()
Returns:
Maximum number of intermediate certificates in the certification path (-1 for unlimited). Prefer a small explicit bound in production so that a peer cannot force validation of arbitrarily long chains.

setMaxCertPathLength

public void setMaxCertPathLength(int maxCertPathLength)
Parameters:
maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited). Prefer a small explicit bound in production so that a peer cannot force validation of arbitrarily long chains.

getSslContext

public SSLContext getSslContext()
Returns:
The SSLContext

setSslContext

public void setSslContext(SSLContext sslContext)
Parameters:
sslContext - Set a preconfigured SSLContext. When one is set it is presumably used as-is, so the key store, trust store, protocol and provider settings of this factory would not be applied — confirm against createSSLContext.

createSSLContext

protected void createSSLContext()
                         throws Exception
Throws:
Exception

getKeyStore

protected KeyStore getKeyStore(InputStream storeStream,
                               String storePath,
                               String storeType,
                               String storeProvider,
                               String storePassword)
                        throws Exception
Loads a keystore from an input stream or a file path, in that order of precedence (the stream is used when one is set, otherwise the path). Required for integrations to be able to override the mechanism used to load a keystore in order to provide their own implementation.

Parameters:
storeStream - keystore input stream
storePath - path of keystore file
storeType - keystore type
storeProvider - keystore provider
storePassword - keystore password
Returns:
created keystore
Throws:
Exception

loadCRL

protected Collection<? extends CRL> loadCRL(String crlPath)
                                     throws Exception
Loads certificate revocation list (CRL) from a file. Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

Parameters:
crlPath - path of certificate revocation list file
Returns:
Throws:
Exception

getKeyManagers

protected KeyManager[] getKeyManagers(KeyStore keyStore)
                               throws Exception
Throws:
Exception

getTrustManagers

protected TrustManager[] getTrustManagers(KeyStore trustStore,
                                          Collection<? extends CRL> crls)
                                   throws Exception
Throws:
Exception

checkConfig

public boolean checkConfig()
Checks the configuration. If a key store has been configured but no trust store, the key store is also used as the trust store — meaning the certificates it contains become the trust anchors for client-certificate authentication, which may be wider than intended.

Returns:
true if the SslContextFactory configuration can be used in a server connector.

selectCipherSuites

public String[] selectCipherSuites(String[] enabledCipherSuites,
                                   String[] supportedCipherSuites)
Selects the cipher suites to be enabled by the connector, based on the configured inclusion and exclusion lists together with the enabled and supported cipher-suite lists. Names are JSSE cipher-suite names; an exclusion list is the usual way to drop weak suites, while an inclusion list pins the set explicitly.

Parameters:
enabledCipherSuites - Array of enabled cipher suites
supportedCipherSuites - Array of supported cipher suites
Returns:
Array of cipher suites to enable

checkStarted

protected void checkStarted()
Checks the lifecycle state and throws a runtime exception — presumably used by the setters to reject configuration changes once the factory has started; confirm against the implementation.


isEnableCRLDP

public boolean isEnableCRLDP()
Returns:
true if CRL Distribution Points support is enabled

setEnableCRLDP

public void setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points support, i.e. fetching CRLs from the distribution points named in certificates during validation. This implies network access during certificate validation, so consider its latency and failure behaviour.

Parameters:
enableCRLDP - true - turn on, false - turns off

isEnableOCSP

public boolean isEnableOCSP()
Returns:
true if On-Line Certificate Status Protocol support is enabled

setEnableOCSP

public void setEnableOCSP(boolean enableOCSP)
Enables Online Certificate Status Protocol (OCSP) support for revocation checking during certificate validation. OCSP lookups involve network access during validation; whether an unreachable responder fails the connection or is ignored is determined by the JVM's PKIX implementation — confirm for your deployment.

Parameters:
enableOCSP - true - turn on, false - turn off

getOcspResponderURL

public String getOcspResponderURL()
Returns:
Location of the OCSP Responder

setOcspResponderURL

public void setOcspResponderURL(String ocspResponderURL)
Set the location of the OCSP Responder.

Parameters:
ocspResponderURL - location of the OCSP Responder, presumably used instead of the responder URL carried in the certificate's own AIA extension — confirm against the implementation.


Copyright © 1995-2011 Mort Bay Consulting. All Rights Reserved.