org.eclipse.jetty.server.ssl
Class SslSocketConnector

java.lang.Object
  extended by org.eclipse.jetty.util.component.AbstractLifeCycle
      extended by org.eclipse.jetty.http.HttpBuffers
          extended by org.eclipse.jetty.server.AbstractConnector
              extended by org.eclipse.jetty.server.bio.SocketConnector
                  extended by org.eclipse.jetty.server.ssl.SslSocketConnector
All Implemented Interfaces:
Connector, SslConnector, Dumpable, LifeCycle

public class SslSocketConnector
extends SocketConnector
implements SslConnector

SSL Socket Connector. This specialization of SocketConnector is an abstract listener that can be used as the basis for a specific JSSE listener. The original of this class was heavily based on the work from Court Demas, which in turn is based on the work from Forge Research. Since JSSE, this class has evolved significantly from that early work.


Nested Class Summary
 class SslSocketConnector.SslConnectorEndPoint
           
 
Nested classes/interfaces inherited from class org.eclipse.jetty.server.bio.SocketConnector
SocketConnector.ConnectorEndPoint
 
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener
 
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
LifeCycle.Listener
 
Field Summary
 
Fields inherited from class org.eclipse.jetty.server.bio.SocketConnector
_connections, _localPort, _serverSocket
 
Fields inherited from class org.eclipse.jetty.server.AbstractConnector
_lowResourceMaxIdleTime, _maxIdleTime, _soLingerTime
 
Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
_listeners, FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING
 
Fields inherited from interface org.eclipse.jetty.server.ssl.SslConnector
DEFAULT_KEYSTORE, DEFAULT_KEYSTORE_ALGORITHM, DEFAULT_TRUSTSTORE_ALGORITHM, KEYPASSWORD_PROPERTY, PASSWORD_PROPERTY
 
Constructor Summary
SslSocketConnector()
          Constructor.
SslSocketConnector(SslContextFactory sslContextFactory)
           
 
Method Summary
 void accept(int acceptorID)
           
protected  void configure(Socket socket)
           
 void customize(EndPoint endpoint, Request request)
          Allow the Listener a chance to customise the request.
protected  void doStart()
          
protected  void doStop()
           
 String getAlgorithm()
          Deprecated.  
 String[] getExcludeCipherSuites()
          Deprecated.  
 int getHandshakeTimeout()
           
 String[] getIncludeCipherSuites()
          Deprecated.  
 String getKeystore()
          Deprecated.  
 String getKeystoreType()
          Deprecated.  
 boolean getNeedClientAuth()
          Deprecated.  
 String getProtocol()
          Deprecated.  
 String getProvider()
          Deprecated.  
 String getSecureRandomAlgorithm()
          Deprecated.  
 SSLContext getSslContext()
          Deprecated.  
 SslContextFactory getSslContextFactory()
           
 String getSslKeyManagerFactoryAlgorithm()
          Deprecated.  
 String getSslTrustManagerFactoryAlgorithm()
          Deprecated.  
 String getTruststore()
          Deprecated.  
 String getTruststoreType()
          Deprecated.  
 boolean getWantClientAuth()
          Deprecated.  
 boolean isAllowRenegotiate()
           
 boolean isConfidential(Request request)
          By default, we're confidential, given we speak SSL.
 boolean isIntegral(Request request)
          By default, we're integral, given we speak SSL.
protected  ServerSocket newServerSocket(String host, int port, int backlog)
           
 void setAlgorithm(String algorithm)
          Deprecated.  
 void setAllowRenegotiate(boolean allowRenegotiate)
          Set if SSL re-negotiation is allowed.
 void setExcludeCipherSuites(String[] cipherSuites)
          Deprecated.  
 void setHandshakeTimeout(int msec)
          Set the time in milliseconds for so_timeout during SSL handshaking.
 void setIncludeCipherSuites(String[] cipherSuites)
          Deprecated.  
 void setKeyPassword(String password)
          Deprecated.  
 void setKeystore(String keystore)
          Deprecated.  
 void setKeystoreType(String keystoreType)
          Deprecated.  
 void setNeedClientAuth(boolean needClientAuth)
          Deprecated.  
 void setPassword(String password)
          Deprecated.  
 void setProtocol(String protocol)
          Deprecated.  
 void setProvider(String provider)
          Deprecated.  
 void setSecureRandomAlgorithm(String algorithm)
          Deprecated.  
 void setSslContext(SSLContext sslContext)
          Deprecated.  
 void setSslKeyManagerFactoryAlgorithm(String algorithm)
          Deprecated.  
 void setSslTrustManagerFactoryAlgorithm(String algorithm)
          Deprecated.  
 void setTrustPassword(String password)
          Deprecated.  
 void setTruststore(String truststore)
          Deprecated.  
 void setTruststoreType(String truststoreType)
          Deprecated.  
 void setWantClientAuth(boolean wantClientAuth)
          Deprecated.  
 
Methods inherited from class org.eclipse.jetty.server.bio.SocketConnector
close, getConnection, getLocalPort, newConnection, open
 
Methods inherited from class org.eclipse.jetty.server.AbstractConnector
checkForwardedHeaders, connectionClosed, connectionOpened, connectionUpgraded, dump, dump, getAcceptorPriorityOffset, getAcceptors, getAcceptQueueSize, getConfidentialPort, getConfidentialScheme, getConnections, getConnectionsDurationMax, getConnectionsDurationMean, getConnectionsDurationStdDev, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsRequestsMax, getConnectionsRequestsMean, getConnectionsRequestsStdDev, getForwardedForHeader, getForwardedHostHeader, getForwardedProtoHeader, getForwardedServerHeader, getHost, getHostHeader, getIntegralPort, getIntegralScheme, getLeftMostValue, getLowResourceMaxIdleTime, getLowResourcesMaxIdleTime, getMaxIdleTime, getName, getPort, getRequests, getResolveNames, getReuseAddress, getServer, getSoLingerTime, getStatsOn, getStatsOnMs, getThreadPool, isForwarded, isLowResources, join, persist, setAcceptorPriorityOffset, setAcceptors, setAcceptQueueSize, setConfidentialPort, setConfidentialScheme, setForwarded, setForwardedForHeader, setForwardedHostHeader, setForwardedProtoHeader, setForwardedServerHeader, setHost, setHostHeader, setIntegralPort, setIntegralScheme, setLowResourceMaxIdleTime, setLowResourcesMaxIdleTime, setMaxIdleTime, setName, setPort, setResolveNames, setReuseAddress, setServer, setSoLingerTime, setStatsOn, setThreadPool, statsReset, stopAccept, toString
 
Methods inherited from class org.eclipse.jetty.http.HttpBuffers
getMaxBuffers, getRequestBuffers, getRequestBufferSize, getRequestBufferType, getRequestHeaderSize, getRequestHeaderType, getResponseBuffers, getResponseBufferSize, getResponseBufferType, getResponseHeaderSize, getResponseHeaderType, setMaxBuffers, setRequestBuffers, setRequestBufferSize, setRequestBufferType, setRequestHeaderSize, setRequestHeaderType, setResponseBuffers, setResponseBufferSize, setResponseBufferType, setResponseHeaderSize, setResponseHeaderType
 
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
addLifeCycleListener, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 
Methods inherited from interface org.eclipse.jetty.server.Connector
close, getConfidentialPort, getConfidentialScheme, getConnection, getConnections, getConnectionsDurationMax, getConnectionsDurationMean, getConnectionsDurationStdDev, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsRequestsMax, getConnectionsRequestsMean, getConnectionsRequestsStdDev, getHost, getIntegralPort, getIntegralScheme, getLocalPort, getLowResourceMaxIdleTime, getMaxIdleTime, getName, getPort, getRequestBuffers, getRequestBufferSize, getRequestHeaderSize, getRequests, getResolveNames, getResponseBuffers, getResponseBufferSize, getResponseHeaderSize, getServer, getStatsOn, getStatsOnMs, isLowResources, open, persist, setHost, setLowResourceMaxIdleTime, setMaxIdleTime, setPort, setRequestBufferSize, setRequestHeaderSize, setResponseBufferSize, setResponseHeaderSize, setServer, setStatsOn, statsReset
 
Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle
addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
 

Constructor Detail

SslSocketConnector

public SslSocketConnector()
Constructor.


SslSocketConnector

public SslSocketConnector(SslContextFactory sslContextFactory)
Method Detail

isAllowRenegotiate

public boolean isAllowRenegotiate()
Specified by:
isAllowRenegotiate in interface SslConnector
Returns:
True if SSL re-negotiation is allowed (default false)

setAllowRenegotiate

public void setAllowRenegotiate(boolean allowRenegotiate)
Set whether SSL re-negotiation is allowed. CVE-2009-3555 describes a vulnerability in SSL/TLS re-negotiation. If your JVM does not have the fix for CVE-2009-3555, then re-negotiation should not be allowed.

Specified by:
setAllowRenegotiate in interface SslConnector
Parameters:
allowRenegotiate - true if re-negotiation is allowed (default false)

accept

public void accept(int acceptorID)
            throws IOException,
                   InterruptedException
Overrides:
accept in class SocketConnector
Throws:
IOException
InterruptedException

configure

protected void configure(Socket socket)
                  throws IOException
Overrides:
configure in class AbstractConnector
Throws:
IOException

customize

public void customize(EndPoint endpoint,
                      Request request)
               throws IOException
Allow the Listener a chance to customise the request before the server does its stuff.
This allows the required attributes to be set for SSL requests.
The requirements of the Servlet specs are:

Specified by:
customize in interface Connector
Overrides:
customize in class SocketConnector
Parameters:
endpoint - The Socket the request arrived on. This should be a SocketEndPoint wrapping a SSLSocket.
request - HttpRequest to be customised.
Throws:
IOException

getExcludeCipherSuites

@Deprecated
public String[] getExcludeCipherSuites()
Deprecated. 

Specified by:
getExcludeCipherSuites in interface SslConnector
Returns:
The array of Ciphersuite names to exclude from SSLEngine.setEnabledCipherSuites(String[])
See Also:
SslConnector.getExcludeCipherSuites()

getIncludeCipherSuites

@Deprecated
public String[] getIncludeCipherSuites()
Deprecated. 

Specified by:
getIncludeCipherSuites in interface SslConnector
Returns:
The array of Ciphersuite names to include in SSLEngine.setEnabledCipherSuites(String[])
See Also:
SslConnector.getIncludeCipherSuites()

getKeystore

@Deprecated
public String getKeystore()
Deprecated. 

Specified by:
getKeystore in interface SslConnector
Returns:
The file or URL of the SSL Key store.
See Also:
SslConnector.getKeystore()

getKeystoreType

@Deprecated
public String getKeystoreType()
Deprecated. 

Specified by:
getKeystoreType in interface SslConnector
Returns:
The type of the key store (default "JKS")
See Also:
SslConnector.getKeystoreType()

getNeedClientAuth

@Deprecated
public boolean getNeedClientAuth()
Deprecated. 

Specified by:
getNeedClientAuth in interface SslConnector
Returns:
True if SSL needs client authentication.
See Also:
SslConnector.getNeedClientAuth()

getProtocol

@Deprecated
public String getProtocol()
Deprecated. 

Specified by:
getProtocol in interface SslConnector
Returns:
The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
See Also:
SslConnector.getProtocol()

getProvider

@Deprecated
public String getProvider()
Deprecated. 

Specified by:
getProvider in interface SslConnector
Returns:
The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)
See Also:
SslConnector.getProvider()

getSecureRandomAlgorithm

@Deprecated
public String getSecureRandomAlgorithm()
Deprecated. 

Specified by:
getSecureRandomAlgorithm in interface SslConnector
Returns:
The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
See Also:
SslConnector.getSecureRandomAlgorithm()

getSslKeyManagerFactoryAlgorithm

@Deprecated
public String getSslKeyManagerFactoryAlgorithm()
Deprecated. 

Specified by:
getSslKeyManagerFactoryAlgorithm in interface SslConnector
Returns:
The algorithm name (default "SunX509") used by the KeyManagerFactory
See Also:
SslConnector.getSslKeyManagerFactoryAlgorithm()

getSslTrustManagerFactoryAlgorithm

@Deprecated
public String getSslTrustManagerFactoryAlgorithm()
Deprecated. 

Specified by:
getSslTrustManagerFactoryAlgorithm in interface SslConnector
Returns:
The algorithm name (default "SunX509") used by the TrustManagerFactory
See Also:
SslConnector.getSslTrustManagerFactoryAlgorithm()

getTruststore

@Deprecated
public String getTruststore()
Deprecated. 

Specified by:
getTruststore in interface SslConnector
Returns:
The file name or URL of the trust store location
See Also:
SslConnector.getTruststore()

getSslContextFactory

public SslContextFactory getSslContextFactory()
Specified by:
getSslContextFactory in interface SslConnector
Returns:
the instance of SslContextFactory associated with the connector
See Also:
SslConnector.getSslContextFactory()

getTruststoreType

@Deprecated
public String getTruststoreType()
Deprecated. 

Specified by:
getTruststoreType in interface SslConnector
Returns:
The type of the trust store (default "JKS")
See Also:
SslConnector.getTruststoreType()

getWantClientAuth

@Deprecated
public boolean getWantClientAuth()
Deprecated. 

Specified by:
getWantClientAuth in interface SslConnector
Returns:
True if SSL wants client authentication.
See Also:
SslConnector.getWantClientAuth()

isConfidential

public boolean isConfidential(Request request)
By default, we're confidential, given we speak SSL. But, if we've been told about a confidential port, and said port is not our port, then we're not. This allows separation of listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring client certs providing mere INTEGRAL constraints.

Specified by:
isConfidential in interface Connector
Overrides:
isConfidential in class AbstractConnector
Parameters:
request - A request
Returns:
true if the request is confidential. This normally means the https scheme has been used.

isIntegral

public boolean isIntegral(Request request)
By default, we're integral, given we speak SSL. But, if we've been told about an integral port, and said port is not our port, then we're not. This allows separation of listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring client certs providing mere INTEGRAL constraints.

Specified by:
isIntegral in interface Connector
Overrides:
isIntegral in class AbstractConnector
Parameters:
request - A request
Returns:
true if the request is integral. This normally means the https scheme has been used.

doStart

protected void doStart()
                throws Exception

Overrides:
doStart in class SocketConnector
Throws:
Exception

doStop

protected void doStop()
               throws Exception
Overrides:
doStop in class SocketConnector
Throws:
Exception
See Also:
SocketConnector.doStop()

newServerSocket

protected ServerSocket newServerSocket(String host,
                                       int port,
                                       int backlog)
                                throws IOException
Overrides:
newServerSocket in class SocketConnector
Parameters:
host - The host name that this server should listen on
port - the port that this server should listen on
backlog - See ServerSocket.bind(java.net.SocketAddress, int)
Returns:
A new socket object bound to the supplied address with all other settings as per the current configuration of this connector.
Throws:
IOException
See Also:
setWantClientAuth(boolean), setNeedClientAuth(boolean)

setExcludeCipherSuites

@Deprecated
public void setExcludeCipherSuites(String[] cipherSuites)
Deprecated. 

Specified by:
setExcludeCipherSuites in interface SslConnector
Parameters:
cipherSuites - The array of Ciphersuite names to exclude from SSLEngine.setEnabledCipherSuites(String[])
See Also:
SslConnector.setExcludeCipherSuites(java.lang.String[])

setIncludeCipherSuites

@Deprecated
public void setIncludeCipherSuites(String[] cipherSuites)
Deprecated. 

Specified by:
setIncludeCipherSuites in interface SslConnector
Parameters:
cipherSuites - The array of Ciphersuite names to include in SSLEngine.setEnabledCipherSuites(String[])
See Also:
SslConnector.setIncludeCipherSuites(java.lang.String[])

setKeyPassword

@Deprecated
public void setKeyPassword(String password)
Deprecated. 

Specified by:
setKeyPassword in interface SslConnector
Parameters:
password - The password (if any) for the specific key within the key store
See Also:
SslConnector.setKeyPassword(java.lang.String)

setKeystore

@Deprecated
public void setKeystore(String keystore)
Deprecated. 

Specified by:
setKeystore in interface SslConnector
Parameters:
keystore - The resource path to the keystore, or null for built in keystores.

setKeystoreType

@Deprecated
public void setKeystoreType(String keystoreType)
Deprecated. 

Specified by:
setKeystoreType in interface SslConnector
Parameters:
keystoreType - The type of the key store (default "JKS")
See Also:
SslConnector.setKeystoreType(java.lang.String)

setNeedClientAuth

@Deprecated
public void setNeedClientAuth(boolean needClientAuth)
Deprecated. 

Set the value of the needClientAuth property

Specified by:
setNeedClientAuth in interface SslConnector
Parameters:
needClientAuth - true iff we require client certificate authentication.
See Also:
SSLEngine.getNeedClientAuth()

setPassword

@Deprecated
public void setPassword(String password)
Deprecated. 

Specified by:
setPassword in interface SslConnector
Parameters:
password - The password for the key store
See Also:
SslConnector.setPassword(java.lang.String)

setTrustPassword

@Deprecated
public void setTrustPassword(String password)
Deprecated. 

Specified by:
setTrustPassword in interface SslConnector
Parameters:
password - The password for the trust store
See Also:
SslConnector.setTrustPassword(java.lang.String)

setProtocol

@Deprecated
public void setProtocol(String protocol)
Deprecated. 

Specified by:
setProtocol in interface SslConnector
Parameters:
protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
See Also:
SslConnector.setProtocol(java.lang.String)

setProvider

@Deprecated
public void setProvider(String provider)
Deprecated. 

Specified by:
setProvider in interface SslConnector
Parameters:
provider - The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)
See Also:
SslConnector.setProvider(java.lang.String)

setSecureRandomAlgorithm

@Deprecated
public void setSecureRandomAlgorithm(String algorithm)
Deprecated. 

Specified by:
setSecureRandomAlgorithm in interface SslConnector
Parameters:
algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
See Also:
SslConnector.setSecureRandomAlgorithm(java.lang.String)

setSslKeyManagerFactoryAlgorithm

@Deprecated
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
Deprecated. 

Specified by:
setSslKeyManagerFactoryAlgorithm in interface SslConnector
Parameters:
algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory
See Also:
SslConnector.setSslKeyManagerFactoryAlgorithm(java.lang.String)

setSslTrustManagerFactoryAlgorithm

@Deprecated
public void setSslTrustManagerFactoryAlgorithm(String algorithm)
Deprecated. 

Specified by:
setSslTrustManagerFactoryAlgorithm in interface SslConnector
Parameters:
algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory
See Also:
SslConnector.setSslTrustManagerFactoryAlgorithm(java.lang.String)

setTruststore

@Deprecated
public void setTruststore(String truststore)
Deprecated. 

Specified by:
setTruststore in interface SslConnector
Parameters:
truststore - The file name or URL of the trust store location
See Also:
SslConnector.setTruststore(java.lang.String)

setTruststoreType

@Deprecated
public void setTruststoreType(String truststoreType)
Deprecated. 

Specified by:
setTruststoreType in interface SslConnector
Parameters:
truststoreType - The type of the trust store (default "JKS")
See Also:
SslConnector.setTruststoreType(java.lang.String)

setSslContext

@Deprecated
public void setSslContext(SSLContext sslContext)
Deprecated. 

Specified by:
setSslContext in interface SslConnector
Parameters:
sslContext - Set a preconfigured SSLContext
See Also:
SslConnector.setSslContext(javax.net.ssl.SSLContext)

getSslContext

@Deprecated
public SSLContext getSslContext()
Deprecated. 

Specified by:
getSslContext in interface SslConnector
Returns:
The SSLContext
See Also:
SslConnector.setSslContext(javax.net.ssl.SSLContext)

setWantClientAuth

@Deprecated
public void setWantClientAuth(boolean wantClientAuth)
Deprecated. 

Set the value of the _wantClientAuth property. This property is used internally when opening server sockets.

Specified by:
setWantClientAuth in interface SslConnector
Parameters:
wantClientAuth - true if we want client certificate authentication.
See Also:
SSLServerSocket.setWantClientAuth(boolean)

setHandshakeTimeout

public void setHandshakeTimeout(int msec)
Set the time in milliseconds for so_timeout during SSL handshaking.

Parameters:
msec - a non-zero value will be used to set so_timeout during ssl handshakes. A zero value means the maxIdleTime is used instead.
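
The following is an added example, not part of the Jetty documentation or code base: a startup check that applies the setAllowRenegotiate and setHandshakeTimeout settings described on this page and reports connectors that deviate from them. The class name SslConnectorAudit, the MAX_HANDSHAKE_MS threshold and the sample values in main are assumptions made for illustration; keystore and port configuration are left out.

```java
import java.util.ArrayList;
import java.util.List;

import org.eclipse.jetty.server.ssl.SslSocketConnector;

/** Added example (hypothetical class): audit renegotiation and handshake-timeout settings. */
public class SslConnectorAudit {

    // Assumed policy value for this example; it is not a Jetty default.
    static final int MAX_HANDSHAKE_MS = 10000;

    /** Apply both settings explicitly; keystore and port setup stay with the caller. */
    static SslSocketConnector harden(SslSocketConnector connector) {
        // false is the documented default; setting it makes the intent visible in code review.
        connector.setAllowRenegotiate(false);
        // A non-zero value gives handshakes their own so_timeout instead of maxIdleTime.
        connector.setHandshakeTimeout(MAX_HANDSHAKE_MS);
        return connector;
    }

    /** Returns findings as text; an empty list means both checks passed. */
    static List<String> audit(SslSocketConnector connector) {
        List<String> findings = new ArrayList<String>();

        if (connector.isAllowRenegotiate()) {
            findings.add("re-negotiation is allowed; acceptable only if the JVM has "
                    + "CVE-2009-3555 fixed");
        }

        int handshake = connector.getHandshakeTimeout();
        // Per the setHandshakeTimeout description: zero means maxIdleTime is used instead.
        boolean fallsBack = (handshake == 0);
        int effective = fallsBack ? connector.getMaxIdleTime() : handshake;
        if (effective > MAX_HANDSHAKE_MS) {
            findings.add("handshake so_timeout is " + effective + " ms"
                    + (fallsBack ? " (handshakeTimeout is 0, so maxIdleTime applies)" : "")
                    + ", above the " + MAX_HANDSHAKE_MS + " ms policy limit");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: a connector with re-negotiation switched on and a long
        // idle timeout that silently becomes the handshake timeout.
        SslSocketConnector legacy = new SslSocketConnector();
        legacy.setAllowRenegotiate(true);
        legacy.setMaxIdleTime(200000);
        legacy.setHandshakeTimeout(0);

        for (String finding : audit(legacy)) {
            System.out.println("legacy: " + finding);
        }

        SslSocketConnector hardened = harden(new SslSocketConnector());
        hardened.setMaxIdleTime(200000); // idle timeout no longer affects handshakes
        System.out.println("hardened findings: " + audit(hardened).size());
    }
}
```

Neither connector is started, so the check can run before the server opens its listening socket.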

getHandshakeTimeout

public int getHandshakeTimeout()

getAlgorithm

@Deprecated
public String getAlgorithm()
Deprecated. 

Unsupported. TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)


setAlgorithm

@Deprecated
public void setAlgorithm(String algorithm)
Deprecated. 

Unsupported. TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)



Copyright © 1995-2011 Mort Bay Consulting. All Rights Reserved.