replacements.put("connectionTimeout", "soTimeout");
replacements.put("randomFile", "randomfile");
replacements.put("rootFile", "rootfile");
- replacements.put("sslProtocols", "protocols");
}
package org.apache.coyote;
import java.net.InetAddress;
-import java.util.HashMap;
-import java.util.Iterator;
import java.util.concurrent.Executor;
import javax.management.MBeanRegistration;
// ----------------------------------------------- Generic property handling
/**
- * Attributes provide a way for configuration to be passed to sub-components
- * without the {@link ProtocolHandler} being aware of the properties
- * available on those sub-components. One example of such a sub-component is
- * the {@link org.apache.tomcat.util.net.ServerSocketFactory}.
- */
- protected HashMap<String, Object> attributes =
- new HashMap<String, Object>();
-
-
- /**
- * Generic property setter called when a property for which a specific
- * setter already exists within the {@link ProtocolHandler} needs to be
- * made available to sub-components. The specific setter will call this
- * method to populate the attributes.
- */
- @Override
- public void setAttribute(String name, Object value) {
- if (getLog().isTraceEnabled()) {
- getLog().trace(sm.getString("abstractProtocolHandler.setAttribute",
- name, value));
- }
- attributes.put(name, value);
- }
-
-
- /**
- * Used by sub-components to retrieve configuration information.
- */
- @Override
- public Object getAttribute(String key) {
- Object value = attributes.get(key);
- if (getLog().isTraceEnabled()) {
- getLog().trace(sm.getString("abstractProtocolHandler.getAttribute",
- key, value));
- }
- return value;
- }
-
-
- /**
- * Used by sub-components to retrieve configuration information.
- */
- @Override
- public Iterator<String> getAttributeNames() {
- return attributes.keySet().iterator();
- }
-
-
- /**
* Generic property setter used by the digester. Other code should not need
* to use this. The digester will only use this method if it can't find a
* more specific setter. That means the property belongs to the Endpoint,
* ensures that it is visible to both.
*/
public boolean setProperty(String name, String value) {
- setAttribute(name, value);
return endpoint.setProperty(name, value);
}
* to use this.
*/
public String getProperty(String name) {
- // Since all calls to setProperty() will place the property in the
- // attributes list, just retrieve it from there.
- return (String)getAttribute(name);
+ return endpoint.getProperty(name);
}
public InetAddress getAddress() { return endpoint.getAddress(); }
public void setAddress(InetAddress ia) {
endpoint.setAddress(ia);
- setAttribute("address", ia.toString());
}
public int getPort() { return endpoint.getPort(); }
public void setPort(int port) {
endpoint.setPort(port);
- setAttribute("port", Integer.toString(port));
}
public void setConnectionTimeout(int timeout) {
// Note that the endpoint uses the alternative name
endpoint.setSoTimeout(timeout);
- String str = Integer.toString(timeout);
- setAttribute("connectionTimeout", str);
- // Also set the attribute for the alternative name
- setAttribute("soTimeout", str);
}
/*
package org.apache.coyote;
-import java.util.Iterator;
import java.util.concurrent.Executor;
public interface ProtocolHandler {
/**
- * Pass config info.
- */
- public void setAttribute(String name, Object value);
- public Object getAttribute(String name);
- public Iterator<String> getAttributeNames();
-
-
- /**
* The adapter, used to call the connector.
*/
public void setAdapter(Adapter adapter);
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.JIoEndpoint;
import org.apache.tomcat.util.net.JIoEndpoint.Handler;
+import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SocketStatus;
import org.apache.tomcat.util.net.SocketWrapper;
}
@Override
+ public SSLImplementation getSslImplementation() {
+ // AJP does not support SSL
+ return null;
+ }
+
+ @Override
public void recycle() {
recycledProcessors.clear();
}
}
}
}
-
}
}
package org.apache.coyote.http11;
import org.apache.tomcat.util.net.SSLImplementation;
-import org.apache.tomcat.util.net.jsse.JSSEImplementation;
public abstract class AbstractHttp11JsseProtocol
extends AbstractHttp11Protocol {
return endpoint.getAllowUnsafeLegacyRenegotiation();
}
+ private String sslImplemenationName = null;
+ public String getSslImplemenationName() { return sslImplemenationName; }
+ public void setSslImplemenationName(String s) {
+ this.sslImplemenationName = s;
+ }
// ------------------------------------------------------- Lifecycle methods
@Override
public void init() throws Exception {
+ // SSL implementation needs to be in place before end point is
+ // initialized
+ sslImplementation = SSLImplementation.getInstance(sslImplemenationName);
super.init();
- sslImplementation = new JSSEImplementation();
}
}
public boolean getSecure() { return secure; }
public void setSecure(boolean b) {
secure = b;
- setAttribute("secure", "" + b);
}
}
public void setMaxKeepAliveRequests(int mkar) {
endpoint.setMaxKeepAliveRequests(mkar);
- setAttribute("maxKeepAliveRequests", "" + mkar);
}
import org.apache.tomcat.util.net.NioChannel;
import org.apache.tomcat.util.net.NioEndpoint;
import org.apache.tomcat.util.net.NioEndpoint.Handler;
+import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SecureNioChannel;
import org.apache.tomcat.util.net.SocketStatus;
public void setAcceptorThreadPriority(int threadPriority) {
((NioEndpoint)endpoint).setAcceptorThreadPriority(threadPriority);
- setAttribute("acceptorThreadPriority", "" + threadPriority);
}
public void setPollerThreadPriority(int threadPriority) {
((NioEndpoint)endpoint).setPollerThreadPriority(threadPriority);
- setAttribute("pollerThreadPriority", "" + threadPriority);
}
public int getAcceptorThreadPriority() {
public void setSocketCloseDelay( int d ) {
socketCloseDelay=d;
- setAttribute("socketCloseDelay", "" + d);
}
public void setOomParachute(int oomParachute) {
((NioEndpoint)endpoint).setOomParachute(oomParachute);
- setAttribute("oomParachute", Integer.valueOf(oomParachute));
}
// -------------------- SSL related properties --------------------
recycledProcessors.clear();
}
+ public SSLImplementation getSslImplementation() {
+ return proto.sslImplementation;
+ }
+
@Override
public void release(SocketChannel socket) {
if (log.isDebugEnabled())
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.JIoEndpoint;
import org.apache.tomcat.util.net.JIoEndpoint.Handler;
+import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SocketStatus;
import org.apache.tomcat.util.net.SocketWrapper;
return global;
}
+ public SSLImplementation getSslImplementation() {
+ return proto.sslImplementation;
+ }
+
@Override
public void recycle() {
recycledProcessors.clear();
import java.io.OutputStreamWriter;
import java.net.InetAddress;
import java.net.InetSocketAddress;
+import java.util.ArrayList;
+import java.util.HashMap;
import java.util.StringTokenizer;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
protected abstract boolean getDeferAccept();
+
+ /**
+ * Attributes provide a way for configuration to be passed to sub-components
+ * without the {@link ProtocolHandler} being aware of the properties
+ * available on those sub-components. One example of such a sub-component is
+ * the {@link org.apache.tomcat.util.net.ServerSocketFactory}.
+ */
+ protected HashMap<String, Object> attributes =
+ new HashMap<String, Object>();
+ /**
+ * Generic property setter called when a property for which a specific
+ * setter already exists within the {@link ProtocolHandler} needs to be
+ * made available to sub-components. The specific setter will call this
+ * method to populate the attributes.
+ */
+ public void setAttribute(String name, Object value) {
+ if (getLog().isTraceEnabled()) {
+ getLog().trace(sm.getString("abstractProtocolHandler.setAttribute",
+ name, value));
+ }
+ attributes.put(name, value);
+ }
/**
- * Generic properties, introspected
+ * Used by sub-components to retrieve configuration information.
*/
+ public Object getAttribute(String key) {
+ Object value = attributes.get(key);
+ if (getLog().isTraceEnabled()) {
+ getLog().trace(sm.getString("abstractProtocolHandler.getAttribute",
+ key, value));
+ }
+ return value;
+ }
+
+
+
public boolean setProperty(String name, String value) {
+ setAttribute(name, value);
final String socketName = "socket.";
try {
if (name.startsWith(socketName)) {
return false;
}
}
-
+ public String getProperty(String name) {
+ return (String) getAttribute(name);
+ }
+
/**
* Return the amount of threads that are managed by the pool.
*
private String[] sslEnabledProtocolsarr = new String[0];
- public String[] getSslEnabledProtocolsArray() { return this.sslEnabledProtocolsarr;}
+ public String[] getSslEnabledProtocolsArray() {
+ return this.sslEnabledProtocolsarr;
+ }
public void setSslEnabledProtocols(String s) {
- StringTokenizer t = new StringTokenizer(s,",");
- sslEnabledProtocolsarr = new String[t.countTokens()];
- for (int i=0; i<sslEnabledProtocolsarr.length; i++ ) sslEnabledProtocolsarr[i] = t.nextToken();
+ if (s == null) {
+ this.sslEnabledProtocolsarr = new String[0];
+ } else {
+ ArrayList<String> sslEnabledProtocols = new ArrayList<String>();
+ StringTokenizer t = new StringTokenizer(s,",");
+ while (t.hasMoreTokens()) {
+ String p = t.nextToken().trim();
+ if (p.length() > 0) {
+ sslEnabledProtocols.add(p);
+ }
+ }
+ sslEnabledProtocolsarr = sslEnabledProtocols.toArray(
+ new String[sslEnabledProtocols.size()]);
+ }
}
}
* @author db@eng.sun.com
* @author Harish Prabandham
*/
+public class DefaultServerSocketFactory implements ServerSocketFactory {
-// Default implementation of server sockets.
+ private AbstractEndpoint endpoint;
-//
-// WARNING: Some of the APIs in this class are used by J2EE.
-// Please talk to harishp@eng.sun.com before making any changes.
-//
-class DefaultServerSocketFactory extends ServerSocketFactory {
-
- DefaultServerSocketFactory () {
- /* NOTHING */
+ public DefaultServerSocketFactory(AbstractEndpoint endpoint) {
+ this.endpoint = endpoint;
}
@Override
- public ServerSocket createSocket (int port)
- throws IOException {
+ public ServerSocket createSocket (int port) throws IOException {
return new ServerSocket (port);
}
@Override
public ServerSocket createSocket (int port, int backlog)
- throws IOException {
+ throws IOException {
return new ServerSocket (port, backlog);
}
@Override
public ServerSocket createSocket (int port, int backlog,
- InetAddress ifAddress)
- throws IOException {
+ InetAddress ifAddress) throws IOException {
return new ServerSocket (port, backlog, ifAddress);
}
-
+
@Override
- public Socket acceptSocket(ServerSocket socket)
- throws IOException {
+ public Socket acceptSocket(ServerSocket socket) throws IOException {
return socket.accept();
}
-
+
@Override
- public void handshake(Socket sock)
- throws IOException {
+ public void handshake(Socket sock) throws IOException {
// NOOP
}
-
}
*/
public interface Handler extends AbstractEndpoint.Handler {
public SocketState process(SocketWrapper<Socket> socket);
- public SocketState process(SocketWrapper<Socket> socket, SocketStatus status);
+ public SocketState process(SocketWrapper<Socket> socket,
+ SocketStatus status);
+ public SSLImplementation getSslImplementation();
}
acceptorThreadCount = 1;
}
if (serverSocketFactory == null) {
- serverSocketFactory = ServerSocketFactory.getDefault();
- }
- if (isSSLEnabled()) {
- serverSocketFactory.setAttribute(SSL_ATTR_ALGORITHM,
- getAlgorithm());
- serverSocketFactory.setAttribute(SSL_ATTR_CLIENT_AUTH,
- getClientAuth());
- serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_FILE,
- getKeystoreFile());
- serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_PASS,
- getKeystorePass());
- serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_TYPE,
- getKeystoreType());
- serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_PROVIDER,
- getKeystoreProvider());
- serverSocketFactory.setAttribute(SSL_ATTR_SSL_PROTOCOL,
- getSslProtocol());
- serverSocketFactory.setAttribute(SSL_ATTR_CIPHERS,
- getCiphers());
- serverSocketFactory.setAttribute(SSL_ATTR_KEY_ALIAS,
- getKeyAlias());
- serverSocketFactory.setAttribute(SSL_ATTR_KEY_PASS,
- getKeyPass());
- serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_FILE,
- getTruststoreFile());
- serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_PASS,
- getTruststorePass());
- serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_TYPE,
- getTruststoreType());
- serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_PROVIDER,
- getTruststoreProvider());
- serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_ALGORITHM,
- getTruststoreAlgorithm());
- serverSocketFactory.setAttribute(SSL_ATTR_CRL_FILE,
- getCrlFile());
- serverSocketFactory.setAttribute(SSL_ATTR_TRUST_MAX_CERT_LENGTH,
- getTrustMaxCertLength());
- serverSocketFactory.setAttribute(SSL_ATTR_SESSION_CACHE_SIZE,
- getSessionCacheSize());
- serverSocketFactory.setAttribute(SSL_ATTR_SESSION_TIMEOUT,
- getSessionTimeout());
- serverSocketFactory.setAttribute(SSL_ATTR_ALLOW_UNSAFE_RENEG,
- getAllowUnsafeLegacyRenegotiation());
+ if (isSSLEnabled()) {
+ serverSocketFactory =
+ handler.getSslImplementation().getServerSocketFactory(this);
+ } else {
+ serverSocketFactory = new DefaultServerSocketFactory(this);
+ }
}
if (serverSocket == null) {
try {
if (getAddress() == null) {
- serverSocket = serverSocketFactory.createSocket(getPort(), getBacklog());
+ serverSocket = serverSocketFactory.createSocket(getPort(),
+ getBacklog());
} else {
- serverSocket = serverSocketFactory.createSocket(getPort(), getBacklog(), getAddress());
+ serverSocket = serverSocketFactory.createSocket(getPort(),
+ getBacklog(), getAddress());
}
} catch (BindException orig) {
String msg;
throw be;
}
}
- //if( serverTimeout >= 0 )
- // serverSocket.setSoTimeout( serverTimeout );
initialized = true;
-
}
@Override
* Configure the socket.
*/
protected boolean setSocketOptions(Socket socket) {
- serverSocketFactory.initSocket(socket);
-
try {
// 1: Set socket options: timeout, linger, etc
socketProperties.setProperties(socket);
public SocketState event(NioChannel socket, SocketStatus status);
public void release(NioChannel socket);
public void release(SocketChannel socket);
+ public SSLImplementation getSslImplementation();
}
public abstract String getImplementationName();
- public abstract ServerSocketFactory getServerSocketFactory();
+ public abstract ServerSocketFactory getServerSocketFactory(
+ AbstractEndpoint endpoint);
public abstract SSLSupport getSSLSupport(Socket sock);
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package org.apache.tomcat.util.net;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
-import java.util.Hashtable;
/**
- * This class creates server sockets. It may be subclassed by other factories,
- * which create particular types of server sockets. This provides a general
- * framework for the addition of public socket-level functionality. It it is the
- * server side analogue of a socket factory, and similarly provides a way to
- * capture a variety of policies related to the sockets being constructed.
- * <P>
- * Like socket factories, Server Socket factory instances have two categories of
- * methods. First are methods used to create sockets. Second are methods which
- * set properties used in the production of sockets, such as networking options.
- * There is also an environment specific default server socket factory;
- * frameworks will often use their own customized factory.
- * <P>
- * <hr>
- * <em> It may be desirable to move this interface into the
- * <b>java.net</b> package, so that is not an extension but the preferred
- * interface. Should this be serializable, making it a JavaBean which can
- * be saved along with its networking configuration?
- * </em>
- *
- * @author db@eng.sun.com
- * @author Harish Prabandham
+ * The common interface through which the {@link JIoEndpoint} interacts with
+ * both non-SSL and SSL sockets.
*/
-public abstract class ServerSocketFactory implements Cloneable {
-
- //
- // NOTE: JDK 1.1 bug in class GC, this can get collected
- // even though it's always accessible via getDefault().
- //
-
- private static ServerSocketFactory theFactory;
- protected Hashtable<String, Object> attributes = new Hashtable<String, Object>();
-
- /**
- * Constructor is used only by subclasses.
- */
- protected ServerSocketFactory() {
- /* NOTHING */
- }
-
- /**
- * General mechanism to pass attributes from the ServerConnector to the
- * socket factory. Note that the "preferred" mechanism is to use bean
- * setters and explicit methods, but this allows easy configuration via
- * server.xml or simple Properties
- */
- public void setAttribute(String name, Object value) {
- if (name != null && value != null)
- attributes.put(name, value);
- }
-
- /**
- * Returns a copy of the environment's default socket factory.
- */
- public static synchronized ServerSocketFactory getDefault() {
- //
- // optimize typical case: no synch needed
- //
-
- if (theFactory == null) {
- //
- // Different implementations of this method could
- // work rather differently. For example, driving
- // this from a system property, or using a different
- // implementation than JavaSoft's.
- //
-
- theFactory = new DefaultServerSocketFactory();
- }
-
- try {
- return (ServerSocketFactory) theFactory.clone();
- } catch (CloneNotSupportedException e) {
- throw new RuntimeException(e.getMessage());
- }
- }
+public interface ServerSocketFactory {
/**
* Returns a server socket which uses all network interfaces on the host,
* @exception InstantiationException
* for construction errors
*/
- public abstract ServerSocket createSocket(int port) throws IOException,
+ ServerSocket createSocket(int port) throws IOException,
InstantiationException;
/**
* @exception InstantiationException
* for construction errors
*/
- public abstract ServerSocket createSocket(int port, int backlog)
- throws IOException, InstantiationException;
+ ServerSocket createSocket(int port, int backlog) throws IOException,
+ InstantiationException;
/**
* Returns a server socket which uses only the specified network interface
* @exception InstantiationException
* for construction errors
*/
- public abstract ServerSocket createSocket(int port, int backlog,
- InetAddress ifAddress) throws IOException, InstantiationException;
-
- public void initSocket(Socket s) {
- }
+ ServerSocket createSocket(int port, int backlog, InetAddress ifAddress)
+ throws IOException, InstantiationException;
/**
* Wrapper function for accept(). This allows us to trap and translate
- * exceptions if necessary
+ * exceptions if necessary.
*
* @exception IOException
- * ;
*/
- public abstract Socket acceptSocket(ServerSocket socket) throws IOException;
+ Socket acceptSocket(ServerSocket socket) throws IOException;
/**
- * Extra function to initiate the handshake. Sometimes necessary for SSL
+ * Triggers the SSL handshake. This will be a no-op for non-SSL sockets.
*
* @exception IOException
- * ;
*/
- public abstract void handshake(Socket sock) throws IOException;
+ void handshake(Socket sock) throws IOException;
}
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.ServerSocketFactory;
/**
* Returns the ServerSocketFactory to use.
*/
- public ServerSocketFactory getSocketFactory() {
- return new JSSESocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint) {
+ return new JSSESocketFactory(endpoint);
}
/**
import javax.net.ssl.SSLSession;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.ServerSocketFactory;
}
@Override
- public ServerSocketFactory getServerSocketFactory() {
- ServerSocketFactory ssf = factory.getSocketFactory();
+ public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) {
+ ServerSocketFactory ssf = factory.getSocketFactory(endpoint);
return ssf;
}
import org.apache.catalina.Globals;
import org.apache.tomcat.util.net.AbstractEndpoint;
+import org.apache.tomcat.util.net.ServerSocketFactory;
import org.apache.tomcat.util.res.StringManager;
/**
* @author Jan Luehe
* @author Bill Barker
*/
-public class JSSESocketFactory
- extends org.apache.tomcat.util.net.ServerSocketFactory {
+public class JSSESocketFactory implements ServerSocketFactory {
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
static final org.apache.juli.logging.Log log =
org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
+ private AbstractEndpoint endpoint;
+
protected boolean initialized;
protected SSLServerSocketFactory sslProxy = null;
protected String[] enabledCiphers;
protected boolean wantClientAuth = false;
- public JSSESocketFactory () {
- // NOOP
+ public JSSESocketFactory (AbstractEndpoint endpoint) {
+ this.endpoint = endpoint;
}
@Override
* Gets the SSL server's keystore password.
*/
protected String getKeystorePassword() {
- String keyPass = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_KEY_PASS);
+ String keyPass = endpoint.getKeyPass();
if (keyPass == null) {
keyPass = DEFAULT_KEY_PASS;
}
- String keystorePass = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_KEYSTORE_PASS);
+ String keystorePass = endpoint.getKeystorePass();
if (keystorePass == null) {
keystorePass = keyPass;
}
protected KeyStore getKeystore(String type, String provider, String pass)
throws IOException {
- String keystoreFile = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_KEYSTORE_FILE);
+ String keystoreFile = endpoint.getKeystoreFile();
if (keystoreFile == null)
keystoreFile = defaultKeystoreFile;
String keystoreProvider) throws IOException {
KeyStore trustStore = null;
- String truststoreFile = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_TRUSTSTORE_FILE);
+ String truststoreFile = endpoint.getTruststoreFile();
if(truststoreFile == null) {
truststoreFile = System.getProperty("javax.net.ssl.trustStore");
}
log.debug("Truststore = " + truststoreFile);
}
- String truststorePassword = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_TRUSTSTORE_PASS);
+ String truststorePassword = endpoint.getTruststorePass();
if( truststorePassword == null) {
truststorePassword =
System.getProperty("javax.net.ssl.trustStorePassword");
log.debug("TrustPass = " + truststorePassword);
}
- String truststoreType = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_TRUSTSTORE_TYPE);
+ String truststoreType = endpoint.getTruststoreType();
if( truststoreType == null) {
truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
}
log.debug("trustType = " + truststoreType);
}
- String truststoreProvider =
- (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_TRUSTSTORE_PROVIDER);
+ String truststoreProvider = endpoint.getTruststoreProvider();
if( truststoreProvider == null) {
truststoreProvider =
System.getProperty("javax.net.ssl.trustStoreProvider");
void init() throws IOException {
try {
- String clientAuthStr = (String) attributes.get(
- AbstractEndpoint.SSL_ATTR_CLIENT_AUTH);
+ String clientAuthStr = endpoint.getClientAuth();
if("true".equalsIgnoreCase(clientAuthStr) ||
"yes".equalsIgnoreCase(clientAuthStr)) {
requireClientAuth = true;
}
// SSL protocol variant (e.g., TLS, SSL v3, etc.)
- String protocol = (String) attributes.get(
- AbstractEndpoint.SSL_ATTR_SSL_PROTOCOL);
+ String protocol = endpoint.getSslProtocol();
if (protocol == null) {
protocol = defaultProtocol;
}
// Certificate encoding algorithm (e.g., SunX509)
- String algorithm = (String) attributes.get(
- AbstractEndpoint.SSL_ATTR_ALGORITHM);
+ String algorithm = endpoint.getAlgorithm();
if (algorithm == null) {
algorithm = KeyManagerFactory.getDefaultAlgorithm();
}
- String keystoreType = (String) attributes.get(
- AbstractEndpoint.SSL_ATTR_KEYSTORE_TYPE);
+ String keystoreType = endpoint.getKeystoreType();
if (keystoreType == null) {
keystoreType = defaultKeystoreType;
}
- String keystoreProvider =
- (String) attributes.get(
- AbstractEndpoint.SSL_ATTR_KEYSTORE_PROVIDER);
+ String keystoreProvider = endpoint.getKeystoreProvider();
- String trustAlgorithm =
- (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_TRUSTSTORE_ALGORITHM);
+ String trustAlgorithm = endpoint.getTruststoreAlgorithm();
if( trustAlgorithm == null ) {
trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
}
SSLContext context = SSLContext.getInstance(protocol);
context.init(getKeyManagers(keystoreType, keystoreProvider,
algorithm,
- (String) attributes.get(AbstractEndpoint.SSL_ATTR_KEY_ALIAS)),
+ endpoint.getKeyAlias()),
getTrustManagers(keystoreType, keystoreProvider,
trustAlgorithm),
new SecureRandom());
// Configure SSL session cache
int sessionCacheSize;
- if (attributes.get(
- AbstractEndpoint.SSL_ATTR_SESSION_CACHE_SIZE) != null) {
+ if (endpoint.getSessionCacheSize() != null) {
sessionCacheSize = Integer.parseInt(
- (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_SESSION_CACHE_SIZE));
+ endpoint.getSessionCacheSize());
} else {
sessionCacheSize = defaultSessionCacheSize;
}
int sessionTimeout;
- if (attributes.get(
- AbstractEndpoint.SSL_ATTR_SESSION_TIMEOUT) != null) {
- sessionTimeout = Integer.parseInt(
- (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_SESSION_TIMEOUT));
+ if (endpoint.getSessionTimeout() != null) {
+ sessionTimeout = Integer.parseInt(endpoint.getSessionTimeout());
} else {
sessionTimeout = defaultSessionTimeout;
}
sslProxy = context.getServerSocketFactory();
// Determine which cipher suites to enable
- String requestedCiphers = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_CIPHERS);
+ String requestedCiphers = endpoint.getCiphers();
enabledCiphers = getEnabledCiphers(requestedCiphers,
sslProxy.getSupportedCipherSuites());
- allowUnsafeLegacyRenegotiation =
- "true".equals(attributes.get(
- AbstractEndpoint.SSL_ATTR_ALLOW_UNSAFE_RENEG));
+ allowUnsafeLegacyRenegotiation = "true".equals(
+ endpoint.getAllowUnsafeLegacyRenegotiation());
// Check the SSL config is OK
checkConfig();
protected TrustManager[] getTrustManagers(String keystoreType,
String keystoreProvider, String algorithm)
throws Exception {
- String crlf = (String) attributes.get(
- AbstractEndpoint.SSL_ATTR_CRL_FILE);
+ String crlf = endpoint.getCrlFile();
TrustManager[] tms = null;
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
- String trustLength = (String)attributes.get(
- AbstractEndpoint.SSL_ATTR_TRUST_MAX_CERT_LENGTH);
+ String trustLength = endpoint.getTrustMaxCertLength();
if(trustLength != null) {
try {
xparams.setMaxPathLength(Integer.parseInt(trustLength));
* Determines the SSL protocol variants to be enabled.
*
* @param socket The socket to get supported list from.
- * @param requestedProtocols Comma-separated list of requested SSL
- * protocol variants
+ * @param requestedProtocols Array of requested protocol names all of which
+ * must be non-null and non-zero length
*
* @return Array of SSL protocol variants to be enabled, or null if none of
* the requested protocol variants are supported
*/
protected String[] getEnabledProtocols(SSLServerSocket socket,
- String requestedProtocols){
+ String[] requestedProtocols){
String[] supportedProtocols = socket.getSupportedProtocols();
String[] enabledProtocols = null;
- if (requestedProtocols != null) {
+ if (requestedProtocols != null && requestedProtocols.length > 0) {
Vector<String> vec = null;
- String protocol = requestedProtocols;
- int index = requestedProtocols.indexOf(',');
- if (index != -1) {
- int fromIndex = 0;
- while (index != -1) {
- protocol =
- requestedProtocols.substring(fromIndex, index).trim();
- if (protocol.length() > 0) {
- /*
- * Check to see if the requested protocol is among the
- * supported protocols, i.e., may be enabled
- */
- for (int i=0; supportedProtocols != null
- && i<supportedProtocols.length; i++) {
- if (supportedProtocols[i].equals(protocol)) {
- if (vec == null) {
- vec = new Vector<String>();
- }
- vec.addElement(protocol);
- break;
- }
- }
- }
- fromIndex = index+1;
- index = requestedProtocols.indexOf(',', fromIndex);
- } // while
- protocol = requestedProtocols.substring(fromIndex);
- }
-
- if (protocol != null) {
- protocol = protocol.trim();
- if (protocol.length() > 0) {
- /*
- * Check to see if the requested protocol is among the
- * supported protocols, i.e., may be enabled
- */
- for (int i=0; supportedProtocols != null
- && i<supportedProtocols.length; i++) {
- if (supportedProtocols[i].equals(protocol)) {
- if (vec == null) {
- vec = new Vector<String>();
- }
- vec.addElement(protocol);
- break;
+ for (String protocol : requestedProtocols) {
+ /*
+ * Check to see if the requested protocol is among the supported
+ * protocols, i.e., may be enabled
+ */
+ for (int i=0; supportedProtocols != null &&
+ i < supportedProtocols.length; i++) {
+ if (supportedProtocols[i].equals(protocol)) {
+ if (vec == null) {
+ vec = new Vector<String>();
}
+ vec.addElement(protocol);
+ break;
}
}
- }
+ }
if (vec != null) {
enabledProtocols = new String[vec.size()];
socket.setEnabledCipherSuites(enabledCiphers);
}
- String requestedProtocols = (String) attributes.get("protocols");
+ String[] requestedProtocols = endpoint.getSslEnabledProtocolsArray();
setEnabledProtocols(socket, getEnabledProtocols(socket,
requestedProtocols));
connector uses OpenSSL. Therefore, in addition to using different attributes
to configure SSL, the APR/native connector also requires keys and certificates
to be provided in a different format.</p>
-
+
<p>The BIO and NIO connectors use the following attributes to configure SSL:
</p>
</attribute>
<attribute name="sslEnabledProtocols" required="false">
- <p><strong>NIO only</strong>. The version of the SSL protocols to use. If
- not specified, the default is "<code>TLSv1,SSLv3,SSLv2Hello</code>".</p>
+ <p>The list of SSL protocols to use. If not specified, the JVM default is
+ used.</p>
+ </attribute>
+
+ <attribute name="sslImplemenationName" required="false">
+ <p>The class name of the SSL implementation to use. If not specified, the
+ default of <code>org.apache.tomcat.util.net.jsse.JSSEImplementation</code>
+ will be used which wraps JVM's default JSSE provider. Note that the
+ JVM can be configured to use a different JSSE provider as the default.</p>
</attribute>
<attribute name="sslProtocol" required="false">
projects / tomcat7.0 / commitdiff