From c535ab2f1eb23a787e7032495258cddbfea20d8b Mon Sep 17 00:00:00 2001
From: fhanik
Date: Wed, 18 Oct 2006 17:10:44 +0000
Subject: [PATCH] Implemented SSLEngine attribute on the Java HTTP connectors.
This allows one to specify secure=true and scheme=https to prevent Tomcat
from redirecting when using an SSL accelerator in front of Tomcat
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk@465303 13f79535-47bb-0310-9956-ffa450edef68
---
.../apache/coyote/http11/Http11NioProcessor.java | 2 +-
.../apache/coyote/http11/Http11NioProtocol.java | 6 +++
java/org/apache/coyote/http11/Http11Protocol.java | 7 ++-
java/org/apache/tomcat/util/net/NioEndpoint.java | 15 ++++--
webapps/docs/config/http.xml | 22 +++++++--
webapps/docs/ssl-howto.xml | 54 ++++++++--------------
6 files changed, 63 insertions(+), 43 deletions(-)
diff --git a/java/org/apache/coyote/http11/Http11NioProcessor.java b/java/org/apache/coyote/http11/Http11NioProcessor.java
index 19700de97..122b8e7e3 100644
--- a/java/org/apache/coyote/http11/Http11NioProcessor.java
+++ b/java/org/apache/coyote/http11/Http11NioProcessor.java
@@ -103,7 +103,7 @@ public class Http11NioProcessor implements ActionHook {
response.setOutputBuffer(outputBuffer);
request.setResponse(response);
- ssl = endpoint.getSecure();
+ ssl = "on".equalsIgnoreCase(endpoint.getSSLEngine());
initializeFilters();
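Review bot: The `"on".equalsIgnoreCase(...)` test on the new line is repeated verbatim in the Http11Protocol hunk and in both NioEndpoint hunks, so any value other than exactly "on" ("true", "yes", a typo) silently leaves the socket in plaintext while `secure="true"` and `scheme="https"` still make request.isSecure() report a secured connection. Centralising the check in one boolean accessor on the endpoint, e.g. `public boolean isSSLEnabled() { return "on".equalsIgnoreCase(SSLEngine); }`, and using `ssl = endpoint.isSSLEnabled();` here keeps the four call sites in step, and the setter could then reject or at least log values it does not recognise instead of treating them as "off". The enclosing method starts and ends outside the hunk.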
diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index 84c14c0e1..a8ff9e3c7 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -516,6 +516,8 @@ public class Http11NioProtocol implements ProtocolHandler, MBeanRegistration
public String getKeystoreFile() { return ep.getKeystoreFile();}
public void setKeystoreFile(String s ) { ep.setKeystoreFile(s);}
+ public void setKeystore(String s) { setKeystoreFile(s);}
+ public String getKeystore(){ return getKeystoreFile();}
public String getAlgorithm() { return ep.getAlgorithm();}
public void setAlgorithm(String s ) { ep.setAlgorithm(s);}
@@ -535,6 +537,10 @@ public class Http11NioProtocol implements ProtocolHandler, MBeanRegistration
public String getCiphers() { return ep.getCiphers();}
public void setCiphers(String s) { ep.setCiphers(s);}
+ public String getSSLEngine() { return ep.getSSLEngine(); }
+ public void setSSLEngine(String SSLEngine) { ep.setSSLEngine(SSLEngine); }
+
+
// -------------------- Connection handler --------------------
diff --git a/java/org/apache/coyote/http11/Http11Protocol.java b/java/org/apache/coyote/http11/Http11Protocol.java
index ca219d04c..5e83b83f2 100644
--- a/java/org/apache/coyote/http11/Http11Protocol.java
+++ b/java/org/apache/coyote/http11/Http11Protocol.java
@@ -146,7 +146,7 @@ public class Http11Protocol
// Verify the validity of the configured socket factory
try {
- if (secure) {
+ if ("on".equalsIgnoreCase(getSSLEngine())) {
sslImplementation =
SSLImplementation.getInstance(sslImplementationName);
socketFactory = sslImplementation.getServerSocketFactory();
@@ -251,7 +251,10 @@ public class Http11Protocol
protected boolean secure;
public boolean getSecure() { return secure; }
public void setSecure(boolean b) { secure = b; }
-
+
+ protected String SSLEngine = "off";
+ public String getSSLEngine() { return SSLEngine;}
+ public void setSSLEngine(String SSLEngine) {this.SSLEngine = SSLEngine;}
/**
* Name of the socket factory.
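Review bot: The new field is added without any Javadoc, and it is named `SSLEngine` in UpperCamelCase while the setter parameter carries the same name and is disambiguated only by `this.`; the NioEndpoint hunk repeats the same pattern, and there the name also coincides with the JDK type javax.net.ssl.SSLEngine if that file imports it. Renaming the field and parameter to `sslEngine` follows the lowerCamelCase convention the surrounding fields (`secure`, `socketFactory`) already use. A Javadoc along the lines of `/** Only the value "on" (case-insensitive) makes this connector perform the TLS handshake itself; any other value, including the default "off", leaves connections plaintext. Independent of {@link #setSecure}, which only affects what request.isSecure() reports. */` would document the contract here and in NioEndpoint, where the current `SSL engine.` comment says nothing about accepted values.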
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index 9c994f58c..fc611a0de 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -350,8 +350,10 @@ public class NioEndpoint {
// -------------------- SSL related properties --------------------
protected String keystoreFile = System.getProperty("user.home")+"/.keystore";
public String getKeystoreFile() { return keystoreFile;}
- public void setKeystoreFile(String s ) { this.keystoreFile = s;}
-
+ public void setKeystoreFile(String s ) { this.keystoreFile = s; }
+ public void setKeystore(String s ) { setKeystoreFile(s);}
+ public String getKeystore() { return getKeystoreFile();}
+
protected String algorithm = "SunX509";
public String getAlgorithm() { return algorithm;}
public void setAlgorithm(String s ) { this.algorithm = s;}
@@ -396,6 +398,13 @@ public class NioEndpoint {
}
}
+ /**
+ * SSL engine.
+ */
+ protected String SSLEngine = "off";
+ public String getSSLEngine() { return SSLEngine;}
+ public void setSSLEngine(String SSLEngine) {this.SSLEngine = SSLEngine;}
+
protected boolean secure = false;
public boolean getSecure() { return secure;}
public void setSecure(boolean b) { secure = b;}
@@ -500,7 +509,7 @@ public class NioEndpoint {
}
// Initialize SSL if needed
- if (secure) {
+ if ("on".equalsIgnoreCase(getSSLEngine())) {
// Initialize SSL
char[] passphrase = getKeystorePass().toCharArray();
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 8cd4ef115..9d5471b6e 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -148,19 +148,35 @@
number specified here.
+
+
+ Use this attribute to enable SSL traffic on a connector.
+ To turn on SSL handshake/encryption/decryption on a connector
+ set this value to on.
+ The default value is off.
+ When turning this value on you will want to set the
+ scheme and the secure attributes as well
+ to pass the correct request.getScheme() and
+ request.isSecure() values to the servlets
+ See SSL Support for more information.
+
+
+
Set this attribute to the name of the protocol you wish to have
returned by calls to request.getScheme(). For
example, you would set this attribute to "https"
for an SSL Connector. The default value is "http".
- See SSL Support for more information.
+
Set this attribute to true if you wish to have
calls to request.isSecure() to return true
- for requests received by this Connector (you would want this on an
- SSL Connector). The default value is false.
+ for requests received by this Connector. You would want this on an
+ SSL Connector or a non SSL connector that is receiving data from a
+ SSL accelerator, like a crypto card, a SSL appliance or even a webserver.
+ The default value is false.
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 39d268494..47ff1bc70 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -17,8 +17,9 @@
-
IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR, Tomcat will
- use OpenSSL, which uses a different configuration.
+
IMPORTANT NOTE: This Howto refers to usage of JSSE, that comes included with
+ jdk 1.5 and higher. When using APR, Tomcat will
+ use OpenSSL, which uses a different configuration.
The description below uses the variable name $CATALINA_HOME
@@ -33,11 +34,6 @@
To install and configure SSL support on Tomcat 6, you need to follow
these simple steps. For more information, read the rest of this HOW-TO.
-
If you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from
- http://java.sun.com/products/jsse/
- and either make it an installed extension on the system, or else
- set an environment variable JSSE_HOME that points at the
- directory into which you installed JSSE.
Create a certificate keystore by executing the following command:
Windows:
@@ -177,30 +173,6 @@ hosts are commonly used with SSL in a production environment.
-
-
Note that JSSE is bundled with Sun's JDK 1.4 and later, so if you're using
-JDK 1.4 and later, you can skip this step.
-
-
-
Download the Java Secure Socket Extensions (JSSE) package,
-version 1.0.3 or later, from
-http://java.sun.com/products/jsse/.
-If you built Tomcat from source, you have probably already downloaded this
-package.
-
-
After expanding the package, there are two ways to make it available to
-Tomcat (choose one or the other):
-
-
Make JSSE an installed extension by copying all three JAR files
- (jcert.jar, jnet.jar, and jsse.jar)
- into your $JAVA_HOME/jre/lib/ext directory.
-
Create a new environment variable JSSE_HOME that contains
- the absolute path to the directory into which you unpacked the
- JSSE binary distribution.
-
-
-
-
Tomcat currently operates only on JKS or PKCS12
@@ -297,9 +269,11 @@ file installed with Tomcat. It will look something like this:
<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector
- port="8443" minProcessors="5" maxProcessors="75"
- enableLookups="true" disableUploadTimeout="true"
- acceptCount="100" debug="0" scheme="https" secure="true";
+ port="8443" minSpareThreads="5" maxSpareThreads="75"
+ enableLookups="true" disableUploadTimeout="true"
+ acceptCount="100" maxThreads="200"
+ scheme="https" secure="true" SSLEngine="on"
+ keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
-->
@@ -344,6 +318,18 @@ values, depending on how you configured your keystore earlier:
to request a client Certificate, but not fail if one isn't presented.
+
SSLEngine
+
+ Use this attribute to enable SSL traffic on a connector.
+ To turn on SSL handshake/encryption/decryption on a connector
+ set this value to on.
+ The default value is off.
+ When turning this value on you will want to set the
+ scheme and the secure attributes as well
+ to pass the correct request.getScheme() and
+ request.isSecure() values to the servlets
+
+
keystoreFile
Add this attribute if the keystore file you created is not in
--
2.11.0