org.mortbay.jetty.security

Class SslSocketConnector

java.lang.Object

org.mortbay.component.AbstractLifeCycle

org.mortbay.jetty.AbstractBuffers

org.mortbay.jetty.AbstractConnector

org.mortbay.jetty.bio.SocketConnector

org.mortbay.jetty.security.SslSocketConnector

All Implemented Interfaces:

org.mortbay.component.LifeCycle, Buffers, Connector

public class SslSocketConnector
extends SocketConnector

JSSE Socket Listener. This specialization of HttpListener is an abstract listener that can be used as the basis for a specific JSSE listener. This is heavily based on the work from Court Demas, which in turn is based on the work from Forge Research.

Author:

Greg Wilkins (gregw@mortbay.com), Court Demas (court@kiwiconsulting.com), Forge Research Pty Ltd ACN 003 491 576, Jan Hlavat�

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	SslSocketConnector.SslConnection

Nested classes/interfaces inherited from class org.mortbay.jetty.bio.SocketConnector

SocketConnector.Connection

Nested classes/interfaces inherited from class org.mortbay.jetty.AbstractBuffers

AbstractBuffers.ThreadBuffers

Nested classes/interfaces inherited from interface org.mortbay.component.LifeCycle

org.mortbay.component.LifeCycle.Listener

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_KEYSTORE Default value for the keystore location path.
static String	KEYPASSWORD_PROPERTY String name of key password property.
static String	PASSWORD_PROPERTY String name of keystore password property.

Fields inherited from class org.mortbay.jetty.bio.SocketConnector

_connections, _serverSocket

Fields inherited from class org.mortbay.jetty.AbstractConnector

_lowResourceMaxIdleTime, _maxIdleTime, _soLingerTime

Fields inherited from class org.mortbay.component.AbstractLifeCycle

_listeners

Constructor Summary

Constructors

Constructor and Description
SslSocketConnector() Constructor.

Method Summary

Modifier and Type	Method and Description
void	accept(int acceptorID)
protected void	configure(Socket socket)
protected SSLServerSocketFactory	createFactory()
void	customize(EndPoint endpoint, Request request) Allow the Listener a chance to customise the request.
String[]	getExcludeCipherSuites()
int	getHandshakeTimeout()
String	getKeystore()
String	getKeystoreType()
boolean	getNeedClientAuth()
String	getProtocol()
String	getProvider()
String	getSecureRandomAlgorithm()
String	getSslKeyManagerFactoryAlgorithm()
String	getSslTrustManagerFactoryAlgorithm()
String	getTruststore()
String	getTruststoreType()
boolean	getWantClientAuth()
boolean	isAllowRenegotiate()
boolean	isConfidential(Request request) By default, we're confidential, given we speak SSL.
boolean	isIntegral(Request request) By default, we're integral, given we speak SSL.
protected ServerSocket	newServerSocket(String host, int port, int backlog)
void	setAllowRenegotiate(boolean allowRenegotiate) Set if SSL re-negotiation is allowed.
void	setExcludeCipherSuites(String[] cipherSuites)
void	setHandshakeTimeout(int msec) Set the time in milliseconds for so_timeout during ssl handshaking
void	setKeyPassword(String password)
void	setKeystore(String keystore)
void	setKeystoreType(String keystoreType)
void	setNeedClientAuth(boolean needClientAuth) Set the value of the needClientAuth property
void	setPassword(String password)
void	setProtocol(String protocol)
void	setProvider(String _provider)
void	setSecureRandomAlgorithm(String algorithm)
void	setSslKeyManagerFactoryAlgorithm(String algorithm)
void	setSslTrustManagerFactoryAlgorithm(String algorithm)
void	setTrustPassword(String password)
void	setTruststore(String truststore)
void	setTruststoreType(String truststoreType)
void	setWantClientAuth(boolean wantClientAuth) Set the value of the _wantClientAuth property.

Methods inherited from class org.mortbay.jetty.bio.SocketConnector

close, doStart, doStop, getConnection, getLocalPort, newBuffer, newHttpConnection, open

Methods inherited from class org.mortbay.jetty.AbstractConnector

checkForwardedHeaders, connectionClosed, connectionOpened, getAcceptorPriorityOffset, getAcceptors, getAcceptQueueSize, getConfidentialPort, getConfidentialScheme, getConnections, getConnectionsDurationAve, getConnectionsDurationMax, getConnectionsDurationMin, getConnectionsDurationTotal, getConnectionsOpen, getConnectionsOpenMax, getConnectionsOpenMin, getConnectionsRequestsAve, getConnectionsRequestsMax, getConnectionsRequestsMin, getForwardedForHeader, getForwardedHostHeader, getForwardedServerHeader, getHost, getHostHeader, getIntegralPort, getIntegralScheme, getLeftMostValue, getLowResourceMaxIdleTime, getMaxIdleTime, getName, getPort, getRequests, getResolveNames, getReuseAddress, getServer, getSoLingerTime, getStatsOn, getStatsOnMs, getThreadPool, isForwarded, join, newContinuation, persist, setAcceptorPriorityOffset, setAcceptors, setAcceptQueueSize, setConfidentialPort, setConfidentialScheme, setForwarded, setForwardedForHeader, setForwardedHostHeader, setForwardedServerHeader, setHost, setHostHeader, setIntegralPort, setIntegralScheme, setLowResourceMaxIdleTime, setMaxIdleTime, setName, setPort, setResolveNames, setReuseAddress, setServer, setSoLingerTime, setStatsOn, setThreadPool, statsReset, stopAccept, toString

Methods inherited from class org.mortbay.jetty.AbstractBuffers

getBuffer, getHeaderBufferSize, getRequestBufferSize, getResponseBufferSize, returnBuffer, setHeaderBufferSize, setRequestBufferSize, setResponseBufferSize

Methods inherited from class org.mortbay.component.AbstractLifeCycle

addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.mortbay.jetty.Connector

getHeaderBufferSize, getRequestBufferSize, getResponseBufferSize, setHeaderBufferSize, setRequestBufferSize, setResponseBufferSize

Methods inherited from interface org.mortbay.component.LifeCycle

addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Methods inherited from interface org.mortbay.io.Buffers

getBuffer, returnBuffer

Field Detail

DEFAULT_KEYSTORE

public static final String DEFAULT_KEYSTORE

Default value for the keystore location path.

KEYPASSWORD_PROPERTY

public static final String KEYPASSWORD_PROPERTY

String name of key password property.

See Also:

Constant Field Values

PASSWORD_PROPERTY

public static final String PASSWORD_PROPERTY

String name of keystore password property.

See Also:

Constant Field Values

Constructor Detail

SslSocketConnector

public SslSocketConnector()

Constructor.

Method Detail

isAllowRenegotiate

public boolean isAllowRenegotiate()

Returns:

True if SSL re-negotiation is allowed (default false)

setAllowRenegotiate

public void setAllowRenegotiate(boolean allowRenegotiate)

Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered a vulnerability in SSL/TLS with re-negotiation. If your JVM does not have CVE-2009-3555 fixed, then re-negotiation should not be allowed.

Parameters:

allowRenegotiate - true if re-negotiation is allowed (default false)

accept

public void accept(int acceptorID)
            throws IOException,
                   InterruptedException

Overrides:

accept in class SocketConnector

Throws:

IOException

InterruptedException

configure

protected void configure(Socket socket)
                  throws IOException

Overrides:

configure in class AbstractConnector

Throws:

IOException

createFactory

protected SSLServerSocketFactory createFactory()
                                        throws Exception

Throws:

Exception

customize

public void customize(EndPoint endpoint,
                      Request request)
               throws IOException

Allow the Listener a chance to customise the request. before the server does its stuff.
This allows the required attributes to be set for SSL requests.
The requirements of the Servlet specs are:

• an attribute named "javax.servlet.request.cipher_suite" of type String.
• an attribute named "javax.servlet.request.key_size" of type Integer.
• an attribute named "javax.servlet.request.X509Certificate" of type java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate, the order of this array is defined as being in ascending order of trust. The first certificate in the chain is the one set by the client, the next is the one used to authenticate the first, and so on.

Specified by:

customize in interface Connector

Overrides:

customize in class SocketConnector

Parameters:

endpoint - The Socket the request arrived on. This should be a SocketEndPoint wrapping a SSLSocket.

request - HttpRequest to be customised.

Throws:

IOException

getExcludeCipherSuites

public String[] getExcludeCipherSuites()

getKeystore

public String getKeystore()

getKeystoreType

public String getKeystoreType()

getNeedClientAuth

public boolean getNeedClientAuth()

getProtocol

public String getProtocol()

getProvider

public String getProvider()

getSecureRandomAlgorithm

public String getSecureRandomAlgorithm()

getSslKeyManagerFactoryAlgorithm

public String getSslKeyManagerFactoryAlgorithm()

getSslTrustManagerFactoryAlgorithm

public String getSslTrustManagerFactoryAlgorithm()

getTruststore

public String getTruststore()

getTruststoreType

public String getTruststoreType()

getWantClientAuth

public boolean getWantClientAuth()

isConfidential

public boolean isConfidential(Request request)

By default, we're confidential, given we speak SSL. But, if we've been told about an confidential port, and said port is not our port, then we're not. This allows separation of listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring client certs providing mere INTEGRAL constraints.

Specified by:

isConfidential in interface Connector

Overrides:

isConfidential in class AbstractConnector

Parameters:

request - A request

Returns:

true if the request is confidential. This normally means the https schema has been used.

isIntegral

public boolean isIntegral(Request request)

By default, we're integral, given we speak SSL. But, if we've been told about an integral port, and said port is not our port, then we're not. This allows separation of listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring client certs providing mere INTEGRAL constraints.

Specified by:

isIntegral in interface Connector

Overrides:

isIntegral in class AbstractConnector

Parameters:

request - A request

Returns:

true if the request is integral. This normally means the https schema has been used.

newServerSocket

protected ServerSocket newServerSocket(String host,
                                       int port,
                                       int backlog)
                                throws IOException

Overrides:

newServerSocket in class SocketConnector

Parameters:

addr - The address that this server should listen on

backlog - See ServerSocket.bind(java.net.SocketAddress, int)

Returns:

A new socket object bound to the supplied address with all other settings as per the current configuration of this connector.

Throws:

IOException

See Also:

setWantClientAuth(boolean), setNeedClientAuth(boolean), #setCipherSuites

setExcludeCipherSuites

public void setExcludeCipherSuites(String[] cipherSuites)

setKeyPassword

public void setKeyPassword(String password)

setKeystore

public void setKeystore(String keystore)

Parameters:

keystore - The resource path to the keystore, or null for built in keystores.

setKeystoreType

public void setKeystoreType(String keystoreType)

setNeedClientAuth

public void setNeedClientAuth(boolean needClientAuth)

Set the value of the needClientAuth property

Parameters:

needClientAuth - true iff we require client certificate authentication.

setPassword

public void setPassword(String password)

setTrustPassword

public void setTrustPassword(String password)

setProtocol

public void setProtocol(String protocol)

setProvider

public void setProvider(String _provider)

setSecureRandomAlgorithm

public void setSecureRandomAlgorithm(String algorithm)

setSslKeyManagerFactoryAlgorithm

public void setSslKeyManagerFactoryAlgorithm(String algorithm)

setSslTrustManagerFactoryAlgorithm

public void setSslTrustManagerFactoryAlgorithm(String algorithm)

setTruststore

public void setTruststore(String truststore)

setTruststoreType

public void setTruststoreType(String truststoreType)

setWantClientAuth

public void setWantClientAuth(boolean wantClientAuth)

Set the value of the _wantClientAuth property. This property is used when opening server sockets.

Parameters:

wantClientAuth - true iff we want client certificate authentication.

See Also:

SSLServerSocket.setWantClientAuth(boolean)

setHandshakeTimeout

public void setHandshakeTimeout(int msec)

Set the time in milliseconds for so_timeout during ssl handshaking

Parameters:

msec - a non-zero value will be used to set so_timeout during ssl handshakes. A zero value means the maxIdleTime is used instead.

getHandshakeTimeout

public int getHandshakeTimeout()