Java Code Examples for org.apache.tomcat.util.net.SSLHostConfig

@Test
public void sslCiphersConfiguration() throws Exception {
	Ssl ssl = new Ssl();
	ssl.setKeyStore("test.jks");
	ssl.setKeyStorePassword("secret");
	ssl.setCiphers(new String[] { "ALPHA", "BRAVO", "CHARLIE" });

	TomcatEmbeddedServletContainerFactory factory = getFactory();
	factory.setSsl(ssl);

	Tomcat tomcat = getTomcat(factory);
	Connector connector = tomcat.getConnector();

	SSLHostConfig[] sslHostConfigs = connector.getProtocolHandler()
			.findSslHostConfigs();
	assertThat(sslHostConfigs[0].getCiphers()).isEqualTo("ALPHA:BRAVO:CHARLIE");
}
 

@Test
public void sslEnabledMultipleProtocolsConfiguration() throws Exception {
	Ssl ssl = getSsl(null, "password", "src/test/resources/test.jks");
	ssl.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
	ssl.setCiphers(new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "BRAVO" });

	TomcatEmbeddedServletContainerFactory factory = getFactory();
	factory.setSsl(ssl);

	this.container = factory
			.getEmbeddedServletContainer(sessionServletRegistration());
	this.container.start();
	Tomcat tomcat = ((TomcatEmbeddedServletContainer) this.container).getTomcat();
	Connector connector = tomcat.getConnector();

	SSLHostConfig sslHostConfig = connector.getProtocolHandler()
			.findSslHostConfigs()[0];
	assertThat(sslHostConfig.getSslProtocol()).isEqualTo("TLS");
	assertThat(sslHostConfig.getEnabledProtocols())
			.containsExactlyInAnyOrder("TLSv1.1", "TLSv1.2");
}
 

@Test
public void sslEnabledProtocolsConfiguration() throws Exception {
	Ssl ssl = getSsl(null, "password", "src/test/resources/test.jks");
	ssl.setEnabledProtocols(new String[] { "TLSv1.2" });
	ssl.setCiphers(new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "BRAVO" });

	TomcatEmbeddedServletContainerFactory factory = getFactory();
	factory.setSsl(ssl);

	this.container = factory
			.getEmbeddedServletContainer(sessionServletRegistration());
	Tomcat tomcat = ((TomcatEmbeddedServletContainer) this.container).getTomcat();
	Connector connector = tomcat.getConnector();

	this.container.start();
	SSLHostConfig sslHostConfig = connector.getProtocolHandler()
			.findSslHostConfigs()[0];
	assertThat(sslHostConfig.getSslProtocol()).isEqualTo("TLS");
	assertThat(sslHostConfig.getEnabledProtocols()).containsExactly("TLSv1.2");
}
 

private Connector makeConnector() {
  Connector connector = new Connector(Http11Nio2Protocol.class.getName());

  if (keystoreFile == null) {

    // HTTP connector
    connector.setPort(port);
    connector.setSecure(false);
    connector.setScheme("http");

  } else {

    // HTTPS connector
    connector.setPort(securePort);
    connector.setSecure(true);
    connector.setScheme("https");
    connector.setAttribute("SSLEnabled", "true");
    SSLHostConfig sslHostConfig = new SSLHostConfig();
    SSLHostConfigCertificate cert =
        new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.RSA);
    cert.setCertificateKeystoreFile(keystoreFile.toAbsolutePath().toString());
    cert.setCertificateKeystorePassword(keystorePassword);
    cert.setCertificateKeyAlias(keyAlias);
    sslHostConfig.addCertificate(cert);
    connector.addSslHostConfig(sslHostConfig);
  }

  connector.addUpgradeProtocol(new Http2Protocol());

  // Keep quiet about the server type
  connector.setXpoweredBy(false);

  // Basic tuning params:
  connector.setAttribute("maxThreads", 400);
  connector.setAttribute("acceptCount", 50);
  //connector.setAttribute("connectionTimeout", 2000);
  connector.setAttribute("maxKeepAliveRequests", 100);

  // Avoid running out of ephemeral ports under heavy load?
  connector.setAttribute("socket.soReuseAddress", true);

  connector.setMaxPostSize(0);
  connector.setAttribute("disableUploadTimeout", false);

  // Allow long URLs
  connector.setAttribute("maxHttpHeaderSize", 65536);

  // Enable response compression
  connector.setAttribute("compression", "on");
  // Defaults are text/html,text/xml,text/plain,text/css
  connector.setAttribute("compressableMimeType", "text/html,text/xml,text/plain,text/css,text/csv,application/json");

  return connector;
}
 

/**
 * Instantiates a new SSL host config helper.
 *
 * @param protocol the protocol
 * @param info the info
 * @throws IllegalAccessException the illegal access exception
 * @throws InvocationTargetException the invocation target exception
 */
public SslHostConfigHelper(AbstractHttp11JsseProtocol<?> protocol, ConnectorInfo info)
    throws IllegalAccessException, InvocationTargetException {
  SSLHostConfig[] sslHostConfigs = protocol.findSslHostConfigs();
  List<SslHostConfigInfo> sslHostConfigInfos = new ArrayList<>(sslHostConfigs.length);
  info.setSslHostConfigInfos(sslHostConfigInfos);

  for (SSLHostConfig sslHostConfig : sslHostConfigs) {
    sslHostConfigInfos.add(toSslHostConfigInfo(sslHostConfig));
  }
}
 

/**
 * To SslHostConfig info.
 * 
 * @param sslHostConfig the SslHostConfig
 * @return the SslHostConfig info
 * @throws IllegalAccessException the illegal access exception
 * @throws InvocationTargetException the invocation target exception
 */
private SslHostConfigInfo toSslHostConfigInfo(SSLHostConfig sslHostConfig)
    throws IllegalAccessException, InvocationTargetException {
  SslHostConfigInfo sslHostConfigInfo = new SslHostConfigInfo();
  BeanUtils.copyProperties(sslHostConfigInfo, sslHostConfig);

  Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates();
  List<CertificateInfo> certificateInfos = new ArrayList<>(certificates.size());
  sslHostConfigInfo.setCertificateInfos(certificateInfos);
  for (SSLHostConfigCertificate sslHostConfigCertificate : certificates) {
    certificateInfos.add(toCertificateInfo(sslHostConfigCertificate));
  }

  return sslHostConfigInfo;
}
 

/**
 * Configure Tomcat's {@link AbstractHttp11JsseProtocol} for SSL.
 * @param protocol the protocol
 * @param ssl the ssl details
 */
protected void configureSsl(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
	protocol.setSSLEnabled(true);
	protocol.setSslProtocol(ssl.getProtocol());
	configureSslClientAuth(protocol, ssl);
	protocol.setKeystorePass(ssl.getKeyStorePassword());
	protocol.setKeyPass(ssl.getKeyPassword());
	protocol.setKeyAlias(ssl.getKeyAlias());
	String ciphers = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
	protocol.setCiphers(StringUtils.hasText(ciphers) ? ciphers : null);
	if (ssl.getEnabledProtocols() != null) {
		try {
			for (SSLHostConfig sslHostConfig : protocol.findSslHostConfigs()) {
				sslHostConfig.setProtocols(StringUtils
						.arrayToCommaDelimitedString(ssl.getEnabledProtocols()));
			}
		}
		catch (NoSuchMethodError ex) {
			// Tomcat 8.0.x or earlier
			Assert.isTrue(
					protocol.setProperty("sslEnabledProtocols",
							StringUtils.arrayToCommaDelimitedString(
									ssl.getEnabledProtocols())),
					"Failed to set sslEnabledProtocols");
		}
	}
	if (getSslStoreProvider() != null) {
		TomcatURLStreamHandlerFactory instance = TomcatURLStreamHandlerFactory
				.getInstance();
		instance.addUserFactory(
				new SslStoreProviderUrlStreamHandlerFactory(getSslStoreProvider()));
		protocol.setKeystoreFile(
				SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
		protocol.setTruststoreFile(
				SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
	}
	else {
		configureSslKeyStore(protocol, ssl);
		configureSslTrustStore(protocol, ssl);
	}
}
 

@Override
public void addSslHostConfig(SSLHostConfig sslHostConfig) {}
 

@Override
@SuppressWarnings("ZeroLengthArrayAllocation")
public SSLHostConfig[] findSslHostConfigs() {
    return new SSLHostConfig[0];
}
 

private SSLHostConfig getSslHostConfig(EncryptedSslHttp11NioProtocol protocol) {
    SSLHostConfig[] sslHostConfigs = protocol.getEndpoint().findSslHostConfigs();
    return sslHostConfigs[0];
}
 

private SSLHostConfig getSslHostConfig(EncryptedSslHttp11Nio2Protocol protocol) {
    SSLHostConfig[] sslHostConfigs = protocol.getEndpoint().findSslHostConfigs();
    return sslHostConfigs[0];
}