org.xnio.SslClientAuthMode Java Examples
The following examples show how to use
org.xnio.SslClientAuthMode.
Example #1
Source File: UndertowSslConnection.java From lams with GNU General Public License v2.0 | 6 votes |
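/**
 * {@inheritDoc}
 * <p>
 * For {@link Options#SSL_CLIENT_AUTH_MODE} the previously configured mode is returned and
 * the wrapped {@code SSLEngine} is reconfigured. {@link Options#SECURE} cannot be changed on
 * this connection (it is always secure, see {@code getOption}). Every other option is
 * forwarded to the delegate connection.
 */
@Override
public <T> T setOption(final Option<T> option, final T value) throws IllegalArgumentException, IOException {
    if (option == Options.SSL_CLIENT_AUTH_MODE) {
        // Capture the mode the engine is currently configured with; it is the return value.
        final SslClientAuthMode previous = engine.getNeedClientAuth() ? SslClientAuthMode.REQUIRED
                : engine.getWantClientAuth() ? SslClientAuthMode.REQUESTED
                : SslClientAuthMode.NOT_REQUESTED;
        // SSLEngine#setWantClientAuth is documented to override any previous setting made by
        // setNeedClientAuth (and vice versa). Calling both setters unconditionally, i.e.
        // setNeedClientAuth(true) followed by setWantClientAuth(false), therefore leaves the
        // engine with NO client authentication: REQUIRED was silently degraded to
        // NOT_REQUESTED. Make exactly one setter the last call for each mode instead.
        if (value == SslClientAuthMode.REQUIRED) {
            engine.setNeedClientAuth(true);
        } else if (value == SslClientAuthMode.REQUESTED) {
            engine.setWantClientAuth(true);
        } else {
            // NOT_REQUESTED (or null): clear both flags so no certificate is asked for.
            engine.setNeedClientAuth(false);
            engine.setWantClientAuth(false);
        }
        return option.cast(previous);
    } else if (option == Options.SECURE) {
        // The "secure" flag is a property of the connection, not a setting.
        throw new IllegalArgumentException();
    } else {
        return delegate.setOption(option, value);
    }
}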
Example #2
Source File: DatawaveAuthenticationMechanism.java From datawave with Apache License 2.0 | 6 votes |
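/**
 * Returns the peer certificate chain presented on the TLS connection.
 * <p>
 * If the session cannot hand the certificates back without a renegotiation (the client
 * was never asked for a certificate), a renegotiation asking for one is attempted, but
 * only when {@code forceRenegotiation} is enabled and the security context reports that
 * authentication is required for this request. Any failure on that path ends in the same
 * {@link SSLPeerUnverifiedException}, with the underlying failure attached as its cause.
 * NOTE(review): TLS renegotiation is not available on every connection type (HTTP/2
 * session info rejects it, and TLS 1.3 has no renegotiation at all), so the fallback is
 * best effort.
 *
 * @param exchange the current exchange, passed through to the renegotiation
 * @param sslSession TLS session info for the connection
 * @param securityContext used only to decide whether a renegotiation is worthwhile
 * @return the peer certificates as reported by the session
 * @throws SSLPeerUnverifiedException if no verified peer certificates can be obtained
 */
private Certificate[] getPeerCertificates(HttpServerExchange exchange, SSLSessionInfo sslSession, SecurityContext securityContext) throws SSLPeerUnverifiedException {
    Throwable renegotiationFailure = null;
    try {
        return sslSession.getPeerCertificates();
    } catch (RenegotiationRequiredException e) {
        // we only renegotiate if authentication is required
        if (forceRenegotiation && securityContext.isAuthenticationRequired()) {
            try {
                // REQUESTED rather than REQUIRED: presumably so a client without a certificate
                // is not dropped at the TLS layer and can still fail at the application level.
                sslSession.renegotiate(exchange, SslClientAuthMode.REQUESTED);
                return sslSession.getPeerCertificates();
            } catch (IOException | RenegotiationRequiredException e1) {
                // The renegotiation did not yield a certificate. Report it as "unverified"
                // below, but keep the cause so the failure stays diagnosable.
                renegotiationFailure = e1;
            }
        }
    }
    SSLPeerUnverifiedException unverified = new SSLPeerUnverifiedException("");
    if (renegotiationFailure != null) {
        unverified.initCause(renegotiationFailure);
    }
    throw unverified;
}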
Example #3
Source File: Http2SslSessionInfo.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Returns the peer certificates of the underlying HTTP/2 TLS session.
 * <p>
 * When the session has no verified peer the failure is translated: if the channel is
 * configured with {@link SslClientAuthMode#NOT_REQUESTED} the caller is told that a
 * renegotiation would be needed to obtain a certificate; in every other case the original
 * {@link SSLPeerUnverifiedException} is rethrown unchanged.
 */
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
    final Certificate[] certificates;
    try {
        certificates = channel.getSslSession().getPeerCertificates();
    } catch (SSLPeerUnverifiedException unverified) {
        SslClientAuthMode configuredMode = null;
        try {
            configuredMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
        } catch (IOException ignored) {
            // ignore, will not actually happen; an unknown mode falls through to the rethrow
        }
        if (configuredMode == SslClientAuthMode.NOT_REQUESTED) {
            throw new RenegotiationRequiredException();
        }
        throw unverified;
    }
    return certificates;
}
Example #4
Source File: Http2SslSessionInfo.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Returns the peer certificate chain of the underlying HTTP/2 TLS session using the legacy
 * {@code SSLSession#getPeerCertificateChain()} API (deprecated in the JDK; prefer
 * {@link #getPeerCertificates()}).
 * <p>
 * On an unverified peer: if the channel's client auth mode is
 * {@link SslClientAuthMode#NOT_REQUESTED} a {@link RenegotiationRequiredException} is raised
 * instead, otherwise the original {@link SSLPeerUnverifiedException} propagates.
 */
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
    final X509Certificate[] chain;
    try {
        chain = channel.getSslSession().getPeerCertificateChain();
    } catch (SSLPeerUnverifiedException unverified) {
        SslClientAuthMode configuredMode = null;
        try {
            configuredMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
        } catch (IOException ignored) {
            // ignore, will not actually happen; an unknown mode falls through to the rethrow
        }
        if (configuredMode == SslClientAuthMode.NOT_REQUESTED) {
            throw new RenegotiationRequiredException();
        }
        throw unverified;
    }
    return chain;
}
Example #5
Source File: ConnectionSSLSessionInfo.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Returns the peer certificates of this connection's TLS session.
 * <p>
 * Failures are sticky: the first one is remembered in {@code unverified} or
 * {@code renegotiationRequiredException} and replayed on every later call until
 * {@code renegotiate} clears them. Note that the preallocated shared instances
 * ({@code PEER_UNVERIFIED_EXCEPTION}, {@code RENEGOTIATION_REQUIRED_EXCEPTION}) are
 * thrown in place of the exception actually caught, so the original stack trace is not
 * surfaced.
 */
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
    // Replay a cached failure, if any.
    if (unverified != null) {
        throw unverified;
    }
    if (renegotiationRequiredException != null) {
        throw renegotiationRequiredException;
    }
    final Certificate[] certificates;
    try {
        certificates = channel.getSslSession().getPeerCertificates();
    } catch (SSLPeerUnverifiedException caught) {
        SslClientAuthMode configuredMode = null;
        try {
            configuredMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
        } catch (IOException ignored) {
            // ignore, will not actually happen
        }
        if (configuredMode == SslClientAuthMode.NOT_REQUESTED) {
            // The client was never asked for a certificate; a renegotiation could still get one.
            renegotiationRequiredException = RENEGOTIATION_REQUIRED_EXCEPTION;
            throw renegotiationRequiredException;
        }
        // A certificate was requested/required and still no verified peer: final answer.
        unverified = PEER_UNVERIFIED_EXCEPTION;
        throw unverified;
    }
    return certificates;
}
Example #6
Source File: ConnectionSSLSessionInfo.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Returns the peer certificate chain of this connection's TLS session via the legacy
 * {@code SSLSession#getPeerCertificateChain()} API (deprecated in the JDK; prefer
 * {@link #getPeerCertificates()}).
 * <p>
 * Same caching rules as {@link #getPeerCertificates()}: the first failure is stored in
 * {@code unverified} or {@code renegotiationRequiredException} and replayed until
 * {@code renegotiate} resets them; the shared preallocated exception instances are thrown
 * rather than the one caught, so the original stack trace is not surfaced.
 */
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
    // Replay a cached failure, if any.
    if (unverified != null) {
        throw unverified;
    }
    if (renegotiationRequiredException != null) {
        throw renegotiationRequiredException;
    }
    final X509Certificate[] chain;
    try {
        chain = channel.getSslSession().getPeerCertificateChain();
    } catch (SSLPeerUnverifiedException caught) {
        SslClientAuthMode configuredMode = null;
        try {
            configuredMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
        } catch (IOException ignored) {
            // ignore, will not actually happen
        }
        if (configuredMode == SslClientAuthMode.NOT_REQUESTED) {
            // The client was never asked for a certificate; a renegotiation could still get one.
            renegotiationRequiredException = RENEGOTIATION_REQUIRED_EXCEPTION;
            throw renegotiationRequiredException;
        }
        // A certificate was requested/required and still no verified peer: final answer.
        unverified = PEER_UNVERIFIED_EXCEPTION;
        throw unverified;
    }
    return chain;
}
Example #7
Source File: ManagementHttpServer.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Assembles a {@link ManagementHttpServer} from the builder's settings.
 * <p>
 * A secure bind address requires an {@code SSLContext}; if none can be obtained this is a
 * configuration error and the server is not created (there is no silent fall-back to plain
 * HTTP). An HTTP-to-HTTPS redirect port is only advertised when both addresses share the
 * same {@code InetAddress} (WFLY-2870); otherwise it is disabled and a warning is logged.
 *
 * @param builder the configured builder
 * @return the server, not yet started
 */
private static ManagementHttpServer create(Builder builder) {
    final SslClientAuthMode clientAuthMode = builder.sslClientAuthMode;
    final boolean hasSecureAddress = builder.secureBindAddress != null;

    SSLContext sslContext = null;
    if (hasSecureAddress) {
        sslContext = getSSLContext(builder);
        if (sslContext == null) {
            throw ROOT_LOGGER.sslRequestedNoSslContext();
        }
    }

    final HttpOpenListener openListener = new HttpOpenListener(bufferPool);

    int secureRedirectPort = -1;
    if (hasSecureAddress) {
        secureRedirectPort = builder.secureBindAddress.getPort();
    }
    // WFLY-2870 -- redirect not supported if bindAddress and secureBindAddress are using different InetAddress
    final boolean sameInterface = builder.bindAddress == null
            || !hasSecureAddress
            || builder.bindAddress.getAddress().equals(builder.secureBindAddress.getAddress());
    if (secureRedirectPort > 0 && !sameInterface) {
        HttpServerLogger.ROOT_LOGGER.httpsRedirectNotSupported(builder.bindAddress.getAddress(), builder.secureBindAddress.getAddress());
        secureRedirectPort = -1;
    }

    final ExtensionHandlers extensionHandlers = setupOpenListener(openListener, secureRedirectPort, builder);
    return new ManagementHttpServer(openListener, builder.bindAddress, builder.secureBindAddress, sslContext,
            clientAuthMode, builder.worker, builder.httpAuthenticationFactory, builder.securityRealm, extensionHandlers);
}
Example #8
Source File: UndertowHTTPServerEngine.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Applies the configured TLS client-authentication policy to the Undertow builder.
 * <p>
 * {@code required} wins over {@code want}: a required client certificate maps to
 * {@link SslClientAuthMode#REQUIRED}, an optional one to {@link SslClientAuthMode#REQUESTED}.
 * When no TLS parameters or no client-authentication settings are present the builder is
 * returned untouched (Undertow's default mode applies).
 *
 * @param builder the builder to decorate
 * @return the same builder, possibly with {@code SSL_CLIENT_AUTH_MODE} set
 */
public Undertow.Builder decorateUndertowSocketConnection(Undertow.Builder builder) {
    final boolean hasClientAuthConfig = this.tlsServerParameters != null
            && this.tlsServerParameters.getClientAuthentication() != null;
    if (!hasClientAuthConfig) {
        return builder;
    }
    final boolean required = this.tlsServerParameters.getClientAuthentication().isRequired();
    final boolean wanted = this.tlsServerParameters.getClientAuthentication().isWant();
    if (required) {
        return builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
    }
    if (wanted) {
        return builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED);
    }
    return builder;
}
Example #9
Source File: ServerFactory.java From seed with Mozilla Public License 2.0 | 5 votes |
/**
 * Adds the HTTPS listener to the builder and applies the configured client-auth mode.
 * <p>
 * The listener is bound to the configured host/secure port with the provider's
 * {@code SSLContext}; a missing context is a fatal configuration error reported with the
 * keystore name. The client-auth mode is mapped from the crypto configuration by enum name,
 * so a value that does not match an {@link SslClientAuthMode} constant fails at startup with
 * {@link IllegalArgumentException} rather than silently running without client auth.
 *
 * @param builder the builder to extend
 * @param sslProvider source of the SSL context and SSL configuration
 * @return the builder with the HTTPS listener and socket option added
 */
private Undertow.Builder configureHttps(Undertow.Builder builder, SSLProvider sslProvider) {
    LOGGER.info("Undertow listening for HTTPS on {}:{}", serverConfig.getHost(), serverConfig.getSecurePort());
    final CryptoConfig.SSLConfig sslConfig = sslProvider.sslConfig();
    final Undertow.Builder withListener = builder.addHttpsListener(
            serverConfig.getSecurePort(),
            serverConfig.getHost(),
            sslProvider.sslContext().orElseThrow(
                    () -> SeedException.createNew(UndertowErrorCode.MISSING_SSL_CONTEXT).put("ksName", sslConfig.getKeystore())));
    final SslClientAuthMode clientAuthMode = SslClientAuthMode.valueOf(sslConfig.getClientAuthMode().toString());
    return withListener.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, clientAuthMode);
}
Example #10
Source File: UndertowHttpManagementService.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Derives the TLS client-authentication mode from the realm's supported mechanisms.
 * <p>
 * A realm that supports CLIENT_CERT gets {@link SslClientAuthMode#REQUIRED} only when it
 * offers no username/password alternative (DIGEST or PLAIN); otherwise the certificate is
 * merely {@link SslClientAuthMode#REQUESTED} so password-based clients are not rejected at
 * the TLS layer. Without CLIENT_CERT the result is {@code null}, i.e. leave the default.
 *
 * @param securityRealm the realm backing the management interface
 * @return the mode to apply, or {@code null} when certificate auth is not supported
 */
private static SslClientAuthMode getSslClientAuthMode(final SecurityRealm securityRealm) {
    final Set<AuthMechanism> supportedMechanisms = securityRealm.getSupportedAuthenticationMechanisms();
    if (!supportedMechanisms.contains(AuthMechanism.CLIENT_CERT)) {
        return null;
    }
    final boolean passwordAuthPossible = supportedMechanisms.contains(AuthMechanism.DIGEST)
            || supportedMechanisms.contains(AuthMechanism.PLAIN);
    // Username / Password auth is possible so don't mandate a client certificate.
    return passwordAuthPossible ? SslClientAuthMode.REQUESTED : SslClientAuthMode.REQUIRED;
}
Example #11
Source File: ManagementHttpServer.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Stores the fully-resolved server settings. Instances are only created by the
 * {@code create(Builder)} factory, which has already validated them.
 *
 * @param openListener listener that accepted connections are handed to
 * @param httpAddress plain HTTP bind address, or {@code null} when there is none
 * @param secureAddress HTTPS bind address, or {@code null} when there is none
 * @param sslContext SSL context for the secure address ({@code null} when there is no secure address)
 * @param sslClientAuthMode client certificate mode for the secure listener (presumably applied at start)
 * @param worker XNIO worker the listeners run on
 * @param httpAuthenticationFactory authentication factory for HTTP requests
 * @param securityRealm security realm backing the server
 * @param extensionExtensionHandlers handlers registered by {@code setupOpenListener}
 */
private ManagementHttpServer(HttpOpenListener openListener, InetSocketAddress httpAddress, InetSocketAddress secureAddress, SSLContext sslContext, SslClientAuthMode sslClientAuthMode, XnioWorker worker, HttpAuthenticationFactory httpAuthenticationFactory, SecurityRealm securityRealm, ExtensionHandlers extensionExtensionHandlers) {
    // Endpoints.
    this.httpAddress = httpAddress;
    this.secureAddress = secureAddress;
    this.openListener = openListener;
    // TLS.
    this.sslContext = sslContext;
    this.sslClientAuthMode = sslClientAuthMode;
    // Authentication.
    this.httpAuthenticationFactory = httpAuthenticationFactory;
    this.securityRealm = securityRealm;
    // Runtime.
    this.worker = worker;
    this.extensionHandlers = extensionExtensionHandlers;
}
Example #12
Source File: ConnectionSSLSessionInfo.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Performs a blocking TLS renegotiation on a connection whose request has been fully read,
 * switching the client-auth mode to {@code newAuthMode} so that a client certificate can be
 * obtained.
 * <p>
 * Only acts when the channel's current mode is {@link SslClientAuthMode#NOT_REQUESTED};
 * in every other mode the method is a no-op (the client has already been asked). The
 * connection's conduits are reset for the duration of the handshake and restored in
 * {@code finally}. Any application bytes (or EOF) arriving while the handshake is pending
 * abort it with {@link SSLPeerUnverifiedException}; that path does NOT close the
 * connection, only the timeout/failure path below does.
 * <p>
 * NOTE(review): TLS renegotiation is a TLS &lt;= 1.2 feature; confirm how this behaves when
 * the negotiated protocol is TLS 1.3, which has no renegotiation.
 *
 * @param exchange the current exchange (unused here, kept for API symmetry with the buffered variant)
 * @param newAuthMode the client-auth mode to switch the channel to before handshaking
 * @throws IOException if the handshake cannot be started, fails, or does not finish within
 *                     {@code MAX_RENEGOTIATION_WAIT}
 */
public void renegotiateNoRequest(HttpServerExchange exchange, SslClientAuthMode newAuthMode) throws IOException {
    AbstractServerConnection.ConduitState oldState = serverConnection.resetChannel();
    try {
        SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
        if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
            // The waiter is signalled by the channel once the new handshake completes.
            SslHandshakeWaiter waiter = new SslHandshakeWaiter();
            channel.getHandshakeSetter().set(waiter);
            // Switch to the mode the caller asked for (the CLIENT-CERT mechanism passes REQUESTED
            // so that it plays nicely with other auth modes), then force a fresh handshake.
            channel.setOption(Options.SSL_CLIENT_AUTH_MODE, newAuthMode);
            channel.getSslSession().invalidate();
            channel.startHandshake();
            serverConnection.getOriginalSinkConduit().flush();
            // A one-byte probe buffer: we never expect application data during the handshake.
            ByteBuffer buff = ByteBuffer.wrap(new byte[1]);
            long end = System.currentTimeMillis() + MAX_RENEGOTIATION_WAIT;
            while (!waiter.isDone() && serverConnection.isOpen() && System.currentTimeMillis() < end) {
                int read = serverConnection.getSourceChannel().read(buff);
                if (read != 0) {
                    // Either application data (a request pipelined during the renegotiation)
                    // or -1 on EOF: both mean the peer cannot be authenticated this way.
                    throw new SSLPeerUnverifiedException("");
                }
                if (!waiter.isDone()) {
                    // NOTE(review): if the deadline passed since the loop check, the remaining
                    // time passed here is <= 0 -- confirm awaitReadable treats that as "don't wait".
                    serverConnection.getSourceChannel().awaitReadable(end - System.currentTimeMillis(), TimeUnit.MILLISECONDS);
                }
            }
            if(!waiter.isDone()) {
                // Handshake never completed: the connection is unusable either way, close it.
                if(serverConnection.isOpen()) {
                    IoUtils.safeClose(serverConnection);
                    throw UndertowMessages.MESSAGES.rengotiationTimedOut();
                } else {
                    IoUtils.safeClose(serverConnection);
                    throw UndertowMessages.MESSAGES.rengotiationFailed();
                }
            }
        }
    } finally {
        // Put the request/response conduits back regardless of how the handshake ended.
        if (oldState != null) {
            serverConnection.restoreChannel(oldState);
        }
    }
}
Example #13
Source File: ConnectionSSLSessionInfo.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Renegotiates the TLS session so a client certificate can be requested with
 * {@code sslClientAuthMode}.
 * <p>
 * Any failure cached by {@code getPeerCertificates}/{@code getPeerCertificateChain} is
 * discarded first, so the outcome of the new handshake decides afresh. Which variant runs
 * depends on whether the request has been fully read: a complete request uses
 * {@code renegotiateNoRequest}, an in-flight one goes through {@code renegotiateBufferRequest}
 * (presumably buffering the remaining body first).
 *
 * @param exchange the current exchange
 * @param sslClientAuthMode the client-auth mode to renegotiate with
 * @throws IOException if the renegotiation fails
 */
@Override
public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
    // Reset the sticky failure cache before attempting a new handshake.
    unverified = null;
    renegotiationRequiredException = null;
    final boolean requestFullyRead = exchange.isRequestComplete();
    if (!requestFullyRead) {
        renegotiateBufferRequest(exchange, sslClientAuthMode);
        return;
    }
    renegotiateNoRequest(exchange, sslClientAuthMode);
}
Example #14
Source File: UndertowSslConnection.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * {@inheritDoc}
 * <p>
 * {@link Options#SSL_CLIENT_AUTH_MODE} is derived from the wrapped engine's flags
 * ("need" takes precedence over "want"); {@link Options#SECURE} always reports
 * {@code true} for this connection; everything else is answered by the delegate.
 */
@Override
public <T> T getOption(final Option<T> option) throws IOException {
    if (option == Options.SSL_CLIENT_AUTH_MODE) {
        final SslClientAuthMode mode;
        if (engine.getNeedClientAuth()) {
            mode = SslClientAuthMode.REQUIRED;
        } else if (engine.getWantClientAuth()) {
            mode = SslClientAuthMode.REQUESTED;
        } else {
            mode = SslClientAuthMode.NOT_REQUESTED;
        }
        return option.cast(mode);
    }
    if (option == Options.SECURE) {
        // Unchecked cast kept from the original: SECURE is assumed to be a boolean option.
        @SuppressWarnings("unchecked")
        final T secure = (T) Boolean.TRUE;
        return secure;
    }
    return delegate.getOption(option);
}
Example #15
Source File: BasicSSLSessionInfo.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 * <p>
 * This session-info implementation cannot renegotiate: the call always fails with the
 * "renegotiation not supported" error. A caller that received a
 * {@link RenegotiationRequiredException} therefore has no way to obtain a client certificate
 * on this connection and must treat the peer as not certificate-authenticated.
 *
 * @param exchange ignored
 * @param sslClientAuthMode ignored
 * @throws IOException always
 */
@Override
public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
    throw UndertowMessages.MESSAGES.renegotiationNotSupported();
}
Example #16
Source File: Server.java From light-4j with Apache License 2.0 | 4 votes |
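/**
 * Builds an Undertow server for {@code handler}, binds it to {@code port} (or to the
 * configured HTTP/HTTPS port when {@code port} is negative), starts it and, when the
 * registry is enabled, registers the service(s).
 * <p>
 * HTTPS takes precedence: when both {@code enableHttps} and {@code enableHttp} are set only
 * the HTTPS listener is created. With {@code enableTwoWayTls} the listener demands a client
 * certificate ({@link SslClientAuthMode#REQUIRED}). Note the listener is pinned to TLSv1.2
 * only (see the UNDERTOW-1422 workaround below), which also excludes TLSv1.3.
 *
 * @param handler root HTTP handler
 * @param port port to bind, or a negative value to use the configured one
 * @return {@code true} when the server is up; {@code false} when the bind failed and the
 *         caller may retry on another port (dynamic port mode)
 * @throws RuntimeException when neither listener is enabled, or when no port is left to try
 */
static private boolean bind(HttpHandler handler, int port) {
    ServerConfig serverConfig = getServerConfig();
    // A misconfiguration is not a bind failure: check it before the try so it is neither
    // reported as "No ports available" nor retried on the next port in dynamic-port mode.
    if (!serverConfig.enableHttps && !serverConfig.enableHttp) {
        throw new RuntimeException("Unable to start the server as both http and https are disabled in server.yml");
    }
    try {
        Undertow.Builder builder = Undertow.builder();
        if (serverConfig.enableHttps) {
            port = port < 0 ? serverConfig.getHttpsPort() : port;
            sslContext = createSSLContext();
            builder.addHttpsListener(port, serverConfig.getIp(), sslContext);
        } else {
            port = port < 0 ? serverConfig.getHttpPort() : port;
            builder.addHttpListener(port, serverConfig.getIp());
        }
        if (serverConfig.enableHttp2) {
            builder.setServerOption(UndertowOptions.ENABLE_HTTP2, true);
        }
        if (serverConfig.isEnableTwoWayTls()) {
            // Mutual TLS: the handshake fails unless the client presents a certificate.
            builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
        }
        // set and validate server options
        serverOptionInit();
        server = builder.setBufferSize(serverConfig.getBufferSize())
                .setIoThreads(serverConfig.getIoThreads()) // above seems slightly faster in some configurations
                .setSocketOption(Options.BACKLOG, serverConfig.getBacklog())
                // don't send a keep-alive header for HTTP/1.1 requests, as it is not required
                .setServerOption(UndertowOptions.ALWAYS_SET_KEEP_ALIVE, false)
                .setServerOption(UndertowOptions.ALWAYS_SET_DATE, serverConfig.isAlwaysSetDate())
                .setServerOption(UndertowOptions.RECORD_REQUEST_START_TIME, false)
                // Config-controlled relaxation of URL parsing; keep it off unless a client needs it.
                .setServerOption(UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL, serverConfig.isAllowUnescapedCharactersInUrl())
                // This is to overcome a bug in JDK 11.0.1, 11.0.2.
                // For more info https://issues.jboss.org/browse/UNDERTOW-1422
                // NOTE(review): this pins the server to TLSv1.2 only; revisit once the affected JDKs are out of support.
                .setSocketOption(Options.SSL_ENABLED_PROTOCOLS, Sequence.of("TLSv1.2"))
                .setHandler(Handlers.header(handler, Headers.SERVER_STRING, serverConfig.getServerString()))
                .setWorkerThreads(serverConfig.getWorkerThreads())
                .build();
        server.start();
        System.out.println("HOST IP " + System.getenv(STATUS_HOST_IP));
    } catch (Exception e) {
        if (!serverConfig.dynamicPort || usedPorts.size() >= (serverConfig.maxPort - serverConfig.minPort)) {
            String triedPortsMessage = serverConfig.dynamicPort ? serverConfig.minPort + " to " + (serverConfig.maxPort) : port + "";
            String errMessage = "No ports available to bind to. Tried: " + triedPortsMessage;
            System.out.println(errMessage);
            logger.error(errMessage);
            throw new RuntimeException(errMessage, e);
        }
        // Build the message once: the original used ++port in both the stdout and the log
        // statement, so the logged "failed"/"trying" ports were each one higher than the
        // real ones.
        String retryMessage = "Failed to bind to port " + port + ". Trying " + (port + 1);
        System.out.println(retryMessage);
        if (logger.isInfoEnabled()) logger.info(retryMessage);
        return false;
    }
    registerIfEnabled(serverConfig, port);
    logListeners(serverConfig, port);
    return true;
}

/**
 * Registers this service and any ids collected by startup hooks, then switches the registry
 * heartbeat on. No-op unless the registry is enabled.
 */
private static void registerIfEnabled(ServerConfig serverConfig, int port) {
    // application level service registry. only be used without docker container.
    if (!serverConfig.enableRegistry) {
        return;
    }
    // assuming that registry is defined in service.json, otherwise won't start the server.
    serviceUrls = new ArrayList<>();
    serviceUrls.add(register(serverConfig.getServiceId(), port));
    // check if any serviceIds from startup hook that need to be registered.
    for (String id : serviceIds) {
        serviceUrls.add(register(id, port));
    }
    // start heart beat if registry is enabled
    SwitcherUtil.setSwitcherValue(Constants.REGISTRY_HEARTBEAT_SWITCHER, true);
    if (logger.isInfoEnabled()) logger.info("Registry heart beat switcher is on");
}

/**
 * Reports which listener is actually bound. Only one listener ever exists (HTTPS when
 * enabled, otherwise HTTP), so HTTP is reported as disabled when HTTPS took precedence
 * instead of claiming a listener that was never created.
 */
private static void logListeners(ServerConfig serverConfig, int port) {
    boolean httpBound = serverConfig.enableHttp && !serverConfig.enableHttps;
    if (httpBound) {
        System.out.println("Http Server started on ip:" + serverConfig.getIp() + " Port:" + port);
        if (logger.isInfoEnabled()) logger.info("Http Server started on ip:" + serverConfig.getIp() + " Port:" + port);
    } else {
        System.out.println("Http port disabled.");
        if (logger.isInfoEnabled()) logger.info("Http port disabled.");
    }
    if (serverConfig.enableHttps) {
        System.out.println("Https Server started on ip:" + serverConfig.getIp() + " Port:" + port);
        if (logger.isInfoEnabled()) logger.info("Https Server started on ip:" + serverConfig.getIp() + " Port:" + port);
    } else {
        System.out.println("Https port disabled.");
        if (logger.isInfoEnabled()) logger.info("Https port disabled.");
    }
}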
Example #17
Source File: Http2SslSessionInfo.java From lams with GNU General Public License v2.0 | 4 votes |
/**
 * {@inheritDoc}
 * <p>
 * HTTP/2 connections are never renegotiated here: the call always fails with the
 * "renegotiation not supported" error. Consequently, when {@code getPeerCertificates()} on
 * this class reports {@link RenegotiationRequiredException} (client auth was
 * {@link SslClientAuthMode#NOT_REQUESTED} at handshake time), there is no way to obtain a
 * client certificate later on this connection; it has to be requested up front.
 *
 * @param exchange ignored
 * @param sslClientAuthMode ignored
 * @throws IOException always
 */
@Override
public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
    throw UndertowMessages.MESSAGES.renegotiationNotSupported();
}
Example #18
Source File: ManagementHttpServer.java From wildfly-core with GNU Lesser General Public License v2.1 | 3 votes |
/**
 * Set the SSL client authentication mode applied to the secure (HTTPS) listener.
 * <p>
 * Note: This should only be used for {@link SecurityRealm} provided {@link SSLContext}
 * instances. The value is stored as-is; {@code null} leaves the mode unset.
 *
 * @param sslClientAuthMode the SSL client authentication mode
 * @return {@code this} to allow chaining of commands
 * @throws IllegalStateException (presumably, via {@code assertNotBuilt()}) if the server has already been built
 */
public Builder setSSLClientAuthMode(SslClientAuthMode sslClientAuthMode) {
    // The builder is frozen once build() has run; reject late changes.
    assertNotBuilt();
    this.sslClientAuthMode = sslClientAuthMode;
    return this;
}
Example #19
Source File: SSLSessionInfo.java From lams with GNU General Public License v2.0 | 2 votes |
/**
 * Renegotiate in a blocking manner. This switches the connection's client authentication
 * mode to {@code sslClientAuthMode} and performs a new TLS handshake so that a client
 * certificate can be obtained from a session that was established without requesting one.
 * <p>
 * Not every implementation supports this; those that do not fail with an
 * {@link IOException} and a caller holding a {@link RenegotiationRequiredException} then
 * cannot obtain a certificate on that connection.
 *
 * TODO: we also need a non-blocking version
 *
 * @param exchange The exchange
 * @param sslClientAuthMode The client cert mode to use when renegotiating
 * @throws IOException if the handshake fails or times out, or if renegotiation is not supported
 */
void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException;