You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/22 11:25:39 UTC
[2/3] git commit: Disable SSLv2Hello
Disable SSLv2Hello
Conflicts:
rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a71f52c5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a71f52c5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a71f52c5
Branch: refs/heads/3.0.x-fixes
Commit: a71f52c5fac33b0fd11a3578a1df8c976511ff6b
Parents: 8e2af97
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 22 10:19:02 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Oct 22 10:20:17 2014 +0100
----------------------------------------------------------------------
.../http_jetty/JettyHTTPServerEngine.java | 240 +++++++++++++++++++
1 file changed, 240 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a71f52c5/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index 8577077..c31aad8 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -477,6 +477,246 @@ public class JettyHTTPServerEngine
++servantCount;
}
+<<<<<<< HEAD
+=======
+ private void addServerMBean() {
+ if (mBeanContainer == null) {
+ return;
+ }
+
+ try {
+ Object o = getContainer(server);
+ o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o, mBeanContainer);
+ if (Server.getVersion().startsWith("8")) {
+ return;
+ }
+ mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
+ .invoke(mBeanContainer, null, server);
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception r) {
+ throw new RuntimeException(r);
+ }
+ }
+ private void removeServerMBean() {
+ try {
+ mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
+ .invoke(mBeanContainer, null, server);
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception r) {
+ throw new RuntimeException(r);
+ }
+ }
+
+ private Connector createConnector(String hosto, int porto) {
+ // now we just use the SelectChannelConnector as the default connector
+ SslContextFactory sslcf = null;
+ if (tlsServerParameters != null) {
+ sslcf = new SslContextFactory() {
+ protected void doStart() throws Exception {
+ setSslContext(createSSLContext(this));
+ super.doStart();
+ }
+ public void checkKeyStore() {
+ //we'll handle this later
+ }
+ };
+ decorateCXFJettySslSocketConnector(sslcf);
+ }
+ AbstractConnector result = null;
+ if (!Server.getVersion().startsWith("8")) {
+ result = createConnectorJetty9(sslcf, hosto, porto);
+ } else {
+ result = createConnectorJetty8(sslcf, hosto, porto);
+ }
+
+ try {
+ result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
+ if (hosto != null) {
+ result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
+ }
+ result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+
+ return result;
+ }
+
+ AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto) {
+ //Jetty 9
+ AbstractConnector result = null;
+ try {
+ Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",
+ Server.class);
+ Object httpConfig = configClass.newInstance();
+ httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
+ .invoke(httpConfig, getSendServerVersion());
+
+ Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",
+ Server.class)
+ .getConstructor(configClass).newInstance(httpConfig);
+
+ Collection<Object> connectionFactories = new ArrayList<Object>();
+ result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",
+ Server.class)
+ .getConstructor(Server.class)
+ .newInstance(server);
+
+ if (tlsServerParameters != null) {
+ Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
+ Server.class);
+ httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
+ .invoke(httpConfig, src.newInstance());
+ Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
+ Server.class).getConstructor(SslContextFactory.class,
+ String.class)
+ .newInstance(sslcf, "HTTP/1.1");
+ connectionFactories.add(scf);
+ result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result, "SSL-HTTP/1.1");
+ }
+ connectionFactories.add(httpFactory);
+ result.getClass().getMethod("setConnectionFactories", Collection.class)
+ .invoke(result, connectionFactories);
+
+ if (getMaxIdleTime() > 0) {
+ result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new Long(getMaxIdleTime()));
+ }
+
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ return result;
+ }
+ AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto) {
+ //Jetty 8
+ AbstractConnector result = null;
+ try {
+ if (sslcf == null) {
+ result = (AbstractConnector)ClassLoaderUtils
+ .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
+ Server.class).newInstance();
+ } else {
+ result = (AbstractConnector)ClassLoaderUtils
+ .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
+ Server.class).getConstructor(SslContextFactory.class)
+ .newInstance(sslcf);
+ }
+ Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
+ if (getMaxIdleTime() > 0) {
+ result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result, getMaxIdleTime());
+ }
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ return result;
+ }
+
+
+ protected SSLContext createSSLContext(SslContextFactory scf) throws Exception {
+ String proto = tlsServerParameters.getSecureSocketProtocol() == null
+ ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+
+ if (!"SSLv3".equals(proto)) {
+ scf.addExcludeProtocols("SSLv3");
+ }
+ if (!"SSLv2Hello".equals(proto)) {
+ scf.addExcludeProtocols("SSLv2Hello");
+ }
+
+ SSLContext context = tlsServerParameters.getJsseProvider() == null
+ ? SSLContext.getInstance(proto)
+ : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
+
+ KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
+ if (tlsServerParameters.getCertAlias() != null) {
+ keyManagers = getKeyManagersWithCertAlias(keyManagers);
+ }
+ context.init(tlsServerParameters.getKeyManagers(),
+ tlsServerParameters.getTrustManagers(),
+ tlsServerParameters.getSecureRandom());
+
+ String[] cs =
+ SSLUtils.getCiphersuites(
+ tlsServerParameters.getCipherSuites(),
+ SSLUtils.getServerSupportedCipherSuites(context),
+ tlsServerParameters.getCipherSuitesFilter(),
+ LOG, true);
+
+ scf.setExcludeCipherSuites(cs);
+ return context;
+ }
+ protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception {
+ if (tlsServerParameters.getCertAlias() != null) {
+ for (int idx = 0; idx < keyManagers.length; idx++) {
+ if (keyManagers[idx] instanceof X509KeyManager) {
+ keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+ tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
+ }
+ }
+ }
+ return keyManagers;
+ }
+ protected void setClientAuthentication(SslContextFactory con,
+ ClientAuthentication clientAuth) {
+ con.setWantClientAuth(true);
+ if (clientAuth != null) {
+ if (clientAuth.isSetWant()) {
+ con.setWantClientAuth(clientAuth.isWant());
+ }
+ if (clientAuth.isSetRequired()) {
+ con.setNeedClientAuth(clientAuth.isRequired());
+ }
+ }
+ }
+ /**
+ * This method sets the security properties for the CXF extension
+ * of the JettySslConnector.
+ */
+ private void decorateCXFJettySslSocketConnector(
+ SslContextFactory con
+ ) {
+ setClientAuthentication(con,
+ tlsServerParameters.getClientAuthentication());
+ con.setCertAlias(tlsServerParameters.getCertAlias());
+ }
+
+
+ private static Container getContainer(Object server) {
+ if (server instanceof Container) {
+ return (Container)server;
+ }
+ try {
+ return (Container)server.getClass().getMethod("getContainer").invoke(server);
+ } catch (RuntimeException t) {
+ throw t;
+ } catch (Throwable t) {
+ throw new RuntimeException(t);
+ }
+ }
+
+ private static void logConnector(Connector connector) {
+ try {
+ String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
+ int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
+ LOG.finer("connector.host: "
+ + h == null
+ ? "null"
+ : "\"" + h + "\"");
+ LOG.finer("connector.port: " + port);
+ } catch (Throwable t) {
+ //ignore
+ }
+ }
+
+>>>>>>> 0d63846... Disable SSLv2Hello
protected void setupThreadPool() {
AbstractConnector aconn = (AbstractConnector) connector;
if (isSetThreadingParameters()) {