Posted to scm@geronimo.apache.org by am...@apache.org on 2005/12/07 07:15:03 UTC
svn commit: r354734 - in /geronimo/trunk:
applications/console-standard/src/java/org/apache/geronimo/console/webmanager/
applications/console-standard/src/webapp/WEB-INF/view/webmanager/connector/
modules/tomcat/src/java/org/apache/geronimo/tomcat/
Author: ammulder
Date: Tue Dec 6 22:14:55 2005
New Revision: 354734
URL: http://svn.apache.org/viewcvs?rev=354734&view=rev
Log:
Better trust store settings and information GERONIMO-1181 GERONIMO-1071
(Thanks Vamsavardhana!)
Added:
geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatSecureConnector.java
Modified:
geronimo/trunk/applications/console-standard/src/java/org/apache/geronimo/console/webmanager/ConnectorPortlet.java
geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webmanager/connector/editHTTPS.jsp
geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/HttpsConnectorGBean.java
Modified: geronimo/trunk/applications/console-standard/src/java/org/apache/geronimo/console/webmanager/ConnectorPortlet.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/applications/console-standard/src/java/org/apache/geronimo/console/webmanager/ConnectorPortlet.java?rev=354734&r1=354733&r2=354734&view=diff
==============================================================================
--- geronimo/trunk/applications/console-standard/src/java/org/apache/geronimo/console/webmanager/ConnectorPortlet.java (original)
+++ geronimo/trunk/applications/console-standard/src/java/org/apache/geronimo/console/webmanager/ConnectorPortlet.java Tue Dec 6 22:14:55 2005
@@ -107,6 +107,9 @@
String keystorePass = actionRequest.getParameter("keystorePassword");
String secureProtocol = actionRequest.getParameter("secureProtocol");
String algorithm = actionRequest.getParameter("algorithm");
+ String truststoreType = actionRequest.getParameter("truststoreType");
+ String truststoreFile = actionRequest.getParameter("truststoreFile");
+ String truststorePass = actionRequest.getParameter("truststorePassword");
boolean clientAuth = isValid(actionRequest.getParameter("clientAuth"));
SecureConnector secure = (SecureConnector) connector;
if(isValid(keystoreType)) {secure.setKeystoreType(keystoreType);}
@@ -119,7 +122,9 @@
if(isValid(privateKeyPass)) {setProperty(secure, "keyPassword", privateKeyPass);}
}
else if (server.equals(WEB_SERVER_TOMCAT)) {
- //todo: Any Tomcat specific processing?
+ if(isValid(truststoreType)) {setProperty(secure, "truststoreType", truststoreType);}
+ if(isValid(truststoreFile)) {setProperty(secure, "truststoreFileName", truststoreFile);}
+ if(isValid(truststorePass)) {setProperty(secure, "truststorePassword", truststorePass);}
}
else {
//todo: Handle "should not occur" condition
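Review bot: The three `setProperty(secure, "truststore…", …)` calls at lines 40-42 push Tomcat-only settings through a string-keyed helper on a `SecureConnector` reference, even though this same commit introduces `TomcatSecureConnector` with typed setters for exactly these properties; if the console module is allowed to depend on the tomcat module, an `instanceof TomcatSecureConnector` cast with direct calls would let the compiler catch a mistyped key such as `"truststoreFileName"` instead of leaving it to a runtime lookup. The identical three lines are repeated in the second handler (the hunk at -184), where the file and password calls appear in the opposite order; a small private helper such as `applyTruststoreSettings(secure, truststoreType, truststoreFile, truststorePass)` called from both branches would keep them in step. Both enclosing methods start and end outside these hunks.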
@@ -172,6 +177,9 @@
String keystorePass = actionRequest.getParameter("keystorePassword");
String secureProtocol = actionRequest.getParameter("secureProtocol");
String algorithm = actionRequest.getParameter("algorithm");
+ String truststoreType = actionRequest.getParameter("truststoreType");
+ String truststoreFile = actionRequest.getParameter("truststoreFile");
+ String truststorePass = actionRequest.getParameter("truststorePassword");
boolean clientAuth = isValid(actionRequest.getParameter("clientAuth"));
SecureConnector secure = (SecureConnector) connector;
if(isValid(keystoreType)) {secure.setKeystoreType(keystoreType);}
@@ -184,7 +192,9 @@
if(isValid(privateKeyPass)) {setProperty(secure, "keyPassword", privateKeyPass);}
}
else if (server.equals(WEB_SERVER_TOMCAT)) {
- //todo: Any Tomcat specific processing?
+ if(isValid(truststoreType)) {setProperty(secure, "truststoreType", truststoreType);}
+ if(isValid(truststorePass)) {setProperty(secure, "truststorePassword", truststorePass);}
+ if(isValid(truststoreFile)) {setProperty(secure, "truststoreFileName", truststoreFile);}
}
else {
//todo: Handle "should not occur" condition
@@ -342,6 +352,12 @@
renderRequest.setAttribute("secureProtocol",secure.getSecureProtocol());
if(secure.isClientAuthRequired()) {
renderRequest.setAttribute("clientAuth", Boolean.TRUE);
+ }
+ if(server.equals(WEB_SERVER_TOMCAT)) {
+ String truststoreFile = (String)getProperty(secure, "truststoreFileName");
+ String truststoreType = (String)getProperty(secure, "truststoreType");
+ renderRequest.setAttribute("truststoreFile", truststoreFile);
+ renderRequest.setAttribute("truststoreType", truststoreType);
}
}
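Review bot: The new Tomcat block reads back the truststore file name and type but, correctly, not the truststore password, and nothing in the hunk says that this asymmetry is deliberate; a one-line comment above line 73 would stop a later maintainer from "completing" the block: `// truststorePassword is write-only: never echo it back into the edit form`. The `(String)` casts on `getProperty` assume the helper returns a String for these keys; if it can return null the attributes are simply set to null, which the JSP renders as an empty value. The enclosing render method continues outside the hunk.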
Modified: geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webmanager/connector/editHTTPS.jsp
URL: http://svn.apache.org/viewcvs/geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webmanager/connector/editHTTPS.jsp?rev=354734&r1=354733&r2=354734&view=diff
==============================================================================
--- geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webmanager/connector/editHTTPS.jsp (original)
+++ geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webmanager/connector/editHTTPS.jsp Tue Dec 6 22:14:55 2005
@@ -138,6 +138,51 @@
the keystore type. There is normally no reason not to use the default (<tt>JKS</tt>).</td>
</tr>
+<!-- Trust material (Tomcat only) -->
+<c:if test="${server eq 'tomcat'}">
+<!-- Truststore File Field -->
+ <tr>
+ <td><div align="right">Truststore File: </div></td>
+ <td>
+ <input name="truststoreFile" type="text" size="30" value="${truststoreFile}">
+ </td>
+ </tr>
+ <tr>
+ <td><div align="right"></div></td>
+ <td>The file that holds the truststore (relative to the Geronimo install dir)</td>
+ </tr>
+
+<!-- Truststore Password Field -->
+ <tr>
+ <td><div align="right"><c:if test="${mode eq 'save'}">Change </c:if>Truststore Password: </div></td>
+ <td>
+ <input name="truststorePassword" type="password" size="10">
+ </td>
+ </tr>
+ <tr>
+ <td><div align="right"></div></td>
+ <td><c:choose><c:when test="${mode eq 'save'}">Change</c:when><c:otherwise>Set</c:otherwise></c:choose>
+ the password used to verify the truststore file.<c:if test="${mode eq 'save'}"> Leave
+ this empty if you don't want to change the current password.</c:if></td>
+ </tr>
+
+<!-- Truststore Type Field -->
+ <tr>
+ <td><div align="right">Truststore Type: </div></td>
+ <td>
+ <select name="truststoreType">
+ <option<c:if test="${truststoreType eq 'JKS' || logLevel eq ''}"> selected</c:if>>JKS</option>
+ <option<c:if test="${truststoreType eq 'PKCS12'}"> selected</c:if>>PKCS12</option>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td><div align="right"></div></td>
+ <td><c:choose><c:when test="${mode eq 'save'}">Change</c:when><c:otherwise>Set</c:otherwise></c:choose>
+ the truststore type. There is normally no reason not to use the default (<tt>JKS</tt>).</td>
+ </tr>
+</c:if>
+
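Review bot: The `selected` test on the JKS option at line 120 references `logLevel`, an attribute this form never sets, so the "no value yet" default appears to be met only by accident (a missing `logLevel` does not compare equal to `''`, and JKS is selected only because it is the first option); the test looks copied from another page and should be `${empty truststoreType || truststoreType eq 'JKS'}`. The file-name field at line 93 writes `${truststoreFile}` unescaped into an HTML attribute; `value="<c:out value='${truststoreFile}'/>"` gives a stored value the escaping it deserves even on an admin-only page. The password input at line 105 correctly carries no `value` attribute. The surrounding form starts and ends outside the hunk.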
<!-- Algorithm Field -->
<tr>
<td><div align="right">HTTPS Algorithm: </div></td>
@@ -180,9 +225,17 @@
</tr>
<tr>
<td><div align="right"></div></td>
- <td>If set, then clients connecting through this connector must supply a valid client certificate. By default, the
- validity is based on the CA certificates in the server keystore (<i>need to confirm not the JVM default
- trust keystore</i>).</td>
+ <td>If set, then clients connecting through this connector must supply a valid client certificate. The
+ validity is checked using the CA certificates stored in the first of these to be found:
+ <ol>
+ <c:if test="${server eq 'tomcat'}">
+ <li>The trust store configured above</li>
+ </c:if>
+ <li>A keystore file specified by the <tt>javax.net.ssl.trustStore</tt> system property</li>
+ <li><i>java-home</i><tt>/lib/security/jssecacerts</tt></li>
+ <li><i>java-home</i><tt>/lib/security/cacerts</tt></li>
+ </ol>
+ </td>
</tr>
Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/HttpsConnectorGBean.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/HttpsConnectorGBean.java?rev=354734&r1=354733&r2=354734&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/HttpsConnectorGBean.java (original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/HttpsConnectorGBean.java Tue Dec 6 22:14:55 2005
@@ -16,7 +16,7 @@
*
* @version $Revision: 1.0$
*/
-public class HttpsConnectorGBean extends ConnectorGBean implements SecureConnector {
+public class HttpsConnectorGBean extends ConnectorGBean implements TomcatSecureConnector {
private final ServerInfo serverInfo;
private String keystoreFileName;
private String truststoreFileName;
@@ -82,7 +82,7 @@
truststoreFileName = name;
connector.setAttribute("truststoreFile", serverInfo.resolvePath(truststoreFileName));
}
-
+
/**
* Sets the password used to access the keystore, and by default, used to
* access the server private key inside the keystore. Not all connectors
@@ -123,7 +123,7 @@
public void setTruststoreType(String type) {
connector.setAttribute("truststoreType", type);
}
-
+
/**
* Gets the certificate algorithm used to access the keystore. This may
* be different for different JVM vendors, but should not usually be
@@ -206,7 +206,7 @@
infoFactory.addAttribute("keystoreType", String.class, true, true);
infoFactory.addAttribute("truststoreType", String.class, true, true);
infoFactory.addAttribute("clientAuthRequired", boolean.class, true, true);
- infoFactory.addInterface(SecureConnector.class);
+ infoFactory.addInterface(TomcatSecureConnector.class);
infoFactory.addReference("ServerInfo", ServerInfo.class, "GBean");
infoFactory.setConstructor(new String[] { "name", "protocol", "host", "port", "TomcatContainer", "ServerInfo"});
Added: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatSecureConnector.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatSecureConnector.java?rev=354734&view=auto
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatSecureConnector.java (added)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatSecureConnector.java Tue Dec 6 22:14:55 2005
@@ -0,0 +1,53 @@
+/**
+ *
+ * Copyright 2003-2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.tomcat;
+
+import org.apache.geronimo.management.geronimo.SecureConnector;
+
+/**
+ * @version $Rev: 46019 $ $Date: 2004-09-14 05:56:06 -0400 (Tue, 14 Sep 2004) $
+ */
+public interface TomcatSecureConnector extends SecureConnector {
+ /**
+ * Gets the name of the keystore file that holds the trusted CA certificates
+ * used for client certificate authentication.
+ * This is relative to the Geronimo home directory.
+ */
+ public String getTruststoreFileName();
+ /**
+ * Sets the name of the keystore file that holds the trusted CA certificates
+ * used for client certificate authentication.
+ * This is relative to the Geronimo home directory.
+ */
+ public void setTruststoreFileName(String name);
+ /**
+ * Sets the password used to verify integrity of truststore.
+ */
+ public void setTruststorePassword(String password);
+ /**
+ * Gets the format of the entries in the keystore. The default format for
+ * Java keystores is JKS, though some connector implementations support
+ * PCKS12 (and possibly other formats).
+ */
+ public String getTruststoreType();
+ /**
+ * Sets the format of the entries in the keystore. The default format for
+ * Java keystores is JKS, though some connector implementations support
+ * PCKS12 (and possibly other formats).
+ */
+ public void setTruststoreType(String type);
+}
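Review bot: The Javadoc on `getTruststoreType` and `setTruststoreType` (lines 241-249) still describes "the entries in the keystore" and misspells PKCS12 as "PCKS12", apparently carried over from `SecureConnector`; it should read `Gets the format of the entries in the truststore. The default format for Java keystores is JKS, though some connector implementations support PKCS12 (and possibly other formats).`, and likewise for the setter. `setTruststorePassword` has no matching getter, which is the right shape for a secret; saying so in its Javadoc, e.g. `Write-only: the password is never exposed back through this interface.`, records that the omission is deliberate. The `public` modifiers on interface members are redundant and can be dropped to match common Java style.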