Examples with SecureRequestCustomizer org.eclipse.jetty.server.SecureRequestCustomizer used on opensource projects

Example 26 with SecureRequestCustomizer

use of org.eclipse.jetty.server.SecureRequestCustomizer in project vespa by vespa-engine.

the class ConnectorFactory method newHttpConnectionFactory.

private HttpConnectionFactory newHttpConnectionFactory() {
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSendDateHeader(true);
    httpConfig.setSendServerVersion(false);
    httpConfig.setSendXPoweredBy(false);
    httpConfig.setHeaderCacheSize(connectorConfig.headerCacheSize());
    httpConfig.setOutputBufferSize(connectorConfig.outputBufferSize());
    httpConfig.setRequestHeaderSize(connectorConfig.requestHeaderSize());
    httpConfig.setResponseHeaderSize(connectorConfig.responseHeaderSize());
    if (connectorConfig.ssl().enabled()) {
        httpConfig.addCustomizer(new SecureRequestCustomizer());
    }
    return new HttpConnectionFactory(httpConfig);
}

Example 27 with SecureRequestCustomizer

use of org.eclipse.jetty.server.SecureRequestCustomizer in project activemq-artemis by apache.

the class WebServerComponent method configure.

@Override
public void configure(ComponentDTO config, String artemisInstance, String artemisHome) throws Exception {
    webServerConfig = (WebServerDTO) config;
    uri = new URI(webServerConfig.bind);
    server = new Server();
    String scheme = uri.getScheme();
    if ("https".equals(scheme)) {
        SslContextFactory sslFactory = new SslContextFactory();
        sslFactory.setKeyStorePath(webServerConfig.keyStorePath == null ? artemisInstance + "/etc/keystore.jks" : webServerConfig.keyStorePath);
        sslFactory.setKeyStorePassword(webServerConfig.getKeyStorePassword() == null ? "password" : webServerConfig.getKeyStorePassword());
        if (webServerConfig.clientAuth != null) {
            sslFactory.setNeedClientAuth(webServerConfig.clientAuth);
            if (webServerConfig.clientAuth) {
                sslFactory.setTrustStorePath(webServerConfig.trustStorePath);
                sslFactory.setTrustStorePassword(webServerConfig.getTrustStorePassword());
            }
        }
        SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslFactory, "HTTP/1.1");
        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());
        HttpConnectionFactory httpFactory = new HttpConnectionFactory(https);
        connector = new ServerConnector(server, sslConnectionFactory, httpFactory);
    } else {
        connector = new ServerConnector(server);
    }
    connector.setPort(uri.getPort());
    connector.setHost(uri.getHost());
    server.setConnectors(new Connector[] { connector });
    handlers = new HandlerList();
    Path homeWarDir = Paths.get(artemisHome != null ? artemisHome : ".").resolve(webServerConfig.path).toAbsolutePath();
    Path instanceWarDir = Paths.get(artemisInstance != null ? artemisInstance : ".").resolve(webServerConfig.path).toAbsolutePath();
    if (webServerConfig.apps != null && webServerConfig.apps.size() > 0) {
        webContexts = new ArrayList<>();
        for (AppDTO app : webServerConfig.apps) {
            Path dirToUse = homeWarDir;
            if (new File(instanceWarDir.toFile().toString() + File.separator + app.war).exists()) {
                dirToUse = instanceWarDir;
            }
            WebAppContext webContext = deployWar(app.url, app.war, dirToUse);
            webContexts.add(webContext);
            if (app.war.startsWith("console")) {
                consoleUrl = webServerConfig.bind + "/" + app.url;
            }
        }
    }
    ResourceHandler homeResourceHandler = new ResourceHandler();
    homeResourceHandler.setResourceBase(homeWarDir.toString());
    homeResourceHandler.setDirectoriesListed(false);
    homeResourceHandler.setWelcomeFiles(new String[] { "index.html" });
    ContextHandler homeContext = new ContextHandler();
    homeContext.setContextPath("/");
    homeContext.setResourceBase(homeWarDir.toString());
    homeContext.setHandler(homeResourceHandler);
    homeContext.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
    ResourceHandler instanceResourceHandler = new ResourceHandler();
    instanceResourceHandler.setResourceBase(instanceWarDir.toString());
    instanceResourceHandler.setDirectoriesListed(false);
    instanceResourceHandler.setWelcomeFiles(new String[] { "index.html" });
    ContextHandler instanceContext = new ContextHandler();
    instanceContext.setContextPath("/");
    instanceContext.setResourceBase(instanceWarDir.toString());
    instanceContext.setHandler(instanceResourceHandler);
    homeContext.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
    DefaultHandler defaultHandler = new DefaultHandler();
    defaultHandler.setServeIcon(false);
    handlers.addHandler(homeContext);
    handlers.addHandler(instanceContext);
    handlers.addHandler(defaultHandler);
    server.setHandler(handlers);
}

Example 28 with SecureRequestCustomizer

use of org.eclipse.jetty.server.SecureRequestCustomizer in project serverless by bluenimble.

the class JettyPlugin method init.

@Override
public void init(final ApiServer server) throws Exception {
    Log.setLog(new JettyLogger(this));
    // load favicon
    InputStream favicon = null;
    try {
        favicon = new FileInputStream(new File(home, FavIcon));
        FavIconContent = IOUtils.toByteArray(favicon);
    } finally {
        IOUtils.closeQuietly(favicon);
    }
    Integer poolIdleTimeout = Json.getInteger(pool, Pool.IdleTimeout, 300);
    /*
		It is very important to limit the task queue of Jetty. By default, the queue is unbounded! As a result, 
		if under high load in excess of the processing power of the webapp, jetty will keep a lot of requests on the queue. 
		Even after the load has stopped, Jetty will appear to have stopped responding to new requests as it still has lots of requests on 
		the queue to handle.
		
		For a high reliability system, it should reject the excess requests immediately (fail fast) by using a queue with 
		a bounded capability. The capability (maximum queue length) should be calculated according to the "no-response" time tolerable. 
		For example, if the webapp can handle 100 requests per second, and if you can allow it one minute to recover from excessive high load, 
		you can set the queue capability to 60*100=6000. If it is set too low, it will reject requests too soon and can't handle normal load 
		spike.
		
		Below is a sample configuration:
		
		<Configure id="Server" class="org.eclipse.jetty.server.Server">
		    <Set name="ThreadPool">
		      <New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
		        <!-- specify a bounded queue -->
		        <Arg>
		           <New class="java.util.concurrent.ArrayBlockingQueue">
		              <Arg type="int">6000</Arg>
		           </New>
		      </Arg>
		        <Set name="minThreads">10</Set>
		        <Set name="maxThreads">200</Set>
		        <Set name="detailedDump">false</Set>
		      </New>
		    </Set>
		</Configure>
		Configure the number of threads according to the webapp. 
		That is, how many threads it needs in order to achieve the best performance. 
		Configure with mind to limiting memory usage maximum available. Typically >50 and <500.
		 */
    int capacity = server.weight() + 2;
    QueuedThreadPool tp = new QueuedThreadPool(capacity, capacity, poolIdleTimeout * 1000, new ArrayBlockingQueue<Runnable>(capacity * 2));
    tp.setDetailedDump(false);
    tp.setThreadsPriority(Thread.NORM_PRIORITY);
    httpServer = new Server(tp);
    ServerConnector connector = new ServerConnector(httpServer);
    connector.setPort(port);
    connector.setIdleTimeout(idleTimeout * 1000);
    httpServer.addConnector(connector);
    if (ssl != null && !Lang.isNullOrEmpty(ssl.getString(Ssl.Keystore)) && !Lang.isNullOrEmpty(ssl.getString(Ssl.Password))) {
        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(new File(ssl.getString(Ssl.Keystore)).getAbsolutePath());
        sslContextFactory.setKeyStorePassword(Json.getString(ssl, Ssl.Password));
        sslContextFactory.setKeyManagerPassword(Json.getString(ssl, Ssl.StorePassword, Json.getString(ssl, Ssl.Password)));
        sslContextFactory.setKeyStoreType(Json.getString(ssl, Ssl.StoreType, "JKS"));
        String[] aCiphers = null;
        // include ciphers
        JsonArray ciphers = Json.getArray(Json.getObject(ssl, Ssl.ciphers.class.getSimpleName()), Ssl.ciphers.Include);
        if (ciphers != null && !ciphers.isEmpty()) {
            aCiphers = new String[ciphers.count()];
            for (int i = 0; i < ciphers.count(); i++) {
                aCiphers[i] = (String) ciphers.get(i);
            }
            sslContextFactory.setIncludeCipherSuites(aCiphers);
        }
        // exclude ciphers
        ciphers = Json.getArray(Json.getObject(ssl, Ssl.ciphers.class.getSimpleName()), Ssl.ciphers.Exclude);
        if (ciphers != null && !ciphers.isEmpty()) {
            aCiphers = new String[ciphers.count()];
            for (int i = 0; i < ciphers.count(); i++) {
                aCiphers[i] = (String) ciphers.get(i);
            }
            sslContextFactory.setExcludeCipherSuites(aCiphers);
        }
        ServerConnector sslConnector = new ServerConnector(httpServer, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(https));
        int sslPort = Json.getInteger(ssl, Ssl.Port, 443);
        sslConnector.setPort(sslPort);
        sslConnector.setIdleTimeout(Json.getInteger(ssl, Ssl.IdleTimeout, idleTimeout) * 1000);
        httpServer.addConnector(sslConnector);
    }
    for (Connector cn : httpServer.getConnectors()) {
        for (ConnectionFactory x : cn.getConnectionFactories()) {
            if (x instanceof HttpConnectionFactory) {
                ((HttpConnectionFactory) x).getHttpConfiguration().setSendServerVersion(false);
                ((HttpConnectionFactory) x).getHttpConfiguration().setSendXPoweredBy(false);
            }
        }
    }
    ServletContextHandler sContext = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
    sContext.setContextPath(context);
    if (gzip) {
        sContext.setGzipHandler(new GzipHandler());
    }
    httpServer.setHandler(sContext);
    ServletHolder apiHolder = new ServletHolder(new HttpServlet() {

        private static final long serialVersionUID = -4391155835460802144L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            if (FavIconPath.equals(req.getRequestURI())) {
                resp.getOutputStream().write(FavIconContent);
                return;
            }
            execute(req, resp);
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            execute(req, resp);
        }

        @Override
        protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            execute(req, resp);
        }

        @Override
        protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            execute(req, resp);
        }

        protected void execute(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            try {
                ApiRequest request = new HttpApiRequest(req, tracer());
                request.getNode().set(ApiRequest.Fields.Node.Id, server.id());
                request.getNode().set(ApiRequest.Fields.Node.Type, server.type());
                request.getNode().set(ApiRequest.Fields.Node.Version, server.version());
                server.execute(request, new HttpApiResponse(request.getNode(), request.getId(), resp), CodeExecutor.Mode.Async);
            } catch (Exception e) {
                throw new ServletException(e.getMessage(), e);
            }
        }
    });
    sContext.addServlet(apiHolder, Lang.SLASH + Lang.STAR);
    // cross origin
    FilterHolder holder = new FilterHolder(CORSFilter.class);
    holder.setName("CORS");
    holder.setInitParameter("cors.supportedMethods", "GET, POST, HEAD, PUT, DELETE, PATCH, OPTIONS");
    holder.setInitParameter("cors.exposedHeaders", "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,BN-Execution-Time,BN-Node-Id,BN-Node-Type");
    sContext.addFilter(holder, "/*", EnumSet.of(DispatcherType.INCLUDE, DispatcherType.FORWARD, DispatcherType.REQUEST, DispatcherType.ERROR));
    // monitor
    if (monitor) {
        MBeanContainer mbContainer = new MBeanContainer(ManagementFactory.getPlatformMBeanServer());
        httpServer.addEventListener(mbContainer);
        httpServer.addBean(mbContainer);
        httpServer.addBean(Log.getLog());
    }
    // start server
    httpServer.start();
    httpServer.join();
}

Example 29 with SecureRequestCustomizer

use of org.eclipse.jetty.server.SecureRequestCustomizer in project killbill by killbill.

the class HttpServer method configureSslConnector.

private ServerConnector configureSslConnector(final HttpConfiguration httpConfiguration, final boolean isStatsOn, final int localSslPort, final String sslKeyStorePath, final String sslKeyStorePassword) {
    // SSL Context Factory for HTTPS
    final SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(sslKeyStorePath);
    sslContextFactory.setKeyStorePassword(sslKeyStorePassword);
    // HTTPS Configuration
    final HttpConfiguration httpsConfig = new HttpConfiguration(httpConfiguration);
    httpsConfig.addCustomizer(new SecureRequestCustomizer());
    // HTTPS connector
    final ServerConnector https = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig));
    https.setPort(localSslPort);
    if (isStatsOn) {
        final ConnectorStatistics stats = new ConnectorStatistics();
        https.addBean(stats);
    }
    return https;
}

Example 30 with SecureRequestCustomizer

use of org.eclipse.jetty.server.SecureRequestCustomizer in project ninja by ninjaframework.

the class NinjaJetty method doConfigure.

@Override
protected void doConfigure() throws Exception {
    // current value or system property or conf/application.conf or default value
    jettyConfiguration(overlayedNinjaProperties.get(KEY_NINJA_JETTY_CONFIGURATION, this.jettyConfiguration, DEFAULT_JETTY_CONFIGURATION));
    // build jetty server, context, and servlet
    if (this.jettyConfiguration != null) {
        String[] configs = this.jettyConfiguration.split(",");
        for (String config : configs) {
            jetty = buildServerOrApplyConfiguration(config, jetty);
        }
        // since we don't know host and port, try to get it from jetty
        tryToSetHostAndPortFromJetty();
    } else {
        // create very simple jetty configuration
        jetty = new Server();
        if (port > -1) {
            // build http cleartext connector
            ServerConnector http = new ServerConnector(jetty);
            http.setPort(port);
            http.setIdleTimeout(idleTimeout);
            if (host != null) {
                http.setHost(host);
            }
            jetty.addConnector(http);
        }
        if (sslPort > -1) {
            // build https secure connector
            // http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/examples/embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java
            HttpConfiguration httpConfig = new HttpConfiguration();
            httpConfig.setSecureScheme("https");
            httpConfig.setSecurePort(sslPort);
            httpConfig.setOutputBufferSize(32768);
            HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
            httpsConfig.addCustomizer(new SecureRequestCustomizer());
            // unfortunately jetty seems to only work when we pass a keystore
            // and truststore (as opposed to our own prepared SSLContext)
            // call createSSLContext() to simply verify configuration is correct
            this.createSSLContext();
            SslContextFactory sslContextFactory = new SslContextFactory();
            sslContextFactory.setKeyStore(StandaloneHelper.loadKeyStore(this.sslKeystoreUri, this.sslKeystorePassword.toCharArray()));
            sslContextFactory.setKeyManagerPassword(this.sslKeystorePassword);
            sslContextFactory.setTrustStore(StandaloneHelper.loadKeyStore(this.sslTruststoreUri, this.sslTruststorePassword.toCharArray()));
            ServerConnector https = new ServerConnector(jetty, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig));
            https.setPort(sslPort);
            https.setIdleTimeout(idleTimeout);
            jetty.addConnector(https);
        }
    }
    this.ninjaServletListener.setNinjaProperties(ninjaProperties);
    if (overrideModuleOpt.isPresent()) {
        this.ninjaServletListener.setOverrideModule(overrideModuleOpt.get());
    }
    this.contextHandler = new ServletContextHandler(jetty, getContextPath());
    this.contextHandler.addEventListener(ninjaServletListener);
    this.contextHandler.addFilter(NinjaServletFilter.class, "/*", null);
    this.contextHandler.addServlet(DefaultServlet.class, "/");
    // Note: adding websockets support (e.g. upgrade filter) last (after user filters)
    // is how jetty, tomcat, and wildfly all do it. We mimic it here.
    WebSocketServerContainerInitializer.configureContext(this.contextHandler);
    // disable directory browsing
    this.contextHandler.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
    // Add an error handler that does not print stack traces in case
    // something happens that is not under control of Ninja
    this.contextHandler.setErrorHandler(new SilentErrorHandler());
}