
Example 6 with SslContextFactory

use of org.eclipse.jetty.util.ssl.SslContextFactory in project hive by apache.

the class ThriftHttpCLIService method run.

/**
 * Configures and starts the embedded Jetty server that serves Thrift-over-HTTP requests, then
 * blocks in {@code httpServer.join()} until the server stops. Example of a client connection
 * URL: http://localhost:10000/servlets/thrifths2/ A gateway may cause the actual target URL to
 * differ, e.g. http://gateway:port/hive2/servlets/thrifths2/
 *
 * <p>Side effects: assigns the {@code httpServer} and {@code hiveAuthFactory} fields. Any
 * {@link Throwable} raised while building or starting the server is logged and the process
 * exits with status -1; nothing is thrown to the caller.
 */
@Override
public void run() {
    try {
        // HTTP Server
        httpServer = new org.eclipse.jetty.server.Server();
        // Server thread pool
        // Start with minWorkerThreads, expand till maxWorkerThreads and reject subsequent requests
        // (SynchronousQueue has no capacity, so a request with no free worker is rejected rather than queued)
        String threadPoolName = "HiveServer2-HttpHandler-Pool";
        ExecutorService executorService = new ThreadPoolExecutorWithOomHook(minWorkerThreads, maxWorkerThreads, workerKeepAliveTime, TimeUnit.SECONDS, new SynchronousQueue<Runnable>(), new ThreadFactoryWithGarbageCleanup(threadPoolName), oomHook);
        ExecutorThreadPool threadPool = new ExecutorThreadPool(executorService);
        httpServer.setThreadPool(threadPool);
        // Connector configs
        SelectChannelConnector connector = new SelectChannelConnector();
        // Configure header size (bounds request/response header bytes Jetty will accept/emit)
        int requestHeaderSize = hiveConf.getIntVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_REQUEST_HEADER_SIZE);
        int responseHeaderSize = hiveConf.getIntVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_RESPONSE_HEADER_SIZE);
        connector.setRequestHeaderSize(requestHeaderSize);
        connector.setResponseHeaderSize(responseHeaderSize);
        boolean useSsl = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL);
        // schemeName is informational only: it appears in the startup log message below
        String schemeName = useSsl ? "https" : "http";
        // Change connector if SSL is used: the plain connector built above is replaced, but its
        // header-size settings are NOT carried over to the SSL connector (only port/reuse/idle
        // time are applied to whichever connector is active) — NOTE(review): confirm intended.
        if (useSsl) {
            String keyStorePath = hiveConf.getVar(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH).trim();
            // Password is resolved through the Hadoop shims rather than read as a plain config
            // value; presumably this allows a credential provider to supply it — verify in shims.
            String keyStorePassword = ShimLoader.getHadoopShims().getPassword(hiveConf, HiveConf.ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PASSWORD.varname);
            // Only the path is validated here; a missing password is not checked at this point.
            if (keyStorePath.isEmpty()) {
                throw new IllegalArgumentException(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname + " Not configured for SSL connection");
            }
            SslContextFactory sslContextFactory = new SslContextFactory();
            // Comma-separated protocol blacklist from config. Entries are not trimmed, so any
            // whitespace around a comma is passed through to Jetty as part of the protocol name.
            String[] excludedProtocols = hiveConf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST).split(",");
            LOG.info("HTTP Server SSL: adding excluded protocols: " + Arrays.toString(excludedProtocols));
            sslContextFactory.addExcludeProtocols(excludedProtocols);
            // Log the effective exclude list (Jetty's defaults plus the configured entries).
            LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols()));
            sslContextFactory.setKeyStorePath(keyStorePath);
            // Password is handed to Jetty only; it is deliberately not logged.
            sslContextFactory.setKeyStorePassword(keyStorePassword);
            connector = new SslSelectChannelConnector(sslContextFactory);
        }
        connector.setPort(portNum);
        // Linux:yes, Windows:no
        connector.setReuseAddress(true);
        // Idle connection timeout, converted from the configured time unit to milliseconds.
        int maxIdleTime = (int) hiveConf.getTimeVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_MAX_IDLE_TIME, TimeUnit.MILLISECONDS);
        connector.setMaxIdleTime(maxIdleTime);
        httpServer.addConnector(connector);
        // Thrift configs
        hiveAuthFactory = new HiveAuthFactory(hiveConf);
        TProcessor processor = new TCLIService.Processor<Iface>(this);
        TProtocolFactory protocolFactory = new TBinaryProtocol.Factory();
        // Set during the init phase of HiveServer2 if auth mode is kerberos
        // UGI for the hive/_HOST (kerberos) principal
        UserGroupInformation serviceUGI = cliService.getServiceUGI();
        // UGI for the http/_HOST (SPNego) principal
        UserGroupInformation httpUGI = cliService.getHttpUGI();
        String authType = hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION);
        // The servlet performs request authentication itself using authType and the two UGIs.
        TServlet thriftHttpServlet = new ThriftHttpServlet(processor, protocolFactory, authType, serviceUGI, httpUGI, hiveAuthFactory);
        // Context handler
        final ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        // This branch only logs; no filter is registered on the context here. Per the comment
        // below, XSRF checking (when enabled) is done inside ThriftHttpServlet instead.
        if (hiveConf.getBoolean(ConfVars.HIVE_SERVER2_XSRF_FILTER_ENABLED.varname, false)) {
            // context.addFilter(Utils.getXSRFFilterHolder(null, null), "/" ,
            //    FilterMapping.REQUEST);
            // Filtering does not work here currently, doing filter in ThriftHttpServlet
            LOG.debug("XSRF filter enabled");
        } else {
            LOG.warn("XSRF filter disabled");
        }
        // Servlet mapping path, normalised by getHttpPath (defined elsewhere in this class).
        String httpPath = getHttpPath(hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_PATH));
        httpServer.setHandler(context);
        context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
        // TODO: check defaults: maxTimeout, keepalive, maxBodySize, bodyRecieveDuration, etc.
        // Finally, start the server
        httpServer.start();
        String msg = "Started " + ThriftHttpCLIService.class.getSimpleName() + " in " + schemeName + " mode on port " + portNum + " path=" + httpPath + " with " + minWorkerThreads + "..." + maxWorkerThreads + " worker threads";
        LOG.info(msg);
        // Blocks the calling thread until the server is stopped.
        httpServer.join();
    } catch (Throwable t) {
        // Any failure during setup/startup (including Errors) is fatal for the service:
        // log with the cause attached, then terminate the JVM.
        LOG.error("Error starting HiveServer2: could not start " + ThriftHttpCLIService.class.getSimpleName(), t);
        System.exit(-1);
    }
}

Example 7 with SslContextFactory

use of org.eclipse.jetty.util.ssl.SslContextFactory in project storm by apache.

the class UIHelpers method mkSslConnector.

/**
 * Builds an HTTPS {@link SslSocketConnector} bound to {@code port}, backed by an
 * {@link SslContextFactory} configured from the given key store and (optional) trust store.
 *
 * <p>Only SSLv3 and the two RC4 cipher suites named below are excluded in this method; nothing
 * else is excluded here. Renegotiation is disabled. The connector is returned unstarted.
 *
 * @param port           listening port for the connector
 * @param ksPath         key store path
 * @param ksPassword     key store password
 * @param ksType         key store type
 * @param keyPassword    key manager (private key) password
 * @param tsPath         trust store path; the trust store is configured only when path,
 *                       password and type are all non-null
 * @param tsPassword     trust store password
 * @param tsType         trust store type
 * @param needClientAuth when {@code Boolean.TRUE}, client certificates are required
 * @param wantClientAuth when {@code Boolean.TRUE} and client auth is not already required,
 *                       client certificates are requested but optional
 * @return a configured, not yet started connector
 */
private static SslSocketConnector mkSslConnector(Integer port, String ksPath, String ksPassword, String ksType, String keyPassword, String tsPath, String tsPassword, String tsType, Boolean needClientAuth, Boolean wantClientAuth) {
    SslContextFactory sslFactory = new SslContextFactory();
    // Protocol / cipher hygiene: drop SSLv3 and the RC4 suites, refuse renegotiation.
    sslFactory.setExcludeCipherSuites("SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA");
    sslFactory.setExcludeProtocols("SSLv3");
    sslFactory.setAllowRenegotiate(false);
    // Server identity: key store plus the password protecting the private key.
    sslFactory.setKeyStorePath(ksPath);
    sslFactory.setKeyStoreType(ksType);
    sslFactory.setKeyStorePassword(ksPassword);
    sslFactory.setKeyManagerPassword(keyPassword);
    // The trust store is optional and is wired up only when fully specified.
    boolean trustStoreConfigured = tsPath != null && tsPassword != null && tsType != null;
    if (trustStoreConfigured) {
        sslFactory.setTrustStore(tsPath);
        sslFactory.setTrustStoreType(tsType);
        sslFactory.setTrustStorePassword(tsPassword);
    }
    // Required client auth takes precedence over optional client auth.
    if (Boolean.TRUE.equals(needClientAuth)) {
        sslFactory.setNeedClientAuth(true);
    } else if (Boolean.TRUE.equals(wantClientAuth)) {
        sslFactory.setWantClientAuth(true);
    }
    SslSocketConnector connector = new SslSocketConnector(sslFactory);
    connector.setPort(port);
    return connector;
}

Example 8 with SslContextFactory

use of org.eclipse.jetty.util.ssl.SslContextFactory in project zeppelin by apache.

the class ZeppelinClient method createNewWebsocketClient.

/**
 * Creates a fresh Jetty {@link WebSocketClient} with an idle timeout and text-message size
 * limits applied.
 *
 * <p>The {@link SslContextFactory} is built with no explicit settings, so TLS behaviour (trust
 * material, hostname verification) is whatever the Jetty version in use defaults to —
 * NOTE(review): confirm those defaults are acceptable for the deployment.
 *
 * @return a configured but not yet started client
 */
private WebSocketClient createNewWebsocketClient() {
    SslContextFactory tlsFactory = new SslContextFactory();
    WebSocketClient websocket = new WebSocketClient(tlsFactory);
    // Presumably 5 minutes expressed in milliseconds (MIN is defined elsewhere in this file).
    websocket.setMaxIdleTimeout(5 * MIN * 1000);
    // Both the buffer and the policy limit are bounded by the maximum note size.
    websocket.setMaxTextMessageBufferSize(Client.getMaxNoteSize());
    websocket.getPolicy().setMaxTextMessageSize(Client.getMaxNoteSize());
    //TODO(khalid): other client settings
    return websocket;
}

Example 9 with SslContextFactory

use of org.eclipse.jetty.util.ssl.SslContextFactory in project dropwizard by dropwizard.

the class HttpsConnectorFactoryTest method testBuild.

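/**
 * Builds a fully configured HTTPS connector and checks that every setter value is reflected on
 * the resulting Jetty {@link ServerConnector}, its {@link SslContextFactory} and its HTTP
 * configuration.
 *
 * <p>Fix: the trust store type and provider were previously asserted via
 * {@code getKeyStoreType()} / {@code getKeyStoreProvider()} (copy-paste), so those two trust
 * store settings were never actually verified; they now use the trust store getters.
 *
 * @throws Exception from reflective field access or from stopping the connector/server
 */
@Test
public void testBuild() throws Exception {
    final HttpsConnectorFactory https = new HttpsConnectorFactory();
    https.setBindHost("127.0.0.1");
    https.setPort(8443);
    https.setKeyStorePath("/etc/app/server.ks");
    https.setKeyStoreType("JKS");
    https.setKeyStorePassword("correct_horse");
    https.setKeyStoreProvider("BC");
    https.setTrustStorePath("/etc/app/server.ts");
    https.setTrustStoreType("JKS");
    https.setTrustStorePassword("battery_staple");
    https.setTrustStoreProvider("BC");
    https.setKeyManagerPassword("new_overlords");
    https.setNeedClientAuth(true);
    https.setWantClientAuth(true);
    https.setCertAlias("alt_server");
    https.setCrlPath(new File("/etc/ctr_list.txt"));
    https.setEnableCRLDP(true);
    https.setEnableOCSP(true);
    https.setMaxCertPathLength(4);
    https.setOcspResponderUrl(new URI("http://windc1/ocsp"));
    https.setJceProvider("BC");
    https.setAllowRenegotiation(false);
    https.setEndpointIdentificationAlgorithm("HTTPS");
    https.setValidateCerts(true);
    https.setValidatePeers(true);
    https.setSupportedProtocols(ImmutableList.of("TLSv1.1", "TLSv1.2"));
    https.setSupportedCipherSuites(ImmutableList.of("TLS_DHE_RSA.*", "TLS_ECDHE.*"));
    final Server server = new Server();
    final MetricRegistry metrics = new MetricRegistry();
    final ThreadPool threadPool = new QueuedThreadPool();
    final Connector connector = https.build(server, metrics, "test-https-connector", threadPool);
    try {
        assertThat(connector).isInstanceOf(ServerConnector.class);
        final ServerConnector serverConnector = (ServerConnector) connector;
        assertThat(serverConnector.getPort()).isEqualTo(8443);
        assertThat(serverConnector.getHost()).isEqualTo("127.0.0.1");
        assertThat(serverConnector.getName()).isEqualTo("test-https-connector");
        assertThat(serverConnector.getServer()).isSameAs(server);
        assertThat(serverConnector.getScheduler()).isInstanceOf(ScheduledExecutorScheduler.class);
        assertThat(serverConnector.getExecutor()).isSameAs(threadPool);
        // The "ssl" protocol slot must be wrapped by the instrumented factory so connection
        // timings land in the metric registry under the host/port-qualified timer name.
        final Jetty93InstrumentedConnectionFactory instrumentedSslFactory = (Jetty93InstrumentedConnectionFactory) serverConnector.getConnectionFactory("ssl");
        assertThat(instrumentedSslFactory).isInstanceOf(Jetty93InstrumentedConnectionFactory.class);
        assertThat(instrumentedSslFactory.getTimer()).isSameAs(metrics.timer("org.eclipse.jetty.server.HttpConnectionFactory.127.0.0.1.8443.connections"));
        final SslContextFactory sslContextFactory = ((SslConnectionFactory) instrumentedSslFactory.getConnectionFactory()).getSslContextFactory();
        // Key store settings. Resource and passwords have no public getter, hence reflection.
        assertThat(getField(SslContextFactory.class, "_keyStoreResource", true).get(sslContextFactory)).isEqualTo(Resource.newResource("/etc/app/server.ks"));
        assertThat(sslContextFactory.getKeyStoreType()).isEqualTo("JKS");
        assertThat(getField(SslContextFactory.class, "_keyStorePassword", true).get(sslContextFactory).toString()).isEqualTo("correct_horse");
        assertThat(sslContextFactory.getKeyStoreProvider()).isEqualTo("BC");
        // Trust store settings — assert the trust store getters, not the key store ones.
        assertThat(getField(SslContextFactory.class, "_trustStoreResource", true).get(sslContextFactory)).isEqualTo(Resource.newResource("/etc/app/server.ts"));
        assertThat(sslContextFactory.getTrustStoreType()).isEqualTo("JKS");
        assertThat(getField(SslContextFactory.class, "_trustStorePassword", true).get(sslContextFactory).toString()).isEqualTo("battery_staple");
        assertThat(sslContextFactory.getTrustStoreProvider()).isEqualTo("BC");
        assertThat(getField(SslContextFactory.class, "_keyManagerPassword", true).get(sslContextFactory).toString()).isEqualTo("new_overlords");
        // Client authentication and certificate validation settings.
        assertThat(sslContextFactory.getNeedClientAuth()).isTrue();
        assertThat(sslContextFactory.getWantClientAuth()).isTrue();
        assertThat(sslContextFactory.getCertAlias()).isEqualTo("alt_server");
        assertThat(sslContextFactory.getCrlPath()).isEqualTo(new File("/etc/ctr_list.txt").getAbsolutePath());
        assertThat(sslContextFactory.isEnableCRLDP()).isTrue();
        assertThat(sslContextFactory.isEnableOCSP()).isTrue();
        assertThat(sslContextFactory.getMaxCertPathLength()).isEqualTo(4);
        assertThat(sslContextFactory.getOcspResponderURL()).isEqualTo("http://windc1/ocsp");
        assertThat(sslContextFactory.getProvider()).isEqualTo("BC");
        assertThat(sslContextFactory.isRenegotiationAllowed()).isFalse();
        assertThat(getField(SslContextFactory.class, "_endpointIdentificationAlgorithm", true).get(sslContextFactory)).isEqualTo("HTTPS");
        assertThat(sslContextFactory.isValidateCerts()).isTrue();
        assertThat(sslContextFactory.isValidatePeerCerts()).isTrue();
        // "supported" on the factory maps to Jetty's include lists.
        assertThat(sslContextFactory.getIncludeProtocols()).containsOnly("TLSv1.1", "TLSv1.2");
        assertThat(sslContextFactory.getIncludeCipherSuites()).containsOnly("TLS_DHE_RSA.*", "TLS_ECDHE.*");
        // The HTTP/1.1 layer must know it is behind TLS so redirects/secure flags use https:8443.
        final ConnectionFactory httpConnectionFactory = serverConnector.getConnectionFactory("http/1.1");
        assertThat(httpConnectionFactory).isInstanceOf(HttpConnectionFactory.class);
        final HttpConfiguration httpConfiguration = ((HttpConnectionFactory) httpConnectionFactory).getHttpConfiguration();
        assertThat(httpConfiguration.getSecureScheme()).isEqualTo("https");
        assertThat(httpConfiguration.getSecurePort()).isEqualTo(8443);
        assertThat(httpConfiguration.getCustomizers()).hasAtLeastOneElementOfType(SecureRequestCustomizer.class);
    } finally {
        // Release the connector and server even when an assertion above fails.
        connector.stop();
        server.stop();
    }
}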

Example 10 with SslContextFactory

use of org.eclipse.jetty.util.ssl.SslContextFactory in project dropwizard by dropwizard.

the class HttpsConnectorFactoryTest method testExcludedProtocols.

/**
 * Verifies that protocols given to {@code setExcludedProtocols} are forwarded verbatim, and in
 * the same order, to the Jetty {@link SslContextFactory}'s exclude list.
 */
@Test
public void testExcludedProtocols() {
    HttpsConnectorFactory factory = new HttpsConnectorFactory();
    // necessary to avoid a prompt for a password
    factory.setKeyStorePassword("password");
    List<String> excluded = ImmutableList.of("SSLv3", "TLS1");
    factory.setExcludedProtocols(excluded);
    SslContextFactory configured = factory.configureSslContextFactory(new SslContextFactory());
    List<String> actual = ImmutableList.copyOf(configured.getExcludeProtocols());
    assertThat(actual).isEqualTo(excluded);
}
