use of org.eclipse.jetty.server.SecureRequestCustomizer in project helix by apache.
the class HelixRestServer method setupSslServer.
public void setupSslServer(int port, SslContextFactory sslContextFactory) {
if (_server != null && port > 0) {
try {
HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer());
ServerConnector sslConnector = new ServerConnector(_server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(https));
sslConnector.setPort(port);
_server.addConnector(sslConnector);
LOG.info("Helix SSL rest server is ready to start.");
} catch (Exception ex) {
LOG.error("Failed to setup Helix SSL rest server, " + ex);
}
}
}
use of org.eclipse.jetty.server.SecureRequestCustomizer in project i2p.i2p by i2p.
the class RouterConsoleRunner method startConsole.
/**
* http://irc.codehaus.org/display/JETTY/Porting+to+jetty6
*
*<pre>
* Server
* HandlerCollection
* HostCheckHandler (extends GzipHandler)
* ContextHandlerCollection
* LocaleWebAppHandler (routerconsole)
* SessionHandler
* SecurityHandler
* ServletHandler
* servlets...
* WebAppContext (i2psnark)
* WebAppContext (i2ptunnel)
* WebAppContext (imagegen)
* WebAppContext (susidns)
* WebAppContext (susimail)
* WebAppContext (for each plugin with a .war)
* DefaultHandler
* RequestLogHandler (opt)
*</pre>
*
* Porting to Jetty 9:
*
* http://dev.eclipse.org/mhonarc/lists/jetty-dev/msg01952.html
* You are missing a few facts about Jetty 9.1 ...
* First, there are no longer any blocking connectors.
* Its all async / nio connectors now. (mainly because that's the direction that the servlet api 3.1 is taking)
*
* Next, there is only 1 connector. The ServerConnector.
* However, it takes 1 or more ConnectionFactory implementations to know how to handle the incoming connection.
* We have factories for HTTP (0.9 thru 1.1), SPDY, SSL-http, and SSL-npn so far.
* This list of factories will expand as the future of connectivity to web servers is ever growing (think HTTP/2)
*
* Use the embedded examples for help understanding this.
* http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/examples/embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java?id=jetty-9.1.0.RC0
*/
public void startConsole() {
File workDir = new SecureDirectory(_context.getTempDir(), "jetty-work");
boolean workDirRemoved = FileUtil.rmdir(workDir, false);
if (!workDirRemoved)
System.err.println("ERROR: Unable to remove Jetty temporary work directory");
boolean workDirCreated = workDir.mkdirs();
if (!workDirCreated)
System.err.println("ERROR: Unable to create Jetty temporary work directory");
// so Jetty can find WebAppConfiguration
System.setProperty("jetty.class.path", _context.getBaseDir() + "/lib/routerconsole.jar");
// FIXME
// http://dev.eclipse.org/mhonarc/lists/jetty-users/msg03487.html
// _server.setGracefulShutdown(1000);
// In Jetty 6, QTP was not concurrent, so we switched to
// ThreadPoolExecutor with a fixed-size queue, a set maxThreads,
// and a RejectedExecutionPolicy of CallerRuns.
// Unfortunately, CallerRuns causes lockups in Jetty NIO (ticket #1395)
// In addition, no flavor of TPE gives us what QTP does:
// - TPE direct handoff (which we were using) never queues.
// This doesn't provide any burst management when maxThreads is reached.
// CallerRuns was an attempt to work around that.
// - TPE unbounded queue does not adjust the number of threads.
// This doesn't provide automatic resource management.
// - TPE bounded queue does not add threads until the queue is full.
// This doesn't provide good responsiveness to even small bursts.
// QTP adds threads as soon as the queue is non-empty.
// QTP as of Jetty 7 uses concurrent.
// QTP unbounded queue is the default in Jetty.
// So switch back to QTP with a bounded queue.
//
// ref:
// http://docs.oracle.com/javase/6/docs/api/java/util/concurrent/ThreadPoolExecutor.html
// https://wiki.eclipse.org/Jetty/Howto/High_Load
//
// try {
// ThreadPool ctp = new CustomThreadPoolExecutor();
// // Gone in Jetty 7
// //ctp.prestartAllCoreThreads();
// _server.setThreadPool(ctp);
// } catch (Throwable t) {
// class not found...
// System.out.println("INFO: Jetty concurrent ThreadPool unavailable, using QueuedThreadPool");
LinkedBlockingQueue<Runnable> lbq = new LinkedBlockingQueue<Runnable>(4 * MAX_THREADS);
// min and max threads will be reset below
QueuedThreadPool qtp = new QueuedThreadPool(MAX_THREADS, MIN_THREADS, MAX_IDLE_TIME, lbq);
qtp.setName(THREAD_NAME);
qtp.setDaemon(true);
_server = new Server(qtp);
// }
HandlerCollection hColl = new HandlerCollection();
ContextHandlerCollection chColl = new ContextHandlerCollection();
HostCheckHandler chCollWrapper = new HostCheckHandler(_context);
chCollWrapper.setHandler(chColl);
// gone in Jetty 7
// _server.addHandler(hColl);
_server.setHandler(hColl);
hColl.addHandler(chCollWrapper);
hColl.addHandler(new DefaultHandler());
String log = _context.getProperty("routerconsole.log");
if (log != null) {
File logFile = new File(log);
if (!logFile.isAbsolute())
logFile = new File(_context.getLogDir(), "logs/" + log);
try {
RequestLogHandler rhl = new RequestLogHandler();
rhl.setRequestLog(new NCSARequestLog(logFile.getAbsolutePath()));
hColl.addHandler(rhl);
} catch (Exception ioe) {
System.err.println("ERROR: Unable to create Jetty log: " + ioe);
}
}
boolean rewrite = false;
Properties props = webAppProperties();
if (props.isEmpty()) {
props.setProperty(PREFIX + ROUTERCONSOLE + ENABLED, "true");
rewrite = true;
}
// Get an absolute path with a trailing slash for the webapps dir
// We assume relative to the base install dir for backward compatibility
File app = new File(_webAppsDir);
if (!app.isAbsolute()) {
app = new File(_context.getBaseDir(), _webAppsDir);
try {
_webAppsDir = app.getCanonicalPath();
} catch (IOException ioe) {
}
}
if (!_webAppsDir.endsWith("/"))
_webAppsDir += '/';
Set<String> listenHosts = new HashSet<String>(8);
HandlerWrapper rootWebApp = null;
ServletHandler rootServletHandler = null;
List<Connector> connectors = new ArrayList<Connector>(4);
try {
int boundAddresses = 0;
SortedSet<String> addresses = Addresses.getAllAddresses();
boolean hasIPV4 = addresses.contains("0.0.0.0");
boolean hasIPV6 = addresses.contains("0:0:0:0:0:0:0:0");
// add standard listeners
int lport = 0;
if (_listenPort != null) {
try {
lport = Integer.parseInt(_listenPort);
} catch (NumberFormatException nfe) {
}
if (lport <= 0)
System.err.println("Bad routerconsole port " + _listenPort);
}
if (lport > 0) {
List<String> hosts = new ArrayList<String>(2);
StringTokenizer tok = new StringTokenizer(_listenHost, " ,");
while (tok.hasMoreTokens()) {
String host = tok.nextToken().trim();
try {
// connectors are bad
if ((!hasIPV6) && Addresses.isIPv6Address(host))
throw new IOException("IPv6 addresses unsupported");
if ((!hasIPV4) && Addresses.isIPv4Address(host))
throw new IOException("IPv4 addresses unsupported");
ServerSocket testSock = null;
try {
// On Windows, this was passing and Jetty was still failing,
// possibly due to %scope_id ???
// https://issues.apache.org/jira/browse/ZOOKEEPER-667
// so do exactly what Jetty does in SelectChannelConnector.open()
testSock = new ServerSocket();
InetSocketAddress isa = new InetSocketAddress(host, 0);
testSock.bind(isa);
} finally {
if (testSock != null)
try {
testSock.close();
} catch (IOException ioe) {
}
}
HttpConfiguration httpConfig = new HttpConfiguration();
// number of acceptors, (default) number of selectors
ServerConnector lsnr = new ServerConnector(_server, 1, 0, new HttpConnectionFactory(httpConfig));
// lsnr.setUseDirectBuffers(false); // default true seems to be leaky
lsnr.setHost(host);
lsnr.setPort(lport);
// default 10 sec
lsnr.setIdleTimeout(90 * 1000);
// all with same name will use the same thread pool
lsnr.setName("ConsoleSocket");
// _server.addConnector(lsnr);
connectors.add(lsnr);
boundAddresses++;
hosts.add(host);
} catch (Exception ioe) {
System.err.println("Unable to bind routerconsole to " + host + " port " + _listenPort + ": " + ioe);
System.err.println("You may ignore this warning if the console is still available at http://localhost:" + _listenPort);
}
}
if (hosts.isEmpty()) {
_context.portMapper().register(PortMapper.SVC_CONSOLE, lport);
} else {
// put IPv4 first
Collections.sort(hosts, new HostComparator());
_context.portMapper().register(PortMapper.SVC_CONSOLE, hosts.get(0), lport);
// note that we could still fail in connector.start() below
listenHosts.addAll(hosts);
}
}
// add SSL listeners
int sslPort = 0;
if (_sslListenPort != null) {
try {
sslPort = Integer.parseInt(_sslListenPort);
} catch (NumberFormatException nfe) {
}
if (sslPort <= 0)
System.err.println("Bad routerconsole SSL port " + _sslListenPort);
}
if (sslPort > 0) {
File keyStore = new File(_context.getConfigDir(), "keystore/console.ks");
// Put the list of hosts together early, so we can put it in the selfsigned cert.
StringTokenizer tok = new StringTokenizer(_sslListenHost, " ,");
Set<String> altNames = new HashSet<String>(4);
while (tok.hasMoreTokens()) {
String s = tok.nextToken().trim();
if (!s.equals("0.0.0.0") && !s.equals("::") && !s.equals("0:0:0:0:0:0:0:0"))
altNames.add(s);
}
String allowed = _context.getProperty(PROP_ALLOWED_HOSTS);
if (allowed != null) {
tok = new StringTokenizer(allowed, " ,");
while (tok.hasMoreTokens()) {
altNames.add(tok.nextToken().trim());
}
}
if (verifyKeyStore(keyStore, altNames)) {
// the keystore path and password
SslContextFactory sslFactory = new SslContextFactory(keyStore.getAbsolutePath());
sslFactory.setKeyStorePassword(_context.getProperty(PROP_KEYSTORE_PASSWORD, KeyStoreUtil.DEFAULT_KEYSTORE_PASSWORD));
// the X.509 cert password (if not present, verifyKeyStore() returned false)
sslFactory.setKeyManagerPassword(_context.getProperty(PROP_KEY_PASSWORD, "thisWontWork"));
sslFactory.addExcludeProtocols(I2PSSLSocketFactory.EXCLUDE_PROTOCOLS.toArray(new String[I2PSSLSocketFactory.EXCLUDE_PROTOCOLS.size()]));
sslFactory.addExcludeCipherSuites(I2PSSLSocketFactory.EXCLUDE_CIPHERS.toArray(new String[I2PSSLSocketFactory.EXCLUDE_CIPHERS.size()]));
List<String> hosts = new ArrayList<String>(2);
tok = new StringTokenizer(_sslListenHost, " ,");
while (tok.hasMoreTokens()) {
String host = tok.nextToken().trim();
// doing it this way means we don't have to escape an IPv6 host with []
try {
// connectors are bad
if ((!hasIPV6) && Addresses.isIPv6Address(host))
throw new IOException("IPv6 addresses unsupported");
if ((!hasIPV4) && Addresses.isIPv4Address(host))
throw new IOException("IPv4 addresses unsupported");
ServerSocket testSock = null;
try {
// see comments above
testSock = new ServerSocket();
InetSocketAddress isa = new InetSocketAddress(host, 0);
testSock.bind(isa);
} finally {
if (testSock != null)
try {
testSock.close();
} catch (IOException ioe) {
}
}
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.setSecureScheme("https");
httpConfig.setSecurePort(sslPort);
httpConfig.addCustomizer(new SecureRequestCustomizer());
// number of acceptors, (default) number of selectors
ServerConnector ssll = new ServerConnector(_server, 1, 0, new SslConnectionFactory(sslFactory, "http/1.1"), new HttpConnectionFactory(httpConfig));
// sssll.setUseDirectBuffers(false); // default true seems to be leaky
ssll.setHost(host);
ssll.setPort(sslPort);
// default 10 sec
ssll.setIdleTimeout(90 * 1000);
// all with same name will use the same thread pool
ssll.setName("ConsoleSocket");
// _server.addConnector(ssll);
connectors.add(ssll);
boundAddresses++;
hosts.add(host);
} catch (Exception e) {
System.err.println("Unable to bind routerconsole to " + host + " port " + sslPort + " for SSL: " + e);
if (SystemVersion.isGNU())
System.err.println("Probably because GNU classpath does not support Sun keystores");
System.err.println("You may ignore this warning if the console is still available at https://localhost:" + sslPort);
}
}
if (hosts.isEmpty()) {
_context.portMapper().register(PortMapper.SVC_HTTPS_CONSOLE, sslPort);
} else {
// put IPv4 first
Collections.sort(hosts, new HostComparator());
_context.portMapper().register(PortMapper.SVC_HTTPS_CONSOLE, hosts.get(0), sslPort);
// note that we could still fail in connector.start() below
listenHosts.addAll(hosts);
}
} else {
System.err.println("Unable to create or access keystore for SSL: " + keyStore.getAbsolutePath());
}
}
if (boundAddresses <= 0) {
System.err.println("Unable to bind routerconsole to any address on port " + _listenPort + (sslPort > 0 ? (" or SSL port " + sslPort) : ""));
return;
}
// Each address spawns a Connector and an Acceptor thread
// If the min is less than this, we have no thread for the handlers or the expiration thread.
qtp.setMinThreads(MIN_THREADS + (2 * boundAddresses));
qtp.setMaxThreads(MAX_THREADS + (2 * boundAddresses));
File tmpdir = new SecureDirectory(workDir, ROUTERCONSOLE + "-" + (_listenPort != null ? _listenPort : _sslListenPort));
tmpdir.mkdir();
rootServletHandler = new ServletHandler();
rootWebApp = new LocaleWebAppHandler(_context, "/", _webAppsDir + ROUTERCONSOLE + ".war", tmpdir, rootServletHandler);
try {
// Not sure who is supposed to call this, but unless we do,
// all the jsps die NPE, because JspFactory.getDefaultContext() returns null.
// We probably have to do this because we don't bundle the Jetty annotations jar and scanner.
// This is only with Tomcat 8, not with the Jetty (Eclipse) jsp impl.
// Got a clue from this ancient post for Tomcat 6:
// https://bz.apache.org/bugzilla/show_bug.cgi?id=39804
// see also apps/jetty/build.xml
Class.forName("org.eclipse.jetty.apache.jsp.JettyJasperInitializer");
} catch (ClassNotFoundException cnfe) {
System.err.println("Warning: JettyJasperInitializer not found");
}
WebAppContext wac = (WebAppContext) (rootWebApp.getHandler());
initialize(_context, wac);
WebAppStarter.setWebAppConfiguration(wac);
chColl.addHandler(rootWebApp);
} catch (Exception ioe) {
ioe.printStackTrace();
}
// fix up the allowed hosts set (see HostCheckHandler)
if (listenHosts.contains("0.0.0.0") || listenHosts.contains("::") || listenHosts.contains("0:0:0:0:0:0:0:0")) {
// empty set says all are valid
listenHosts.clear();
} else {
listenHosts.add("localhost");
listenHosts.add("127.0.0.1");
listenHosts.add("::1");
listenHosts.add("0:0:0:0:0:0:0:1");
String allowed = _context.getProperty(PROP_ALLOWED_HOSTS);
if (allowed != null) {
StringTokenizer tok = new StringTokenizer(allowed, " ,");
while (tok.hasMoreTokens()) {
listenHosts.add(tok.nextToken());
}
}
}
chCollWrapper.setListenHosts(listenHosts);
// https://bugs.eclipse.org/bugs/show_bug.cgi?id=364936
// WARN:oejw.WebAppContext:Failed startup of context o.e.j.w.WebAppContext{/,jar:file:/.../webapps/routerconsole.war!/},/.../webapps/routerconsole.war
// java.lang.IllegalStateException: zip file closed
Resource.setDefaultUseCaches(false);
try {
// start does a mapContexts()
_server.start();
} catch (Throwable me) {
// NoClassFoundDefError from a webapp is a throwable, not an exception
System.err.println("Error starting the Router Console server: " + me);
me.printStackTrace();
}
if (_server.isRunning()) {
// Add and start the connectors one-by-one
boolean error = false;
for (Connector conn : connectors) {
try {
_server.addConnector(conn);
// start after adding so it gets the right thread pool
conn.start();
} catch (Throwable me) {
try {
_server.removeConnector(conn);
} catch (Throwable t) {
t.printStackTrace();
}
System.err.println("WARNING: Error starting " + conn + ": " + me);
me.printStackTrace();
error = true;
}
}
if (error) {
String port = (_listenPort != null) ? _listenPort : ((_sslListenPort != null) ? _sslListenPort : Integer.toString(DEFAULT_LISTEN_PORT));
System.err.println("WARNING: Error starting one or more listeners of the Router Console server.\n" + "If your console is still accessible at http://127.0.0.1:" + port + "/,\n" + "this may be a problem only with binding to the IPV6 address ::1.\n" + "If so, you may ignore this error, or remove the\n" + "\"::1,\" in the \"clientApp.0.args\" line of the clients.config file.");
}
}
// Start all the other webapps after the server is up,
// so things start faster.
// Jetty 6 starts the connector before the router console is ready
// This also prevents one webapp from breaking the whole thing
List<String> notStarted = new ArrayList<String>();
if (_server.isRunning()) {
File dir = new File(_webAppsDir);
File[] files = dir.listFiles(WAR_FILTER);
if (files != null) {
for (int i = 0; i < files.length; i++) {
String appName = files[i].getName();
appName = appName.substring(0, appName.lastIndexOf(".war"));
String enabled = props.getProperty(PREFIX + appName + ENABLED);
if (appName.equals("addressbook")) {
// addressbook.war is now empty, thread is started by SusiDNS
if (enabled != null) {
props.remove(PREFIX + "addressbook" + ENABLED);
rewrite = true;
}
} else if (!"false".equals(enabled)) {
try {
String path = files[i].getCanonicalPath();
WebAppStarter.startWebApp(_context, chColl, appName, path);
if (enabled == null) {
// do this so configclients.jsp knows about all apps from reading the config
props.setProperty(PREFIX + appName + ENABLED, "true");
rewrite = true;
}
} catch (Throwable t) {
System.err.println("ERROR: Failed to start " + appName + ' ' + t);
t.printStackTrace();
notStarted.add(appName);
}
} else {
notStarted.add(appName);
}
}
changeState(RUNNING);
if (_mgr != null)
_mgr.register(this);
}
} else {
System.err.println("ERROR: Router console did not start, not starting webapps");
changeState(START_FAILED);
}
if (rewrite)
storeWebAppProperties(_context, props);
if (rootServletHandler != null && notStarted.size() > 0) {
// map each not-started webapp to the error page
ServletHolder noWebApp = rootServletHandler.getServlet("net.i2p.router.web.jsp.nowebapp_jsp");
for (int i = 0; i < notStarted.size(); i++) {
// we want a new handler for each one since if the webapp is started we remove the handler???
try {
if (noWebApp != null) {
String path = '/' + notStarted.get(i);
// LocaleWebAppsHandler adds a .jsp
rootServletHandler.addServletWithMapping(noWebApp, path + ".jsp");
rootServletHandler.addServletWithMapping(noWebApp, path + "/*");
} else {
System.err.println("Can't find nowebapp.jsp?");
}
} catch (Throwable me) {
System.err.println(me);
me.printStackTrace();
}
}
}
Thread t = new I2PAppThread(new StatSummarizer(), "StatSummarizer", true);
t.setPriority(Thread.NORM_PRIORITY - 1);
t.start();
ConsoleUpdateManager um = new ConsoleUpdateManager(_context, _mgr, null);
um.start();
NewsManager nm = new NewsManager(_context, _mgr, null);
nm.startup();
if (PluginStarter.pluginsEnabled(_context)) {
t = new I2PAppThread(new PluginStarter(_context), "PluginStarter", true);
t.setPriority(Thread.NORM_PRIORITY - 1);
t.start();
}
// RouterAppManager registers its own hook
if (_mgr == null)
_context.addShutdownTask(new ServerShutdown());
ConfigServiceHandler.registerSignalHandler(_context);
}
use of org.eclipse.jetty.server.SecureRequestCustomizer in project goodies by sonatype.
the class JettyServerProvider method sslConnector.
protected ServerConnector sslConnector(final Server server) {
sslContextFactory = new SslContextFactory();
String keystore;
try {
keystore = resourceFile(sslKeystore);
} catch (Exception e) {
keystore = sslKeystore;
}
sslContextFactory.setKeyStorePath(keystore);
sslContextFactory.setKeyStorePassword(sslKeystorePassword);
sslContextFactory.setKeyManagerPassword(sslKeystorePassword);
if (sslTruststore != null) {
String truststore;
try {
truststore = resourceFile(sslTruststore);
} catch (Exception e) {
truststore = sslTruststore;
}
sslContextFactory.setTrustStorePath(truststore);
sslContextFactory.setTrustStorePassword(sslTruststorePassword);
sslContextFactory.setNeedClientAuth(sslNeedClientAuth);
}
final HttpConfiguration httpConfig = createConnectorConfiguration();
httpConfig.addCustomizer(new SecureRequestCustomizer());
final ServerConnector serverConnector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpConfig));
serverConnector.setIdleTimeout(30000);
serverConnector.setHost(host);
if (port != -1) {
serverConnector.setPort(port);
}
return serverConnector;
}
use of org.eclipse.jetty.server.SecureRequestCustomizer in project nifi-registry by apache.
the class JettyServer method configureConnectors.
private void configureConnectors() {
// create the http configuration
final HttpConfiguration httpConfiguration = new HttpConfiguration();
httpConfiguration.setRequestHeaderSize(HEADER_BUFFER_SIZE);
httpConfiguration.setResponseHeaderSize(HEADER_BUFFER_SIZE);
if (properties.getPort() != null) {
final Integer port = properties.getPort();
if (port < 0 || (int) Math.pow(2, 16) <= port) {
throw new IllegalStateException("Invalid HTTP port: " + port);
}
logger.info("Configuring Jetty for HTTP on port: " + port);
// create the connector
final ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(httpConfiguration));
// set host and port
if (StringUtils.isNotBlank(properties.getHttpHost())) {
http.setHost(properties.getHttpHost());
}
http.setPort(port);
// add this connector
server.addConnector(http);
} else if (properties.getSslPort() != null) {
final Integer port = properties.getSslPort();
if (port < 0 || (int) Math.pow(2, 16) <= port) {
throw new IllegalStateException("Invalid HTTPs port: " + port);
}
if (StringUtils.isBlank(properties.getKeyStorePath())) {
throw new IllegalStateException(NiFiRegistryProperties.SECURITY_KEYSTORE + " must be provided to configure Jetty for HTTPs");
}
logger.info("Configuring Jetty for HTTPs on port: " + port);
// add some secure config
final HttpConfiguration httpsConfiguration = new HttpConfiguration(httpConfiguration);
httpsConfiguration.setSecureScheme("https");
httpsConfiguration.setSecurePort(properties.getSslPort());
httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
// build the connector
final ServerConnector https = new ServerConnector(server, new SslConnectionFactory(createSslContextFactory(), "http/1.1"), new HttpConnectionFactory(httpsConfiguration));
// set host and port
if (StringUtils.isNotBlank(properties.getHttpsHost())) {
https.setHost(properties.getHttpsHost());
}
https.setPort(port);
// add this connector
server.addConnector(https);
}
}
use of org.eclipse.jetty.server.SecureRequestCustomizer in project drill by axbaretto.
the class WebServer method createHttpsConnector.
/**
* Create an HTTPS connector for given jetty server instance. If the admin has
* specified keystore/truststore settings they will be used else a self-signed
* certificate is generated and used.
* <p>
* This is a shameless copy of
* {@link org.apache.drill.exec.server.rest.Webserver#createHttpsConnector( )}.
* The two should be merged at some point. The primary issue is that the Drill
* version is tightly coupled to Drillbit configuration.
*
* @return Initialized {@link ServerConnector} for HTTPS connections.
* @throws Exception
*/
private ServerConnector createHttpsConnector(Config config) throws Exception {
LOG.info("Setting up HTTPS connector for web server");
final SslContextFactory sslContextFactory = new SslContextFactory();
// if (config.hasPath(ExecConstants.HTTP_KEYSTORE_PATH) &&
// !Strings.isNullOrEmpty(config.getString(ExecConstants.HTTP_KEYSTORE_PATH)))
// {
// LOG.info("Using configured SSL settings for web server");
// sslContextFactory.setKeyStorePath(config.getString(ExecConstants.HTTP_KEYSTORE_PATH));
// sslContextFactory.setKeyStorePassword(config.getString(ExecConstants.HTTP_KEYSTORE_PASSWORD));
//
// // TrustStore and TrustStore password are optional
// if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PATH)) {
// sslContextFactory.setTrustStorePath(config.getString(ExecConstants.HTTP_TRUSTSTORE_PATH));
// if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PASSWORD)) {
// sslContextFactory.setTrustStorePassword(config.getString(ExecConstants.HTTP_TRUSTSTORE_PASSWORD));
// }
// }
// } else {
LOG.info("Using generated self-signed SSL settings for web server");
final SecureRandom random = new SecureRandom();
// Generate a private-public key pair
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024, random);
final KeyPair keyPair = keyPairGenerator.generateKeyPair();
final DateTime now = DateTime.now();
// Create builder for certificate attributes
final X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.OU, "Apache Drill (auth-generated)").addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)").addRDN(BCStyle.CN, "Drill AM");
final Date notBefore = now.minusMinutes(1).toDate();
final Date notAfter = now.plusYears(5).toDate();
final BigInteger serialNumber = new BigInteger(128, random);
// Create a certificate valid for 5years from now.
final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(// attributes
nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic());
// Sign the certificate using the private key
final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
// Check the validity
certificate.checkValidity(now.toDate());
// Make sure the certificate is self-signed.
certificate.verify(certificate.getPublicKey());
// Generate a random password for keystore protection
final String keyStorePasswd = RandomStringUtils.random(20);
final KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(), new java.security.cert.Certificate[] { certificate });
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyStorePassword(keyStorePasswd);
// }
final HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.addCustomizer(new SecureRequestCustomizer());
// SSL Connector
final ServerConnector sslConnector = new ServerConnector(jettyServer, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig));
sslConnector.setPort(config.getInt(DrillOnYarnConfig.HTTP_PORT));
return sslConnector;
}
Aggregations