Author: fschumacher Date: Fri Mar 13 19:54:59 2015 New Revision: 1666560 URL: http://svn.apache.org/r1666560 Log: Defer the initialization of StartTLS settings to the startInternal stage. That way logging is possible and errors in tls/ssl will lead to stopping the context.
Merge r1666552 from /tomcat/trunk Modified: tomcat/tc8.0.x/trunk/ (props changed) tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java Propchange: tomcat/tc8.0.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Mar 13 19:54:59 2015 @@ -1 +1 @@ -/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892 ,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657 907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663324,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496 +/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892 ,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657 907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663324,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552 Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1666560&r1=1666559&r2=1666560&view=diff ============================================================================== --- tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) +++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Mar 13 19:54:59 2015 @@ -462,7 +462,7 @@ public class JNDIRealm extends RealmBase * The list of enabled cipher suites used for establishing tls connections. * <code>null</code> means to use the default cipher suites. */ - private String[] cipherSuites = null; + private String[] cipherSuitesArray = null; /** * Verifier for hostnames in a StartTLS secured connection. <code>null</code> @@ -475,6 +475,29 @@ public class JNDIRealm extends RealmBase */ private SSLSocketFactory sslSocketFactory = null; + /** + * Name of the class of the {@link SSLSocketFactory}. <code>null</code> + * means to use the default factory. + */ + private String sslSocketFactoryClassName; + + /** + * Comma separated list of cipher suites to use for StartTLS. If empty, the + * default suites are used. + */ + private String cipherSuites; + + /** + * Name of the class of the {@link HostnameVerifier}. <code>null</code> + * means to use the default verifier. + */ + private String hostNameVerifierClassName; + + /** + * The ssl Protocol which will be used by StartTLS. + */ + private String sslProtocol; + // ------------------------------------------------------------- Properties /** @@ -1081,7 +1104,18 @@ public class JNDIRealm extends RealmBase * StartTLS */ private String[] getCipherSuitesArray() { - return cipherSuites; + if (cipherSuites == null || cipherSuitesArray != null) { + return cipherSuitesArray; + } + if (this.cipherSuites.trim().isEmpty()) { + containerLog.warn(sm.getString("jndiRealm.emptyCipherSuites")); + this.cipherSuitesArray = null; + } else { + this.cipherSuitesArray = cipherSuites.trim().split("\\s*,\\s*"); + containerLog.debug(sm.getString("jndiRealm.cipherSuites", + Arrays.asList(this.cipherSuitesArray))); + } + return this.cipherSuitesArray; } /** @@ -1092,14 +1126,7 @@ public class JNDIRealm extends RealmBase * comma separated list of allowed cipher suites */ public void setCipherSuites(String suites) { - if (suites == null || suites.trim().isEmpty()) { - containerLog.warn(sm.getString("jndiRealm.emptyCipherSuites")); - this.cipherSuites = null; - } else { - this.cipherSuites = suites.trim().split("\\s*,\\s*"); - containerLog.debug(sm.getString("jndiRealm.cipherSuites", - Arrays.asList(this.cipherSuites))); - } + this.cipherSuites = suites; } /** @@ -1123,23 +1150,10 @@ public class JNDIRealm extends RealmBase * class name of the {@link HostnameVerifier} to be constructed */ public void setHostnameVerifierClassName(String verifierClassName) { - if (verifierClassName == null || verifierClassName.trim().equals("")) { - return; - } - try { - Object o = constructInstance(verifierClassName); - if (o instanceof HostnameVerifier) { - this.hostnameVerifier = (HostnameVerifier) o; - } else { - containerLog - .warn(sm.getString("jndiRealm.invalidHostnameVerifier", - verifierClassName)); - } - } catch (ClassNotFoundException | SecurityException - | InstantiationException | IllegalAccessException - | IllegalArgumentException e) { - containerLog.warn(sm.getString("jndiRealm.invalidHostnameVerifier", - verifierClassName), e); + if (hostNameVerifierClassName != null) { + this.hostNameVerifierClassName = verifierClassName.trim(); + } else { + this.hostNameVerifierClassName = null; } } @@ -1148,7 +1162,29 @@ public class JNDIRealm extends RealmBase * verification when opening connections using StartTLS. */ public HostnameVerifier getHostnameVerifier() { - return this.getHostnameVerifier(); + if (this.hostnameVerifier != null) { + return this.hostnameVerifier; + } + if (this.hostNameVerifierClassName == null + || hostNameVerifierClassName.equals("")) { + return null; + } + try { + Object o = constructInstance(hostNameVerifierClassName); + if (o instanceof HostnameVerifier) { + this.hostnameVerifier = (HostnameVerifier) o; + return this.hostnameVerifier; + } else { + throw new IllegalArgumentException(sm.getString( + "jndiRealm.invalidHostnameVerifier", + hostNameVerifierClassName)); + } + } catch (ClassNotFoundException | SecurityException + | InstantiationException | IllegalAccessException e) { + throw new IllegalArgumentException(sm.getString( + "jndiRealm.invalidHostnameVerifier", + hostNameVerifierClassName), e); + } } /** @@ -1161,23 +1197,7 @@ public class JNDIRealm extends RealmBase * class name of the factory to be constructed */ public void setSslSocketFactoryClassName(String factoryClassName) { - if (factoryClassName == null || factoryClassName.trim().equals("")) { - return; - } - try { - Object o = constructInstance(factoryClassName); - if (o instanceof SSLSocketFactory) { - this.sslSocketFactory = (SSLSocketFactory) o; - } else { - containerLog.warn(sm.getString( - "jndiRealm.invalidSslSocketFactory", factoryClassName)); - } - } catch (ClassNotFoundException | SecurityException - | InstantiationException | IllegalAccessException - | IllegalArgumentException e) { - containerLog.warn(sm.getString("jndiRealm.invalidSslSocketFactory", - factoryClassName)); - } + this.sslSocketFactoryClassName = factoryClassName; } /** @@ -1187,17 +1207,7 @@ public class JNDIRealm extends RealmBase * one of the allowed ssl protocol names */ public void setSslProtocol(String protocol) { - try { - SSLContext sslContext = SSLContext.getInstance(protocol); - sslContext.init(null, null, null); - this.sslSocketFactory = sslContext.getSocketFactory(); - } catch (NoSuchAlgorithmException | KeyManagementException e) { - List<String> allowedProtocols = Arrays - .asList(getSupportedSslProtocols()); - throw new IllegalArgumentException( - sm.getString("jndiRealm.invalidSslProtocol", protocol, - allowedProtocols), e); - } + this.sslProtocol = protocol; } /** @@ -1207,9 +1217,8 @@ public class JNDIRealm extends RealmBase private String[] getSupportedSslProtocols() { try { SSLContext sslContext = SSLContext.getDefault(); - sslContext.init(null, null, null); return sslContext.getSupportedSSLParameters().getProtocols(); - } catch (NoSuchAlgorithmException | KeyManagementException e) { + } catch (NoSuchAlgorithmException e) { throw new RuntimeException(sm.getString("jndiRealm.exception"), e); } } @@ -2364,6 +2373,58 @@ public class JNDIRealm extends RealmBase } } + private SSLSocketFactory getSSLSocketFactory() { + if (sslSocketFactory != null) { + return sslSocketFactory; + } + final SSLSocketFactory result; + if (this.sslSocketFactoryClassName != null + && !sslSocketFactoryClassName.trim().equals("")) { + result = createSSLSocketFactoryFromClassName(this.sslSocketFactoryClassName); + } else { + result = createSSLContextFactoryFromProtocol(sslProtocol); + } + this.sslSocketFactory = result; + return result; + } + + private SSLSocketFactory createSSLSocketFactoryFromClassName(String className) { + try { + Object o = constructInstance(className); + if (o instanceof SSLSocketFactory) { + return sslSocketFactory; + } else { + throw new IllegalArgumentException(sm.getString( + "jndiRealm.invalidSslSocketFactory", + className)); + } + } catch (ClassNotFoundException | SecurityException + | InstantiationException | IllegalAccessException e) { + throw new IllegalArgumentException(sm.getString( + "jndiRealm.invalidSslSocketFactory", + className), e); + } + } + + private SSLSocketFactory createSSLContextFactoryFromProtocol(String protocol) { + try { + SSLContext sslContext; + if (protocol != null) { + sslContext = SSLContext.getInstance(protocol); + sslContext.init(null, null, null); + } else { + sslContext = SSLContext.getDefault(); + } + return sslContext.getSocketFactory(); + } catch (NoSuchAlgorithmException | KeyManagementException e) { + List<String> allowedProtocols = Arrays + .asList(getSupportedSslProtocols()); + throw new IllegalArgumentException( + sm.getString("jndiRealm.invalidSslProtocol", protocol, + allowedProtocols), e); + } + } + /** * Create a tls enabled LdapContext and set the StartTlsResponse tls * instance variable. @@ -2390,14 +2451,14 @@ public class JNDIRealm extends RealmBase result = new InitialLdapContext(env, null); tls = (StartTlsResponse) result .extendedOperation(new StartTlsRequest()); - if (hostnameVerifier != null) { - tls.setHostnameVerifier(hostnameVerifier); + if (getHostnameVerifier() != null) { + tls.setHostnameVerifier(getHostnameVerifier()); } if (getCipherSuitesArray() != null) { tls.setEnabledCipherSuites(getCipherSuitesArray()); } try { - SSLSession negotiate = tls.negotiate(sslSocketFactory); + SSLSession negotiate = tls.negotiate(getSSLSocketFactory()); containerLog.debug(sm.getString("jndiRealm.negotiatedTls", negotiate.getProtocol())); } catch (IOException e) { --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org