Author: fhanik
Date: Wed Oct 18 10:10:44 2006
New Revision: 465303
URL: http://svn.apache.org/viewvc?view=rev&rev=465303
Log:
Implemented SSLEngine attribute on the Java HTTP connectors.
This allows one to specify secure=true and scheme=https without enabling SSL on the
connector itself, so that Tomcat does not redirect to HTTPS when an SSL accelerator
in front of Tomcat terminates the TLS connection.
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?view=diff&rev=465303&r1=465302&r2=465303
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
Wed Oct 18 10:10:44 2006
@@ -103,7 +103,7 @@
response.setOutputBuffer(outputBuffer);
request.setResponse(response);
- ssl = endpoint.getSecure();
+ ssl = "on".equalsIgnoreCase(endpoint.getSSLEngine());
initializeFilters();
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?view=diff&rev=465303&r1=465302&r2=465303
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java
Wed Oct 18 10:10:44 2006
@@ -516,6 +516,8 @@
public String getKeystoreFile() { return ep.getKeystoreFile();}
public void setKeystoreFile(String s ) { ep.setKeystoreFile(s);}
+ public void setKeystore(String s) { setKeystoreFile(s);}
+ public String getKeystore(){ return getKeystoreFile();}
public String getAlgorithm() { return ep.getAlgorithm();}
public void setAlgorithm(String s ) { ep.setAlgorithm(s);}
@@ -534,6 +536,10 @@
public String getCiphers() { return ep.getCiphers();}
public void setCiphers(String s) { ep.setCiphers(s);}
+
+ public String getSSLEngine() { return ep.getSSLEngine(); }
+ public void setSSLEngine(String SSLEngine) { ep.setSSLEngine(SSLEngine); }
+
// -------------------- Connection handler --------------------
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java?view=diff&rev=465303&r1=465302&r2=465303
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java Wed
Oct 18 10:10:44 2006
@@ -146,7 +146,7 @@
// Verify the validity of the configured socket factory
try {
- if (secure) {
+ if ("on".equalsIgnoreCase(getSSLEngine())) {
sslImplementation =
SSLImplementation.getInstance(sslImplementationName);
socketFactory = sslImplementation.getServerSocketFactory();
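Review bot: The new condition on the `if` means a connector configured with `secure="true"` but without the new `SSLEngine="on"` attribute — which is what every pre-existing SSL server.xml looks like, including the old howto example this commit replaces — now starts as a plaintext listener while `request.isSecure()` still returns true, so transport-guarantee checks and any webapp that trusts `isSecure()` would hand secure content over cleartext. That is the intended accelerator case, but it is indistinguishable from a stale config, so it deserves at least a loud startup message: after the `if`, add something like `if (secure && !"on".equalsIgnoreCase(getSSLEngine())) log.warn("secure=\"true\" but SSLEngine is off on port " + getPort() + ": serving plaintext, assuming an SSL accelerator in front of Tomcat");` using whatever logger and port accessor this class has, since neither is visible in the hunk. The init method this belongs to starts and ends outside the hunk.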
@@ -251,7 +251,10 @@
protected boolean secure;
public boolean getSecure() { return secure; }
public void setSecure(boolean b) { secure = b; }
-
+
+ protected String SSLEngine = "off";
+ public String getSSLEngine() { return SSLEngine;}
+ public void setSSLEngine(String SSLEngine) {this.SSLEngine = SSLEngine;}
/**
* Name of the socket factory.
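Review bot: `setSSLEngine` stores whatever string it is given, and the only consumer compares it against the literal `on`, so a typo such as `SSLEngine="true"`, `"yes"` or `"1"` silently yields an unencrypted listener instead of a configuration error. Normalize and reject in the setter: `if (!"on".equalsIgnoreCase(SSLEngine) && !"off".equalsIgnoreCase(SSLEngine)) throw new IllegalArgumentException("SSLEngine must be \"on\" or \"off\", got: " + SSLEngine);` — or, if property setters on this class are invoked reflectively and exceptions there are swallowed, do the check where the value is consumed at init so startup fails visibly. The field would also read better as `sslEngine` per Java naming, and the parameter of the same name currently relies on `this.` to avoid shadowing confusion.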
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?view=diff&rev=465303&r1=465302&r2=465303
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Wed
Oct 18 10:10:44 2006
@@ -350,8 +350,10 @@
// -------------------- SSL related properties --------------------
protected String keystoreFile =
System.getProperty("user.home")+"/.keystore";
public String getKeystoreFile() { return keystoreFile;}
- public void setKeystoreFile(String s ) { this.keystoreFile = s;}
-
+ public void setKeystoreFile(String s ) { this.keystoreFile = s; }
+ public void setKeystore(String s ) { setKeystoreFile(s);}
+ public String getKeystore() { return getKeystoreFile();}
+
protected String algorithm = "SunX509";
public String getAlgorithm() { return algorithm;}
public void setAlgorithm(String s ) { this.algorithm = s;}
@@ -396,6 +398,13 @@
}
}
+ /**
+ * SSL engine.
+ */
+ protected String SSLEngine = "off";
+ public String getSSLEngine() { return SSLEngine;}
+ public void setSSLEngine(String SSLEngine) {this.SSLEngine = SSLEngine;}
+
protected boolean secure = false;
public boolean getSecure() { return secure;}
public void setSecure(boolean b) { secure = b;}
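Review bot: The `on` check that gates this new field is now spelled out in two places for the NIO stack — `endpoint.getSSLEngine()` in Http11NioProcessor and `getSSLEngine()` in NioEndpoint's init — and a third, separate copy lives in Http11Protocol, so the three can drift. Add one predicate next to the setter, `public boolean isSSLEnabled() { return "on".equalsIgnoreCase(SSLEngine); }`, and have both NIO call sites use it; the same predicate is the natural place to reject values that are neither `on` nor `off` rather than treating them as off. Since `secure` is declared immediately below and the two are now independent, a one-line comment stating that `secure` only affects `request.isSecure()` and never enables the SSL engine would save the next reader from the assumption the old `if (secure)` code encouraged.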
@@ -500,7 +509,7 @@
}
// Initialize SSL if needed
- if (secure) {
+ if ("on".equalsIgnoreCase(getSSLEngine())) {
// Initialize SSL
char[] passphrase = getKeystorePass().toCharArray();
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?view=diff&rev=465303&r1=465302&r2=465303
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Oct 18 10:10:44 2006
@@ -148,19 +148,35 @@
number specified here.</p>
</attribute>
+ <attribute name="SSLEngine" required="false">
+ <p>
+ Use this attribute to enable SSL traffic on a connector.
+ To turn on SSL handshake/encryption/decryption on a connector
+ set this value to <code>on</code>.
+ The default value is <code>off</code>.
+ When turning this value <code>on</code> you will want to set the
+ <code>scheme</code> and the <code>secure</code> attributes as well
+ to pass the correct <code>request.getScheme()</code> and
+ <code>request.isSecure()</code> values to the servlets
+ See <a href="#SSL Support">SSL Support</a> for more information.
+ </p>
+ </attribute>
+
<attribute name="scheme" required="false">
<p>Set this attribute to the name of the protocol you wish to have
returned by calls to <code>request.getScheme()</code>. For
example, you would set this attribute to "<code>https</code>"
for an SSL Connector. The default value is "<code>http</code>".
- See <a href="#SSL Support">SSL Support</a> for more information.</p>
+ </p>
</attribute>
<attribute name="secure" required="false">
<p>Set this attribute to <code>true</code> if you wish to have
calls to <code>request.isSecure()</code> to return <code>true</code>
- for requests received by this Connector (you would want this on an
- SSL Connector). The default value is <code>false</code>.</p>
+ for requests received by this Connector. You would want this on an
+ SSL Connector or a non SSL connector that is receiving data from a
+ SSL accelerator, like a crypto card, a SSL appliance or even a webserver.
+ The default value is <code>false</code>.</p>
</attribute>
<attribute name="URIEncoding" required="false">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml?view=diff&rev=465303&r1=465302&r2=465303
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml Wed Oct 18 10:10:44 2006
@@ -17,8 +17,9 @@
<section name="Quick Start">
- <p><b>IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR,
Tomcat will
- use OpenSSL, which uses a different configuration.</b></p>
+ <p><b>IMPORTANT NOTE: This Howto refers to usage of JSSE, that comes
included with
+ jdk 1.5 and higher. When using APR, Tomcat will
+ use OpenSSL, which uses a different configuration.</b></p>
<blockquote><em>
<p>The description below uses the variable name $CATALINA_HOME
@@ -33,11 +34,6 @@
<p>To install and configure SSL support on Tomcat 6, you need to follow
these simple steps. For more information, read the rest of this HOW-TO.</p>
<ol>
-<li>If you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from
- <a
href="http://java.sun.com/products/jsse/">http://java.sun.com/products/jsse/</a>
- and either make it an <em>installed extension</em> on the system, or else
- set an environment variable <code>JSSE_HOME</code> that points at the
- directory into which you installed JSSE. </li><br/><br/>
<li>Create a certificate keystore by executing the following command:
<p>Windows:</p>
<source>
@@ -177,30 +173,6 @@
<section name="Configuration">
-<subsection name="Download and Install JSSE (if needed)">
-<p>Note that JSSE is bundled with Sun's JDK 1.4 and later, so if you're using
-JDK 1.4 and later, you can skip this step.</p>
-
-
-<p>Download the <em>Java Secure Socket Extensions</em> (JSSE) package,
-version 1.0.3 or later, from
-<a
href="http://java.sun.com/products/jsse/">http://java.sun.com/products/jsse/</a>.
-If you built Tomcat from source, you have probably already downloaded this
-package.</p>
-
-<p>After expanding the package, there are two ways to make it available to
-Tomcat (choose one or the other):</p>
-<ul>
-<li>Make JSSE an <em>installed extension</em> by copying all three JAR files
- (<code>jcert.jar</code>, <code>jnet.jar</code>, and <code>jsse.jar</code>)
- into your <code>$JAVA_HOME/jre/lib/ext</code> directory.</li>
-<li>Create a new environment variable <code>JSSE_HOME</code> that contains
- the absolute path to the directory into which you unpacked the
- JSSE binary distribution.</li>
-</ul>
-
-</subsection>
-
<subsection name="Prepare the Certificate Keystore">
<p>Tomcat currently operates only on <code>JKS</code> or <code>PKCS12</code>
@@ -297,9 +269,11 @@
<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector
- port="8443" minProcessors="5" maxProcessors="75"
- enableLookups="true" disableUploadTimeout="true"
- acceptCount="100" debug="0" scheme="https" secure="true";
+ port="8443" minSpareThreads="5" maxSpareThreads="75"
+ enableLookups="true" disableUploadTimeout="true"
+ acceptCount="100" maxThreads="200"
+ scheme="https" secure="true" SSLEngine="on"
+ keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
-->
</source>
@@ -344,6 +318,18 @@
to request a client Certificate, but not fail if one isn't presented.
</td>
</tr>
+ <tr><td><code>SSLEngine</code></td>
+ <td>
+ Use this attribute to enable SSL traffic on a connector.
+ To turn on SSL handshake/encryption/decryption on a connector
+ set this value to <code>on</code>.
+ The default value is <code>off</code>.
+ When turning this value <code>on</code> you will want to set the
+ <code>scheme</code> and the <code>secure</code> attributes as well
+ to pass the correct <code>request.getScheme()</code> and
+ <code>request.isSecure()</code> values to the servlets
+ </td>
+ </tr>
<tr>
<td><code>keystoreFile</code></td>
<td>Add this attribute if the keystore file you created is not in