下面列出了怎么用org.springframework.boot.web.server.Ssl的API类实例代码及写法,或者点击链接到github查看源代码。
@Override
protected String getManagementBaseUrl() {
String baseUrl = instance.getManagementBaseUrl();
if (!StringUtils.isEmpty(baseUrl)) {
return baseUrl;
}
if (isManagementPortEqual()) {
return UriComponentsBuilder.fromHttpUrl(getServiceUrl()).path("/").path(getDispatcherServletPrefix())
.path(getManagementContextPath()).toUriString();
}
Ssl ssl = (management.getSsl() != null) ? management.getSsl() : server.getSsl();
return UriComponentsBuilder.newInstance().scheme(getScheme(ssl)).host(getManagementHost())
.port(getLocalManagementPort()).path(getManagementContextPath()).toUriString();
}
@Override
public HttpServerOptions apply(HttpServerOptions options) {
Ssl ssl = factory.getSsl();
if (ssl == null) {
return options;
}
options.setSsl(ssl.isEnabled());
options.setKeyCertOptions(keyCertOptionsAdapter(ssl));
options.setTrustOptions(trustOptionsAdapter(ssl));
propertyMapper.from(ssl.getClientAuth())
.whenNonNull()
.as(this::clientAuthAdapter)
.to(options::setClientAuth);
propertyMapper.from(ssl.getEnabledProtocols())
.whenNonNull()
.as(Arrays::asList)
.as(LinkedHashSet::new)
.to(options::setEnabledSecureTransportProtocols);
propertyMapper.from(ssl.getCiphers())
.whenNonNull()
.as(Arrays::stream)
.to(stream -> stream.forEach(options::addEnabledCipherSuite));
return options;
}
private ClientAuth clientAuthAdapter(Ssl.ClientAuth clientAuth) {
switch (clientAuth) {
case WANT:
return ClientAuth.REQUEST;
case NEED:
return ClientAuth.REQUIRED;
default:
return ClientAuth.NONE;
}
}
private KeyCertOptions keyCertOptionsAdapter(Ssl ssl) {
if ("JKS".equalsIgnoreCase(ssl.getKeyStoreType())) {
return getJksOptions(ssl.getKeyStore(), ssl.getKeyStorePassword());
} else if ("PKCS12".equalsIgnoreCase(ssl.getKeyStoreType())) {
return getPfxOptions(ssl.getKeyStore(), ssl.getKeyStorePassword());
}
return null;
}
private TrustOptions trustOptionsAdapter(Ssl ssl) {
if ("JKS".equalsIgnoreCase(ssl.getTrustStoreType())) {
return getJksOptions(ssl.getTrustStore(), ssl.getTrustStorePassword());
} else if ("PKCS12".equalsIgnoreCase(ssl.getTrustStoreType())) {
return getPfxOptions(ssl.getTrustStore(), ssl.getTrustStorePassword());
}
return null;
}
@Test
public void shouldSetNoneClientAuth() {
given(mockSsl.getClientAuth()).willReturn(Ssl.ClientAuth.NONE);
customizer.apply(mockHttpServerOptions);
verify(mockHttpServerOptions).setClientAuth(ClientAuth.NONE);
}
@Test
public void shouldSetWantClientAuth() {
given(mockSsl.getClientAuth()).willReturn(Ssl.ClientAuth.WANT);
customizer.apply(mockHttpServerOptions);
verify(mockHttpServerOptions).setClientAuth(ClientAuth.REQUEST);
}
@Test
public void shouldSetNeedClientAuth() {
given(mockSsl.getClientAuth()).willReturn(Ssl.ClientAuth.NEED);
customizer.apply(mockHttpServerOptions);
verify(mockHttpServerOptions).setClientAuth(ClientAuth.REQUIRED);
}
@Override
public void customize(final JettyServletWebServerFactory factory) {
LOGGER.info("Customizing Jetty server for integration tests...");
factory.addServerCustomizers((server) -> {
final Ssl sslProperties = serverProperties.getSsl();
if (sslProperties != null) {
createSslContextFactory(sslProperties);
ServerConnector con = (ServerConnector) server.getConnectors()[0];
int existingConnectorPort = con.getLocalPort();
// create the http configuration
final HttpConfiguration httpConfiguration = new HttpConfiguration();
httpConfiguration.setRequestHeaderSize(HEADER_BUFFER_SIZE);
httpConfiguration.setResponseHeaderSize(HEADER_BUFFER_SIZE);
// add some secure config
final HttpConfiguration httpsConfiguration = new HttpConfiguration(httpConfiguration);
httpsConfiguration.setSecureScheme("https");
httpsConfiguration.setSecurePort(existingConnectorPort);
httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
// build the connector with the endpoint identification algorithm set to null
final ServerConnector httpsConnector = new ServerConnector(server,
new SslConnectionFactory(createSslContextFactory(sslProperties), "http/1.1"),
new HttpConnectionFactory(httpsConfiguration));
server.removeConnector(con);
server.addConnector(httpsConnector);
}
});
LOGGER.info("JettyServer is customized");
}
private static com.linecorp.armeria.spring.Ssl toArmeriaSslConfiguration(Ssl ssl) {
if (!ssl.isEnabled()) {
return new com.linecorp.armeria.spring.Ssl();
}
ClientAuth clientAuth = null;
if (ssl.getClientAuth() != null) {
switch (ssl.getClientAuth()) {
case NEED:
clientAuth = ClientAuth.REQUIRE;
break;
case WANT:
clientAuth = ClientAuth.OPTIONAL;
break;
}
}
return new com.linecorp.armeria.spring.Ssl()
.setEnabled(ssl.isEnabled())
.setClientAuth(clientAuth)
.setCiphers(ssl.getCiphers() != null ? ImmutableList.copyOf(ssl.getCiphers()) : null)
.setEnabledProtocols(ssl.getEnabledProtocols() != null ? ImmutableList.copyOf(
ssl.getEnabledProtocols()) : null)
.setKeyAlias(ssl.getKeyAlias())
.setKeyPassword(ssl.getKeyPassword())
.setKeyStore(ssl.getKeyStore())
.setKeyStorePassword(ssl.getKeyStorePassword())
.setKeyStoreType(ssl.getKeyStoreType())
.setKeyStoreProvider(ssl.getKeyStoreProvider())
.setTrustStore(ssl.getTrustStore())
.setTrustStorePassword(ssl.getTrustStorePassword())
.setTrustStoreType(ssl.getTrustStoreType())
.setTrustStoreProvider(ssl.getTrustStoreProvider());
}
@Test
void shouldConfigureTlsWithSelfSignedCertificate() {
final ArmeriaReactiveWebServerFactory factory = factory();
final Ssl ssl = new Ssl();
ssl.setEnabled(true);
factory.setSsl(ssl);
runEchoServer(factory, server -> validateEchoResponse(sendPostRequest(httpsClient(server))));
}
private Ssl getSsl() {
Ssl ssl = new Ssl();
ssl.setKeyStore("/root/.keystore");
ssl.setKeyStorePassword("123456");
ssl.setKeyStoreType("PKCS12");
ssl.setKeyAlias("tomcat");
return ssl;
}
protected String getManagementBaseUrl() {
String baseUrl = instance.getManagementBaseUrl();
if (!StringUtils.isEmpty(baseUrl)) {
return baseUrl;
}
if (isManagementPortEqual()) {
return this.getServiceUrl();
}
Ssl ssl = (management.getSsl() != null) ? management.getSsl() : server.getSsl();
return UriComponentsBuilder.newInstance().scheme(getScheme(ssl)).host(getManagementHost())
.port(getLocalManagementPort()).toUriString();
}
@Test
public void test_ssl() {
server.setSsl(new Ssl());
server.getSsl().setEnabled(true);
when(pathMappedEndpoints.getPath(EndpointId.of("health"))).thenReturn("/actuator/health");
publishApplicationReadyEvent(factory, 8080, null);
Application app = factory.createApplication();
assertThat(app.getManagementUrl()).isEqualTo("https://" + getHostname() + ":8080/actuator");
assertThat(app.getHealthUrl()).isEqualTo("https://" + getHostname() + ":8080/actuator/health");
assertThat(app.getServiceUrl()).isEqualTo("https://" + getHostname() + ":8080/");
}
@Test
public void test_ssl_management() {
management.setSsl(new Ssl());
management.getSsl().setEnabled(true);
when(pathMappedEndpoints.getPath(EndpointId.of("health"))).thenReturn("/actuator/alive");
publishApplicationReadyEvent(factory, 8080, 9090);
Application app = factory.createApplication();
assertThat(app.getManagementUrl()).isEqualTo("https://" + getHostname() + ":9090/actuator");
assertThat(app.getHealthUrl()).isEqualTo("https://" + getHostname() + ":9090/actuator/alive");
assertThat(app.getServiceUrl()).isEqualTo("http://" + getHostname() + ":8080/");
}
@Override
public void customize(NettyReactiveWebServerFactory serverFactory) {
Ssl ssl = new Ssl();
ssl.setEnabled(true);
ssl.setKeyStore("classpath:sample.jks");
ssl.setKeyAlias("alias");
ssl.setKeyPassword("password");
ssl.setKeyStorePassword("secret");
Http2 http2 = new Http2();
http2.setEnabled(false);
serverFactory.addServerCustomizers(new SslServerCustomizer(ssl, http2, null));
serverFactory.setPort(8443);
}
private SslContextFactory createSslContextFactory(Ssl properties) {
// Calling SslContextFactory.Server() calls setEndpointIdentificationAlgorithm(null).
// This ensures that Jetty server does not attempt to validate a hostname in the client certificate's SAN.
final SslContextFactory.Server contextFactory = new SslContextFactory.Server();
// if needClientAuth is false then set want to true so we can optionally use certs
if(properties.getClientAuth() == Ssl.ClientAuth.NEED) {
LOGGER.info("Setting Jetty's SSLContextFactory needClientAuth to true");
contextFactory.setNeedClientAuth(true);
} else {
LOGGER.info("Setting Jetty's SSLContextFactory wantClientAuth to true");
contextFactory.setWantClientAuth(true);
}
/* below code sets JSSE system properties when values are provided */
// keystore properties
if (StringUtils.isNotBlank(properties.getKeyStore())) {
contextFactory.setKeyStorePath(properties.getKeyStore());
}
if (StringUtils.isNotBlank(properties.getKeyStoreType())) {
contextFactory.setKeyStoreType(properties.getKeyStoreType());
}
final String keystorePassword = properties.getKeyStorePassword();
final String keyPassword = properties.getKeyPassword();
if (StringUtils.isNotBlank(keystorePassword)) {
// if no key password was provided, then assume the keystore password is the same as the key password.
final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
contextFactory.setKeyManagerPassword(keystorePassword);
contextFactory.setKeyStorePassword(defaultKeyPassword);
} else if (StringUtils.isNotBlank(keyPassword)) {
// since no keystore password was provided, there will be no keystore integrity check
contextFactory.setKeyStorePassword(keyPassword);
}
// truststore properties
if (StringUtils.isNotBlank(properties.getTrustStore())) {
contextFactory.setTrustStorePath(properties.getTrustStore());
}
if (StringUtils.isNotBlank(properties.getTrustStoreType())) {
contextFactory.setTrustStoreType(properties.getTrustStoreType());
}
if (StringUtils.isNotBlank(properties.getTrustStorePassword())) {
contextFactory.setTrustStorePassword(properties.getTrustStorePassword());
}
return contextFactory;
}
protected String getScheme(@Nullable Ssl ssl) {
return ((ssl != null) && ssl.isEnabled()) ? "https" : "http";
}