From fe41a2e6e0e2b9eb37515a63ff84aff827733386 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 8 Oct 2019 13:03:28 +0200
Subject: fix problem with SSL Client Auth. and ConnectionPools
---
 .../eaaf/core/impl/utils/HttpClientFactory.java | 55 ++++++++++++++++------
 1 file changed, 41 insertions(+), 14 deletions(-)
(limited to 'eaaf_core_utils')
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
index d1cde6fa..a8cfa7c1 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
@@ -23,7 +23,11 @@ import org.apache.http.client.CredentialsProvider;
 import org.apache.http.client.RedirectStrategy;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
 import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.BasicCredentialsProvider;
@@ -62,6 +66,8 @@ public class HttpClientFactory implements IHttpClientFactory {
 public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_PATH = "client.auth.ssl.keystore.path";
 public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_PASSORD = "client.auth.ssl.keystore.password";
 public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_TYPE = "client.auth.ssl.keystore.type";
+ public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEY_PASSWORD = "client.auth.ssl.key.password";
+ public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEY_ALIAS = "client.auth.ssl.key.alias";
 // default configuration values
 public static final String DEFAULT_CONFIG_CLIENT_HTTP_CONNECTION_TIMEOUT_SOCKET = "15";
@@ -199,9 +205,6 @@ public class HttpClientFactory implements IHttpClientFactory {
 .build();
 httpClientBuilder.setDefaultRequestConfig(requestConfig);
- //set pool connection if required
- injectConnectionPoolIfRequired();
-
 ClientAuthMode clientAuthMode = ClientAuthMode.fromString(
 basicConfig.getBasicConfiguration(PROP_CONFIG_CLIENT_MODE, ClientAuthMode.NONE.getMode()));
 if (clientAuthMode == null) {
@@ -215,7 +218,11 @@ public class HttpClientFactory implements IHttpClientFactory {
 injectBasicAuthenticationIfRequired(clientAuthMode);
 //inject authentication if required
- injectSSLContext(clientAuthMode);
+ final LayeredConnectionSocketFactory sslConnectionFactory = getSSLContext(clientAuthMode);
+
+ //set pool connection if required
+ injectConnectionPoolIfRequired(sslConnectionFactory);
+
 }
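Review bot: PROP_CONFIG_CLIENT_AUTH_SSL_KEY_ALIAS is introduced in this hunk but nothing in the diff reads it; the key material is still loaded in the -247 hunk with `SSLContexts.custom().loadKeyMaterial(keystore, keyPassword)`, which takes no alias, so a keystore holding several private keys is not narrowed to the configured one. If the alias is meant to select the client key, pass a PrivateKeyStrategy returning the configured alias to the three-argument loadKeyMaterial overload; if it is consumed outside this diff, a short Javadoc on the constant naming that place would avoid the question. The new password key would also benefit from a one-liner documenting the visible fallback, e.g. `/** Password of the client private key inside the keystore; an empty password is used when unset. */`.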
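Review bot: The comment `//inject authentication if required` above the new `getSSLContext(clientAuthMode)` call is now stale: this line only builds the socket factory, which is null when the SSL context could not be initialized, and the actual injection happens inside `injectConnectionPoolIfRequired` a few lines below. Suggest `//build the SSL socket factory (null if it could not be initialized); it is injected below, either via the pool registry or directly on the builder` so the null contract of the local is visible at the call site. The enclosing method starts before this hunk.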
@@ -247,7 +254,7 @@ public class HttpClientFactory implements IHttpClientFactory {
 private SSLContext buildSSLContextWithSSLClientAuthentication() throws KeyManagementException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, EAAFConfigurationException {
 log.trace("Injecting SSL client-authentication into http client ... ");
 final KeyStore keystore = getSSLAuthKeyStore();
- final String keyPasswordString = basicConfig.getBasicConfiguration(PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_PASSORD);
+ final String keyPasswordString = basicConfig.getBasicConfiguration(PROP_CONFIG_CLIENT_AUTH_SSL_KEY_PASSWORD);
 log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);
 final char[] keyPassword = (keyPasswordString == null) ? StringUtils.EMPTY.toCharArray() : keyPasswordString.toCharArray();
 return SSLContexts.custom().loadKeyMaterial(keystore, keyPassword).build();
@@ -295,7 +302,7 @@ public class HttpClientFactory implements IHttpClientFactory {
 }
- private void injectSSLContext(ClientAuthMode clientAuthMode) {
+ private LayeredConnectionSocketFactory getSSLContext(ClientAuthMode clientAuthMode) {
 SSLContext sslContext = null;
 try {
 if (clientAuthMode.equals(ClientAuthMode.SSL)) {
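Review bot: The context line `log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);` now prints the private-key password rather than the keystore password, because the lookup above it switched to PROP_CONFIG_CLIENT_AUTH_SSL_KEY_PASSWORD, and it still writes the secret itself into the log. Log only whether a password is configured, e.g. `log.trace("Open SSL Client-Auth keystore, key password configured: {}", keyPasswordString != null);`, so that enabling trace level on a production instance does not expose the key password. The empty-password fallback on the next line is unchanged and fine to keep.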
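Review bot: The new name `getSSLContext` no longer matches what the method does: it returns a LayeredConnectionSocketFactory, or null when the context cannot be built (the `return null;` in the -316 hunk), while the SSLContext itself stays a local. A name such as `buildSSLSocketFactory` plus a Javadoc along the lines of `/** Builds the SSL socket factory for the given client-auth mode; returns null if the SSL context could not be initialized, in which case the caller proceeds with default TLS settings. */` would make the null contract explicit for the caller in the -215 hunk. The method body continues past the end of this hunk.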
@@ -316,37 +323,57 @@ public class HttpClientFactory implements IHttpClientFactory {
 log.warn("HTTP client-builder deactivates SSL Host-name verification!");
 }
-
+
 final LayeredConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext , hostnameVerifier);
- httpClientBuilder.setSSLSocketFactory(sslSocketFactory );
+ return sslSocketFactory;
+
 } catch (final NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException | EAAFConfigurationException e) {
 log.warn("HTTP client-builder can NOT initialze SSL-Context", e);
-
+
 }
 log.info("HTTP client-builder successfuly initialized");
+ return null;
 }
- private void injectConnectionPoolIfRequired() {
+ private void injectConnectionPoolIfRequired(LayeredConnectionSocketFactory sslConnectionFactory) {
 if (basicConfig.getBasicConfigurationBoolean(
 PROP_CONFIG_CLIENT_HTTP_CONNECTION_POOL_USE, true)) {
- final PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
+ PoolingHttpClientConnectionManager pool;
+
+ //set socketFactoryRegistry if SSLConnectionFactory is Set
+ if (sslConnectionFactory != null) {
+ final Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register("http", PlainConnectionSocketFactory.getSocketFactory())
+ .register("https", sslConnectionFactory)
+ .build();
+ log.trace("Inject SSLSocketFactory into pooled connection");
+ pool = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
+
+ } else {
+ pool = new PoolingHttpClientConnectionManager();
+
+ }
+
 pool.setDefaultMaxPerRoute(Integer.valueOf(basicConfig.getBasicConfiguration(
 PROP_CONFIG_CLIENT_HTTP_CONNECTION_POOL_MAXPERROUTE, DEFAULT_CONFIG_CLIENT_HTTP_CONNECTION_POOL_MAXPERROUTE)));
 pool.setMaxTotal(Integer.valueOf(basicConfig.getBasicConfiguration(
 PROP_CONFIG_CLIENT_HTTP_CONNECTION_POOL_MAXTOTAL, DEFAULT_CONFIG_CLIENT_HTTP_CONNECTION_POOL_MAXTOTAL)));
-
-
-
+
 httpClientBuilder.setConnectionManager(pool);
 log.debug("Initalize http-client 
pool with, maxTotal: {} maxPerRoute: {}", pool.getMaxTotal(), pool.getDefaultMaxPerRoute());
+ } else if (sslConnectionFactory != null) {
+ log.trace("Inject SSLSocketFactory without connection pool");
+ httpClientBuilder.setSSLSocketFactory(sslConnectionFactory );
+
 }
+
 }
-- cgit v1.2.3
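Review bot: In getSSLContext the `log.info("HTTP client-builder successfuly initialized");` line is now reachable only through the catch block, because the try block ends with the new `return sslSocketFactory;`, so the success message is logged exactly when SSL-context initialization failed and `return null;` follows. Move the info log in front of the return inside the try, and reconsider the null fallback: with the pool enabled, a null factory makes injectConnectionPoolIfRequired build `new PoolingHttpClientConnectionManager()`, so a client configured for SSL client authentication is silently assembled with default TLS settings after only a warning, which is easy to miss in operation. The registry is also built with raw types; `final Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()` uses the ConnectionSocketFactory import added in the first hunk and removes the unchecked conversion at the PoolingHttpClientConnectionManager constructor. The body of getSSLContext starts before this hunk.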