Apply TLS configuration to reactive web servers

This commit applies the SSL configuration to the following reactive web
servers: Jetty, Tomcat, Undertow, Reactor Netty.

Closes gh-9431

Author: bclozel

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyReactiveWebServerFactory.java

@@ -97,11 +97,13 @@ protected Server createJettyServer(JettyHttpHandlerAdapter servlet) {
 		ServletContextHandler contextHandler = new ServletContextHandler(server, "",
 				false, false);
 		contextHandler.addServlet(servletHolder, "/");
+		this.logger.info("Server initialized with port: " + port);
+		SslServerCustomizer sslServerCustomizer = new SslServerCustomizer(port,
+				getSsl(), getSslStoreProvider());
+		sslServerCustomizer.customize(server);
 		for (JettyServerCustomizer customizer : getServerCustomizers()) {
 			customizer.customize(server);
 		}
-		JettyReactiveWebServerFactory.logger
-				.info("Server initialized with port: " + port);
 		return server;
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java

@@ -36,20 +36,16 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.eclipse.jetty.http.HttpMethod;
-import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.http.MimeTypes;
 import org.eclipse.jetty.server.AbstractConnector;
 import org.eclipse.jetty.server.ConnectionFactory;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.ForwardedRequestCustomizer;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
-import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Request;
-import org.eclipse.jetty.server.SecureRequestCustomizer;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.server.handler.ErrorHandler;
 import org.eclipse.jetty.server.handler.HandlerWrapper;
 import org.eclipse.jetty.server.handler.gzip.GzipHandler;
@@ -62,7 +58,6 @@
 import org.eclipse.jetty.util.resource.JarResource;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.resource.ResourceCollection;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.ThreadPool;
 import org.eclipse.jetty.webapp.AbstractConfiguration;
 import org.eclipse.jetty.webapp.Configuration;
@@ -71,18 +66,13 @@
 import org.springframework.boot.web.server.Compression;
 import org.springframework.boot.web.server.ErrorPage;
 import org.springframework.boot.web.server.MimeMappings;
-import org.springframework.boot.web.server.Ssl;
-import org.springframework.boot.web.server.Ssl.ClientAuth;
 import org.springframework.boot.web.server.WebServer;
-import org.springframework.boot.web.server.WebServerException;
 import org.springframework.boot.web.servlet.ServletContextInitializer;
 import org.springframework.boot.web.servlet.server.AbstractServletWebServerFactory;
 import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
 import org.springframework.context.ResourceLoaderAware;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.util.Assert;
-import org.springframework.util.ObjectUtils;
-import org.springframework.util.ResourceUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -163,13 +153,9 @@ public WebServer getWebServer(ServletContextInitializer... initializers) {
 		configureWebAppContext(context, initializers);
 		server.setHandler(addHandlerWrappers(context));
 		this.logger.info("Server initialized with port: " + port);
-		if (getSsl() != null && getSsl().isEnabled()) {
-			SslContextFactory sslContextFactory = new SslContextFactory();
-			configureSsl(sslContextFactory, getSsl());
-			AbstractConnector connector = createSslConnector(server, sslContextFactory,
-					port);
-			server.setConnectors(new Connector[] { connector });
-		}
+		SslServerCustomizer sslServerCustomizer = new SslServerCustomizer(port,
+				getSsl(), getSslStoreProvider());
+		sslServerCustomizer.customize(server);
 		for (JettyServerCustomizer customizer : getServerCustomizers()) {
 			customizer.customize(server);
 		}
@@ -181,7 +167,7 @@ public WebServer getWebServer(ServletContextInitializer... initializers) {
 
 	private Server createServer(InetSocketAddress address) {
 		Server server = new Server(getThreadPool());
-		server.setConnectors(new Connector[] { createConnector(address, server) });
+		server.setConnectors(new Connector[] {createConnector(address, server)});
 		return server;
 	}
 
@@ -199,20 +185,6 @@ private AbstractConnector createConnector(InetSocketAddress address, Server serv
 		return connector;
 	}
 
-	private AbstractConnector createSslConnector(Server server,
-			SslContextFactory sslContextFactory, int port) {
-		HttpConfiguration config = new HttpConfiguration();
-		config.setSendServerVersion(false);
-		config.addCustomizer(new SecureRequestCustomizer());
-		HttpConnectionFactory connectionFactory = new HttpConnectionFactory(config);
-		SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(
-				sslContextFactory, HttpVersion.HTTP_1_1.asString());
-		ServerConnector serverConnector = new ServerConnector(server,
-				sslConnectionFactory, connectionFactory);
-		serverConnector.setPort(port);
-		return serverConnector;
-	}
-
 	private Handler addHandlerWrappers(Handler handler) {
 		if (getCompression() != null && getCompression().getEnabled()) {
 			handler = applyWrapper(handler, createGzipHandler());
@@ -242,96 +214,6 @@ private HandlerWrapper createGzipHandler() {
 		return handler;
 	}
 
-	/**
-	 * Configure the SSL connection.
-	 * @param factory the Jetty {@link SslContextFactory}.
-	 * @param ssl the ssl details.
-	 */
-	protected void configureSsl(SslContextFactory factory, Ssl ssl) {
-		factory.setProtocol(ssl.getProtocol());
-		configureSslClientAuth(factory, ssl);
-		configureSslPasswords(factory, ssl);
-		factory.setCertAlias(ssl.getKeyAlias());
-		if (!ObjectUtils.isEmpty(ssl.getCiphers())) {
-			factory.setIncludeCipherSuites(ssl.getCiphers());
-			factory.setExcludeCipherSuites();
-		}
-		if (ssl.getEnabledProtocols() != null) {
-			factory.setIncludeProtocols(ssl.getEnabledProtocols());
-		}
-		if (getSslStoreProvider() != null) {
-			try {
-				factory.setKeyStore(getSslStoreProvider().getKeyStore());
-				factory.setTrustStore(getSslStoreProvider().getTrustStore());
-			}
-			catch (Exception ex) {
-				throw new IllegalStateException("Unable to set SSL store", ex);
-			}
-		}
-		else {
-			configureSslKeyStore(factory, ssl);
-			configureSslTrustStore(factory, ssl);
-		}
-	}
-
-	private void configureSslClientAuth(SslContextFactory factory, Ssl ssl) {
-		if (ssl.getClientAuth() == ClientAuth.NEED) {
-			factory.setNeedClientAuth(true);
-			factory.setWantClientAuth(true);
-		}
-		else if (ssl.getClientAuth() == ClientAuth.WANT) {
-			factory.setWantClientAuth(true);
-		}
-	}
-
-	private void configureSslPasswords(SslContextFactory factory, Ssl ssl) {
-		if (ssl.getKeyStorePassword() != null) {
-			factory.setKeyStorePassword(ssl.getKeyStorePassword());
-		}
-		if (ssl.getKeyPassword() != null) {
-			factory.setKeyManagerPassword(ssl.getKeyPassword());
-		}
-	}
-
-	private void configureSslKeyStore(SslContextFactory factory, Ssl ssl) {
-		try {
-			URL url = ResourceUtils.getURL(ssl.getKeyStore());
-			factory.setKeyStoreResource(Resource.newResource(url));
-		}
-		catch (IOException ex) {
-			throw new WebServerException(
-					"Could not find key store '" + ssl.getKeyStore() + "'", ex);
-		}
-		if (ssl.getKeyStoreType() != null) {
-			factory.setKeyStoreType(ssl.getKeyStoreType());
-		}
-		if (ssl.getKeyStoreProvider() != null) {
-			factory.setKeyStoreProvider(ssl.getKeyStoreProvider());
-		}
-	}
-
-	private void configureSslTrustStore(SslContextFactory factory, Ssl ssl) {
-		if (ssl.getTrustStorePassword() != null) {
-			factory.setTrustStorePassword(ssl.getTrustStorePassword());
-		}
-		if (ssl.getTrustStore() != null) {
-			try {
-				URL url = ResourceUtils.getURL(ssl.getTrustStore());
-				factory.setTrustStoreResource(Resource.newResource(url));
-			}
-			catch (IOException ex) {
-				throw new WebServerException(
-						"Could not find trust store '" + ssl.getTrustStore() + "'", ex);
-			}
-		}
-		if (ssl.getTrustStoreType() != null) {
-			factory.setTrustStoreType(ssl.getTrustStoreType());
-		}
-		if (ssl.getTrustStoreProvider() != null) {
-			factory.setTrustStoreProvider(ssl.getTrustStoreProvider());
-		}
-	}
-
 	/**
 	 * Configure the given Jetty {@link WebAppContext} for use.
 	 * @param context the context to configure
@@ -456,7 +338,7 @@ protected final void addJspServlet(WebAppContext context) {
 		context.getServletHandler().addServlet(holder);
 		ServletMapping mapping = new ServletMapping();
 		mapping.setServletName("jsp");
-		mapping.setPathSpecs(new String[] { "*.jsp", "*.jspx" });
+		mapping.setPathSpecs(new String[] {"*.jsp", "*.jspx"});
 		context.getServletHandler().addServletMapping(mapping);
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/SslServerCustomizer.java

@@ -0,0 +1,175 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.web.embedded.jetty;
+
+import java.io.IOException;
+import java.net.URL;
+
+import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.server.AbstractConnector;
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import org.springframework.boot.web.server.Ssl;
+import org.springframework.boot.web.server.SslStoreProvider;
+import org.springframework.boot.web.server.WebServerException;
+import org.springframework.util.ObjectUtils;
+import org.springframework.util.ResourceUtils;
+
+/**
+ * {@link JettyServerCustomizer} that configures SSL on the
+ * given Jetty server instance.
+ *
+ * @author Brian Clozel
+ */
+class SslServerCustomizer implements JettyServerCustomizer {
+
+	private final int port;
+
+	private final Ssl ssl;
+
+	private final SslStoreProvider sslStoreProvider;
+
+	SslServerCustomizer(int port, Ssl ssl, SslStoreProvider sslStoreProvider) {
+		this.port = port;
+		this.ssl = ssl;
+		this.sslStoreProvider = sslStoreProvider;
+	}
+
+	@Override
+	public void customize(Server server) {
+		if (this.ssl != null && this.ssl.isEnabled()) {
+			SslContextFactory sslContextFactory = new SslContextFactory();
+			configureSsl(sslContextFactory, this.ssl, this.sslStoreProvider);
+			AbstractConnector connector = createSslConnector(server, sslContextFactory,
+					this.port);
+			server.setConnectors(new Connector[] { connector });
+		}
+	}
+
+	private AbstractConnector createSslConnector(Server server,
+			SslContextFactory sslContextFactory, int port) {
+		HttpConfiguration config = new HttpConfiguration();
+		config.setSendServerVersion(false);
+		config.addCustomizer(new SecureRequestCustomizer());
+		HttpConnectionFactory connectionFactory = new HttpConnectionFactory(config);
+		SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(
+				sslContextFactory, HttpVersion.HTTP_1_1.asString());
+		ServerConnector serverConnector = new ServerConnector(server,
+				sslConnectionFactory, connectionFactory);
+		serverConnector.setPort(port);
+		return serverConnector;
+	}
+
+	/**
+	 * Configure the SSL connection.
+	 * @param factory the Jetty {@link SslContextFactory}.
+	 * @param ssl the ssl details.
+	 * @param sslStoreProvider the ssl store provider
+	 */
+	protected void configureSsl(SslContextFactory factory, Ssl ssl, SslStoreProvider sslStoreProvider) {
+		factory.setProtocol(ssl.getProtocol());
+		configureSslClientAuth(factory, ssl);
+		configureSslPasswords(factory, ssl);
+		factory.setCertAlias(ssl.getKeyAlias());
+		if (!ObjectUtils.isEmpty(ssl.getCiphers())) {
+			factory.setIncludeCipherSuites(ssl.getCiphers());
+			factory.setExcludeCipherSuites();
+		}
+		if (ssl.getEnabledProtocols() != null) {
+			factory.setIncludeProtocols(ssl.getEnabledProtocols());
+		}
+		if (sslStoreProvider != null) {
+			try {
+				factory.setKeyStore(sslStoreProvider.getKeyStore());
+				factory.setTrustStore(sslStoreProvider.getTrustStore());
+			}
+			catch (Exception ex) {
+				throw new IllegalStateException("Unable to set SSL store", ex);
+			}
+		}
+		else {
+			configureSslKeyStore(factory, ssl);
+			configureSslTrustStore(factory, ssl);
+		}
+	}
+
+	private void configureSslClientAuth(SslContextFactory factory, Ssl ssl) {
+		if (ssl.getClientAuth() == Ssl.ClientAuth.NEED) {
+			factory.setNeedClientAuth(true);
+			factory.setWantClientAuth(true);
+		}
+		else if (ssl.getClientAuth() == Ssl.ClientAuth.WANT) {
+			factory.setWantClientAuth(true);
+		}
+	}
+
+	private void configureSslPasswords(SslContextFactory factory, Ssl ssl) {
+		if (ssl.getKeyStorePassword() != null) {
+			factory.setKeyStorePassword(ssl.getKeyStorePassword());
+		}
+		if (ssl.getKeyPassword() != null) {
+			factory.setKeyManagerPassword(ssl.getKeyPassword());
+		}
+	}
+
+	private void configureSslKeyStore(SslContextFactory factory, Ssl ssl) {
+		try {
+			URL url = ResourceUtils.getURL(ssl.getKeyStore());
+			factory.setKeyStoreResource(Resource.newResource(url));
+		}
+		catch (IOException ex) {
+			throw new WebServerException(
+					"Could not find key store '" + ssl.getKeyStore() + "'", ex);
+		}
+		if (ssl.getKeyStoreType() != null) {
+			factory.setKeyStoreType(ssl.getKeyStoreType());
+		}
+		if (ssl.getKeyStoreProvider() != null) {
+			factory.setKeyStoreProvider(ssl.getKeyStoreProvider());
+		}
+	}
+
+	private void configureSslTrustStore(SslContextFactory factory, Ssl ssl) {
+		if (ssl.getTrustStorePassword() != null) {
+			factory.setTrustStorePassword(ssl.getTrustStorePassword());
+		}
+		if (ssl.getTrustStore() != null) {
+			try {
+				URL url = ResourceUtils.getURL(ssl.getTrustStore());
+				factory.setTrustStoreResource(Resource.newResource(url));
+			}
+			catch (IOException ex) {
+				throw new WebServerException(
+						"Could not find trust store '" + ssl.getTrustStore() + "'", ex);
+			}
+		}
+		if (ssl.getTrustStoreType() != null) {
+			factory.setTrustStoreType(ssl.getTrustStoreType());
+		}
+		if (ssl.getTrustStoreProvider() != null) {
+			factory.setTrustStoreProvider(ssl.getTrustStoreProvider());
+		}
+	}
+}