From a2f838c8ea5c73db9651fec9cdf9d71a60efda06 Mon Sep 17 00:00:00 2001
From: Gaetan Boismal <gaetan.boismal@forgerock.com>
Date: Mon, 28 Nov 2016 15:59:48 +0000
Subject: [PATCH] OPENDJ-3532 Use JVM trust manager in connection handler by default
---
/dev/null | 66 ----------------
opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/HTTPConnectionHandlerConfiguration.xml | 22 +----
opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/AdministrationConnectorConfiguration.xml | 8 +
opendj-server-legacy/src/main/java/org/opends/server/protocols/ldap/LDAPConnectionHandler.java | 22 ++---
opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/LDAPConnectionHandlerConfiguration.xml | 27 +-----
opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java | 17 +--
opendj-server-legacy/src/main/java/org/opends/server/protocols/http/HTTPConnectionHandler.java | 21 ++---
7 files changed, 40 insertions(+), 143 deletions(-)
diff --git a/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/AdministrationConnectorConfiguration.xml b/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/AdministrationConnectorConfiguration.xml
index d649098..6ee0cca 100644
--- a/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/AdministrationConnectorConfiguration.xml
+++ b/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/AdministrationConnectorConfiguration.xml
@@ -97,7 +97,7 @@
</ldap:attribute>
</adm:profile>
</adm:property>
- <adm:property name="trust-manager-provider" mandatory="true">
+ <adm:property name="trust-manager-provider">
<adm:synopsis>
Specifies the name of the trust manager that is used with
the
@@ -108,7 +108,11 @@
<adm:server-restart />
</adm:requires-admin-action>
<adm:default-behavior>
- <adm:undefined />
+ <adm:alias>
+ <adm:synopsis>
+ Use the trust manager provided by the JVM.
+ </adm:synopsis>
+ </adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="trust-manager-provider"
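Review bot: The new `<adm:alias>` synopsis says only "Use the trust manager provided by the JVM", which leaves an administrator guessing which peer certificates the connector will accept under the new default; because this default now decides which client certificates pass TLS validation, the synopsis should name the source. Suggest `Use the default trust manager provided by the JVM, which validates peer certificates against the JVM's default trust store (the javax.net.ssl.trustStore system property, or the JRE cacerts file when it is not set).` The identical synopsis is added in the HTTPConnectionHandlerConfiguration and LDAPConnectionHandlerConfiguration hunks and should be worded the same way there.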
diff --git a/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/HTTPConnectionHandlerConfiguration.xml b/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/HTTPConnectionHandlerConfiguration.xml
index 62acaf2..07c047f 100644
--- a/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/HTTPConnectionHandlerConfiguration.xml
+++ b/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/HTTPConnectionHandlerConfiguration.xml
@@ -41,22 +41,6 @@
</adm:implies>
</adm:condition>
</adm:constraint>
- <adm:constraint>
- <adm:synopsis>
- A Trust Manager Provider must be specified when this
- <adm:user-friendly-name />
- is enabled and it is configured to use SSL.
- </adm:synopsis>
- <adm:condition>
- <adm:implies>
- <adm:contains property="enabled" value="true" />
- <adm:implies>
- <adm:contains property="use-ssl" value="true" />
- <adm:is-present property="trust-manager-provider" />
- </adm:implies>
- </adm:implies>
- </adm:condition>
- </adm:constraint>
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-http-connection-handler</ldap:name>
@@ -142,7 +126,11 @@
</adm:none>
</adm:requires-admin-action>
<adm:default-behavior>
- <adm:undefined />
+ <adm:alias>
+ <adm:synopsis>
+ Use the trust manager provided by the JVM.
+ </adm:synopsis>
+ </adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="trust-manager-provider"
diff --git a/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/LDAPConnectionHandlerConfiguration.xml b/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/LDAPConnectionHandlerConfiguration.xml
index a3292b4..5b9d489 100644
--- a/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/LDAPConnectionHandlerConfiguration.xml
+++ b/opendj-maven-plugin/src/main/resources/config/xml/org/forgerock/opendj/server/config/LDAPConnectionHandlerConfiguration.xml
@@ -13,7 +13,7 @@
information: "Portions Copyright [year] [name of copyright owner]".
Copyright 2007-2009 Sun Microsystems, Inc.
- Portions copyright 2011-2013 ForgeRock AS.
+ Portions copyright 2011-2016 ForgeRock AS.
! -->
<adm:managed-object name="ldap-connection-handler"
plural-name="ldap-connection-handlers"
@@ -50,25 +50,6 @@
</adm:constraint>
<adm:constraint>
<adm:synopsis>
- A Trust Manager Provider must be specified when this
- <adm:user-friendly-name />
- is enabled and it is configured to use SSL or StartTLS.
- </adm:synopsis>
- <adm:condition>
- <adm:implies>
- <adm:contains property="enabled" value="true" />
- <adm:implies>
- <adm:or>
- <adm:contains property="use-ssl" value="true" />
- <adm:contains property="allow-start-tls" value="true" />
- </adm:or>
- <adm:is-present property="trust-manager-provider" />
- </adm:implies>
- </adm:implies>
- </adm:condition>
- </adm:constraint>
- <adm:constraint>
- <adm:synopsis>
A
<adm:user-friendly-name />
cannot be configured to support SSL and StartTLS at the same time.
@@ -176,7 +157,11 @@
</adm:none>
</adm:requires-admin-action>
<adm:default-behavior>
- <adm:undefined />
+ <adm:alias>
+ <adm:synopsis>
+ Use the trust manager provided by the JVM.
+ </adm:synopsis>
+ </adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="trust-manager-provider"
diff --git a/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java b/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java
index c254f8a..1d0eee8 100644
--- a/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java
+++ b/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java
@@ -44,6 +44,7 @@
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
@@ -70,7 +71,6 @@
import org.opends.server.api.DirectoryThread;
import org.opends.server.api.KeyManagerProvider;
import org.opends.server.api.ServerShutdownListener;
-import org.opends.server.api.TrustManagerProvider;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PluginConfigManager;
@@ -78,7 +78,6 @@
import org.opends.server.core.ServerContext;
import org.opends.server.core.WorkQueueStrategy;
import org.opends.server.extensions.NullKeyManagerProvider;
-import org.opends.server.extensions.NullTrustManagerProvider;
import org.opends.server.monitors.ClientConnectionMonitorProvider;
import org.opends.server.protocols.ldap.LDAPStatistics;
import org.opends.server.types.DirectoryException;
@@ -897,7 +896,8 @@
private SSLContext createSSLContext(LDAPConnectionHandlerCfg config) throws DirectoryException {
try {
DN keyMgrDN = config.getKeyManagerProviderDN();
- KeyManagerProvider<?> keyManagerProvider = DirectoryServer.getKeyManagerProvider(keyMgrDN);
+ final ServerContext serverContext = DirectoryServer.getInstance().getServerContext();
+ KeyManagerProvider<?> keyManagerProvider = serverContext.getKeyManagerProvider(keyMgrDN);
if (keyManagerProvider == null) {
logger.error(ERR_NULL_KEY_PROVIDER_MANAGER, keyMgrDN, friendlyName);
disableAndWarnIfUseSSL(config);
@@ -928,14 +928,11 @@
friendlyName);
}
- DN trustMgrDN = config.getTrustManagerProviderDN();
- TrustManagerProvider<?> trustManagerProvider = DirectoryServer.getTrustManagerProvider(trustMgrDN);
- if (trustManagerProvider == null) {
- trustManagerProvider = new NullTrustManagerProvider();
- }
-
+ final DN trustMgrDN = config.getTrustManagerProviderDN();
+ final TrustManager[] trustManagers =
+ trustMgrDN == null ? null : serverContext.getTrustManagerProvider(trustMgrDN).getTrustManagers();
SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
- sslContext.init(keyManagers, trustManagerProvider.getTrustManagers(), null);
+ sslContext.init(keyManagers, trustManagers, null);
return sslContext;
} catch (Exception e) {
logger.traceException(e);
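Review bot: The null check that the replaced code performed on the trust manager provider is gone: `serverContext.getTrustManagerProvider(trustMgrDN).getTrustManagers()` dereferences the lookup result directly, so a configured DN whose provider is missing or disabled would surface as a NullPointerException in the generic `catch (Exception e)` below instead of the explicit diagnostic the key-manager branch gives a few lines earlier (assuming the ServerContext lookup can return null as the DirectoryServer lookup it replaces evidently could). It is also worth stating the intended fallback in a comment, since a null array passed to `SSLContext.init` silently selects the JVM's default trust store and nothing in the code says so. The same pattern appears in the HTTPConnectionHandler and LDAPConnectionHandler hunks; restoring the check needs the `TrustManagerProvider` import this commit removes. createSSLContext continues past the end of this hunk.
```java
final DN trustMgrDN = config.getTrustManagerProviderDN();
// A null trust manager array makes SSLContext.init() fall back to the JVM's default trust store.
TrustManager[] trustManagers = null;
if (trustMgrDN != null) {
    final TrustManagerProvider<?> trustManagerProvider = serverContext.getTrustManagerProvider(trustMgrDN);
    if (trustManagerProvider == null) {
        logger.error(ERR_NULL_TRUST_PROVIDER_MANAGER /* placeholder: add a message mirroring ERR_NULL_KEY_PROVIDER_MANAGER */,
                trustMgrDN, friendlyName);
        disableAndWarnIfUseSSL(config);
        // … then exit the way the key-manager branch above does …
    }
    trustManagers = trustManagerProvider.getTrustManagers();
}
// … unchanged: SSLContext.getInstance and init …
```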
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/extensions/NullTrustManagerProvider.java b/opendj-server-legacy/src/main/java/org/opends/server/extensions/NullTrustManagerProvider.java
deleted file mode 100644
index dafd8ab..0000000
--- a/opendj-server-legacy/src/main/java/org/opends/server/extensions/NullTrustManagerProvider.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the terms of the Common Development and
- * Distribution License (the License). You may not use this file except in compliance with the
- * License.
- *
- * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
- * specific language governing permission and limitations under the License.
- *
- * When distributing Covered Software, include this CDDL Header Notice in each file and include
- * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
- * Header, with the fields enclosed by brackets [] replaced by your own identifying
- * information: "Portions Copyright [year] [name of copyright owner]".
- *
- * Copyright 2006-2008 Sun Microsystems, Inc.
- * Portions Copyright 2014-2016 ForgeRock AS.
- */
-package org.opends.server.extensions;
-
-import javax.net.ssl.TrustManager;
-
-import org.forgerock.opendj.server.config.server.TrustManagerProviderCfg;
-import org.opends.server.api.TrustManagerProvider;
-import org.forgerock.opendj.config.server.ConfigException;
-import org.opends.server.types.DirectoryException;
-import org.opends.server.types.InitializationException;
-
-/**
- * This class provides an implementation of a trust manager provider that does
- * not actually have the ability to provide a trust manager. It will be used
- * when no other trust manager provider has been defined in the server
- * configuration.
- */
-public class NullTrustManagerProvider
- extends TrustManagerProvider<TrustManagerProviderCfg>
-{
- /**
- * Creates a new instance of this null trust manager provider. The
- * <CODE>initializeTrustManagerProvider</CODE> method must be called on the
- * resulting object before it may be used.
- */
- public NullTrustManagerProvider()
- {
- // No implementation is required.
- }
-
- @Override
- public void initializeTrustManagerProvider(
- TrustManagerProviderCfg configuration)
- throws ConfigException, InitializationException
- {
- // No implementation is required.
- }
-
- @Override
- public void finalizeTrustManagerProvider()
- {
- // No implementation is required.
- }
-
- /**
- * Retrieves a <CODE>TrustManager</CODE> object that may be used for
- * interactions requiring access to a trust manager.
- *
- * @return A <CODE>TrustManager</CODE> object that may be used for
- * interactions requiring access to a trust manager.
- *
- * @throws DirectoryException If a problem occurs while attempting to obtain
- * the set of trust managers.
- */
- @Override
- public TrustManager[] getTrustManagers()
- throws DirectoryException
- {
- return new TrustManager[0];
- }
-}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/protocols/http/HTTPConnectionHandler.java b/opendj-server-legacy/src/main/java/org/opends/server/protocols/http/HTTPConnectionHandler.java
index 42442c4..e5219b0 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/protocols/http/HTTPConnectionHandler.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/protocols/http/HTTPConnectionHandler.java
@@ -41,6 +41,7 @@
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
import org.forgerock.http.ApiProducer;
import org.forgerock.http.DescribedHttpApplication;
@@ -82,11 +83,9 @@
import org.opends.server.api.ConnectionHandler;
import org.opends.server.api.KeyManagerProvider;
import org.opends.server.api.ServerShutdownListener;
-import org.opends.server.api.TrustManagerProvider;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ServerContext;
import org.opends.server.extensions.NullKeyManagerProvider;
-import org.opends.server.extensions.NullTrustManagerProvider;
import org.opends.server.loggers.HTTPAccessLogger;
import org.opends.server.monitors.ClientConnectionMonitorProvider;
import org.opends.server.protocols.internal.InternalClientConnection;
@@ -848,9 +847,9 @@
{
return null;
}
-
- DN keyMgrDN = config.getKeyManagerProviderDN();
- KeyManagerProvider<?> keyManagerProvider = DirectoryServer.getKeyManagerProvider(keyMgrDN);
+ final ServerContext serverContext = DirectoryServer.getInstance().getServerContext();
+ final DN keyMgrDN = config.getKeyManagerProviderDN();
+ KeyManagerProvider<?> keyManagerProvider = serverContext.getKeyManagerProvider(keyMgrDN);
if (keyManagerProvider == null)
{
logger.error(ERR_NULL_KEY_PROVIDER_MANAGER, keyMgrDN, friendlyName);
@@ -891,14 +890,10 @@
}
DN trustMgrDN = config.getTrustManagerProviderDN();
- TrustManagerProvider<?> trustManagerProvider = DirectoryServer.getTrustManagerProvider(trustMgrDN);
- if (trustManagerProvider == null)
- {
- trustManagerProvider = new NullTrustManagerProvider();
- }
-
- SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
- sslContext.init(keyManagers, trustManagerProvider.getTrustManagers(), null);
+ final TrustManager[] trustManagers =
+ trustMgrDN == null ? null : serverContext.getTrustManagerProvider(trustMgrDN).getTrustManagers();
+ final SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
+ sslContext.init(keyManagers, trustManagers, null);
return sslContext;
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/protocols/ldap/LDAPConnectionHandler.java b/opendj-server-legacy/src/main/java/org/opends/server/protocols/ldap/LDAPConnectionHandler.java
index 0a5dce2..c584f27 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/protocols/ldap/LDAPConnectionHandler.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/protocols/ldap/LDAPConnectionHandler.java
@@ -33,6 +33,7 @@
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
@@ -52,7 +53,6 @@
import org.opends.server.core.ServerContext;
import org.opends.server.core.WorkQueueStrategy;
import org.opends.server.extensions.NullKeyManagerProvider;
-import org.opends.server.extensions.NullTrustManagerProvider;
import org.opends.server.extensions.TLSByteChannel;
import org.opends.server.monitors.ClientConnectionMonitorProvider;
import org.opends.server.types.*;
@@ -1290,9 +1290,9 @@
{
try
{
- DN keyMgrDN = config.getKeyManagerProviderDN();
- KeyManagerProvider<?> keyManagerProvider = DirectoryServer
- .getKeyManagerProvider(keyMgrDN);
+ final ServerContext serverContext = DirectoryServer.getInstance().getServerContext();
+ final DN keyMgrDN = config.getKeyManagerProviderDN();
+ KeyManagerProvider<?> keyManagerProvider = serverContext.getKeyManagerProvider(keyMgrDN);
if (keyManagerProvider == null)
{
logger.error(ERR_NULL_KEY_PROVIDER_MANAGER, keyMgrDN, friendlyName);
@@ -1332,16 +1332,10 @@
}
DN trustMgrDN = config.getTrustManagerProviderDN();
- TrustManagerProvider<?> trustManagerProvider = DirectoryServer
- .getTrustManagerProvider(trustMgrDN);
- if (trustManagerProvider == null)
- {
- trustManagerProvider = new NullTrustManagerProvider();
- }
-
- SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
- sslContext.init(keyManagers, trustManagerProvider.getTrustManagers(),
- null);
+ final TrustManager[] trustManagers =
+ trustMgrDN == null ? null : serverContext.getTrustManagerProvider(trustMgrDN).getTrustManagers();
+ final SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
+ sslContext.init(keyManagers, trustManagers, null);
return sslContext;
}
catch (Exception e)
diff --git a/opendj-server-legacy/src/test/java/org/opends/server/extensions/NullTrustManagerProviderTestCase.java b/opendj-server-legacy/src/test/java/org/opends/server/extensions/NullTrustManagerProviderTestCase.java
deleted file mode 100644
index ac5b58e..0000000
--- a/opendj-server-legacy/src/test/java/org/opends/server/extensions/NullTrustManagerProviderTestCase.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * The contents of this file are subject to the terms of the Common Development and
- * Distribution License (the License). You may not use this file except in compliance with the
- * License.
- *
- * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
- * specific language governing permission and limitations under the License.
- *
- * When distributing Covered Software, include this CDDL Header Notice in each file and include
- * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
- * Header, with the fields enclosed by brackets [] replaced by your own identifying
- * information: "Portions Copyright [year] [name of copyright owner]".
- *
- * Copyright 2006-2008 Sun Microsystems, Inc.
- * Portions Copyright 2015 ForgeRock AS.
- */
-package org.opends.server.extensions;
-
-
-
-import org.testng.annotations.BeforeClass;
-import org.testng.annotations.Test;
-
-import org.opends.server.TestCaseUtils;
-
-import static org.testng.Assert.*;
-
-
-
-/**
- * A set of test cases for the null trust manager provider.
- */
-public class NullTrustManagerProviderTestCase
- extends ExtensionsTestCase
-{
- /**
- * Ensures that the Directory Server is running.
- *
- * @throws Exception If an unexpected problem occurs.
- */
- @BeforeClass
- public void startServer()
- throws Exception
- {
- TestCaseUtils.startServer();
- }
-
-
-
- /**
- * Tests the null trust manager provider by creating a new instance,
- * initializing it, and getting the trust managers.
- *
- * @throws Exception If an unexpected problem occurs.
- */
- @Test
- public void testNullTrustManagerProvider()
- throws Exception
- {
- NullTrustManagerProvider provider = new NullTrustManagerProvider();
- provider.initializeTrustManagerProvider(null);
- assertNotNull(provider.getTrustManagers());
- provider.finalizeTrustManagerProvider();
- }
-}
-
--
Gitblit v1.10.0