play framework

Merge lp:~nicolas-lunatech/play/play-ssl into lp:play/1.1

play-ssl
Merge into 1.1-unstable

Proposed by Nicolas Leroux on 2010-09-16

Status:	Merged
Merged at revision:	1091
Proposed branch:	lp:~nicolas-lunatech/play/play-ssl
Merge into:	lp:play/1.1
Diff against target:	400 lines (+276/-8) 8 files modified framework/src/play/server/HttpServerPipelineFactory.java (+1/-1) framework/src/play/server/PlayHandler.java (+56/-1) framework/src/play/server/Server.java (+11/-5) framework/src/play/server/ssl/SslHttpServerContextFactory.java (+121/-0) framework/src/play/server/ssl/SslHttpServerPipelineFactory.java (+45/-0) samples-and-tests/forum/conf/application.conf (+2/-1) samples-and-tests/forum/conf/host.cert (+22/-0) samples-and-tests/forum/conf/host.key (+18/-0)
To merge this branch:	bzr merge lp:~nicolas-lunatech/play/play-ssl
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Nicolas Leroux (community)			Approve on 2010-09-30
Review via email: mp+35751@code.launchpad.net

Revision history for this message

Nicolas Leroux (nicolas-lunatech) on 2010-09-30:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Erwan Loisant

Guillaume Bort

Nicolas Leroux

Stephane Godbillon

Sébastien Crème

Tom Turner

arden

play framework

Merge lp:~nicolas-lunatech/play/play-ssl into lp:play/1.1

Commit message

Description of the change

Preview Diff

Subscribers

 === added file 'framework/lib/bcprov-jdk16-145.jar'
 Binary files framework/lib/bcprov-jdk16-145.jar	1970-01-01 00:00:00 +0000 and framework/lib/bcprov-jdk16-145.jar	2010-09-16 22:21:44 +0000 differ
 === modified file 'framework/src/play/server/HttpServerPipelineFactory.java'
 --- framework/src/play/server/HttpServerPipelineFactory.java	2010-09-16 20:29:16 +0000
 +++ framework/src/play/server/HttpServerPipelineFactory.java	2010-09-16 22:21:44 +0000
@@ -22,7 +22,7 @@
          pipeline.addLast("encoder", new HttpResponseEncoder());
          pipeline.addLast("chunkedWriter", new ChunkedWriteHandler());
--        pipeline.addLast("handler", new PlayHandler());
++        pipeline.addLast("handler", new PlayHandler(false));
          return pipeline;
 === modified file 'framework/src/play/server/PlayHandler.java'
 --- framework/src/play/server/PlayHandler.java	2010-09-16 20:52:26 +0000
 +++ framework/src/play/server/PlayHandler.java	2010-09-16 22:21:44 +0000
@@ -7,6 +7,7 @@
  import org.jboss.netty.buffer.ChannelBuffers;
  import org.jboss.netty.channel.*;
  import org.jboss.netty.handler.codec.http.*;
++import org.jboss.netty.handler.ssl.SslHandler;
  import org.jboss.netty.handler.stream.ChunkedFile;
  import org.jboss.netty.handler.stream.ChunkedStream;
  import play.Invoker;
@@ -32,6 +33,7 @@
  import play.vfs.VirtualFile;
  import java.io.*;
++import java.net.InetAddress;
  import java.net.InetSocketAddress;
  import java.net.URLDecoder;
  import java.net.URLEncoder;
@@ -40,11 +42,51 @@
  import play.data.validation.Validation;
++import javax.net.ssl.SSLException;
++
  import static org.jboss.netty.handler.codec.http.HttpHeaders.Names.*;
  public class PlayHandler extends SimpleChannelUpstreamHandler {
      private final static String signature = "Play! Framework;" + Play.version + ";" + Play.mode.name().toLowerCase();
++    private boolean isSecure = false;
++
++    public PlayHandler(boolean isSecure) {
++        this.isSecure = isSecure;
++    }
++
++    @Override
++    public void channelConnected(
++            ChannelHandlerContext ctx, ChannelStateEvent e) throws Exception {
++        if (isSecure) {
++            ctx.setAttachment(e.getValue());
++            // Get the SslHandler in the current pipeline.
++            final SslHandler sslHandler = ctx.getPipeline().get(SslHandler.class);
++            sslHandler.setEnableRenegotiation(false);
++            // Get notified when SSL handshake is done.
++            ChannelFuture handshakeFuture = sslHandler.handshake();
++            handshakeFuture.addListener(new SslListener(sslHandler));
++        }
++    }
++
++    private static final class SslListener implements ChannelFutureListener {
++
++        private final SslHandler sslHandler;
++
++        SslListener(SslHandler sslHandler) {
++            this.sslHandler = sslHandler;
++        }
++
++        public void operationComplete(ChannelFuture future) throws Exception {
++            if (!future.isSuccess()) {
++                Logger.warn(future.getCause(), "Invalid certificate ");
++
++                if (future.getChannel().isOpen()) {
++                    future.getChannel().close();
++                }
++            }
++        }
++    }
      @Override
      public void messageReceived(ChannelHandlerContext ctx, MessageEvent e) throws Exception {
@@ -493,7 +535,20 @@
      @Override
      public void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e)
              throws Exception {
--        e.getChannel().close();
++        Logger.error(e.getCause(), "");
++        // We have to redirect to https://, as it was targeting http://
++        // Redirect to the root as we don't know the url at that point
++        if (e.getCause() instanceof javax.net.ssl.SSLException) {
++            InetSocketAddress inet = ((InetSocketAddress) ctx.getAttachment());
++            ctx.getPipeline().remove("ssl");
++            HttpResponse nettyResponse = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.TEMPORARY_REDIRECT);
++            nettyResponse.setHeader(LOCATION, "https://" + inet.getHostName() + ":" + Play.configuration.getProperty("http.port") + "/");
++            nettyResponse.setHeader(SERVER, signature);
++            ChannelFuture writeFuture = ctx.getChannel().write(nettyResponse);
++            writeFuture.addListener(ChannelFutureListener.CLOSE);
++        } else {
++            e.getChannel().close();
++        }
+     }
      public static void serve404(NotFound e, ChannelHandlerContext ctx, Request request, HttpRequest nettyRequest) {
 === modified file 'framework/src/play/server/Server.java'
 --- framework/src/play/server/Server.java	2010-09-16 20:29:16 +0000
 +++ framework/src/play/server/Server.java	2010-09-16 22:21:44 +0000
@@ -6,6 +6,7 @@
  import play.Logger;
  import play.Play;
  import play.Play.Mode;
++import play.server.ssl.SslHttpServerPipelineFactory;
  import java.io.File;
  import java.net.InetAddress;
@@ -18,6 +19,7 @@
      public Server() {
          final Properties p = Play.configuration;
          int httpPort = Integer.parseInt(p.getProperty("http.port", "9000"));
++        boolean isSecure = Boolean.parseBoolean(p.getProperty("http.secure", "false"));
          InetAddress address = null;
          if (System.getProperties().containsKey("http.port")) {
              httpPort = Integer.parseInt(System.getProperty("http.port"));
@@ -35,12 +37,16 @@
+         }
          ServerBootstrap bootstrap = new ServerBootstrap(new NioServerSocketChannelFactory(
--            Executors.newCachedThreadPool(), Executors.newCachedThreadPool())
++                Executors.newCachedThreadPool(), Executors.newCachedThreadPool())
          );
--	try {
--             bootstrap.setPipelineFactory(new HttpServerPipelineFactory());
--             bootstrap.bind(new InetSocketAddress(address, httpPort));
--             bootstrap.setOption("child.tcpNoDelay", true);
++        try {
++            if (isSecure) {
++                bootstrap.setPipelineFactory(new SslHttpServerPipelineFactory());
++            } else {
++                bootstrap.setPipelineFactory(new HttpServerPipelineFactory());
++            }
++            bootstrap.bind(new InetSocketAddress(address, httpPort));
++            bootstrap.setOption("child.tcpNoDelay", true);
              if (Play.mode == Mode.DEV) {
                  if (address == null) {
 === added directory 'framework/src/play/server/ssl'
 === added file 'framework/src/play/server/ssl/SslHttpServerContextFactory.java'
 --- framework/src/play/server/ssl/SslHttpServerContextFactory.java	1970-01-01 00:00:00 +0000
 +++ framework/src/play/server/ssl/SslHttpServerContextFactory.java	2010-09-16 22:21:44 +0000
@@ -0,0 +1,121 @@
++package play.server.ssl;
++
++import org.bouncycastle.openssl.PEMReader;
++import org.bouncycastle.openssl.PasswordFinder;
++import play.Logger;
++import play.Play;
++
++import java.security.cert.X509Certificate;
++import javax.net.ssl.*;
++import java.io.FileInputStream;
++import java.io.FileReader;
++import java.io.IOException;
++import java.net.Socket;
++import java.security.*;
++import java.util.Enumeration;
++
++public class SslHttpServerContextFactory {
++
++    private static final String PROTOCOL = "SSL";
++    private static final SSLContext SERVER_CONTEXT;
++
++    static {
++
++        String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
++        if (algorithm == null) {
++            algorithm = "SunX509";
++        }
++
++        SSLContext serverContext = null;
++        KeyStore ks = null;
++        try {
++
++            // Look if we have key and cert files. If we do, we use our own keymanager
++            if (Play.getFile(System.getProperty("certificate.file", "conf/host.key")).exists() && Play.getFile(System.getProperty("certificate.file", "conf/host.cert")).exists()) {
++                Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
++            } else {
++                // Try to load it from the keystore
++                ks = KeyStore.getInstance(System.getProperty("certificate.algorithm", "JKS"));
++                // Load the file from the conf
++                char[] certificatePassword = System.getProperty("certificate.password", "secret").toCharArray();
++
++                ks.load(new FileInputStream(Play.getFile(System.getProperty("certificate.file", "conf/certificate.jks"))),
++                        certificatePassword);
++
++                // Set up key manager factory to use our key store
++                KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
++                char[] keyStorePassword = System.getProperty("keystore.password", "secret").toCharArray();
++
++                kmf.init(ks, keyStorePassword);
++
++            }
++            // Initialize the SSLContext to work with our key managers.
++            serverContext = SSLContext.getInstance(PROTOCOL);
++            serverContext.init(new KeyManager[]{PEMKeyManager.instance}, null, null);
++
++        } catch (Exception e) {
++            throw new Error(
++                    "Failed to initialize the server-side SSLContext", e);
++        }
++
++        SERVER_CONTEXT = serverContext;
++    }
++
++    public static SSLContext getServerContext() {
++        return SERVER_CONTEXT;
++    }
++
++    public static class PEMKeyManager extends X509ExtendedKeyManager {
++
++        static PEMKeyManager instance = new PEMKeyManager();
++        PrivateKey key;
++        X509Certificate cert;
++
++        public PEMKeyManager() {
++            try {
++                PEMReader keyReader = new PEMReader(new FileReader(Play.getFile(System.getProperty("certificate.file", "conf/host.key"))), new PasswordFinder() {
++                    public char[] getPassword() {
++                        return System.getProperty("certificate.password", "secret").toCharArray();
++                    }
++                });
++                key = ((KeyPair) keyReader.readObject()).getPrivate();
++
++                PEMReader reader = new PEMReader(new FileReader(Play.getFile(System.getProperty("certificate.file", "conf/host.cert"))));
++                cert = (X509Certificate) reader.readObject();
++            } catch (Exception e) {
++                e.printStackTrace();
++                Logger.error(e, "");
++            }
++        }
++
++        public String chooseEngineServerAlias(java.lang.String s, java.security.Principal[] principals, javax.net.ssl.SSLEngine sslEngine) {
++            return "";
++        }
++
++
++        public String[] getClientAliases(String s, Principal[] principals) {
++            return new String[]{""};
++        }
++
++        public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
++            return "";
++        }
++
++        public String[] getServerAliases(String s, Principal[] principals) {
++            return new String[]{""};
++        }
++
++        public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
++            return "";
++        }
++
++        public java.security.cert.X509Certificate[] getCertificateChain(String s) {
++            return new java.security.cert.X509Certificate[]{cert};
++        }
++
++        public PrivateKey getPrivateKey(String s) {
++            return key;
++        }
++    }
++
++}
 === added file 'framework/src/play/server/ssl/SslHttpServerPipelineFactory.java'
 --- framework/src/play/server/ssl/SslHttpServerPipelineFactory.java	1970-01-01 00:00:00 +0000
 +++ framework/src/play/server/ssl/SslHttpServerPipelineFactory.java	2010-09-16 22:21:44 +0000
@@ -0,0 +1,45 @@
++package play.server.ssl;
++
++import org.jboss.netty.channel.ChannelPipeline;
++import org.jboss.netty.channel.ChannelPipelineFactory;
++import org.jboss.netty.handler.codec.http.HttpRequestDecoder;
++import org.jboss.netty.handler.codec.http.HttpResponseEncoder;
++import org.jboss.netty.handler.ssl.SslHandler;
++import org.jboss.netty.handler.stream.ChunkedWriteHandler;
++import play.Logger;
++import play.Play;
++import play.server.PlayHandler;
++import play.server.StreamChunkAggregator;
++
++import javax.net.ssl.SSLEngine;
++
++import static org.jboss.netty.channel.Channels.pipeline;
++
++public class SslHttpServerPipelineFactory implements ChannelPipelineFactory {
++
++    public ChannelPipeline getPipeline() throws Exception {
++
++        Integer max = Integer.valueOf(Play.configuration.getProperty("play.netty.maxContentLength", "-1"));
++
++        ChannelPipeline pipeline = pipeline();
++
++        // Add SSL handler first to encrypt and decrypt everything.
++        SSLEngine engine =
++            SslHttpServerContextFactory.getServerContext().createSSLEngine();
++        engine.setUseClientMode(false);
++        engine.setNeedClientAuth(true);
++        engine.setWantClientAuth(true);
++        engine.setEnableSessionCreation(true);
++
++        pipeline.addLast("ssl", new SslHandler(engine));
++        pipeline.addLast("decoder", new HttpRequestDecoder());
++        pipeline.addLast("aggregator", new StreamChunkAggregator(max));
++        pipeline.addLast("encoder", new HttpResponseEncoder());
++        pipeline.addLast("chunkedWriter", new ChunkedWriteHandler());
++
++        pipeline.addLast("handler", new PlayHandler(true));
++
++        return pipeline;
++    }
++}
++
 === modified file 'samples-and-tests/forum/conf/application.conf'
 --- samples-and-tests/forum/conf/application.conf	2010-09-16 20:29:16 +0000
 +++ samples-and-tests/forum/conf/application.conf	2010-09-16 22:21:44 +0000
@@ -33,6 +33,7 @@
  # If you need to change the HTTP port, uncomment this (default is set to 9000)
+ #
  http.port=9000
++#http.secure=true
  # Database configuration
@@ -72,7 +73,7 @@
  # Specify log level for your application.
  # If you want a very customized log, create a log4j.properties file in the conf directory
+ #
--# application.log=INFO
++application.log=TRACE
  # JPA Configuration (hibernate)
 === added file 'samples-and-tests/forum/conf/certificate.jks'
 Binary files samples-and-tests/forum/conf/certificate.jks	1970-01-01 00:00:00 +0000 and samples-and-tests/forum/conf/certificate.jks	2010-09-16 22:21:44 +0000 differ
 === added file 'samples-and-tests/forum/conf/host.cert'
 --- samples-and-tests/forum/conf/host.cert	1970-01-01 00:00:00 +0000
 +++ samples-and-tests/forum/conf/host.cert	2010-09-16 22:21:44 +0000
@@ -0,0 +1,22 @@
++-----BEGIN CERTIFICATE-----
++MIIDkDCCAvmgAwIBAgIJAL53x0ZWC+dlMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
++VQQGEwJOTDEMMAoGA1UECBMDYmxhMRIwEAYDVQQHEwlSb3R0ZXJkYW0xDzANBgNV
++BAoTBkJsIGJsYTENMAsGA1UECxMEYmxvZTEXMBUGA1UEAxMOTmljb2xhcyBMZXJv
++dXgxIzAhBgkqhkiG9w0BCQEWFG5pY29sYXNAbHVuYXRlY2guY29tMB4XDTEwMDkx
++NjE5MTc0OVoXDTExMDkxNjE5MTc0OVowgY0xCzAJBgNVBAYTAk5MMQwwCgYDVQQI
++EwNibGExEjAQBgNVBAcTCVJvdHRlcmRhbTEPMA0GA1UEChMGQmwgYmxhMQ0wCwYD
++VQQLEwRibG9lMRcwFQYDVQQDEw5OaWNvbGFzIExlcm91eDEjMCEGCSqGSIb3DQEJ
++ARYUbmljb2xhc0BsdW5hdGVjaC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
++AoGBANqoWYHygUWuXdPqr+ylzMQ6hsOHZrTnlIzMLBCML6cKNF5/UXrJi2balxRY
++X3qtqiybqb892DePrPeqf5YkKQFhK3X36gja7MLevQE33aVyHUL3vk0ukap+Imlx
++qyU8vP+XYqLsFNeNsZk5ja8CFGJNIDvewcan9lbF2ORTVxs7AgMBAAGjgfUwgfIw
++HQYDVR0OBBYEFJFi+d3AofaeS9i0a4yI7ido/i2eMIHCBgNVHSMEgbowgbeAFJFi
+++d3AofaeS9i0a4yI7ido/i2eoYGTpIGQMIGNMQswCQYDVQQGEwJOTDEMMAoGA1UE
++CBMDYmxhMRIwEAYDVQQHEwlSb3R0ZXJkYW0xDzANBgNVBAoTBkJsIGJsYTENMAsG
++A1UECxMEYmxvZTEXMBUGA1UEAxMOTmljb2xhcyBMZXJvdXgxIzAhBgkqhkiG9w0B
++CQEWFG5pY29sYXNAbHVuYXRlY2guY29tggkAvnfHRlYL52UwDAYDVR0TBAUwAwEB
++/zANBgkqhkiG9w0BAQUFAAOBgQAn4iUXzZNpJ2SSBJaMLxWUlYlERFtAuTCh2yYy
++50YwrpzwupTZuC0IkMivY7YOvuSi5yRG+Ez83D28HNH+5OwVqpcecUuEjmUw96NN
++XysBNWf9uCYZhCizCxHcX6I+96T8y2jOcq9fdY3nc5YV6uCe4flnO1HbZ1QJeTqv
++UzjByw==
++-----END CERTIFICATE-----
 === added file 'samples-and-tests/forum/conf/host.key'
 --- samples-and-tests/forum/conf/host.key	1970-01-01 00:00:00 +0000
 +++ samples-and-tests/forum/conf/host.key	2010-09-16 22:21:44 +0000
@@ -0,0 +1,18 @@
++-----BEGIN RSA PRIVATE KEY-----
++Proc-Type: 4,ENCRYPTED
++DEK-Info: DES-EDE3-CBC,60E301A3F6B3843F
++
++5NL1bfRscfkczeOCrv9sbPXN3na9L1Vsy3OoV7GVkzalfO8HolUR8GewhDhhX5w5
++oAis7OPBA7045taH4fzWC0hWxwfHJkFvXTHmQrf6u8hRe7b6pkfmHDPQauFFL1eS
++LRtEotL9naVLZSGycE/tmoYOEy9xEhTzdM4G+uB3BpGA5e/JiibiEBxgoUWnLJBr
++vN98BH4PuN8eUMntInOWiJbn7Lo0+YuNQo2kUYsIZ2rLlTw8FVQKLfm9Ekz7iw55
++Zh4+b+S+fIpn4YSy2Fafzivq9mbWyzMzi0fSRyP8FZ/TeP7MAbj/D/uaVZFGD65l
++gkX9mEmt1FF9J4DEukkKVrXljbHhXQu87SYKE717GLWBeK4U34G+KkiiRlK9iba2
++x7bEki4PvFkf83j9KjhPUNiS1wzWJWG4JDz1tXIwrbCYPatldtWs9k3qcJgwXjDo
++FbC4ccW6qbcBp8fmsaoOKM0ImN9jHS8TaGUpZhyWAf3b4usGAri5759O9e4sEdu3
++cCV7m9OeZgRXGXo4odo32MB6IDg/BtfvtFgee0rIBrv6GbuH13pm5N4tQPTg2vg0
++66VULPpIcxZ5Qnd8yICtLJ4av/EBjCXZircy5g1V3WmbphDFb+WcVJTrnb76XsbB
++7Q8SFH6v7ug5JgF3tyv8EoRV7sKGk/hvBadu2gXuw7h9+UqFUbXjWHzbq1Hb9aaG
++5zpURtV/d7vYMjpiImJQre3oMFDXGgHUcH8iFE1fiz0uvGzJlZ4H7nX9bpxamWpx
++j60x+wr49SyoxurrYnzSLpjNEurocn91lO9CmtfcksoLXwXxsBDKQA==
++-----END RSA PRIVATE KEY-----