List of usage examples for io.netty.handler.ssl SslContextBuilder clientAuth
ClientAuth clientAuth
To view the source code for io.netty.handler.ssl SslContextBuilder clientAuth.
Click Source Link
From source file:org.curioswitch.common.server.framework.ServerModule.java
License:Open Source License
@SuppressWarnings("FutureReturnValueIgnored") @Provides// w ww. j ava 2 s. c o m @Singleton static Server armeriaServer(Set<BindableService> grpcServices, Set<GrpcServiceDefinition> grpcServiceDefinitions, Set<HttpServiceDefinition> httpServiceDefinitions, Set<StaticSiteServiceDefinition> staticSites, Set<Consumer<ServerBuilder>> serverCustomizers, Set<PostServerCustomizer> postServerCustomizers, Set<WatchedPath> watchedPaths, Function<Service<HttpRequest, HttpResponse>, LoggingService<HttpRequest, HttpResponse>> loggingService, MetricsHttpService metricsHttpService, CollectorRegistry collectorRegistry, MeterRegistry meterRegistry, Tracing tracing, Lazy<FirebaseAuthorizer> firebaseAuthorizer, Lazy<JwtAuthorizer.Factory> jwtAuthorizer, Lazy<JavascriptStaticService> javascriptStaticService, Optional<SelfSignedCertificate> selfSignedCertificate, Optional<TrustManagerFactory> caTrustManager, Optional<SslCommonNamesProvider> sslCommonNamesProvider, FileWatcher.Builder fileWatcherBuilder, Lazy<StackdriverReporter> stackdriverReporter, ServerConfig serverConfig, FirebaseAuthConfig authConfig, HttpsOnlyService.Factory httpsOnlyServiceFactory, JavascriptStaticConfig javascriptStaticConfig, MonitoringConfig monitoringConfig, SecurityConfig securityConfig, Set<ServerShutDownDelayer> serverShutDownDelayers, @CloseOnStop Set<Closeable> closeOnStopDependencies, // Eagerly trigger bindings that are present, not actually used here. @EagerInit Set<Object> eagerInitializedDependencies) { for (WatchedPath watched : watchedPaths) { fileWatcherBuilder.registerPath(watched.getPath(), watched.getHandler()); } if (!sslCommonNamesProvider.isPresent() && !serverConfig.getRpcAclsPath().isEmpty() && !serverConfig.isDisableSslAuthorization()) { Path path = Paths.get(serverConfig.getRpcAclsPath()).toAbsolutePath(); RpcAclsCommonNamesProvider commonNamesProvider = new RpcAclsCommonNamesProvider(path); fileWatcherBuilder.registerPath(path, commonNamesProvider::processFile); if (path.toFile().exists()) { commonNamesProvider.processFile(path); } sslCommonNamesProvider = Optional.of(commonNamesProvider); } ServerBuilder sb = new ServerBuilder().https(serverConfig.getPort()); if (selfSignedCertificate.isPresent()) { SelfSignedCertificate certificate = selfSignedCertificate.get(); try { SslContextBuilder sslContext = serverSslContext( ResourceUtil.openStream(certificate.certificate().getAbsolutePath()), ResourceUtil.openStream(certificate.privateKey().getAbsolutePath())) .trustManager(InsecureTrustManagerFactory.INSTANCE); if (!serverConfig.isDisableSslAuthorization()) { sslContext.clientAuth(ClientAuth.OPTIONAL); } sb.tls(sslContext.build()); } catch (SSLException e) { // Can't happen. throw new IllegalStateException(e); } } else if (serverConfig.getTlsCertificatePath().isEmpty() || serverConfig.getTlsPrivateKeyPath().isEmpty() || !caTrustManager.isPresent()) { throw new IllegalStateException( "No TLS configuration provided, Curiostack does not support non-TLS servers. " + "Use gradle-curio-cluster-plugin to set up a namespace and TLS."); } else { try { SslContextBuilder sslContext = serverSslContext( ResourceUtil.openStream(serverConfig.getTlsCertificatePath()), ResourceUtil.openStream(serverConfig.getTlsPrivateKeyPath())) .trustManager(caTrustManager.get()); if (!serverConfig.isDisableSslAuthorization()) { sslContext.clientAuth(ClientAuth.OPTIONAL); } sb.tls(sslContext.build()); } catch (SSLException e) { throw new IllegalStateException("Could not load TLS certificate.", e); } } serverCustomizers.forEach(c -> c.accept(sb)); Optional<Function<Service<HttpRequest, HttpResponse>, IpFilteringService>> ipFilter = Optional.empty(); if (!serverConfig.getIpFilterRules().isEmpty()) { ipFilter = Optional.of(IpFilteringService.newDecorator(serverConfig.getIpFilterRules())); } if (!serverConfig.isDisableDocService()) { DocServiceBuilder docService = new DocServiceBuilder(); if (!authConfig.getServiceAccountBase64().isEmpty()) { docService.injectedScript("armeria.registerHeaderProvider(function() {\n" + " return firebase.auth().currentUser.getIdToken().then(token => { authorization: 'bearer ' + token });\n" + "});"); } sb.serviceUnder("/internal/docs", internalService(docService.build(), ipFilter, serverConfig)); } SettableHealthChecker settableHealthChecker = new SettableHealthChecker(true); List<HealthChecker> healthCheckers = serverShutDownDelayers.isEmpty() ? ImmutableList.of() : ImmutableList.of(settableHealthChecker); sb.service("/internal/health", internalService(new HttpHealthCheckService(healthCheckers), ipFilter, serverConfig)); sb.service("/internal/dropwizard", internalService(metricsHttpService, ipFilter, serverConfig)); sb.service("/internal/metrics", internalService(new PrometheusExpositionService(collectorRegistry), ipFilter, serverConfig)); if (sslCommonNamesProvider.isPresent()) { SslCommonNamesProvider namesProvider = sslCommonNamesProvider.get(); sb.service("/internal/rpcacls", internalService((ctx, req) -> HttpResponse.of(HttpStatus.OK, MediaType.PLAIN_TEXT_UTF_8, String.join("\n", namesProvider.get())), ipFilter, serverConfig)); } if (!grpcServices.isEmpty()) { GrpcServiceDefinition definition = new GrpcServiceDefinition.Builder().addAllServices(grpcServices) .decorator(Function.identity()).path(serverConfig.getGrpcPath()).build(); grpcServiceDefinitions = ImmutableSet.<GrpcServiceDefinition>builder().addAll(grpcServiceDefinitions) .add(definition).build(); } for (GrpcServiceDefinition definition : grpcServiceDefinitions) { GrpcServiceBuilder serviceBuilder = new GrpcServiceBuilder() .supportedSerializationFormats(GrpcSerializationFormats.values()).enableUnframedRequests(true); definition.services().forEach(serviceBuilder::addService); if (!serverConfig.isDisableGrpcServiceDiscovery()) { serviceBuilder.addService(ProtoReflectionService.newInstance()); } definition.customizer().accept(serviceBuilder); ServiceWithRoutes<HttpRequest, HttpResponse> service = serviceBuilder.build(); if (definition.path().equals("/")) { Optional<SslCommonNamesProvider> sslCommonNamesProvider0 = sslCommonNamesProvider; sb.service(service, s -> decorateService(s.decorate(definition.decorator()), tracing, firebaseAuthorizer, jwtAuthorizer, sslCommonNamesProvider0, serverConfig, authConfig)); } else { sb.serviceUnder(definition.path(), decorateService(service.decorate(definition.decorator()), tracing, firebaseAuthorizer, jwtAuthorizer, sslCommonNamesProvider, serverConfig, authConfig)); } } for (HttpServiceDefinition definition : httpServiceDefinitions) { sb.service(definition.route(), decorateService(definition.service(), tracing, firebaseAuthorizer, jwtAuthorizer, sslCommonNamesProvider, serverConfig, authConfig)); } if (javascriptStaticConfig.getVersion() != 0) { sb.service("/static/jsconfig-" + javascriptStaticConfig.getVersion(), javascriptStaticService.get()); } for (StaticSiteServiceDefinition staticSite : staticSites) { sb.serviceUnder(staticSite.urlRoot(), StaticSiteService.of(staticSite.staticPath(), staticSite.classpathRoot())); } if (ipFilter.isPresent() && !serverConfig.getIpFilterInternalOnly()) { sb.decorator(ipFilter.get()); } if (securityConfig.getHttpsOnly()) { sb.decorator(httpsOnlyServiceFactory.newDecorator()); } sb.decorator(loggingService); sb.meterRegistry(meterRegistry); if (serverConfig.getEnableGracefulShutdown()) { sb.gracefulShutdownTimeout(Duration.ofSeconds(10), Duration.ofSeconds(30)); } postServerCustomizers.forEach((c) -> c.accept(sb)); sb.serverListener(new ServerListener() { @Override public void serverStarting(Server server) { } @Override public void serverStarted(Server server) { } @Override public void serverStopping(Server server) { } @Override public void serverStopped(Server server) { closeOnStopDependencies.forEach(c -> { try { c.close(); } catch (IOException e) { logger.info("Exception closing {}", c); } }); } }); Server server = sb.build(); server.start().whenComplete((unused, t) -> { if (t != null) { logger.error("Error starting server.", t); } else { logger.info("Server started on ports: " + server.activePorts()); } }); Runtime.getRuntime().addShutdownHook(new Thread(() -> { logger.info("Received shutdown signal."); settableHealthChecker.setHealthy(false); if (!serverShutDownDelayers.isEmpty()) { Futures.getUnchecked(Futures.successfulAsList(serverShutDownDelayers.stream() .map(ServerShutDownDelayer::readyForShutdown).collect(toImmutableList()))); } logger.info("Server shutting down."); server.stop().join(); })); if (!fileWatcherBuilder.isEmpty()) { FileWatcher fileWatcher = fileWatcherBuilder.build(); fileWatcher.start(); Runtime.getRuntime().addShutdownHook(new Thread(fileWatcher::close)); } if (monitoringConfig.isReportTraces()) { server.nextEventLoop().scheduleAtFixedRate(stackdriverReporter.get()::flush, 0, monitoringConfig.getTraceReportInterval().getSeconds(), TimeUnit.SECONDS); } return server; }
From source file:org.dvlyyon.nbi.gnmi.GnmiServer.java
License:Open Source License
private Server getTLSServer(GnmiServerContextInf cmd, BindableService service, AuthInterceptor interceptor) throws Exception { int port = cmd.getServerPort(); SslContextBuilder contextBuilder = GrpcSslContexts.forServer(new File(cmd.getServerCACertificate()), new File(cmd.getServerKey())); if (cmd.getClientCACertificate() != null) contextBuilder = contextBuilder.trustManager(new File(cmd.getClientCACertificate())); contextBuilder = cmd.requireClientCert() ? contextBuilder.clientAuth(ClientAuth.REQUIRE) : contextBuilder.clientAuth(ClientAuth.OPTIONAL); server = NettyServerBuilder.forPort(port).sslContext(contextBuilder.build()) .addService(ServerInterceptors.intercept(service, interceptor)).build(); logger.info("Server started, listening on " + port); return server; }
From source file:org.springframework.boot.web.embedded.netty.SslServerCustomizer.java
License:Apache License
protected SslContextBuilder getContextBuilder() { SslContextBuilder builder = SslContextBuilder .forServer(getKeyManagerFactory(this.ssl, this.sslStoreProvider)) .trustManager(getTrustManagerFactory(this.ssl, this.sslStoreProvider)); if (this.ssl.getEnabledProtocols() != null) { builder.protocols(this.ssl.getEnabledProtocols()); }// w w w. j a v a2 s .c o m if (this.ssl.getCiphers() != null) { builder.ciphers(Arrays.asList(this.ssl.getCiphers())); } if (this.ssl.getClientAuth() == Ssl.ClientAuth.NEED) { builder.clientAuth(ClientAuth.REQUIRE); } else if (this.ssl.getClientAuth() == Ssl.ClientAuth.WANT) { builder.clientAuth(ClientAuth.OPTIONAL); } return builder; }