Add SSL support to DevMode.
Issue: 1806
Patch by: jat
Review by: conroy, tobyr
Review at http://gwt-code-reviews.appspot.com/1324801
git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@9628 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/dev/core/src/com/google/gwt/core/ext/ServletContainerLauncher.java b/dev/core/src/com/google/gwt/core/ext/ServletContainerLauncher.java
index c599507..cd47771 100644
--- a/dev/core/src/com/google/gwt/core/ext/ServletContainerLauncher.java
+++ b/dev/core/src/com/google/gwt/core/ext/ServletContainerLauncher.java
@@ -58,6 +58,18 @@
public String getName() {
return "Web Server";
}
+ /**
+ * Return true if this servlet container launcher is configured for secure
+ * operation (ie, HTTPS). This value is only queried after arguments, if any,
+ * have been processed.
+ *
+ * The default implementation just returns false.
+ *
+ * @return true if HTTPS is in use
+ */
+ public boolean isSecure() {
+ return false;
+ }
/**
* Process any supplied arguments.
diff --git a/dev/core/src/com/google/gwt/dev/DevMode.java b/dev/core/src/com/google/gwt/dev/DevMode.java
index db3e200..7d186b2 100644
--- a/dev/core/src/com/google/gwt/dev/DevMode.java
+++ b/dev/core/src/com/google/gwt/dev/DevMode.java
@@ -62,6 +62,9 @@
* Handles the -server command line flag.
*/
protected static class ArgHandlerServer extends ArgHandlerString {
+
+ private static final String DEFAULT_SCL = JettyLauncher.class.getName();
+
private HostedModeOptions options;
public ArgHandlerServer(HostedModeOptions options) {
@@ -73,7 +76,7 @@
if (options.isNoServer()) {
return null;
} else {
- return new String[]{getTag(), JettyLauncher.class.getName()};
+ return new String[]{getTag(), DEFAULT_SCL};
}
}
@@ -106,6 +109,9 @@
sclArgs = null;
sclClassName = arg;
}
+ if (sclClassName.length() == 0) {
+ sclClassName = DEFAULT_SCL;
+ }
Throwable t;
try {
Class<?> clazz = Class.forName(sclClassName, true,
@@ -479,6 +485,13 @@
}
}
+ isHttps = scl.isSecure();
+
+ // Tell the UI if the web server is secure
+ if (isHttps) {
+ ui.setWebServerSecure(serverLogger);
+ }
+
/*
* TODO: This is a hack to pass the base log level to the SCL. We'll have
* to figure out a better way to do this for SCLs in general.
diff --git a/dev/core/src/com/google/gwt/dev/DevModeBase.java b/dev/core/src/com/google/gwt/dev/DevModeBase.java
index 2bb3092..1cfd74a 100644
--- a/dev/core/src/com/google/gwt/dev/DevModeBase.java
+++ b/dev/core/src/com/google/gwt/dev/DevModeBase.java
@@ -676,8 +676,9 @@
private static final Random RNG = new Random();
- public static String normalizeURL(String unknownUrlText, int port, String host) {
- if (unknownUrlText.indexOf(":") != -1) {
+ public static String normalizeURL(String unknownUrlText, boolean isHttps,
+ int port, String host) {
+ if (unknownUrlText.contains("://")) {
// Assume it's a full url.
return unknownUrlText;
}
@@ -687,14 +688,18 @@
unknownUrlText = unknownUrlText.substring(1);
}
- if (port != 80) {
- // CHECKSTYLE_OFF: Not really an assembled error message, so no space
- // after ':'.
- return "http://" + host + ":" + port + "/" + unknownUrlText;
- // CHECKSTYLE_ON
- } else {
- return "http://" + host + "/" + unknownUrlText;
+ String protocol = "http";
+ String portString = ":" + port;
+ if (isHttps) {
+ protocol += "s";
+ if (port == 443) {
+ portString = "";
+ }
+ } else if (port == 80) {
+ portString = "";
}
+
+ return protocol + "://" + host + portString + "/" + unknownUrlText;
}
/**
@@ -728,6 +733,8 @@
protected String connectAddress;
+ protected boolean isHttps;
+
protected BrowserListener listener;
protected final HostedModeBaseOptions options;
@@ -1203,7 +1210,8 @@
ensureCodeServerListener();
Map<String, URL> startupUrls = new HashMap<String, URL>();
for (String prenormalized : options.getStartupURLs()) {
- String startupURL = normalizeURL(prenormalized, getPort(), getHost());
+ String startupURL = normalizeURL(prenormalized, isHttps, getPort(),
+ getHost());
logger.log(TreeLogger.DEBUG, "URL " + prenormalized + " normalized as "
+ startupURL, null);
try {
diff --git a/dev/core/src/com/google/gwt/dev/RunWebApp.java b/dev/core/src/com/google/gwt/dev/RunWebApp.java
index d4987b2..d5604ce 100644
--- a/dev/core/src/com/google/gwt/dev/RunWebApp.java
+++ b/dev/core/src/com/google/gwt/dev/RunWebApp.java
@@ -140,7 +140,8 @@
options.addStartupURL("/");
}
for (String startupUrl : options.getStartupURLs()) {
- startupUrl = DevModeBase.normalizeURL(startupUrl, port, "localhost");
+ startupUrl = DevModeBase.normalizeURL(startupUrl, false, port,
+ "localhost");
try {
BrowserLauncher.browse(startupUrl);
} catch (IOException e) {
diff --git a/dev/core/src/com/google/gwt/dev/SwingUI.java b/dev/core/src/com/google/gwt/dev/SwingUI.java
index ca66ef5..fbffa35 100644
--- a/dev/core/src/com/google/gwt/dev/SwingUI.java
+++ b/dev/core/src/com/google/gwt/dev/SwingUI.java
@@ -290,6 +290,20 @@
}
});
}
+
+ @Override
+ public void setWebServerSecure(TreeLogger serverLogger) {
+ if (webServerLog != null && serverLogger == webServerLog.getLogger()) {
+ EventQueue.invokeLater(new Runnable() {
+ public void run() {
+ // TODO(jat): if the web server has an icon, should combine with the
+ // secure icon or perhaps switch to a different one.
+ ImageIcon secureIcon = loadImageIcon("secure24.png");
+ tabs.setIconAt(1, secureIcon);
+ }
+ });
+ }
+ }
protected int getNextSessionCounter(File logdir) {
synchronized (sessionCounterLock) {
diff --git a/dev/core/src/com/google/gwt/dev/shell/jetty/JettyLauncher.java b/dev/core/src/com/google/gwt/dev/shell/jetty/JettyLauncher.java
index 1034031..42ee9e5 100644
--- a/dev/core/src/com/google/gwt/dev/shell/jetty/JettyLauncher.java
+++ b/dev/core/src/com/google/gwt/dev/shell/jetty/JettyLauncher.java
@@ -21,6 +21,7 @@
import com.google.gwt.core.ext.UnableToCompleteException;
import com.google.gwt.core.ext.TreeLogger.Type;
import com.google.gwt.dev.util.InstalledHelpInfo;
+import com.google.gwt.dev.util.Util;
import org.mortbay.component.AbstractLifeCycle;
import org.mortbay.jetty.AbstractConnector;
@@ -31,6 +32,7 @@
import org.mortbay.jetty.HttpFields.Field;
import org.mortbay.jetty.handler.RequestLogHandler;
import org.mortbay.jetty.nio.SelectChannelConnector;
+import org.mortbay.jetty.security.SslSocketConnector;
import org.mortbay.jetty.webapp.WebAppClassLoader;
import org.mortbay.jetty.webapp.WebAppContext;
import org.mortbay.log.Log;
@@ -475,6 +477,15 @@
}
/**
+ * Represents the type of SSL client certificate authentication desired.
+ */
+ private enum ClientAuth {
+ NONE,
+ WANT,
+ REQUIRE,
+ }
+
+ /**
* System property to suppress warnings about loading web app classes from the
* system classpath.
*/
@@ -495,18 +506,118 @@
System.setProperty("build.compiler", antJavaC);
}
+ /**
+ * Setup a connector for the bind address/port.
+ *
+ * @param connector
+ * @param bindAddress
+ * @param port
+ */
+ private static void setupConnector(AbstractConnector connector,
+ String bindAddress, int port) {
+ if (bindAddress != null) {
+ connector.setHost(bindAddress.toString());
+ }
+ connector.setPort(port);
+
+ // Don't share ports with an existing process.
+ connector.setReuseAddress(false);
+
+ // Linux keeps the port blocked after shutdown if we don't disable this.
+ connector.setSoLingerTime(0);
+ }
+
// default value used if setBaseLogLevel isn't called
private TreeLogger.Type baseLogLevel = TreeLogger.INFO;
private String bindAddress = null;
+ private ClientAuth clientAuth;
+
+ private String keyStore;
+
+ private String keyStorePassword;
+
private final Object privateInstanceLock = new Object();
+ private boolean useSsl;
+
@Override
public String getName() {
return "Jetty";
}
+ @Override
+ public boolean isSecure() {
+ return useSsl;
+ }
+
+ @Override
+ public boolean processArguments(TreeLogger logger, String arguments) {
+ if (arguments != null && arguments.length() > 0) {
+ // TODO(jat): better parsing of the args
+ for (String arg : arguments.split(",")) {
+ int equals = arg.indexOf('=');
+ String tag;
+ String value = null;
+ if (equals < 0) {
+ tag = arg;
+ } else {
+ tag = arg.substring(0, equals);
+ value = arg.substring(equals + 1);
+ }
+ if ("ssl".equals(tag)) {
+ useSsl = true;
+ URL keyStoreUrl = getClass().getResource("localhost.keystore");
+ if (keyStoreUrl == null) {
+ logger.log(TreeLogger.ERROR, "Default GWT keystore not found");
+ return false;
+ }
+ keyStore = keyStoreUrl.toExternalForm();
+ keyStorePassword = "localhost";
+ } else if ("keystore".equals(tag)) {
+ useSsl = true;
+ keyStore = value;
+ } else if ("password".equals(tag)) {
+ useSsl = true;
+ keyStorePassword = value;
+ } else if ("pwfile".equals(tag)) {
+ useSsl = true;
+ keyStorePassword = Util.readFileAsString(new File(value)).trim();
+ if (keyStorePassword == null) {
+ logger.log(TreeLogger.ERROR,
+ "Unable to read keystore password from '" + value + "'");
+ return false;
+ }
+ } else if ("clientAuth".equals(tag)) {
+ useSsl = true;
+ try {
+ clientAuth = ClientAuth.valueOf(value);
+ } catch (IllegalArgumentException e) {
+ logger.log(TreeLogger.WARN, "Ignoring invalid clientAuth of '"
+ + value + "'");
+ }
+ } else {
+ logger.log(TreeLogger.ERROR, "Unexpected argument to "
+ + JettyLauncher.class.getSimpleName() + ": " + arg);
+ return false;
+ }
+ }
+ if (useSsl) {
+ if (keyStore == null) {
+ logger.log(TreeLogger.ERROR, "A keystore is required to use SSL");
+ return false;
+ }
+ if (keyStorePassword == null) {
+ logger.log(TreeLogger.ERROR,
+ "A keystore password is required to use SSL");
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
/*
* TODO: This is a hack to pass the base log level to the SCL. We'll have to
* figure out a better way to do this for SCLs in general. Please do not
@@ -540,19 +651,10 @@
// Turn off XML validation.
System.setProperty("org.mortbay.xml.XmlParser.Validating", "false");
- AbstractConnector connector = getConnector();
- if (bindAddress != null) {
- connector.setHost(bindAddress.toString());
- }
- connector.setPort(port);
-
- // Don't share ports with an existing process.
- connector.setReuseAddress(false);
-
- // Linux keeps the port blocked after shutdown if we don't disable this.
- connector.setSoLingerTime(0);
-
Server server = new Server();
+
+ AbstractConnector connector = getConnector(logger);
+ setupConnector(connector, bindAddress, port);
server.addConnector(connector);
// Create a new web app in the war directory.
@@ -582,7 +684,36 @@
"/");
}
- protected AbstractConnector getConnector() {
+ protected AbstractConnector getConnector(TreeLogger logger) {
+ if (useSsl) {
+ TreeLogger sslLogger = logger.branch(TreeLogger.INFO,
+ "Listening for SSL connections");
+ sslLogger.log(TreeLogger.TRACE, "Using keystore " + keyStore);
+ SslSocketConnector conn = new SslSocketConnector();
+ if (clientAuth != null) {
+ switch (clientAuth) {
+ case NONE:
+ conn.setWantClientAuth(false);
+ conn.setNeedClientAuth(false);
+ break;
+ case WANT:
+ sslLogger.log(TreeLogger.TRACE, "Requesting client certificates");
+ conn.setWantClientAuth(true);
+ conn.setNeedClientAuth(false);
+ break;
+ case REQUIRE:
+ sslLogger.log(TreeLogger.TRACE, "Requiring client certificates");
+ conn.setWantClientAuth(true);
+ conn.setNeedClientAuth(true);
+ break;
+ }
+ }
+ conn.setKeystore(keyStore);
+ conn.setTruststore(keyStore);
+ conn.setKeyPassword(keyStorePassword);
+ conn.setTrustPassword(keyStorePassword);
+ return conn;
+ }
return new SelectChannelConnector();
}
diff --git a/dev/core/src/com/google/gwt/dev/shell/jetty/README-SSL.txt b/dev/core/src/com/google/gwt/dev/shell/jetty/README-SSL.txt
new file mode 100644
index 0000000..a257373
--- /dev/null
+++ b/dev/core/src/com/google/gwt/dev/shell/jetty/README-SSL.txt
@@ -0,0 +1,35 @@
+To use SSL, you will need a certificate. A self-signed certificate for
+localhost is included, but if you want to use a different address you will
+need to create another. To generate a self-signed certificate for an arbitrary
+host name, you can use (for example):
+
+ keytool -keystore keystore -alias jetty -genkey -keyalg RSA -validity 365
+
+Be sure and give the CN as the name that will be used with -bindAddress (which
+will be 127.0.0.1 if not provided).
+
+Note that self-signed certificates will cause the browser to prompt the user
+to accept the certificate -- this should be fine for development, but if not
+you can purchase a real web server certificate from a trusted CA and convert
+it to keystore format using openssl and keytool.
+
+You can use your own keystore like this:
+ -server :keystore=/path/to/keystore,password=password
+OR
+ -server :keystore=/path/to/keystore,pwfile=/path/to/password/file
+
+Using the password option exposes the password to other users on your system,
+so the pwfile option is recommended instead if you care about keeping the
+password secret.
+
+You can also set the clientAuth parameter to request or require client
+certificates (which must have a suitable certificate chain in the keystore),
+like this:
+ -server :keystore=/path/to/keystore,password=password,clientAuth=WANT
+OR
+ -server :keystore=/path/to/keystore,password=password,clientAuth=REQUIRE
+
+You can use a default localhost-only self-signed certificate by just using
+ -server :ssl
+
+
diff --git a/dev/core/src/com/google/gwt/dev/shell/jetty/localhost.keystore b/dev/core/src/com/google/gwt/dev/shell/jetty/localhost.keystore
new file mode 100644
index 0000000..928d8ac
--- /dev/null
+++ b/dev/core/src/com/google/gwt/dev/shell/jetty/localhost.keystore
Binary files differ
diff --git a/dev/core/src/com/google/gwt/dev/shell/secure24.png b/dev/core/src/com/google/gwt/dev/shell/secure24.png
new file mode 100644
index 0000000..7fda062
--- /dev/null
+++ b/dev/core/src/com/google/gwt/dev/shell/secure24.png
Binary files differ
diff --git a/dev/core/src/com/google/gwt/dev/ui/DevModeUI.java b/dev/core/src/com/google/gwt/dev/ui/DevModeUI.java
index f08ea6c..f538a1e 100644
--- a/dev/core/src/com/google/gwt/dev/ui/DevModeUI.java
+++ b/dev/core/src/com/google/gwt/dev/ui/DevModeUI.java
@@ -157,6 +157,17 @@
}
/**
+ * Show in the UI that the web server, identified by the logger returned from
+ * {@link #getWebServerLogger(String, byte[])}, is operating in a secure
+ * fashion.
+ *
+ * @param serverLogger
+ */
+ public void setWebServerSecure(TreeLogger serverLogger) {
+ // do nothing by default
+ }
+
+ /**
* Call callback for a given event.
*
* @param eventType type of event
diff --git a/eclipse/samples/Showcase/Showcase-SSL.launch b/eclipse/samples/Showcase/Showcase-SSL.launch
new file mode 100644
index 0000000..c2a9d50
--- /dev/null
+++ b/eclipse/samples/Showcase/Showcase-SSL.launch
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<launchConfiguration type="org.eclipse.jdt.launching.localJavaApplication">
+<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_PATHS">
+<listEntry value="/gwt-dev/core/src/com/google/gwt/dev/DevMode.java"/>
+</listAttribute>
+<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_TYPES">
+<listEntry value="1"/>
+</listAttribute>
+<booleanAttribute key="org.eclipse.debug.core.appendEnvironmentVariables" value="true"/>
+<listAttribute key="org.eclipse.jdt.launching.CLASSPATH">
+<listEntry value="<?xml version="1.0" encoding="UTF-8"?> <runtimeClasspathEntry containerPath="org.eclipse.jdt.launching.JRE_CONTAINER" javaProject="Showcase" path="1" type="4"/> "/>
+<listEntry value="<?xml version="1.0" encoding="UTF-8"?> <runtimeClasspathEntry internalArchive="/Showcase/core/src" path="3" type="2"/> "/>
+<listEntry value="<?xml version="1.0" encoding="UTF-8"?> <runtimeClasspathEntry internalArchive="/gwt-user/core/src" path="3" type="2"/> "/>
+<listEntry value="<?xml version="1.0" encoding="UTF-8"?> <runtimeClasspathEntry internalArchive="/gwt-user/core/super" path="3" type="2"/> "/>
+<listEntry value="<?xml version="1.0" encoding="UTF-8"?> <runtimeClasspathEntry internalArchive="/gwt-dev/core/super" path="3" type="2"/> "/>
+<listEntry value="<?xml version="1.0" encoding="UTF-8"?> <runtimeClasspathEntry id="org.eclipse.jdt.launching.classpathentry.defaultClasspath"> <memento exportedEntriesOnly="false" project="Showcase"/> </runtimeClasspathEntry> "/>
+</listAttribute>
+<booleanAttribute key="org.eclipse.jdt.launching.DEFAULT_CLASSPATH" value="false"/>
+<stringAttribute key="org.eclipse.jdt.launching.MAIN_TYPE" value="com.google.gwt.dev.DevMode"/>
+<stringAttribute key="org.eclipse.jdt.launching.PROGRAM_ARGUMENTS" value="-port auto -codeServerPort auto -server :ssl -startupUrl Showcase.html com.google.gwt.sample.showcase.Showcase"/>
+<stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="Showcase"/>
+<stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS" value="-ea -Xmx512M -Dgwt.devjar=${gwt_devjar}"/>
+</launchConfiguration>
