/**
 * Initialises the gateway's SSL material and caches the TLS settings from {@code config}.
 *
 * <p>The steps run in a fixed order: the security-related system property is set, the gateway
 * credential store is created when absent, the gateway keystore is created when absent (seeded
 * with a self-signed "gateway-identity" certificate), the identity certificate is logged and
 * validated, and finally the keystore/truststore settings are copied into fields.
 *
 * @param config  gateway configuration supplying the DH key size, keystore type, excluded SSL
 *                protocols, client-auth flag and truststore settings
 * @param options service options; not read by this implementation
 * @throws ServiceLifecycleException if the credential store or keystore cannot be read or
 *         created, if the identity passphrase cannot be read from the credential store, or if
 *         certificate validation fails
 */
@Override
public void init(GatewayConfig config, Map<String, String> options)
    throws ServiceLifecycleException {
  // Security-related JSSE system properties are set before any keystore work.
  System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());

  ensureGatewayCredentialStore();
  ensureGatewayKeystore();

  keystoreType = config.getKeystoreType();
  sslExcludeProtocols = config.getExcludedSSLProtocols();
  clientAuthNeeded = config.isClientAuthNeeded();
  truststorePath = config.getTruststorePath();
  trustAllCerts = config.getTrustAllCerts();
  trustStoreType = config.getTruststoreType();
}

/**
 * Creates the gateway credential store if it does not exist yet.
 *
 * <p>No separate key passphrase alias is generated by default any more; a deployment that wants
 * a key passphrase different from the master secret adds the alias explicitly with the CLI.
 *
 * @throws ServiceLifecycleException if the keystore service fails while checking for or
 *         creating the credential store
 */
private void ensureGatewayCredentialStore() throws ServiceLifecycleException {
  try {
    boolean present = ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME);
    if (present) {
      log.credentialStoreForGatewayFoundNotCreating();
    } else {
      log.creatingCredentialStoreForGateway();
      ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
    }
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException(
        "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.",
        e);
  }
}

/**
 * Creates the gateway keystore with a self-signed identity certificate if it does not exist yet,
 * then logs and validates the identity certificate.
 *
 * <p>The self-signed certificate's key is protected with the gateway identity passphrase from
 * the credential store; when no such alias exists the master secret is used instead.
 *
 * @throws ServiceLifecycleException if the keystore service fails, if the identity passphrase
 *         cannot be read from the credential store, or if certificate validation fails
 */
private void ensureGatewayKeystore() throws ServiceLifecycleException {
  try {
    if (ks.isKeystoreForGatewayAvailable()) {
      log.keyStoreForGatewayFoundNotCreating();
    } else {
      log.creatingKeyStoreForGateway();
      ks.createKeystoreForGateway();
      char[] identityPassphrase;
      try {
        identityPassphrase = as.getGatewayIdentityPassphrase();
      } catch (AliasServiceException e) {
        throw new ServiceLifecycleException(
            "Error accessing credential store for the gateway.", e);
      }
      // Fall back to the master secret when no explicit identity passphrase alias exists.
      char[] keyPassphrase =
          (identityPassphrase != null) ? identityPassphrase : ms.getMasterSecret();
      ks.addSelfSignedCertForGateway("gateway-identity", keyPassphrase);
    }
    logAndValidateCertificate();
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException(
        "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.",
        e);
  }
}
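/**
 * Logs the subject CN and validity window of the gateway identity certificate and refuses to
 * continue if the certificate is missing, not X.509, or outside its validity period.
 *
 * <p>The certificate is looked up under the {@code gateway-identity} alias. The CN and the
 * not-before / not-after dates are logged to aid SSL debugging; the validity check stops the
 * server from starting with a certificate clients would reject.
 *
 * <p>Fix: the "cannot be found" and "not of the expected type" messages were previously attached
 * to the wrong branches (null certificate vs. non-X.509 certificate); they are now reported on
 * the branch they describe.
 *
 * @throws ServiceLifecycleException if the certificate cannot be retrieved, is absent, is not an
 *         {@link X509Certificate}, or is expired / not yet valid
 */
private void logAndValidateCertificate() throws ServiceLifecycleException {
  Certificate cert;
  try {
    cert = as.getCertificateForGateway("gateway-identity");
  } catch (AliasServiceException e) {
    throw new ServiceLifecycleException(
        "Cannot Retreive Gateway SSL Certificate. Server will not start.", e);
  }
  if (cert == null) {
    throw new ServiceLifecycleException(
        "Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias.");
  }
  if (!(cert instanceof X509Certificate)) {
    throw new ServiceLifecycleException(
        "Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
  }
  X509Certificate x509 = (X509Certificate) cert;

  // Log the hostname (CN) and the validity period of the gateway's public cert.
  X500Principal subject = x509.getSubjectX500Principal();
  X500PrincipalParser parser = new X500PrincipalParser(subject);
  log.certificateHostNameForGateway(parser.getCN());
  Date notBefore = x509.getNotBefore();
  Date notAfter = x509.getNotAfter();
  log.certificateValidityPeriod(notBefore, notAfter);

  // Do not start at all if the current date is outside the certificate's validity period.
  try {
    x509.checkValidity();
  } catch (CertificateExpiredException e) {
    throw new ServiceLifecycleException(
        "Gateway SSL Certificate is Expired. Server will not start.", e);
  } catch (CertificateNotYetValidException e) {
    throw new ServiceLifecycleException(
        "Gateway SSL Certificate is not yet valid. Server will not start.", e);
  }
}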
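/**
 * Rewrites the request path to the configured target, forwards it over a Kerberos-authenticated
 * connection and streams the upstream response body back to the client.
 *
 * <p>The target is derived from the request's path info via the "pattern" / "target" init
 * parameters; {@code url} is accepted for interface compatibility but not used here. Every
 * request parameter (all values, not just the first) is re-appended to the target URL with
 * both name and value URL-encoded. A DISPATCH audit record is written with outcome UNAVAILABLE
 * before connecting and SUCCESS after the body has been copied; authentication failures and
 * upstream 404s are translated to 401 / 404 responses and audited as FAILURE. Other
 * {@link IOException}s propagate to the container without a FAILURE audit record.
 *
 * @param url      unused; kept for interface compatibility
 * @param request  inbound request supplying path info and parameters
 * @param response outbound response that receives the upstream body or an error status
 * @throws IOException        if the upstream connection or the response stream fails
 * @throws URISyntaxException if the request path info is not a valid URI
 */
public void doGet(URI url, HttpServletRequest request, HttpServletResponse response)
    throws IOException, URISyntaxException {
  String sourcePathInfo = request.getPathInfo();
  String sourcePattern = getConfig().getInitParameter("pattern");
  String targetPattern = getConfig().getInitParameter("target");
  // TODO: Some of the compilation should be done at servlet init for performance reasons.
  Template sourceTemplate = Parser.parseTemplate(sourcePattern);
  Template targetTemplate = Parser.parseTemplate(targetPattern);
  Resolver resolver = new DispatchParamResolver(getConfig(), request);
  URI sourceUri = new URI(sourcePathInfo);
  URI targetUri = Rewriter.rewrite(sourceUri, sourceTemplate, targetTemplate, resolver, null);
  String urlStr = targetUri.toString() + buildQueryString(request);
  try {
    URL clientUrl = new URL(urlStr);
    AuthenticatedURL.Token token = new AuthenticatedURL.Token();
    KerberosAuthenticator authenticator = new KerberosAuthenticator();
    auditor.audit(Action.DISPATCH, urlStr, ResourceType.URI, ActionOutcome.UNAVAILABLE);
    HttpURLConnection conn = new AuthenticatedURL(authenticator).openConnection(clientUrl, token);
    InputStream input = conn.getInputStream();
    if (input != null) {
      try {
        // Obtain the output stream inside the outer try so a failure here still closes input.
        OutputStream output = response.getOutputStream();
        try {
          IOUtils.copy(input, output);
        } finally {
          output.flush();
        }
      } finally {
        input.close();
      }
    }
    auditor.audit(Action.DISPATCH, urlStr, ResourceType.URI, ActionOutcome.SUCCESS);
  } catch (AuthenticationException e) {
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    LOG.failedToEstablishConnectionToUrl(urlStr, e);
    auditor.audit(
        Action.DISPATCH, urlStr, ResourceType.URI, ActionOutcome.FAILURE,
        RES.responseStatus(HttpServletResponse.SC_UNAUTHORIZED));
  } catch (FileNotFoundException e) {
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
    LOG.failedToEstablishConnectionToUrl(urlStr, e);
    auditor.audit(
        Action.DISPATCH, urlStr, ResourceType.URI, ActionOutcome.FAILURE,
        RES.responseStatus(HttpServletResponse.SC_NOT_FOUND));
  }
}

/**
 * Builds the query string to append to the target URL from the request parameters.
 *
 * <p>Returns an empty string when the request has no parameters, otherwise a string starting
 * with {@code ?}. Every value of a multi-valued parameter is included, and parameter names are
 * URL-encoded as well as values so names containing {@code &} or {@code =} cannot alter the
 * structure of the forwarded query.
 *
 * @param request inbound request whose parameters are forwarded
 * @return the encoded query string, or {@code ""} when there are no parameters
 * @throws IOException if the UTF-8 encoding is unavailable (never on a conforming JVM)
 */
private static String buildQueryString(HttpServletRequest request) throws IOException {
  StringBuilder query = new StringBuilder();
  Enumeration<?> paramNames = request.getParameterNames();
  while (paramNames.hasMoreElements()) {
    String name = (String) paramNames.nextElement();
    String[] values = request.getParameterValues(name);
    if (values == null) {
      continue;
    }
    String encodedName = URLEncoder.encode(name, "UTF-8");
    for (String value : values) {
      query.append(query.length() == 0 ? '?' : '&');
      query.append(encodedName).append('=').append(URLEncoder.encode(value, "UTF-8"));
    }
  }
  return query.toString();
}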