Example #1
0
 protected static OptionMap getOptions(ModelNode properties) {
   final OptionMap optionMap;
   if (properties.isDefined() && properties.asInt() > 0) {
     OptionMap.Builder builder = OptionMap.builder();
     final ClassLoader loader = SecurityActions.getClassLoader(ConnectorResource.class);
     for (Property property : properties.asPropertyList()) {
       String name = property.getName();
       if (!name.contains(".")) {
         name = "org.xnio.Options." + name;
       }
       final Option option = Option.fromString(name, loader);
       builder.set(
           option,
           option.parseValue(property.getValue().get(CommonAttributes.VALUE).asString(), loader));
     }
     optionMap = builder.getMap();
   } else {
     optionMap = OptionMap.EMPTY;
   }
   return optionMap;
 }
 /** {@inheritDoc} */
 @Override
 public <T> T getOption(final Option<T> option) throws IOException {
   if (option == Options.SSL_CLIENT_AUTH_MODE) {
     return option.cast(
         engine.getNeedClientAuth()
             ? SslClientAuthMode.REQUIRED
             : engine.getWantClientAuth()
                 ? SslClientAuthMode.REQUESTED
                 : SslClientAuthMode.NOT_REQUESTED);
   } else {
     return option == Options.SECURE ? (T) Boolean.TRUE : delegate.getOption(option);
   }
 }
 /** {@inheritDoc} */
 @Override
 public <T> T setOption(final Option<T> option, final T value)
     throws IllegalArgumentException, IOException {
   if (option == Options.SSL_CLIENT_AUTH_MODE) {
     try {
       return option.cast(
           engine.getNeedClientAuth()
               ? SslClientAuthMode.REQUIRED
               : engine.getWantClientAuth()
                   ? SslClientAuthMode.REQUESTED
                   : SslClientAuthMode.NOT_REQUESTED);
     } finally {
       engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
       engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
     }
   } else if (option == Options.SECURE) {
     throw new IllegalArgumentException();
   } else {
     return delegate.setOption(option, value);
   }
 }
Example #4
0
/** @author Stuart Douglas */
public class UndertowOptions {

  /** The maximum size in bytes of a http request header. */
  public static final Option<Integer> MAX_HEADER_SIZE =
      Option.simple(UndertowOptions.class, "MAX_HEADER_SIZE", Integer.class);
  /** The default size we allow for the HTTP header. */
  public static final int DEFAULT_MAX_HEADER_SIZE = 50 * 1024;

  /** The default maximum size of the HTTP entity body. */
  public static final Option<Long> MAX_ENTITY_SIZE =
      Option.simple(UndertowOptions.class, "MAX_ENTITY_SIZE", Long.class);

  /** We do not have a default upload limit */
  public static final long DEFAULT_MAX_ENTITY_SIZE = -1;

  /** If we should buffer pipelined requests. Defaults to false. */
  public static final Option<Boolean> BUFFER_PIPELINED_DATA =
      Option.simple(UndertowOptions.class, "BUFFER_PIPELINED_DATA", Boolean.class);

  /** The idle timeout in milliseconds after which the channel will be closed. */
  public static final Option<Long> IDLE_TIMEOUT =
      Option.simple(UndertowOptions.class, "IDLE_TIMEOUT", Long.class);

  /**
   * The maximum number of parameters that will be parsed. This is used to protect against hash
   * vulnerabilities.
   *
   * <p>This applies to both query parameters, and to POST data, but is not cumulative (i.e. you can
   * potentially have max parameters * 2 total parameters).
   *
   * <p>Defaults to 1000
   */
  public static final Option<Integer> MAX_PARAMETERS =
      Option.simple(UndertowOptions.class, "MAX_PARAMETERS", Integer.class);

  /**
   * The maximum number of headers that will be parsed. This is used to protect against hash
   * vulnerabilities.
   *
   * <p>Defaults to 200
   */
  public static final Option<Integer> MAX_HEADERS =
      Option.simple(UndertowOptions.class, "MAX_HEADERS", Integer.class);

  /**
   * The maximum number of cookies that will be parsed. This is used to protect against hash
   * vulnerabilities.
   *
   * <p>Defaults to 200
   */
  public static final Option<Integer> MAX_COOKIES =
      Option.simple(UndertowOptions.class, "MAX_COOKIES", Integer.class);

  /**
   * If a request comes in with encoded / characters (i.e. %2F), will these be decoded.
   *
   * <p>This can cause security problems if a front end proxy does not perform the same decoding,
   * and as a result this is disabled by default.
   *
   * <p>Defaults to false
   *
   * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
   */
  public static final Option<Boolean> ALLOW_ENCODED_SLASH =
      Option.simple(UndertowOptions.class, "ALLOW_ENCODED_SLASH", Boolean.class);

  /**
   * If this is true then the parser will decode the URL and query parameters using the selected
   * character encoding (UTF-8 by default). If this is false they will not be decoded. This will
   * allow a later handler to decode them into whatever charset is desired.
   *
   * <p>Defaults to true.
   */
  public static final Option<Boolean> DECODE_URL =
      Option.simple(UndertowOptions.class, "DECODE_URL", Boolean.class);

  /**
   * If this is true then the parser will decode the URL and query parameters using the selected
   * character encoding (UTF-8 by default). If this is false they will not be decoded. This will
   * allow a later handler to decode them into whatever charset is desired.
   *
   * <p>Defaults to true.
   */
  public static final Option<String> URL_CHARSET =
      Option.simple(UndertowOptions.class, "URL_CHARSET", String.class);

  /**
   * If this is true then a Connection: keep-alive header will be added to responses, even when it
   * is not strictly required by the specification.
   *
   * <p>Defaults to true
   */
  public static final Option<Boolean> ALWAYS_SET_KEEP_ALIVE =
      Option.simple(UndertowOptions.class, "ALWAYS_SET_KEEP_ALIVE", Boolean.class);

  /**
   * If this is true then a Date header will be added to all responses. The HTTP spec says this
   * header should be added to all responses, unless the server does not have an accurate clock.
   *
   * <p>Defaults to true
   */
  public static final Option<Boolean> ALWAYS_SET_DATE =
      Option.simple(UndertowOptions.class, "ALWAYS_SET_DATE", Boolean.class);

  /**
   * Maximum size of a buffered request, in bytes
   *
   * <p>Requests are not usually buffered, the most common case is when performing SSL renegotiation
   * for a POST request, and the post data must be fully buffered in order to perform the
   * renegotiation.
   *
   * <p>Defaults to 16384.
   */
  public static final Option<Integer> MAX_BUFFERED_REQUEST_SIZE =
      Option.simple(UndertowOptions.class, "MAX_BUFFERED_REQUEST_SIZE", Integer.class);

  /**
   * If this is true then Undertow will record the request start time, to allow for request time to
   * be logged
   *
   * <p>This has a small but measurable performance impact
   *
   * <p>default is false
   */
  public static final Option<Boolean> RECORD_REQUEST_START_TIME =
      Option.simple(UndertowOptions.class, "RECORD_REQUEST_START_TIME", Boolean.class);

  /**
   * If this is true then Undertow will allow non-escaped equals characters in unquoted cookie
   * values.
   *
   * <p>Unquoted cookie values may not contain equals characters. If present the value ends before
   * the equals sign. The remainder of the cookie value will be dropped.
   *
   * <p>default is false
   */
  public static final Option<Boolean> ALLOW_EQUALS_IN_COOKIE_VALUE =
      Option.simple(UndertowOptions.class, "ALLOW_EQUALS_IN_COOKIE_VALUE", Boolean.class);

  private UndertowOptions() {}
}
/** @author Stuart Douglas */
class UndertowSslConnection extends SslConnection {

  private static final Set<Option<?>> SUPPORTED_OPTIONS =
      Option.setBuilder().add(Options.SECURE, Options.SSL_CLIENT_AUTH_MODE).create();

  private final StreamConnection delegate;
  private final SslConduit sslConduit;
  private final ChannelListener.SimpleSetter<SslConnection> handshakeSetter =
      new ChannelListener.SimpleSetter<>();
  private final SSLEngine engine;

  /**
   * Construct a new instance.
   *
   * @param delegate the underlying connection
   */
  UndertowSslConnection(StreamConnection delegate, SSLEngine engine, ByteBufferPool bufferPool) {
    super(delegate.getIoThread());
    this.delegate = delegate;
    this.engine = engine;
    sslConduit = new SslConduit(this, delegate, engine, bufferPool, new HandshakeCallback());
    setSourceConduit(sslConduit);
    setSinkConduit(sslConduit);
  }

  @Override
  public void startHandshake() throws IOException {
    sslConduit.startHandshake();
  }

  @Override
  public SSLSession getSslSession() {
    return sslConduit.getSslSession();
  }

  @Override
  public ChannelListener.Setter<? extends SslConnection> getHandshakeSetter() {
    return handshakeSetter;
  }

  @Override
  protected void notifyWriteClosed() {
    sslConduit.notifyWriteClosed();
  }

  @Override
  protected void notifyReadClosed() {
    sslConduit.notifyReadClosed();
  }

  @Override
  public SocketAddress getPeerAddress() {
    return delegate.getPeerAddress();
  }

  @Override
  public SocketAddress getLocalAddress() {
    return delegate.getLocalAddress();
  }

  public SSLEngine getSSLEngine() {
    return sslConduit.getSSLEngine();
  }

  SslConduit getSslConduit() {
    return sslConduit;
  }

  /** {@inheritDoc} */
  @Override
  public <T> T setOption(final Option<T> option, final T value)
      throws IllegalArgumentException, IOException {
    if (option == Options.SSL_CLIENT_AUTH_MODE) {
      try {
        return option.cast(
            engine.getNeedClientAuth()
                ? SslClientAuthMode.REQUIRED
                : engine.getWantClientAuth()
                    ? SslClientAuthMode.REQUESTED
                    : SslClientAuthMode.NOT_REQUESTED);
      } finally {
        engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
        engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
      }
    } else if (option == Options.SECURE) {
      throw new IllegalArgumentException();
    } else {
      return delegate.setOption(option, value);
    }
  }

  /** {@inheritDoc} */
  @Override
  public <T> T getOption(final Option<T> option) throws IOException {
    if (option == Options.SSL_CLIENT_AUTH_MODE) {
      return option.cast(
          engine.getNeedClientAuth()
              ? SslClientAuthMode.REQUIRED
              : engine.getWantClientAuth()
                  ? SslClientAuthMode.REQUESTED
                  : SslClientAuthMode.NOT_REQUESTED);
    } else {
      return option == Options.SECURE ? (T) Boolean.TRUE : delegate.getOption(option);
    }
  }

  /** {@inheritDoc} */
  @Override
  public boolean supportsOption(final Option<?> option) {
    return SUPPORTED_OPTIONS.contains(option) || delegate.supportsOption(option);
  }

  @Override
  protected boolean readClosed() {
    return super.readClosed();
  }

  @Override
  protected boolean writeClosed() {
    return super.writeClosed();
  }

  protected void closeAction() {
    sslConduit.close();
  }

  private final class HandshakeCallback implements Runnable {

    @Override
    public void run() {
      final ChannelListener<? super SslConnection> listener = handshakeSetter.get();
      if (listener == null) {
        return;
      }
      ChannelListeners.<SslConnection>invokeChannelListener(UndertowSslConnection.this, listener);
    }
  }
}