public void testServerParametersClientAuthentication() throws Exception {
SSLContext controlContext = SSLContext.getInstance("TLS");
controlContext.init(null, null, null);
SSLEngine controlEngine = controlContext.createSSLEngine();
SSLServerSocket controlServerSocket =
(SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();
SSLContextParameters scp = new SSLContextParameters();
SSLContextServerParameters scsp = new SSLContextServerParameters();
scp.setServerParameters(scsp);
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
SSLServerSocket serverSocket =
(SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth());
assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth());
assertEquals(controlEngine.getWantClientAuth(), engine.getWantClientAuth());
assertEquals(controlEngine.getNeedClientAuth(), engine.getNeedClientAuth());
// ClientAuthentication - NONE
scsp.setClientAuthentication(ClientAuthentication.NONE.name());
context = scp.createSSLContext();
engine = context.createSSLEngine();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(false, serverSocket.getWantClientAuth());
assertEquals(false, serverSocket.getNeedClientAuth());
assertEquals(false, engine.getWantClientAuth());
assertEquals(false, engine.getNeedClientAuth());
// ClientAuthentication - WANT
scsp.setClientAuthentication(ClientAuthentication.WANT.name());
context = scp.createSSLContext();
engine = context.createSSLEngine();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(true, serverSocket.getWantClientAuth());
assertEquals(false, serverSocket.getNeedClientAuth());
assertEquals(true, engine.getWantClientAuth());
assertEquals(false, engine.getNeedClientAuth());
// ClientAuthentication - REQUIRE
scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
context = scp.createSSLContext();
engine = context.createSSLEngine();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(false, serverSocket.getWantClientAuth());
assertEquals(true, serverSocket.getNeedClientAuth());
assertEquals(false, engine.getWantClientAuth());
assertEquals(true, engine.getNeedClientAuth());
}
/** {@inheritDoc} */
@Override
public <T> T getOption(final Option<T> option) throws IOException {
if (option == Options.SSL_CLIENT_AUTH_MODE) {
return option.cast(
engine.getNeedClientAuth()
? SslClientAuthMode.REQUIRED
: engine.getWantClientAuth()
? SslClientAuthMode.REQUESTED
: SslClientAuthMode.NOT_REQUESTED);
} else {
return option == Options.SECURE ? (T) Boolean.TRUE : delegate.getOption(option);
}
}
/**
* Start a new handshake operation for this channel.
*
* @see #handshake()
* @throws SSLException
*/
protected void reHandshake() throws SSLException {
if (sslEngine.getWantClientAuth()) {
CoyoteLogger.UTIL_LOGGER.debug("No client cert sent for want");
} else {
if (!sslEngine.getNeedClientAuth()) {
sslEngine.setNeedClientAuth(true);
} else {
CoyoteLogger.UTIL_LOGGER.debug("Already need client cert");
}
}
handshakeComplete = false;
handshakeStatus = sslEngine.getHandshakeStatus();
try {
doHandshake();
} catch (Exception e) {
throw new SSLException(e);
}
}
/** {@inheritDoc} */
@Override
public <T> T setOption(final Option<T> option, final T value)
throws IllegalArgumentException, IOException {
if (option == Options.SSL_CLIENT_AUTH_MODE) {
try {
return option.cast(
engine.getNeedClientAuth()
? SslClientAuthMode.REQUIRED
: engine.getWantClientAuth()
? SslClientAuthMode.REQUESTED
: SslClientAuthMode.NOT_REQUESTED);
} finally {
engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
}
} else if (option == Options.SECURE) {
throw new IllegalArgumentException();
} else {
return delegate.setOption(option, value);
}
}
