Java tutorial
/* * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package javax.rmi.ssl; import java.io.IOException; import java.net.ServerSocket; import java.net.Socket; import java.rmi.server.RMIServerSocketFactory; import java.util.Arrays; import java.util.List; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; /** * <p>An <code>SslRMIServerSocketFactory</code> instance is used by the RMI * runtime in order to obtain server sockets for RMI calls via SSL.</p> * * <p>This class implements <code>RMIServerSocketFactory</code> over * the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) * protocols.</p> * * <p>This class creates SSL sockets using the default * <code>SSLSocketFactory</code> (see {@link * SSLSocketFactory#getDefault}) or the default * <code>SSLServerSocketFactory</code> (see {@link * SSLServerSocketFactory#getDefault}) unless the * constructor taking an <code>SSLContext</code> is * used in which case the SSL sockets are created using * the <code>SSLSocketFactory</code> returned by * {@link SSLContext#getSocketFactory} or the * <code>SSLServerSocketFactory</code> returned by * {@link SSLContext#getServerSocketFactory}. * * When an <code>SSLContext</code> is not supplied all the instances of this * class share the same keystore, and the same truststore (when client * authentication is required by the server). This behavior can be modified * by supplying an already initialized <code>SSLContext</code> instance. * * @see javax.net.ssl.SSLSocketFactory * @see javax.net.ssl.SSLServerSocketFactory * @see javax.rmi.ssl.SslRMIClientSocketFactory * @since 1.5 */ public class SslRMIServerSocketFactory implements RMIServerSocketFactory { /** * <p>Creates a new <code>SslRMIServerSocketFactory</code> with * the default SSL socket configuration.</p> * * <p>SSL connections accepted by server sockets created by this * factory have the default cipher suites and protocol versions * enabled and do not require client authentication.</p> */ public SslRMIServerSocketFactory() { this(null, null, false); } /** * <p>Creates a new <code>SslRMIServerSocketFactory</code> with * the specified SSL socket configuration.</p> * * @param enabledCipherSuites names of all the cipher suites to * enable on SSL connections accepted by server sockets created by * this factory, or <code>null</code> to use the cipher suites * that are enabled by default * * @param enabledProtocols names of all the protocol versions to * enable on SSL connections accepted by server sockets created by * this factory, or <code>null</code> to use the protocol versions * that are enabled by default * * @param needClientAuth <code>true</code> to require client * authentication on SSL connections accepted by server sockets * created by this factory; <code>false</code> to not require * client authentication * * @exception IllegalArgumentException when one or more of the cipher * suites named by the <code>enabledCipherSuites</code> parameter is * not supported, when one or more of the protocols named by the * <code>enabledProtocols</code> parameter is not supported or when * a problem is encountered while trying to check if the supplied * cipher suites and protocols to be enabled are supported. * * @see SSLSocket#setEnabledCipherSuites * @see SSLSocket#setEnabledProtocols * @see SSLSocket#setNeedClientAuth */ public SslRMIServerSocketFactory(String[] enabledCipherSuites, String[] enabledProtocols, boolean needClientAuth) throws IllegalArgumentException { this(null, enabledCipherSuites, enabledProtocols, needClientAuth); } /** * <p>Creates a new <code>SslRMIServerSocketFactory</code> with the * specified <code>SSLContext</code> and SSL socket configuration.</p> * * @param context the SSL context to be used for creating SSL sockets. * If <code>context</code> is null the default <code>SSLSocketFactory</code> * or the default <code>SSLServerSocketFactory</code> will be used to * create SSL sockets. Otherwise, the socket factory returned by * <code>SSLContext.getSocketFactory()</code> or * <code>SSLContext.getServerSocketFactory()</code> will be used instead. * * @param enabledCipherSuites names of all the cipher suites to * enable on SSL connections accepted by server sockets created by * this factory, or <code>null</code> to use the cipher suites * that are enabled by default * * @param enabledProtocols names of all the protocol versions to * enable on SSL connections accepted by server sockets created by * this factory, or <code>null</code> to use the protocol versions * that are enabled by default * * @param needClientAuth <code>true</code> to require client * authentication on SSL connections accepted by server sockets * created by this factory; <code>false</code> to not require * client authentication * * @exception IllegalArgumentException when one or more of the cipher * suites named by the <code>enabledCipherSuites</code> parameter is * not supported, when one or more of the protocols named by the * <code>enabledProtocols</code> parameter is not supported or when * a problem is encountered while trying to check if the supplied * cipher suites and protocols to be enabled are supported. * * @see SSLSocket#setEnabledCipherSuites * @see SSLSocket#setEnabledProtocols * @see SSLSocket#setNeedClientAuth * @since 1.7 */ public SslRMIServerSocketFactory(SSLContext context, String[] enabledCipherSuites, String[] enabledProtocols, boolean needClientAuth) throws IllegalArgumentException { // Initialize the configuration parameters. // this.enabledCipherSuites = enabledCipherSuites == null ? null : enabledCipherSuites.clone(); this.enabledProtocols = enabledProtocols == null ? null : enabledProtocols.clone(); this.needClientAuth = needClientAuth; // Force the initialization of the default at construction time, // rather than delaying it to the first time createServerSocket() // is called. // this.context = context; final SSLSocketFactory sslSocketFactory = context == null ? getDefaultSSLSocketFactory() : context.getSocketFactory(); SSLSocket sslSocket = null; if (this.enabledCipherSuites != null || this.enabledProtocols != null) { try { sslSocket = (SSLSocket) sslSocketFactory.createSocket(); } catch (Exception e) { final String msg = "Unable to check if the cipher suites " + "and protocols to enable are supported"; throw (IllegalArgumentException) new IllegalArgumentException(msg).initCause(e); } } // Check if all the cipher suites and protocol versions to enable // are supported by the underlying SSL/TLS implementation and if // true create lists from arrays. // if (this.enabledCipherSuites != null) { sslSocket.setEnabledCipherSuites(this.enabledCipherSuites); enabledCipherSuitesList = Arrays.asList(this.enabledCipherSuites); } if (this.enabledProtocols != null) { sslSocket.setEnabledProtocols(this.enabledProtocols); enabledProtocolsList = Arrays.asList(this.enabledProtocols); } } /** * <p>Returns the names of the cipher suites enabled on SSL * connections accepted by server sockets created by this factory, * or <code>null</code> if this factory uses the cipher suites * that are enabled by default.</p> * * @return an array of cipher suites enabled, or <code>null</code> * * @see SSLSocket#setEnabledCipherSuites */ public final String[] getEnabledCipherSuites() { return enabledCipherSuites == null ? null : enabledCipherSuites.clone(); } /** * <p>Returns the names of the protocol versions enabled on SSL * connections accepted by server sockets created by this factory, * or <code>null</code> if this factory uses the protocol versions * that are enabled by default.</p> * * @return an array of protocol versions enabled, or * <code>null</code> * * @see SSLSocket#setEnabledProtocols */ public final String[] getEnabledProtocols() { return enabledProtocols == null ? null : enabledProtocols.clone(); } /** * <p>Returns <code>true</code> if client authentication is * required on SSL connections accepted by server sockets created * by this factory.</p> * * @return <code>true</code> if client authentication is required * * @see SSLSocket#setNeedClientAuth */ public final boolean getNeedClientAuth() { return needClientAuth; } /** * <p>Creates a server socket that accepts SSL connections * configured according to this factory's SSL socket configuration * parameters.</p> */ public ServerSocket createServerSocket(int port) throws IOException { final SSLSocketFactory sslSocketFactory = context == null ? getDefaultSSLSocketFactory() : context.getSocketFactory(); return new ServerSocket(port) { public Socket accept() throws IOException { Socket socket = super.accept(); SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(socket, socket.getInetAddress().getHostName(), socket.getPort(), true); sslSocket.setUseClientMode(false); if (enabledCipherSuites != null) { sslSocket.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols != null) { sslSocket.setEnabledProtocols(enabledProtocols); } sslSocket.setNeedClientAuth(needClientAuth); return sslSocket; } }; } /** * <p>Indicates whether some other object is "equal to" this one.</p> * * <p>Two <code>SslRMIServerSocketFactory</code> objects are equal * if they have been constructed with the same SSL context and * SSL socket configuration parameters.</p> * * <p>A subclass should override this method (as well as * {@link #hashCode()}) if it adds instance state that affects * equality.</p> */ public boolean equals(Object obj) { if (obj == null) return false; if (obj == this) return true; if (!(obj instanceof SslRMIServerSocketFactory)) return false; SslRMIServerSocketFactory that = (SslRMIServerSocketFactory) obj; return (getClass().equals(that.getClass()) && checkParameters(that)); } private boolean checkParameters(SslRMIServerSocketFactory that) { // SSL context // if (context == null ? that.context != null : !context.equals(that.context)) return false; // needClientAuth flag // if (needClientAuth != that.needClientAuth) return false; // enabledCipherSuites // if ((enabledCipherSuites == null && that.enabledCipherSuites != null) || (enabledCipherSuites != null && that.enabledCipherSuites == null)) return false; if (enabledCipherSuites != null && that.enabledCipherSuites != null) { List<String> thatEnabledCipherSuitesList = Arrays.asList(that.enabledCipherSuites); if (!enabledCipherSuitesList.equals(thatEnabledCipherSuitesList)) return false; } // enabledProtocols // if ((enabledProtocols == null && that.enabledProtocols != null) || (enabledProtocols != null && that.enabledProtocols == null)) return false; if (enabledProtocols != null && that.enabledProtocols != null) { List<String> thatEnabledProtocolsList = Arrays.asList(that.enabledProtocols); if (!enabledProtocolsList.equals(thatEnabledProtocolsList)) return false; } return true; } /** * <p>Returns a hash code value for this * <code>SslRMIServerSocketFactory</code>.</p> * * @return a hash code value for this * <code>SslRMIServerSocketFactory</code>. */ public int hashCode() { return getClass().hashCode() + (context == null ? 0 : context.hashCode()) + (needClientAuth ? Boolean.TRUE.hashCode() : Boolean.FALSE.hashCode()) + (enabledCipherSuites == null ? 0 : enabledCipherSuitesList.hashCode()) + (enabledProtocols == null ? 0 : enabledProtocolsList.hashCode()); } // We use a static field because: // // SSLSocketFactory.getDefault() always returns the same object // (at least on Sun's implementation), and we want to make sure // that the Javadoc & the implementation stay in sync. // // If someone needs to have different SslRMIServerSocketFactory // factories with different underlying SSLSocketFactory objects // using different keystores and truststores, he/she can always // use the constructor that takes an SSLContext as input. // private static SSLSocketFactory defaultSSLSocketFactory = null; private static synchronized SSLSocketFactory getDefaultSSLSocketFactory() { if (defaultSSLSocketFactory == null) defaultSSLSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); return defaultSSLSocketFactory; } private final String[] enabledCipherSuites; private final String[] enabledProtocols; private final boolean needClientAuth; private List<String> enabledCipherSuitesList; private List<String> enabledProtocolsList; private SSLContext context; }