[jetty-dev] SslSelectChannelConnector Refactor Suggestion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] SslSelectChannelConnector Refactor Suggestion

From: Chad La Joie <chad.lajoie@xxxxxxxxx>
Date: Mon, 13 Jul 2009 12:49:42 +0200
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>
Organization: SWITCH
User-agent: Thunderbird 2.0.0.22 (Macintosh/20090605)

Hey all, I'd like to suggest a small refactor of theSslSelectChannelConnector class.


Background:

I have an application that does not use standard PKIX validation duringclient-cert auth. Instead there is a separate client descriptor filewhich contains, amongst other things, the certs which may be used byclients. Therefore we have custom connectors for Tomcat and Jetty 6that use a "delegate to application" trust store (that it, the truststore says anything is good and it's up to the application to do theactual validation).

Now, I am NOT even beginning to suggest such functionality be integratedwith any container. It works for us because we have a controlledenvironment but I recognize it could cause all sorts of issues ifdeployed generally. However, in trying to extendSslSelectChannelConnector in Jetty 7 the task is made more difficultbecause the reading in of the truststore (and keystore) are conflatedwith the creation of the SSLContext. So my suggestion would be to breakthis apart. Specifically I'd suggest the following:

- Change the [get|set][Keystore|Truststore] methods to be[get|set][Keystore|Truststore]Path and operate on Strings as they do now.

- Add methods get[Keystore|Truststore] which are responsible for doingsomething and returning a KeyStore object


- Use the new methods in createSSLContext

Doing this obviously helps me out but I think it also has some otherminor benefits:- The XML declaration of the connector may be a bit clearer since theproperty names 'KeystorePath' or 'TruststorePath' are a bit moreself-documenting.- The createSSLContext shrinks down quite a bit (~50 lines of code aremoved elsewhere)- A common "read in keystore" method could be used by both getKeystoreand getTruststore and thus eliminate duplicate code.

If this sounds okay and you'd be interested in it I'll prepare a patchand submit it. Just let me know, I'm certainly willing to do the bit ofwork required to make the change.


Thanks.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie@xxxxxxxxx, http://www.switch.ch

Follow-Ups:
- Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion
  - From: Greg Wilkins

Prev by Date: Re: [jetty-dev] maintenance mode and jetty6
Next by Date: Re: [jetty-dev] Welcome Joakim Erdfelt as a new rt.jetty Committer]
Previous by thread: [jetty-dev] maintenance mode and jetty6
Next by thread: Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion
Index(es):
- Date
- Thread

Breadcrumbs