Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion

From: Greg Wilkins <gregw@xxxxxxxxxxx>
Date: Tue, 14 Jul 2009 09:26:36 +1000
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Thunderbird 2.0.0.22 (X11/20090608)

Chad,

This sounds like a good idea.... and now is the time to do any more
API changes before we go to a 7.0.0   (yes I know we did and RC0, but I
think that was a tad early/optimistic).

So a patch for this would be very welcome.  Can you also create a
bugzilla at eclipse to attach the patch to, as that should ask you
to ok the IP for inclusion.

   https://bugs.eclipse.org/bugs/

click   "Report a new bug" --> RT --> jetty

thanks in advance






Chad La Joie wrote:
> Hey all, I'd like to suggest a small refactor of the
> SslSelectChannelConnector class.
> 
> Background:
> I have an application that does not use standard PKIX validation during
> client-cert auth.  Instead there is a separate client descriptor file
> which contains, amongst other things, the certs which may be used by
> clients.  Therefore we have custom connectors for Tomcat and Jetty 6
> that use a "delegate to application" trust store (that it, the trust
> store says anything is good and it's up to the application to do the
> actual validation).
> 
> Now, I am NOT even beginning to suggest such functionality be integrated
> with any container.  It works for us because we have a controlled
> environment but I recognize it could cause all sorts of issues if
> deployed generally.  However, in trying to extend
> SslSelectChannelConnector in Jetty 7 the task is made more difficult
> because the reading in of the truststore (and keystore) are conflated
> with the creation of the SSLContext.  So my suggestion would be to break
> this apart.  Specifically I'd suggest the following:
> 
> - Change the [get|set][Keystore|Truststore] methods to be
> [get|set][Keystore|Truststore]Path and operate on Strings as they do now.
> 
> - Add methods get[Keystore|Truststore] which are responsible for doing
> something and returning a KeyStore object
> 
> - Use the new methods in createSSLContext
> 
> Doing this obviously helps me out but I think it also has some other
> minor benefits:
> -  The XML declaration of the connector may be a bit clearer since the
> property names 'KeystorePath' or 'TruststorePath' are a bit more
> self-documenting.
> - The createSSLContext shrinks down quite a bit (~50 lines of code are
> moved elsewhere)
> - A common "read in keystore" method could be used by both getKeystore
> and getTruststore and thus eliminate duplicate code.
> 
> If this sounds okay and you'd be interested in it I'll prepare a patch
> and submit it.  Just let me know, I'm certainly willing to do the bit of
> work required to make the change.
> 
> Thanks.
>

Follow-Ups:
- Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion
  - From: Chad La Joie

References:
- [jetty-dev] SslSelectChannelConnector Refactor Suggestion
  - From: Chad La Joie

Prev by Date: [jetty-dev] jetty dependency's and 'releasing' within eclipse
Next by Date: Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion
Previous by thread: [jetty-dev] SslSelectChannelConnector Refactor Suggestion
Next by thread: Re: [jetty-dev] SslSelectChannelConnector Refactor Suggestion
Index(es):
- Date
- Thread

Breadcrumbs