ServerHttpRequest exposes SSL certificates
Issue: SPR-15964
This commit is contained in:
@@ -59,6 +59,9 @@ public abstract class AbstractServerHttpRequest implements ServerHttpRequest {
|
||||
@Nullable
|
||||
private MultiValueMap<String, HttpCookie> cookies;
|
||||
|
||||
@Nullable
|
||||
private SslInfo sslInfo;
|
||||
|
||||
|
||||
/**
|
||||
* Constructor with the URI and headers for the request.
|
||||
@@ -152,6 +155,23 @@ public abstract class AbstractServerHttpRequest implements ServerHttpRequest {
|
||||
*/
|
||||
protected abstract MultiValueMap<String, HttpCookie> initCookies();
|
||||
|
||||
@Nullable
|
||||
@Override
|
||||
public SslInfo getSslInfo() {
|
||||
if (this.sslInfo == null) {
|
||||
this.sslInfo = initSslInfo();
|
||||
}
|
||||
return this.sslInfo;
|
||||
}
|
||||
|
||||
/**
|
||||
* Obtain SSL session information from the underlying "native" request.
|
||||
* @return the SSL information or {@code null} if not available
|
||||
* @since 5.0.2
|
||||
*/
|
||||
@Nullable
|
||||
protected abstract SslInfo initSslInfo();
|
||||
|
||||
/**
|
||||
* Return the underlying server response.
|
||||
* <p><strong>Note:</strong> This is exposed mainly for internal framework
|
||||
|
||||
@@ -52,9 +52,6 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
|
||||
|
||||
private final MultiValueMap<String, HttpCookie> cookies;
|
||||
|
||||
@Nullable
|
||||
private final InetSocketAddress remoteAddress;
|
||||
|
||||
@Nullable
|
||||
private String uriPath;
|
||||
|
||||
@@ -71,7 +68,6 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
|
||||
|
||||
this.uri = original.getURI();
|
||||
this.httpMethodValue = original.getMethodValue();
|
||||
this.remoteAddress = original.getRemoteAddress();
|
||||
this.body = original.getBody();
|
||||
|
||||
this.httpHeaders = new HttpHeaders();
|
||||
@@ -135,8 +131,7 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
|
||||
public ServerHttpRequest build() {
|
||||
URI uriToUse = getUriToUse();
|
||||
return new DefaultServerHttpRequest(uriToUse, this.contextPath, this.httpHeaders,
|
||||
this.httpMethodValue, this.cookies, this.remoteAddress, this.body,
|
||||
this.originalRequest);
|
||||
this.httpMethodValue, this.cookies, this.body, this.originalRequest);
|
||||
|
||||
}
|
||||
|
||||
@@ -162,6 +157,9 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
|
||||
@Nullable
|
||||
private final InetSocketAddress remoteAddress;
|
||||
|
||||
@Nullable
|
||||
private final SslInfo sslInfo;
|
||||
|
||||
private final Flux<DataBuffer> body;
|
||||
|
||||
private final ServerHttpRequest originalRequest;
|
||||
@@ -169,13 +167,13 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
|
||||
|
||||
public DefaultServerHttpRequest(URI uri, @Nullable String contextPath,
|
||||
HttpHeaders headers, String methodValue, MultiValueMap<String, HttpCookie> cookies,
|
||||
@Nullable InetSocketAddress remoteAddress,
|
||||
Flux<DataBuffer> body, ServerHttpRequest originalRequest) {
|
||||
|
||||
super(uri, contextPath, headers);
|
||||
this.methodValue = methodValue;
|
||||
this.cookies = cookies;
|
||||
this.remoteAddress = remoteAddress;
|
||||
this.remoteAddress = originalRequest.getRemoteAddress();
|
||||
this.sslInfo = originalRequest.getSslInfo();
|
||||
this.body = body;
|
||||
this.originalRequest = originalRequest;
|
||||
}
|
||||
@@ -197,6 +195,12 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
|
||||
return this.remoteAddress;
|
||||
}
|
||||
|
||||
@Nullable
|
||||
@Override
|
||||
protected SslInfo initSslInfo() {
|
||||
return this.sslInfo;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Flux<DataBuffer> getBody() {
|
||||
return this.body;
|
||||
|
||||
@@ -0,0 +1,102 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.http.server.reactive;
|
||||
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.net.ssl.SSLSession;
|
||||
|
||||
import org.springframework.lang.Nullable;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @since 5.0
|
||||
*/
|
||||
final class DefaultSslInfo implements SslInfo {
|
||||
|
||||
@Nullable
|
||||
private final String sessionId;
|
||||
|
||||
private final X509Certificate[] peerCertificates;
|
||||
|
||||
|
||||
DefaultSslInfo(String sessionId, X509Certificate[] peerCertificates) {
|
||||
Assert.notNull(peerCertificates, "No SSL certificates");
|
||||
this.sessionId = sessionId;
|
||||
this.peerCertificates = peerCertificates;
|
||||
}
|
||||
|
||||
DefaultSslInfo(SSLSession session) {
|
||||
Assert.notNull(session, "SSLSession is required");
|
||||
this.sessionId = initSessionId(session);
|
||||
this.peerCertificates = initCertificates(session);
|
||||
}
|
||||
|
||||
@Nullable
|
||||
private static String initSessionId(SSLSession session) {
|
||||
byte [] bytes = session.getId();
|
||||
if (bytes == null) {
|
||||
return null;
|
||||
}
|
||||
StringBuilder sb = new StringBuilder();
|
||||
for (byte b : bytes) {
|
||||
String digit = Integer.toHexString(b);
|
||||
if (digit.length() < 2) {
|
||||
sb.append('0');
|
||||
}
|
||||
if (digit.length() > 2) {
|
||||
digit = digit.substring(digit.length() - 2);
|
||||
}
|
||||
sb.append(digit);
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
|
||||
private static X509Certificate[] initCertificates(SSLSession session) {
|
||||
Certificate[] certificates;
|
||||
try {
|
||||
certificates = session.getPeerCertificates();
|
||||
}
|
||||
catch (Throwable ex) {
|
||||
throw new IllegalStateException("Failed to get SSL certificates", ex);
|
||||
}
|
||||
List<X509Certificate> result = new ArrayList<>(certificates.length);
|
||||
for (Certificate certificate : certificates) {
|
||||
if (certificate instanceof X509Certificate) {
|
||||
result.add((X509Certificate) certificate);
|
||||
}
|
||||
}
|
||||
return result.toArray(new X509Certificate[result.size()]);
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
@Nullable
|
||||
public String getSessionId() {
|
||||
return this.sessionId;
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getPeerCertificates() {
|
||||
return this.peerCertificates;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -19,6 +19,7 @@ package org.springframework.http.server.reactive;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import javax.net.ssl.SSLSession;
|
||||
|
||||
import io.netty.channel.ChannelPipeline;
|
||||
import io.netty.handler.codec.http.HttpHeaderNames;
|
||||
@@ -31,6 +32,7 @@ import org.springframework.core.io.buffer.DataBuffer;
|
||||
import org.springframework.core.io.buffer.NettyDataBufferFactory;
|
||||
import org.springframework.http.HttpCookie;
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.lang.Nullable;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.LinkedMultiValueMap;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
@@ -108,6 +110,7 @@ class ReactorServerHttpRequest extends AbstractServerHttpRequest {
|
||||
return headers;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public String getMethodValue() {
|
||||
return this.request.method().name();
|
||||
@@ -130,6 +133,16 @@ class ReactorServerHttpRequest extends AbstractServerHttpRequest {
|
||||
return this.request.remoteAddress();
|
||||
}
|
||||
|
||||
@Nullable
|
||||
protected SslInfo initSslInfo() {
|
||||
SslHandler sslHandler = this.request.context().channel().pipeline().get(SslHandler.class);
|
||||
if (sslHandler != null) {
|
||||
SSLSession session = sslHandler.engine().getSession();
|
||||
return new DefaultSslInfo(session);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Flux<DataBuffer> getBody() {
|
||||
return this.request.receive().retain().map(this.bufferFactory::wrap);
|
||||
|
||||
@@ -61,6 +61,14 @@ public interface ServerHttpRequest extends HttpRequest, ReactiveHttpInputMessage
|
||||
@Nullable
|
||||
InetSocketAddress getRemoteAddress();
|
||||
|
||||
/**
|
||||
* Return the SSL session information if the request has been transmitted
|
||||
* over a secure protocol including SSL certificates, if available.
|
||||
* @return the session information or {@code null}
|
||||
* @since 5.0.2
|
||||
*/
|
||||
@Nullable
|
||||
SslInfo getSslInfo();
|
||||
|
||||
/**
|
||||
* Return a builder to mutate properties of this request by wrapping it
|
||||
|
||||
@@ -96,6 +96,12 @@ public class ServerHttpRequestDecorator implements ServerHttpRequest {
|
||||
return getDelegate().getRemoteAddress();
|
||||
}
|
||||
|
||||
@Nullable
|
||||
@Override
|
||||
public SslInfo getSslInfo() {
|
||||
return getDelegate().getSslInfo();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Flux<DataBuffer> getBody() {
|
||||
return getDelegate().getBody();
|
||||
|
||||
@@ -21,6 +21,7 @@ import java.net.InetSocketAddress;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.nio.charset.Charset;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Enumeration;
|
||||
import java.util.Map;
|
||||
import javax.servlet.AsyncContext;
|
||||
@@ -89,7 +90,6 @@ class ServletServerHttpRequest extends AbstractServerHttpRequest {
|
||||
this.bodyPublisher.registerReadListener();
|
||||
}
|
||||
|
||||
|
||||
private static URI initUri(HttpServletRequest request) {
|
||||
Assert.notNull(request, "'request' must not be null");
|
||||
try {
|
||||
@@ -172,6 +172,16 @@ class ServletServerHttpRequest extends AbstractServerHttpRequest {
|
||||
return new InetSocketAddress(this.request.getRemoteHost(), this.request.getRemotePort());
|
||||
}
|
||||
|
||||
@Nullable
|
||||
protected SslInfo initSslInfo() {
|
||||
if (!this.request.isSecure()) {
|
||||
return null;
|
||||
}
|
||||
return new DefaultSslInfo(
|
||||
(String) request.getAttribute("javax.servlet.request.ssl_session_id"),
|
||||
(X509Certificate[]) request.getAttribute("java.security.cert.X509Certificate"));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Flux<DataBuffer> getBody() {
|
||||
return Flux.from(this.bodyPublisher);
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.http.server.reactive;
|
||||
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import org.springframework.lang.Nullable;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @since 5.0.2
|
||||
*/
|
||||
public interface SslInfo {
|
||||
|
||||
@Nullable
|
||||
String getSessionId();
|
||||
|
||||
X509Certificate[] getPeerCertificates();
|
||||
|
||||
}
|
||||
@@ -23,6 +23,7 @@ import java.net.InetSocketAddress;
|
||||
import java.net.URI;
|
||||
import java.nio.ByteBuffer;
|
||||
import java.util.function.IntPredicate;
|
||||
import javax.net.ssl.SSLSession;
|
||||
|
||||
import io.undertow.connector.ByteBufferPool;
|
||||
import io.undertow.connector.PooledByteBuffer;
|
||||
@@ -101,6 +102,16 @@ class UndertowServerHttpRequest extends AbstractServerHttpRequest {
|
||||
return this.exchange.getSourceAddress();
|
||||
}
|
||||
|
||||
@Nullable
|
||||
@Override
|
||||
protected SslInfo initSslInfo() {
|
||||
SSLSession session = this.exchange.getConnection().getSslSession();
|
||||
if (session != null) {
|
||||
return new DefaultSslInfo(session);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Flux<DataBuffer> getBody() {
|
||||
return Flux.from(this.body);
|
||||
|
||||
Reference in New Issue
Block a user