ServerHttpRequest exposes SSL certificates

Issue: SPR-15964
This commit is contained in:
Rossen Stoyanchev
2017-11-10 16:43:12 -05:00
parent 9a894ab61e
commit 87375fe6f8
11 changed files with 271 additions and 13 deletions

View File

@@ -59,6 +59,9 @@ public abstract class AbstractServerHttpRequest implements ServerHttpRequest {
@Nullable
private MultiValueMap<String, HttpCookie> cookies;
@Nullable
private SslInfo sslInfo;
/**
* Constructor with the URI and headers for the request.
@@ -152,6 +155,23 @@ public abstract class AbstractServerHttpRequest implements ServerHttpRequest {
*/
protected abstract MultiValueMap<String, HttpCookie> initCookies();
@Nullable
@Override
public SslInfo getSslInfo() {
if (this.sslInfo == null) {
this.sslInfo = initSslInfo();
}
return this.sslInfo;
}
/**
* Obtain SSL session information from the underlying "native" request.
* @return the SSL information or {@code null} if not available
* @since 5.0.2
*/
@Nullable
protected abstract SslInfo initSslInfo();
/**
* Return the underlying server response.
* <p><strong>Note:</strong> This is exposed mainly for internal framework

View File

@@ -52,9 +52,6 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
private final MultiValueMap<String, HttpCookie> cookies;
@Nullable
private final InetSocketAddress remoteAddress;
@Nullable
private String uriPath;
@@ -71,7 +68,6 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
this.uri = original.getURI();
this.httpMethodValue = original.getMethodValue();
this.remoteAddress = original.getRemoteAddress();
this.body = original.getBody();
this.httpHeaders = new HttpHeaders();
@@ -135,8 +131,7 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
public ServerHttpRequest build() {
URI uriToUse = getUriToUse();
return new DefaultServerHttpRequest(uriToUse, this.contextPath, this.httpHeaders,
this.httpMethodValue, this.cookies, this.remoteAddress, this.body,
this.originalRequest);
this.httpMethodValue, this.cookies, this.body, this.originalRequest);
}
@@ -162,6 +157,9 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
@Nullable
private final InetSocketAddress remoteAddress;
@Nullable
private final SslInfo sslInfo;
private final Flux<DataBuffer> body;
private final ServerHttpRequest originalRequest;
@@ -169,13 +167,13 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
public DefaultServerHttpRequest(URI uri, @Nullable String contextPath,
HttpHeaders headers, String methodValue, MultiValueMap<String, HttpCookie> cookies,
@Nullable InetSocketAddress remoteAddress,
Flux<DataBuffer> body, ServerHttpRequest originalRequest) {
super(uri, contextPath, headers);
this.methodValue = methodValue;
this.cookies = cookies;
this.remoteAddress = remoteAddress;
this.remoteAddress = originalRequest.getRemoteAddress();
this.sslInfo = originalRequest.getSslInfo();
this.body = body;
this.originalRequest = originalRequest;
}
@@ -197,6 +195,12 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
return this.remoteAddress;
}
@Nullable
@Override
protected SslInfo initSslInfo() {
return this.sslInfo;
}
@Override
public Flux<DataBuffer> getBody() {
return this.body;

View File

@@ -0,0 +1,102 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.http.server.reactive;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSession;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
/**
*
* @author Rossen Stoyanchev
* @since 5.0
*/
final class DefaultSslInfo implements SslInfo {
@Nullable
private final String sessionId;
private final X509Certificate[] peerCertificates;
DefaultSslInfo(String sessionId, X509Certificate[] peerCertificates) {
Assert.notNull(peerCertificates, "No SSL certificates");
this.sessionId = sessionId;
this.peerCertificates = peerCertificates;
}
DefaultSslInfo(SSLSession session) {
Assert.notNull(session, "SSLSession is required");
this.sessionId = initSessionId(session);
this.peerCertificates = initCertificates(session);
}
@Nullable
private static String initSessionId(SSLSession session) {
byte [] bytes = session.getId();
if (bytes == null) {
return null;
}
StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
String digit = Integer.toHexString(b);
if (digit.length() < 2) {
sb.append('0');
}
if (digit.length() > 2) {
digit = digit.substring(digit.length() - 2);
}
sb.append(digit);
}
return sb.toString();
}
private static X509Certificate[] initCertificates(SSLSession session) {
Certificate[] certificates;
try {
certificates = session.getPeerCertificates();
}
catch (Throwable ex) {
throw new IllegalStateException("Failed to get SSL certificates", ex);
}
List<X509Certificate> result = new ArrayList<>(certificates.length);
for (Certificate certificate : certificates) {
if (certificate instanceof X509Certificate) {
result.add((X509Certificate) certificate);
}
}
return result.toArray(new X509Certificate[result.size()]);
}
@Override
@Nullable
public String getSessionId() {
return this.sessionId;
}
@Override
public X509Certificate[] getPeerCertificates() {
return this.peerCertificates;
}
}

View File

@@ -19,6 +19,7 @@ package org.springframework.http.server.reactive;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import javax.net.ssl.SSLSession;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.HttpHeaderNames;
@@ -31,6 +32,7 @@ import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.NettyDataBufferFactory;
import org.springframework.http.HttpCookie;
import org.springframework.http.HttpHeaders;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
@@ -108,6 +110,7 @@ class ReactorServerHttpRequest extends AbstractServerHttpRequest {
return headers;
}
@Override
public String getMethodValue() {
return this.request.method().name();
@@ -130,6 +133,16 @@ class ReactorServerHttpRequest extends AbstractServerHttpRequest {
return this.request.remoteAddress();
}
@Nullable
protected SslInfo initSslInfo() {
SslHandler sslHandler = this.request.context().channel().pipeline().get(SslHandler.class);
if (sslHandler != null) {
SSLSession session = sslHandler.engine().getSession();
return new DefaultSslInfo(session);
}
return null;
}
@Override
public Flux<DataBuffer> getBody() {
return this.request.receive().retain().map(this.bufferFactory::wrap);

View File

@@ -61,6 +61,14 @@ public interface ServerHttpRequest extends HttpRequest, ReactiveHttpInputMessage
@Nullable
InetSocketAddress getRemoteAddress();
/**
* Return the SSL session information if the request has been transmitted
* over a secure protocol including SSL certificates, if available.
* @return the session information or {@code null}
* @since 5.0.2
*/
@Nullable
SslInfo getSslInfo();
/**
* Return a builder to mutate properties of this request by wrapping it

View File

@@ -96,6 +96,12 @@ public class ServerHttpRequestDecorator implements ServerHttpRequest {
return getDelegate().getRemoteAddress();
}
@Nullable
@Override
public SslInfo getSslInfo() {
return getDelegate().getSslInfo();
}
@Override
public Flux<DataBuffer> getBody() {
return getDelegate().getBody();

View File

@@ -21,6 +21,7 @@ import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import javax.servlet.AsyncContext;
@@ -89,7 +90,6 @@ class ServletServerHttpRequest extends AbstractServerHttpRequest {
this.bodyPublisher.registerReadListener();
}
private static URI initUri(HttpServletRequest request) {
Assert.notNull(request, "'request' must not be null");
try {
@@ -172,6 +172,16 @@ class ServletServerHttpRequest extends AbstractServerHttpRequest {
return new InetSocketAddress(this.request.getRemoteHost(), this.request.getRemotePort());
}
@Nullable
protected SslInfo initSslInfo() {
if (!this.request.isSecure()) {
return null;
}
return new DefaultSslInfo(
(String) request.getAttribute("javax.servlet.request.ssl_session_id"),
(X509Certificate[]) request.getAttribute("java.security.cert.X509Certificate"));
}
@Override
public Flux<DataBuffer> getBody() {
return Flux.from(this.bodyPublisher);

View File

@@ -0,0 +1,34 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.http.server.reactive;
import java.security.cert.X509Certificate;
import org.springframework.lang.Nullable;
/**
*
* @author Rossen Stoyanchev
* @since 5.0.2
*/
public interface SslInfo {
@Nullable
String getSessionId();
X509Certificate[] getPeerCertificates();
}

View File

@@ -23,6 +23,7 @@ import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.ByteBuffer;
import java.util.function.IntPredicate;
import javax.net.ssl.SSLSession;
import io.undertow.connector.ByteBufferPool;
import io.undertow.connector.PooledByteBuffer;
@@ -101,6 +102,16 @@ class UndertowServerHttpRequest extends AbstractServerHttpRequest {
return this.exchange.getSourceAddress();
}
@Nullable
@Override
protected SslInfo initSslInfo() {
SSLSession session = this.exchange.getConnection().getSslSession();
if (session != null) {
return new DefaultSslInfo(session);
}
return null;
}
@Override
public Flux<DataBuffer> getBody() {
return Flux.from(this.body);