diff --git a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilter.java b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilter.java
index 8bb5759c93659aff09b4950fc91c2c544867774d..2541dee4d9b81844ec822bf86a2205ad8074e3ef 100644
--- a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilter.java
+++ b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilter.java
@@ -22,7 +22,6 @@ import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.HDR_X_
import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.HDR_X_FORWARDED_SSL_CERTIFICATE;
import java.io.IOException;
-import java.security.cert.CertificateException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
@@ -52,7 +51,7 @@ import org.slf4j.LoggerFactory;
})
public class SslFilter implements Preprocessor {
- private final Logger logger = LoggerFactory.getLogger(this.getClass());
+ public static final Logger LOGGER = LoggerFactory.getLogger(SslFilter.class);
@ObjectClassDefinition(name = "Apache Felix Http Service SSL Filter",
description = "Configuration for the Http Service SSL Filter. Please consult the documentation of your proxy for the actual headers and values to use.")
@@ -90,7 +89,7 @@ public class SslFilter implements Preprocessor {
@Modified
public void updateConfig(final Config config) {
this.config = config;
- logger.info("SSL filter (re)configured with: " +
+ LOGGER.info("SSL filter (re)configured with: " +
"rewrite absolute urls = {}; SSL forward header = '{}'; SSL forward value = '{}'; SSL certificate header = '{}'",
config.rewrite_absolute_urls(), config.ssl_forward_header(), config.ssl_forward_value(), config.ssl_forward_cert_header());
}
@@ -114,13 +113,8 @@ public class SslFilter implements Preprocessor {
HttpServletResponse httpResp = (HttpServletResponse) res;
if (cfg.ssl_forward_value().equalsIgnoreCase(httpReq.getHeader(cfg.ssl_forward_header()))) {
- try {
- httpResp = new SslFilterResponse(httpResp, httpReq, cfg);
- // In case this fails, we fall back to the original HTTP request, which is better than nothing...
- httpReq = new SslFilterRequest(httpReq, httpReq.getHeader(cfg.ssl_forward_cert_header()));
- } catch (final CertificateException e) {
- logger.warn("Failed to create SSL filter request! Problem parsing client certificates?! Client certificate will *not* be forwarded...", e);
- }
+ httpResp = new SslFilterResponse(httpResp, httpReq, cfg);
+ httpReq = new SslFilterRequest(httpReq, httpReq.getHeader(cfg.ssl_forward_cert_header()));
}
// forward the request making sure any certificate is removed again after the request processing gets back here
diff --git a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterConstants.java b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterConstants.java
index 0da3a362282178bb1e9ef53ed0fba77edfe99adf..db7c4d3b88610063a7b548ed6d75585d807002d9 100644
--- a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterConstants.java
+++ b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterConstants.java
@@ -21,8 +21,7 @@ package org.apache.felix.http.sslfilter.internal;
/**
* Provides constants used in the SSL filter.
*/
-interface SslFilterConstants
-{
+interface SslFilterConstants {
/**
* If there is an SSL certificate associated with the request, it must be exposed by the servlet container to the
* servlet programmer as an array of objects of type java.security.cert.X509Certificate and accessible via a
@@ -59,6 +58,7 @@ interface SslFilterConstants
* HTTP protocol/scheme.
*/
String HTTP = "http";
+
/**
* Default port used for HTTP.
*/
@@ -68,11 +68,16 @@ interface SslFilterConstants
* HTTPS protocol/scheme.
*/
String HTTPS = "https";
+
/**
* Default port used for HTTPS.
*/
int HTTPS_PORT = 443;
- String UTF_8 = "UTF-8";
String X_509 = "X.509";
+
+ /**
+ * The HTTP scheme prefix in an URL
+ */
+ String HTTP_SCHEME_PREFIX = "http://";
}
diff --git a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterRequest.java b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterRequest.java
index 93357b3e24ec8efe60be62fe4f18d30e05b2069a..7a7931ea226d390e6d7e566a9b6bfcda7bde140c 100644
--- a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterRequest.java
+++ b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterRequest.java
@@ -21,12 +21,14 @@ package org.apache.felix.http.sslfilter.internal;
import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.ATTR_SSL_CERTIFICATE;
import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.HDR_X_FORWARDED_PORT;
import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.HTTPS;
-import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.UTF_8;
+import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.HTTPS_PORT;
+import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.HTTP_SCHEME_PREFIX;
import static org.apache.felix.http.sslfilter.internal.SslFilterConstants.X_509;
import java.io.ByteArrayInputStream;
+import java.io.IOException;
import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
@@ -37,34 +39,26 @@ import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
class SslFilterRequest extends HttpServletRequestWrapper {
- // The HTTP scheme prefix in an URL
- private static final String HTTP_SCHEME_PREFIX = "http://";
// pattern to convert the header to a PEM certificate for parsing
// by replacing spaces with line breaks
private static final Pattern HEADER_TO_CERT = Pattern.compile("(?! CERTIFICATE)(?= ) ");
@SuppressWarnings("unchecked")
- SslFilterRequest(final HttpServletRequest request, final String clientCertHeader) throws CertificateException {
+ SslFilterRequest(final HttpServletRequest request, final String clientCertHeader) {
super(request);
- // TODO jawi: perhaps we should make this class a little smarter wrt the given request:
- // it now always assumes it should rewrite its URL, while this might not always be the
- // case...
-
- if (clientCertHeader != null && !"".equals(clientCertHeader.trim())) {
+ if (clientCertHeader != null && clientCertHeader.trim().length() > 0) {
final String clientCert = HEADER_TO_CERT.matcher(clientCertHeader).replaceAll("\n");
- try {
- CertificateFactory fac = CertificateFactory.getInstance(X_509);
-
- InputStream instream = new ByteArrayInputStream(clientCert.getBytes(UTF_8));
-
- Collection<X509Certificate> certs = (Collection<X509Certificate>) fac.generateCertificates(instream);
- request.setAttribute(ATTR_SSL_CERTIFICATE, certs.toArray(new X509Certificate[certs.size()]));
- } catch (UnsupportedEncodingException e) {
- // Any JRE should support UTF-8...
- throw new InternalError("UTF-8 not supported?!");
+ try (InputStream instream = new ByteArrayInputStream(clientCert.getBytes(StandardCharsets.UTF_8))) {
+ final CertificateFactory fac = CertificateFactory.getInstance(X_509);
+ Collection<X509Certificate> certs = (Collection<X509Certificate>) fac.generateCertificates(instream);
+ request.setAttribute(ATTR_SSL_CERTIFICATE, certs.toArray(new X509Certificate[certs.size()]));
+ } catch ( final IOException ignore) {
+ // ignore - can only happen on close
+ } catch ( final CertificateException ce) {
+ SslFilter.LOGGER.warn("Failed to create SSL filter request! Problem parsing client certificates?! Client certificate will *not* be forwarded...", ce);
}
}
}
@@ -85,13 +79,13 @@ class SslFilterRequest extends HttpServletRequestWrapper {
@Override
public StringBuffer getRequestURL() {
- StringBuffer tmp = new StringBuffer(super.getRequestURL());
+ final StringBuffer result = super.getRequestURL();
// In case the request happened over http, simply insert an additional 's'
// to make the request appear to be done over https...
- if (tmp.indexOf(HTTP_SCHEME_PREFIX) == 0) {
- tmp.insert(4, 's');
+ if (result.indexOf(HTTP_SCHEME_PREFIX) == 0) {
+ result.insert(4, 's');
}
- return tmp;
+ return result;
}
@Override
@@ -99,11 +93,10 @@ class SslFilterRequest extends HttpServletRequestWrapper {
int port;
try {
- String fwdPort = getHeader(HDR_X_FORWARDED_PORT);
- port = Integer.parseInt(fwdPort);
- } catch (Exception e) {
+ port = Integer.parseInt(getHeader(HDR_X_FORWARDED_PORT));
+ } catch (final Exception e) {
// Use default port
- port = 443;
+ port = HTTPS_PORT;
}
return port;
}
diff --git a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterResponse.java b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterResponse.java
index 89ae257e23e5be713c8284a17ca8d27c7f14efa2..a0e5723b9deed89cbd0ec171e93a89b51702c807 100644
--- a/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterResponse.java
+++ b/http/sslfilter/src/main/java/org/apache/felix/http/sslfilter/internal/SslFilterResponse.java
@@ -61,7 +61,7 @@ class SslFilterResponse extends HttpServletResponseWrapper {
this.serverName = request.getServerName();
this.serverPort = request.getServerPort();
- String value = request.getHeader(config.ssl_forward_header());
+ final String value = request.getHeader(config.ssl_forward_header());
if ((HDR_X_FORWARDED_PROTO.equalsIgnoreCase(config.ssl_forward_header()) && HTTP.equalsIgnoreCase(value)) ||
(HDR_X_FORWARDED_SSL.equalsIgnoreCase(config.ssl_forward_header()) && !config.ssl_forward_value().equalsIgnoreCase(value))) {
diff --git a/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterRequestTest.java b/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterRequestTest.java
index 8cc4f43855c192882b4f508f2a136804ea575860..d930a5cdb468e68b9283b94058d59c40ce44ba20 100644
--- a/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterRequestTest.java
+++ b/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterRequestTest.java
@@ -72,12 +72,10 @@ public class SslFilterRequestTest
when(req.getRequestURL()).thenReturn(new StringBuffer("http://some/page"));
assertEquals("http://some/page", req.getRequestURL().toString());
assertEquals("https://some/page", sreq.getRequestURL().toString());
- assertEquals("http://some/page", req.getRequestURL().toString());
when(req.getRequestURL()).thenReturn(new StringBuffer("https://some/page"));
assertEquals("https://some/page", req.getRequestURL().toString());
assertEquals("https://some/page", sreq.getRequestURL().toString());
- assertEquals("https://some/page", req.getRequestURL().toString());
}
@Test
diff --git a/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterResponseTest.java b/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterResponseTest.java
index 945b988845e49016e374195a2a1f9ff8450df47f..bff83c3906b681e9ced3b043e39bdd68fec9febf 100644
--- a/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterResponseTest.java
+++ b/http/sslfilter/src/test/java/org/apache/felix/http/sslfilter/internal/SslFilterResponseTest.java
@@ -515,7 +515,6 @@ public class SslFilterResponseTest
committed = true;
}
- @SuppressWarnings("deprecation")
@Override
public void setStatus(int sc, String sm) {
status = sc;
@@ -578,7 +577,6 @@ public class SslFilterResponseTest
return headers.get(name);
}
- @SuppressWarnings("deprecation")
@Override
public String encodeUrl(String url) {
throw new UnsupportedOperationException();
@@ -589,7 +587,6 @@ public class SslFilterResponseTest
throw new UnsupportedOperationException();
}
- @SuppressWarnings("deprecation")
@Override
public String encodeRedirectUrl(String url) {
throw new UnsupportedOperationException();