Backport Jetty/Tomcat SSL support

Fixes gh-1570
Cherry-picked from 0960908 and 258c6f1

Author: philwebb

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java

@@ -33,6 +33,7 @@
 import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
 import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizerBeanPostProcessor;
 import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
+import org.springframework.boot.context.embedded.Ssl;
 import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
 import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
 import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
@@ -59,6 +60,8 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer {
 
 	private String contextPath;
 
+	private Ssl ssl;
+
 	@NotNull
 	private String servletPath = "/";
 
@@ -132,6 +135,14 @@ public void setSessionTimeout(Integer sessionTimeout) {
 		this.sessionTimeout = sessionTimeout;
 	}
 
+	public Ssl getSsl() {
+		return this.ssl;
+	}
+
+	public void setSsl(Ssl ssl) {
+		this.ssl = ssl;
+	}
+
 	public void setLoader(String value) {
 		// no op to support Tomcat running as a traditional container (not embedded)
 	}
@@ -150,12 +161,41 @@ public void customize(ConfigurableEmbeddedServletContainer container) {
 		if (getSessionTimeout() != null) {
 			container.setSessionTimeout(getSessionTimeout());
 		}
+		if (getSsl() != null) {
+			container.setSsl(getSsl());
+		}
 		if (container instanceof TomcatEmbeddedServletContainerFactory) {
 			getTomcat()
 					.customizeTomcat((TomcatEmbeddedServletContainerFactory) container);
 		}
 	}
 
+	public String[] getPathsArray(Collection<String> paths) {
+		String[] result = new String[paths.size()];
+		int i = 0;
+		for (String path : paths) {
+			result[i++] = getPath(path);
+		}
+		return result;
+	}
+
+	public String[] getPathsArray(String[] paths) {
+		String[] result = new String[paths.length];
+		int i = 0;
+		for (String path : paths) {
+			result[i++] = getPath(path);
+		}
+		return result;
+	}
+
+	public String getPath(String path) {
+		String prefix = getServletPrefix();
+		if (!path.startsWith("/")) {
+			path = "/" + path;
+		}
+		return prefix + path;
+	}
+
 	public static class Tomcat {
 
 		private String accessLogPattern;
@@ -330,31 +370,4 @@ public void customize(Connector connector) {
 		}
 
 	}
-
-	public String[] getPathsArray(Collection<String> paths) {
-		String[] result = new String[paths.size()];
-		int i = 0;
-		for (String path : paths) {
-			result[i++] = getPath(path);
-		}
-		return result;
-	}
-
-	public String[] getPathsArray(String[] paths) {
-		String[] result = new String[paths.length];
-		int i = 0;
-		for (String path : paths) {
-			result[i++] = getPath(path);
-		}
-		return result;
-	}
-
-	public String getPath(String path) {
-		String prefix = getServletPrefix();
-		if (!path.startsWith("/")) {
-			path = "/" + path;
-		}
-		return prefix + path;
-	}
-
 }

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -56,6 +56,18 @@ content into your application; rather pick only the properties that you need.
 	server.session-timeout= # session timeout in seconds
 	server.context-path= # the context path, defaults to '/'
 	server.servlet-path= # the servlet path, defaults to '/'
+	server.ssl.client-auth= # want or need
+	server.ssl.key-alias=
+	server.ssl.key-password=
+	server.ssl.key-store=
+	server.ssl.key-store-password=
+	server.ssl.key-store-provider=
+	server.ssl.key-store-type=
+	server.ssl.protocol=TLS
+	server.ssl.trust-store=
+	server.ssl.trust-store-password=
+	server.ssl.trust-store-provider=
+	server.ssl.trust-store-type=
 	server.tomcat.access-log-pattern= # log pattern of the access log
 	server.tomcat.access-log-enabled=false # is access logging enabled
 	server.tomcat.internal-proxies=10\.\d{1,3}\.\d{1,3}\.\d{1,3}|\

spring-boot-docs/src/main/asciidoc/howto.adoc

@@ -389,6 +389,27 @@ and then inject the actual (``local'') port as a `@Value`. For example:
 
 
 
+[[howto-configure-ssl]]
+=== Configure SSL
+SSL can be configured declaratively by setting the various `server.ssl.*` properties,
+typically in `application.properties` or `application.yml`. For example:
+
+[source,properties,indent=0,subs="verbatim,quotes,attributes"]
+----
+	server.port = 8443
+	server.ssl.key-store = classpath:keystore.jks
+	server.ssl.key-store-password = secret
+	server.ssl.key-password = another-secret
+----
+
+See {sc-spring-boot}/context/embedded/Ssl.{sc-ext}[`Ssl`] for details of all of the
+supported properties.
+
+NOTE: Tomcat requires the key store (and trust store if you're using one) to be directly
+accessible on the filesystem, i.e. it cannot be read from within a jar file.
+
+
+
 [[howto-configure-tomcat]]
 === Configure Tomcat
 Generally you can follow the advice from
@@ -401,56 +422,6 @@ nuclear option is to add your own `TomcatEmbeddedServletContainerFactory`.
 
 
 
-[[howto-terminate-ssl-in-tomcat]]
-=== Terminate SSL in Tomcat
-Use an `EmbeddedServletContainerCustomizer` and in that add a `TomcatConnectorCustomizer`
-that sets up the connector to be secure:
-
-[source,java,indent=0,subs="verbatim,quotes,attributes"]
-----
-	@Bean
-	public EmbeddedServletContainerCustomizer containerCustomizer(){
-		return new MyCustomizer();
-	}
-
-	// ...
-
-	private static class MyCustomizer implements EmbeddedServletContainerCustomizer {
-
-		@Override
-		public void customize(ConfigurableEmbeddedServletContainer factory) {
-			if(factory instanceof TomcatEmbeddedServletContainerFactory) {
-				customizeTomcat((TomcatEmbeddedServletContainerFactory) factory);
-			}
-		}
-
-		public void customizeTomcat(TomcatEmbeddedServletContainerFactory factory) {
-			factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
-				@Override
-				public void customize(Connector connector) {
-					connector.setPort(serverPort);
-					connector.setSecure(true);
-					connector.setScheme("https");
-					connector.setAttribute("keyAlias", "tomcat");
-					connector.setAttribute("keystorePass", "password");
-					try {
-						connector.setAttribute("keystoreFile",
-							ResourceUtils.getFile("src/ssl/tomcat.keystore").getAbsolutePath());
-					} catch (FileNotFoundException e) {
-						throw new IllegalStateException("Cannot load keystore", e);
-					}
-					connector.setAttribute("clientAuth", "false");
-					connector.setAttribute("sslProtocol", "TLS");
-					connector.setAttribute("SSLEnabled", true);
-				}
-			});
-		}
-
-	}
-----
-
-
-
 [[howto-enable-multiple-connectors-in-tomcat]]
 === Enable Multiple Connectors Tomcat
 Add a `org.apache.catalina.connector.Connector` to the

spring-boot-samples/pom.xml

@@ -44,6 +44,7 @@
 		<module>spring-boot-sample-secure</module>
 		<module>spring-boot-sample-servlet</module>
 		<module>spring-boot-sample-simple</module>
+		<module>spring-boot-sample-tomcat-ssl</module>
 		<module>spring-boot-sample-tomcat</module>
 		<module>spring-boot-sample-tomcat-multi-connectors</module>
 		<module>spring-boot-sample-tomcat8-jsp</module>

spring-boot-samples/spring-boot-sample-tomcat-ssl/pom.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<!-- Your own application should inherit from spring-boot-starter-parent -->
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-samples</artifactId>
+		<version>1.1.7.BUILD-SNAPSHOT</version>
+	</parent>
+	<artifactId>spring-boot-sample-tomcat-ssl</artifactId>
+	<name>Spring Boot Tomcat Sample</name>
+	<description>Spring Boot Tomcat SSL Sample</description>
+	<url>http://projects.spring.io/spring-boot/</url>
+	<organization>
+		<name>Pivotal Software, Inc.</name>
+		<url>http://www.spring.io</url>
+	</organization>
+	<properties>
+		<main.basedir>${basedir}/../..</main.basedir>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-tomcat</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.yaml</groupId>
+			<artifactId>snakeyaml</artifactId>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+</project>

spring-boot-samples/spring-boot-sample-tomcat-ssl/sample.jks

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2012-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.tomcat;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+
+@ComponentScan
+@Configuration
+@EnableAutoConfiguration
+@EnableConfigurationProperties
+public class SampleTomcatSslApplication {
+
+	public static void main(String[] args) throws Exception {
+		SpringApplication.run(SampleTomcatSslApplication.class, args);
+	}
+
+}

spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/java/sample/tomcat/SampleTomcatSslApplication.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2012-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.tomcat.web;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class SampleController {
+
+	@RequestMapping("/")
+	@ResponseBody
+	public String helloWorld() {
+		return "Hello, world";
+	}
+
+}

spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/java/sample/tomcat/web/SampleController.java

@@ -0,0 +1,4 @@
+server.port = 8443
+server.ssl.key-store = sample.jks
+server.ssl.key-store-password = secret
+server.ssl.key-password = password