Refactor web server support to use SslBundles

Update Tomcat, Jetty, Undertow and Netty servers so that an SslBundle
is used to apply SSL configuration. Existing `Ssl` properties are
internally adapted to an `SslBundle` using the `WebServerSslBundle`
class. Additionally, if `Ssl.getBundle()` returns a non-null value the
the `SslBundles` bean will be used to find a registered bundle by name.

See gh-34814

Author: scottfrederick

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -2064,6 +2064,10 @@
         "level": "error"
       }
     },
+    {
+      "name": "management.server.ssl.bundle",
+      "description": "The name of a configured SSL bundle."
+    },
     {
       "name": "management.server.ssl.certificate",
       "description": "Path to a PEM-encoded SSL certificate file."

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/rsocket/RSocketServerAutoConfiguration.java

@@ -37,6 +37,7 @@
 import org.springframework.boot.rsocket.netty.NettyRSocketServerFactory;
 import org.springframework.boot.rsocket.server.RSocketServerCustomizer;
 import org.springframework.boot.rsocket.server.RSocketServerFactory;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
@@ -54,6 +55,7 @@
  * server port is configured, a new standalone RSocket server is created.
  *
  * @author Brian Clozel
+ * @author Scott Frederick
  * @since 2.2.0
  */
 @AutoConfiguration(after = RSocketStrategiesAutoConfiguration.class)
@@ -85,7 +87,7 @@ static class EmbeddedServerConfiguration {
 		@Bean
 		@ConditionalOnMissingBean
 		RSocketServerFactory rSocketServerFactory(RSocketProperties properties, ReactorResourceFactory resourceFactory,
-				ObjectProvider<RSocketServerCustomizer> customizers) {
+				ObjectProvider<RSocketServerCustomizer> customizers, ObjectProvider<SslBundles> sslBundles) {
 			NettyRSocketServerFactory factory = new NettyRSocketServerFactory();
 			factory.setResourceFactory(resourceFactory);
 			factory.setTransport(properties.getServer().getTransport());
@@ -94,6 +96,7 @@ RSocketServerFactory rSocketServerFactory(RSocketProperties properties, ReactorR
 			map.from(properties.getServer().getPort()).to(factory::setPort);
 			map.from(properties.getServer().getFragmentSize()).to(factory::setFragmentSize);
 			map.from(properties.getServer().getSsl()).to(factory::setSsl);
+			factory.setSslBundles(sslBundles.getIfAvailable());
 			factory.setRSocketServerCustomizers(customizers.orderedStream().toList());
 			return factory;
 		}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/ReactiveWebServerFactoryAutoConfiguration.java

@@ -19,6 +19,7 @@
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.BeanFactoryAware;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.beans.factory.support.RootBeanDefinition;
@@ -31,6 +32,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.web.server.WebServerFactoryCustomizerBeanPostProcessor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
@@ -45,6 +47,7 @@
  * {@link EnableAutoConfiguration Auto-configuration} for a reactive web server.
  *
  * @author Brian Clozel
+ * @author Scott Frederick
  * @since 2.0.0
  */
 @AutoConfigureOrder(Ordered.HIGHEST_PRECEDENCE)
@@ -60,8 +63,9 @@
 public class ReactiveWebServerFactoryAutoConfiguration {
 
 	@Bean
-	public ReactiveWebServerFactoryCustomizer reactiveWebServerFactoryCustomizer(ServerProperties serverProperties) {
-		return new ReactiveWebServerFactoryCustomizer(serverProperties);
+	public ReactiveWebServerFactoryCustomizer reactiveWebServerFactoryCustomizer(ServerProperties serverProperties,
+			ObjectProvider<SslBundles> sslBundles) {
+		return new ReactiveWebServerFactoryCustomizer(serverProperties, sslBundles.getIfAvailable());
 	}
 
 	@Bean

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/ReactiveWebServerFactoryCustomizer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.web.reactive.server.ConfigurableReactiveWebServerFactory;
 import org.springframework.boot.web.server.WebServerFactoryCustomizer;
 import org.springframework.core.Ordered;
@@ -28,15 +29,33 @@
  *
  * @author Brian Clozel
  * @author Yunkun Huang
+ * @author Scott Frederick
  * @since 2.0.0
  */
 public class ReactiveWebServerFactoryCustomizer
 		implements WebServerFactoryCustomizer<ConfigurableReactiveWebServerFactory>, Ordered {
 
 	private final ServerProperties serverProperties;
 
+	private final SslBundles sslBundles;
+
+	/**
+	 * Create a new {@link ReactiveWebServerFactoryCustomizer} instance.
+	 * @param serverProperties the server properties
+	 */
 	public ReactiveWebServerFactoryCustomizer(ServerProperties serverProperties) {
+		this(serverProperties, null);
+	}
+
+	/**
+	 * Create a new {@link ReactiveWebServerFactoryCustomizer} instance.
+	 * @param serverProperties the server properties
+	 * @param sslBundles the SSL bundles
+	 * @since 3.1.0
+	 */
+	public ReactiveWebServerFactoryCustomizer(ServerProperties serverProperties, SslBundles sslBundles) {
 		this.serverProperties = serverProperties;
+		this.sslBundles = sslBundles;
 	}
 
 	@Override
@@ -53,6 +72,7 @@ public void customize(ConfigurableReactiveWebServerFactory factory) {
 		map.from(this.serverProperties::getCompression).to(factory::setCompression);
 		map.from(this.serverProperties::getHttp2).to(factory::setHttp2);
 		map.from(this.serverProperties.getShutdown()).to(factory::setShutdown);
+		map.from(() -> this.sslBundles).to(factory::setSslBundles);
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryAutoConfiguration.java

@@ -33,8 +33,10 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
+import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.web.server.ErrorPageRegistrarBeanPostProcessor;
 import org.springframework.boot.web.server.WebServerFactoryCustomizerBeanPostProcessor;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -57,9 +59,10 @@
  * @author Ivan Sopov
  * @author Brian Clozel
  * @author Stephane Nicoll
+ * @author Scott Frederick
  * @since 2.0.0
  */
-@AutoConfiguration
+@AutoConfiguration(after = SslAutoConfiguration.class)
 @AutoConfigureOrder(Ordered.HIGHEST_PRECEDENCE)
 @ConditionalOnClass(ServletRequest.class)
 @ConditionalOnWebApplication(type = Type.SERVLET)
@@ -73,9 +76,9 @@ public class ServletWebServerFactoryAutoConfiguration {
 	@Bean
 	public ServletWebServerFactoryCustomizer servletWebServerFactoryCustomizer(ServerProperties serverProperties,
 			ObjectProvider<WebListenerRegistrar> webListenerRegistrars,
-			ObjectProvider<CookieSameSiteSupplier> cookieSameSiteSuppliers) {
+			ObjectProvider<CookieSameSiteSupplier> cookieSameSiteSuppliers, ObjectProvider<SslBundles> sslBundles) {
 		return new ServletWebServerFactoryCustomizer(serverProperties, webListenerRegistrars.orderedStream().toList(),
-				cookieSameSiteSuppliers.orderedStream().toList());
+				cookieSameSiteSuppliers.orderedStream().toList(), sslBundles.getIfAvailable());
 	}
 
 	@Bean

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryCustomizer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.web.server.WebServerFactoryCustomizer;
 import org.springframework.boot.web.servlet.WebListenerRegistrar;
 import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
@@ -36,6 +37,7 @@
  * @author Stephane Nicoll
  * @author Olivier Lamy
  * @author Yunkun Huang
+ * @author Scott Frederick
  * @since 2.0.0
  */
 public class ServletWebServerFactoryCustomizer
@@ -47,20 +49,24 @@ public class ServletWebServerFactoryCustomizer
 
 	private final List<CookieSameSiteSupplier> cookieSameSiteSuppliers;
 
+	private final SslBundles sslBundles;
+
 	public ServletWebServerFactoryCustomizer(ServerProperties serverProperties) {
 		this(serverProperties, Collections.emptyList());
 	}
 
 	public ServletWebServerFactoryCustomizer(ServerProperties serverProperties,
 			List<WebListenerRegistrar> webListenerRegistrars) {
-		this(serverProperties, webListenerRegistrars, null);
+		this(serverProperties, webListenerRegistrars, null, null);
 	}
 
 	ServletWebServerFactoryCustomizer(ServerProperties serverProperties,
-			List<WebListenerRegistrar> webListenerRegistrars, List<CookieSameSiteSupplier> cookieSameSiteSuppliers) {
+			List<WebListenerRegistrar> webListenerRegistrars, List<CookieSameSiteSupplier> cookieSameSiteSuppliers,
+			SslBundles sslBundles) {
 		this.serverProperties = serverProperties;
 		this.webListenerRegistrars = webListenerRegistrars;
 		this.cookieSameSiteSuppliers = cookieSameSiteSuppliers;
+		this.sslBundles = sslBundles;
 	}
 
 	@Override
@@ -84,12 +90,11 @@ public void customize(ConfigurableServletWebServerFactory factory) {
 		map.from(this.serverProperties::getServerHeader).to(factory::setServerHeader);
 		map.from(this.serverProperties.getServlet()::getContextParameters).to(factory::setInitParameters);
 		map.from(this.serverProperties.getShutdown()).to(factory::setShutdown);
-		for (WebListenerRegistrar registrar : this.webListenerRegistrars) {
-			registrar.register(factory);
-		}
-		if (!CollectionUtils.isEmpty(this.cookieSameSiteSuppliers)) {
-			factory.setCookieSameSiteSuppliers(this.cookieSameSiteSuppliers);
-		}
+		map.from(() -> this.sslBundles).to(factory::setSslBundles);
+		map.from(() -> this.cookieSameSiteSuppliers)
+			.whenNot(CollectionUtils::isEmpty)
+			.to(factory::setCookieSameSiteSuppliers);
+		this.webListenerRegistrars.forEach((registrar) -> registrar.register(factory));
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -2639,6 +2639,10 @@
         "level": "error"
       }
     },
+    {
+      "name": "spring.rsocket.server.ssl.bundle",
+      "description": "The name of a configured SSL bundle."
+    },
     {
       "name": "spring.rsocket.server.ssl.certificate",
       "description": "Path to a PEM-encoded SSL certificate file."

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/rsocket/RSocketServerAutoConfigurationTests.java

@@ -16,13 +16,16 @@
 
 package org.springframework.boot.autoconfigure.rsocket;
 
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
 import org.springframework.boot.rsocket.context.RSocketPortInfoApplicationContextInitializer;
 import org.springframework.boot.rsocket.context.RSocketServerBootstrap;
 import org.springframework.boot.rsocket.server.RSocketServerCustomizer;
 import org.springframework.boot.rsocket.server.RSocketServerFactory;
+import org.springframework.boot.ssl.NoSuchSslBundleException;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
@@ -44,6 +47,7 @@
  *
  * @author Brian Clozel
  * @author Verónica Vásquez
+ * @author Scott Frederick
  */
 class RSocketServerAutoConfigurationTests {
 
@@ -134,6 +138,32 @@ void shouldUseSslWhenRocketServerSslIsConfigured() {
 				.hasFieldOrPropertyWithValue("ssl.keyPassword", "password"));
 	}
 
+	@Test
+	@Disabled
+	void shouldUseSslWhenRocketServerSslIsConfiguredWithSslBundle() {
+		reactiveWebContextRunner()
+			.withPropertyValues("spring.rsocket.server.port=0", "spring.rsocket.server.ssl.bundle=test-bundle",
+					"spring.ssl.bundle.jks.test-bundle.keystore.location=classpath:rsocket/test.jks",
+					"spring.ssl.bundle.jks.test-bundle.key.password=password")
+			.run((context) -> assertThat(context).hasSingleBean(RSocketServerFactory.class)
+				.hasSingleBean(RSocketServerBootstrap.class)
+				.hasSingleBean(RSocketServerCustomizer.class)
+				.getBean(RSocketServerFactory.class)
+				.hasFieldOrPropertyWithValue("sslBundle.details.keyStore", "classpath:rsocket/test.jks")
+				.hasFieldOrPropertyWithValue("sslBundle.details.keyPassword", "password"));
+	}
+
+	@Test
+	void shouldFailWhenSslIsConfiguredWithMissingBundle() {
+		reactiveWebContextRunner()
+			.withPropertyValues("spring.rsocket.server.port=0", "spring.rsocket.server.ssl.bundle=test-bundle")
+			.run((context) -> {
+				assertThat(context).hasFailed();
+				assertThat(context.getStartupFailure()).hasRootCauseInstanceOf(NoSuchSslBundleException.class)
+					.withFailMessage("SSL bundle name 'test-bundle' is not valid");
+			});
+	}
+
 	@Test
 	void shouldUseCustomServerBootstrap() {
 		contextRunner().withUserConfiguration(CustomServerBootstrapConfig.class)
@@ -164,7 +194,7 @@ private ApplicationContextRunner contextRunner() {
 
 	private ReactiveWebApplicationContextRunner reactiveWebContextRunner() {
 		return new ReactiveWebApplicationContextRunner().withUserConfiguration(BaseConfiguration.class)
-			.withConfiguration(AutoConfigurations.of(RSocketServerAutoConfiguration.class));
+			.withConfiguration(AutoConfigurations.of(RSocketServerAutoConfiguration.class, SslAutoConfiguration.class));
 	}
 
 	@Configuration(proxyBeanMethods = false)

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/ReactiveWebServerFactoryAutoConfigurationTests.java

@@ -26,6 +26,8 @@
 import reactor.netty.http.server.HttpServer;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
+import org.springframework.boot.ssl.NoSuchSslBundleException;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.testsupport.web.servlet.DirtiesUrlFactories;
@@ -64,13 +66,15 @@
  * @author Brian Clozel
  * @author Raheela Aslam
  * @author Madhura Bhave
+ * @author Scott Frederick
  */
 @DirtiesUrlFactories
 class ReactiveWebServerFactoryAutoConfigurationTests {
 
 	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner(
 			AnnotationConfigReactiveWebServerApplicationContext::new)
-		.withConfiguration(AutoConfigurations.of(ReactiveWebServerFactoryAutoConfiguration.class));
+		.withConfiguration(
+				AutoConfigurations.of(ReactiveWebServerFactoryAutoConfiguration.class, SslAutoConfiguration.class));
 
 	@Test
 	void createFromConfigClass() {
@@ -118,6 +122,17 @@ void defaultWebServerIsTomcat() {
 				.isInstanceOf(TomcatReactiveWebServerFactory.class));
 	}
 
+	@Test
+	void webServerFailsWithInvalidSslBundle() {
+		this.contextRunner.withUserConfiguration(HttpHandlerConfiguration.class)
+			.withPropertyValues("server.port=0", "server.ssl.bundle=test-bundle")
+			.run((context) -> {
+				assertThat(context).hasFailed();
+				assertThat(context.getStartupFailure().getCause()).isInstanceOf(NoSuchSslBundleException.class)
+					.withFailMessage("test");
+			});
+	}
+
 	@Test
 	void tomcatConnectorCustomizerBeanIsAddedToFactory() {
 		ReactiveWebApplicationContextRunner runner = new ReactiveWebApplicationContextRunner(