Add SSL bundle support to WebClient auto-configuration

Introduce `WebClientSsl` interface and auto-configuration to allow a
WebClient builder to have custom SSL configuration applied.

The previous `ClientHttpConnectorConfiguration` has been been changed
to now create `ClientHttpConnectorFactory` instances which can be used
directly or by `AutoConfiguredWebClientSsl`.

Closes gh-18556

Author: philwebb

spring-boot-project/spring-boot-autoconfigure/build.gradle

@@ -59,6 +59,7 @@ dependencies {
 		exclude group: "commons-logging", module: "commons-logging"
 	}
 	optional("org.apache.httpcomponents.client5:httpclient5")
+	optional("org.apache.httpcomponents.core5:httpcore5-reactive");
 	optional("org.apache.kafka:kafka-streams")
 	optional("org.apache.tomcat.embed:tomcat-embed-core")
 	optional("org.apache.tomcat.embed:tomcat-embed-el")

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/AutoConfiguredWebClientSsl.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.web.reactive.function.client;
+
+import java.util.function.Consumer;
+
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslBundles;
+import org.springframework.http.client.reactive.ClientHttpConnector;
+import org.springframework.web.reactive.function.client.WebClient;
+
+/**
+ * An auto-configured {@link WebClientSsl} implementation.
+ *
+ * @author Phillip Webb
+ */
+class AutoConfiguredWebClientSsl implements WebClientSsl {
+
+	private final ClientHttpConnectorFactory<?> clientHttpConnectorFactory;
+
+	private final SslBundles sslBundles;
+
+	AutoConfiguredWebClientSsl(ClientHttpConnectorFactory<?> clientHttpConnectorFactory, SslBundles sslBundles) {
+		this.clientHttpConnectorFactory = clientHttpConnectorFactory;
+		this.sslBundles = sslBundles;
+	}
+
+	@Override
+	public Consumer<WebClient.Builder> fromBundle(String bundleName) {
+		return fromBundle(this.sslBundles.getBundle(bundleName));
+	}
+
+	@Override
+	public Consumer<WebClient.Builder> fromBundle(SslBundle bundle) {
+		return (builder) -> {
+			ClientHttpConnector connector = this.clientHttpConnectorFactory.createClientHttpConnector(bundle);
+			builder.clientConnector(connector);
+		};
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/ClientHttpConnectorAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,9 +17,12 @@
 package org.springframework.boot.autoconfigure.web.reactive.function.client;
 
 import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
 import org.springframework.boot.web.reactive.function.client.WebClientCustomizer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
@@ -36,19 +39,30 @@
  * HTTP client library.
  *
  * @author Brian Clozel
+ * @author Phillip Webb
  * @since 2.1.0
  */
 @AutoConfiguration
 @ConditionalOnClass(WebClient.class)
-@Import({ ClientHttpConnectorConfiguration.ReactorNetty.class, ClientHttpConnectorConfiguration.JettyClient.class,
-		ClientHttpConnectorConfiguration.HttpClient5.class, ClientHttpConnectorConfiguration.JdkClient.class })
+@AutoConfigureAfter(SslAutoConfiguration.class)
+@Import({ ClientHttpConnectorFactoryConfiguration.ReactorNetty.class,
+		ClientHttpConnectorFactoryConfiguration.JettyClient.class,
+		ClientHttpConnectorFactoryConfiguration.HttpClient5.class,
+		ClientHttpConnectorFactoryConfiguration.JdkClient.class })
 public class ClientHttpConnectorAutoConfiguration {
 
+	@Bean
+	@Lazy
+	@ConditionalOnMissingBean(ClientHttpConnector.class)
+	ClientHttpConnector webClientHttpConnector(ClientHttpConnectorFactory<?> clientHttpConnectorFactory) {
+		return clientHttpConnectorFactory.createClientHttpConnector();
+	}
+
 	@Bean
 	@Lazy
 	@Order(0)
 	@ConditionalOnBean(ClientHttpConnector.class)
-	public WebClientCustomizer clientConnectorCustomizer(ClientHttpConnector clientHttpConnector) {
+	public WebClientCustomizer webClientHttpConnectorCustomizer(ClientHttpConnector clientHttpConnector) {
 		return (builder) -> builder.clientConnector(clientHttpConnector);
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/ClientHttpConnectorFactory.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.web.reactive.function.client;
+
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.http.client.reactive.ClientHttpConnector;
+
+/**
+ * Internal factory used to create {@link ClientHttpConnector} instances.
+ *
+ * @param <T> the {@link ClientHttpConnector} type
+ * @author Phillip Webb
+ */
+@FunctionalInterface
+interface ClientHttpConnectorFactory<T extends ClientHttpConnector> {
+
+	default T createClientHttpConnector() {
+		return createClientHttpConnector(null);
+	}
+
+	T createClientHttpConnector(SslBundle sslBundle);
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/ClientHttpConnectorConfiguration.java renamed to spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/ClientHttpConnectorFactoryConfiguration.java

@@ -18,10 +18,7 @@
 
 import org.apache.hc.client5.http.impl.async.HttpAsyncClients;
 import org.apache.hc.core5.http.nio.AsyncRequestProducer;
-import org.eclipse.jetty.client.HttpClient;
-import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
-import org.eclipse.jetty.io.ClientConnector;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.apache.hc.core5.reactive.ReactiveResponseConsumer;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
@@ -30,13 +27,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
-import org.springframework.context.annotation.Lazy;
-import org.springframework.http.client.reactive.ClientHttpConnector;
-import org.springframework.http.client.reactive.HttpComponentsClientHttpConnector;
-import org.springframework.http.client.reactive.JdkClientHttpConnector;
-import org.springframework.http.client.reactive.JettyClientHttpConnector;
 import org.springframework.http.client.reactive.JettyResourceFactory;
-import org.springframework.http.client.reactive.ReactorClientHttpConnector;
 import org.springframework.http.client.reactive.ReactorResourceFactory;
 
 /**
@@ -47,30 +38,26 @@
  *
  * @author Brian Clozel
  */
-@Configuration(proxyBeanMethods = false)
-class ClientHttpConnectorConfiguration {
+class ClientHttpConnectorFactoryConfiguration {
 
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnClass(reactor.netty.http.client.HttpClient.class)
-	@ConditionalOnMissingBean(ClientHttpConnector.class)
+	@ConditionalOnMissingBean(ClientHttpConnectorFactory.class)
 	@Import(ReactorNettyConfigurations.ReactorResourceFactoryConfiguration.class)
 	static class ReactorNetty {
 
 		@Bean
-		@Lazy
-		ReactorClientHttpConnector reactorClientHttpConnector(ReactorResourceFactory reactorResourceFactory,
+		ReactorClientHttpConnectorFactory reactorClientHttpConnectorFactory(
+				ReactorResourceFactory reactorResourceFactory,
 				ObjectProvider<ReactorNettyHttpClientMapper> mapperProvider) {
-			ReactorNettyHttpClientMapper mapper = mapperProvider.orderedStream()
-				.reduce((before, after) -> (client) -> after.configure(before.configure(client)))
-				.orElse((client) -> client);
-			return new ReactorClientHttpConnector(reactorResourceFactory, mapper::configure);
+			return new ReactorClientHttpConnectorFactory(reactorResourceFactory, mapperProvider::orderedStream);
 		}
 
 	}
 
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnClass(org.eclipse.jetty.reactive.client.ReactiveRequest.class)
-	@ConditionalOnMissingBean(ClientHttpConnector.class)
+	@ConditionalOnMissingBean(ClientHttpConnectorFactory.class)
 	static class JettyClient {
 
 		@Bean
@@ -80,40 +67,32 @@ JettyResourceFactory jettyClientResourceFactory() {
 		}
 
 		@Bean
-		@Lazy
-		JettyClientHttpConnector jettyClientHttpConnector(JettyResourceFactory jettyResourceFactory) {
-			SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
-			ClientConnector connector = new ClientConnector();
-			connector.setSslContextFactory(sslContextFactory);
-			HttpClientTransportOverHTTP transport = new HttpClientTransportOverHTTP(connector);
-			HttpClient httpClient = new HttpClient(transport);
-			return new JettyClientHttpConnector(httpClient, jettyResourceFactory);
+		JettyClientHttpConnectorFactory jettyClientHttpConnectorFactory(JettyResourceFactory jettyResourceFactory) {
+			return new JettyClientHttpConnectorFactory(jettyResourceFactory);
 		}
 
 	}
 
 	@Configuration(proxyBeanMethods = false)
-	@ConditionalOnClass({ HttpAsyncClients.class, AsyncRequestProducer.class })
-	@ConditionalOnMissingBean(ClientHttpConnector.class)
+	@ConditionalOnClass({ HttpAsyncClients.class, AsyncRequestProducer.class, ReactiveResponseConsumer.class })
+	@ConditionalOnMissingBean(ClientHttpConnectorFactory.class)
 	static class HttpClient5 {
 
 		@Bean
-		@Lazy
-		HttpComponentsClientHttpConnector httpComponentsClientHttpConnector() {
-			return new HttpComponentsClientHttpConnector();
+		HttpComponentsClientHttpConnectorFactory httpComponentsClientHttpConnectorFactory() {
+			return new HttpComponentsClientHttpConnectorFactory();
 		}
 
 	}
 
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnClass(java.net.http.HttpClient.class)
-	@ConditionalOnMissingBean(ClientHttpConnector.class)
+	@ConditionalOnMissingBean(ClientHttpConnectorFactory.class)
 	static class JdkClient {
 
 		@Bean
-		@Lazy
-		JdkClientHttpConnector jdkClientHttpConnector() {
-			return new JdkClientHttpConnector();
+		JdkClientHttpConnectorFactory jdkClientHttpConnectorFactory() {
+			return new JdkClientHttpConnectorFactory();
 		}
 
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/HttpComponentsClientHttpConnectorFactory.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.web.reactive.function.client;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+
+import org.apache.hc.client5.http.impl.async.HttpAsyncClientBuilder;
+import org.apache.hc.client5.http.impl.async.HttpAsyncClients;
+import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.nio.AsyncClientConnectionManager;
+import org.apache.hc.core5.http.nio.ssl.BasicClientTlsStrategy;
+import org.apache.hc.core5.net.NamedEndpoint;
+import org.apache.hc.core5.reactor.ssl.SSLSessionVerifier;
+import org.apache.hc.core5.reactor.ssl.TlsDetails;
+
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslOptions;
+import org.springframework.http.client.reactive.HttpComponentsClientHttpConnector;
+
+/**
+ * {@link ClientHttpConnectorFactory} for {@link HttpComponentsClientHttpConnector}.
+ *
+ * @author Phillip Webb
+ */
+class HttpComponentsClientHttpConnectorFactory
+		implements ClientHttpConnectorFactory<HttpComponentsClientHttpConnector> {
+
+	@Override
+	public HttpComponentsClientHttpConnector createClientHttpConnector(SslBundle sslBundle) {
+		HttpAsyncClientBuilder builder = HttpAsyncClients.custom();
+		if (sslBundle != null) {
+			SslOptions options = sslBundle.getOptions();
+			SSLContext sslContext = sslBundle.createSslContext();
+			SSLSessionVerifier sessionVerifier = new SSLSessionVerifier() {
+
+				@Override
+				public TlsDetails verify(NamedEndpoint endpoint, SSLEngine sslEngine) throws SSLException {
+					if (options.getCiphers() != null) {
+						sslEngine.setEnabledCipherSuites(options.getCiphers().toArray(String[]::new));
+					}
+					if (options.getEnabledProtocols() != null) {
+						sslEngine.setEnabledProtocols(options.getEnabledProtocols().toArray(String[]::new));
+					}
+					return null;
+				}
+
+			};
+			BasicClientTlsStrategy tlsStrategy = new BasicClientTlsStrategy(sslContext, sessionVerifier);
+			AsyncClientConnectionManager connectionManager = PoolingAsyncClientConnectionManagerBuilder.create()
+				.setTlsStrategy(tlsStrategy)
+				.build();
+			builder.setConnectionManager(connectionManager);
+		}
+		return new HttpComponentsClientHttpConnector(builder.build());
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/function/client/JdkClientHttpConnectorFactory.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.web.reactive.function.client;
+
+import java.net.http.HttpClient;
+import java.net.http.HttpClient.Builder;
+import java.util.Set;
+
+import javax.net.ssl.SSLParameters;
+
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.http.client.reactive.JdkClientHttpConnector;
+import org.springframework.http.client.reactive.JettyClientHttpConnector;
+import org.springframework.util.CollectionUtils;
+
+/**
+ * {@link ClientHttpConnectorFactory} for {@link JettyClientHttpConnector}.
+ *
+ * @author Phillip Webb
+ */
+class JdkClientHttpConnectorFactory implements ClientHttpConnectorFactory<JdkClientHttpConnector> {
+
+	@Override
+	public JdkClientHttpConnector createClientHttpConnector(SslBundle sslBundle) {
+		Builder builder = HttpClient.newBuilder();
+		if (sslBundle != null) {
+			builder.sslContext(sslBundle.createSslContext());
+			SSLParameters parameters = new SSLParameters();
+			parameters.setCipherSuites(asArray(sslBundle.getOptions().getCiphers()));
+			parameters.setProtocols(asArray(sslBundle.getOptions().getEnabledProtocols()));
+			builder.sslParameters(parameters);
+		}
+		return new JdkClientHttpConnector(builder.build());
+	}
+
+	private String[] asArray(Set<String> set) {
+		return (CollectionUtils.isEmpty(set)) ? null : set.toArray(String[]::new);
+	}
+
+}