Upgrade to Tomcat 8.0.28 and test support for SSL config from classpath

wilkinsona · wilkinsona · commit d33d068fae30 · 2015-10-12T13:36:32.000+01:00
Prior to 8.0.28 Tomcat required the key store and trust store (if any) to be available directly on the filesystem, i.e. classpath: resources would not work. Tomcat 8.0.28 removed this limitation. This commit updates to Tomcat 8.0.28, updates the tests to verify the new Tomcat capability and removes the obsolete documentation of the restriction. Closes gh-4048
diff --git a/spring-boot-dependencies/pom.xml b/spring-boot-dependencies/pom.xml
@@ -134,7 +134,7 @@
 		<thymeleaf-extras-conditionalcomments.version>2.1.1.RELEASE</thymeleaf-extras-conditionalcomments.version>
 		<thymeleaf-layout-dialect.version>1.2.9</thymeleaf-layout-dialect.version>
 		<thymeleaf-extras-data-attribute.version>1.3</thymeleaf-extras-data-attribute.version>
-		<tomcat.version>8.0.26</tomcat.version>
+		<tomcat.version>8.0.28</tomcat.version>
 		<undertow.version>1.1.8.Final</undertow.version>
 		<velocity.version>1.7</velocity.version>
 		<velocity-tools.version>2.0</velocity-tools.version>
diff --git a/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-docs/src/main/asciidoc/howto.adoc
@@ -423,10 +423,6 @@ typically in `application.properties` or `application.yml`. For example:
 See {sc-spring-boot}/context/embedded/Ssl.{sc-ext}[`Ssl`] for details of all of the
 supported properties.
 
-NOTE: Tomcat requires the key store (and trust store if you're using one) to be directly
-accessible on the filesystem, i.e. it cannot be read from within a jar file. This
-limitation doesn't apply to Jetty and Undertow.
-
 Using configuration like the example above means the application will no longer support
 plain HTTP connector at port 8080. Spring Boot doesn't support the configuration of both
 an HTTP connector and an HTTPS connector via `application.properties`. If you want to
diff --git a/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/application.properties b/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/application.properties
@@ -1,4 +1,4 @@
 server.port = 8443
-server.ssl.key-store = sample.jks
+server.ssl.key-store = classpath:sample.jks
 server.ssl.key-store-password = secret
-server.ssl.key-password = password
+server.ssl.key-password = password
diff --git a/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/sample.jks b/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/sample.jks
diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/tomcat/TomcatEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/tomcat/TomcatEmbeddedServletContainerFactory.java
@@ -285,8 +285,7 @@ else if (ssl.getClientAuth() == ClientAuth.WANT) {
 
 	private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
 		try {
-			File file = ResourceUtils.getFile(ssl.getKeyStore());
-			protocol.setKeystoreFile(file.getAbsolutePath());
+			protocol.setKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString());
 		}
 		catch (FileNotFoundException ex) {
 			throw new EmbeddedServletContainerException(
@@ -303,8 +302,8 @@ private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ss
 	private void configureSslTrustStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
 		if (ssl.getTrustStore() != null) {
 			try {
-				File file = ResourceUtils.getFile(ssl.getTrustStore());
-				protocol.setTruststoreFile(file.getAbsolutePath());
+				protocol.setTruststoreFile(
+						ResourceUtils.getURL(ssl.getTrustStore()).toString());
 			}
 			catch (FileNotFoundException ex) {
 				throw new EmbeddedServletContainerException(
diff --git a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -311,14 +311,19 @@ public void errorPage() throws Exception {
 	}
 
 	@Test
-	public void basicSsl() throws Exception {
+	public void basicSslFromClassPath() throws Exception {
+		testBasicSslWithKeyStore("classpath:test.jks");
+	}
+
+	@Test
+	public void basicSslFromFileSystem() throws Exception {
 		testBasicSslWithKeyStore("src/test/resources/test.jks");
 	}
 
 	@Test
 	public void sslDisabled() throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
-		Ssl ssl = getSsl(null, "password", "src/test/resources/test.jks");
+		Ssl ssl = getSsl(null, "password", "classpath:test.jks");
 		ssl.setEnabled(false);
 		factory.setSsl(ssl);
 		this.container = factory.getEmbeddedServletContainer(
@@ -374,8 +379,8 @@ protected final void testBasicSslWithKeyStore(String keyStore) throws Exception
 	public void pkcs12KeyStoreAndTrustStore() throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);
-		factory.setSsl(getSsl(ClientAuth.NEED, null, "src/test/resources/test.p12",
-				"src/test/resources/test.p12"));
+		factory.setSsl(getSsl(ClientAuth.NEED, null, "classpath:test.p12",
+				"classpath:test.p12"));
 		this.container = factory.getEmbeddedServletContainer();
 		this.container.start();
 		KeyStore keyStore = KeyStore.getInstance("pkcs12");
@@ -398,8 +403,8 @@ public void sslNeedsClientAuthenticationSucceedsWithClientCertificate()
 			throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);
-		factory.setSsl(getSsl(ClientAuth.NEED, "password", "src/test/resources/test.jks",
-				"src/test/resources/test.jks"));
+		factory.setSsl(getSsl(ClientAuth.NEED, "password", "classpath:test.jks",
+				"classpath:test.jks"));
 		this.container = factory.getEmbeddedServletContainer();
 		this.container.start();
 		KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
@@ -422,8 +427,7 @@ public void sslNeedsClientAuthenticationFailsWithoutClientCertificate()
 			throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);
-		factory.setSsl(
-				getSsl(ClientAuth.NEED, "password", "src/test/resources/test.jks"));
+		factory.setSsl(getSsl(ClientAuth.NEED, "password", "classpath:test.jks"));
 		this.container = factory.getEmbeddedServletContainer();
 		this.container.start();
 		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
@@ -441,8 +445,7 @@ public void sslWantsClientAuthenticationSucceedsWithClientCertificate()
 			throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);
-		factory.setSsl(
-				getSsl(ClientAuth.WANT, "password", "src/test/resources/test.jks"));
+		factory.setSsl(getSsl(ClientAuth.WANT, "password", "classpath:test.jks"));
 		this.container = factory.getEmbeddedServletContainer();
 		this.container.start();
 		KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
@@ -465,8 +468,7 @@ public void sslWantsClientAuthenticationSucceedsWithoutClientCertificate()
 			throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);
-		factory.setSsl(
-				getSsl(ClientAuth.WANT, "password", "src/test/resources/test.jks"));
+		factory.setSsl(getSsl(ClientAuth.WANT, "password", "classpath:test.jks"));
 		this.container = factory.getEmbeddedServletContainer();
 		this.container.start();
 		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
