webdav: Drop plain https connector

Drops the Java https connector and renames https-jglobus to
https.

In the past, the main benefit of having a non-JGlobus connector was that it
didn't use the old PureTLS implementation, and optionally supported
asynchronous I/O. With the rewritten support for JGlobus, the two connectors
were much more similar than in the past, sharing both the I/O path and the TLS
implementation. The only difference between them in dCache 2.11 is how they
deal with certificates, and the JGlobus based one is more powerful in that
respect.

The webdav.authn.protocol=https-jglobus value is now just an alias for https.
webdav.authn.keystore, webdav.authn.keystore.password, webdav.authn.truststore,
and webdav.authn.truststore.password are now forbidden properties.

Target: trunk
Require-notes: yes
Require-book: yes
Acked-by: Paul Millar <paul.millar@desy.de>
Patch: https://rb.dcache.org/r/7420/

modules/dcache-webdav/src/main/resources/org/dcache/webdav/webdav.xml

@@ -337,35 +337,6 @@
     </beans>
 
     <beans profile="connector-https">
-        <bean id="server-connector" class="org.eclipse.jetty.server.ServerConnector">
-            <description>HTTPS connector</description>
-            <constructor-arg ref="jetty"/>
-            <constructor-arg value="${webdav.limits.acceptors}"/>
-            <constructor-arg value="-1"/>
-            <constructor-arg>
-                <bean class="org.eclipse.jetty.util.ssl.SslContextFactory">
-                    <property name="keyStorePath" value="${webdav.authn.keystore}"/>
-                    <property name="keyStoreType" value="PKCS12"/>
-                    <property name="keyStorePassword" value="${webdav.authn.keystore.password}"/>
-                    <property name="trustStorePath" value="${webdav.authn.truststore}"/>
-                    <property name="trustStorePassword" value="${webdav.authn.truststore.password}"/>
-                    <property name="wantClientAuth" value="${webdav.authn.accept-client-cert}"/>
-                    <property name="needClientAuth" value="${webdav.authn.require-client-cert}"/>
-                    <property name="excludeCipherSuites" ref="banned-ciphers"/>
-                </bean>
-            </constructor-arg>
-
-            <property name="host" value="#{ '${webdav.net.listen}'.equals('any') ? null : '${webdav.net.listen}' }"/>
-            <property name="port" value="${webdav.net.port}"/>
-            <property name="acceptQueueSize" value="${webdav.limits.backlog}"/>
-            <property name="idleTimeout"
-                      value="#{T(java.util.concurrent.TimeUnit).MILLISECONDS.convert(
-                                  ${webdav.limits.idle-time},
-                                  '${webdav.limits.idle-time.unit}')}" />
-        </bean>
-    </beans>
-
-    <beans profile="connector-https-jglobus">
         <bean id="server-connector" class="org.dcache.util.jetty.GlobusConnectorFactoryBean">
             <description>HTTPS connector supporting grid certificates</description>
 

packages/system-test/src/main/skel/etc/layouts/system-test.conf

@@ -142,16 +142,6 @@ webdav.redirect.on-read=false
 webdav.redirect.on-write=false
 webdav.net.internal=127.0.0.1
 
-[dCacheDomain/webdav]
-webdav.cell.name=WebDAV-S-jglobus-${host.name}
-webdav.net.port=2882
-webdav.authz.anonymous-operations=READONLY
-webdav.authn.basic=true
-webdav.authn.protocol=https-jglobus
-webdav.redirect.on-read=false
-webdav.redirect.on-write=false
-webdav.net.internal=127.0.0.1
-
 [dCacheDomain/srm]
 srm.net.host=localhost
 srm.persistence.enable.history=true

skel/share/defaults/webdav.properties

@@ -329,19 +329,18 @@ webdav.authz.allowed-paths = /
 #
 #   Specifies whether the HTTP or the HTTPS protocol is used. For
 #   HTTPS, a server certificate and a trust store need to be
-#   created.
-#
-#   Alternatively to https, the https-jglobus option provides HTTPS
-#   support through the JGlobus library. JGlobus accesses the host and
-#   CA certificates in /etc/grid-security/ directly. In contrast to
-#   the plain Java SSL implementation JGlobus accepts proxy
-#   certificates, including VOMS proxy certificates. The protocol
-#   between the client and the server is however the same for https
-#   and https-jglobus.
+#   created. By default these are stored under /etc/grid-security/.
 #
+#   The value https-jglobus is deprecated and is an alias for https.
+
 (forbidden)webdavProtocol = Use webdav.authn.protocol
 (one-of?http|https|https-jglobus)webdav.authn.protocol = http
 
+(immutable)webdav.authn.profile-for-http = http
+(immutable)webdav.authn.profile-for-https = https
+(immutable)webdav.authn.profile-for-https-jglobus = https
+(immutable)webdav.authn.profile = ${webdav.authn.profile-for-${webdav.authn.protocol}}
+
 #  ---- Server certificate
 #
 #   This parameter specifies the path to the file containing the
@@ -351,16 +350,16 @@ webdav.authz.allowed-paths = /
 #   WebDAV door. Use the 'bin/dcache import hostcert' command to
 #   perform this task.
 #
-(forbidden)webdavKeyStore = Use webdav.authn.keystore
-webdav.authn.keystore = ${dcache.authn.keystore}
+(forbidden)webdavKeyStore = Use webdav.authn.hostcert.* instead
+(forbidden)webdav.authn.keystore = Use webdav.authn.hostcert.* instead
 
 #  ---- Password for server certificate
 #
 #   This parameter specifies the password with which the PKCS12 encoded
 #   server certificate is encrypted.
 #
-(forbidden)webdavKeyStorePassword = Use webdav.authn.keystore.password
-webdav.authn.keystore.password = ${dcache.authn.keystore.password}
+(forbidden)webdavKeyStorePassword = Use webdav.authn.hostcert.* instead
+(forbidden)webdav.authn.keystore.password = Use webdav.authn.hostcert.* instead
 
 #  ---- Trusted CA certificates
 #
@@ -371,16 +370,16 @@ webdav.authn.keystore.password = ${dcache.authn.keystore.password}
 #   Keystore file before they can be used with the WebDAV door. Use
 #   the 'bin/dcache import cacerts' command to perform this task.
 #
-(forbidden)webdavTrustStore = Use webdav.authn.truststore
-webdav.authn.truststore = ${dcache.authn.truststore}
+(forbidden)webdavTrustStore = Use webdav.authn.capath instead
+(forbidden)webdav.authn.truststore = Use webdav.authn.capath instead
 
 #  ---- Password for trusted CA certificates
 #
 #   This parameter specifies the password with which the Java Keystore
 #   containing the trusted CA certificates is encrypted.
 #
-(forbidden)webdavTrustStorePassword = Use webdav.authn.truststore.password
-webdav.authn.truststore.password = ${dcache.authn.truststore.password}
+(forbidden)webdavTrustStorePassword = Use webdav.authn.capath instead
+(forbidden)webdav.authn.truststore.password = Use webdav.authn.capath instead
 
 #  ---- Whether client certificates are accepted for HTTPS
 #
@@ -410,17 +409,17 @@ webdav.authn.truststore.password = ${dcache.authn.truststore.password}
 (forbidden)webdavBasicAuthentication = Use webdav.authn.basic
 (one-of?true|false)webdav.authn.basic = false
 
-# Host certificate for https-jglobus authentication
+# Host (server) certificate for https authentication
 webdav.authn.hostcert.cert=${dcache.authn.hostcert.cert}
 
-# Host key for https-jglobus authentication
+# Host (server) key for https authentication
 webdav.authn.hostcert.key=${dcache.authn.hostcert.key}
 
 # How often to check the host certificate for updates
 webdav.authn.hostcert.refresh=${dcache.authn.hostcert.refresh}
 (one-of?MILLISECONDS|SECONDS|MINUTES|HOURS|DAYS|${dcache.authn.hostcert.refresh.unit})webdav.authn.hostcert.refresh.unit=${dcache.authn.hostcert.refresh.unit}
 
-# Path to directory with trusted CA certificates for https-jglobus authentication
+# Path to directory with trusted CA certificates for https authentication
 webdav.authn.capath=${dcache.authn.capath}
 
 # How often to check the CA certificates for updates

skel/share/services/webdav.batch

@@ -40,7 +40,7 @@ check -strong webdav.mover.transfer-confirmation-timeout.unit
 check -strong webdav.authn.accept-client-cert
 check -strong webdav.authn.require-client-cert
 check -strong webdav.authn.basic
-check -strong webdav.authn.protocol
+check -strong webdav.authn.profile
 check -strong webdav.static-content.dir.local
 check -strong webdav.static-content.dir.default
 check -strong webdav.static-content.location
@@ -82,16 +82,6 @@ set env have_truststore ${rc}
 onerror shutdown
 
 define env verify-https.exe enddefine
-  check -strong webdav.authn.keystore
-  check webdav.authn.keystore.password
-  check -strong webdav.authn.truststore
-  check webdav.authn.truststore.password
-
-  exec env failMissingKeyStore.exe -ifnotok=have_keystore
-  exec env failMissingTrustStore.exe -ifnotok=have_truststore
-enddefine
-
-define env verify-https-jglobus.exe enddefine
   check -strong webdav.authn.hostcert.refresh
   check -strong webdav.authn.hostcert.refresh.unit
   check -strong webdav.authn.capath.refresh
@@ -101,22 +91,10 @@ define env verify-https-jglobus.exe enddefine
   check -strong webdav.authn.capath
 enddefine
 
-define env failMissingKeyStore.exe enddefine
-   say -level=esay "The key-store file ${webdav.authn.keystore} is missing.  Please generate it with:"
-   say -level=esay "     dcache import hostcert --out=${webdav.authn.keystore}"
-   exit 1
-enddefine
-
-define env failMissingTrustStore.exe enddefine
-   say -level=esay "The TrustStore file ${webdav.authn.truststore} is missing.  Please generate it with:"
-   say -level=esay "     dcache import cacerts --out=${webdav.authn.truststore}"
-   exit 1
-enddefine
-
-exec env verify-${webdav.authn.protocol}.exe
+exec env verify-${webdav.authn.profile}.exe
 
 onerror shutdown
 create org.dcache.cells.UniversalSpringCell ${webdav.cell.name} \
    "classpath:org/dcache/webdav/webdav.xml \
-    -profiles=connector-${webdav.authn.protocol},missing-files-${webdav.enable.missing-files} \
+    -profiles=connector-${webdav.authn.profile},missing-files-${webdav.enable.missing-files} \
     -export=${webdav.cell.export} -cellClass=WebDAVDoor"