; Copyright 2013 Relevance, Inc.
; Copyright 2014-2019 Cognitect, Inc.
; The use and distribution terms for this software are covered by the
; Eclipse Public License 1.0 (http://opensource.org/licenses/eclipse-1.0)
; which can be found in the file epl-v10.html at the root of this distribution.
;
; By using this software in any fashion, you are agreeing to be bound by
; the terms of this license.
;
; You must not remove this notice, or any other, from this software.
(ns io.pedestal.http.tomcat
(:require [clojure.java.io :as io])
(:import (org.apache.catalina.startup Tomcat)
(org.apache.catalina.connector Connector)
(javax.servlet Servlet)))
;; These SSL configs are fixed to static values:
;; setSecure - true
;; setScheme - https
;; SSLEnabled - true
;; sslProtocol - TLS
;;
;; For compatibility with the other web-server adapters, four SSL config
;; parameters are accepted only as the keyword keys below:
;; :ssl-port, :client-auth, :key-password, :keystore
;;
;; Tomcat has many other SSL configs. Those Tomcat-specific settings
;; can be given by either string or keyword keys. The set below lists
;; every supported key; any other key is ignored rather than forwarded.
(def ssl-opt-keys
  "Allow-list of Tomcat-specific TLS connector attributes that
  `apply-ssl-opts` forwards verbatim (given as string or keyword keys).
  Anything not listed here is dropped, so this set is the boundary between
  the portable Pedestal options and raw Tomcat connector configuration.

  Security notes for operators:
  - :allowUnsafeLegacyRenegotiation opts back in to the renegotiation
    behaviour its own name calls unsafe; leave it unset unless a legacy
    client forces the issue.
  - :ciphers and :useServerCipherSuitesOrder are the only knobs here for
    hardening the negotiated cipher suite.
  - NOTE(review): no key in this set selects the enabled TLS protocol
    versions; that is left to whatever Tomcat/the JVM default to -- confirm
    this is intended before relying on it."
  (hash-set
   ;; key material and provider selection
   :algorithm
   :keyAlias
   :keyPass
   :keystoreProvider
   :keystoreType
   :sslImplementationName
   ;; cipher-suite negotiation
   :ciphers
   :useServerCipherSuitesOrder
   :allowUnsafeLegacyRenegotiation
   ;; client-certificate verification
   :clientCertProvider
   :crlFile
   :trustManagerClassName
   :trustMaxCertLength
   :truststoreAlgorithm
   :truststoreFile
   :truststorePass
   :truststoreProvider
   :truststoreType
   ;; TLS session cache
   :sessionCacheSize
   :sessionTimeout))
(defn apply-ssl-opts
  "Copies the Tomcat-specific TLS settings in `opts` onto `connector` and
  returns the connector.

  Keys may be strings or keywords; each is normalised to a keyword and only
  forwarded to `Connector.setAttribute` when it appears in `ssl-opt-keys`,
  so callers cannot set arbitrary connector attributes through this path.
  Keys outside that set are dropped without a warning.  Values are passed
  through untouched."
  [^Connector connector opts]
  (let [normalised (into {}
                         (map (fn [[k v]] [(keyword k) v]))
                         opts)]
    (doseq [[attr v] normalised
            :when (contains? ssl-opt-keys attr)]
      (.setAttribute connector (name attr) v))
    connector))
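(defn ssl-conn-factory
  "Builds the HTTPS `Connector` for the container from the `:container-options`
  map `opts`.

  Portable keys (shared with the other Pedestal container adapters):
    :ssl-port     - port to listen on (default 8443)
    :client-auth  - :need (a client certificate is required), :want (one is
                    requested but the handshake succeeds without it) or
                    :none (never requested; the default)
    :keystore     - path of the keystore holding the server certificate
    :key-password - password of that keystore; it is also used as the
                    key-entry password (`keyPass`) unless a :keyPass
                    pass-through option overrides it

  :keystore and :key-password must both be present for either to take
  effect.  All remaining keys are handed to `apply-ssl-opts`, which only
  forwards the Tomcat attributes listed in `ssl-opt-keys`.

  Throws `ExceptionInfo` when :client-auth is not one of the three
  documented keywords, rather than silently picking a verification mode."
  [opts]
  (let [{:keys [ssl-port client-auth keystore key-password] :as opts}
        (merge {:ssl-port    8443
                :client-auth :none}
               opts)
        ;; Tomcat's `clientAuth` attribute distinguishes three modes:
        ;; "true" (certificate required), "want" (requested, optional) and
        ;; "false" (off).  The former `(not= :none client-auth)` test mapped
        ;; :want to true, i.e. *required*, contradicting the documented
        ;; meaning of :want.
        client-auth-attr (case client-auth
                           :need true
                           :want "want"
                           :none false
                           (throw (ex-info "Unsupported :client-auth value; expected :need, :want or :none"
                                           {:client-auth client-auth})))
        connector (doto (Connector.)
                    (.setPort ssl-port)
                    (.setSecure true)
                    (.setScheme "https")
                    (.setAttribute "SSLEnabled" true)
                    ;; "TLS" names the JSSE SSLContext algorithm; it does
                    ;; not pin a particular TLS version.
                    (.setAttribute "sslProtocol" "TLS")
                    (.setAttribute "clientAuth" client-auth-attr)
                    (.setAttribute "socket.soReuseAddress" true))]
    ;; Without both values the connector is left with no server certificate
    ;; configured, as before; Tomcat will report that at startup.
    (when (and keystore key-password)
      (.setAttribute connector "keystoreFile" keystore)
      (.setAttribute connector "keyPass" key-password)
      (.setAttribute connector "keystorePass" key-password))
    ;; Pass-through settings are applied last so an explicit :keyPass etc.
    ;; wins over the defaults derived above.
    (apply-ssl-opts connector (dissoc opts :keystore :key-password))
    connector))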
(defn- create-server
  "Constructs a Tomcat Server instance hosting `servlet` at \"/*\".

  `options` may carry :port (HTTP port, default 8080) and
  :container-options, whose :ssl? / :ssl-port keys enable an additional
  HTTPS connector built by `ssl-conn-factory`.

  Tomcat needs a writable base directory; it is created at the relative
  path `tmp/tomcat.<port>` under the process's working directory, so the
  working directory should not be writable by other local users.  The
  `X-Powered-By` header is disabled on the HTTP connector."
  [^Servlet servlet options]
  (let [http-port       (get options :port 8080)
        container-opts  (:container-options options)
        base-dir        (str "tmp/tomcat." http-port)
        public-dir      (io/file base-dir "public")
        https-connector (when (or (:ssl? container-opts)
                                  (:ssl-port container-opts))
                          (ssl-conn-factory container-opts))]
    (.mkdirs (io/file base-dir "webapps"))
    (.mkdirs public-dir)
    (let [tomcat  (Tomcat.)
          _       (.setPort tomcat http-port)
          _       (.setBaseDir tomcat base-dir)
          context (.addContext tomcat "/" (.getAbsolutePath public-dir))
          http    (.getConnector tomcat)]
      ;; Core HTTP connector: no version banner, fast rebinding on restart.
      (.setXpoweredBy http false)
      (.setAttribute http "socket.soReuseAddress" true)
      (Tomcat/addServlet context "default" servlet)
      (.addServletMappingDecoded context "/*" "default")
      (when https-connector
        (.addConnector (.getService tomcat) https-connector))
      tomcat)))
(defn start
  "Starts `server`.  When `:join?` in the options map is true (the default)
  the calling thread then blocks in `Server.await` until the server is
  shut down; pass `{:join? false}` to return immediately."
  [^Tomcat server options]
  (let [join? (get options :join? true)]
    (.start server)
    (when join?
      (-> server .getServer .await))))
(defn stop
  "Stops a running Tomcat `server`."
  [^Tomcat server]
  (-> server .stop))
(defn server
  "Container entry point used by io.pedestal.http.

  Builds a Tomcat server around the servlet found under
  `:io.pedestal.http/servlet` in `service-map` and returns a map with
  :server (the Tomcat instance), :start-fn and :stop-fn.  `options` is
  passed to both `create-server` and `start`; it defaults to `{}`."
  ([service-map]
   (server service-map {}))
  ([service-map options]
   (let [servlet (:io.pedestal.http/servlet service-map)
         tomcat  (create-server servlet options)]
     {:server   tomcat
      :start-fn (fn [] (start tomcat options))
      :stop-fn  (fn [] (stop tomcat))})))
;; :ssl? - allow connections over HTTPS
;; :ssl-port - the SSL port to listen on (defaults to 8443, implies :ssl?)
;; :keystore - the keystore to use for SSL connections
;; :key-password - the password to the keystore (both :keystore and
;;                 :key-password must be supplied for either to take effect)
;; :client-auth - SSL client certificate authentication; may be set to :need,
;;                :want or :none (defaults to :none)