[WFLY-7039] Add ssl-context references to the reverse proxy handler h…

…ost resource as an alternative to security-realm references.
wildfly · Sep 6, 2016 · 2691520 · 2691520
1 parent f114207
commit 2691520
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 9 deletions.
diff --git a/undertow/src/main/java/org/wildfly/extension/undertow/UndertowSubsystemParser_4_0.java b/undertow/src/main/java/org/wildfly/extension/undertow/UndertowSubsystemParser_4_0.java
@@ -246,6 +246,7 @@ public class UndertowSubsystemParser_4_0 extends PersistentResourceXMLParser {
                                                                 ReverseProxyHandlerHost.SCHEME,
                                                                 ReverseProxyHandlerHost.PATH,
                                                                 ReverseProxyHandlerHost.INSTANCE_ID,
+                                                                ReverseProxyHandlerHost.SSL_CONTEXT,
                                                                 ReverseProxyHandlerHost.SECURITY_REALM))
                                 )
 

diff --git a/undertow/src/main/java/org/wildfly/extension/undertow/filters/ModClusterDefinition.java b/undertow/src/main/java/org/wildfly/extension/undertow/filters/ModClusterDefinition.java
@@ -62,7 +62,7 @@
  */
 public class ModClusterDefinition extends AbstractHandlerDefinition {
 
-    protected static final String MOD_CLUSTER_FILTER_CAPABILITY_NAME = "org.wildfly.undertow.mod_cluster_filter";
+    private static final String MOD_CLUSTER_FILTER_CAPABILITY_NAME = "org.wildfly.undertow.mod_cluster_filter";
     static final String SSL_CONTEXT_CAPABILITY = "org.wildfly.security.ssl-context";
 
     public static final AttributeDefinition MANAGEMENT_SOCKET_BINDING = new SimpleAttributeDefinitionBuilder(Constants.MANAGEMENT_SOCKET_BINDING, ModelType.STRING)

diff --git a/undertow/src/main/java/org/wildfly/extension/undertow/handlers/ReverseProxyHandlerHost.java b/undertow/src/main/java/org/wildfly/extension/undertow/handlers/ReverseProxyHandlerHost.java
@@ -57,7 +57,6 @@
 import org.wildfly.extension.undertow.UndertowExtension;
 import org.wildfly.extension.undertow.UndertowService;
 import org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler;
-import org.wildfly.extension.undertow.filters.ModClusterDefinition;
 import org.xnio.OptionMap;
 import org.xnio.Options;
 import org.xnio.Xnio;
@@ -75,6 +74,9 @@
  */
 public class ReverseProxyHandlerHost extends PersistentResourceDefinition {
 
+    private static final String REVERSE_PROXY_HANDLER_HOST_CAPABILITY_NAME = "org.wildfly.undertow.reverse-proxy.host";
+    private static final String SSL_CONTEXT_CAPABILITY = "org.wildfly.security.ssl-context";
+
     public static final ReverseProxyHandlerHost INSTANCE = new ReverseProxyHandlerHost();
 
     public static final ServiceName SERVICE_NAME = UndertowService.HANDLER.append("reverse-proxy", "host");
@@ -103,7 +105,15 @@ public class ReverseProxyHandlerHost extends PersistentResourceDefinition {
             .setAllowExpression(true)
             .build();
 
+    public static final SimpleAttributeDefinition SSL_CONTEXT = new SimpleAttributeDefinitionBuilder(Constants.SSL_CONTEXT, ModelType.STRING, true)
+            .setAlternatives(Constants.SECURITY_REALM)
+            .setCapabilityReference(SSL_CONTEXT_CAPABILITY, REVERSE_PROXY_HANDLER_HOST_CAPABILITY_NAME, true)
+            .setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
+            .setValidator(new StringLengthValidator(1))
+            .build();
+
     public static final SimpleAttributeDefinition SECURITY_REALM = new SimpleAttributeDefinitionBuilder(Constants.SECURITY_REALM, ModelType.STRING)
+            .setAlternatives(Constants.SSL_CONTEXT)
             .setAllowNull(true)
             .setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
             .setValidator(new StringLengthValidator(1))
@@ -116,7 +126,7 @@ private ReverseProxyHandlerHost() {
 
     @Override
     public Collection<AttributeDefinition> getAttributes() {
-        return Arrays.asList(OUTBOUND_SOCKET_BINDING, SCHEME, INSTANCE_ID, PATH, SECURITY_REALM);
+        return Arrays.asList(OUTBOUND_SOCKET_BINDING, SCHEME, INSTANCE_ID, PATH, SSL_CONTEXT, SECURITY_REALM);
     }
 
 
@@ -154,7 +164,8 @@ protected void performRuntime(OperationContext context, ModelNode operation, Mod
             final String scheme = SCHEME.resolveModelAttribute(context, model).asString();
             final String path = PATH.resolveModelAttribute(context, model).asString();
             final String jvmRoute;
-            final ModelNode securityRealm = ModClusterDefinition.SECURITY_REALM.resolveModelAttribute(context, model);
+            final ModelNode securityRealm = SECURITY_REALM.resolveModelAttribute(context, model);
+            final ModelNode sslContext = SSL_CONTEXT.resolveModelAttribute(context, model);
             if (model.hasDefined(Constants.INSTANCE_ID)) {
                 jvmRoute = INSTANCE_ID.resolveModelAttribute(context, model).asString();
             } else {
@@ -165,6 +176,11 @@ protected void performRuntime(OperationContext context, ModelNode operation, Mod
                     .addDependency(UndertowService.HANDLER.append(proxyName), HttpHandler.class, service.proxyHandler)
                     .addDependency(OutboundSocketBinding.OUTBOUND_SOCKET_BINDING_BASE_SERVICE_NAME.append(socketBinding), OutboundSocketBinding.class, service.socketBinding);
 
+            if (sslContext.isDefined()) {
+                builder.addDependency(
+                        context.getCapabilityServiceName(SSL_CONTEXT_CAPABILITY, sslContext.asString(), SSLContext.class),
+                        SSLContext.class, service.sslContext);
+            }
             if(securityRealm.isDefined()) {
                 SecurityRealm.ServiceUtil.addDependency(builder, service.securityRealm, securityRealm.asString(), false);
             }
@@ -178,6 +194,7 @@ private static final class ReverseProxyHostService implements Service<ReversePro
         private final InjectedValue<HttpHandler> proxyHandler = new InjectedValue<>();
         private final InjectedValue<OutboundSocketBinding> socketBinding = new InjectedValue<>();
         private final InjectedValue<SecurityRealm> securityRealm = new InjectedValue<>();
+        private final InjectedValue<SSLContext> sslContext = new InjectedValue<>();
 
         private final String instanceId;
         private final String scheme;
@@ -200,11 +217,17 @@ public void start(StartContext startContext) throws StartException {
 
             final LoadBalancingProxyClient client = (LoadBalancingProxyClient) proxyHandler.getProxyClient();
             try {
-                if (securityRealm.getOptionalValue() == null) {
+                SSLContext sslContext = this.sslContext.getOptionalValue();
+                if (sslContext == null) {
+                    SecurityRealm securityRealm = this.securityRealm.getOptionalValue();
+                    if (securityRealm != null) {
+                        sslContext = securityRealm.getSSLContext();
+                    }
+                }
+
+                if (sslContext == null) {
                     client.addHost(getUri(), instanceId);
                 } else {
-
-                    SSLContext sslContext = securityRealm.getOptionalValue().getSSLContext();
                     OptionMap.Builder builder = OptionMap.builder();
                     builder.set(Options.USE_DIRECT_BUFFERS, true);
                     OptionMap combined = builder.getMap();

diff --git a/undertow/src/main/resources/org/wildfly/extension/undertow/LocalDescriptions.properties b/undertow/src/main/resources/org/wildfly/extension/undertow/LocalDescriptions.properties
@@ -282,7 +282,8 @@ undertow.handler.reverse-proxy.connection-idle-timeout=The amount of time a conn
 undertow.handler.reverse-proxy.host.add=Adds a reverse proxy handler host
 undertow.handler.reverse-proxy.host.remove=Removes a reverse proxy handler host
 undertow.handler.reverse-proxy.host.security-realm=The security realm that provides the SSL configuration for the connection to the host
-
+undertow.handler.reverse-proxy.host.ssl-context=Reference to the SSLContext to be used by this handler.
+undertow.handler.reverse-proxy.host.security-realm.deprecated=Use the ssl-context attribute to reference a configured SSLContext directly.
 
 undertow.filter.basic-auth=Basic auth configuration
 undertow.filter.basic-auth.add=Add basic auth

diff --git a/undertow/src/main/resources/schema/wildfly-undertow_4_0.xsd b/undertow/src/main/resources/schema/wildfly-undertow_4_0.xsd
@@ -466,6 +466,7 @@
         <xs:attribute name="scheme" use="optional" type="xs:string" default="http"/>
         <xs:attribute name="path" use="optional" type="xs:string" default=""/>
         <xs:attribute name="instance-id" use="optional" type="xs:string"/>
+        <xs:attribute name="ssl-context" type="xs:string" />
         <xs:attribute name="security-realm" type="xs:string" use="optional" />
     </xs:complexType>
 

diff --git a/undertow/src/test/resources/org/wildfly/extension/undertow/undertow-4.0.xml b/undertow/src/test/resources/org/wildfly/extension/undertow/undertow-4.0.xml
@@ -103,7 +103,7 @@
         <file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true" case-sensitive="false" follow-symlink="true" safe-symlink-paths="/path/to/folder /second/path"/>
         <reverse-proxy connection-idle-timeout="60"
                        connections-per-thread="30" name="reverse-proxy">
-            <host name="localhost" scheme="ajp" outbound-socket-binding="ajp-remote" instance-id="myRoute" path="/test" security-realm="foo"/>
+            <host name="localhost" scheme="ajp" outbound-socket-binding="ajp-remote" instance-id="myRoute" path="/test" ssl-context="foo"/>
             <!-- ajp://localhost:8080 -->
         </reverse-proxy>
     </handlers>