blob: 1cd8749ac0397d67d0163c4c3a2b34d67ce1f281 [file] [log] [blame]
* @(#) $Id$
* Copyright 2004 The Apache Software Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* See the License for the specific language governing permissions and
* limitations under the License.
package org.apache.mina.filter;
import org.apache.mina.common.ByteBuffer;
import org.apache.mina.common.ByteBufferProxy;
import org.apache.mina.common.IoFilterAdapter;
import org.apache.mina.common.IoFilterChain;
import org.apache.mina.common.IoFuture;
import org.apache.mina.common.IoHandler;
import org.apache.mina.common.IoSession;
import org.apache.mina.common.WriteFuture;
import org.apache.mina.util.SessionLog;
* An SSL filter that encrypts and decrypts the data exchanged in the session.
* This filter uses an {@link SSLEngine} which was introduced in Java 5, so
* Java version 5 or above is mandatory to use this filter. And please note that
* this filter only works for TCP/IP connections.
* <p>
* This filter logs debug information using {@link SessionLog}.
* <h2>Implementing StartTLS</h2>
* <p>
* You can use {@link #DISABLE_ENCRYPTION_ONCE} attribute to implement StartTLS:
* <pre>
* public void messageReceived(IoSession session, Object message) {
* if (message instanceof MyStartTLSRequest) {
* // Insert SSLFilter to get ready for handshaking
* session.getFilterChain().addFirst(sslFilter);
* // Disable encryption temporarilly.
* // This attribute will be removed by SSLFilter
* // inside the Session.write() call below.
* session.setAttribute(SSLFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);
* // Write StartTLSResponse which won't be encrypted.
* session.write(new MyStartTLSResponse(OK));
* // Now DISABLE_ENCRYPTION_ONCE attribute is cleared.
* assert session.getAttribute(SSLFilter.DISABLE_ENCRYPTION_ONCE) == null;
* }
* }
* </pre>
* @author The Apache Directory Project (
* @version $Rev$, $Date$
public class SSLFilter extends IoFilterAdapter
* A session attribute key that stores underlying {@link SSLSession}
* for each session.
public static final String SSL_SESSION = SSLFilter.class.getName() + ".SSLSession";
* A session attribute key that makes next one write request bypass
* this filter (not encrypting the data). This is a marker attribute,
* which means that you can put whatever as its value. ({@link Boolean#TRUE}
* is preferred.) The attribute is automatically removed from the session
* attribute map as soon as {@link IoSession#write(Object)} is invoked,
* and therefore should be put again if you want to make more messages
* bypass this filter. This is especially useful when you implement
* StartTLS.
public static final String DISABLE_ENCRYPTION_ONCE = SSLFilter.class.getName() + ".DisableEncryptionOnce";
* A session attribute key that makes this filter to emit a
* {@link IoHandler#messageReceived(IoSession, Object)} event with a
* special message ({@link #SESSION_SECURED} or {@link #SESSION_UNSECURED}).
* This is a marker attribute, which means that you can put whatever as its
* value. ({@link Boolean#TRUE} is preferred.) By default, this filter
* doesn't emit any events related with SSL session flow control.
public static final String USE_NOTIFICATION = SSLFilter.class.getName() + ".UseNotification";
* A special message object which is emitted with a {@link IoHandler#messageReceived(IoSession, Object)}
* event when the session is secured and its {@link #USE_NOTIFICATION}
* attribute is set.
public static final SSLFilterMessage SESSION_SECURED = new SSLFilterMessage( "SESSION_SECURED" );
* A special message object which is emitted with a {@link IoHandler#messageReceived(IoSession, Object)}
* event when the session is not secure anymore and its {@link #USE_NOTIFICATION}
* attribute is set.
public static final SSLFilterMessage SESSION_UNSECURED = new SSLFilterMessage( "SESSION_UNSECURED" );
private static final String NEXT_FILTER = SSLFilter.class.getName() + ".NextFilter";
private static final String SSL_HANDLER = SSLFilter.class.getName() + ".SSLHandler";
// SSL Context
private SSLContext sslContext;
private boolean client;
private boolean needClientAuth;
private boolean wantClientAuth;
private String[] enabledCipherSuites;
private String[] enabledProtocols;
* Creates a new SSL filter using the specified {@link SSLContext}.
public SSLFilter( SSLContext sslContext )
if( sslContext == null )
throw new NullPointerException( "sslContext" );
this.sslContext = sslContext;
* Returns the underlying {@link SSLSession} for the specified session.
* @return <tt>null</tt> if no {@link SSLSession} is initialized yet.
public SSLSession getSSLSession( IoSession session )
return ( SSLSession ) session.getAttribute( SSL_SESSION );
* (Re)starts SSL session for the specified <tt>session</tt> if not started yet.
* Please note that SSL session is automatically started by default, and therefore
* you don't need to call this method unless you've used TLS closure.
* @return <tt>true</tt> if the SSL session has been started, <tt>false</tt> if already started.
* @throws SSLException if failed to start the SSL session
public boolean startSSL( IoSession session ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
synchronized( handler )
if( handler.isOutboundDone() )
NextFilter nextFilter = ( NextFilter ) session.getAttribute( NEXT_FILTER );
handler.handshake( nextFilter );
return true;
return false;
* Returns <tt>true</tt> if and only if the specified <tt>session</tt> is
* encrypted/decrypted over SSL/TLS currently. This method will start
* to retun <tt>false</tt> after TLS <tt>close_notify</tt> message
* is sent and any messages written after then is not goinf to get encrypted.
public boolean isSSLStarted( IoSession session )
SSLHandler handler = getSSLSessionHandler( session );
synchronized( handler )
return !handler.isOutboundDone();
* Stops the SSL session by sending TLS <tt>close_notify</tt> message to
* initiate TLS closure.
* @param session the {@link IoSession} to initiate TLS closure
* @throws SSLException if failed to initiate TLS closure
* @throws IllegalArgumentException if this filter is not managing the specified session
public WriteFuture stopSSL( IoSession session ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
NextFilter nextFilter = ( NextFilter ) session.getAttribute( NEXT_FILTER );
synchronized( handler )
return initiateClosure( nextFilter, session );
* Returns <tt>true</tt> if the engine is set to use client mode
* when handshaking.
public boolean isUseClientMode()
return client;
* Configures the engine to use client (or server) mode when handshaking.
public void setUseClientMode( boolean clientMode )
this.client = clientMode;
* Returns <tt>true</tt> if the engine will <em>require</em> client authentication.
* This option is only useful to engines in the server mode.
public boolean isNeedClientAuth()
return needClientAuth;
* Configures the engine to <em>require</em> client authentication.
* This option is only useful for engines in the server mode.
public void setNeedClientAuth( boolean needClientAuth )
this.needClientAuth = needClientAuth;
* Returns <tt>true</tt> if the engine will <em>request</em> client authentication.
* This option is only useful to engines in the server mode.
public boolean isWantClientAuth()
return wantClientAuth;
* Configures the engine to <em>request</em> client authentication.
* This option is only useful for engines in the server mode.
public void setWantClientAuth( boolean wantClientAuth )
this.wantClientAuth = wantClientAuth;
* Returns the list of cipher suites to be enabled when {@link SSLEngine}
* is initialized.
* @return <tt>null</tt> means 'use {@link SSLEngine}'s default.'
public String[] getEnabledCipherSuites()
return enabledCipherSuites;
* Sets the list of cipher suites to be enabled when {@link SSLEngine}
* is initialized.
* @param cipherSuites <tt>null</tt> means 'use {@link SSLEngine}'s default.'
public void setEnabledCipherSuites( String[] cipherSuites )
this.enabledCipherSuites = cipherSuites;
* Returns the list of protocols to be enabled when {@link SSLEngine}
* is initialized.
* @return <tt>null</tt> means 'use {@link SSLEngine}'s default.'
public String[] getEnabledProtocols()
return enabledProtocols;
* Sets the list of protocols to be enabled when {@link SSLEngine}
* is initialized.
* @param protocols <tt>null</tt> means 'use {@link SSLEngine}'s default.'
public void setEnabledProtocols( String[] protocols )
this.enabledProtocols = protocols;
public void onPreAdd( IoFilterChain parent, String name, NextFilter nextFilter ) throws SSLException
if( parent.contains( SSLFilter.class ) )
throw new IllegalStateException( "A filter chain cannot contain more than one SSLFilter." );
public void onPostAdd( IoFilterChain parent, String name, NextFilter nextFilter ) throws SSLException
IoSession session = parent.getSession();
session.setAttribute( NEXT_FILTER, nextFilter );
// Create an SSL handler and start handshake.
SSLHandler handler =
new SSLHandler( this, sslContext, session );
session.setAttribute( SSL_HANDLER, handler );
handler.handshake( nextFilter );
public void onPreRemove( IoFilterChain parent, String name, NextFilter nextFilter ) throws SSLException
IoSession session = parent.getSession();
stopSSL( session );
session.removeAttribute( NEXT_FILTER );
session.removeAttribute( SSL_HANDLER );
// IoFilter impl.
public void sessionClosed( NextFilter nextFilter, IoSession session ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
synchronized( handler )
if( isSSLStarted( session ) )
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " Closed: " + getSSLSessionHandler( session ) );
// release resources
// notify closed session
nextFilter.sessionClosed( session );
public void messageReceived( NextFilter nextFilter, IoSession session,
Object message ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
synchronized( handler )
if( !isSSLStarted( session ) )
if( handler.isInboundDone() )
nextFilter.messageReceived( session, message );
ByteBuffer buf = ( ByteBuffer ) message;
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " Data Read: " + handler + " (" + buf+ ')' );
// forward read encrypted data to SSL handler
handler.messageReceived( nextFilter, buf.buf() );
// Handle data to be forwarded to application or written to net
handleSSLData( nextFilter, handler );
if( handler.isInboundDone() )
if( handler.isOutboundDone() )
if( SessionLog.isDebugEnabled( session ) )
session, " SSL Session closed." );
initiateClosure( nextFilter, session );
if( buf.hasRemaining() )
nextFilter.messageReceived( session, buf );
catch( SSLException ssle )
if( !handler.isInitialHandshakeComplete() )
SSLException newSSLE = new SSLHandshakeException(
"Initial SSL handshake failed." );
newSSLE.initCause( ssle );
ssle = newSSLE;
throw ssle;
public void messageSent( NextFilter nextFilter, IoSession session,
Object message )
if( message instanceof EncryptedBuffer )
EncryptedBuffer buf = ( EncryptedBuffer ) message;
nextFilter.messageSent( session, buf.originalBuffer );
// ignore extra buffers used for handshaking
public void filterWrite( NextFilter nextFilter, IoSession session, WriteRequest writeRequest ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
synchronized( handler )
if( !isSSLStarted( session ) )
nextFilter.filterWrite( session, writeRequest );
// Don't encrypt the data if encryption is disabled.
if( session.containsAttribute( DISABLE_ENCRYPTION_ONCE ) )
// Remove the marker attribute because it is temporary.
session.removeAttribute( DISABLE_ENCRYPTION_ONCE );
nextFilter.filterWrite( session, writeRequest );
// Otherwise, encrypt the buffer.
ByteBuffer buf = ( ByteBuffer ) writeRequest.getMessage();
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " Filtered Write: " + handler );
if( handler.isWritingEncryptedData() )
// data already encrypted; simply return buffer
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " already encrypted: " + buf );
nextFilter.filterWrite( session, writeRequest );
if( handler.isInitialHandshakeComplete() )
// SSL encrypt
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " encrypt: " + buf );
int pos = buf.position();
handler.encrypt( buf.buf() );
buf.position( pos );
ByteBuffer encryptedBuffer = new EncryptedBuffer(
SSLHandler.copy( handler.getOutNetBuffer() ), buf );
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " encrypted buf: " + encryptedBuffer);
nextFilter.filterWrite( session, new WriteRequest( encryptedBuffer, writeRequest.getFuture() ) );
if( !session.isConnected() )
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " Write request on closed session." );
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " Handshaking is not complete yet. Buffering write request." );
handler.scheduleWrite( nextFilter, writeRequest );
public void filterClose( final NextFilter nextFilter, final IoSession session ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
WriteFuture future = null;
synchronized( handler )
if( isSSLStarted( session ) )
future = initiateClosure( nextFilter, session );
if( future == null )
nextFilter.filterClose( session );
future.setCallback( new IoFuture.Callback()
public void operationComplete( IoFuture future )
nextFilter.filterClose( session );
private WriteFuture initiateClosure( NextFilter nextFilter, IoSession session ) throws SSLException
SSLHandler handler = getSSLSessionHandler( session );
// if already shut down
if( !handler.closeOutbound() )
return WriteFuture.newNotWrittenFuture();
// there might be data to write out here?
WriteFuture future = handler.writeNetBuffer( nextFilter );
if( handler.isInboundDone() )
if( session.containsAttribute( USE_NOTIFICATION ) )
nextFilter.messageReceived( session, SESSION_UNSECURED );
return future;
// Utiliities
private void handleSSLData( NextFilter nextFilter, SSLHandler handler ) throws SSLException
// Flush any buffered write requests occurred before handshaking.
if( handler.isInitialHandshakeComplete() )
// Write encrypted data to be written (if any)
handler.writeNetBuffer( nextFilter );
// handle app. data read (if any)
handleAppDataRead( nextFilter, handler );
private void handleAppDataRead( NextFilter nextFilter, SSLHandler handler )
IoSession session = handler.getSession();
if( !handler.getAppBuffer().hasRemaining() )
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " appBuffer: " + handler.getAppBuffer() );
// forward read app data
ByteBuffer readBuffer = SSLHandler.copy( handler.getAppBuffer() );
if( SessionLog.isDebugEnabled( session ) )
SessionLog.debug( session, " app data read: " + readBuffer + " (" + readBuffer.getHexDump() + ')' );
nextFilter.messageReceived( session, readBuffer );
private SSLHandler getSSLSessionHandler( IoSession session )
SSLHandler handler = ( SSLHandler ) session.getAttribute( SSL_HANDLER );
if( handler == null )
throw new IllegalStateException();
if( handler.getParent() != this )
throw new IllegalArgumentException( "Not managed by this filter." );
return handler;
* A message that is sent from {@link SSLFilter} when the connection became
* secure or is not secure anymore.
* @author The Apache Directory Project (
* @version $Rev$, $Date$
public static class SSLFilterMessage
private final String name;
private SSLFilterMessage( String name )
{ = name;
public String toString()
return name;
private static class EncryptedBuffer extends ByteBufferProxy
private final ByteBuffer originalBuffer;
private EncryptedBuffer( ByteBuffer buf, ByteBuffer originalBuffer )
super( buf );
this.originalBuffer = originalBuffer;