javatomcatajptomcat8.5

Misssing ServerSocketFactory in tomcat 8.5


As per the below link

https://github.com/spring-projects/spring-boot/issues/6164, the following features are removed from tomcat 8.5

a) Class org.apache.tomcat.util.net.ServerSocketFactory no longer exists

b) Class org.apache.tomcat.util.net.jsse.JSSESocketFactory no longer exists

c) Method JSSEImplementaton.getServerSockerFactory(AbstractEndpoint) no longer exists

d) Method JSSEImplementaton.getSSLUtil(AbstractEndpoint) no longer exists

These make our upgrade from tomcat 8.0 to tomcat 8.5.x difficult.

We have two requirements

  1. Tomcat AJP protocol receives encrypted content coming from the HTTP server and gives an encrypted response. This was possible with tomcat 8, by using custom classes implementing tomcat's ServerSocketFactory interface.
  2. Store certificates file for tomcat https in a custom keystore (an XML file)

How these can be achieved in tomcat 8.5? Any suggestions appreciated. (We were doing it in Tomcat 8 using custom SocketFcatory implementing tomcat's interface)


Solution

  • After the connector refactoring the JIoEndpoint that allowed to specify arbitrary ServerSocketFactory is no longer available.

    However the AJP connector is almost ready to accept SSL connections if you allow some changes to Tomcat's codebase: the AbstractAjpProtocol class just lacks an implementation of the addSslHostConfig and findSslHostConfigs or better it has implementations that don't store or return anything with a very explicit comment:

    SSL is not supported in AJP

    If you change them as in AbstractHttp11Protocol, you'll be able to configure an AJP connector the same way you configure a HTTP/1.1 connector:

    <Connector SSLEnabled="true" port="8009" protocol="AJP/1.3">
        <SSLHostConfig ...>
            <Certificate ... />
        </SSLHostConfig>
    </Connector>
    

    Regarding the certificate storage you can implement your own KeyStoreSpi and security provider and use:

    <Certificate certificateKeystoreProvider="your_provider"
                 certificateKeystoreType="your_type"
                 ... />