--- a/project/build.scala Thu Apr 05 15:38:42 2012 +0200
+++ b/project/build.scala Mon Apr 09 13:33:46 2012 +0200
@@ -40,6 +40,7 @@
val aalto_xml = "com.fasterxml" % "aalto-xml" % "0.9.7"
// val akka_remote = "com.typesafe.akka" % "akka-remote" % "2.0-M3"
// val finagle_http = "com.twitter" %% "finagle-http" % "1.9.12"
+ val subcut = "org.scala-tools.subcut" %% "subcut" % "1.0"
}
// some usefull repositories
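Review bot: The new `subcut` coordinate pins `org.scala-tools.subcut %% subcut % 1.0`, but nothing else in this diff references subcut (the same addition appears in the dependency list in the next hunk); if it is groundwork for a later change, a one-line comment next to it, e.g. `// dependency injection, not yet wired in`, would keep it from reading as dead weight alongside the commented-out `akka_remote`/`finagle_http` lines above it. I cannot see the rest of the build file, so a use elsewhere is possible. Unrelated, the context comment misspells "useful".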
@@ -115,6 +116,7 @@
jena, arq, rdfa,
grizzled,
scalaz,
+ subcut,
jsslutils,
argot,
guava,
--- a/src/main/scala/GraphCache.scala Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/GraphCache.scala Mon Apr 09 13:33:46 2012 +0200
@@ -32,6 +32,9 @@
import com.google.common.cache.{LoadingCache, CacheLoader, CacheBuilder, Cache}
import java.io.{File, FileOutputStream}
import com.weiglewilczek.slf4s.Logging
+import javax.net.ssl.SSLContext
+import org.apache.http.conn.ssl.SSLSocketFactory
+import org.apache.http.conn.scheme.Scheme
/**
@@ -66,7 +69,20 @@
client.getParams.setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 3000)
client.getParams.setParameter(CoreConnectionPNames.SO_TIMEOUT, 15000)
}
-
+
+ val sslClientSecure = Option(System.getProperty("rww.clientTLSsecurity")).map{
+ case "secure" => true
+ case _ => false
+ }.getOrElse(false)
+
+
+ if (!sslClientSecure) {
+ val ssl = SSLContext.getInstance("TLS");
+ val sf = new SSLSocketFactory(ssl, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+ val scheme = new Scheme("https", 443, sf);
+ http.client.getConnectionManager().getSchemeRegistry().register(scheme);
+ }
+
def basePath = null //should be cache dir?
def sanityCheck() = true //cache dire exists? But is this needed for functioning?
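Review bot: `getOrElse(false)` on the `sslClientSecure` line makes the relaxed path the default: when `rww.clientTLSsecurity` is unset the client registers an https scheme with `ALLOW_ALL_HOSTNAME_VERIFIER` without anyone having asked for it. Fail closed instead, `val sslClientSecure = Option(System.getProperty("rww.clientTLSsecurity")).forall(_ != "insecure")`, so only an explicit `insecure` relaxes verification. The `SSLContext` obtained with `getInstance("TLS")` is never `init`ed; with SunJSSE, `getSocketFactory` on an uninitialised context throws `IllegalStateException`, and as far as I recall the `SSLSocketFactory(SSLContext, X509HostnameVerifier)` constructor calls it, so this branch likely fails at startup rather than merely weakening checks — worth confirming against the HttpClient version in use. Note also that `ALLOW_ALL_HOSTNAME_VERIFIER` only disables hostname matching and does not relax CA-chain validation, which is what the `--clientTLS insecure` help text promises, so a comment stating exactly what the relaxed mode does would help. The enclosing object starts and ends outside the hunk, and the trailing semicolons are not the file's style.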
--- a/src/main/scala/ReadWriteWebMain.scala Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/ReadWriteWebMain.scala Mon Apr 09 13:33:46 2012 +0200
@@ -1,6 +1,5 @@
package org.w3.readwriteweb
-import auth.X509CertSigner._
import auth.{X509CertSigner, RDFAuthZ, X509view}
import org.w3.readwriteweb.util._
@@ -11,11 +10,8 @@
import org.clapper.argot._
import ArgotConverters._
import javax.servlet.http.{HttpServletResponse, HttpServletRequest}
-import com.weiglewilczek.slf4s.Logging
-import java.lang.{Class, String}
-import java.net.InetAddress
-import java.io.{FileDescriptor, File}
-import java.security.{Permission, KeyStore}
+import java.lang.String
+import java.io.File
trait ReadWriteWebArgs {
val logger: Logger = LoggerFactory.getLogger(this.getClass)
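Review bot: `import java.lang.String` in the new import block is redundant, since `String` is already in scope through `java.lang`/`Predef`; drop the line. The hunk also removes the `com.weiglewilczek.slf4s.Logging` import while the context line `val logger: Logger = LoggerFactory.getLogger(this.getClass)` uses slf4j names directly — where `Logger` and `LoggerFactory` are imported is not visible in this hunk, so presumably an earlier import covers them; verify it compiles. The `ReadWriteWebArgs` trait body continues outside the hunk.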
@@ -30,14 +26,25 @@
|PROPERTIES
|
| * Keystore properties that need to be set if https is started
- | -Djetty.ssl.keyStoreType=type : the type of the keystore, JKS by default usually
- | -Djetty.ssl.keyStore=path : specify path to key store (for https server certificate)
- | -Djetty.ssl.keyStorePassword=password : specify password for keystore store (optional)
+ | -Dnetty.ssl.keyStoreType=type : the type of the keystore, JKS by default usually
+ | -Dnetty.ssl.keyStore=path : specify path to key store (for https server certificate)
+ | -Dnetty.ssl.keyStorePassword=password : specify password for keystore store (optional)
+ | (for jetty, replace "netty" with "jetty")
+ |
+ | * application arguments:
+ | --http start server as plain http server
+ | --https start server as in secured mode using https (TLS)
+ | --language [turtle, rdfxml] save RDF in one of the given formats on disk
+ | --clientTLS [secure, insecure] client connections abide by CA verification
+ | * secure : if server certificate is not signed by well known CA don't accept
+ | * insecure: if the server certificate is not signed by well known CA ignore and continue
+ | * [todo: add more flexible server certificate verification mechanisms]
|
|NOTES
|
| - Trust stores are not needed because we use the WebID protocol, and client certs are nearly never signed by CAs
| - one of --http or --https must be selected
+ |
""".stripMargin);
val parser = new ArgotParser("read-write-web",postUsage=postUsageMsg)
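Review bot: The new `--http` and `--https` help lines omit the value they take, although both are registered as `parser.option[Int]` with a port value name in the option hunk below; `| --http port   start the http server on port` and `| --https port  start the https server on port` would match the parser. The `--clientTLS` lines describe `insecure` as ignoring the CA signature of the server certificate; that is a promise the GraphCache change does not obviously keep (it swaps the hostname verifier only), so either the text or the code should be aligned. The enclosing string literal and trait continue outside the hunk.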
@@ -61,8 +68,24 @@
}
}
- val httpPort = parser.option[Int]("http", "Port","start the http server on port")
- val httpsPort = parser.option[Int]("https","port","start the https server on port")
+ val clientTLSsecurity = parser.option[Boolean](List("clientTLS"),"c","client TLS connection security level") {
+ (sValue, opt) =>
+ sValue match {
+ case "insecure" => {
+ //todo: work with system property as a hack for the moment, as passing around conexts is going to require
+ // a lot of rewriting
+ System.setProperty("rww.clientTLSsecurity","insecure")
+ false
+ }
+ case _ => {
+ System.setProperty("rww.clientTLSsecurity","secure")
+ true
+ }
+ }
+ }
+
+ val httpPort = parser.option[Int]("http", "Port","start the http server on port")
+ val httpsPort = parser.option[Int]("https","port","start the https server on port")
val rootDirectory = parser.parameter[File]("rootDirectory", "root directory", false) {
(sValue, opt) => {
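Review bot: The `case _ =>` arm of the new `clientTLSsecurity` conversion silently maps any unrecognised value (a typo such as `--clientTLS insecur`) to the secure setting, and the parse-time side effect sets `rww.clientTLSsecurity` only when the flag is present, so an absent flag leaves the property unset and the consumer's default decides. Better to accept only the two documented values and reject everything else at parse time: `case "secure" => { System.setProperty("rww.clientTLSsecurity","secure"); true }` and `case other => throw new ArgotConversionException("unknown --clientTLS value: " + other)`, which Argot reports as a usage error. Setting a system property inside an option converter is already marked as a hack in the todo comment; a short note naming the consumer (GraphCache) would help the next reader find the other half. The `rootDirectory` parameter definition at the end continues outside the hunk, and the value name `"Port"` differs in case from `"port"` on the next line.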
--- a/src/main/scala/auth/WebIdClaim.scala Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/auth/WebIdClaim.scala Mon Apr 09 13:33:46 2012 +0200
@@ -28,12 +28,12 @@
import Scalaz._
import java.security.PublicKey
import com.hp.hpl.jena.rdf.model.Model
-import java.net.URL
import com.hp.hpl.jena.query._
import java.math.BigInteger
import com.hp.hpl.jena.datatypes.xsd.XSDDatatype
+import scalaz.{Failure, Validation}
import org.w3.readwriteweb.CacheControl
-import scalaz.{Failure, Validation}
+import java.net.URL
/**
@@ -69,7 +69,6 @@
class WebIDClaim(val san: String, val key: PublicKey) {
import WebIDClaim._
- import XSDDatatype._
private def rsaTest(webid: WebID, rsakey: RSAPublicKey): (Model) => Validation[WebIDVerificationFailure, WebID] = {
model =>
--- a/src/main/scala/netty/ReadWriteWebNetty.scala Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/netty/ReadWriteWebNetty.scala Mon Apr 09 13:33:46 2012 +0200
@@ -117,10 +117,7 @@
} catch {
case _ => NotFound
}
-
}
-
-
}
object publicStatic extends cycle.Plan with cycle.ThreadPool with ServerErrorResponse with StaticFiles {