Add HTTP/2 support to Jetty

In addition to HTTP/1.1 also HTTP/2 is supported with and without TLS.

When using TLS also ALPN is supported which can upgrade an HTTP/1.1
request to an HTTP/2 request if the client supports it.

Furthermore, a new property 'scout.jetty.useTls' is introduced to enable
TLS without providing a path to a keystore. In this situation a new
self-signed in memory certificate is created on each server startup.
The creation of a self-signed certificate is only active in development.

359560

Author: mvilliger

org.eclipse.scout.dev.jetty/pom.xml

@@ -39,6 +39,15 @@
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-plus</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.http2</groupId>
+      <artifactId>http2-server</artifactId>
+    </dependency>
+    <dependency>
+      <!-- alpn implementation, needed to enable HTTP/2 over TLS, see https://xy2401.com/local-docs/java/jetty.9.4.24.v20191120/alpn-chapter.html -->
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-alpn-java-server</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.eclipse.scout.rt</groupId>
       <artifactId>org.eclipse.scout.rt.platform</artifactId>

org.eclipse.scout.dev.jetty/src/main/java/org/eclipse/scout/dev/jetty/JettyConfiguration.java

@@ -9,8 +9,12 @@
  */
 package org.eclipse.scout.dev.jetty;
 
+import org.eclipse.scout.rt.platform.BEANS;
+import org.eclipse.scout.rt.platform.config.AbstractBooleanConfigProperty;
 import org.eclipse.scout.rt.platform.config.AbstractPortConfigProperty;
 import org.eclipse.scout.rt.platform.config.AbstractStringConfigProperty;
+import org.eclipse.scout.rt.platform.config.CONFIG;
+import org.eclipse.scout.rt.platform.util.StringUtility;
 
 public final class JettyConfiguration {
 
@@ -46,7 +50,31 @@ public String getKey() {
 
     @Override
     public String description() {
-      return "Setting this property enables the jetty https connector. For example 'file:/dev/my-https.jks'";
+      return "Setting this property enables the jetty https connector using this keystore. "
+          + "For example 'classpath:/dev/my-https.jks' or 'file:///C:/Users/usr/Desktop/my-store.jks' or 'C:/Users/usr/Desktop/my-store.jks'.";
+    }
+  }
+
+  /**
+   * @since 24.1
+   */
+  public static class ScoutJettyUseTlsProperty extends AbstractBooleanConfigProperty {
+
+    @Override
+    public String getKey() {
+      return "scout.jetty.useTls";
+    }
+
+    @Override
+    public String description() {
+      return "Specifies if the Jetty server should use TLS. If true, the server must either be started in development mode (then a new self-singed certificate is created automatically),"
+          + "or a Java KeyStore must be configured using property '" + BEANS.get(ScoutJettyKeyStorePathProperty.class).getKey() + "'."
+          + "By default this property is true, if a Java KeyStore has been specified.";
+    }
+
+    @Override
+    public Boolean getDefaultValue() {
+      return StringUtility.hasText(CONFIG.getPropertyValue(ScoutJettyKeyStorePathProperty.class));
     }
   }
 
@@ -61,10 +89,10 @@ public String getKey() {
 
     @Override
     public String description() {
-      return "Setting this property to a valid X-500 name will automatically generate a self-signed SSL certificate and store it in the keystore file path specified.\n"
-          + "This property is the X500 name (DN) for which the certificate is issued.\n"
+      return "Specifies the X-500 name to use in the self-signed certificate when starting Jetty in development mode with TLS enabled."
           + "For example 'CN=my-host.my-domain.com,C=US,ST=CA,L=Sunnyvale,O=My Company Inc.'.\n"
-          + "Use in development only!";
+          + "This property is only used in development mode and only if the property '" + BEANS.get(ScoutJettyUseTlsProperty.class).getKey() + "' is true "
+          + "and no existing Java keystore is specified (property '" + BEANS.get(ScoutJettyKeyStorePathProperty.class).getKey() + "').";
     }
   }
 
@@ -94,7 +122,7 @@ public String getKey() {
 
     @Override
     public String description() {
-      return "Https private key password. Supports obfuscated values prefixed with 'OBF:'.";
+      return "The password (if any) for the specific key within the key store. Supports obfuscated values prefixed with 'OBF:'.";
     }
   }
 
@@ -109,7 +137,7 @@ public String getKey() {
 
     @Override
     public String description() {
-      return "Https certificate alias in keystore.";
+      return "Https certificate alias of the key in the keystore to use.";
     }
   }
 }

org.eclipse.scout.dev.jetty/src/main/java/org/eclipse/scout/dev/jetty/JettyServer.java

@@ -14,9 +14,13 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.net.MalformedURLException;
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.security.KeyStore;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
@@ -31,7 +35,9 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
+import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
+import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -50,9 +56,12 @@
 import org.eclipse.scout.dev.jetty.JettyConfiguration.ScoutJettyKeyStorePasswordProperty;
 import org.eclipse.scout.dev.jetty.JettyConfiguration.ScoutJettyKeyStorePathProperty;
 import org.eclipse.scout.dev.jetty.JettyConfiguration.ScoutJettyPrivateKeyPasswordProperty;
+import org.eclipse.scout.dev.jetty.JettyConfiguration.ScoutJettyUseTlsProperty;
 import org.eclipse.scout.rt.platform.BEANS;
+import org.eclipse.scout.rt.platform.Platform;
 import org.eclipse.scout.rt.platform.config.CONFIG;
 import org.eclipse.scout.rt.platform.config.PlatformConfigProperties.PlatformDevModeProperty;
+import org.eclipse.scout.rt.platform.config.PropertiesHelper;
 import org.eclipse.scout.rt.platform.exception.PlatformException;
 import org.eclipse.scout.rt.platform.exception.ProcessingException;
 import org.eclipse.scout.rt.platform.security.ICertificateProvider;
@@ -111,7 +120,7 @@ protected String getContextPath() {
   }
 
   protected boolean isUseTls() {
-    return CONFIG.getPropertyValue(ScoutJettyKeyStorePathProperty.class) != null;
+    return CONFIG.getPropertyValue(ScoutJettyUseTlsProperty.class);
   }
 
   protected void startInternal() throws Exception {
@@ -233,7 +242,8 @@ protected ServerConnector createHttpServerConnector(int port) {
     HttpConfiguration httpConfig = new HttpConfiguration();
     httpConfig.setSendServerVersion(false);
     httpConfig.setSendDateHeader(false);
-    ServerConnector http = new ServerConnector(m_server, new HttpConnectionFactory(httpConfig));
+    httpConfig.setSendXPoweredBy(false);
+    ServerConnector http = new ServerConnector(m_server, new HttpConnectionFactory(httpConfig), new HTTP2CServerConnectionFactory(httpConfig));
     http.setPort(port);
     return http;
   }
@@ -244,25 +254,59 @@ protected ServerConnector createHttpsServerConnector(int port) {
     httpsConfig.addCustomizer(new SecureRequestCustomizer());
     httpsConfig.setSendServerVersion(false);
     httpsConfig.setSendDateHeader(false);
-    ServerConnector https = new ServerConnector(m_server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig));
+    httpsConfig.setSendXPoweredBy(false);
+
+    HttpConnectionFactory http11 = new HttpConnectionFactory(httpsConfig);
+    HTTP2ServerConnectionFactory http2 = new HTTP2ServerConnectionFactory(httpsConfig);
+
+    ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
+    alpn.setDefaultProtocol(http11.getProtocol());
+
+    SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, alpn.getProtocol());
+    ServerConnector https = new ServerConnector(m_server, tls, alpn, http2, http11);
+
     https.setPort(port);
     return https;
   }
 
   protected SslContextFactory.Server createSslContextFactory() {
     SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
-    String keyStorePath = resolveKeyStorePath(CONFIG.getPropertyValue(ScoutJettyKeyStorePathProperty.class));
-    String autoCertName = CONFIG.getPropertyValue(ScoutJettyAutoCreateSelfSignedCertificateProperty.class);
-    String storepass = CONFIG.getPropertyValue(ScoutJettyKeyStorePasswordProperty.class);
-    String keypass = CONFIG.getPropertyValue(ScoutJettyPrivateKeyPasswordProperty.class);
+    Path keyStorePath = resolveKeyStorePath(CONFIG.getPropertyValue(ScoutJettyKeyStorePathProperty.class));
+    String keyStoreUri = keyStorePath == null ? null : keyStorePath.toUri().toString();
+    String storePass = ObjectUtility.nvl(CONFIG.getPropertyValue(ScoutJettyKeyStorePasswordProperty.class), "");
+    String keyPass = ObjectUtility.nvl(CONFIG.getPropertyValue(ScoutJettyPrivateKeyPasswordProperty.class), "");
     String certAlias = CONFIG.getPropertyValue(ScoutJettyCertificateAliasProperty.class);
-    if (autoCertName != null) {
-      BEANS.optional(ICertificateProvider.class).ifPresent(p -> p.autoCreateSelfSignedCertificate(keyStorePath, storepass.toCharArray(), keypass.toCharArray(), certAlias, autoCertName));
+
+    boolean keyStoreExists = keyStorePath != null && Files.isRegularFile(keyStorePath);
+    if (Platform.get().inDevelopmentMode() && !keyStoreExists) {
+      String autoCertNamePropValue = CONFIG.getPropertyValue(ScoutJettyAutoCreateSelfSignedCertificateProperty.class);
+      String autoCertName = StringUtility.hasText(autoCertNamePropValue) ? autoCertNamePropValue : "CN=localhost";
+      if (!StringUtility.hasText(certAlias)) {
+        certAlias = "localhost";
+      }
+
+      LOG.info("No existing keystore was provided to setup TLS. Creating a self-signed certificate '{}'.", autoCertName);
+      ICertificateProvider certificateProvider = BEANS.optional(ICertificateProvider.class)
+          .orElseThrow(() -> new PlatformException("No certificate-provider available to create a self-signed certificate to use for TLS."
+              + " Add a certificate-provider or specify an existing keystore using property '{}'.", BEANS.get(ScoutJettyKeyStorePathProperty.class).getKey()));
+      if (keyStorePath == null) {
+        // no path available: create in memory only
+        KeyStore ks = certificateProvider.createSelfSignedCertificate(certAlias, autoCertName, storePass.toCharArray(), keyPass.toCharArray());
+        sslContextFactory.setKeyStore(ks);
+      }
+      else {
+        // a non-existing key-store path was provided: create a new keystore file at that location
+        LOG.info("Storing created keystore in '{}'.", keyStoreUri);
+        certificateProvider.autoCreateSelfSignedCertificate(keyStoreUri, storePass.toCharArray(), keyPass.toCharArray(), certAlias, autoCertName);
+        sslContextFactory.setKeyStorePath(keyStoreUri);
+      }
+    }
+    else {
+      LOG.info("Setup TLS certificate using alias '{}' from keystore '{}'.", certAlias, keyStoreUri);
+      sslContextFactory.setKeyStorePath(keyStoreUri);
     }
-    LOG.info("Setup SSL certificate using alias '{}' from keystore '{}'.", certAlias, keyStorePath);
-    sslContextFactory.setKeyStorePath(keyStorePath);
-    sslContextFactory.setKeyStorePassword(storepass);
-    sslContextFactory.setKeyManagerPassword(keypass);
+    sslContextFactory.setKeyStorePassword(storePass);
+    sslContextFactory.setKeyManagerPassword(keyPass);
     sslContextFactory.setCertAlias(certAlias);
     sslContextFactory.setEndpointIdentificationAlgorithm("https");
     sslContextFactory.setIncludeCipherSuites(
@@ -291,25 +335,31 @@ protected SslContextFactory.Server createSslContextFactory() {
     return sslContextFactory;
   }
 
-  protected String resolveKeyStorePath(String path) {
-    if (path != null && path.startsWith("classpath:")) {
-      String subPath = path.substring(10);
-      URL res;
-      res = getClass().getResource(subPath);
+  protected Path resolveKeyStorePath(String path) {
+    if (!StringUtility.hasText(path)) {
+      return null;
+    }
+    if (path.startsWith(PropertiesHelper.CLASSPATH_PREFIX)) {
+      String subPath = path.substring(PropertiesHelper.CLASSPATH_PREFIX.length());
+      URL res = getClass().getResource(subPath);
       if (res == null) {
         res = getClass().getClassLoader().getResource(subPath);
       }
       if (res == null) {
         res = ClassLoader.getSystemClassLoader().getResource(subPath);
       }
       if (res == null) {
-        throw new ProcessingException("Missing resource defined by config property: {}={}",
-            BEANS.get(ScoutJettyKeyStorePathProperty.class).getKey(),
-            path);
+        throw new ProcessingException("Missing resource defined by config property: {}={}", BEANS.get(ScoutJettyKeyStorePathProperty.class).getKey(), path);
       }
-      return res.toExternalForm();
+      path = res.toExternalForm();
+    }
+    try {
+      return Paths.get(URI.create(path));
+    }
+    catch (Exception e) {
+      LOG.debug("Path '{}' is no valid URI. Trying to read as file path.", path, e);
+      return Paths.get(path);
     }
-    return path;
   }
 
   protected static class P_WebAppContext extends WebAppContext {
@@ -382,7 +432,7 @@ public Set<String> getResourcePaths(String path) {
    * redirected.
    * <p>
    * Example for contextPath = <code>/myapp</code>:
-   * <table border=1 cellspacing=0 cellpadding=3>
+   * <table border=1>
    * <tr>
    * <th>Request URI</th>
    * <th>Redirected to</th>

org.eclipse.scout.rt.platform.test/src/test/java/org/eclipse/scout/rt/platform/util/ConnectionErrorDetectorTest.java

@@ -9,6 +9,8 @@
  */
 package org.eclipse.scout.rt.platform.util;
 
+import static org.junit.Assert.assertEquals;
+
 import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.net.SocketException;
@@ -33,12 +35,14 @@ public class ConnectionErrorDetectorTest {
   @Parameters
   public static List<IScoutTestParameter> getParameters() {
     List<IScoutTestParameter> parametersList = new LinkedList<>();
+    parametersList.add(new ExceptionTestParameter(null, false));
     parametersList.add(new ExceptionTestParameter(new SocketException(CONNECTION_RESET_MESSAGE), true));
     parametersList.add(new ExceptionTestParameter(new SocketException(BROKEN_PIPE_MESSAGE), true));
     parametersList.add(new ExceptionTestParameter(new SocketException("unknown error"), false));
 
     parametersList.add(new ExceptionTestParameter(new EofException(CONNECTION_RESET_MESSAGE), true));
     parametersList.add(new ExceptionTestParameter(new EofException(BROKEN_PIPE_MESSAGE), true));
+    parametersList.add(new ExceptionTestParameter(new EofException("cancel_stream_error"), true));
     parametersList.add(new ExceptionTestParameter(new EofException("unknown error"), false));
 
     parametersList.add(new ExceptionTestParameter(new ClientAbortException(CONNECTION_RESET_MESSAGE), true));
@@ -50,6 +54,8 @@ public static List<IScoutTestParameter> getParameters() {
     parametersList.add(new ExceptionTestParameter(new InterruptedIOException("unknown error"), false));
 
     parametersList.add(new ExceptionTestParameter(new IOException(CONNECTION_RESET_MESSAGE), true));
+    parametersList.add(new ExceptionTestParameter(new IOException("Connection reset"), true));
+    parametersList.add(new ExceptionTestParameter(new IOException("An established connection was aborted by the software in your host machine"), true));
     parametersList.add(new ExceptionTestParameter(new IOException(BROKEN_PIPE_MESSAGE), true));
     parametersList.add(new ExceptionTestParameter(new IOException("unknown error"), false));
 
@@ -86,7 +92,7 @@ private static CycledCauseException createUndetectedCycledCauseException() {
     return cycledCauseException;
   }
 
-  private final ExceptionTestParameter m_testParameter;
+  public final ExceptionTestParameter m_testParameter;
 
   public ConnectionErrorDetectorTest(ExceptionTestParameter testParameter) {
     m_testParameter = testParameter;
@@ -95,12 +101,7 @@ public ConnectionErrorDetectorTest(ExceptionTestParameter testParameter) {
   @Test
   public void testIsConnectionError() {
     ConnectionErrorDetector connectionErrorDetector = BEANS.get(ConnectionErrorDetector.class);
-    if (m_testParameter.isDetectable()) {
-      Assert.assertTrue(connectionErrorDetector.isConnectionError(m_testParameter.getException()));
-    }
-    else {
-      Assert.assertFalse(connectionErrorDetector.isConnectionError(m_testParameter.getException()));
-    }
+    assertEquals(m_testParameter.isDetectable(), connectionErrorDetector.isConnectionError(m_testParameter.getException()));
   }
 
   private static class ClientAbortException extends IOException {
@@ -148,13 +149,13 @@ public synchronized Throwable getCause() {
     }
   }
 
-  private static class ExceptionTestParameter extends AbstractScoutTestParameter {
+  public static class ExceptionTestParameter extends AbstractScoutTestParameter {
 
     private Exception m_exception;
     private boolean m_isDetectable;
 
     public ExceptionTestParameter(Exception exception, boolean isDetectable) {
-      super(exception.getClass().getSimpleName() + ":" + exception.getMessage());
+      super(exception == null ? "null" : exception.getClass().getSimpleName() + ":" + exception.getMessage());
       m_exception = exception;
       m_isDetectable = isDetectable;
     }