) () -> supply());
+
+ private static final DefaultSslContextProvider DEFAULT_SSL_CONTEXT_PROVIDER = new DefaultSslContextProvider() {
+ @Override
+ public SSLContext getDefaultSslContext() {
+ return SslConfigurator.getDefaultContext();
+ }
+ };
+
+ /**
+ * Set the SSL context that will be used when creating secured transport connections
+ * to server endpoints from {@link WebTarget web targets} created by the client
+ * instance that is using this SSL context. The SSL context is expected to have all the
+ * security infrastructure initialized, including the key and trust managers.
+ *
+ * Setting a SSL context instance resets any {@link #keyStore(java.security.KeyStore, char[])
+ * key store} or {@link #trustStore(java.security.KeyStore) trust store} values previously
+ * specified.
+ *
+ *
+ * @param sslContext secure socket protocol implementation which acts as a factory
+ * for secure socket factories or {@link javax.net.ssl.SSLEngine
+ * SSL engines}. Must not be {@code null}.
+ * @return an updated ssl client context builder instance.
+ * @throws NullPointerException in case the {@code sslContext} parameter is {@code null}.
+ * @see #keyStore(java.security.KeyStore, char[])
+ * @see #keyStore(java.security.KeyStore, String)
+ * @see #trustStore
+ */
+ public SslContextClientBuilder sslContext(SSLContext sslContext) {
+ if (sslContext == null) {
+ throw new NullPointerException(LocalizationMessages.NULL_SSL_CONTEXT());
+ }
+ this.sslContext = sslContext;
+ sslConfigurator = null;
+ return this;
+ }
+
+ /**
+ * Set the client-side key store. Key store contains client's private keys, and the certificates with their
+ * corresponding public keys.
+ *
+ * Setting a key store instance resets any {@link #sslContext(javax.net.ssl.SSLContext) SSL context instance}
+ * value previously specified.
+ *
+ *
+ * Note that for improved security of working with password data and avoid storing passwords in Java string
+ * objects, the {@link #keyStore(java.security.KeyStore, char[])} version of the method can be utilized.
+ * Also note that a custom key store is only required if you want to enable a custom setup of a 2-way SSL
+ * connections (client certificate authentication).
+ *
+ *
+ * @param keyStore client-side key store. Must not be {@code null}.
+ * @param password client key password. Must not be {@code null}.
+ * @return an updated ssl client context builder instance.
+ * @throws NullPointerException in case any of the supplied parameters is {@code null}.
+ * @see #sslContext
+ * @see #keyStore(java.security.KeyStore, char[])
+ * @see #trustStore
+ */
+ public SslContextClientBuilder keyStore(KeyStore keyStore, char[] password) {
+ if (keyStore == null) {
+ throw new NullPointerException(LocalizationMessages.NULL_KEYSTORE());
+ }
+ if (password == null) {
+ throw new NullPointerException(LocalizationMessages.NULL_KEYSTORE_PASWORD());
+ }
+ if (sslConfigurator == null) {
+ sslConfigurator = SslConfigurator.newInstance();
+ }
+ sslConfigurator.keyStore(keyStore);
+ sslConfigurator.keyPassword(password);
+ sslContext = null;
+ return this;
+ }
+
+ /**
+ * Set the client-side trust store. Trust store is expected to contain certificates from other parties
+ * the client is you expect to communicate with, or from Certificate Authorities that are trusted to
+ * identify other parties.
+ *
+ * Setting a trust store instance resets any {@link #sslContext(javax.net.ssl.SSLContext) SSL context instance}
+ * value previously specified.
+ *
+ *
+ * In case a custom trust store or custom SSL context is not specified, the trust management will be
+ * configured to use the default Java runtime settings.
+ *
+ *
+ * @param trustStore client-side trust store. Must not be {@code null}.
+ * @return an updated ssl client context builder instance.
+ * @throws NullPointerException in case the supplied trust store parameter is {@code null}.
+ * @see #sslContext
+ * @see #keyStore(java.security.KeyStore, char[])
+ * @see #keyStore(java.security.KeyStore, String)
+ */
+ public SslContextClientBuilder trustStore(KeyStore trustStore) {
+ if (trustStore == null) {
+ throw new NullPointerException(LocalizationMessages.NULL_TRUSTSTORE());
+ }
+ if (sslConfigurator == null) {
+ sslConfigurator = SslConfigurator.newInstance();
+ }
+ sslConfigurator.trustStore(trustStore);
+ sslContext = null;
+ return this;
+ }
+
+ /**
+ * Set the client-side key store. Key store contains client's private keys, and the certificates with their
+ * corresponding public keys.
+ *
+ * Setting a key store instance resets any {@link #sslContext(javax.net.ssl.SSLContext) SSL context instance}
+ * value previously specified.
+ *
+ *
+ * Note that for improved security of working with password data and avoid storing passwords in Java string
+ * objects, the {@link #keyStore(java.security.KeyStore, char[])} version of the method can be utilized.
+ * Also note that a custom key store is only required if you want to enable a custom setup of a 2-way SSL
+ * connections (client certificate authentication).
+ *
+ *
+ * @param keyStore client-side key store. Must not be {@code null}.
+ * @param password client key password. Must not be {@code null}.
+ * @return an updated ssl client context builder instance.
+ * @throws NullPointerException in case any of the supplied parameters is {@code null}.
+ * @see #sslContext
+ * @see #keyStore(java.security.KeyStore, char[])
+ * @see #trustStore
+ */
+ public SslContextClientBuilder keyStore(final KeyStore keyStore, final String password) {
+ return keyStore(keyStore, password.toCharArray());
+ }
+
+ /**
+ * Get information about used {@link SSLContext}.
+ *
+ * @return {@code true} when used {@code SSLContext} is acquired from {@link SslConfigurator#getDefaultContext()},
+ * {@code false} otherwise.
+ */
+ public boolean isDefaultSslContext() {
+ return sslContext == null && sslConfigurator == null;
+ }
+
+ /**
+ * Supply SSLContext from this builder.
+ * @return {@link SSLContext}
+ */
+ @Override
+ public SSLContext get() {
+ return suppliedValue.get();
+ }
+
+ /**
+ * Build SSLContext from the Builder.
+ * @return {@link SSLContext}
+ */
+ public SSLContext build() {
+ return suppliedValue.get();
+ }
+
+ /**
+ * Set the default SSL context provider.
+ * @param defaultSslContextProvider the default SSL context provider.
+ * @return an updated ssl client context builder instance.
+ */
+ protected SslContextClientBuilder defaultSslContextProvider(DefaultSslContextProvider defaultSslContextProvider) {
+ this.defaultSslContextProvider = defaultSslContextProvider;
+ return this;
+ }
+
+ /**
+ * Supply the {@link SSLContext} to the supplier. Can throw illegal state exception when there is a problem with creating or
+ * obtaining default SSL context.
+ * @return SSLContext
+ */
+ private SSLContext supply() {
+ final SSLContext providedValue;
+ if (sslContext != null) {
+ providedValue = sslContext;
+ } else if (sslConfigurator != null) {
+ final SslConfigurator sslConfiguratorCopy = sslConfigurator.copy();
+ providedValue = sslConfiguratorCopy.createSSLContext();
+ } else {
+ providedValue = null;
+ }
+
+ final SSLContext returnValue;
+ if (providedValue == null) {
+ if (defaultSslContextProvider != null) {
+ returnValue = defaultSslContextProvider.getDefaultSslContext();
+ } else {
+ final DefaultSslContextProvider lookedUpSslContextProvider;
+
+ final Iterator iterator =
+ ServiceFinder.find(DefaultSslContextProvider.class).iterator();
+
+ if (iterator.hasNext()) {
+ lookedUpSslContextProvider = iterator.next();
+ } else {
+ lookedUpSslContextProvider = DEFAULT_SSL_CONTEXT_PROVIDER;
+ }
+
+ returnValue = lookedUpSslContextProvider.getDefaultSslContext();
+ }
+ } else {
+ returnValue = providedValue;
+ }
+
+ return returnValue;
+ }
+}
diff --git a/core-client/src/main/java/org/glassfish/jersey/client/internal/HttpUrlConnector.java b/core-client/src/main/java/org/glassfish/jersey/client/internal/HttpUrlConnector.java
index 3e29e2be8a..2054dcf079 100644
--- a/core-client/src/main/java/org/glassfish/jersey/client/internal/HttpUrlConnector.java
+++ b/core-client/src/main/java/org/glassfish/jersey/client/internal/HttpUrlConnector.java
@@ -39,12 +39,14 @@
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Future;
+import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.ws.rs.ProcessingException;
@@ -111,7 +113,7 @@ public class HttpUrlConnector implements Connector {
private final boolean fixLengthStreaming;
private final boolean setMethodWorkaround;
private final boolean isRestrictedHeaderPropertySet;
- private final LazyValue sslSocketFactory;
+ private LazyValue sslSocketFactory;
private final ConnectorExtension connectorExtension
= new HttpUrlExpect100ContinueConnectorExtension();
@@ -135,13 +137,6 @@ public HttpUrlConnector(
final boolean fixLengthStreaming,
final boolean setMethodWorkaround) {
- sslSocketFactory = Values.lazy(new Value() {
- @Override
- public SSLSocketFactory get() {
- return client.getSslContext().getSocketFactory();
- }
- });
-
this.connectionFactory = connectionFactory;
this.chunkSize = chunkSize;
this.fixLengthStreaming = fixLengthStreaming;
@@ -331,6 +326,7 @@ protected void secureConnection(final JerseyClient client, final HttpURLConnecti
*/
private void secureConnection(
final ClientRequest clientRequest, final HttpURLConnection uc, final SSLParamConfigurator sniConfig) {
+ setSslContextFactory(clientRequest.getClient(), clientRequest);
secureConnection(clientRequest.getClient(), uc); // keep this for compatibility
if (sniConfig.isSNIRequired() && uc instanceof HttpsURLConnection) { // set SNI
@@ -341,6 +337,18 @@ private void secureConnection(
}
}
+ private void setSslContextFactory(Client client, ClientRequest request) {
+ final Supplier supplier = request.resolveProperty(ClientProperties.SSL_CONTEXT_SUPPLIER, Supplier.class);
+
+ sslSocketFactory = Values.lazy(new Value() {
+ @Override
+ public SSLSocketFactory get() {
+ final SSLContext ctx = supplier == null ? client.getSslContext() : supplier.get();
+ return ctx.getSocketFactory();
+ }
+ });
+ }
+
private ClientResponse _apply(final ClientRequest request) throws IOException {
final HttpURLConnection uc;
final Optional proxy = ClientProxy.proxyFromRequest(request);
diff --git a/core-common/src/main/java/org/glassfish/jersey/internal/util/collection/Value.java b/core-common/src/main/java/org/glassfish/jersey/internal/util/collection/Value.java
index ee2380073c..891ec3a706 100644
--- a/core-common/src/main/java/org/glassfish/jersey/internal/util/collection/Value.java
+++ b/core-common/src/main/java/org/glassfish/jersey/internal/util/collection/Value.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2023 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
@@ -16,13 +16,15 @@
package org.glassfish.jersey.internal.util.collection;
+import java.util.function.Supplier;
+
/**
* A generic value provider.
*
* @param value type.
* @author Marek Potociar
*/
-public interface Value {
+public interface Value extends Supplier {
/**
* Get the stored value.
*
diff --git a/docs/src/main/docbook/appendix-properties.xml b/docs/src/main/docbook/appendix-properties.xml
index dd3cc080e1..622a34b085 100644
--- a/docs/src/main/docbook/appendix-properties.xml
+++ b/docs/src/main/docbook/appendix-properties.xml
@@ -1076,6 +1076,21 @@
+
+ &jersey.client.ClientProperties.SSL_CONTEXT_SUPPLIER;
+ jersey.config.client.ssl.context.supplier
+
+
+ The javax.net.ssl.SSLContext java.util.function.Supplier to be used to set ssl
+ context in the current HTTP request. Has precedence over the
+ Client#getSslContext().
+
+
+ Currently supported by the default HttpUrlConnector and by
+ NettyConnector only.
+
+
+
&jersey.client.ClientProperties.USE_ENCODING;
jersey.config.client.useEncoding
diff --git a/docs/src/main/docbook/jersey.ent b/docs/src/main/docbook/jersey.ent
index 990f12a01b..d4653a10ed 100644
--- a/docs/src/main/docbook/jersey.ent
+++ b/docs/src/main/docbook/jersey.ent
@@ -351,6 +351,7 @@
ClientProperties.READ_TIMEOUT" >
ClientProperties.REQUEST_ENTITY_PROCESSING" >
ClientProperties.SUPPRESS_HTTP_COMPLIANCE_VALIDATION" >
+ClientProperties.SSL_CONTEXT_SUPPLIER" >
ClientProperties.USE_ENCODING" >
ClientProperties.DIGESTAUTH_URI_CACHE_SIZELIMIT" >
ClientProperties.EXPECT_100_CONTINUE" >
diff --git a/tests/e2e-tls/src/test/java/org/glassfish/jersey/tests/e2e/tls/SslContextPerRequestTest.java b/tests/e2e-tls/src/test/java/org/glassfish/jersey/tests/e2e/tls/SslContextPerRequestTest.java
new file mode 100644
index 0000000000..9ae957e9a7
--- /dev/null
+++ b/tests/e2e-tls/src/test/java/org/glassfish/jersey/tests/e2e/tls/SslContextPerRequestTest.java
@@ -0,0 +1,210 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.jersey.tests.e2e.tls;
+
+import org.glassfish.jersey.client.ClientConfig;
+import org.glassfish.jersey.client.ClientProperties;
+import org.glassfish.jersey.client.HttpUrlConnectorProvider;
+import org.glassfish.jersey.client.RequestEntityProcessing;
+import org.glassfish.jersey.client.SslContextClientBuilder;
+import org.glassfish.jersey.client.spi.ConnectorProvider;
+import org.glassfish.jersey.netty.connector.NettyClientProperties;
+import org.glassfish.jersey.netty.connector.NettyConnectorProvider;
+import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.test.JerseyTest;
+import org.glassfish.jersey.test.grizzly.GrizzlyTestContainerFactory;
+import org.glassfish.jersey.test.spi.TestContainerFactory;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.ProcessingException;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.Invocation;
+import javax.ws.rs.client.WebTarget;
+import javax.ws.rs.core.Application;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.UriBuilder;
+import java.io.InputStream;
+import java.net.URI;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.util.Optional;
+import java.util.function.Supplier;
+import java.util.stream.Stream;
+
+public class SslContextPerRequestTest extends JerseyTest {
+
+ private SSLContext serverSslContext;
+ private SSLParameters serverSslParameters;
+ private static final String MESSAGE = "Message for Netty with SSL";
+
+ @Override
+ protected TestContainerFactory getTestContainerFactory() {
+ return new GrizzlyTestContainerFactory();
+ }
+
+ @Path("secure")
+ public static class TestResource {
+ @GET
+ public String get(@Context HttpHeaders headers) {
+ return MESSAGE;
+ }
+ }
+
+ @Override
+ protected Application configure() {
+ return new ResourceConfig(TestResource.class);
+ }
+
+ @Override
+ protected URI getBaseUri() {
+ return UriBuilder
+ .fromUri("https://localhost")
+ .port(getPort())
+ .build();
+ }
+
+ @Override
+ protected Optional getSslContext() {
+ if (serverSslContext == null) {
+ serverSslContext = SslUtils.createServerSslContext();
+ }
+
+ return Optional.of(serverSslContext);
+ }
+
+ @Override
+ protected Optional getSslParameters() {
+ if (serverSslParameters == null) {
+ serverSslParameters = new SSLParameters();
+ serverSslParameters.setNeedClientAuth(false);
+ }
+
+ return Optional.of(serverSslParameters);
+ }
+
+ public static Stream connectorProviders() {
+ return Stream.of(
+ new HttpUrlConnectorProvider(),
+ new NettyConnectorProvider()
+ );
+ }
+
+ @ParameterizedTest
+ @MethodSource("connectorProviders")
+ public void sslOnRequestTest(ConnectorProvider connectorProvider) throws NoSuchAlgorithmException {
+ Supplier clientSslContext = SslUtils.createClientSslContext();
+
+ ClientConfig config = new ClientConfig();
+ config.connectorProvider(connectorProvider);
+ config.property(ClientProperties.REQUEST_ENTITY_PROCESSING, RequestEntityProcessing.BUFFERED);
+
+ Client client = ClientBuilder.newBuilder().withConfig(config).build();
+
+ WebTarget target = client.target(getBaseUri()).path("secure");
+
+ String s;
+
+ s = target.request()
+ .property(ClientProperties.SSL_CONTEXT_SUPPLIER, clientSslContext)
+ .get(String.class);
+ Assertions.assertEquals(MESSAGE, s);
+
+ try {
+ Invocation.Builder builder = target.request()
+ .property(ClientProperties.SSL_CONTEXT_SUPPLIER,
+ new SslContextClientBuilder().sslContext(SSLContext.getDefault()));
+
+ if (NettyConnectorProvider.class.isInstance(connectorProvider)) {
+ builder = builder.header(HttpHeaders.HOST, "TestHost"); // New Netty channel without SSL yet
+ }
+ s = builder.get(String.class);
+ Assertions.fail("The SSL Exception has not been thrown");
+ } catch (ProcessingException pe) {
+ // expected
+ }
+
+ s = target.request()
+ .property(ClientProperties.SSL_CONTEXT_SUPPLIER, clientSslContext)
+ .get(String.class);
+ Assertions.assertEquals(MESSAGE, s);
+ }
+
+ @ParameterizedTest
+ @MethodSource("connectorProviders")
+ public void testSslOnClient(ConnectorProvider connectorProvider) {
+ Supplier clientSslContext = SslUtils.createClientSslContext();
+
+ ClientConfig config = new ClientConfig();
+ config.connectorProvider(connectorProvider);
+
+ Client client = ClientBuilder.newBuilder().withConfig(config)
+ .sslContext(clientSslContext.get())
+ .build();
+
+ WebTarget target = client.target(getBaseUri()).path("secure");
+
+ String s = target.request().get(String.class);
+ Assertions.assertEquals(MESSAGE, s);
+ }
+
+ private static class SslUtils {
+
+ private static final String SERVER_IDENTITY_PATH = "server-identity.jks";
+ private static final char[] SERVER_IDENTITY_PASSWORD = "secret".toCharArray();
+
+ private static final String CLIENT_TRUSTSTORE_PATH = "client-truststore.jks";
+ private static final char[] CLIENT_TRUSTSTORE_PASSWORD = "secret".toCharArray();
+
+ private static final String KEYSTORE_TYPE = "PKCS12";
+
+ private SslUtils() {}
+
+ public static SSLContext createServerSslContext() {
+ return new SslContextClientBuilder()
+ .keyStore(getKeyStore(SERVER_IDENTITY_PATH, SERVER_IDENTITY_PASSWORD), SERVER_IDENTITY_PASSWORD)
+ .get();
+ }
+
+ public static Supplier createClientSslContext() {
+ return new SslContextClientBuilder()
+ .trustStore(getKeyStore(CLIENT_TRUSTSTORE_PATH, CLIENT_TRUSTSTORE_PASSWORD));
+
+ }
+
+ private static KeyStore getKeyStore(String path, char[] keyStorePassword) {
+ try (InputStream inputStream = getResource(path)) {
+ KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
+ keyStore.load(inputStream, keyStorePassword);
+ return keyStore;
+ } catch (Exception e) {
+ throw new ProcessingException(e);
+ }
+ }
+
+ private static InputStream getResource(String path) {
+ return SslUtils.class.getClassLoader().getResourceAsStream(path);
+ }
+ }
+}
diff --git a/tests/e2e-tls/src/test/resources/client-truststore.jks b/tests/e2e-tls/src/test/resources/client-truststore.jks
new file mode 100644
index 0000000000..539185fda4
Binary files /dev/null and b/tests/e2e-tls/src/test/resources/client-truststore.jks differ
diff --git a/tests/e2e-tls/src/test/resources/server-identity.jks b/tests/e2e-tls/src/test/resources/server-identity.jks
new file mode 100644
index 0000000000..76a21aaedd
Binary files /dev/null and b/tests/e2e-tls/src/test/resources/server-identity.jks differ