Package org.wildfly.security.ssl

Class SSLContextBuilder

  • public final class SSLContextBuilder
extends Object
    A class which allows building and configuration of a single client- or server-side SSL context. The builder requires, at a minimum, that a key manager be set; all other parameters have default values as follows:
    Author:
    David M. Lloyd

    • Constructor Detail

      • SSLContextBuilder

        public SSLContextBuilder()

    • Method Detail

      • setSecurityDomain

        public SSLContextBuilder setSecurityDomain​(SecurityDomain securityDomain)
        Set the security domain to use to authenticate clients.
        Parameters:
        securityDomain - the security domain to use to authenticate clients, or null to disable client certificate authentication

      • setCipherSuiteSelector

        public SSLContextBuilder setCipherSuiteSelector​(CipherSuiteSelector cipherSuiteSelector)
        Set the cipher suite selector to use for this context.
        Parameters:
        cipherSuiteSelector - the cipher suite selector (not null)

      • setProtocolSelector

        public SSLContextBuilder setProtocolSelector​(ProtocolSelector protocolSelector)
        Set the protocol selector to use for this context.
        Parameters:
        protocolSelector - the protocol selector to use for this context (not null)

      • setUseCipherSuitesOrder

        public SSLContextBuilder setUseCipherSuitesOrder​(boolean useCipherSuitesOrder)
        Sets whether the local cipher suites preference should be honored.
        Parameters:
        useCipherSuitesOrder - whether the local cipher suites preference should be honored.

      • setWantClientAuth

        public SSLContextBuilder setWantClientAuth​(boolean wantClientAuth)
        Force the SSLContext created by this builder to want client authentication. The SSLContext returned by this builder will be configured to want client authentication if this value is set to true OR of a SecurityDomain is associated.
        Parameters:
        wantClientAuth - should the SSLContext be forced to want client authentication.

      • setNeedClientAuth

        public SSLContextBuilder setNeedClientAuth​(boolean needClientAuth)
        Force the SSLContext created by this builder to need client authentication. The SSLContext returned by this builder will be configured to need client authentication if this value is set to true.
        Parameters:
        needClientAuth - should the SSLContext be forced to need client authentication.

      • setAuthenticationOptional

        public SSLContextBuilder setAuthenticationOptional​(boolean authenticationOptional)
        Where a SecurityDomain is associated with this Builder if the client presents a certificate an attempt will be made to obtain a SecurityIdentity by using the certificate for authentication, setting this flag to true allows for a failed authentication to be silently ignored. This setting does not bypass any certificate checking performed by the underlying TrustManager so failure there will still cause the connection attempt to be aborted. The reason this setting would be used would be to enable a fallback to another authentication mechanism after the connection is established. Note: Where this is no security domain associated there is no authentication step so this value will be ignored.
        Parameters:
        authenticationOptional - should the authentication step be allowed to silently fail.

      • setSessionCacheSize

        public SSLContextBuilder setSessionCacheSize​(int sessionCacheSize)
        Sets the size of the cache used for storing SSLSession objects.
        Parameters:
        sessionCacheSize - the size of the cache used for storing SSLSession objects.
        Returns:
        The SSLContextBuilder to allow chaining of method calls.

      • setSessionTimeout

        public SSLContextBuilder setSessionTimeout​(int sessionTimeout)
        Sets the timeout limit for SSLSession objects.
        Parameters:
        sessionTimeout - the timeout limit for SSLSession objects.
        Returns:
        The SSLContextBuilder to allow chaining of method calls.

      • setKeyManagerSecurityFactory

        public SSLContextBuilder setKeyManagerSecurityFactory​(SecurityFactory<X509ExtendedKeyManager> keyManagerSecurityFactory)
        Set the factory for the key manager which should be used to hold identities for this context.
        Parameters:
        keyManagerSecurityFactory - the security factory which produces the key manager (not null)

      • setKeyManager

        public SSLContextBuilder setKeyManager​(X509ExtendedKeyManager keyManager)
        Set the key manager which should be used to hold identities for this context.
        Parameters:
        keyManager - the security factory which produces the key manager (not null)

      • setTrustManagerSecurityFactory

        public SSLContextBuilder setTrustManagerSecurityFactory​(SecurityFactory<X509TrustManager> trustManagerSecurityFactory)
        Set the factory for the trust manager which should be used for the initial trust decisions during connection.
        Parameters:
        trustManagerSecurityFactory - the factory for the trust manager which should be used for the initial trust decisions during connection (not null).

      • setTrustManager

        public SSLContextBuilder setTrustManager​(X509TrustManager trustManager)
        Set the trust manager which should be used to hold identities for this context.
        Parameters:
        trustManager - the trust manager which should be used to hold identities for this context (not null).

      • setProviderSupplier

        public SSLContextBuilder setProviderSupplier​(Supplier<Provider[]> providerSupplier)
        Set the provider supplier.
        Parameters:
        providerSupplier - the provider supplier (not null)

      • setProviderName

        public SSLContextBuilder setProviderName​(String name)
        Set the provider name.
        Parameters:
        name - the provider name (if null and provider is allowed)
        Returns:
        this builder

      • setClientMode

        public SSLContextBuilder setClientMode​(boolean clientMode)
        Set the client mode of the target SSL context.
        Parameters:
        clientMode - true to use client mode, false otherwise
        Returns:
        this builder

      • setWrap

        public SSLContextBuilder setWrap​(boolean wrap)
        Set if the configured SSL engine and sockets created using the SSL context should be wrapped to prevent modification to the configuration. Defaults to true.
        Parameters:
        wrap - should the engine or socket created by the SSL context be wrapped to prevent modification to the configuration.
        Returns:
        this builder

      • build

        public SecurityFactory<SSLContext> build()
        Build a security factory for the new context. The factory will cache the constructed instance.
        Returns:
        the security factory