Class SSLContextBuilder

java.lang.Object
org.wildfly.security.ssl.SSLContextBuilder

public final class SSLContextBuilder extends Object
A class which allows building and configuration of a single client- or server-side SSL context. The builder requires, at a minimum, that a key manager be set; all other parameters have default values as follows:
Author:
David M. Lloyd
  • Constructor Details

    • SSLContextBuilder

      public SSLContextBuilder()
  • Method Details

    • setSecurityDomain

      public SSLContextBuilder setSecurityDomain(SecurityDomain securityDomain)
      Set the security domain to use to authenticate clients.
      Parameters:
      securityDomain - the security domain to use to authenticate clients, or null to disable client certificate authentication
    • setCipherSuiteSelector

      public SSLContextBuilder setCipherSuiteSelector(CipherSuiteSelector cipherSuiteSelector)
      Set the cipher suite selector to use for this context.
      Parameters:
      cipherSuiteSelector - the cipher suite selector (not null)
    • setProtocolSelector

      public SSLContextBuilder setProtocolSelector(ProtocolSelector protocolSelector)
      Set the protocol selector to use for this context.
      Parameters:
      protocolSelector - the protocol selector to use for this context (not null)
    • setUseCipherSuitesOrder

      public SSLContextBuilder setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
      Sets whether the local cipher suites preference should be honored.
      Parameters:
      useCipherSuitesOrder - whether the local cipher suites preference should be honored.
    • setWantClientAuth

      public SSLContextBuilder setWantClientAuth(boolean wantClientAuth)
      Force the SSLContext created by this builder to want client authentication. The SSLContext returned by this builder will be configured to want client authentication if this value is set to true or if a SecurityDomain is associated with the builder.
      Parameters:
      wantClientAuth - should the SSLContext be forced to want client authentication.
    • setNeedClientAuth

      public SSLContextBuilder setNeedClientAuth(boolean needClientAuth)
      Force the SSLContext created by this builder to need client authentication. The SSLContext returned by this builder will be configured to need client authentication if this value is set to true.
      Parameters:
      needClientAuth - should the SSLContext be forced to need client authentication.
    • setAuthenticationOptional

      public SSLContextBuilder setAuthenticationOptional(boolean authenticationOptional)
      Where a SecurityDomain is associated with this builder and the client presents a certificate, an attempt will be made to obtain a SecurityIdentity by using the certificate for authentication. Setting this flag to true allows a failed authentication to be silently ignored. This setting does not bypass any certificate checking performed by the underlying TrustManager, so a failure there will still cause the connection attempt to be aborted. The reason to use this setting is to enable a fallback to another authentication mechanism after the connection is established. Note: where there is no security domain associated there is no authentication step, so this value will be ignored.
      Parameters:
      authenticationOptional - should the authentication step be allowed to silently fail.
    • setSessionCacheSize

      public SSLContextBuilder setSessionCacheSize(int sessionCacheSize)
      Sets the size of the cache used for storing SSLSession objects.
      Parameters:
      sessionCacheSize - the size of the cache used for storing SSLSession objects.
      Returns:
      The SSLContextBuilder to allow chaining of method calls.
    • setSessionTimeout

      public SSLContextBuilder setSessionTimeout(int sessionTimeout)
      Sets the timeout limit for SSLSession objects.
      Parameters:
      sessionTimeout - the timeout limit for SSLSession objects.
      Returns:
      The SSLContextBuilder to allow chaining of method calls.
    • setKeyManagerSecurityFactory

      public SSLContextBuilder setKeyManagerSecurityFactory(SecurityFactory<X509ExtendedKeyManager> keyManagerSecurityFactory)
      Set the factory for the key manager which should be used to hold identities for this context.
      Parameters:
      keyManagerSecurityFactory - the security factory which produces the key manager (not null)
    • setKeyManager

      public SSLContextBuilder setKeyManager(X509ExtendedKeyManager keyManager)
      Set the key manager which should be used to hold identities for this context.
      Parameters:
      keyManager - the key manager which should hold identities for this context (not null)
    • setTrustManagerSecurityFactory

      public SSLContextBuilder setTrustManagerSecurityFactory(SecurityFactory<X509TrustManager> trustManagerSecurityFactory)
      Set the factory for the trust manager which should be used for the initial trust decisions during connection.
      Parameters:
      trustManagerSecurityFactory - the factory for the trust manager which should be used for the initial trust decisions during connection (not null).
    • setTrustManager

      public SSLContextBuilder setTrustManager(X509TrustManager trustManager)
      Set the trust manager which should be used for the initial trust decisions during connection.
      Parameters:
      trustManager - the trust manager which should be used for the initial trust decisions during connection (not null).
    • setProviderSupplier

      public SSLContextBuilder setProviderSupplier(Supplier<Provider[]> providerSupplier)
      Set the provider supplier.
      Parameters:
      providerSupplier - the provider supplier (not null)
    • setProviderName

      public SSLContextBuilder setProviderName(String name)
      Set the provider name.
      Parameters:
      name - the provider name (if null, any provider is allowed)
      Returns:
      this builder
    • setClientMode

      public SSLContextBuilder setClientMode(boolean clientMode)
      Set the client mode of the target SSL context.
      Parameters:
      clientMode - true to use client mode, false otherwise
      Returns:
      this builder
    • setWrap

      public SSLContextBuilder setWrap(boolean wrap)
      Set whether the SSL engines and sockets created using the SSL context should be wrapped to prevent modification of the configuration. Defaults to true.
      Parameters:
      wrap - whether the engines and sockets created by the SSL context should be wrapped to prevent modification of the configuration.
      Returns:
      this builder
    • setMechanismConfigurationSelector

      public SSLContextBuilder setMechanismConfigurationSelector(MechanismConfigurationSelector mechanismConfigurationSelector)
      Set selector of mechanism configuration for ServerAuthenticationContext, which will be used for SSL client authentication.
      Parameters:
      mechanismConfigurationSelector - mechanism configuration selector to be used by ServerAuthenticationContext in SSL authentication.
      Returns:
      this builder
    • build

      public SecurityFactory<SSLContext> build()
      Build a security factory for the new context. The factory will cache the constructed instance.
      Returns:
      the security factory
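The following is an added usage example, not code from the WildFly Elytron project or its documentation. It shows the builder described above being used twice: once for a server-side context that requires client certificates (setNeedClientAuth), and once for a client-side context (setClientMode). The keystore paths, the password, the PKCS12 format, the choice of an RSA server key (which the named ECDHE-RSA cipher suites assume) and the class name MutualTlsContextExample are all assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import org.wildfly.security.SecurityFactory;
import org.wildfly.security.ssl.CipherSuiteSelector;
import org.wildfly.security.ssl.Protocol;
import org.wildfly.security.ssl.ProtocolSelector;
import org.wildfly.security.ssl.SSLContextBuilder;

// Added example (not Elytron project code): builds a mutual-TLS server context
// and a matching client context with SSLContextBuilder.
public final class MutualTlsContextExample {

    // Assumed file locations and password; replace with real values.
    private static final String SERVER_KEYSTORE = "/path/to/server-keystore.p12";
    private static final String CLIENT_KEYSTORE = "/path/to/client-keystore.p12";
    private static final String TRUSTSTORE = "/path/to/truststore.p12";
    private static final char[] PASSWORD = "changeit".toCharArray();

    // Load the first X509ExtendedKeyManager produced by the platform KeyManagerFactory.
    static X509ExtendedKeyManager loadKeyManager(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) km;
            }
        }
        throw new GeneralSecurityException("no X509ExtendedKeyManager available");
    }

    // Load the first X509TrustManager backed by the trust store.
    static X509TrustManager loadTrustManager(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    // Server side: only TLS 1.2/1.3, forward-secret AEAD suites, and a client
    // certificate is required (needClientAuth), so the TrustManager rejects
    // unknown clients during the handshake rather than after it.
    static SecurityFactory<SSLContext> serverContextFactory(X509ExtendedKeyManager km, X509TrustManager tm) {
        return new SSLContextBuilder()
                .setKeyManager(km)
                .setTrustManager(tm)
                .setProtocolSelector(ProtocolSelector.empty().add(Protocol.TLSv1_2, Protocol.TLSv1_3))
                .setCipherSuiteSelector(CipherSuiteSelector.fromString(
                        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"))
                .setUseCipherSuitesOrder(true)   // honour the server's preference order
                .setNeedClientAuth(true)
                .setSessionCacheSize(1024)
                .setSessionTimeout(300)          // seconds
                .setWrap(true)                   // engines/sockets cannot be reconfigured by callers
                .build();
    }

    // Client side: presents its own certificate from the client keystore and
    // trusts the server through the same trust store.
    static SecurityFactory<SSLContext> clientContextFactory(X509ExtendedKeyManager km, X509TrustManager tm) {
        return new SSLContextBuilder()
                .setClientMode(true)
                .setKeyManager(km)
                .setTrustManager(tm)
                .setProtocolSelector(ProtocolSelector.empty().add(Protocol.TLSv1_2, Protocol.TLSv1_3))
                .build();
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = loadTrustManager(TRUSTSTORE, PASSWORD);
        SSLContext server = serverContextFactory(loadKeyManager(SERVER_KEYSTORE, PASSWORD), tm).create();
        SSLContext client = clientContextFactory(loadKeyManager(CLIENT_KEYSTORE, PASSWORD), tm).create();

        // The factory caches the instance, so repeated create() calls return the same context.
        SSLEngine engine = server.createSSLEngine();
        System.out.println("server protocols: " + String.join(",", engine.getEnabledProtocols()));
        System.out.println("server needs client auth: " + engine.getNeedClientAuth());
        System.out.println("client mode: " + client.createSSLEngine().getUseClientMode());
    }
}
```

The two builders deliberately share one trust store so that each side validates the other against the same CA set; the server enforces the client certificate with setNeedClientAuth(true) because the page documents that setting as the one that makes the handshake fail, whereas setWantClientAuth(true) would only request a certificate.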