From eadb0ebe5eb0d1e5fcff88e8322f5e3a44d6c93f Mon Sep 17 00:00:00 2001
From: Johan Lundberg <lundberg@nordu.net>
Date: Thu, 9 Apr 2015 18:53:06 +0200
Subject: Added Jetty configuration and start command.

---
 Dockerfile                 | 12 +++++++--
 README                     |  5 ++++
 jetty_conf/idp.xml         | 10 +++++++
 jetty_conf/jetty-https.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++
 jetty_conf/jetty-ssl.xml   | 64 ++++++++++++++++++++++++++++++++++++++++++++
 jetty_conf/ssl.mod         | 34 ++++++++++++++++++++++++
 jetty_conf/start.ini       | 28 ++++++++++++++++++++
 start.sh                   |  8 ++++--
 8 files changed, 223 insertions(+), 4 deletions(-)
 create mode 100644 README
 create mode 100644 jetty_conf/idp.xml
 create mode 100644 jetty_conf/jetty-https.xml
 create mode 100644 jetty_conf/jetty-ssl.xml
 create mode 100644 jetty_conf/ssl.mod
 create mode 100644 jetty_conf/start.ini

diff --git a/Dockerfile b/Dockerfile
index 74be2e3..11bee0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,8 +7,8 @@ RUN apt-get update && \
     apt-get install -y wget
 
 # Download and install jetty
-ENV JETTY_VERSION 9.2.7
-ENV RELEASE_DATE v20150116
+ENV JETTY_VERSION 9.2.10
+ENV RELEASE_DATE v20150310
 RUN wget http://download.eclipse.org/jetty/stable-9/dist/jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \
     tar -xzvf jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \
     rm -rf jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \
@@ -19,6 +19,14 @@ RUN useradd jetty && \
     chown -R jetty:jetty /opt/jetty && \
     rm -rf /opt/jetty/webapps.demo
 
+# Add configuration files
+ADD jetty_conf /jetty_conf
+RUN mv /jetty_conf/start.ini /opt/jetty/start.ini && \
+    mv /jetty_conf/jetty-ssl.xml /opt/jetty/etc/jetty-ssl.xml && \
+    mv /jetty_conf/jetty-https.xml /opt/jetty/etc/jetty-https.xml && \
+    mv /jetty_conf/ssl.mod /opt/jetty/modules/ssl.mod && \
+    mv /jetty_conf/idp.xml /opt/jetty/webapps/idp.xml
+
 # Download shibboleth-idp
 ENV IDP_VERSION 3.0.0
 RUN wget https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
diff --git a/README b/README
new file mode 100644
index 0000000..bf20a2e
--- /dev/null
+++ b/README
@@ -0,0 +1,5 @@
+How to run:
+
+docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install
+
+docker run -d -e PKCS12_PASSWORD=pkcs12pass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp
diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml
new file mode 100644
index 0000000..cdeed1e
--- /dev/null
+++ b/jetty_conf/idp.xml
@@ -0,0 +1,10 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+  <Set name="war">
+    <SystemProperty name="idp.home" />
+    /war/idp.war
+  </Set>
+  <Set name="contextPath">/idp</Set>
+  <Set name="extractWAR">false</Set>
+  <Set name="copyWebDir">false</Set>
+  <Set name="copyWebInf">true</Set>
+</Configure>
diff --git a/jetty_conf/jetty-https.xml b/jetty_conf/jetty-https.xml
new file mode 100644
index 0000000..8078f9b
--- /dev/null
+++ b/jetty_conf/jetty-https.xml
@@ -0,0 +1,66 @@
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<!-- ============================================================= -->
+<!-- Configure HTTPS connectors.                              -->
+<!-- This configuration must be used in conjunction with jetty.xml -->
+<!-- and jetty-ssl.xml.                                       -->
+<!-- ============================================================= -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  <!-- ============================================================= -->
+  <!-- Anonymous (no client TLS) HTTPS connector                -->
+  <!-- ============================================================= -->
+  <Call id="httpsConnector" name="addConnector">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ServerConnector">
+        <Arg name="server">
+          <Ref refid="Server" />
+        </Arg>
+        <Arg name="acceptors" type="int">
+          <Property name="ssl.acceptors" default="-1" />
+        </Arg>
+        <Arg name="selectors" type="int">
+          <Property name="ssl.selectors" default="-1" />
+        </Arg>
+        <Arg name="factories">
+          <Array type="org.eclipse.jetty.server.ConnectionFactory">
+            <Item>
+              <New class="org.eclipse.jetty.server.SslConnectionFactory">
+                <Arg name="next">http/1.1</Arg>
+                <Arg name="sslContextFactory">
+                  <Ref refid="sslContextFactory" />
+                </Arg>
+              </New>
+            </Item>
+            <Item>
+              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+                <Arg name="config">
+                  <Ref refid="sslHttpConfig" />
+                </Arg>
+              </New>
+            </Item>
+          </Array>
+        </Arg>
+        <Set name="host">
+          <Property name="jetty.host" />
+        </Set>
+        <Set name="port">
+          <Property name="https.port" />
+        </Set>
+        <Set name="idleTimeout">
+          <Property name="https.timeout" default="30000" />
+        </Set>
+        <Set name="soLingerTime">
+          <Property name="https.soLingerTime" default="-1" />
+        </Set>
+        <Set name="acceptorPriorityDelta">
+          <Property name="ssl.acceptorPriorityDelta" default="0" />
+        </Set>
+        <Set name="selectorPriorityDelta">
+          <Property name="ssl.selectorPriorityDelta" default="0" />
+        </Set>
+        <Set name="acceptQueueSize">
+          <Property name="https.acceptQueueSize" default="0" />
+        </Set>
+      </New>
+    </Arg>
+  </Call>
+</Configure>
diff --git a/jetty_conf/jetty-ssl.xml b/jetty_conf/jetty-ssl.xml
new file mode 100644
index 0000000..b822ae5
--- /dev/null
+++ b/jetty_conf/jetty-ssl.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  <!-- ============================================================= -->
+  <!-- TLS context factory without client auth                  -->
+  <!-- ============================================================= -->
+  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+    <Set name="KeyStorePath">
+      <Property name="jetty.keystore" />
+    </Set>
+    <Set name="KeyStoreType">
+      <Property name="jetty.keystore.type" />
+    </Set>
+    <Set name="KeyStorePassword">
+      <Property name="jetty.keystore.password" />
+    </Set>
+    <Set name="EndpointIdentificationAlgorithm" />
+    <Set name="NeedClientAuth">false</Set>
+    <Set name="WantClientAuth">false</Set>
+    <Set name="excludeProtocols">
+      <Array type="String">
+        <Item>SSLv3</Item>
+      </Array>
+    </Set>
+    <Set name="IncludeCipherSuites">
+      <Array type="String">
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
+        <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
+        <Item>TLS_RSA_WITH_AES_256_GCM_SHA256</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
+        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
+        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
+        <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
+        <Item>TLS_RSA_WITH_AES_256_CBC_SHA384</Item>
+        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
+        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
+      </Array>
+    </Set>
+  </New>
+  <!-- =========================================================== -->
+  <!-- Create a TLS specific HttpConfiguration based on the   -->
+  <!-- common HttpConfiguration defined in jetty.xml          -->
+  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
+  <!-- session information                                    -->
+  <!-- =========================================================== -->
+  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+    <Arg>
+      <Ref refid="httpConfig" />
+    </Arg>
+    <Call name="addCustomizer">
+      <Arg>
+        <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
+      </Arg>
+    </Call>
+  </New>
+</Configure>
diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod
new file mode 100644
index 0000000..77ceb76
--- /dev/null
+++ b/jetty_conf/ssl.mod
@@ -0,0 +1,34 @@
+#
+# SSL Keystore module
+#
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+
+[ini-template]
+### SSL Keystore Configuration
+# define the port to use for secure redirection
+jetty.secure.port=8443
+
+## Setup a demonstration keystore and truststore
+jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12
+
+## Set the demonstration passwords.
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+jetty.keystore.password=
+
+### Set the client auth behavior
+## Set to true if client certificate authentication is required
+# jetty.ssl.needClientAuth=true
+## Set to true if client certificate authentication is desired
+# jetty.ssl.wantClientAuth=true
+
+## Parameters to control the number and priority of acceptors and selectors
+# ssl.selectors=1
+# ssl.acceptors=1
+# ssl.selectorPriorityDelta=0
+# ssl.acceptorPriorityDelta=0
diff --git a/jetty_conf/start.ini b/jetty_conf/start.ini
new file mode 100644
index 0000000..460dd32
--- /dev/null
+++ b/jetty_conf/start.ini
@@ -0,0 +1,28 @@
+# Required Jetty modules
+--module=server
+--module=deploy
+--module=annotations
+--module=resources
+--module=logging
+--module=requestlog
+--module=https
+--module=ssl
+--module=servlets
+--module=jsp
+--module=jstl
+--module=ext
+--module=plus
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# IDP home
+-Didp.home=/opt/shibboleth-idp
+
+# Maximum amount of memory that Jetty may use, at least 512M is recommended
+-Xmx512m
+# Maximum amount of memory allowed for the JVM permanent generation
+-XX:MaxPermSize=128m
+
diff --git a/start.sh b/start.sh
index 3b48694..5c341f5 100644
--- a/start.sh
+++ b/start.sh
@@ -7,13 +7,17 @@ case "$*" in
     start)
         # Upgrade/Recreate war
         ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp
+	# Set Jetty tls cert password
+	sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$PKCS12_PASSWORD" /opt/jetty/modules/ssl.mod
+	# Start Jetty
+	cd /opt/jetty/ && /usr/bin/java -jar start.jar
     ;;
     install)
-# Fresh install
+        # Fresh install
 cat>/tmp/entity_id<<EOF
 idp.entityID= ${ENTITY_ID}
 EOF
-    ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt
+        ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt
     ;;
     debug)
         /bin/bash
-- 
cgit v1.1