/* * Copyright (c) 2016, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ import com.sun.net.httpserver.BasicAuthenticator; import com.sun.net.httpserver.Filter; import com.sun.net.httpserver.Headers; import com.sun.net.httpserver.HttpContext; import com.sun.net.httpserver.HttpExchange; import com.sun.net.httpserver.HttpHandler; import com.sun.net.httpserver.HttpServer; import com.sun.net.httpserver.HttpsConfigurator; import com.sun.net.httpserver.HttpsParameters; import com.sun.net.httpserver.HttpsServer; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.io.Writer; import java.math.BigInteger; import java.net.HttpURLConnection; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.MalformedURLException; import java.net.ServerSocket; import java.net.Socket; import java.net.SocketAddress; import java.net.URL; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.time.Instant; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; import java.util.HexFormat; import java.util.List; import java.util.Objects; import java.util.Random; import java.util.concurrent.CopyOnWriteArrayList; import java.util.stream.Collectors; import javax.net.ssl.SSLContext; import sun.net.www.HeaderParser; /** * A simple HTTP server that supports Digest authentication. * By default this server will echo back whatever is present * in the request body. * @author danielfuchs */ public class HTTPTestServer extends HTTPTest { final HttpServer serverImpl; // this server endpoint final HTTPTestServer redirect; // the target server where to redirect 3xx final HttpHandler delegate; // unused private HTTPTestServer(HttpServer server, HTTPTestServer target, HttpHandler delegate) { this.serverImpl = server; this.redirect = target; this.delegate = delegate; } public static void main(String[] args) throws IOException { HTTPTestServer server = create(HTTPTest.DEFAULT_PROTOCOL_TYPE, HTTPTest.DEFAULT_HTTP_AUTH_TYPE, HTTPTest.AUTHENTICATOR, HTTPTest.DEFAULT_SCHEME_TYPE); try { System.out.println("Server created at " + server.getAddress()); System.out.println("Strike to exit"); System.in.read(); } finally { System.out.println("stopping server"); server.stop(); } } private static String toString(Headers headers) { return headers.entrySet().stream() .map((e) -> e.getKey() + ": " + e.getValue()) .collect(Collectors.joining("\n")); } public static HTTPTestServer create(HttpProtocolType protocol, HttpAuthType authType, HttpTestAuthenticator auth, HttpSchemeType schemeType) throws IOException { return create(protocol, authType, auth, schemeType, null); } public static HTTPTestServer create(HttpProtocolType protocol, HttpAuthType authType, HttpTestAuthenticator auth, HttpSchemeType schemeType, HttpHandler delegate) throws IOException { return create(protocol, authType, auth, schemeType, null, "MD5"); } public static HTTPTestServer create(HttpProtocolType protocol, HttpAuthType authType, HttpTestAuthenticator auth, HttpSchemeType schemeType, HttpHandler delegate, String algorithm) throws IOException { Objects.requireNonNull(authType); Objects.requireNonNull(auth); switch(authType) { // A server that performs Server Digest authentication. case SERVER: return createServer(protocol, authType, auth, schemeType, delegate, algorithm, "/"); // A server that pretends to be a Proxy and performs // Proxy Digest authentication. If protocol is HTTPS, // then this will create a HttpsProxyTunnel that will // handle the CONNECT request for tunneling. case PROXY: return createProxy(protocol, authType, auth, schemeType, delegate, "/"); // A server that sends 307 redirect to a server that performs // Digest authentication. // Note: 301 doesn't work here because it transforms POST into GET. case SERVER307: return createServerAndRedirect(protocol, HttpAuthType.SERVER, auth, schemeType, delegate, 307); // A server that sends 305 redirect to a proxy that performs // Digest authentication. case PROXY305: return createServerAndRedirect(protocol, HttpAuthType.PROXY, auth, schemeType, delegate, 305); default: throw new InternalError("Unknown server type: " + authType); } } /** * The SocketBindableFactory ensures that the local port used by an HttpServer * or a proxy ServerSocket previously created by the current test/VM will not * get reused by a subsequent test in the same VM. This is to avoid having the * AuthCache reuse credentials from previous tests - which would invalidate the * assumptions made by the current test on when the default authenticator should * be called. */ private static abstract class SocketBindableFactory { private static final int MAX = 10; private static final CopyOnWriteArrayList addresses = new CopyOnWriteArrayList<>(); protected B createInternal() throws IOException { final int max = addresses.size() + MAX; final List toClose = new ArrayList<>(); try { for (int i = 1; i <= max; i++) { B bindable = createBindable(); SocketAddress address = getAddress(bindable); String key = toString(address); if (addresses.addIfAbsent(key)) { System.out.println("Socket bound to: " + key + " after " + i + " attempt(s)"); return bindable; } System.out.println("warning: address " + key + " already used. Retrying bind."); // keep the port bound until we get a port that we haven't // used already toClose.add(bindable); } } finally { // if we had to retry, then close the socket we're not // going to use. for (B b : toClose) { try { close(b); } catch (Exception x) { /* ignore */ } } } throw new IOException("Couldn't bind socket after " + max + " attempts: " + "addresses used before: " + addresses); } private static String toString(SocketAddress address) { // We don't rely on address.toString(): sometimes it can be // "/127.0.0.1:port", sometimes it can be "localhost/127.0.0.1:port" // Instead we compose our own string representation: InetSocketAddress candidate = (InetSocketAddress) address; String hostAddr = candidate.getAddress().getHostAddress(); if (hostAddr.contains(":")) hostAddr = "[" + hostAddr + "]"; return hostAddr + ":" + candidate.getPort(); } protected abstract B createBindable() throws IOException; protected abstract SocketAddress getAddress(B bindable); protected abstract void close(B bindable) throws IOException; } /* * Used to create ServerSocket for a proxy. */ private static final class ServerSocketFactory extends SocketBindableFactory { private static final ServerSocketFactory instance = new ServerSocketFactory(); static ServerSocket create() throws IOException { return instance.createInternal(); } @Override protected ServerSocket createBindable() throws IOException { InetAddress address = InetAddress.getLoopbackAddress(); return new ServerSocket(0, 0, address); } @Override protected SocketAddress getAddress(ServerSocket socket) { return socket.getLocalSocketAddress(); } @Override protected void close(ServerSocket socket) throws IOException { socket.close(); } } /* * Used to create HttpServer for a NTLMTestServer. */ private static abstract class WebServerFactory extends SocketBindableFactory { @Override protected S createBindable() throws IOException { S server = newHttpServer(); InetAddress address = InetAddress.getLoopbackAddress(); server.bind(new InetSocketAddress(address, 0), 0); return server; } @Override protected SocketAddress getAddress(S server) { return server.getAddress(); } @Override protected void close(S server) throws IOException { server.stop(1); } /* * Returns a HttpServer or a HttpsServer in different subclasses. */ protected abstract S newHttpServer() throws IOException; } private static final class HttpServerFactory extends WebServerFactory { private static final HttpServerFactory instance = new HttpServerFactory(); static HttpServer create() throws IOException { return instance.createInternal(); } @Override protected HttpServer newHttpServer() throws IOException { return HttpServer.create(); } } private static final class HttpsServerFactory extends WebServerFactory { private static final HttpsServerFactory instance = new HttpsServerFactory(); static HttpsServer create() throws IOException { return instance.createInternal(); } @Override protected HttpsServer newHttpServer() throws IOException { return HttpsServer.create(); } } static HttpServer createHttpServer(HttpProtocolType protocol) throws IOException { switch (protocol) { case HTTP: return HttpServerFactory.create(); case HTTPS: return configure(HttpsServerFactory.create()); default: throw new InternalError("Unsupported protocol " + protocol); } } static HttpsServer configure(HttpsServer server) throws IOException { try { SSLContext ctx = SSLContext.getDefault(); server.setHttpsConfigurator(new Configurator(ctx)); } catch (NoSuchAlgorithmException ex) { throw new IOException(ex); } return server; } static void setContextAuthenticator(HttpContext ctxt, HttpTestAuthenticator auth) { final String realm = auth.getRealm(); com.sun.net.httpserver.Authenticator authenticator = new BasicAuthenticator(realm) { @Override public boolean checkCredentials(String username, String pwd) { return auth.getUserName().equals(username) && new String(auth.getPassword(username)).equals(pwd); } }; ctxt.setAuthenticator(authenticator); } public static HTTPTestServer createServer(HttpProtocolType protocol, HttpAuthType authType, HttpTestAuthenticator auth, HttpSchemeType schemeType, HttpHandler delegate, String algorithm, String path) throws IOException { Objects.requireNonNull(authType); Objects.requireNonNull(auth); HttpServer impl = createHttpServer(protocol); final HTTPTestServer server = new HTTPTestServer(impl, null, delegate); final HttpHandler hh = server.createHandler(schemeType, auth, authType); HttpContext ctxt = impl.createContext(path, hh); server.configureAuthentication(ctxt, schemeType, auth, authType, algorithm); impl.start(); return server; } public static HTTPTestServer createProxy(HttpProtocolType protocol, HttpAuthType authType, HttpTestAuthenticator auth, HttpSchemeType schemeType, HttpHandler delegate, String path) throws IOException { Objects.requireNonNull(authType); Objects.requireNonNull(auth); HttpServer impl = createHttpServer(protocol); final HTTPTestServer server = protocol == HttpProtocolType.HTTPS ? new HttpsProxyTunnel(impl, null, delegate) : new HTTPTestServer(impl, null, delegate); final HttpHandler hh = server.createHandler(schemeType, auth, authType); HttpContext ctxt = impl.createContext(path, hh); server.configureAuthentication(ctxt, schemeType, auth, authType, null); impl.start(); return server; } public static HTTPTestServer createServerAndRedirect( HttpProtocolType protocol, HttpAuthType targetAuthType, HttpTestAuthenticator auth, HttpSchemeType schemeType, HttpHandler targetDelegate, int code300) throws IOException { Objects.requireNonNull(targetAuthType); Objects.requireNonNull(auth); // The connection between client and proxy can only // be a plain connection: SSL connection to proxy // is not supported by our client connection. HttpProtocolType targetProtocol = targetAuthType == HttpAuthType.PROXY ? HttpProtocolType.HTTP : protocol; HTTPTestServer redirectTarget = (targetAuthType == HttpAuthType.PROXY) ? createProxy(protocol, targetAuthType, auth, schemeType, targetDelegate, "/") : createServer(targetProtocol, targetAuthType, auth, schemeType, targetDelegate, "MD5", "/"); HttpServer impl = createHttpServer(protocol); final HTTPTestServer redirectingServer = new HTTPTestServer(impl, redirectTarget, null); InetSocketAddress redirectAddr = redirectTarget.getAddress(); URL locationURL = url(targetProtocol, redirectAddr, "/"); final HttpHandler hh = redirectingServer.create300Handler(locationURL, HttpAuthType.SERVER, code300); impl.createContext("/", hh); impl.start(); return redirectingServer; } public InetSocketAddress getAddress() { return serverImpl.getAddress(); } public InetSocketAddress getProxyAddress() { return serverImpl.getAddress(); } public void stop() { serverImpl.stop(0); if (redirect != null) { redirect.stop(); } } protected void writeResponse(HttpExchange he) throws IOException { if (delegate == null) { he.sendResponseHeaders(HttpURLConnection.HTTP_OK, 0); he.getResponseBody().write(he.getRequestBody().readAllBytes()); } else { delegate.handle(he); } } private HttpHandler createHandler(HttpSchemeType schemeType, HttpTestAuthenticator auth, HttpAuthType authType) { return new HttpNoAuthHandler(authType); } private void configureAuthentication(HttpContext ctxt, HttpSchemeType schemeType, HttpTestAuthenticator auth, HttpAuthType authType, String algorithm) { switch(schemeType) { case DIGEST: // DIGEST authentication is handled by the handler. ctxt.getFilters().add(new HttpDigestFilter(auth, authType, algorithm)); break; case BASIC: // BASIC authentication is handled by the filter. ctxt.getFilters().add(new HttpBasicFilter(auth, authType)); break; case BASICSERVER: switch(authType) { case PROXY: case PROXY305: // HttpServer can't support Proxy-type authentication // => we do as if BASIC had been specified, and we will // handle authentication in the handler. ctxt.getFilters().add(new HttpBasicFilter(auth, authType)); break; case SERVER: case SERVER307: // Basic authentication is handled by HttpServer // directly => the filter should not perform // authentication again. setContextAuthenticator(ctxt, auth); ctxt.getFilters().add(new HttpNoAuthFilter(authType)); break; default: throw new InternalError("Invalid combination scheme=" + schemeType + " authType=" + authType); } case NONE: // No authentication at all. ctxt.getFilters().add(new HttpNoAuthFilter(authType)); break; default: throw new InternalError("No such scheme: " + schemeType); } } private HttpHandler create300Handler(URL proxyURL, HttpAuthType type, int code300) throws MalformedURLException { return new Http3xxHandler(proxyURL, type, code300); } // Abstract HTTP filter class. private abstract static class AbstractHttpFilter extends Filter { final HttpAuthType authType; final String type; public AbstractHttpFilter(HttpAuthType authType, String type) { this.authType = authType; this.type = type; } String getLocation() { return "Location"; } String getAuthenticate() { return authType == HttpAuthType.PROXY ? "Proxy-Authenticate" : "WWW-Authenticate"; } String getAuthorization() { return authType == HttpAuthType.PROXY ? "Proxy-Authorization" : "Authorization"; } int getUnauthorizedCode() { return authType == HttpAuthType.PROXY ? HttpURLConnection.HTTP_PROXY_AUTH : HttpURLConnection.HTTP_UNAUTHORIZED; } String getKeepAlive() { return "keep-alive"; } String getConnection() { return authType == HttpAuthType.PROXY ? "Proxy-Connection" : "Connection"; } protected abstract boolean isAuthentified(HttpExchange he) throws IOException; protected abstract void requestAuthentication(HttpExchange he) throws IOException; protected void accept(HttpExchange he, Chain chain) throws IOException { chain.doFilter(he); } @Override public String description() { return "Filter for " + type; } @Override public void doFilter(HttpExchange he, Chain chain) throws IOException { try { System.out.println(type + ": Got " + he.getRequestMethod() + ": " + he.getRequestURI() + "\n" + HTTPTestServer.toString(he.getRequestHeaders())); if (!isAuthentified(he)) { try { requestAuthentication(he); he.sendResponseHeaders(getUnauthorizedCode(), 0); System.out.println(type + ": Sent back " + getUnauthorizedCode()); } finally { he.close(); } } else { accept(he, chain); } } catch (RuntimeException | Error | IOException t) { System.err.println(type + ": Unexpected exception while handling request: " + t); t.printStackTrace(System.err); he.close(); throw t; } } } private final static class DigestResponse { final String realm; final String username; final String nonce; final String cnonce; final String nc; final String uri; final String algorithm; final String response; final String qop; final String opaque; public DigestResponse(String realm, String username, String nonce, String cnonce, String nc, String uri, String algorithm, String qop, String opaque, String response) { this.realm = realm; this.username = username; this.nonce = nonce; this.cnonce = cnonce; this.nc = nc; this.uri = uri; this.algorithm = algorithm; this.qop = qop; this.opaque = opaque; this.response = response; } String getAlgorithm(String defval) { return algorithm == null ? defval : algorithm; } String getQoP(String defval) { return qop == null ? defval : qop; } // Code stolen from DigestAuthentication: private static String encode(String src, char[] passwd, MessageDigest md) { try { md.update(src.getBytes("ISO-8859-1")); } catch (java.io.UnsupportedEncodingException uee) { assert false; } if (passwd != null) { byte[] passwdBytes = new byte[passwd.length]; for (int i=0; i authorization = he.getRequestHeaders().get(getAuthorization()); for (String a : authorization) { System.out.println(type + ": processing " + a); int sp = a.indexOf(' '); if (sp < 0) return false; String scheme = a.substring(0, sp); if (!"Basic".equalsIgnoreCase(scheme)) { System.out.println(type + ": Unsupported scheme '" + scheme +"'"); return false; } if (a.length() <= sp+1) { System.out.println(type + ": value too short for '" + scheme +"'"); return false; } a = a.substring(sp+1); return validate(a); } return false; } return false; } boolean validate(String a) { byte[] b = Base64.getDecoder().decode(a); String userpass = new String (b); int colon = userpass.indexOf (':'); String uname = userpass.substring (0, colon); String pass = userpass.substring (colon+1); return auth.getUserName().equals(uname) && new String(auth.getPassword(uname)).equals(pass); } @Override public String description() { return "Filter for " + type; } } // An HTTP Filter that performs Digest authentication private class HttpDigestFilter extends AbstractHttpFilter { // This is a very basic DIGEST - used only for the purpose of testing // the client implementation. Therefore we can get away with never // updating the server nonce as it makes the implementation of the // server side digest simpler. private final HttpTestAuthenticator auth; private final byte[] nonce; private final String ns; private final String algorithm; public HttpDigestFilter(HttpTestAuthenticator auth, HttpAuthType authType, String algorithm) { super(authType, authType == HttpAuthType.SERVER ? "Digest Server" : "Digest Proxy"); this.auth = auth; nonce = new byte[16]; new Random(Instant.now().toEpochMilli()).nextBytes(nonce); ns = new BigInteger(1, nonce).toString(16); this.algorithm = (algorithm == null) ? "MD5" : algorithm; } @Override protected void requestAuthentication(HttpExchange he) throws IOException { he.getResponseHeaders().add(getAuthenticate(), "Digest realm=\"" + auth.getRealm() + "\"," + "\r\n qop=\"auth\", " + "algorithm=\"" + algorithm + "\", " + "\r\n nonce=\"" + ns +"\""); System.out.println(type + ": Requesting Digest Authentication " + he.getResponseHeaders().getFirst(getAuthenticate())); } @Override protected boolean isAuthentified(HttpExchange he) { if (he.getRequestHeaders().containsKey(getAuthorization())) { List authorization = he.getRequestHeaders().get(getAuthorization()); for (String a : authorization) { System.out.println(type + ": processing " + a); int sp = a.indexOf(' '); if (sp < 0) return false; String scheme = a.substring(0, sp); if (!"Digest".equalsIgnoreCase(scheme)) { System.out.println(type + ": Unsupported scheme '" + scheme +"'"); return false; } if (a.length() <= sp+1) { System.out.println(type + ": value too short for '" + scheme +"'"); return false; } a = a.substring(sp+1); DigestResponse dgr = DigestResponse.create(a); return validate(he.getRequestMethod(), dgr); } return false; } return false; } boolean validate(String reqMethod, DigestResponse dg) { if (!this.algorithm.equalsIgnoreCase(dg.getAlgorithm("MD5"))) { System.out.println(type + ": Unsupported algorithm " + dg.algorithm); return false; } if (!"auth".equalsIgnoreCase(dg.getQoP("auth"))) { System.out.println(type + ": Unsupported qop " + dg.qop); return false; } try { if (!dg.nonce.equals(ns)) { System.out.println(type + ": bad nonce returned by client: " + nonce + " expected " + ns); return false; } if (dg.response == null) { System.out.println(type + ": missing digest response."); return false; } char[] pa = auth.getPassword(dg.username); return verify(reqMethod, dg, pa); } catch(IllegalArgumentException | SecurityException | NoSuchAlgorithmException e) { System.out.println(type + ": " + e.getMessage()); return false; } } boolean verify(String reqMethod, DigestResponse dg, char[] pw) throws NoSuchAlgorithmException { String response = DigestResponse.computeDigest(true, reqMethod, pw, algorithm, dg); if (!dg.response.equals(response)) { System.out.println(type + ": bad response returned by client: " + dg.response + " expected " + response); return false; } else { System.out.println(type + ": verified response " + response); } return true; } @Override public String description() { return "Filter for DIGEST authentication"; } } // Abstract HTTP handler class. private abstract static class AbstractHttpHandler implements HttpHandler { final HttpAuthType authType; final String type; public AbstractHttpHandler(HttpAuthType authType, String type) { this.authType = authType; this.type = type; } String getLocation() { return "Location"; } @Override public void handle(HttpExchange he) throws IOException { try { sendResponse(he); } catch (RuntimeException | Error | IOException t) { System.err.println(type + ": Unexpected exception while handling request: " + t); t.printStackTrace(System.err); throw t; } finally { he.close(); } } protected abstract void sendResponse(HttpExchange he) throws IOException; } private class HttpNoAuthHandler extends AbstractHttpHandler { public HttpNoAuthHandler(HttpAuthType authType) { super(authType, authType == HttpAuthType.SERVER ? "NoAuth Server" : "NoAuth Proxy"); } @Override protected void sendResponse(HttpExchange he) throws IOException { HTTPTestServer.this.writeResponse(he); } } // A dummy HTTP Handler that redirects all incoming requests // by sending a back 3xx response code (301, 305, 307 etc..) private class Http3xxHandler extends AbstractHttpHandler { private final URL redirectTargetURL; private final int code3XX; public Http3xxHandler(URL proxyURL, HttpAuthType authType, int code300) { super(authType, "Server" + code300); this.redirectTargetURL = proxyURL; this.code3XX = code300; } int get3XX() { return code3XX; } @Override public void sendResponse(HttpExchange he) throws IOException { System.out.println(type + ": Got " + he.getRequestMethod() + ": " + he.getRequestURI() + "\n" + HTTPTestServer.toString(he.getRequestHeaders())); System.out.println(type + ": Redirecting to " + (authType == HttpAuthType.PROXY305 ? "proxy" : "server")); he.getResponseHeaders().add(getLocation(), redirectTargetURL.toExternalForm().toString()); he.sendResponseHeaders(get3XX(), 0); System.out.println(type + ": Sent back " + get3XX() + " " + getLocation() + ": " + redirectTargetURL.toExternalForm().toString()); } } static class Configurator extends HttpsConfigurator { public Configurator(SSLContext ctx) { super(ctx); } @Override public void configure (HttpsParameters params) { params.setSSLParameters (getSSLContext().getSupportedSSLParameters()); } } // This is a bit hacky: HttpsProxyTunnel is an HTTPTestServer hidden // behind a fake proxy that only understands CONNECT requests. // The fake proxy is just a server socket that intercept the // CONNECT and then redirect streams to the real server. static class HttpsProxyTunnel extends HTTPTestServer implements Runnable { final ServerSocket ss; private volatile boolean stop; public HttpsProxyTunnel(HttpServer server, HTTPTestServer target, HttpHandler delegate) throws IOException { super(server, target, delegate); System.out.flush(); System.err.println("WARNING: HttpsProxyTunnel is an experimental test class"); ss = ServerSocketFactory.create(); start(); } final void start() throws IOException { Thread t = new Thread(this, "ProxyThread"); t.setDaemon(true); t.start(); } @Override public void stop() { try (var toClose = ss) { stop = true; System.out.println("Server " + ss + " stop requested"); super.stop(); } catch (IOException ex) { if (DEBUG) ex.printStackTrace(System.out); } } // Pipe the input stream to the output stream. private synchronized Thread pipe(InputStream is, OutputStream os, char tag) { return new Thread("TunnelPipe("+tag+")") { @Override public void run() { try { try { int len; byte[] buf = new byte[16 * 1024]; while ((len = is.read(buf)) != -1) { os.write(buf, 0, len); os.flush(); // if DEBUG prints a + or a - for each transferred // character. if (DEBUG) System.out.print(String.valueOf(tag).repeat(len)); } is.close(); } finally { os.close(); } } catch (IOException ex) { if (DEBUG) ex.printStackTrace(System.out); } } }; } @Override public InetSocketAddress getProxyAddress() { return new InetSocketAddress(ss.getInetAddress(), ss.getLocalPort()); } // This is a bit shaky. It doesn't handle continuation // lines, but our client shouldn't send any. // Read a line from the input stream, swallowing the final // \r\n sequence. Stops at the first \n, doesn't complain // if it wasn't preceded by '\r'. // String readLine(InputStream r) throws IOException { StringBuilder b = new StringBuilder(); int c; while ((c = r.read()) != -1) { if (c == '\n') break; b.appendCodePoint(c); } if (b.length() == 0) { return ""; } if (b.codePointAt(b.length() -1) == '\r') { b.delete(b.length() -1, b.length()); } return b.toString(); } @Override public void run() { Socket clientConnection = null; while (!stop) { System.out.println("Tunnel: Waiting for client at: " + ss); final Socket previous = clientConnection; try { clientConnection = ss.accept(); } catch (IOException io) { try { ss.close(); } catch (IOException ex) { if (DEBUG) { ex.printStackTrace(System.out); } } // log the reason that caused the server to stop accepting connections if (!stop) { System.err.println("Server will stop accepting connections due to an exception:"); io.printStackTrace(); } break; } finally { // close the previous connection if (previous != null) { try { previous.close(); } catch (IOException e) { // ignore if (DEBUG) { System.out.println("Ignoring exception that happened while closing " + "an older connection:"); e.printStackTrace(System.out); } } } } System.out.println("Tunnel: Client accepted"); try { // We have only 1 client... process the current client // request and wait until it has finished before // accepting a new connection request. processRequestAndWaitToComplete(clientConnection); } catch (IOException ioe) { // close the client connection try { clientConnection.close(); } catch (IOException io) { // ignore if (DEBUG) { System.out.println("Ignoring exception that happened during client" + " connection close:"); io.printStackTrace(System.out); } } finally { clientConnection = null; } } catch (Throwable t) { // don't close the client connection for non-IOExceptions, instead // just log it and move on to accept next connection if (!stop) { t.printStackTrace(); } } } } private void processRequestAndWaitToComplete(final Socket clientConnection) throws IOException, InterruptedException { final Socket targetConnection; InputStream ccis = clientConnection.getInputStream(); OutputStream ccos = clientConnection.getOutputStream(); Writer w = new OutputStreamWriter( clientConnection.getOutputStream(), "UTF-8"); PrintWriter pw = new PrintWriter(w); System.out.println("Tunnel: Reading request line"); String requestLine = readLine(ccis); System.out.println("Tunnel: Request line: " + requestLine); if (requestLine.startsWith("CONNECT ")) { // We should probably check that the next word following // CONNECT is the host:port of our HTTPS serverImpl. // Some improvement for a followup! // Read all headers until we find the empty line that // signals the end of all headers. while(!requestLine.equals("")) { System.out.println("Tunnel: Reading header: " + (requestLine = readLine(ccis))); } targetConnection = new Socket( serverImpl.getAddress().getAddress(), serverImpl.getAddress().getPort()); // Then send the 200 OK response to the client System.out.println("Tunnel: Sending " + "HTTP/1.1 200 OK\r\n\r\n"); pw.print("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"); pw.flush(); } else { // This should not happen. If it does then consider it a // client error and throw an IOException System.out.println("Tunnel: Throwing an IOException due to unexpected" + " request line: " + requestLine); throw new IOException("Client request error - Unexpected request line"); } // Pipe the input stream of the client connection to the // output stream of the target connection and conversely. // Now the client and target will just talk to each other. System.out.println("Tunnel: Starting tunnel pipes"); Thread t1 = pipe(ccis, targetConnection.getOutputStream(), '+'); Thread t2 = pipe(targetConnection.getInputStream(), ccos, '-'); t1.start(); t2.start(); // wait for the request to complete t1.join(); t2.join(); } } }