authorJohan Lundberg <lundberg@nordu.net>2015-04-09 18:53:06 +0200
committerJohan Lundberg <lundberg@nordu.net>2015-04-09 18:53:06 +0200
commiteadb0ebe5eb0d1e5fcff88e8322f5e3a44d6c93f (patch)
treea917ff3b3bf2aaa89e1c388f61a8de3c6a4dce17
parenta865ae975c75b1ce321c4e56c9fbd0625623c4a7 (diff)
Added Jetty configuration and start command.
-rw-r--r--Dockerfile12
-rw-r--r--README5
-rw-r--r--jetty_conf/idp.xml10
-rw-r--r--jetty_conf/jetty-https.xml66
-rw-r--r--jetty_conf/jetty-ssl.xml64
-rw-r--r--jetty_conf/ssl.mod34
-rw-r--r--jetty_conf/start.ini28
-rw-r--r--start.sh8
8 files changed, 223 insertions, 4 deletions
diff --git a/Dockerfile b/Dockerfile
index 74be2e3..11bee0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,8 +7,8 @@ RUN apt-get update && \
apt-get install -y wget
# Download and install jetty
-ENV JETTY_VERSION 9.2.7
-ENV RELEASE_DATE v20150116
+ENV JETTY_VERSION 9.2.10
+ENV RELEASE_DATE v20150310
RUN wget http://download.eclipse.org/jetty/stable-9/dist/jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \
tar -xzvf jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \
rm -rf jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \
@@ -19,6 +19,14 @@ RUN useradd jetty && \
chown -R jetty:jetty /opt/jetty && \
rm -rf /opt/jetty/webapps.demo
+# Add configuration files
+ADD jetty_conf /jetty_conf
+RUN mv /jetty_conf/start.ini /opt/jetty/start.ini && \
+ mv /jetty_conf/jetty-ssl.xml /opt/jetty/etc/jetty-ssl.xml && \
+ mv /jetty_conf/jetty-https.xml /opt/jetty/etc/jetty-https.xml && \
+ mv /jetty_conf/ssl.mod /opt/jetty/modules/ssl.mod && \
+ mv /jetty_conf/idp.xml /opt/jetty/webapps/idp.xml
+
# Download shibboleth-idp
ENV IDP_VERSION 3.0.0
RUN wget https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
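Review bot: The `mv` lines drop root-owned files into /opt/jetty after the `chown -R jetty:jetty /opt/jetty` that precedes them, so start.ini, etc/jetty-ssl.xml, etc/jetty-https.xml, modules/ssl.mod and webapps/idp.xml end up as the only non-jetty-owned files in that tree. No `USER` switch is visible in this hunk, but if the image is meant to run as the `jetty` user it creates, the runtime `sed -i` on modules/ssl.mod and any write into webapps/ will fail on permissions; either move the configuration step above the chown or repeat `chown -R jetty:jetty /opt/jetty` after the moves. `ADD jetty_conf /jetty_conf` should be `COPY jetty_conf /jetty_conf`: ADD's URL-fetch and tar auto-extraction are not wanted for a local directory, and COPY states the intent. The leftover empty /jetty_conf directory could be removed in the same `RUN`.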
diff --git a/README b/README
new file mode 100644
index 0000000..bf20a2e
--- /dev/null
+++ b/README
@@ -0,0 +1,5 @@
+How to run:
+
+docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install
+
+docker run -d -e PKCS12_PASSWORD=pkcs12pass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp
diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml
new file mode 100644
index 0000000..cdeed1e
--- /dev/null
+++ b/jetty_conf/idp.xml
@@ -0,0 +1,10 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+ <Set name="war">
+ <SystemProperty name="idp.home" />
+ /war/idp.war
+ </Set>
+ <Set name="contextPath">/idp</Set>
+ <Set name="extractWAR">false</Set>
+ <Set name="copyWebDir">false</Set>
+ <Set name="copyWebInf">true</Set>
+</Configure>
diff --git a/jetty_conf/jetty-https.xml b/jetty_conf/jetty-https.xml
new file mode 100644
index 0000000..8078f9b
--- /dev/null
+++ b/jetty_conf/jetty-https.xml
@@ -0,0 +1,66 @@
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<!-- ============================================================= -->
+<!-- Configure HTTPS connectors. -->
+<!-- This configuration must be used in conjunction with jetty.xml -->
+<!-- and jetty-ssl.xml. -->
+<!-- ============================================================= -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <!-- ============================================================= -->
+ <!-- Anonymous (no client TLS) HTTPS connector -->
+ <!-- ============================================================= -->
+ <Call id="httpsConnector" name="addConnector">
+ <Arg>
+ <New class="org.eclipse.jetty.server.ServerConnector">
+ <Arg name="server">
+ <Ref refid="Server" />
+ </Arg>
+ <Arg name="acceptors" type="int">
+ <Property name="ssl.acceptors" default="-1" />
+ </Arg>
+ <Arg name="selectors" type="int">
+ <Property name="ssl.selectors" default="-1" />
+ </Arg>
+ <Arg name="factories">
+ <Array type="org.eclipse.jetty.server.ConnectionFactory">
+ <Item>
+ <New class="org.eclipse.jetty.server.SslConnectionFactory">
+ <Arg name="next">http/1.1</Arg>
+ <Arg name="sslContextFactory">
+ <Ref refid="sslContextFactory" />
+ </Arg>
+ </New>
+ </Item>
+ <Item>
+ <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+ <Arg name="config">
+ <Ref refid="sslHttpConfig" />
+ </Arg>
+ </New>
+ </Item>
+ </Array>
+ </Arg>
+ <Set name="host">
+ <Property name="jetty.host" />
+ </Set>
+ <Set name="port">
+ <Property name="https.port" />
+ </Set>
+ <Set name="idleTimeout">
+ <Property name="https.timeout" default="30000" />
+ </Set>
+ <Set name="soLingerTime">
+ <Property name="https.soLingerTime" default="-1" />
+ </Set>
+ <Set name="acceptorPriorityDelta">
+ <Property name="ssl.acceptorPriorityDelta" default="0" />
+ </Set>
+ <Set name="selectorPriorityDelta">
+ <Property name="ssl.selectorPriorityDelta" default="0" />
+ </Set>
+ <Set name="acceptQueueSize">
+ <Property name="https.acceptQueueSize" default="0" />
+ </Set>
+ </New>
+ </Arg>
+ </Call>
+</Configure>
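Review bot: `https.port` at the `<Set name="port">` element has no `default`, and nothing in the added configuration assigns it — ssl.mod sets `jetty.secure.port=8443`, which is the redirect target, not this connector's listening port — so unless the value comes from somewhere outside this change the connector will not bind where the README's `-p 443:8443` expects. Either give the property a default, `<Property name="https.port" default="8443" />`, or set `https.port=8443` alongside the other properties. `jetty.host` is likewise unset and therefore binds every interface; inside the container that is acceptable, but a one-line comment saying so would save the next reader a lookup.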
diff --git a/jetty_conf/jetty-ssl.xml b/jetty_conf/jetty-ssl.xml
new file mode 100644
index 0000000..b822ae5
--- /dev/null
+++ b/jetty_conf/jetty-ssl.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <!-- ============================================================= -->
+ <!-- TLS context factory without client auth -->
+ <!-- ============================================================= -->
+ <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+ <Set name="KeyStorePath">
+ <Property name="jetty.keystore" />
+ </Set>
+ <Set name="KeyStoreType">
+ <Property name="jetty.keystore.type" />
+ </Set>
+ <Set name="KeyStorePassword">
+ <Property name="jetty.keystore.password" />
+ </Set>
+ <Set name="EndpointIdentificationAlgorithm" />
+ <Set name="NeedClientAuth">false</Set>
+ <Set name="WantClientAuth">false</Set>
+ <Set name="excludeProtocols">
+ <Array type="String">
+ <Item>SSLv3</Item>
+ </Array>
+ </Set>
+ <Set name="IncludeCipherSuites">
+ <Array type="String">
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
+ <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_RSA_WITH_AES_256_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
+ <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_RSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
+ </Array>
+ </Set>
+ </New>
+ <!-- =========================================================== -->
+ <!-- Create a TLS specific HttpConfiguration based on the -->
+ <!-- common HttpConfiguration defined in jetty.xml -->
+ <!-- Add a SecureRequestCustomizer to extract certificate and -->
+ <!-- session information -->
+ <!-- =========================================================== -->
+ <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+ <Arg>
+ <Ref refid="httpConfig" />
+ </Arg>
+ <Call name="addCustomizer">
+ <Arg>
+ <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
+ </Arg>
+ </Call>
+ </New>
+</Configure>
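Review bot: `TLS_RSA_WITH_AES_256_GCM_SHA256` in the IncludeCipherSuites list is not a valid suite name (the RSA AES-256-GCM suite is `TLS_RSA_WITH_AES_256_GCM_SHA384`), so that entry silently matches nothing. Beyond the typo, the list still admits the static-RSA `TLS_RSA_*` suites, which give no forward secrecy, and `excludeProtocols` drops only SSLv3, so TLSv1.0 with CBC suites remains negotiable; for an IdP I would keep the ECDHE suites only and add `<Item>TLSv1</Item>` to the exclusion if your SP population allows it. Because the include list is ordered, consider `<Set name="UseCipherSuitesOrder">true</Set>` so the server's preference rather than the client's wins — verify that setter is available in the 9.2 SslContextFactory before relying on it. The empty `EndpointIdentificationAlgorithm` is correct for a server-side factory and deserves a comment saying so, since it looks like an omission.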
diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod
new file mode 100644
index 0000000..77ceb76
--- /dev/null
+++ b/jetty_conf/ssl.mod
@@ -0,0 +1,34 @@
+#
+# SSL Keystore module
+#
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+
+[ini-template]
+### SSL Keystore Configuration
+# define the port to use for secure redirection
+jetty.secure.port=8443
+
+## Setup a demonstration keystore and truststore
+jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12
+
+## Set the demonstration passwords.
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+jetty.keystore.password=
+
+### Set the client auth behavior
+## Set to true if client certificate authentication is required
+# jetty.ssl.needClientAuth=true
+## Set to true if client certificate authentication is desired
+# jetty.ssl.wantClientAuth=true
+
+## Parameters to control the number and priority of acceptors and selectors
+# ssl.selectors=1
+# ssl.acceptors=1
+# ssl.selectorPriorityDelta=0
+# ssl.acceptorPriorityDelta=0
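Review bot: `jetty.keystore` points at a `.p12` file but nothing in this change sets `jetty.keystore.type`, while jetty-ssl.xml reads that property into `KeyStoreType`; left unset the store type falls back to Jetty's default (JKS, or null) and the PKCS#12 file will not load. Add `jetty.keystore.type=PKCS12` directly under the keystore path. As far as I recall, Jetty 9.2 treats `[ini-template]` purely as the text that `--add-to-start` copies into start.ini and does not read it at startup, so the properties here (and the password start.sh later writes into this section) may never reach Jetty — please verify, and if so move them into start.ini or start.d/ssl.ini. The "demonstration keystore" and "demonstration passwords" comments are inherited from the Jetty template and no longer describe this file; reword them to say this is the IdP's browser-facing TLS keystore and that the password is injected at container start.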
diff --git a/jetty_conf/start.ini b/jetty_conf/start.ini
new file mode 100644
index 0000000..460dd32
--- /dev/null
+++ b/jetty_conf/start.ini
@@ -0,0 +1,28 @@
+# Required Jetty modules
+--module=server
+--module=deploy
+--module=annotations
+--module=resources
+--module=logging
+--module=requestlog
+--module=https
+--module=ssl
+--module=servlets
+--module=jsp
+--module=jstl
+--module=ext
+--module=plus
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# IDP home
+-Didp.home=/opt/shibboleth-idp
+
+# Maximum amount of memory that Jetty may use, at least 512M is recommended
+-Xmx512m
+# Maximum amount of memory allowed for the JVM permanent generation
+-XX:MaxPermSize=128m
+
diff --git a/start.sh b/start.sh
index 3b48694..5c341f5 100644
--- a/start.sh
+++ b/start.sh
@@ -7,13 +7,17 @@ case "$*" in
start)
# Upgrade/Recreate war
./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp
+ # Set Jetty tls cert password
+ sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$PKCS12_PASSWORD" /opt/jetty/modules/ssl.mod
+ # Start Jetty
+ cd /opt/jetty/ && /usr/bin/java -jar start.jar
;;
install)
-# Fresh install
+ # Fresh install
cat>/tmp/entity_id<<EOF
idp.entityID= ${ENTITY_ID}
EOF
- ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt
+ ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt
;;
debug)
/bin/bash
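Review bot: The `sed -i` line interpolates `$PKCS12_PASSWORD` unescaped into the sed script, so a password containing `/`, `&`, `\` or a newline either breaks the command or writes a mangled value, and an unset variable silently produces an empty `jetty.keystore.password=`. The plaintext password is also persisted in /opt/jetty/modules/ssl.mod in the container's writable layer, where `docker diff`/`docker commit` or anyone with container access can read it. Fail fast with `: "${PKCS12_PASSWORD:?PKCS12_PASSWORD must be set}"` and hand the value to the launcher as a property instead of editing the module file, e.g. `exec /usr/bin/java -jar start.jar "jetty.keystore.password=$PKCS12_PASSWORD"` — `exec` additionally lets the JVM receive the container's stop signal rather than the wrapping shell. Note that the value is then visible in the process list, which is the same exposure the `install` branch already has for `${COOKIE_PASSWORD}` and `${TLS_PASSWORD}`; the enclosing `case` statement closes outside this hunk.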