Commit Jetty configuration to repo

jetty-base/etc/idp-backchannel.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  <!-- ============================================================= -->
+  <!-- TLS context factory with optional client auth                 -->
+  <!-- and no container trust (delegate to application)              -->
+  <!-- for backchannel (SOAP) communication to IdP                   -->
+  <!-- ============================================================= -->
+  <New id="shibContextFactory" class="net.shibboleth.utilities.jetty94.DelegateToApplicationSslContextFactory">
+    <Set name="KeyStorePath"><Property name="idp.backchannel.keyStorePath" default="credentials/idp-backchannel.p12" /></Set>
+    <Set name="KeyStoreType"><Property name="idp.backchannel.keyStoreType" default="PKCS12" /></Set>
+    <Set name="KeyStorePassword"><Property name="idp.backchannel.keyStorePassword" default="changeit" /></Set>
+    <Set name="EndpointIdentificationAlgorithm"></Set>
+    <Set name="renegotiationAllowed">false</Set>
+    <Set name="useCipherSuitesOrder">true</Set>
+  </New>
+
+  <New id="shibHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+    <Arg><Ref refid="httpConfig"/></Arg>
+    <Call name="addCustomizer">
+      <Arg>
+        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
+          <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
+        </New>
+      </Arg>
+    </Call>
+  </New>
+
+  <!-- ============================================================= -->
+  <!-- IdP SOAP protocol connector                                   -->
+  <!-- ============================================================= -->
+  <Call id="shibConnector" name="addConnector">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ServerConnector">
+        <Arg name="server"><Ref refid="Server" /></Arg>
+        <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" default="-1"/></Arg>
+        <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" default="-1"/></Arg>
+        <Arg name="factories">
+          <Array type="org.eclipse.jetty.server.ConnectionFactory">
+            <Item>
+              <New class="org.eclipse.jetty.server.SslConnectionFactory">
+                <Arg name="next">http/1.1</Arg>
+                <Arg name="sslContextFactory"><Ref refid="shibContextFactory"/></Arg>
+              </New>
+            </Item>
+            <Item>
+              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+                <Arg name="config"><Ref refid="shibHttpConfig"/></Arg>
+              </New>
+            </Item>
+          </Array>
+        </Arg>
+        <Set name="host"><Property name="jetty.ssl.host" default="0.0.0.0" /></Set>
+        <Set name="port"><Property name="idp.backchannel.port" default="8443" /></Set>
+        <Set name="idleTimeout"><Property name="jetty.ssl.timeout" default="30000"/></Set>
+        <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" default="0"/></Set>
+        <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" default="0"/></Set>
+      </New>
+    </Arg>
+  </Call>
+
+</Configure>

jetty-base/etc/jetty-requestlog.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
+
+<!-- =============================================================== -->
+<!-- Configure the Jetty Request Log                                 -->
+<!-- =============================================================== -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+
+  <!-- =========================================================== -->
+  <!-- Configure Request Log for Server                            -->
+  <!-- Use RequestLogHandler for a context specific RequestLog     -->
+  <!-- =========================================================== -->
+  <Set name="RequestLog">
+    <New id="RequestLog" class="org.eclipse.jetty.server.CustomRequestLog">
+      <!-- Writer -->
+      <Arg>
+        <New class="org.eclipse.jetty.server.Slf4jRequestLogWriter" />
+      </Arg>
+
+      <!-- Format String -->
+      <Arg>
+        <Property name="jetty.requestlog.formatString" deprecated="jetty.customrequestlog.formatString">
+          <Default>
+            <Get class="org.eclipse.jetty.server.CustomRequestLog" name="EXTENDED_NCSA_FORMAT"/>
+          </Default>
+        </Property>
+      </Arg>
+    </New>
+  </Set>
+</Configure>

jetty-base/modules/idp.mod

@@ -0,0 +1,19 @@
+[description]
+Shibboleth IdP
+
+[depend]
+ee9-annotations
+ee9-deploy
+ext
+ee9-webapp
+http
+http-forwarded
+ee9-jsp
+ee9-jstl
+ee9-plus
+resources
+server
+ee9-servlets
+
+[files]
+tmp/

jetty-base/resources/logback.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration scan="true">
+  <appender name="jetty" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <File>${idp.home}/logs/jetty.log</File>
+    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+      <FileNamePattern>${idp.home}/logs/jetty-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
+    </rollingPolicy>
+    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+      <charset>UTF-8</charset>
+      <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n</Pattern>
+    </encoder>
+  </appender>
+
+  <appender name="jetty-access" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${idp.home}/logs/access.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+      <fileNamePattern>${idp.home}/logs/access-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+    </rollingPolicy>
+    <encoder>
+      <pattern>%msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <root level="INFO">
+    <appender-ref ref="jetty" />
+  </root>
+
+  <logger name="org.eclipse.jetty.server.RequestLog" level="INFO" additivity="false">
+    <appender-ref ref="jetty-access" />
+  </logger>
+
+  <logger name="org.springframework" level="OFF" />
+  <logger name="ch.qos.logback" level="WARN" />
+</configuration>

jetty-base/start.d/custom.ini

@@ -0,0 +1 @@
+jetty.ssl.sniHostCheck=false

jetty-base/start.d/idp.ini

@@ -0,0 +1,49 @@
+# ---------------------------------------
+# Module: idp
+# Shibboleth IdP
+# ---------------------------------------
+--module=logging-logback
+--module=idp
+
+## Keystore file path (relative to $jetty.base)
+# jetty.sslContext.keyStorePath=../credentials/idp-userfacing.p12
+## Truststore file path (relative to $jetty.base)
+# jetty.sslContext.trustStorePath=../credentials/idp-userfacing.p12
+
+## Keystore type
+# jetty.sslContext.keyStoreType=PKCS12
+## Truststore type and provider
+# jetty.sslContext.trustStoreType=PKCS12
+
+## Keystore password
+# jetty.sslContext.keyStorePassword=changeit
+## Truststore password
+# jetty.sslContext.trustStorePassword=changeit
+## KeyManager password
+# jetty.sslContext.keyManagerPassword=changeit
+
+## Deny SSL renegotiation
+# jetty.sslContext.renegotiationAllowed=false
+
+## Connector host/address to bind to
+# jetty.ssl.host=0.0.0.0
+
+## Connector port to listen on
+# jetty.ssl.port=443
+
+## Route request logging through standard logging API
+etc/jetty-requestlog.xml
+
+# Allows use of default IdP command line tools.
+jetty.http.host=127.0.0.1
+
+# Default jetty.http.port is 8080
+# jetty.http.port=80
+
+jetty.server.default.showContexts=false
+
+#
+# Uncomment the next line to enable the rewrote module
+# --module=rewrite
+# Documentation at
+# https://jetty.org/docs/jetty/12/operations-guide/modules/standard.html#rewrite

jetty-base/start.d/start.ini

@@ -0,0 +1,33 @@
+# Any other required Jetty modules...
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
+-Didp.home=/opt/shibboleth-idp
+# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
+# for handling larger (> 25M) metadata files but you will need to test on
+# your particular metadata configuration. If MDQ metadata on demand is used,
+# requirements may be much lower.
+-Xmx2G
+# Prevent blocking for entropy.
+-Djava.security.egd=file:/dev/urandom
+# Set Java tmp location
+-Djava.io.tmpdir=tmp
+# May be needed in certain cases depending on content of TLS certificate.
+#jetty.ssl.sniHostCheck=false
+
+# Set up the Elastic APM agent
+# https://www.elastic.co/guide/en/apm/agent/java/current/setup-javaagent.html
+-javaagent:/opt/jetty-base/elastic-apm/elastic-apm-agent.jar
+
+# Uncomment to allow debugging using JDWP
+#-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
+
+# Uncomment the following block to allow memory heap debugging using JMX
+#-Djava.rmi.server.hostname=127.0.0.1
+#-Dcom.sun.management.jmxremote.port=8090
+#-Dcom.sun.management.jmxremote.rmi.port=8090
+#-Dcom.sun.management.jmxremote.ssl=false
+#-Dcom.sun.management.jmxremote.authenticate=false

jetty-base/webapps/idp.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
+<!-- =============================================================== -->
+<!-- Configure the Shibboleth IdP webapp                             -->
+<!-- =============================================================== -->
+<Configure class="org.eclipse.jetty.ee9.webapp.WebAppContext">
+  <Set name="war"><SystemProperty name="idp.home" default="/opt/shibboleth-idp" />/war/idp.war</Set>
+  <Set name="contextPath"><SystemProperty name="idp.context.path" default="/idp" /></Set>
+  <Set name="extractWAR">false</Set>
+  <Set name="copyWebDir">false</Set>
+  <Set name="copyWebInf">true</Set>
+</Configure>