Skip to content

Commit 4c14978

Browse files
committed
refactor: Extract TlsHttpsConfigurator to internal package
Moves the inline TLS protocol pin from OpenApiServer to its own file under com.retailsvc.http.internal so the ASVS gate can match it by path (src/main/java/.../internal/.*(Ssl|Tls|Https).*\.java) without also flagging unrelated edits to OpenApiServer.
1 parent c0083b8 commit 4c14978

3 files changed

Lines changed: 31 additions & 27 deletions

File tree

docs/superpowers/plans/2026-05-21-owasp-asvs.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@
3737
- Create: `src/main/java/com/retailsvc/http/internal/TlsHttpsConfigurator.java`
3838
- Modify: `src/main/java/com/retailsvc/http/OpenApiServer.java` (delete nested class at lines 481–498, adjust imports, add new import)
3939

40-
- [ ] **Step 1: Create the new file**
40+
- [x] **Step 1: Create the new file**
4141

4242
Write `src/main/java/com/retailsvc/http/internal/TlsHttpsConfigurator.java`:
4343

@@ -69,13 +69,13 @@ public final class TlsHttpsConfigurator extends HttpsConfigurator {
6969
}
7070
```
7171

72-
- [ ] **Step 2: Remove the nested class from `OpenApiServer.java`**
72+
- [x] **Step 2: Remove the nested class from `OpenApiServer.java`**
7373

7474
In `src/main/java/com/retailsvc/http/OpenApiServer.java`:
7575

7676
Delete the entire block that currently sits at lines 480–498 (the Javadoc comment plus the `private static final class TlsHttpsConfigurator` body, inclusive of its closing `}`). The final `}` on line 499 (closing the outer `OpenApiServer` class) stays.
7777

78-
- [ ] **Step 3: Adjust imports in `OpenApiServer.java`**
78+
- [x] **Step 3: Adjust imports in `OpenApiServer.java`**
7979

8080
Remove these two imports (currently at lines 27 and 44):
8181

@@ -103,15 +103,15 @@ grep -n "HttpsConfigurator" src/main/java/com/retailsvc/http/OpenApiServer.java
103103

104104
If the only remaining matches are inside the (deleted) line range, also delete the `HttpsConfigurator` import.
105105

106-
- [ ] **Step 4: Run the full test suite**
106+
- [x] **Step 4: Run the full test suite**
107107

108108
```bash
109109
mvn clean verify
110110
```
111111

112112
Expected: BUILD SUCCESS. 432 unit tests pass, 55 integration tests pass — identical counts to the pre-refactor branch. `OpenApiServerHttpsIT#negotiatesTls13` still confirms TLS 1.3 negotiation.
113113

114-
- [ ] **Step 5: Commit**
114+
- [x] **Step 5: Commit**
115115

116116
```bash
117117
git add src/main/java/com/retailsvc/http/internal/TlsHttpsConfigurator.java \

src/main/java/com/retailsvc/http/OpenApiServer.java

Lines changed: 1 addition & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515
import com.retailsvc.http.internal.Router;
1616
import com.retailsvc.http.internal.SecurityFilter;
1717
import com.retailsvc.http.internal.TextTypeMapper;
18+
import com.retailsvc.http.internal.TlsHttpsConfigurator;
1819
import com.retailsvc.http.internal.gson.GsonJsonMapper;
1920
import com.retailsvc.http.spec.Operation;
2021
import com.retailsvc.http.spec.Spec;
@@ -23,8 +24,6 @@
2324
import com.retailsvc.http.validate.DefaultValidator;
2425
import com.sun.net.httpserver.HttpContext;
2526
import com.sun.net.httpserver.HttpServer;
26-
import com.sun.net.httpserver.HttpsConfigurator;
27-
import com.sun.net.httpserver.HttpsParameters;
2827
import com.sun.net.httpserver.HttpsServer;
2928
import java.io.IOException;
3029
import java.net.InetAddress;
@@ -41,7 +40,6 @@
4140
import java.util.TreeSet;
4241
import java.util.stream.Collectors;
4342
import javax.net.ssl.SSLContext;
44-
import javax.net.ssl.SSLParameters;
4543
import org.slf4j.Logger;
4644
import org.slf4j.LoggerFactory;
4745

@@ -483,23 +481,4 @@ private static TypeMapper tryLoadGsonMapper() {
483481
return new GsonJsonMapper();
484482
}
485483
}
486-
487-
/**
488-
* Pins HTTPS to TLS 1.2 and 1.3 only, regardless of operator-level {@code java.security}
489-
* overrides, and explicitly leaves client-cert auth off (no mTLS in v1).
490-
*/
491-
private static final class TlsHttpsConfigurator extends HttpsConfigurator {
492-
TlsHttpsConfigurator(SSLContext context) {
493-
super(context);
494-
}
495-
496-
@Override
497-
public void configure(HttpsParameters params) {
498-
SSLParameters sslParams = getSSLContext().getDefaultSSLParameters();
499-
sslParams.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
500-
sslParams.setNeedClientAuth(false);
501-
sslParams.setWantClientAuth(false);
502-
params.setSSLParameters(sslParams);
503-
}
504-
}
505484
}
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
package com.retailsvc.http.internal;
2+
3+
import com.sun.net.httpserver.HttpsConfigurator;
4+
import com.sun.net.httpserver.HttpsParameters;
5+
import javax.net.ssl.SSLContext;
6+
import javax.net.ssl.SSLParameters;
7+
8+
/**
9+
* Pins HTTPS to TLS 1.2 and 1.3 only, regardless of operator-level {@code java.security} overrides,
10+
* and explicitly leaves client-cert auth off (no mTLS in v1).
11+
*/
12+
public final class TlsHttpsConfigurator extends HttpsConfigurator {
13+
public TlsHttpsConfigurator(SSLContext context) {
14+
super(context);
15+
}
16+
17+
@Override
18+
public void configure(HttpsParameters params) {
19+
SSLParameters sslParams = getSSLContext().getDefaultSSLParameters();
20+
sslParams.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
21+
sslParams.setNeedClientAuth(false);
22+
sslParams.setWantClientAuth(false);
23+
params.setSSLParameters(sslParams);
24+
}
25+
}

0 commit comments

Comments
 (0)