From d33d068fae305eea3b742bccdceca6b289dfddbd Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Mon, 12 Oct 2015 13:36:32 +0100 Subject: [PATCH] Upgrade to Tomcat 8.0.28 and test support for SSL config from classpath Prior to 8.0.28 Tomcat required the key store and trust store (if any) to be available directly on the filesystem, i.e. classpath: resources would not work. Tomcat 8.0.28 removed this limitation. This commit updates to Tomcat 8.0.28, updates the tests to verify the new Tomcat capability and removes the obsolete documentation of the restriction. Closes gh-4048 --- spring-boot-dependencies/pom.xml | 2 +- spring-boot-docs/src/main/asciidoc/howto.adoc | 4 --- .../src/main/resources/application.properties | 4 +-- .../{ => src/main/resources}/sample.jks | Bin ...TomcatEmbeddedServletContainerFactory.java | 7 ++--- ...tEmbeddedServletContainerFactoryTests.java | 26 ++++++++++-------- 6 files changed, 20 insertions(+), 23 deletions(-) rename spring-boot-samples/spring-boot-sample-tomcat-ssl/{ => src/main/resources}/sample.jks (100%) diff --git a/spring-boot-dependencies/pom.xml b/spring-boot-dependencies/pom.xml index ef30eaf3db1..d9e597b2038 100644 --- a/spring-boot-dependencies/pom.xml +++ b/spring-boot-dependencies/pom.xml @@ -134,7 +134,7 @@ 2.1.1.RELEASE 1.2.9 1.3 - 8.0.26 + 8.0.28 1.1.8.Final 1.7 2.0 diff --git a/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-docs/src/main/asciidoc/howto.adoc index 57a39a8b96b..6d8617570b2 100644 --- a/spring-boot-docs/src/main/asciidoc/howto.adoc +++ b/spring-boot-docs/src/main/asciidoc/howto.adoc 
@@ -423,10 +423,6 @@ typically in `application.properties` or `application.yml`. For example: See {sc-spring-boot}/context/embedded/Ssl.{sc-ext}[`Ssl`] for details of all of the supported properties. -NOTE: Tomcat requires the key store (and trust store if you're using one) to be directly -accessible on the filesystem, i.e. it cannot be read from within a jar file. This -limitation doesn't apply to Jetty and Undertow. - Using configuration like the example above means the application will no longer support plain HTTP connector at port 8080. Spring Boot doesn't support the configuration of both an HTTP connector and an HTTPS connector via `application.properties`. If you want to diff --git a/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/application.properties b/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/application.properties index c8897283947..37199bfd256 100644 --- a/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/application.properties +++ b/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/application.properties @@ -1,4 +1,4 @@ server.port = 8443 -server.ssl.key-store = sample.jks +server.ssl.key-store = classpath:sample.jks server.ssl.key-store-password = secret -server.ssl.key-password = password \ No newline at end of file +server.ssl.key-password = password diff --git a/spring-boot-samples/spring-boot-sample-tomcat-ssl/sample.jks b/spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/sample.jks similarity index 100% rename from spring-boot-samples/spring-boot-sample-tomcat-ssl/sample.jks rename to spring-boot-samples/spring-boot-sample-tomcat-ssl/src/main/resources/sample.jks 
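Review bot: In the `application.properties` hunk, `server.ssl.key-store = classpath:sample.jks` together with the move of `sample.jks` into `src/main/resources` means the sample's private key is now packaged inside the built jar, alongside `key-store-password` and `key-password` in clear text in the same file. That is fine for a demo, but people copy samples, so the file should say so. I would add a comment above the key-store line such as `# Demo key store only: in a real deployment keep the key store and its passwords outside the application artifact`.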
diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/tomcat/TomcatEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/tomcat/TomcatEmbeddedServletContainerFactory.java index 329e5a6fbc3..c49d94313c9 100644 --- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/tomcat/TomcatEmbeddedServletContainerFactory.java +++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/tomcat/TomcatEmbeddedServletContainerFactory.java @@ -285,8 +285,7 @@ public class TomcatEmbeddedServletContainerFactory private void configureSslKeyStore(AbstractHttp11JsseProtocol protocol, Ssl ssl) { try { - File file = ResourceUtils.getFile(ssl.getKeyStore()); - protocol.setKeystoreFile(file.getAbsolutePath()); + protocol.setKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString()); } catch (FileNotFoundException ex) { throw new EmbeddedServletContainerException( @@ -303,8 +302,8 @@ public class TomcatEmbeddedServletContainerFactory private void configureSslTrustStore(AbstractHttp11JsseProtocol protocol, Ssl ssl) { if (ssl.getTrustStore() != null) { try { - File file = ResourceUtils.getFile(ssl.getTrustStore()); - protocol.setTruststoreFile(file.getAbsolutePath()); + protocol.setTruststoreFile( + ResourceUtils.getURL(ssl.getTrustStore()).toString()); } catch (FileNotFoundException ex) { throw new EmbeddedServletContainerException( diff --git a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java index db955bbd591..6e2e3846c20 100644 --- a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java +++ b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java 
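Review bot: In `configureSslKeyStore`, `ResourceUtils.getURL(ssl.getKeyStore()).toString()` forwards whatever URL the property resolves to, whereas the removed `ResourceUtils.getFile` call only accepted locations that resolve to a file on the filesystem. As far as I can tell, a `server.ssl.key-store` value with an `http:` or `ftp:` scheme would now be passed to Tomcat, and whether Tomcat then fetches it is not visible here. The same applies to `setTruststoreFile` in the `configureSslTrustStore` hunk, where the loaded store decides which client certificates are trusted. If only classpath and filesystem locations are intended, resolve first with `URL url = ResourceUtils.getURL(ssl.getKeyStore());` and throw `EmbeddedServletContainerException` when `!ResourceUtils.isFileURL(url) && !ResourceUtils.isJarURL(url)`; otherwise document that remote locations are accepted. Both method bodies continue outside their hunks.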
@@ -311,14 +311,19 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests { } @Test - public void basicSsl() throws Exception { + public void basicSslFromClassPath() throws Exception { + testBasicSslWithKeyStore("classpath:test.jks"); + } + + @Test + public void basicSslFromFileSystem() throws Exception { testBasicSslWithKeyStore("src/test/resources/test.jks"); } @Test public void sslDisabled() throws Exception { AbstractEmbeddedServletContainerFactory factory = getFactory(); - Ssl ssl = getSsl(null, "password", "src/test/resources/test.jks"); + Ssl ssl = getSsl(null, "password", "classpath:test.jks"); ssl.setEnabled(false); factory.setSsl(ssl); this.container = factory.getEmbeddedServletContainer( @@ -374,8 +379,8 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests { public void pkcs12KeyStoreAndTrustStore() throws Exception { AbstractEmbeddedServletContainerFactory factory = getFactory(); addTestTxtFile(factory); - factory.setSsl(getSsl(ClientAuth.NEED, null, "src/test/resources/test.p12", - "src/test/resources/test.p12")); + factory.setSsl(getSsl(ClientAuth.NEED, null, "classpath:test.p12", + "classpath:test.p12")); this.container = factory.getEmbeddedServletContainer(); this.container.start(); KeyStore keyStore = KeyStore.getInstance("pkcs12"); @@ -398,8 +403,8 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests { throws Exception { AbstractEmbeddedServletContainerFactory factory = getFactory(); addTestTxtFile(factory); - factory.setSsl(getSsl(ClientAuth.NEED, "password", "src/test/resources/test.jks", - "src/test/resources/test.jks")); + factory.setSsl(getSsl(ClientAuth.NEED, "password", "classpath:test.jks", + "classpath:test.jks")); this.container = factory.getEmbeddedServletContainer(); this.container.start(); KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); 
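Review bot: After the `pkcs12KeyStoreAndTrustStore` hunk and the one at `-398` that follows it, no test passes a plain filesystem path as what is presumably the trust store argument of `getSsl(...)`. Both calls now use `classpath:` for both stores, and only `basicSslFromFileSystem` still exercises a non-classpath key store. `configureSslTrustStore` is rewritten in this same commit, so I would keep one filesystem variant, for example leaving `"src/test/resources/test.jks"` as the last argument in one of the two tests. The hunks at `-422`, `-441` and `-465` make the same switch for the key store only. The test method bodies continue outside the hunks.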
@@ -422,8 +427,7 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests { throws Exception { AbstractEmbeddedServletContainerFactory factory = getFactory(); addTestTxtFile(factory); - factory.setSsl( - getSsl(ClientAuth.NEED, "password", "src/test/resources/test.jks")); + factory.setSsl(getSsl(ClientAuth.NEED, "password", "classpath:test.jks")); this.container = factory.getEmbeddedServletContainer(); this.container.start(); SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory( @@ -441,8 +445,7 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests { throws Exception { AbstractEmbeddedServletContainerFactory factory = getFactory(); addTestTxtFile(factory); - factory.setSsl( - getSsl(ClientAuth.WANT, "password", "src/test/resources/test.jks")); + factory.setSsl(getSsl(ClientAuth.WANT, "password", "classpath:test.jks")); this.container = factory.getEmbeddedServletContainer(); this.container.start(); KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); @@ -465,8 +468,7 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests { throws Exception { AbstractEmbeddedServletContainerFactory factory = getFactory(); addTestTxtFile(factory); - factory.setSsl( - getSsl(ClientAuth.WANT, "password", "src/test/resources/test.jks")); + factory.setSsl(getSsl(ClientAuth.WANT, "password", "classpath:test.jks")); this.container = factory.getEmbeddedServletContainer(); this.container.start(); SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(