Jetty Version | Current Jetty Dependency | Clojars Project |
---|---|---|
Jetty 9 | 9.4.55.v20240627 | |
Jetty 10 | 10.0.23 | |
Jetty 11 | 11.0.23 | |
Jetty 12 | - | Available once Jetty 12 stabilises. |
Eclipse Jetty is the web server at the heart of our product, Kpow for Apache Kafka®.
Slipway is a Clojure companion to embedded Jetty with Websocket support.
Slipway configuration models Jetty instead of exposing a simplified DSL. This approach allows leverage of all Jetty capabilities while providing sensible defaults for basic behaviour. If in doubt, read the Jetty docs.
Use the Community Edition of Kpow with our local-repo to see Slipway in action.
Slipway is based on, and in some cases includes code from the following projects:
We appreciate the open-source work of Ning Sun and James that forms the base of this project.
Jetty is a mature, stable, commercially supported project with an active, experienced team of core contributors.
Ubiquitous in the enterprise Java world, Jetty has many eyes raising issues and driving improvement.
Jetty is a great choice of web-server for a general purpose web-application.
Kpow is a web-application with a SPA UI served by websockets.
We have a hard requirement to support customers on Java 8 and Java 11+.
Kpow has seemingly every possible Jetty configuration option in use by at least one end-user.
We incorporate automated NVD scanning and feedback from external security teams.
Slipway provides first-class, extensible support for:
Choose a project by Jetty version, then open a REPL.
Start slipway with a ring-handler and a map of configuration options:
(require '[slipway :as slipway])
(require '[slipway.server :as server])
(require '[slipway.connector.http :as http])
(defn handler [_] {:status 200 :body "Hello world"})
(def http-connector #::http{:port 3000})
(slipway/start handler #::server{:connectors [http-connector]})
Your hello world application is now running on http://localhost:3000.
Various configurations of Slipway can be found in the example.clj namespace.
The stateful start!/stop! functions within that namespace are not considered canonical for Slipway, they are a convenience for our integration tests.
(require '[slipway.example :as example])
(example/start! [:http :hash-auth])
Your sample application with property file based auth is now available on http://localhost:3000.
Login with jetty/jetty, admin/admin, plain/plain, other/other, or user/password as defined in hash-realm.properties.
After login the default home-page presents some useful links for user info and error pages.
Jetty is sophisticated as it addresses a complex domain with flexibility and configurability.
Slipway holds close to Jetty idioms for configuration rather than presenting a simplified DSL.
Slipway takes a map of namespaced configuration.
The top-level namespace provides configuration to determine if slipway joins the Jetty threadpool.
#:slipway{:join? "join the Jetty threadpool, blocks the calling thread until jetty exits, default false"}
Configuration of core server options.
#:slipway.server{:handler "the base Jetty handler implementation (:default defmethod impl found in slipway.handler)"
:connectors "the connectors supported by this server"
:thread-pool "the thread-pool used by this server (leave null for reasonable defaults)"
:error-handler "the error-handler used by this server for Jetty level errors"}
Slipway provides the following default server-handler implementations:
Use a custom server-handler by implementing a new server/handler defmethod and configuring the dispatch key.
Slipway accepts a list of server-connectors, allowing you to run multi-connector setups, e.g.
(ns slipway.example
(:require [slipway.connector.http :as http]
[slipway.connector.https :as https]
[slipway.server :as server]))
(def http-connector #::http{:port 3000})
(def https-connector #::https{:port 3443
:keystore "dev-resources/my-keystore.jks"
:keystore-type "PKCS12"
:keystore-password "password"
:truststore "dev-resources/my-truststore.jks"
:truststore-password "password"
:truststore-type "PKCS12"})
(def server #::server{:connectors [http-connector https-connector]})
Leave nil for the sensible default threadpool or provide a concrete org.eclipse.jetty.util.thread.ThreadPool
.
Provide a concrete org.eclipse.jetty.server.handler.ErrorHandler
to manage Jetty-level errors (not to be confused with ring / application level errors which will be handled separately within your application).
Slipway provides a utility namespace for general-purpose ErrorHandler creation and error logging:
Configuration of the default server-handler (same for all versions of Jetty).
#:slipway.handler{:context-path "the root context path, default '/'"
:ws-path "the path serving the websocket upgrade handler, default '/chsk'"
:null-path-info? "true if /path is not redirected to /path/, default true"}
Configuration of websockets options.
Jetty 10/11 provides more configurability of websockets, as you can see in the different options below:
;; Jetty 10 / Jetty 11 Websockets
#:slipway.websockets{:idle-timeout "max websocket idle time (in ms), default 500000"
:input-buffer-size "max websocket input buffer size (in bytes)"
:output-buffer-size "max websocket output buffer size (in bytes)"
:max-text-message-size "max websocket text message size (in bytes, default 65536)"
:max-binary-message-size "max websocket binary message size (in bytes)"
:max-frame-size "max websocket frame size (in bytes)"
:auto-fragment "websocket auto fragment (boolean)"}
;; Jetty 9 Websockets
#:slipway.websockets{:idle-timeout "max websocket idle time (in ms), default 500000"
:input-buffer-size "max websocket input buffer size"
:max-text-message-size "max websocket text message size"
:max-binary-message-size "max websocket binary message size"}
See the Jetty docs to understand how to tune websockets for your own purposes.
Configuration of http session options.
#:slipway.session{:secure-request-only? "set the secure flag on session cookies (default true)"
:http-only? "set the http-only flag on session cookies (default true)"
:same-site "set session cookie same-site policy to :none, :lax, or :strict (default :strict)"
:max-inactive-interval "max session idle time (in s, default -1)"
:tracking-modes "a set (colloection) of #{:cookie, :ssl, or :url}"
:cookie-name "the name of the session cookie"
:session-id-manager "the meta manager used for cross context session management"
:refresh-cookie-age "max time before a session cookie is re-set (in s)"
:path-parameter-name "name of path parameter used for URL session tracking"}
Configuration of Jetty auth options.
See examples below for configuration guides to JAAS and HASH authentication.
#:slipway.security{:realm "the Jetty authentication realm"
:hash-user-file "the path to a Jetty Hash User File"
:login-service "a Jetty LoginService identifier, 'jaas' and 'hash' supported by default"
:identity-service "a concrete Jetty IdentityService"
:authenticator "a concrete Jetty Authenticator (e.g. FormAuthenticator or BasicAuthenticator)"
Configuration of an HTTP server connector.
#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces."
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
:idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
:http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
:proxy-protocol? "if true, add the ProxyConnectionFactory. See Jetty Proxy Protocol docs"
:http-config "a concrete HttpConfiguration object to replace the default config entirely"
:configurator "a fn taking the final connector as argument, allowing further configuration"}
Configuration of an HTTPS server connector.
#:slipway.connector.https{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces"
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 443"
:idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
:http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
:proxy-protocol? "if true, add the ProxyConnectionFactor. See Jetty Proxy Protocol docs"
:http-config "a concrete HttpConfiguration object to replace the default config entirely"
:configurator "a fn taking the final connector as argument, allowing further configuration"
:keystore "keystore to use, either path (String) or concrete KeyStore"
:keystore-type "type of keystore, e.g. JKS"
:keystore-password "password of the keystore"
:key-manager-password "password for the specific key within the keystore"
:truststore "truststore to use, either path (String) or concrete KeyStore"
:truststore-password "password of the truststore"
:truststore-type "type of the truststore, eg. JKS"
:include-protocols "a list of protocol name patterns to include in SSLEngine"
:exclude-protocols "a list of protocol name patterns to exclude from SSLEngine"
:replace-exclude-protocols? "if true will replace existing exclude-protocols, otherwise will add them"
:exclude-ciphers "a list of cipher suite names to exclude from SSLEngine"
:replace-exclude-ciphers? "if true will replace existing exclude-ciphers, otherwise will add them"
:security-provider "the security provider name"
:client-auth "either :need or :want to set the corresponding need/wantClientAuth field"
:ssl-context "a concrete pre-configured SslContext"
:sni-required? "true if a SNI certificate is required, default false"
:sni-host-check? "true if the SNI Host name must match, default false"}
Configuration of the Gzip Handler.
#:slipway.handler.gzip{:enabled? "is gzip enabled? default true"
:included-mime-types "mime types to include (without charset or other parameters), leave nil for default types"
:excluded-mime-types "mime types to exclude (replacing any previous exclusion set)"
:min-gzip-size "min response size to trigger dynamic compression (in bytes, default 1024)"}
Slipway supports Sente out-of-the box.
The entry-point can be found in the slipway/sente.clj namespace.
(defn start-server
[opts]
(let [server (sente/make-channel-socket-server! (slipway.sente/get-sch-adapter) opts)
{:keys [ch-recv send-fn connected-uids ajax-get-or-ws-handshake-fn]} server]
{:ws-handshake ajax-get-or-ws-handshake-fn
:ch-chsk ch-recv
:chsk-send! (partial send-msg connected-uids send-fn)
:connected-uids connected-uids}))
Refer to Sente's getting started guide for more information.
JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework.
JAAS can be used for two purposes:
For more information visit the Jetty documentation.
Various configurations of Slipway with JAAS auth can be found in the example.clj namespace.
Start your application (JAR or REPL session) with the additional JVM option
-Djava.security.auth.login.config=/some/path/to/jaas.config
For example configurations refer to this tutorial.
The simplest JAAS authentication module. A static list of hashed users in a file.
Example jaas.config
: ('my-realm' must be the same as the configured :realm)
my-realm {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
debug="true"
file="dev-resources/jaas/hash-realm.properties";
};
Example hash-realm.properties
:
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
# <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed. The class
# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
# passwords or password checksums
#
# If DIGEST Authentication is used, the password must be in a recoverable
# format, either plain text or OBF:.
#
jetty: MD5:164c88b302622e17050af52c89945d44,kafka-users,content-administrators
admin: CRYPT:adpexzg3FUZAk,server-administrators,content-administrators,kafka-admins
other: OBF:1xmk1w261u9r1w1c1xmq,kafka-admins,kafka-users
plain: plain,content-administrators
user: password,kafka-users
# This entry is for digest auth. The credential is a MD5 hash of username:realmname:password
digest: MD5:6e120743ad67abfbc385bc2bb754e297,kafka-users
Example jaas.config
: ('my-realm' must be the same as the configured :realm)
my-realm {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
useLdaps="false"
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="localhost"
port="10389"
bindDn="uid=admin,ou=system"
bindPassword="AES:ARClD4Hz3A2VpdCGqZArl/OglnIawMHRzW0cVjraODxIeg=="
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="OU=Users,DC=example,DC=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
roleBaseDn="OU=Groups,DC=example,DC=com"
roleNameAttribute="roleName"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames";
};
Distributed under the MIT License.
We are very welcoming of any bug tickets and/or minor fixes, but we do not currently welcome larger functional contributions.
Slipway is at the heart of our commercial software and as such we take a conservative approach to modelling Jetty's capabilities.
Copyright (c) 2022 Factor House
Can you improve this documentation? These fine people already did:
Derek Troy-West, Thomas Crowley & d-t-wEdit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close