Update to Jetty 9, drop AJP

.classpath

 	<classpathentry kind="lib" path="ext/slf4j-api-1.6.6.jar" sourcepath="ext/src/slf4j-api-1.6.6.jar" />
 	<classpathentry kind="lib" path="ext/slf4j-log4j12-1.6.6.jar" sourcepath="ext/src/slf4j-log4j12-1.6.6.jar" />
 	<classpathentry kind="lib" path="ext/mail-1.4.3.jar" sourcepath="ext/src/mail-1.4.3.jar" />
-	<classpathentry kind="lib" path="ext/javax.servlet-api-3.0.1.jar" sourcepath="ext/src/javax.servlet-api-3.0.1.jar" />
-	<classpathentry kind="lib" path="ext/jetty-webapp-8.1.13.v20130916.jar" sourcepath="ext/src/jetty-webapp-8.1.13.v20130916.jar" />
-	<classpathentry kind="lib" path="ext/jetty-ajp-8.1.13.v20130916.jar" sourcepath="ext/src/jetty-ajp-8.1.13.v20130916.jar" />
+	<classpathentry kind="lib" path="ext/javax.servlet-api-3.1.0.jar" sourcepath="ext/src/javax.servlet-api-3.1.0.jar" />
+	<classpathentry kind="lib" path="ext/jetty-all-9.1.4.v20140401.jar" sourcepath="ext/src/jetty-all-9.1.4.v20140401.jar" />
 	<classpathentry kind="lib" path="ext/wicket-1.4.21.jar" sourcepath="ext/src/wicket-1.4.21.jar" />
 	<classpathentry kind="lib" path="ext/wicket-auth-roles-1.4.21.jar" sourcepath="ext/src/wicket-auth-roles-1.4.21.jar" />
 	<classpathentry kind="lib" path="ext/wicket-extensions-1.4.21.jar" sourcepath="ext/src/wicket-extensions-1.4.21.jar" />

build.moxie

 
 # Convenience properties for dependencies
 properties: {
-  jetty.version  : 8.1.13.v20130916
+  jetty.version  : 9.1.4.v20140401
   wicket.version : 1.4.21
   lucene.version : 4.6.0
   jgit.version   : 3.3.1.201403241930-r
 - compile 'org.slf4j:slf4j-api:1.6.6' :war :fedclient :authority
 - compile 'org.slf4j:slf4j-log4j12:1.6.6' :war :fedclient :authority
 - compile 'javax.mail:mail:1.4.3' :war :authority
-- compile 'javax.servlet:javax.servlet-api:3.0.1' :fedclient
-- compile 'org.eclipse.jetty.aggregate:jetty-webapp:${jetty.version}' @jar
-- compile 'org.eclipse.jetty:jetty-ajp:${jetty.version}' @jar
+- compile 'javax.servlet:javax.servlet-api:3.1.0' :fedclient
+- compile 'org.eclipse.jetty.aggregate:jetty-all:${jetty.version}' @jar
 - compile 'org.apache.wicket:wicket:${wicket.version}' :war !org.mockito
 - compile 'org.apache.wicket:wicket-auth-roles:${wicket.version}' :war !org.mockito
 - compile 'org.apache.wicket:wicket-extensions:${wicket.version}' :war !org.mockito

gitblit.iml

       </library>
     </orderEntry>
     <orderEntry type="module-library">
-      <library name="javax.servlet-api-3.0.1.jar">
+      <library name="javax.servlet-api-3.1.0.jar">
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/ext/javax.servlet-api-3.0.1.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/javax.servlet-api-3.1.0.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/ext/src/javax.servlet-api-3.0.1.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/src/javax.servlet-api-3.1.0.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library">
-      <library name="jetty-webapp-8.1.13.v20130916.jar">
+      <library name="jetty-all-9.1.4.v20140401.jar">
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/ext/jetty-webapp-8.1.13.v20130916.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/jetty-all-9.1.4.v20140401.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/ext/src/jetty-webapp-8.1.13.v20130916.jar!/" />
-        </SOURCES>
-      </library>
-    </orderEntry>
-    <orderEntry type="module-library">
-      <library name="jetty-ajp-8.1.13.v20130916.jar">
-        <CLASSES>
-          <root url="jar://$MODULE_DIR$/ext/jetty-ajp-8.1.13.v20130916.jar!/" />
-        </CLASSES>
-        <JAVADOC />
-        <SOURCES>
-          <root url="jar://$MODULE_DIR$/ext/src/jetty-ajp-8.1.13.v20130916.jar!/" />
+          <root url="jar://$MODULE_DIR$/ext/src/jetty-all-9.1.4.v20140401.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>

releases.moxie

     - Option to allow LDAP users to directly authenticate without performing LDAP searches (pr-162)
     - Replace JCommander with args4j to be consistent with other tools (ticket-28)
     - Sort repository urls by descending permissions and by transport security within equal permissions
-    - Move to Java 7
+    - Move to Java 7 & updated to Jetty 9.1.4
+    - dropped AJP support because it has been removed from upstream Jetty
+    - dropped settings: server.useNio, server.ajpPort, server.ajpBindInterface
+    - dropped GO parameters: --ajpPort, --useNio
     additions:
     - Added an SSH daemon with public key authentication (issue-369, ticket-6)
     - Added beginnings of a plugin framework for extending Gitblit (issue-381, ticket-23)
     - Added a setting to control what transports may be used for pushes
     dependencyChanges:
     - Java 7
+    - Jetty 9.1.4
     - args4j 2.0.26
     - JGit 3.3.1
     - Mina SSHD 0.10.1

src/main/java/com/gitblit/GitBlitServer.java

 import java.util.Scanner;
 
 import org.apache.log4j.PropertyConfigurator;
-import org.eclipse.jetty.ajp.Ajp13SocketConnector;
 import org.eclipse.jetty.security.ConstraintMapping;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
-import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.bio.SocketConnector;
-import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.session.HashSessionManager;
-import org.eclipse.jetty.server.ssl.SslConnector;
-import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
-import org.eclipse.jetty.server.ssl.SslSocketConnector;
 import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.webapp.WebAppContext;
 		String osversion = System.getProperty("os.version");
 		logger.info("Running on " + osname + " (" + osversion + ")");
 
-		List<Connector> connectors = new ArrayList<Connector>();
-
-		// conditionally configure the http connector
-		if (params.port > 0) {
-			Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50));
-			String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
-			if (!StringUtils.isEmpty(bindInterface)) {
-				logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
-						params.port, bindInterface));
-				httpConnector.setHost(bindInterface);
-			}
-			if (params.port < 1024 && !isWindows()) {
-				logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
-			}
-			if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
-				// redirect HTTP requests to HTTPS
-				if (httpConnector instanceof SelectChannelConnector) {
-					((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
-				} else {
-					((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
-				}
-			}
-			connectors.add(httpConnector);
+		QueuedThreadPool threadPool = new QueuedThreadPool();
+		int maxThreads = settings.getInteger(Keys.server.threadPoolSize, 50);
+		if (maxThreads > 0) {
+			threadPool.setMaxThreads(maxThreads);
 		}
 
+		Server server = new Server(threadPool);
+		server.setStopAtShutdown(true);
+
 		// conditionally configure the https connector
 		if (params.securePort > 0) {
 			File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);
 			});
 
 			if (serverKeyStore.exists()) {
-				Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
-						caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates);
+				/*
+				 * HTTPS
+				 */
+				logger.info("Setting up HTTPS transport on port " + params.securePort);
+				GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias,
+						serverKeyStore, serverTrustStore, params.storePassword, caRevocationList);
+				if (params.requireClientCertificates) {
+					factory.setNeedClientAuth(true);
+				} else {
+					factory.setWantClientAuth(true);
+				}
+
+				ServerConnector connector = new ServerConnector(server, factory);
+				connector.setSoLingerTime(-1);
+				connector.setIdleTimeout(30000);
+				connector.setPort(params.securePort);
 				String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
 				if (!StringUtils.isEmpty(bindInterface)) {
 					logger.warn(MessageFormat.format(
-							"Binding ssl connector on port {0,number,0} to {1}", params.securePort,
+							"Binding HTTPS transport on port {0,number,0} to {1}", params.securePort,
 							bindInterface));
-					secureConnector.setHost(bindInterface);
+					connector.setHost(bindInterface);
 				}
 				if (params.securePort < 1024 && !isWindows()) {
 					logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
 				}
-				connectors.add(secureConnector);
+
+				server.addConnector(connector);
 			} else {
 				logger.warn("Failed to find or load Keystore?");
-				logger.warn("SSL connector DISABLED.");
+				logger.warn("HTTPS transport DISABLED.");
 			}
 		}
 
-		// conditionally configure the ajp connector
-		if (params.ajpPort > 0) {
-			Connector ajpConnector = createAJPConnector(params.ajpPort);
-			String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);
+		// conditionally configure the http transport
+		if (params.port > 0) {
+			/*
+			 * HTTP
+			 */
+			logger.info("Setting up HTTP transport on port " + params.port);
+
+			HttpConfiguration httpConfig = new HttpConfiguration();
+			if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+				httpConfig.setSecureScheme("https");
+				httpConfig.setSecurePort(params.securePort);
+			}
+	        httpConfig.setSendServerVersion(false);
+	        httpConfig.setSendDateHeader(false);
+
+			ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
+			connector.setSoLingerTime(-1);
+			connector.setIdleTimeout(30000);
+			connector.setPort(params.port);
+			String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
 			if (!StringUtils.isEmpty(bindInterface)) {
-				logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
-						params.ajpPort, bindInterface));
-				ajpConnector.setHost(bindInterface);
+				logger.warn(MessageFormat.format("Binding HTTP transport on port {0,number,0} to {1}",
+						params.port, bindInterface));
+				connector.setHost(bindInterface);
 			}
-			if (params.ajpPort < 1024 && !isWindows()) {
+			if (params.port < 1024 && !isWindows()) {
 				logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
 			}
-			connectors.add(ajpConnector);
+
+			server.addConnector(connector);
 		}
 
 		// tempDir is where the embedded Gitblit web application is expanded and
 			logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());
 		}
 
-		Server server = new Server();
-		server.setStopAtShutdown(true);
-		server.setConnectors(connectors.toArray(new Connector[connectors.size()]));
-
 		// Get the execution path of this class
 		// We use this to set the WAR path.
 		ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();
 		return new GitblitContext(settings, baseFolder);
 	}
 
-	/**
-	 * Creates an http connector.
-	 *
-	 * @param useNIO
-	 * @param port
-	 * @param threadPoolSize
-	 * @return an http connector
-	 */
-	private Connector createConnector(boolean useNIO, int port, int threadPoolSize) {
-		Connector connector;
-		if (useNIO) {
-			logger.info("Setting up NIO SelectChannelConnector on port " + port);
-			SelectChannelConnector nioconn = new SelectChannelConnector();
-			nioconn.setSoLingerTime(-1);
-			if (threadPoolSize > 0) {
-				nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
-			}
-			connector = nioconn;
-		} else {
-			logger.info("Setting up SocketConnector on port " + port);
-			SocketConnector sockconn = new SocketConnector();
-			if (threadPoolSize > 0) {
-				sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
-			}
-			connector = sockconn;
-		}
-
-		connector.setPort(port);
-		connector.setMaxIdleTime(30000);
-		return connector;
-	}
-
-	/**
-	 * Creates an https connector.
-	 *
-	 * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
-	 * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
-	 *
-	 * @param certAlias
-	 * @param keyStore
-	 * @param clientTrustStore
-	 * @param storePassword
-	 * @param caRevocationList
-	 * @param useNIO
-	 * @param port
-	 * @param threadPoolSize
-	 * @param requireClientCertificates
-	 * @return an https connector
-	 */
-	private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
-			String storePassword, File caRevocationList, boolean useNIO,  int port, int threadPoolSize,
-			boolean requireClientCertificates) {
-		GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
-				keyStore, clientTrustStore, storePassword, caRevocationList);
-		SslConnector connector;
-		if (useNIO) {
-			logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
-			SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
-			ssl.setSoLingerTime(-1);
-			if (requireClientCertificates) {
-				factory.setNeedClientAuth(true);
-			} else {
-				factory.setWantClientAuth(true);
-			}
-			if (threadPoolSize > 0) {
-				ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
-			}
-			connector = ssl;
-		} else {
-			logger.info("Setting up NIO SslSocketConnector on port " + port);
-			SslSocketConnector ssl = new SslSocketConnector(factory);
-			if (threadPoolSize > 0) {
-				ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
-			}
-			connector = ssl;
-		}
-		connector.setPort(port);
-		connector.setMaxIdleTime(30000);
-
-		return connector;
-	}
-
-	/**
-	 * Creates an ajp connector.
-	 *
-	 * @param port
-	 * @return an ajp connector
-	 */
-	private Connector createAJPConnector(int port) {
-		logger.info("Setting up AJP Connector on port " + port);
-		Ajp13SocketConnector ajp = new Ajp13SocketConnector();
-		ajp.setPort(port);
-		if (port < 1024 && !isWindows()) {
-			logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
-		}
-		return ajp;
-	}
-
 	/**
 	 * Tests to see if the operating system is Windows.
 	 *
 		/*
 		 * JETTY Parameters
 		 */
-		@Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.")
-		public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true);
-
 		@Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT")
 		public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0);
 
 		@Option(name = "--httpsPort", usage = "HTTPS port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")
 		public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443);
 
-		@Option(name = "--ajpPort", usage = "AJP port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")
-		public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
-
 		@Option(name = "--gitPort", usage = "Git Daemon port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")
 		public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418);
 

src/main/java/com/gitblit/GitblitSslContextFactory.java

 
 		this.caRevocationList = caRevocationList;
 
-		// disable renegotiation unless this is a patched JVM
-		boolean allowRenegotiation = false;
-		String v = System.getProperty("java.version");
-		if (v.startsWith("1.7")) {
-			allowRenegotiation = true;
-		} else if (v.startsWith("1.6")) {
-			// 1.6.0_22 was first release with RFC-5746 implemented fix.
-			if (v.indexOf('_') > -1) {
-				String b = v.substring(v.indexOf('_') + 1);
-				if (Integer.parseInt(b) >= 22) {
-					allowRenegotiation = true;
-				}
-			}
-		}
-		if (allowRenegotiation) {
-			logger.info("   allowing SSL renegotiation on Java " + v);
-			setAllowRenegotiate(allowRenegotiation);
-		}
-
-
 		if (!StringUtils.isEmpty(certAlias)) {
 			logger.info("   certificate alias = " + certAlias);
 			setCertAlias(certAlias);
 		}
 		setKeyStorePassword(storePassword);
-		setTrustStore(clientTrustStore.getAbsolutePath());
+		setTrustStorePath(clientTrustStore.getAbsolutePath());
 		setTrustStorePassword(storePassword);
 
 		logger.info("   keyStorePath   = " + keyStore.getAbsolutePath());

src/site/features.mkd

 - Integrated GUI tool to facilitate x509 PKI including ssl and client certificate generation, client certificate revocation, and client certificate distribution
 - Single text file for configuring server and gitblit
 - A Windows service installation script and configuration tool
-- Built-in AJP connector for Apache httpd
 
 ## Limitations
 - Built-in access controls are not branch-based, they are repository-based.

src/site/setup_go.mkd

     --baseFolder           The default base folder for all relative file reference settings
     --repositoriesFolder   Git Repositories Folder
     --userService          Authentication and Authorization Service (filename or fully qualified classname)
-    --useNio               Use NIO Connector else use Socket Connector.
     --httpPort             HTTP port for to serve. (port <= 0 will disable this connector)
     --httpsPort            HTTPS port to serve.  (port <= 0 will disable this connector)
-    --ajpPort              AJP port to serve.  (port <= 0 will disable this connector)
+    --sshPort              SSH Daemon port to serve.  (port <= 0 will disable this daemon)
+    --gitPort              Git Daemon port to serve.  (port <= 0 will disable this daemon)
     --alias                Alias in keystore of SSL cert to use for https serving
     --storePassword        Password for SSL (https) keystore.
     --shutdownPort         Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)

src/site/setup_proxy.mkd

 ## Running Gitblit behind Apache
 
-Gitblit runs fine behind Apache.  You may use either *mod_proxy* (GO or WAR) or *mod_proxy_ajp* (GO).
+Gitblit runs fine behind Apache.
 
 Each Linux distribution may vary on the exact configuration of Apache 2.2.  
 Here is a sample configuration that works on Debian 7.0 (Wheezy), your distribution may be different.
 ln -s ../mods-available/proxy.load proxy.load
 ln -s ../mods-available/proxy_balancer.load proxy_balancer.load
 ln -s ../mods-available/proxy_http.load proxy_http.load
-ln -s ../mods-available/proxy_ajp.load proxy_ajp.load
 ```
 ### Configuring Apache to use the proxy modules
 
 # context path for your repository url.
 # If you are not using subdomain proxying, then ignore this setting.
 #RequestHeader set X-Forwarded-Context /
-
-#ProxyPass /gitblit ajp://localhost:8009/gitblit
 ```
 
 **Please** make sure to:  
     1. Review the security of these settings as appropriate for your deployment
-    2. Uncomment the *ProxyPass* setting for whichever connection you prefer (http/ajp)
+    2. Uncomment the *ProxyPass* setting
     3. Correctly set the ports and context paths both in the *ProxyPass* definition and your Gitblit installation  
-    If you are using Gitblit GO you can easily configure the AJP connector by specifying a non-zero AJP port.  
-    Please remember that on Linux/UNIX, ports < 1024 require root permissions to open.
     4. Set *web.mountParameters=false* in `gitblit.properties` or `web.xml` this will use parameterized URLs.  
     Alternatively, you can respecify *web.forwardSlashCharacter*.