
Support using ResourceLoader to load SSL keystore and truststore

Open justin-tay opened this issue 2 years ago • 4 comments

I currently register and use a custom URLStreamHandlerFactory to customise the resource that is being loaded for the keystore and the truststore due to how ResourceUtils.getURL is being used to load the keystore and truststore.

However, this approach doesn't work in a native image because registering a custom URLStreamHandlerFactory is still not supported in a native image.

justin-tay avatar Apr 03 '23 12:04 justin-tay

@justin-tay We can consider this as part of some other SSL changes we are making. If we did something like this, it would be an enhancement that would be included in a minor release, and would not be done in a 3.0.x patch release.

In the meantime, you could consider creating your own class of type org.springframework.boot.web.server.SslStoreProvider to read the keystore and truststore in the same way your URLStreamHandlerFactory is loading them, and then setting your SslStoreProvider into the auto-configured TomcatServletWebServerFactory. That should be easier than what you are doing now and be more native-friendly. Does that meet your needs in the short term?

scottfrederick avatar Apr 03 '23 18:04 scottfrederick
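The workaround suggested above, written out as an added example (it is not code from the issue or from Spring Boot itself): an `SslStoreProvider` that loads the keystore and truststore through Spring's `ResourceLoader`, so any registered `ProtocolResolver` or custom `Resource` implementation is honoured without a `URLStreamHandlerFactory`, plus a `WebServerFactoryCustomizer` that installs it into the auto-configured `TomcatServletWebServerFactory`. The package name, the store locations (`classpath:tls/...`) and the `app.ssl.*` property names are assumptions chosen for the example; the Spring types (`SslStoreProvider`, `Ssl`, `WebServerFactoryCustomizer`, `setSslStoreProvider`) are the Spring Boot 3.0 API the comment refers to. Store passwords are read from the `Environment` rather than hard-coded so they can come from an external, non-committed source.

```java
package com.example.ssl; // hypothetical package

import java.io.InputStream;
import java.security.KeyStore;

import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;

/**
 * SslStoreProvider that resolves store locations with Spring's ResourceLoader
 * instead of ResourceUtils.getURL, so no custom URLStreamHandlerFactory is needed.
 */
public class ResourceLoaderSslStoreProvider implements SslStoreProvider {

    private final ResourceLoader resourceLoader;
    private final String keyStoreLocation;
    private final String keyStoreType;
    private final char[] keyStorePassword;
    private final String trustStoreLocation;   // may be null: no explicit truststore
    private final String trustStoreType;
    private final char[] trustStorePassword;

    public ResourceLoaderSslStoreProvider(ResourceLoader resourceLoader,
            String keyStoreLocation, String keyStoreType, char[] keyStorePassword,
            String trustStoreLocation, String trustStoreType, char[] trustStorePassword) {
        this.resourceLoader = resourceLoader;
        this.keyStoreLocation = keyStoreLocation;
        this.keyStoreType = keyStoreType;
        this.keyStorePassword = keyStorePassword;
        this.trustStoreLocation = trustStoreLocation;
        this.trustStoreType = trustStoreType;
        this.trustStorePassword = trustStorePassword;
    }

    @Override
    public KeyStore getKeyStore() throws Exception {
        return load(this.keyStoreLocation, this.keyStoreType, this.keyStorePassword);
    }

    @Override
    public KeyStore getTrustStore() throws Exception {
        if (this.trustStoreLocation == null) {
            return null; // Tomcat falls back to the JVM default trust material
        }
        return load(this.trustStoreLocation, this.trustStoreType, this.trustStorePassword);
    }

    // Resolve the location through the ResourceLoader and parse it as a KeyStore.
    // Failing fast on a missing resource avoids silently starting with no TLS material.
    private KeyStore load(String location, String type, char[] password) throws Exception {
        Resource resource = this.resourceLoader.getResource(location);
        if (!resource.exists()) {
            throw new IllegalStateException("SSL store not found: " + location);
        }
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = resource.getInputStream()) {
            store.load(in, password);
        }
        return store;
    }
}

/** Installs the provider into the auto-configured Tomcat factory. */
@Configuration(proxyBeanMethods = false)
class ResourceLoaderSslConfiguration {

    @Bean
    WebServerFactoryCustomizer<TomcatServletWebServerFactory> sslStoreCustomizer(
            ResourceLoader resourceLoader, Environment env) {
        return factory -> {
            // app.ssl.* are hypothetical property names; supply them from an external source.
            char[] keyStorePassword = env.getRequiredProperty("app.ssl.key-store-password").toCharArray();
            char[] trustStorePassword = env.getRequiredProperty("app.ssl.trust-store-password").toCharArray();
            SslStoreProvider provider = new ResourceLoaderSslStoreProvider(resourceLoader,
                    "classpath:tls/server.p12", "PKCS12", keyStorePassword,
                    "classpath:tls/truststore.p12", "PKCS12", trustStorePassword);

            // Tomcat only configures TLS when an enabled Ssl object is present; the
            // key password still comes from Ssl, the stores from the provider.
            Ssl ssl = (factory.getSsl() != null) ? factory.getSsl() : new Ssl();
            ssl.setEnabled(true);
            ssl.setKeyPassword(env.getRequiredProperty("app.ssl.key-password"));
            factory.setSsl(ssl);
            factory.setSslStoreProvider(provider);
        };
    }
}
```

Because `ResourceLoader.getResource` is ordinary Spring code, the same class works under a GraalVM native image provided the store files themselves are registered as resources. It covers keystore files only; PEM certificate and key files would need a separate parser, which is the point raised later in this thread.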

Yes, writing a custom SslStoreProvider does meet my needs in the short term. Thanks.

justin-tay avatar Apr 03 '23 20:04 justin-tay

One thing I noted when writing a custom SslStoreProvider is that even things like org.springframework.boot.web.server.CertificateParser and org.springframework.boot.web.server.PrivateKeyParser are using ResourceUtils.getURL so I had to copy and modify quite a number of classes.

justin-tay avatar Apr 04 '23 07:04 justin-tay

@justin-tay Those parser classes you mentioned are package-private, as we don't intend for them to be used as general purpose utility classes outside of Spring Boot's SSL support code. So you would have had to copy them to your code anyway if you want the same behavior in your code. It's likely we can do something to address this re-use in Spring Boot 3.1. Using ResourceLoader everywhere will require more design and thought.

scottfrederick avatar Apr 04 '23 16:04 scottfrederick