tessl/maven-io-grpc--grpc-alts
gRPC ALTS (Application Layer Transport Security) implementation for secure and authenticated communication between Google Cloud VMs
—
Pending
server-builders.mddocs/
Server Builders
High-level builders for creating secure gRPC servers with ALTS authentication.
Required Imports
import io.grpc.alts.AltsServerBuilder;
import io.grpc.Server;
import io.grpc.BindableService;
import io.grpc.ServerServiceDefinition;
import io.grpc.ServerInterceptor;
import io.grpc.ServerStreamTracer;
import io.grpc.ServerTransportFilter;
import io.grpc.HandlerRegistry;
import io.grpc.CompressorRegistry;
import io.grpc.DecompressorRegistry;
import java.io.File;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;Capabilities
ALTS Server Builder
Creates a gRPC server that accepts ALTS-secured connections from authenticated Google Cloud VMs.
/**
* gRPC secure server builder used for ALTS. Adds necessary ALTS support to create
* a production server on Google Cloud Platform.
*/
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
public final class AltsServerBuilder extends ForwardingServerBuilder<AltsServerBuilder> {
/**
* Creates a gRPC server builder for the given port
* @param port the port number to bind to
* @return AltsServerBuilder instance
*/
public static AltsServerBuilder forPort(int port);
/**
* Enables untrusted ALTS for testing. Disables Google Cloud Platform checks.
* @return this builder for chaining
*/
public AltsServerBuilder enableUntrustedAltsForTesting();
/**
* Sets a custom handshaker service address for testing
* @param handshakerAddress the handshaker service address
* @return this builder for chaining
*/
public AltsServerBuilder setHandshakerAddressForTesting(String handshakerAddress);
/**
* Sets the handshake timeout
* @param timeout the timeout value
* @param unit the time unit
* @return this builder for chaining
*/
public AltsServerBuilder handshakeTimeout(long timeout, TimeUnit unit);
/**
* Uses the direct executor for server operations
* @return this builder for chaining
*/
public AltsServerBuilder directExecutor();
/**
* Adds a stream tracer factory
* @param factory the stream tracer factory
* @return this builder for chaining
*/
public AltsServerBuilder addStreamTracerFactory(ServerStreamTracer.Factory factory);
/**
* Adds a transport filter
* @param filter the transport filter
* @return this builder for chaining
*/
public AltsServerBuilder addTransportFilter(ServerTransportFilter filter);
/**
* Sets the executor for server operations
* @param executor the executor
* @return this builder for chaining
*/
public AltsServerBuilder executor(Executor executor);
/**
* Adds a service definition
* @param service the service definition
* @return this builder for chaining
*/
public AltsServerBuilder addService(ServerServiceDefinition service);
/**
* Adds a bindable service implementation
* @param bindableService the bindable service
* @return this builder for chaining
*/
public AltsServerBuilder addService(BindableService bindableService);
/**
* Sets the fallback handler registry
* @param fallbackRegistry the fallback handler registry
* @return this builder for chaining
*/
public AltsServerBuilder fallbackHandlerRegistry(HandlerRegistry fallbackRegistry);
/**
* Sets the decompressor registry
* @param registry the decompressor registry
* @return this builder for chaining
*/
public AltsServerBuilder decompressorRegistry(DecompressorRegistry registry);
/**
* Sets the compressor registry
* @param registry the compressor registry
* @return this builder for chaining
*/
public AltsServerBuilder compressorRegistry(CompressorRegistry registry);
/**
* Adds a server interceptor
* @param interceptor the server interceptor
* @return this builder for chaining
*/
public AltsServerBuilder intercept(ServerInterceptor interceptor);
/**
* Attempts to set TLS transport security. Not supported for ALTS servers.
* @param certChain the certificate chain file
* @param privateKey the private key file
* @return this builder (never reached)
* @throws UnsupportedOperationException always thrown - TLS configuration not supported for ALTS
*/
public AltsServerBuilder useTransportSecurity(File certChain, File privateKey);
/**
* Builds the server with ALTS security
* @return the configured Server
*/
public Server build();
}Usage Examples:
import io.grpc.alts.AltsServerBuilder;
import io.grpc.Server;
import io.grpc.BindableService;
// Basic ALTS server
Server server = AltsServerBuilder.forPort(8080)
.addService(new MyServiceImpl())
.build();
server.start();
server.awaitTermination();
// Advanced ALTS server configuration
Server advancedServer = AltsServerBuilder.forPort(8080)
.addService(new MyServiceImpl())
.addService(new AnotherServiceImpl())
.handshakeTimeout(30, TimeUnit.SECONDS)
.executor(Executors.newFixedThreadPool(10))
.intercept(new LoggingInterceptor())
.addTransportFilter(new CustomTransportFilter())
.build();
// Testing configuration
Server testServer = AltsServerBuilder.forPort(8080)
.addService(new TestServiceImpl())
.enableUntrustedAltsForTesting()
.setHandshakerAddressForTesting("localhost:9999")
.build();Server Configuration
Service Registration
Add your gRPC service implementations using either:
addService(ServerServiceDefinition)for pre-built service definitionsaddService(BindableService)for service implementations
Execution Control
Configure how the server handles requests:
executor(Executor)- Custom thread pool for request processingdirectExecutor()- Process requests on the network threads (for low-latency scenarios)
Interceptors and Filters
Add cross-cutting concerns:
intercept(ServerInterceptor)- Add interceptors for logging, authentication, etc.addTransportFilter(ServerTransportFilter)- Add transport-level filtersaddStreamTracerFactory(ServerStreamTracer.Factory)- Add stream tracing
Compression
Configure message compression:
compressorRegistry(CompressorRegistry)- Set available compressorsdecompressorRegistry(DecompressorRegistry)- Set available decompressors
Timeouts
Configure connection timeouts:
handshakeTimeout(long, TimeUnit)- Set ALTS handshake timeout
Server Lifecycle
import io.grpc.alts.AltsServerBuilder;
import io.grpc.Server;
// Build and start server
Server server = AltsServerBuilder.forPort(8080)
.addService(new MyServiceImpl())
.build();
// Start the server
server.start();
System.out.println("Server started on port 8080");
// Add shutdown hook for graceful termination
Runtime.getRuntime().addShutdownHook(new Thread(() -> {
System.out.println("Shutting down server...");
server.shutdown();
try {
server.awaitTermination(5, TimeUnit.SECONDS);
} catch (InterruptedException e) {
server.shutdownNow();
}
}));
// Wait for termination
server.awaitTermination();Security Considerations
- ALTS Only: The server only accepts ALTS-secured connections from authenticated Google Cloud VMs
- No TLS Configuration: ALTS servers cannot use TLS transport security - calling
useTransportSecurity()will throwUnsupportedOperationException - Mutual Authentication: Both client and server identities are verified during the handshake
- Testing: Never use testing methods (
enableUntrustedAltsForTesting()) in production environments - Port Binding: Choose appropriate ports that don't conflict with other services
- Service Accounts: Clients must use valid Google Cloud service accounts to connect
Install with Tessl CLI
npx tessl i tessl/maven-io-grpc--grpc-alts