
tessl/maven-io-grpc--grpc-alts

gRPC ALTS (Application Layer Transport Security) implementation for secure and authenticated communication between Google Cloud VMs


Server Credentials

Lower-level credential objects for custom server security configuration, providing fine-grained control over ALTS authentication settings for gRPC servers.

Capabilities

ALTS Server Credentials

Provides secure ALTS authentication for gRPC servers running on Google Cloud Platform.

/**
 * Server credentials for ALTS authentication on Google Cloud Platform
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
public final class AltsServerCredentials {
    
    /**
     * Creates ALTS server credentials with default settings
     * @return ServerCredentials configured for ALTS
     */
    public static ServerCredentials create();
    
    /**
     * Creates a new builder for customizing ALTS server credentials
     * @return Builder instance
     */
    public static Builder newBuilder();
    
    /**
     * Builder for customizing ALTS server credentials
     */
    @ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
    public static final class Builder {
        
        /**
         * Enables untrusted ALTS for testing. Disables Google Cloud Platform checks.
         * @return this builder for chaining
         */
        public Builder enableUntrustedAltsForTesting();
        
        /**
         * Sets a custom handshaker service address for testing
         * @param handshakerAddress the handshaker service address
         * @return this builder for chaining
         */
        public Builder setHandshakerAddressForTesting(String handshakerAddress);
        
        /**
         * Builds the server credentials
         * @return the configured ServerCredentials
         */
        public ServerCredentials build();
    }
}

Usage Examples:

import io.grpc.alts.AltsServerCredentials;
import io.grpc.ServerCredentials;
import io.grpc.Grpc;
import io.grpc.Server;

// Basic ALTS server credentials
ServerCredentials creds = AltsServerCredentials.create();
Server server = Grpc.newServerBuilderForPort(8080, creds)
    .addService(new MyServiceImpl())
    .build();

server.start();

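// Customized server credentials for testing (an alternative to the block above;
// pick a different port if both servers run in the same process)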
ServerCredentials testCreds = AltsServerCredentials.newBuilder()
    .enableUntrustedAltsForTesting()
    .setHandshakerAddressForTesting("localhost:9999")
    .build();

Server testServer = Grpc.newServerBuilderForPort(8080, testCreds)
    .addService(new TestServiceImpl())
    .build();

testServer.start();

Integration with gRPC Core

Server credentials integrate with the core gRPC Grpc.newServerBuilderForPort() API:

import io.grpc.Grpc;
import io.grpc.Server;
import io.grpc.ServerCredentials;
import io.grpc.alts.AltsServerCredentials;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Use credentials with Grpc.newServerBuilderForPort()
ServerCredentials credentials = AltsServerCredentials.create();
Server server = Grpc.newServerBuilderForPort(8080, credentials)
    .addService(new MyServiceImpl())
    .handshakeTimeout(30, TimeUnit.SECONDS)
    .executor(Executors.newFixedThreadPool(10))
    .build();

server.start();

Server Lifecycle with Credentials

import io.grpc.alts.AltsServerCredentials;
import io.grpc.ServerCredentials;
import io.grpc.Grpc;
import io.grpc.Server;
import java.util.concurrent.TimeUnit;

public class AltsServerExample {
    public static void main(String[] args) throws Exception {
        // Create server credentials
        ServerCredentials creds = AltsServerCredentials.create();
        
        // Build and start server
        Server server = Grpc.newServerBuilderForPort(8080, creds)
            .addService(new MyGrpcServiceImpl())
            .build()
            .start();
        
        System.out.println("ALTS server started on port 8080");
        
        // Add shutdown hook
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            System.out.println("Shutting down ALTS server...");
            server.shutdown();
            try {
                if (!server.awaitTermination(5, TimeUnit.SECONDS)) {
                    server.shutdownNow();
                }
            } catch (InterruptedException e) {
                server.shutdownNow();
            }
        }));
        
        // Wait for termination
        server.awaitTermination();
    }
}

Testing Configuration

For development and testing environments, server credentials support special testing modes:

import io.grpc.alts.AltsServerCredentials;
import io.grpc.Grpc;
import io.grpc.Server;
import io.grpc.ServerCredentials;

// Testing credentials that bypass GCP environment checks
ServerCredentials testCreds = AltsServerCredentials.newBuilder()
    .enableUntrustedAltsForTesting()
    .setHandshakerAddressForTesting("localhost:9999")
    .build();

// Use with local handshaker service for integration testing
Server testServer = Grpc.newServerBuilderForPort(8080, testCreds)
    .addService(new TestServiceImpl())
    .build();

Security Considerations

  • Production Usage: Always use AltsServerCredentials.create() in production
  • Testing Methods: Never use enableUntrustedAltsForTesting() in production environments
  • Google Cloud Platform: ALTS server credentials only work on authenticated Google Cloud VMs
  • Mutual Authentication: Both client and server identities are verified during the ALTS handshake
  • Handshaker Service: The server communicates with Google's ALTS handshaker service for authentication
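
One way to enforce the first two points in code is to select credentials in a single place and fail closed on any ambiguous test setting. This is an added example, not part of the grpc-alts library or its documentation; the environment variable names ALTS_TEST_MODE and ALTS_TEST_HANDSHAKER and the class AltsCredentialSelector are hypothetical.

```java
import io.grpc.Grpc;
import io.grpc.Server;
import io.grpc.ServerCredentials;
import io.grpc.alts.AltsServerCredentials;
import java.util.Map;
import java.util.logging.Logger;

/** Added example: picks ALTS server credentials and fails closed on test settings. */
public final class AltsCredentialSelector {
    private static final Logger log = Logger.getLogger("AltsCredentialSelector");

    // Hypothetical variable names chosen for this example; grpc-alts does not read them.
    static final String MODE_VAR = "ALTS_TEST_MODE";
    static final String HANDSHAKER_VAR = "ALTS_TEST_HANDSHAKER";

    static ServerCredentials select(Map<String, String> env) {
        String mode = env.get(MODE_VAR);
        String handshaker = env.get(HANDSHAKER_VAR);

        if (mode == null) {
            // A handshaker override without the explicit opt-in is a misconfiguration.
            if (handshaker != null) {
                throw new IllegalStateException(HANDSHAKER_VAR + " set without " + MODE_VAR);
            }
            return AltsServerCredentials.create(); // production path
        }
        if (!mode.equals("untrusted-local")) {
            throw new IllegalStateException("Unrecognized " + MODE_VAR + " value");
        }
        // Only accept a handshaker on the loopback interface in test mode.
        if (handshaker == null
                || !(handshaker.startsWith("localhost:") || handshaker.startsWith("127.0.0.1:"))) {
            throw new IllegalStateException(HANDSHAKER_VAR + " must be a loopback host:port");
        }
        log.warning("Untrusted ALTS test credentials in use; GCP checks are disabled");
        return AltsServerCredentials.newBuilder()
            .enableUntrustedAltsForTesting()
            .setHandshakerAddressForTesting(handshaker)
            .build();
    }

    public static void main(String[] args) throws Exception {
        Server server = Grpc.newServerBuilderForPort(8080, select(System.getenv()))
            // .addService(...) goes here; omitted so the example compiles on its own
            .build()
            .start();
        server.awaitTermination();
    }
}
```

Startup aborts with an exception instead of silently falling back when the test variables are inconsistent, and the warning log line gives operations a string to alert on if test mode ever appears in a production deployment.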

Comparison with Server Builders

Server credentials provide lower-level control compared to AltsServerBuilder:

| Feature | AltsServerCredentials | AltsServerBuilder |
| --- | --- | --- |
| Abstraction Level | Low-level credential object | High-level builder |
| Integration | Works with Grpc.newServerBuilderForPort() | Self-contained builder |
| Configuration | Limited to credential settings | Full server configuration |
| Use Case | Custom server setups | Standard ALTS servers |

Choose AltsServerCredentials when you need to integrate ALTS with custom server configurations or existing gRPC server code.

Install with Tessl CLI

npx tessl i tessl/maven-io-grpc--grpc-alts
