author | Andreas Eriksen <andreer@verizonmedia.com> | 2019-11-14 11:45:57 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-14 11:45:57 +0100 |
commit | bf057fb22f9c917d616031a0cd32597b315bb803 (patch) | |
tree | 32ea0dd80156b08f3eeb56c45bb67b13f5ac709c /config-model | |
parent | eefeb095cb136450e69dabd25b43250775cb98d7 (diff) | |
parent | ef4041420dc828726fbac4198b367d8ecf3dec65 (diff) |
Merge pull request #11294 from vespa-engine/andreer/do-not-enforce-client-auth-outside-public
do not enforce client auth outside public system (yet)
Diffstat (limited to 'config-model')
2 files changed, 7 insertions, 4 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 93eaeb0565a..d00ce3974fa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -17,12 +17,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");
+ private final boolean enforceClientAuth;
+
 public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null);
+ this(serverName, tlsSecrets, null, false);
 }
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
 super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ this.enforceClientAuth = enforceClientAuth;
 }
 private static ConfiguredDirectSslProvider createSslProvider(
@@ -41,7 +44,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 super.getConfig(connectorBuilder);
 connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
 .pathWhitelist(INSECURE_WHITELISTED_PATHS)
- .enable(true));
+ .enable(enforceClientAuth));
 }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 484021ad4d5..073503e9341 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
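Review bot: The new four-argument constructor accepts `enforceClientAuth == true` together with `tlsCaCertificates == null`, and nothing in the hunk rejects that combination, so a caller can configure an enforcer that demands client certificates while the SSL provider has no CA to validate them against (how `createSslProvider` treats a null CA is outside the hunk, so this may already fail elsewhere). A guard after the `super(...)` call, `if (enforceClientAuth && tlsCaCertificates == null) throw new IllegalArgumentException("enforceClientAuth requires tlsCaCertificates");`, would surface the misconfiguration at model-build time rather than at request time. The two-argument constructor now hardcodes `false`; since the commit title marks the relaxation as temporary, a comment such as `// client auth is not enforced outside public systems yet` on the `this(serverName, tlsSecrets, null, false);` line would record the intent where the next reader looks. The `createSslProvider` declaration and the `getConfig` method changed in the second hunk both extend outside the hunk.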
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -338,7 +338,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 JettyHttpServer server = cluster.getHttp().getHttpServer();
 String serverName = server.getComponentId().getName();
 HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get())
+ ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
 : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
 server.addConnector(connectorFactory);
 } |
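Review bot: The bare `true` passed as the fourth argument on the added line gives the call site no hint that it toggles client-auth enforcement, and the `false` taken by the other branch is implied by the two-argument constructor rather than stated. Naming it, e.g. `boolean enforceClientAuth = true; // enforced only where a client authority is configured` and passing `enforceClientAuth`, or at least an inline `/* enforceClientAuth */ true`, would make the coupling between `authorizeClient` and enforcement readable at a glance. Both branches also appear to call `Optional.get()` unchecked on `tlsSecrets()` and `tlsClientAuthority()`; this predates the change, but `orElseThrow(() -> new IllegalStateException("tls client authority missing"))` would give a clearer failure than a bare NoSuchElementException if a deploy state lacks them. The enclosing method starts and ends outside the hunk, so whether `authorizeClient` already guarantees `tlsClientAuthority()` is present cannot be seen here.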