author | andreer <andreer@verizonmedia.com> | 2019-11-14 10:32:55 +0100 |
committer | andreer <andreer@verizonmedia.com> | 2019-11-14 10:32:55 +0100 |
commit | ef4041420dc828726fbac4198b367d8ecf3dec65 (patch) | |
tree | 26a60f6b6b4bdb2b259177eb06a70aaec54ece08 /config-model | |
parent | 03d90c743ae83cfea09be55cb7f1787aa8c8453b (diff) |
do not enforce client auth outside public system (yet)
Diffstat (limited to 'config-model')
2 files changed, 7 insertions, 4 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 93eaeb0565a..d00ce3974fa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -17,12 +17,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");
+ private final boolean enforceClientAuth;
+
 public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null);
+ this(serverName, tlsSecrets, null, false);
 }
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
 super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ this.enforceClientAuth = enforceClientAuth;
 }
 private static ConfiguredDirectSslProvider createSslProvider(
@@ -41,7 +44,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 super.getConfig(connectorBuilder);
 connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
 .pathWhitelist(INSECURE_WHITELISTED_PATHS)
- .enable(true));
+ .enable(enforceClientAuth));
 }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 484021ad4d5..073503e9341 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
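Review bot: The four-argument constructor now accepts `enforceClientAuth == true` together with `tlsCaCertificates == null`, a combination nothing in this hunk rejects; whether createSslProvider tolerates a null CA bundle when enforcement is on is outside the hunk, so a guard such as `if (enforceClientAuth && tlsCaCertificates == null) throw new IllegalArgumentException("tlsCaCertificates is required when client auth is enforced");` would make the contract explicit. The two-argument constructor silently defaults the flag to `false`, and with the second hunk (`.enable(enforceClientAuth)`) that leaves the TlsClientAuthEnforcer configured but disabled for every caller that does not opt in; the new field deserves a comment stating this, e.g. `// When false the enforcer is configured (whitelist included) but disabled; the 2-arg constructor always passes false.` The commit message calls this temporary ("yet"), so a TODO next to the `false` literal in the delegating constructor would keep the staged rollout visible to the next reader.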
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -338,7 +338,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 JettyHttpServer server = cluster.getHttp().getHttpServer();
 String serverName = server.getComponentId().getName();
 HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get())
+ ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
 : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
 server.addConnector(connectorFactory);
 } |
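Review bot: The trailing `true` in the new call site is an opaque boolean literal at the one place client-auth enforcement is switched on; a named local, `boolean enforceClientAuth = true; // only meaningful when a client authority is configured`, passed in its place would read better and pair with the `false` default elsewhere. The enclosing method starts and ends outside the hunk, so whether `authorizeClient` already guarantees `deployState.tlsClientAuthority()` is present before the unchecked `.get()` on the changed line cannot be confirmed here; if it does, a one-line comment on the ternary saying so would save the next reader the lookup.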