authorandreer <andreer@verizonmedia.com>2019-11-14 10:32:55 +0100
committerandreer <andreer@verizonmedia.com>2019-11-14 10:32:55 +0100
commitef4041420dc828726fbac4198b367d8ecf3dec65 (patch)
tree26a60f6b6b4bdb2b259177eb06a70aaec54ece08 /config-model
parent03d90c743ae83cfea09be55cb7f1787aa8c8453b (diff)
do not enforce client auth outside public system (yet)
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java9
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java2
2 files changed, 7 insertions, 4 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 93eaeb0565a..d00ce3974fa 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -17,12 +17,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");
+ private final boolean enforceClientAuth;
+
public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null);
+ this(serverName, tlsSecrets, null, false);
}
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ this.enforceClientAuth = enforceClientAuth;
}
private static ConfiguredDirectSslProvider createSslProvider(
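Review bot: The two-argument constructor now defaults `enforceClientAuth` to `false`, so every caller that omits the flag gets a connector on port 4443 whose `TlsClientAuthEnforcer` is disabled (see `.enable(enforceClientAuth)` in the `getConfig` hunk below), where it was unconditionally enabled before. That fail-open default is not documented anywhere in the new code; I would add Javadoc to the short constructor, e.g. `/** Creates a connector that does NOT enforce TLS client authentication. */`, and a `@param enforceClientAuth` line on the four-argument one. Since the commit title says "(yet)", a `// TODO` next to the `false` would keep the temporary relaxation from becoming permanent by accident. Whether the TLS layer built by `createSslProvider` still requests a client certificate when the enforcer is off cannot be told from here, because its body lies outside the hunk.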
@@ -41,7 +44,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
super.getConfig(connectorBuilder);
connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
.pathWhitelist(INSECURE_WHITELISTED_PATHS)
- .enable(true));
+ .enable(enforceClientAuth));
}
}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 484021ad4d5..073503e9341 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -338,7 +338,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
JettyHttpServer server = cluster.getHttp().getHttpServer();
String serverName = server.getComponentId().getName();
HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get())
+ ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
: new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
server.addConnector(connectorFactory);
}
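Review bot: The bare `true` ending the first branch does not say what it switches on, and the second branch relies on the two-argument constructor's implicit `false`, so the security decision is invisible at this call site. Spelling it out in both branches makes it reviewable, e.g. `: new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), null, false);`. The commit title ties enforcement to the public system, but here it follows `authorizeClient`, whose derivation is outside this hunk; a one-line comment stating how the two relate would help the next reader. The config-model diffstat lists no test change, so a test pinning "enforcer disabled when `authorizeClient` is false" looks to be missing unless it lives in another module.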