From 11682f96c58cd3ef457d81fa5f61f71a628be07d Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Tue, 13 Aug 2019 15:01:18 +0200
Subject: Add Jetty handler that enforces TLS client authentication at http layer
---
 .../src/main/resources/configdefinitions/jdisc.http.connector.def | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def')
diff --git a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
index c6c6fad345b..9ffcc9c41b5 100644
--- a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
+++ b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
@@ -73,3 +73,11 @@ ssl.caCertificateFile string default=""
 # Client authentication mode. See SSLEngine.getNeedClientAuth()/getWantClientAuth() for details.
 ssl.clientAuth enum { DISABLED, WANT_AUTH, NEED_AUTH } default=DISABLED
+
+# Enforce TLS client authentication for https requests at the http layer.
+# Intended to be used with connectors with optional client authentication enabled.
+# 401 status code is returned for requests from non-authenticated clients.
+tlsClientAuthEnforcer.enable bool default=false
+
+# Paths where client authentication should not be enforced. To be used in combination with NEED_AUTH. Typically used for health checks.
+tlsClientAuthEnforcer.pathWhitelist[] string
-- 
cgit v1.2.3
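Review bot: The comment on `tlsClientAuthEnforcer.pathWhitelist[]` says it is "To be used in combination with NEED_AUTH", which conflicts with the `tlsClientAuthEnforcer.enable` comment a few lines above stating that the enforcer is intended for connectors with optional client authentication. With NEED_AUTH the TLS handshake already rejects a client that presents no certificate, so an unauthenticated health check would never reach the http-layer whitelist; the whitelist can only take effect together with WANT_AUTH. The comment should presumably read `# Paths where client authentication should not be enforced. To be used in combination with WANT_AUTH. Typically used for health checks.`. It also leaves open whether entries are matched exactly or as prefixes, which determines how much each whitelist entry exposes; a sentence stating the matching rule (the handler itself is not in this hunk) would let operators keep the whitelist minimal.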