Alon Bar-Lev has uploaded a new change for review. Change subject: authentication: pki: cleanup ......................................................................
authentication: pki: cleanup
- no need for static context verifier
- support non secured with no store
- simplify flow
Change-Id: Ie12f9bb3156ef280147a19c55bab019517b33ee9
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M ovirt-engine-reports/EngineAuthentication/src/main/java/org/ovirt/authentication/EngineSimplePreAuthFilter.java
1 file changed, 49 insertions(+), 47 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-reports refs/changes/34/23534/1
diff --git a/ovirt-engine-reports/EngineAuthentication/src/main/java/org/ovirt/authentication/EngineSimplePreAuthFilter.java b/ovirt-engine-reports/EngineAuthentication/src/main/java/org/ovirt/authentication/EngineSimplePreAuthFilter.java
index 9ca1336..78ead0d 100755
--- a/ovirt-engine-reports/EngineAuthentication/src/main/java/org/ovirt/authentication/EngineSimplePreAuthFilter.java
+++ b/ovirt-engine-reports/EngineAuthentication/src/main/java/org/ovirt/authentication/EngineSimplePreAuthFilter.java
@@ -63,11 +63,6 @@
 private final Log logger = LogFactory.getLog(EngineSimplePreAuthFilter.class);
 private boolean sslIgnoreCertErrors = false;
 private boolean sslIgnoreHostVerification = false;
- private static final HostnameVerifier IgnoredHostnameVerifier = new HostnameVerifier() {
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- };
 @Override
 protected Object getPreAuthenticatedCredentials(HttpServletRequest arg0) {
@@ -124,31 +119,62 @@
 * This method creates the URL connection, whether it is a secured connection or not.
 */
 private HttpURLConnection createURLConnection() throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, KeyManagementException {
- boolean secured = servletURL.startsWith("https");
+
+ logger.debug(
+ String.format(
+ "createURLConnection: servletURL=%s, sslIgnoreCertErrors=%s, sslIgnoreHostVerification=%s, trustStorePath=%s",
+ servletURL,
+ sslIgnoreCertErrors,
+ sslIgnoreHostVerification,
+ trustStorePath
+ )
+ );
 URL url = new URL(servletURL);
- HttpURLConnection servletConnection;
+ HttpURLConnection servletConnection = (HttpURLConnection) url.openConnection();
- if (secured) {
- if (trustStorePassword == null || trustStorePath == null) {
- logger.error("The Supplied URL is secured, however no trust store path or password were supplied.");
- return null;
+ if ("https".equals(url.getProtocol())) {
+ TrustManager[] trustManagers;
+ if (sslIgnoreCertErrors) {
+ trustManagers = new TrustManager[] {
+ new X509TrustManager() {
+ @Override
+ public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {}
+ @Override
+ public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {}
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[] {};
+ }
+ }
+ };
 }
- HttpsURLConnection securedConnection = (HttpsURLConnection) url.openConnection();
- KeyStore trustStore = KeyStore.getInstance(trustStoreType);
- trustStore.load(new FileInputStream(trustStorePath), trustStorePassword.toCharArray());
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(trustStore);
+ else {
+ if (trustStorePassword == null || trustStorePath == null) {
+ throw new RuntimeException("The Supplied URL is secured, however no trust store path or password were
supplied.");
+ }
+ KeyStore trustStore = KeyStore.getInstance(trustStoreType);
+ trustStore.load(new FileInputStream(trustStorePath), trustStorePassword.toCharArray());
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustManagerFactory.init(trustStore);
+ trustManagers = trustManagerFactory.getTrustManagers();
+ }
+
 SSLContext ctx = SSLContext.getInstance(sslProtocol);
- initSslcontext(ctx, trustManagerFactory);
- securedConnection.setSSLSocketFactory(ctx.getSocketFactory());
+ ctx.init(null, trustManagers, null);
+
+ HttpsURLConnection httpsConnection = (HttpsURLConnection)servletConnection;
+ httpsConnection.setSSLSocketFactory(ctx.getSocketFactory());
 if (sslIgnoreHostVerification) {
- logger.debug("sslIgnoreHostVerification mode");
- securedConnection.setHostnameVerifier(IgnoredHostnameVerifier);
+ httpsConnection.setHostnameVerifier(
+ new HostnameVerifier() {
+ @Override
+ public boolean verify(String hostname, SSLSession session) {
+ return true;
+ }
+ }
+ );
 }
- servletConnection = securedConnection;
- } else {
- servletConnection = (HttpURLConnection) url.openConnection();
 }
 servletConnection.setRequestMethod("POST");
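Review bot: The `FileInputStream` opened inline in `trustStore.load(new FileInputStream(trustStorePath), trustStorePassword.toCharArray());` in the new `else` branch is never closed, so every HTTPS connection set up through this path leaks a file descriptor; open it in a scope that closes it on every path, e.g. `try (FileInputStream in = new FileInputStream(trustStorePath)) { trustStore.load(in, trustStorePassword.toCharArray()); }` (or the equivalent try/finally with `in.close()` if the project does not build with Java 7 or later). The `sslIgnoreCertErrors` branch now installs the trust-all `X509TrustManager` with no trace beyond the debug-level flag dump at the top of the method (the old per-mode debug lines were dropped), so an operator reading the log would not notice that server certificate validation is disabled; a `logger.warn("sslIgnoreCertErrors is set, the server certificate of " + servletURL + " is not validated");` next to the trust-manager assignment, and the same for the always-true `HostnameVerifier` under `sslIgnoreHostVerification`, would make that state visible. The new `throw new RuntimeException(...)` for a missing trust store path/password is a configuration error and would read better as `IllegalStateException` with the same message. createURLConnection's body continues into the next hunk beyond the `setRequestMethod("POST")` context line.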
@@ -158,30 +184,6 @@
 servletConnection.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
 return servletConnection;
- }
-
- private void initSslcontext(SSLContext ctx, TrustManagerFactory trustManagerFactory) throws KeyManagementException {
- if (sslIgnoreCertErrors) {
- logger.debug("sslIgnoreCertErrors mode");
- ctx.init(null, new TrustManager[] { new X509TrustManager() {
-
- @Override
- public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-
- } }, null);
- } else {
- ctx.init(null, trustManagerFactory.getTrustManagers(), null);
- }
 }
 /*
--
To view, visit http://gerrit.ovirt.org/23534
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie12f9bb3156ef280147a19c55bab019517b33ee9
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-reports
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
