Dmitry Mashkov created NIFI-7064:
------------------------------------
Summary: Support 2-way SSL by InvokeHTTP processor
Key: NIFI-7064
URL: https://issues.apache.org/jira/browse/NIFI-7064
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework, Security
Affects Versions: 1.10.0
Reporter: Dmitry Mashkov
Attachments: InvokeHTTP_2-way_SSL_support.patch
HandleHTTPRequest processor as server, supports 2Way SSL( ie client
authentication). InvokeHTTP processor as client, unfortunately not. I would
like provide my patch for InvokeHTTP processor.See attach.
Here some comments for code.
I added Client.Auth methods
I added hostname validator.
Due to original code base and chosen HTTP client, I changed OkHttpClient
reference to OkHttpClient.Builder for host validation handler. I have not way
to support EL in properties and pass them to handler from setupto trigger via
context.
{code:java}
AtomicReference<OkHttpClient.Builder> okHttpClientBuilderAtomicReferenc{code}
Most hard and long operations done before while scheduler starts, building
client is relatively lightweight.
Some comments about host validator, reasons to do this. My case is build
RESTful services with 2-way SSL authentication by IP. Remote client can be a
servers at same time, like mutual communication, but no domains, only IPs in
green field. More over, clients can change dynamically their IP due to selected
channel, LAN or Cellular, here is not way to provide SAN to certificate at
configuration. Now you can provide dynamically via EL/param IP addresses to
check hostname for client authentication.
PS. It's not clear code, why processor build SSLContext in SSL Context
Controlller, but not use it anyhow? This is strange and unclear, possibly, here
we can reduce the code.
PPS. It not clear, how to build tests for this case.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
