chibenwa commented on a change in pull request #750:
URL: https://github.com/apache/james-project/pull/750#discussion_r751048756
##########
File path:
server/protocols/protocols-library/src/test/resources/testServerPlain.xml
##########
@@ -0,0 +1,9 @@
+<testerver enabled="true">
+ <jmxName>testserver-custom</jmxName>
+ <bind>0.0.0.0:25</bind>
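Review bot: the `<bind>0.0.0.0:25</bind>` line makes this test server listen on every interface and on a privileged port, which usually requires elevated privileges on Unix-like systems and exposes the test listener beyond the local machine while the build runs. For a test resource, bind to loopback with an ephemeral port, for example `127.0.0.1:0`. Also check the root element on the first added line: it reads `testerver` while the JMX name below it is `testserver-custom`, so confirm the spelling is intended and matches the closing tag.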
Review comment:
```suggestion
<bind>0.0.0.0:0</bind>
```
Binding a non-fixed port is cleaner as it ensures the build can run several
times concurrently on the same computer.
The port can then be retrieved programmatically in the tests.
##########
File path:
protocols/netty/src/main/java/org/apache/james/protocols/netty/AbstractSSLAwareChannelPipelineFactory.java
##########
@@ -64,6 +66,12 @@ public ChannelPipeline getPipeline() throws Exception {
if (enabledCipherSuites != null && enabledCipherSuites.length > 0)
{
engine.setEnabledCipherSuites(enabledCipherSuites);
}
+ if (Boolean.TRUE.equals(clientAuth)) {
+ engine.setNeedClientAuth(true);
+ }
+ if (Boolean.FALSE.equals(clientAuth)) {
+ engine.setWantClientAuth(true);
+ }
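Review bot: the second added condition maps `clientAuth == FALSE` to `engine.setWantClientAuth(true)`, so a value of false still asks the client for a certificate and only an unset (null) value leaves client authentication off. That three-state meaning is not visible from the name and is not documented in the hunk; an enum with explicit none/want/need values, or at least a comment at this spot, would keep an operator from assuming that false disables client certificates. Any simplification of the two conditions needs to keep the null case distinct.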
Review comment:
```suggestion
if (clientAuth) {
    engine.setNeedClientAuth(true);
} else {
    engine.setWantClientAuth(true);
}
```
Looks simpler?
##########
File path:
server/apps/distributed-app/docs/modules/ROOT/pages/configure/ssl.adoc
##########
@@ -84,6 +84,29 @@ Please note `JKS` keystore format is also supported (default
value if no keystor
</tls>
....
+When you enable TLS, you may also configure the server to request a client
certificate for authentication:
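Review bot: "request a client certificate" in the added sentence does not say whether a client without a certificate is still allowed to connect. State for each accepted value of the setting whether the certificate is optional or the handshake is refused without one, and say which trust material the server validates the presented certificate against.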
Review comment:
```suggestion
=== Client authentication via certificates
When you enable TLS, you may also configure the server to request a client
certificate for authentication:
```
We might like to have a dedicated (sub) section dedicated to client
authentication...
##########
File path:
protocols/netty/src/main/java/org/apache/james/protocols/netty/BasicChannelUpstreamHandler.java
##########
@@ -215,6 +215,14 @@ protected ProtocolSession
createSession(ChannelHandlerContext ctx) throws Except
if (enabledCipherSuites != null && enabledCipherSuites.length > 0)
{
engine.setEnabledCipherSuites(enabledCipherSuites);
}
+ Boolean clientAuth = secure.getClientAuth();
+ if (Boolean.TRUE.equals(clientAuth)) {
+ engine.setNeedClientAuth(true);
+ }
+ if (Boolean.FALSE.equals(clientAuth)) {
+ engine.setWantClientAuth(true);
+ }
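Review bot: these added lines repeat the client-auth block that the hunk in AbstractSSLAwareChannelPipelineFactory.java also adds, so the two code paths can drift apart. Move the mapping into one shared helper that takes the `SSLEngine` and the value of `secure.getClientAuth()`, and document there that the `Boolean` is nullable, with null meaning no client certificate is requested.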
Review comment:
Idem
```suggestion
if (clientAuth) {
    engine.setNeedClientAuth(true);
} else {
    engine.setWantClientAuth(true);
}
```
?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.