[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
exceptionfactory commented on a change in pull request #4737: URL: https://github.com/apache/nifi/pull/4737#discussion_r552900595 ## File path: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java ## @@ -193,7 +193,7 @@ .description("Client Authentication policy for TLS connections. Required when SSL Context Service configured.") .required(false) .allowableValues(ClientAuth.values()) -.defaultValue(ClientAuth.REQUIRED.name()) Review comment: Previous behavior inferred requiring a client certificate when the `SSLContextService` was configured with trust store properties, falling back to wanting a client certificate in the absence of trust store properties. Making `REQUIRED` the default value going forward sounds like the best approach. Perhaps putting a comment in future release notes indicating this change in behavior would be worthwhile for users of `ListenHTTP` who do not require clients to provide certificates. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
exceptionfactory commented on a change in pull request #4737: URL: https://github.com/apache/nifi/pull/4737#discussion_r552897870 ## File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java ## @@ -56,26 +56,36 @@ } /** - * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred - * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated + * create methods due to not requiring a client authentication policy. + * + * @return {@link SSLContext} initialized using configured properties + */ +SSLContext createContext(); + +/** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated + * due to {@link org.apache.nifi.security.util.ClientAuth} not being applicable or used when initializing the + * {@link SSLContext} * * @param clientAuth the desired level of client authentication * @return the configured SSLContext * @throws ProcessException if there is a problem configuring the context */ -SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException; +@Deprecated +SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException; /** * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated Review comment: Added This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
exceptionfactory commented on a change in pull request #4737: URL: https://github.com/apache/nifi/pull/4737#discussion_r552897747 ## File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java ## @@ -56,26 +56,36 @@ } /** - * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred - * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated + * create methods due to not requiring a client authentication policy. + * + * @return {@link SSLContext} initialized using configured properties + */ +SSLContext createContext(); + +/** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated Review comment: Added This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4737: NIFI-8096 Deprecated ClientAuth references in SSLContextService
exceptionfactory commented on a change in pull request #4737: URL: https://github.com/apache/nifi/pull/4737#discussion_r552897685 ## File path: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java ## @@ -238,41 +238,55 @@ public TlsConfiguration createTlsConfiguration() { } /** - * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred - * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated + * methods due to not requiring a client authentication policy. Invokes createTlsConfiguration() to prepare + * properties for processing. + * + * @return {@link SSLContext} initialized using configured properties + */ +@Override +public SSLContext createContext() { +final TlsConfiguration tlsConfiguration = createTlsConfiguration(); +if (!tlsConfiguration.isTruststorePopulated()) { +getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities"); +} + +try { +final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration); +return SslContextFactory.createSslContext(tlsConfiguration, trustManagers); +} catch (final TlsException e) { +getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()}); +throw new ProcessException("Unable to create SSLContext", e); +} +} + +/** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated + * due to the Client Authentication policy not being applicable when initializing the SSLContext * * @param clientAuth the desired level of client authentication * @return the configured SSLContext * @throws ProcessException if there is a problem configuring the context */ +@Deprecated @Override public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException { -try { -final TlsConfiguration tlsConfiguration = createTlsConfiguration(); -if (!tlsConfiguration.isTruststorePopulated()) { -getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities"); -} -final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration); -return SslContextFactory.createSslContext(tlsConfiguration, trustManagers, clientAuth); -} catch (TlsException e) { -getLogger().error("Encountered an error creating the SSL context from the SSL context service: {}", new String[]{e.getLocalizedMessage()}); -throw new ProcessException("Error creating SSL context", e); -} +return createContext(); } /** * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated Review comment: Added This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org