felix-dev mailing list archives

From Jan Willem Janssen <janwillem.jans...@luminis.eu>
Subject Re: Accepting all client certificates (FELIX-4797)
Date Fri, 06 Mar 2015 11:02:35 GMT

> On 06 Mar 2015, at 11:41, Carsten Ziegeler <cziegeler@apache.org> wrote:
> On 05.03.15 at 16:06, Pascal Mainini wrote:
>> I understand your point about the setting being dangerous (however I
>> would expect someone configuring authentication with client certificates
>> to be able to grasp the implications of it ;-)
> Yeah, that would be ideal :)
>> We see the following possibilities:
>> 1. (for completeness) patch as-is
>> 2. The patch but without metatype-definitions (thus the feature could
>>   not directly be configured over configmgr-gui, needing more
>>   interaction from the user)
>> 3. Extend the code to make this injectable as a service
>> What do you think?
> Ok, I guess 3. is maybe really overkill, especially as we would have to
> introduce an API package for the Jetty implementation (which we
> currently do not have).

Actually, we have: you could create your own ConnectorFactory in which you
create your own all-trusting SSLContext and add it to your own (SSL-based)
ServerConnector. You could register this connector factory as managed
service as well so you can configure it at runtime if you would like.

> 1. scares me :) , 2. sounds like a good compromise for me.

I still would prefer not to include this patch at all: it is rather hard to
get client certificates properly configured (have been involved in such
situation a couple of times), and IMO this setting would give users a fake
sense of security as it appears that everything is accepted and looks well,
while in fact it isn’t.

Met vriendelijke groeten | Kind regards

Jan Willem Janssen | Software Architect
+31 631 765 814

My world is revolving around INAETICS and Amdatu

Luminis Technologies B.V.
Churchillplein 1
7314 BZ   Apeldoorn
+31 88 586 46 00


KvK (CoC) 09 16 28 93
BTW (VAT) NL8169.78.566.B.01
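The alternative Jan sketches above (an own ConnectorFactory with an own SSLContext and ServerConnector, registered as a managed service) looks roughly like the following. This is an added example, not code from the thread or from the Felix project: it assumes the Felix HTTP Jetty `org.apache.felix.http.jetty.ConnectorFactory` interface exposes a single `createConnector(Server)` method, targets the Jetty 9.x API, and uses a hypothetical PID, configuration keys and key/trust store paths. Rather than the all-trusting context the patch would add, it does what the thread argues for: a client certificate is required and must chain to a CA in an explicit trust store, so a misconfigured client fails the handshake instead of silently "looking well".

```java
package example.felix.connector; // hypothetical package, not part of Felix

import java.util.Dictionary;
import java.util.Hashtable;

import org.apache.felix.http.jetty.ConnectorFactory; // assumed Felix HTTP Jetty SPI
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedService;

/**
 * Builds an HTTPS connector that requires a client certificate and validates
 * it against an explicit trust store. Registered as both ConnectorFactory
 * (picked up by the Felix Jetty bundle) and ManagedService (configured via
 * Config Admin at runtime), as suggested in the thread.
 */
public class ClientCertConnectorFactory implements ConnectorFactory, ManagedService, BundleActivator {

    static final String PID = "example.clientcert.connector"; // hypothetical PID

    // Defaults; overridden by Config Admin through updated(). Paths are placeholders.
    private volatile String keyStorePath = "/etc/example/server.p12";
    private volatile String keyStorePassword = "changeit";
    private volatile String trustStorePath = "/etc/example/client-ca.p12";
    private volatile String trustStorePassword = "changeit";
    private volatile int port = 8443;

    @Override
    public void start(BundleContext context) {
        Dictionary<String, Object> props = new Hashtable<>();
        props.put(Constants.SERVICE_PID, PID);
        context.registerService(
            new String[] { ConnectorFactory.class.getName(), ManagedService.class.getName() },
            this, props);
    }

    @Override
    public void stop(BundleContext context) {
        // The framework unregisters this bundle's services on stop.
    }

    @Override
    public void updated(Dictionary<String, ?> config) throws ConfigurationException {
        if (config == null) {
            return; // configuration deleted: keep the defaults
        }
        keyStorePath = required(config, "keystore.path");
        keyStorePassword = required(config, "keystore.password");
        trustStorePath = required(config, "truststore.path");
        trustStorePassword = required(config, "truststore.password");
        port = Integer.parseInt(required(config, "port"));
    }

    private static String required(Dictionary<String, ?> config, String key) throws ConfigurationException {
        Object value = config.get(key);
        if (value == null) {
            throw new ConfigurationException(key, "missing value");
        }
        return String.valueOf(value);
    }

    @Override
    public Connector createConnector(Server server) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keyStorePath);
        ssl.setKeyStorePassword(keyStorePassword);
        // Only certificates chaining to a CA in this store are accepted; this is
        // exactly the check an all-trusting SSLContext would remove.
        ssl.setTrustStorePath(trustStorePath);
        ssl.setTrustStorePassword(trustStorePassword);
        ssl.setNeedClientAuth(true);      // no client certificate: handshake fails
        ssl.setValidateCerts(true);       // validate our own certificate chain
        ssl.setValidatePeerCerts(true);   // validate the client's chain
        ssl.setExcludeProtocols("SSLv3");

        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(port);
        // Makes the verified client certificate available to servlets via
        // the javax.servlet.request.X509Certificate attribute.
        httpConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpConfig));
        connector.setPort(port);
        return connector;
    }
}
```

Because the trust store is an explicit file under the operator's control, "which clients are accepted" is answered by listing its CA entries, which is a check an operator can actually perform; with an accept-all trust manager there is nothing to inspect, which is the false sense of security the message above describes.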