Posted to commits@knox.apache.org by lm...@apache.org on 2022/07/26 17:20:11 UTC
[knox] branch master updated: KNOX-2772 - add configuration for jetty renegotiation (#605)
This is an automated email from the ASF dual-hosted git repository.
lmccay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 07cd031e1 KNOX-2772 - add configuration for jetty renegotiation (#605)
07cd031e1 is described below
commit 07cd031e1ee2e6be14308749d61cb5a495a6fe11
Author: 南慧荣 <na...@gmail.com>
AuthorDate: Wed Jul 27 01:20:06 2022 +0800
KNOX-2772 - add configuration for jetty renegotiation (#605)
---
.../apache/knox/gateway/config/impl/GatewayConfigImpl.java | 6 ++++++
.../knox/gateway/services/security/impl/JettySSLService.java | 2 ++
.../knox/gateway/config/impl/GatewayConfigImplTest.java | 12 ++++++++++++
.../gateway/services/security/impl/JettySSLServiceTest.java | 1 +
.../main/java/org/apache/knox/gateway/GatewayTestConfig.java | 5 +++++
.../java/org/apache/knox/gateway/config/GatewayConfig.java | 2 ++
6 files changed, 28 insertions(+)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index 3e45bac36..ba572a23b 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -177,6 +177,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
private static final String SSL_INCLUDE_CIPHERS = "ssl.include.ciphers";
private static final String SSL_EXCLUDE_CIPHERS = "ssl.exclude.ciphers";
+ private static final String SSL_RENEGOTIATION = "ssl.renegotiation";
// END BACKWARD COMPATIBLE BLOCK
public static final String DEFAULT_HTTP_PORT = "8888";
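Review bot: The new `SSL_RENEGOTIATION` key is declared directly above `// END BACKWARD COMPATIBLE BLOCK`, which suggests this list is reserved for legacy property names, while a property introduced by this commit has no compatibility constraint. The start of the block is outside the hunk, so this is inferred from the end marker only. If the placement is deliberate, to keep it beside the other `ssl.*` keys, a one-line comment such as `// new in KNOX-2772; kept here to group with the other ssl.* keys` would record that.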
@@ -602,6 +603,11 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
return list;
}
+ @Override
+ public boolean isSSLRenegotiationAllowed() {
+ return getBoolean(SSL_RENEGOTIATION, true);
+ }
+
@Override
public boolean isClientAuthNeeded() {
return Boolean.parseBoolean(get( CLIENT_AUTH_NEEDED, "false" ));
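Review bot: `getBoolean(SSL_RENEGOTIATION, true)` in `isSSLRenegotiationAllowed()` appears to fail open. If `Configuration` here is Hadoop's, an unparsable value (for example a typo of `false`) falls back to the default, so renegotiation stays enabled even though the operator tried to turn it off. The neighbouring `isClientAuthNeeded()` uses `Boolean.parseBoolean(get(...))`, which treats anything other than `true` as `false`. Writing the new getter the same way, `return Boolean.parseBoolean(get(SSL_RENEGOTIATION, "true"));`, keeps the existing default but makes a malformed value disable renegotiation. Since the default leaves renegotiation on, the getter should also carry a comment saying this is kept for compatibility and that deployments without a client need for it should set `ssl.renegotiation` to `false`.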
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
index 867e3df88..55f297ecf 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
@@ -224,6 +224,8 @@ public class JettySSLService implements SSLService {
if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
sslContextFactory.setExcludeProtocols( sslExcludeProtocols.toArray(new String[0]) );
}
+
+ sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed());
return sslContextFactory;
}
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
index 5ec699b53..9fe737edd 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
@@ -167,6 +167,18 @@ public class GatewayConfigImplTest {
assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
}
+ // KNOX-2772
+ @Test
+ public void testisSSLRenegotiationAllowed() {
+ GatewayConfigImpl config = new GatewayConfigImpl();
+ boolean isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+ assertThat( isSSLRenegotiationAllowed, is(true));
+
+ config.set("ssl.renegotiation", "false");
+ isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+ assertThat( isSSLRenegotiationAllowed, is(false));
+ }
+
@Test( timeout = TestUtils.SHORT_TIMEOUT )
public void testGlobalRulesServices() {
GatewayConfigImpl config = new GatewayConfigImpl();
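Review bot: The added test is named `testisSSLRenegotiationAllowed`, which breaks the camel-case pattern of the surrounding tests; `testIsSSLRenegotiationAllowed` would match. It also omits the `timeout = TestUtils.SHORT_TIMEOUT` argument that the following test passes to `@Test`. The test covers the unset and `"false"` cases only; a third assertion after `config.set("ssl.renegotiation", "not-a-boolean")` would pin down what a malformed value does, which is the security-relevant case for this switch.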
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
index eb667ea0d..51cdf0508 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
@@ -481,6 +481,7 @@ public class JettySSLServiceTest {
expect(config.getIncludedSSLCiphers()).andReturn(null).atLeastOnce();
expect(config.getExcludedSSLCiphers()).andReturn(null).atLeastOnce();
expect(config.getExcludedSSLProtocols()).andReturn(null).atLeastOnce();
+ expect(config.isSSLRenegotiationAllowed()).andReturn(true).atLeastOnce();
return config;
}
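Review bot: The added expectation only ever returns `true`, so nothing in this test class shows that a `false` setting actually reaches Jetty. The helper that builds this mock starts outside the hunk, so there may be a way to parameterise it that is not visible here. A case that has the mock return `false` and then checks the built factory, for example `assertFalse(sslContextFactory.isRenegotiationAllowed());`, would cover the path operators rely on when they disable renegotiation. The same gap applies to the `GatewayTestConfig` hunk, where `isSSLRenegotiationAllowed()` is hard-coded to `return true;` with no setter, unlike `setExcludedSSLCiphers` next to it, so tests built on that class cannot exercise the disabled state.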
diff --git a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 24d07b430..e493892bc 100644
--- a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -300,6 +300,11 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
return excludedSSLCiphers;
}
+ @Override
+ public boolean isSSLRenegotiationAllowed() {
+ return true;
+ }
+
public void setExcludedSSLCiphers( List<String> list ) {
excludedSSLCiphers = list;
}
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index bf6eee3b1..68cf6ff15 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -177,6 +177,8 @@ public interface GatewayConfig {
List<String> getExcludedSSLCiphers();
+ boolean isSSLRenegotiationAllowed();
+
boolean isHadoopKerberosSecured();
String getKerberosConfig();
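Review bot: `isSSLRenegotiationAllowed()` is added to the public `GatewayConfig` interface without Javadoc, so implementers and operators cannot tell from the SPI what the flag controls or what its default is. The neighbouring methods visible in this hunk are also undocumented, but a security-relevant switch is worth the exception. I would add `/** @return true if the gateway's TLS listener permits renegotiation on established connections; set via ssl.renegotiation, defaults to true */` above the declaration.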