
Conversation

@ignasi35
Member

@ignasi35 ignasi35 commented Sep 28, 2018

Fixes

AkkaHttpServer didn't honour some HTTPS-related settings:

```
play {
  server {
    # HTTPS configuration
    https {
      # Whether JSSE want client auth mode should be used. This means, the server
      # will request a client certificate, but won't fail if one isn't provided.
      wantClientAuth = false

      # Whether JSSE need client auth mode should be used. This means, the server
      # will request a client certificate, and will fail and terminate the session
      # if one isn't provided.
      needClientAuth = false
    }
  }
}
```

@ignasi35
Member Author

I marked it as needs-backport but it actually needs forward-port (we don't have a label for that).

@dwijnand
Member

> (we don't have a label for that)

Buy contact lenses.

@dwijnand dwijnand (Member) left a comment

Looks reasonable to me!

```scala
val sslContext = mockSslContext()
ConnectionContext.https(sslContext = sslContext)

val playServerConfig = context.config.configuration.get[Configuration]("play.server")
```
Member

Since we made parserSettings and createServerSettings overridable, we should make the same here. I think that what we have for parserSettings (lazy val and create method) is what we should do here.

Contributor

parserSettings is not a lazy val

```scala
val sslContext = mockSslContext()
ConnectionContext.https(sslContext = sslContext)

val playServerConfig = context.config.configuration.get[Configuration]("play.server")
```
Member

There is a serverConfig you can reuse here.

Member Author

Good call. Missed that.


```scala
val playServerConfig = context.config.configuration.get[Configuration]("play.server")
val clientAuth: Option[TLSClientAuth] =
if (playServerConfig.get[Boolean]("https.needClientAuth")) {
```
Member

Maybe add a comment saying that need has a precedence over want?

Member Author

TBH, I'm not entirely sure what the precedence is. The Java API for SSLEngine only indicates that invoking both setNeedClientAuth and setWantClientAuth overrides each other, so the last one wins. Using an ADT is better but forces us to choose. The implementation in NettyServer also gives need precedence over want (https://github.com/playframework/playframework/blob/master/framework/src/play-netty-server/src/main/scala/play/core/server/NettyServer.scala#L170-L175)

https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLEngine.html#setNeedClientAuth-boolean-

Member

Intuitively, in English, need has precedence over want. I need oxygen. I want gelato.

@ignasi35
Member Author

> Buy contact lenses.

puts contact lenses on top of glasses

@ignasi35
Member Author

We discussed two choices to test this:

  1. a scripted test that reuses the reproducer, but it's a scripted test that will require some rework or depending on curl and exec
  2. create a purely programmatic test that:
    1. creates a client CA and a client certificate in keystore client.jks
    2. creates a server CA and a server certificate in keystore server.jks
    3. adds each CA as a trusted element on the other keystore client.jks
    4. programmatically starts a play app with netty or akka http backends (with SSL enabled and configured to use server.jks). The play app must enable needClientAuth.
    5. programmatically starts a client configured to use client.jks
      NOTE: in 2. the certificate should use the appropriate CN (probably localhost).
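The programmatic test plan above, worked through as an added example that is not part of this pull request or of Play's code base. It is written in Go rather than Play's Scala so that it runs stand-alone with only the standard library: `crypto/x509` stands in for the keystore generation steps and `crypto/tls` client-auth modes stand in for the JSSE flags, with `VerifyClientCertIfGiven` in the role of `wantClientAuth` and `RequireAndVerifyClientCert` in the role of `needClientAuth`. The `clientAuthFor` function also encodes the need-over-want precedence settled on in the review thread. That mapping, the CA and certificate names, the `localhost` CN and the three scenarios are this example's own assumptions, and every certificate is throwaway material generated at run time:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// clientAuthFor maps Play's two booleans onto one client-auth mode. Giving need
// precedence over want is this example's choice (the NettyServer rule cited above).
func clientAuthFor(want, need bool) tls.ClientAuthType {
	switch {
	case need:
		return tls.RequireAndVerifyClientCert // JSSE needClientAuth: no cert, no session
	case want:
		return tls.VerifyClientCertIfGiven // JSSE wantClientAuth: requested, but optional
	default:
		return tls.NoClientCert
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key and certificate for cn (constructed test material):
// a self-signed CA when parent == nil, else a leaf signed by parent with eku.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{eku}, []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake runs one TLS handshake over loopback: the server uses mode and trusts
// clientCA; the client trusts serverCA and offers clientCerts (nil = no certificate).
func handshake(mode tls.ClientAuthType, server tls.Certificate, serverCA *x509.Certificate, clientCerts []tls.Certificate, clientCA *x509.Certificate) error {
	clientPool, serverPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(clientCA)
	serverPool.AddCert(serverCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, ClientAuth: mode, ClientCAs: clientPool,
	})
	must(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	cfg := &tls.Config{RootCAs: serverPool, ServerName: "localhost", Certificates: clientCerts}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // Dial completes the handshake
	if err != nil {
		return err // under TLS 1.2 a rejected client certificate surfaces here
	}
	defer conn.Close()
	return <-srvErr // under TLS 1.3 only the server sees the rejection; nil means both sides completed
}

// RunScenarios follows the plan above: separate client and server CAs, one leaf
// from each, then the three handshakes that tell needClientAuth from wantClientAuth.
func RunScenarios() (needWithCert, needWithoutCert, wantWithoutCert bool) {
	serverCA, serverKey, _ := issue("Test Server CA", nil, nil, 0)
	clientCA, clientKey, _ := issue("Test Client CA", nil, nil, 0)
	_, _, serverCert := issue("localhost", serverCA, serverKey, x509.ExtKeyUsageServerAuth)
	_, _, clientCert := issue("test-client", clientCA, clientKey, x509.ExtKeyUsageClientAuth)
	need, want := clientAuthFor(false, true), clientAuthFor(true, false)
	return handshake(need, serverCert, serverCA, []tls.Certificate{clientCert}, clientCA) == nil,
		handshake(need, serverCert, serverCA, nil, clientCA) == nil,
		handshake(want, serverCert, serverCA, nil, clientCA) == nil
}

func main() { fmt.Println(RunScenarios()) } // prints: true false true
```

One caveat worth carrying over to the real Play test: under TLS 1.3 the client's handshake call returns before the server has checked the client certificate, so a missing certificate under needClientAuth is reported only to the server, or to the client on its next read. A test that asserts on the client's handshake result alone can therefore pass against a server that still terminates the session; check the server side, or attempt a read on the client, as the example does by collecting the server's result.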

@octonato
Contributor

> puts contact lenses on top of glasses

try putting it behind

@dwijnand dwijnand merged commit d286269 into playframework:2.6.x Oct 3, 2018
@octonato octonato mentioned this pull request Oct 4, 2018
marcospereira added a commit that referenced this pull request Nov 6, 2018
…8774)

`AkkaHttpServer` didn't honour some HTTPS-related settings:

```
play {
  server {
    # HTTPS configuration
    https {
      # Whether JSSE want client auth mode should be used. This means, the server
      # will request a client certificate, but won't fail if one isn't provided.
      wantClientAuth = false

      # Whether JSSE need client auth mode should be used. This means, the server
      # will request a client certificate, and will fail and terminate the session
      # if one isn't provided.
      needClientAuth = false
    }
  }
}
```