From db29818ecd6c806fa056306ae91c1e4df839c549 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Mon, 30 Sep 2019 16:11:54 +0200
Subject: [PATCH] update production setup
---
 .../ethz/seb/sebserver/WebSecurityConfig.java | 56 +++++++++++--------
 1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java b/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
index 9c76f1a8..aa17eeba 100644
--- a/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
+++ b/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
@@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.client.HttpClient;
+import org.apache.http.conn.ssl.TrustAllStrategy;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.ssl.SSLContextBuilder;
 import org.slf4j.Logger;
@@ -156,31 +157,42 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
 final String truststoreFilePath = env
 .getProperty("server.ssl.trust-store", "");
+ SSLContext sslContext = null;
 if (StringUtils.isBlank(truststoreFilePath)) {
- throw new IllegalArgumentException("Missing trust-store file path");
+
+ log.info("Securing outgoing calls without trust-store by trusting all certificates");
+
+ sslContext = org.apache.http.ssl.SSLContexts
+ .custom()
+ .loadTrustMaterial(null, new TrustAllStrategy())
+ .build();
+
+ } else {
+
+ log.info("Securing with defined trust-store");
+
+ final File trustStoreFile = ResourceUtils.getFile("file:" + truststoreFilePath);
+
+ final char[] password = env
+ .getProperty("server.ssl.trust-store-password", "")
+ .toCharArray();
+
+ if (password.length < 3) {
+ log.error("Missing or incorrect trust-store password: " + String.valueOf(password));
+ throw new IllegalArgumentException("Missing or incorrect trust-store password");
+ }
+
+ // Set the specified trust-store also on javax.net.ssl level
+ System.setProperty("javax.net.ssl.trustStore", truststoreFilePath);
+ System.setProperty("javax.net.ssl.trustStorePassword", String.valueOf(password));
+
+ sslContext = SSLContextBuilder
+ .create()
+ .loadTrustMaterial(trustStoreFile, password)
+ .setKeyStoreType("pkcs12")
+ .build();
 }
- final File trustStoreFile = ResourceUtils.getFile("file:" + truststoreFilePath);
-
- final char[] password = env
- .getProperty("server.ssl.trust-store-password", "")
- .toCharArray();
-
- if (password.length < 3) {
- log.error("Missing or incorrect trust-store password: " + String.valueOf(password));
- throw new IllegalArgumentException("Missing or incorrect trust-store password");
- }
-
- // Set the specified trust-store also on javax.net.ssl level
- System.setProperty("javax.net.ssl.trustStore", truststoreFilePath);
- System.setProperty("javax.net.ssl.trustStorePassword", String.valueOf(password));
-
- final SSLContext sslContext = SSLContextBuilder
- .create()
- .loadTrustMaterial(trustStoreFile, password)
- .setKeyStoreType("pkcs12")
- .build();
-
 final HttpClient client = HttpClients.custom()
 .setSSLContext(sslContext)
 .build();
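Review bot: Outgoing HTTPS calls lose certificate validation whenever `server.ssl.trust-store` is blank, because the new `isBlank` branch builds the context with `loadTrustMaterial(null, new TrustAllStrategy())` where the old code refused to start. A missing or mistyped property in a production deployment then silently yields a client that accepts any certificate chain, with only an `info` log line to show for it. The branch should fail closed or fall back to the JVM default trust store, e.g. `sslContext = org.apache.http.ssl.SSLContexts.createDefault();`, and trust-all should be reachable only through an explicitly named opt-in setting that is logged at `warn`. Separately, the `log.error("Missing or incorrect trust-store password: " + String.valueOf(password))` line carried into the else branch writes the configured password to the log and should drop the value. The enclosing method starts and ends outside the hunk.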