Re: [jetty-users] Validating server certificates in Jetty HTTP Client 9.3.5.v20151012

Hi,

On Fri, Apr 15, 2016 at 6:20 PM, Alaric Snell-Pym
<alaric@xxxxxxxxxxxxxxxx> wrote:
> For my application, I need to disallow connections to certain IP ranges.
> I need to do this check with the actual IP that Jetty is about to
> connect to; I can't just resolve the hostname and check all its IPs are
> valid, then pass the URL on to Jetty, because the hostname->IP mappings
> could be changed at that point by a sufficiently clever attacker.
>
> My first attempt was to pass in my own HttpClientTransport to the
> HttpClient constructor. I subclassed the default
> HttpClientTransportOverHttp, overriding the
> connect(InetSocketAddress,Map<String,Object>) method with one that
> performed my IP address validation on the provided address, threw a
> SecurityException if it was bad, and otherwise delegated to
> super.connect(...).
>
> However, connect() never seemed to actually be called, so my IP address
> validation never happened.

That would be strange. HttpClientTransport.connect() is the sole way
to open a *new* connection to a host.
HttpClient pools connections, so perhaps you made an initial request
that opened the connection, and you were expecting the checks to
happen on a second request to the same destination?

> What I ended up doing was...

Too complicated :)

HttpClientTransport.connect() *is* being called, and perhaps that's
the way to go.
Alternatively you can provide your own SocketAddressResolver to HttpClient.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
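The second option Simone mentions, a custom SocketAddressResolver, is the simpler way to apply the IP check to the address Jetty will actually dial: the addresses the resolver hands back are the only ones HttpClient connects to, so there is no separate lookup for an attacker to race against with a DNS change. The following is an added example written for this page, not code from the thread or from the Jetty project. It assumes the Jetty 9.3 client API (`HttpClient.setSocketAddressResolver` and the `SocketAddressResolver.resolve(host, port, promise)` contract) and resolves synchronously with `InetAddress.getAllByName`, the way Jetty's own `SocketAddressResolver.Sync` does; the blocked ranges are a constructed policy for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.util.Promise;
import org.eclipse.jetty.util.SocketAddressResolver;

/**
 * Resolves a host name and refuses to hand Jetty any address that falls in a
 * blocked range. HttpClient connects only to the addresses this resolver
 * returns, so the check is applied to the IPs that will actually be dialled.
 */
public class AddressFilteringResolver implements SocketAddressResolver
{
    @Override
    public void resolve(String host, int port, Promise<List<InetSocketAddress>> promise)
    {
        try
        {
            // Blocking lookup, as SocketAddressResolver.Sync does; every
            // record is examined, since Jetty may try any of them on failure.
            InetAddress[] candidates = InetAddress.getAllByName(host);
            List<InetSocketAddress> allowed = new ArrayList<>();
            for (InetAddress address : candidates)
            {
                if (isBlocked(address))
                    continue;
                allowed.add(new InetSocketAddress(address, port));
            }
            if (allowed.isEmpty())
                promise.failed(new SecurityException("no permitted address for " + host));
            else
                promise.succeeded(allowed);
        }
        catch (UnknownHostException x)
        {
            promise.failed(x);
        }
    }

    /** Constructed policy: reject loopback, link-local, private and ULA space. */
    static boolean isBlocked(InetAddress address)
    {
        if (address.isAnyLocalAddress() || address.isLoopbackAddress()
                || address.isLinkLocalAddress() || address.isSiteLocalAddress()
                || address.isMulticastAddress())
            return true;
        byte[] raw = address.getAddress();
        // IPv6 unique local addresses (fc00::/7) are not flagged by isSiteLocalAddress().
        if (raw.length == 16 && (raw[0] & 0xFE) == 0xFC)
            return true;
        // 100.64.0.0/10 (shared address space) is not covered by isSiteLocalAddress() either.
        if (raw.length == 4 && (raw[0] & 0xFF) == 100 && (raw[1] & 0xC0) == 0x40)
            return true;
        return false;
    }

    public static void main(String[] args) throws Exception
    {
        HttpClient client = new HttpClient();
        // Must be set before start(), otherwise HttpClient installs its default resolver.
        client.setSocketAddressResolver(new AddressFilteringResolver());
        client.start();
        try
        {
            // Hypothetical target URL; a host whose records all fall in a blocked
            // range fails with the SecurityException passed to the promise.
            ContentResponse response = client.GET("http://example.org/");
            System.out.println(response.getStatus());
        }
        finally
        {
            client.stop();
        }
    }
}
```

Two points worth checking in a real deployment: the resolver runs for every new connection, so once a connection is pooled it is reused without re-resolving, exactly the pooling behaviour Simone describes above; and redirects are sent through the same HttpClient, so a redirect to an internal host goes through the same resolver and is filtered the same way.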