Unverified Commit abc1eb7f authored by Dave Cridland's avatar Dave Cridland Committed by GitHub

Merge pull request #1040 from guusdk/OF-1191_Mutual-authentication

OF-1191: Add BOSH mutual authentication config to admin console.
parents 82173602 37e0e8a9
...@@ -3225,6 +3225,13 @@ httpbind.settings.xff.forwarded_host=HTTP header for proxied Host (X-Forwarded-H ...@@ -3225,6 +3225,13 @@ httpbind.settings.xff.forwarded_host=HTTP header for proxied Host (X-Forwarded-H
httpbind.settings.xff.host_name=Host name to be returned for all proxied responses: httpbind.settings.xff.host_name=Host name to be returned for all proxied responses:
httpbind.settings.xff.label_disable=Disabled httpbind.settings.xff.label_disable=Disabled
httpbind.settings.xff.label_disable_info=Disable XFF support httpbind.settings.xff.label_disable_info=Disable XFF support
httpbind.settings.clientauth.boxtitle=Mutual Authentication
httpbind.settings.clientauth.info=In addition to requiring peers to use encryption (which will force them to verify the security certificates of this Openfire instance) an additional level of security can be enabled. With this option, the server can be configured to verify certificates that are to be provided by the peers. This is commonly referred to as 'mutual authentication'.
httpbind.settings.clientauth.label_disabled=<b>Disabled</b> - Peer certificates are not verified.
httpbind.settings.clientauth.label_wanted=<b>Wanted</b> - Peer certificates are verified, but only when they are presented by the peer.
httpbind.settings.clientauth.label_needed=<b>Needed</b> - A connection cannot be established if the peer does not present a valid certificate.
# Profile Settings # Profile Settings
profile-settings.title=Profile Settings profile-settings.title=Profile Settings
......
...@@ -2477,6 +2477,13 @@ httpbind.settings.xff.forwarded_host=Encabezado HTTP para el host con proxy (X-F ...@@ -2477,6 +2477,13 @@ httpbind.settings.xff.forwarded_host=Encabezado HTTP para el host con proxy (X-F
httpbind.settings.xff.host_name=Nombre de host a retornar para todas las respuestas con proxy: httpbind.settings.xff.host_name=Nombre de host a retornar para todas las respuestas con proxy:
httpbind.settings.xff.label_disable=Desactivado httpbind.settings.xff.label_disable=Desactivado
httpbind.settings.xff.label_disable_info=Desactivar XFF httpbind.settings.xff.label_disable_info=Desactivar XFF
httpbind.settings.clientauth.boxtitle=Autenticación Mutua
httpbind.settings.clientauth.info=Además de requerir que los pares usen cifrado (lo cual los fuerza a verificar la seguridad de los certificados de esta instancia de Openfire) se puede habilitar un nivel adicional de seguridad. Con esta opción en servidor puede ser configurado para que verifique los certificados provistos por los pares. A esto se le llama &#39;autenticación mutua&#39;.
httpbind.settings.clientauth.label_disabled=<b>Deshabilitado</b> - Los certificados de los pares no serán verificados.
httpbind.settings.clientauth.label_wanted=<b>Esperado</b> - Los certificados de los pares se verifican pero solo cuando son presentados por el par.
httpbind.settings.clientauth.label_needed=<b>Necesario</b> - No se puede establecer una conexión si el par no presentan un certificado válido.
# Profile Settings # Profile Settings
profile-settings.title=Configuración de Perfil profile-settings.title=Configuración de Perfil
......
...@@ -2681,6 +2681,11 @@ httpbind.settings.xff.label_disable=Отключить ...@@ -2681,6 +2681,11 @@ httpbind.settings.xff.label_disable=Отключить
httpbind.settings.xff.label_disable_info=Отключить поддержку XFF httpbind.settings.xff.label_disable_info=Отключить поддержку XFF
httpbind.settings.script.group=Сценарий скрипта httpbind.settings.script.group=Сценарий скрипта
httpbind.settings.crossdomain.group=Междоменные правила httpbind.settings.crossdomain.group=Междоменные правила
httpbind.settings.clientauth.boxtitle=Взаимная проверка подлинности
httpbind.settings.clientauth.info=В дополнение к требованию одноранговых узлов использовать шифрование (которое заставит их проверять сертификаты безопасности этого сервера Openfire), может быть включен дополнительный уровень безопасности. С помощью этой опции сервер может быть настроен для проверки сертификатов, которые должны быть партнерами. Это обычно называют &#39;взаимной аутентификацией&#39;.
httpbind.settings.clientauth.label_disabled=<b>Отключена</b> - Одноранговые сертификаты не проверяются.
httpbind.settings.clientauth.label_wanted=<b>Желательна</b> - Одноранговые сертификаты проверяются, но только тогда, когда они партнеры.
httpbind.settings.clientauth.label_needed=<b>Необходима</b> - Невозможно установить соединение, если абонент не предъявит действительный сертификат.
# Настройки профиля # Настройки профиля
......
...@@ -2236,6 +2236,11 @@ httpbind.settings.xff.forwarded_host=HTTP头中代理主机名称(X-Forwarded-Ho ...@@ -2236,6 +2236,11 @@ httpbind.settings.xff.forwarded_host=HTTP头中代理主机名称(X-Forwarded-Ho
httpbind.settings.xff.host_name=对全部代理回答所返回的主机名: httpbind.settings.xff.host_name=对全部代理回答所返回的主机名:
httpbind.settings.xff.label_disable=禁用 httpbind.settings.xff.label_disable=禁用
httpbind.settings.xff.label_disable_info=禁HTTP代理的XFF头。 httpbind.settings.xff.label_disable_info=禁HTTP代理的XFF头。
httpbind.settings.clientauth.boxtitle=相互认证设置
httpbind.settings.clientauth.info=
httpbind.settings.clientauth.label_disabled=<b>禁止</b> - 对等证书未验证。
httpbind.settings.clientauth.label_wanted=<b>可选</b> - 当要去时才会验证时,才对等证书进行验证。
httpbind.settings.clientauth.label_needed=<b>必须</b> - 如果对方不能出示一个有效证书,连接不能建立。
# Profile Settings # Profile Settings
......
...@@ -22,6 +22,11 @@ ...@@ -22,6 +22,11 @@
<%@ page import="org.jivesoftware.util.StringUtils" %> <%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="java.util.HashMap" %> <%@ page import="java.util.HashMap" %>
<%@ page import="java.util.Map" %> <%@ page import="java.util.Map" %>
<%@ page import="org.jivesoftware.openfire.Connection" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionConfiguration" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionManagerImpl" %>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %> <%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="admin" prefix="admin" %> <%@ taglib uri="admin" prefix="admin" %>
...@@ -47,6 +52,17 @@ ...@@ -47,6 +52,17 @@
final boolean isCORSEnabled = ParamUtils.getBooleanParameter( request, "CORSEnabled", serverManager.isCORSEnabled() ); final boolean isCORSEnabled = ParamUtils.getBooleanParameter( request, "CORSEnabled", serverManager.isCORSEnabled() );
final boolean isXFFEnabled = ParamUtils.getBooleanParameter( request, "XFFEnabled", serverManager.isXFFEnabled() ); final boolean isXFFEnabled = ParamUtils.getBooleanParameter( request, "XFFEnabled", serverManager.isXFFEnabled() );
final String CORSDomains = ParamUtils.getParameter( request, "CORSDomains", true ); final String CORSDomains = ParamUtils.getParameter( request, "CORSDomains", true );
final ConnectionManagerImpl manager = (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager();
final ConnectionConfiguration configuration = manager.getListener( ConnectionType.BOSH_C2S, true ).generateConnectionConfiguration();
final String mutualAuthenticationText = ParamUtils.getParameter( request, "mutualauthentication", true );
final Connection.ClientAuth mutualAuthentication;
if ( mutualAuthenticationText == null || mutualAuthenticationText.isEmpty() ) {
mutualAuthentication = configuration.getClientAuth();
} else {
mutualAuthentication = Connection.ClientAuth.valueOf( mutualAuthenticationText );
}
try try
{ {
serverManager.setHttpBindPorts( requestedPort, requestedSecurePort ); serverManager.setHttpBindPorts( requestedPort, requestedSecurePort );
...@@ -57,6 +73,7 @@ ...@@ -57,6 +73,7 @@
serverManager.setXFFServerHeader( ParamUtils.getParameter( request, "XFFServerHeader" ) ); serverManager.setXFFServerHeader( ParamUtils.getParameter( request, "XFFServerHeader" ) );
serverManager.setXFFHostHeader( ParamUtils.getParameter( request, "XFFHostHeader" ) ); serverManager.setXFFHostHeader( ParamUtils.getParameter( request, "XFFHostHeader" ) );
serverManager.setXFFHostName( ParamUtils.getParameter( request, "XFFHostName" ) ); serverManager.setXFFHostName( ParamUtils.getParameter( request, "XFFHostName" ) );
manager.getListener( ConnectionType.BOSH_C2S, true ).setClientAuth( mutualAuthentication );
} }
catch ( Exception e ) catch ( Exception e )
{ {
...@@ -93,10 +110,14 @@ ...@@ -93,10 +110,14 @@
csrfParam = StringUtils.randomString( 15 ); csrfParam = StringUtils.randomString( 15 );
CookieUtils.setCookie( request, response, "csrf", csrfParam, -1 ); CookieUtils.setCookie( request, response, "csrf", csrfParam, -1 );
final ConnectionManagerImpl manager = (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager();
final ConnectionConfiguration configuration = manager.getListener( ConnectionType.BOSH_C2S, true ).generateConnectionConfiguration();
pageContext.setAttribute( "csrf", csrfParam ); pageContext.setAttribute( "csrf", csrfParam );
pageContext.setAttribute( "errors", errorMap ); pageContext.setAttribute( "errors", errorMap );
pageContext.setAttribute( "serverManager", serverManager ); pageContext.setAttribute( "serverManager", serverManager );
pageContext.setAttribute( "crossDomainContent", FlashCrossDomainServlet.getCrossDomainContent() ); pageContext.setAttribute( "crossDomainContent", FlashCrossDomainServlet.getCrossDomainContent() );
pageContext.setAttribute( "configuration", configuration );
%> %>
<html> <html>
...@@ -186,6 +207,31 @@ ...@@ -186,6 +207,31 @@
</table> </table>
</admin:contentBox> </admin:contentBox>
<fmt:message key="httpbind.settings.clientauth.boxtitle" var="clientauthboxtitle"/>
<admin:contentBox title="${clientauthboxtitle}">
<p><fmt:message key="httpbind.settings.clientauth.info"/></p>
<table cellpadding="3" cellspacing="0" border="0" class="tlsconfig">
<tr valign="middle">
<td>
<input type="radio" name="mutualauthentication" value="disabled" id="mutualauthentication-disabled" ${configuration.clientAuth.name() eq 'disabled' ? 'checked' : ''}/>
<label for="mutualauthentication-disabled"><fmt:message key="httpbind.settings.clientauth.label_disabled"/></label>
</td>
</tr>
<tr valign="middle">
<td>
<input type="radio" name="mutualauthentication" value="wanted" id="mutualauthentication-wanted" ${configuration.clientAuth.name() eq 'wanted' ? 'checked' : ''}/>
<label for="mutualauthentication-wanted"><fmt:message key="httpbind.settings.clientauth.label_wanted"/></label>
</td>
</tr>
<tr valign="middle">
<td>
<input type="radio" name="mutualauthentication" value="needed" id="mutualauthentication-needed" ${configuration.clientAuth.name() eq 'needed' ? 'checked' : ''}/>
<label for="mutualauthentication-needed"><fmt:message key="httpbind.settings.clientauth.label_needed"/></label>
</td>
</tr>
</table>
</admin:contentBox>
<fmt:message key="httpbind.settings.script.group" var="script_boxtitle"/> <fmt:message key="httpbind.settings.script.group" var="script_boxtitle"/>
<admin:contentBox title="${script_boxtitle}"> <admin:contentBox title="${script_boxtitle}">
<table cellpadding="3" cellspacing="0" border="0"> <table cellpadding="3" cellspacing="0" border="0">
......
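Review bot: `Connection.ClientAuth.valueOf( mutualAuthenticationText )` at the end of the second hunk parses a request parameter before the `try` block that opens on the next line, so a submitted value that is not one of the enum constant names (a mistyped or tampered radio value) raises an IllegalArgumentException that the `catch ( Exception e )` below never sees, and the page fails instead of reporting the problem the way the other setter failures presumably are. Moving the parse inside the try keeps the validation path in one place; the enclosing scriptlet and the branch this code runs in start outside the hunk, so check that `errorMap` or whatever the catch reports is what you want users to see for this case. The lowercase literals in the EL `checked` expressions (`eq 'disabled'`, `eq 'wanted'`, `eq 'needed'`) rely on the enum constants being named in lowercase, which `name()` will reflect exactly, so a short comment next to the radios, `<%-- values must match Connection.ClientAuth constant names, which are parsed with valueOf() --%>`, would save the next editor from capitalising them.
```jsp
try
{
    // Parse here so a value that is not a ClientAuth constant name is reported
    // through the existing catch below instead of failing the whole page.
    final Connection.ClientAuth mutualAuthentication;
    if ( mutualAuthenticationText == null || mutualAuthenticationText.isEmpty() ) {
        mutualAuthentication = configuration.getClientAuth();
    } else {
        mutualAuthentication = Connection.ClientAuth.valueOf( mutualAuthenticationText );
    }
    // … unchanged: serverManager.setHttpBindPorts and the CORS/XFF setters …
    manager.getListener( ConnectionType.BOSH_C2S, true ).setClientAuth( mutualAuthentication );
}
```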