Commit ed65536b authored by Dave Cridland's avatar Dave Cridland Committed by Guus der Kinderen

OF-1322 Do not do EXTERNAL without trusted cert (#786)

parent 7b3df357
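--- a/PATH-NOT-ON-PAGE/SASLAuthentication.java
+++ b/PATH-NOT-ON-PAGE/SASLAuthentication.java
@@ -196,6 +196,24 @@ public class SASLAuthentication {
 {
 final Element result = DocumentHelper.createElement( new QName( "mechanisms", new Namespace( "", SASL_NAMESPACE ) ) );
 for (String mech : getSupportedMechanisms()) {
+if (mech.equals("EXTERNAL")) {
+boolean trustedCert = false;
+if (session.isSecure()) {
+final LocalClientSession localClientSession = (LocalClientSession)session;
+if (localClientSession != null) {
+final Connection connection = localClientSession.getConnection();
+final KeyStore keyStore = connection.getConfiguration().getIdentityStore().getStore();
+final KeyStore trustStore = connection.getConfiguration().getTrustStore().getStore();
+final X509Certificate trusted = CertificateManager.getEndEntityCertificate(connection.getPeerCertificates(), keyStore, trustStore);
+if (trusted != null) {
+trustedCert = true;
+}
+}
+}
+if (trustedCert == false) {
+continue; // Do not offer EXTERNAL.
+}
+}
 final Element mechanism = result.addElement("mechanism");
 mechanism.setText(mech);
 }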
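Review bot: The unchecked cast `(LocalClientSession)session` followed by a null check is the wrong guard: `session` has already been dereferenced by `session.isSecure()` on the line above, so `localClientSession` can never be null, and if `session` is some other session type the cast throws ClassCastException instead of quietly withholding EXTERNAL — the failure mode a security gate should avoid. Replace the two lines with `if (session instanceof LocalClientSession) {` and `final LocalClientSession localClientSession = (LocalClientSession) session;` so a non-client session simply leaves `trustedCert` false. `if (trustedCert == false)` reads better as `if (!trustedCert)`. Note that this only controls what is advertised; whether the EXTERNAL handler itself rejects a client that sends the mechanism unsolicited is not visible in this hunk and is worth confirming. The enclosing method begins and ends outside the hunk.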