Re: [jetty-users] Validating server certificates in Jetty HTTP Client 9.3.5.v20151012
Hi,
On Fri, Apr 15, 2016 at 6:20 PM, Alaric Snell-Pym
<alaric@xxxxxxxxxxxxxxxx> wrote:
> For my application, I need to disallow connections to certain IP ranges.
> I need to do this check with the actual IP that Jetty is about to
> connect to; I can't just resolve the hostname and check all its IPs are
> valid, then pass the URL on to Jetty, because the hostname->IP mappings
> could be changed at that point by a sufficiently clever attacker.
>
> My first attempt was to pass in my own HttpClientTransport to the
> HttpClient constructor. I subclassed the default
> HttpClientTransportOverHttp, overriding the
> connect(InetSocketAddress,Map<String,Object>) method with one that
> performed my IP address validation on the provided address, threw a
> SecurityException if it was bad, and otherwise delegated to
> super.connect(...).
>
> However, connect() never seemed to actually be called, so my IP address
> validation never happened.
That would be strange. HttpClientTransport.connect() is the sole way
to open a *new* connection to a host.
HttpClient pools connections, so perhaps you made an initial request
that opened the connection, and you were expecting the checks to
happen on a second request to the same destination?
> What I ended up doing was...
Too complicated :)
HttpClientTransport.connect() *is* being called, and perhaps that's
the way to go.
Alternatively you can provide your own SocketAddressResolver to HttpClient.
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
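The SocketAddressResolver route Simone suggests, written out as an added example for this thread (it is neither the poster's code nor Jetty's own). It assumes Jetty 9.3's org.eclipse.jetty.util.SocketAddressResolver with resolve(String, int, Promise<List<InetSocketAddress>>) and HttpClient.setSocketAddressResolver(); the class name FilteringResolver and the isInternal policy are hypothetical. Because the resolved addresses are the ones the transport's connect() is handed, the check runs on the concrete IP rather than on a hostname that could be re-resolved later.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.Promise;
import org.eclipse.jetty.util.SocketAddressResolver;

/** Hypothetical resolver: HttpClient only ever connects to addresses it returns. */
public class FilteringResolver implements SocketAddressResolver {
    private final Predicate<InetAddress> denied;
    public FilteringResolver(Predicate<InetAddress> denied) {
        this.denied = denied;
    }
    @Override
    public void resolve(String host, int port, Promise<List<InetSocketAddress>> promise) {
        try {
            List<InetSocketAddress> allowed = new ArrayList<>();
            for (InetAddress address : InetAddress.getAllByName(host)) {
                // Check the concrete IP, not the hostname: this list is what the
                // transport's connect() receives, so no later lookup can swap it.
                if (!denied.test(address)) {
                    allowed.add(new InetSocketAddress(address, port));
                }
            }
            if (allowed.isEmpty()) {
                promise.failed(new SecurityException("no permitted address for " + host));
            } else {
                promise.succeeded(allowed);
            }
        } catch (UnknownHostException x) {
            promise.failed(x);
        }
    }
    /** Sample policy: loopback, link-local, site-local (RFC 1918, fec0::/10), wildcard, IPv6 ULA. */
    static boolean isInternal(InetAddress a) {
        byte[] raw = a.getAddress();
        boolean ula = raw.length == 16 && (raw[0] & 0xfe) == 0xfc; // fc00::/7, not covered by isSiteLocalAddress()
        return a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
            || a.isAnyLocalAddress() || ula;
    }
    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();
        client.setSocketAddressResolver(new FilteringResolver(FilteringResolver::isInternal));
        client.start(); // requests whose every resolved address is denied now fail before connecting
    }
}
```

A failed promise surfaces to the caller as a failed request, so the rejection can be logged at that point; adjust the policy predicate to the ranges your deployment actually needs to deny.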