Hi Ian, +1
I like the idea of making an API out of this. One thing to remember is that this API would be part of discovery.impl rather than discovery.api - since the discovery.api does not make any assumptions on how instances/clusters discover each other. Nevertheless I think it's a good idea.

Additionally, I wonder if we could also include the possibility of encrypting/decrypting the payload that discovery.impl sends around via the topology connectors? It could be a separate service - eg DiscoveryPayloadHandler - and provide methods to encrypt and decrypt/verify.

Cheers,
Stefan

On 10/8/13 7:40 PM, "Ian Boston" <i...@tfd.co.uk> wrote:

>Hi,
>The whitelist configuration in this servlet is causing some problems
>where the contents of the whitelist is potentially large and changing,
>since it requires constant re-configuration.
>
>Would it be possible to have an API service that is consulted if
>present to check if the request is allowed. For those that want to use
>the service they would configure the whitelist to reject everything
>while the service was not present so avoid startup issues.
>
>eg
>
>+ @Reference(cardinality=ReferenceCardinality.OPTIONAL_UNARY)
>+ private WhiteListProvider whiteListProvider;
>
> /** Checks if the provided request's remote server is whitelisted **/
>
> private boolean isWhitelisted(final SlingHttpServletRequest request) {
>+ if (whiteListProvider != null) {
>+ whiteListProvider.isWhitelisted(request);
>+ }
> if (whitelist.contains(request.getRemoteAddr())) {
>
> return true;
>
> } else if (whitelist.contains(request.getRemoteHost())) {
>
> return true;
>
> }
>
> logger.info("isWhitelisted: rejecting " + request.getRemoteAddr()
>
> + ", " + request.getRemoteHost());
>
> return false;
>
> }
>
>
>and in the API, presumably discovery api.
>
>public interface WhiteListProvider {
>
> private boolean isWhitelisted(HttpServletRequest request);
>
>}
>
>
>Best Regards
>Ian
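
Review bot: In the added block at the top of isWhitelisted, the result of `whiteListProvider.isWhitelisted(request)` is discarded, so the provider's answer never affects the outcome and every request still falls through to the static whitelist check. Return the provider's result there (for example `return whiteListProvider.isWhitelisted(request);`) and document whether a present provider replaces the configured whitelist or only supplements it, since a provider that can only add allowed peers and one that can also deny them are different trust decisions for the topology connector. Separately, the proposed WhiteListProvider interface declares isWhitelisted as `private`, which an implementing service could not provide; drop the modifier so the method is public.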