On 9 October 2013 09:16, Stefan Egli <[email protected]> wrote: > Hi Ian, > > +1 > > I like the idea of making an API out of this. One thing to remember is > that this API would be part of discovery.impl rather than discovery.api - > since the discovery.api does not make any assumptions on how > instances/clusters discover each other. Nevertheless I think it's a good > idea.
Ok, thats probably easier if its Ok for the Discovery Impl to export a package. I forgot 1 thing, there will need to be support for creating the aspects of the request that make it trusted, as well as white listing it. > > Additionally, I wonder if we could also include the possibility of > encrypting/decrypting the payload that discovery.impl sends around via the > topology connectors? It could be a separate service - eg > DiscoveryPayloadHandler - and provide methods to encrypt and > decrypt/verify. That would be a larger patch, but would also work. If its going to cover all bases, does it need to be outside the Discovery impl ? I've started a jira for this [1] Best Regards Ian 1 https://issues.apache.org/jira/browse/SLING-3154 > > Cheers, > Stefan > > On 10/8/13 7:40 PM, "Ian Boston" <[email protected]> wrote: > >>Hi, >>The whitelist configuration in this servlet is causing some problems >>where the contents of the whitelist is potentially large and changing, >>since it requires constant re-configuration. >> >>Would it be possible to have a API service that is consulted if >>present to check if the request is allowed. For those that want to use >>the service they would configure the whitelist to reject everything >>while the service was not present so avoid startup issues. >> >>eg >> >>+ @Reference(cardinality=ReferenceCardinality.OPTIONAL_UNARY) >>+ private WhiteListProvider whiteListProvider; >> >> /** Checks if the provided request's remote server is whitelisted **/ >> >> private boolean isWhitelisted(final SlingHttpServletRequest request) { >>+ if (whiteListProvider != null) { >>+ whiteListProvider.isWhitelisted(request); >>+ } >> if (whitelist.contains(request.getRemoteAddr())) { >> >> return true; >> >> } else if (whitelist.contains(request.getRemoteHost())) { >> >> return true; >> >> } >> >> logger.info("isWhitelisted: rejecting " + request.getRemoteAddr() >> >> + ", " + request.getRemoteHost()); >> >> return false; >> >> } >> >> >>and in the API, presumably discovery api. >> >>public interface WhiteListProvider { >> >> private boolean isWhitelisted(HttpServletRequest request); >> >>} >> >> >>Best Regards >>Ian >
