Package org.apache.druid.server.security

Interface TLSCertificateChecker

All Known Implementing Classes:

DefaultTLSCertificateChecker

public interface TLSCertificateChecker

This extension point allows developers to replace the standard TLS certificate checks with custom checks. By default, a DefaultTLSCertificateChecker is used, which simply delegates to the base X509ExtendedTrustManager.

Method Summary

Modifier and Type	Method	Description
void	checkClient(X509Certificate[] chain, String authType, SSLEngine engine, X509ExtendedTrustManager baseTrustManager)	This method allows an extension to replace the standard X509ExtendedTrustManager.checkClientTrusted(X509Certificate[], String, SSLEngine) method.
void	checkServer(X509Certificate[] chain, String authType, SSLEngine engine, X509ExtendedTrustManager baseTrustManager)	This method allows an extension to replace the standard X509ExtendedTrustManager.checkServerTrusted(X509Certificate[], String, SSLEngine) method.

Method Details

checkClient

void checkClient(X509Certificate[] chain,
 String authType,
 SSLEngine engine,
 X509ExtendedTrustManager baseTrustManager)
          throws CertificateException

This method allows an extension to replace the standard X509ExtendedTrustManager.checkClientTrusted(X509Certificate[], String, SSLEngine) method. This controls the certificate check used by Druid's server, checking certificates for internal requests made by other Druid services and user-submitted requests.

Parameters:

chain - See docs for X509ExtendedTrustManager.checkClientTrusted(X509Certificate[], String, SSLEngine).

authType - See docs for X509ExtendedTrustManager.checkClientTrusted(X509Certificate[], String, SSLEngine).

engine - See docs for X509ExtendedTrustManager.checkClientTrusted(X509Certificate[], String, SSLEngine).

baseTrustManager - The base trust manager. An extension should call baseTrustManager.checkClientTrusted(chain, authType, engine) if/when it wishes to use the standard check in addition to custom checks.

Throws:

CertificateException

checkServer

void checkServer(X509Certificate[] chain,
 String authType,
 SSLEngine engine,
 X509ExtendedTrustManager baseTrustManager)
          throws CertificateException

This method allows an extension to replace the standard X509ExtendedTrustManager.checkServerTrusted(X509Certificate[], String, SSLEngine) method. This controls the certificate check used by Druid's internal client, used to validate the certificates of other Druid services.

Parameters:

chain - See docs for X509ExtendedTrustManager.checkServerTrusted(X509Certificate[], String, SSLEngine).

authType - See docs for X509ExtendedTrustManager.checkServerTrusted(X509Certificate[], String, SSLEngine).

engine - See docs for X509ExtendedTrustManager.checkServerTrusted(X509Certificate[], String, SSLEngine).

baseTrustManager - The base trust manager. An extension should call baseTrustManager.checkServerTrusted(chain, authType, engine) if/when it wishes to use the standard check in addition to custom checks.

Throws:

CertificateException