better support for application level authentication #2322
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
boaks
force-pushed
the
appl_auth
branch
2 times, most recently
from
0cda1d1 to
9158115
Compare
boaks
changed the title
Signed-off-by: Achim Kraus <[email protected]>
boaks
force-pushed
the
appl_auth
branch
3 times, most recently
from
cf37103 to
7f2f98a
Compare
Ensure to execute tasks even after shutdown. Signed-off-by: Achim Kraus <[email protected]>
Add execute and createTask. Rename refreshAutoResumptionTime into updateLastMessageNanos. Signed-off-by: Achim Kraus <[email protected]>
Cleanup principal's toString. Signed-off-by: Achim Kraus <[email protected]>
Remove obsolete casts. Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Use Connection ID to identify DLTS context also for outgoing messages, if available. Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
If the CertificateAuthenticationMode.WANTED is used but no common client certificate type is available, don't fail. Signed-off-by: Achim Kraus <[email protected]>
Keep last message nanos closer to last update time of the LeastRecentlyUpdatedCache. Convert "synchronized" eviction handler to use write lock. Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
boaks
force-pushed
the
appl_auth
branch
2 times, most recently
from
5b787f5 to
b10df26
Compare
Enables better support for clients using an anonymous DTLS handshake and authorize the request on the application level, e.g. username/password or tokens. In combination with proxies, this enables to "offload" the authentication from dtls and move it into a REST API. Signed-off-by: Achim Kraus <[email protected]>
Add access to connector's application-authorization to endpoint and exchange. Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For some application and proxies, it may be advantageous to use a common HTTP authentication pattern, where the client stays on TLS level anonymous and applies it's authentication then on application level, e.g. username/password or tokens.
This PR improves the support for that by adding an
ApplicationPrincipal, anApplicationAuthorizerand a new configuration "DTLS.APPLICATION_AUTHORIZATION", which enables the new anonymous client support.If enabled, anonymous clients will be removed after a short time (about 2-3 minutes), if the application doesn't authorize them using the
ApplicationAuthorizer.