[TECH] CAS Security : add hostnameverifier optional property, activated by default

3062f2f8 · Makhtar DIAGNE · 7184e129 · 3062f2f8 · 3062f2f8
Commit 3062f2f8 authored 4 years ago by Makhtar DIAGNE
--- a/commons/commons-security/src/main/java/fr/gouv/vitamui/commons/security/client/config/BaseCasSecurityConfigurer.java
+++ b/commons/commons-security/src/main/java/fr/gouv/vitamui/commons/security/client/config/BaseCasSecurityConfigurer.java
@@ -54,6 +54,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -108,6 +109,9 @@ public abstract class BaseCasSecurityConfigurer extends WebSecurityConfigurerAda
    @NotNull
    private String casTrustStoreType;

+    @Value("${cas.ssl.hostname-verification:true}")
+    protected Boolean hostnameVerification;
+
    @Value("${cas.callback-url}")
    @NotNull
    private String casCallbackUrl;
@@ -159,9 +163,9 @@ public abstract class BaseCasSecurityConfigurer extends WebSecurityConfigurerAda
            if (sslSocketFactory == null) {
                sslSocketFactory = SSLContext.getDefault().getSocketFactory();
            }
-
+            final HostnameVerifier hostnameVerifier = hostnameVerification ? null : TrustAllHostnameVerifier.INSTANCE;
            final Cas30ServiceTicketValidator validator = new Cas30ServiceTicketValidator(casInternalUrl);
-            validator.setURLConnectionFactory(new TrustedHttpURLConnectionFactory(null, sslSocketFactory));
+            validator.setURLConnectionFactory(new TrustedHttpURLConnectionFactory(hostnameVerifier, sslSocketFactory));
            return validator;
        }
        catch (final Exception e) {

--- a/commons/commons-security/src/main/java/fr/gouv/vitamui/commons/security/client/config/TrustAllHostnameVerifier.java
+++ b/commons/commons-security/src/main/java/fr/gouv/vitamui/commons/security/client/config/TrustAllHostnameVerifier.java
+/**
+ * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020)
+ * and the signatories of the "VITAM - Accord du Contributeur" agreement.
+ *
+ * contact@programmevitam.fr
+ *
+ * This software is a computer program whose purpose is to implement
+ * implement a digital archiving front-office system for the secure and
+ * efficient high volumetry VITAM solution.
+ *
+ * This software is governed by the CeCILL-C license under French law and
+ * abiding by the rules of distribution of free software.  You can  use,
+ * modify and/ or redistribute the software under the terms of the CeCILL-C
+ * license as circulated by CEA, CNRS and INRIA at the following URL
+ * "http://www.cecill.info".
+ *
+ * As a counterpart to the access to the source code and  rights to copy,
+ * modify and redistribute granted by the license, users are provided only
+ * with a limited warranty  and the software's author,  the holder of the
+ * economic rights,  and the successive licensors  have only  limited
+ * liability.
+ *
+ * In this respect, the user's attention is drawn to the risks associated
+ * with loading,  using,  modifying and/or developing or reproducing the
+ * software by the user in light of its specific status of free software,
+ * that may mean  that it is complicated to manipulate,  and  that  also
+ * therefore means  that it is reserved for developers  and  experienced
+ * professionals having in-depth computer knowledge. Users are therefore
+ * encouraged to load and test the software's suitability as regards their
+ * requirements in conditions enabling the security of their systems and/or
+ * data to be ensured and,  more generally, to use and operate it in the
+ * same conditions as regards security.
+ *
+ * The fact that you are presently reading this means that you have had
+ * knowledge of the CeCILL-C license and that you accept its terms.
+ */
+package fr.gouv.vitamui.commons.security.client.config;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+
+ /**
+ * Implementation of {@link HostnameVerifier} which allows ANY hosts.
+ *
+ *
+ */
+
+public class TrustAllHostnameVerifier implements HostnameVerifier {
+
+    public static final TrustAllHostnameVerifier INSTANCE = new TrustAllHostnameVerifier();
+
+    private TrustAllHostnameVerifier() {
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession sslSession) {
+        return true;
+    }
+}