NIFIREG-296 - Added comments and removed explicit call to setEndpointIdentificationAlgorithm(null). This is called by SslContextFactory.Server()
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/JettyITServerCustomizer.java b/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/JettyITServerCustomizer.java
index 403a138..c0ff5b1 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/JettyITServerCustomizer.java
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/JettyITServerCustomizer.java
@@ -33,7 +33,10 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
+/**
+ * This customizer fixes integration tests. The customizer is the only way we can pass config from Spring Boot to Jetty.
+ * It sets the endpointIdentificationAlgorithm to null, which stops the Jetty server attempting to validate a hostname in the client certificate's SAN.
+ **/
@Component
public class JettyITServerCustomizer implements WebServerFactoryCustomizer<JettyServletWebServerFactory> {
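Review bot: The new class Javadoc says the customizer "sets the endpointIdentificationAlgorithm to null", but this same commit removes the explicit setter call from createSslContextFactory, so the class now only relies on the library default. The wording should say that, for example `* It builds the SSL context with SslContextFactory.Server, whose constructor leaves endpointIdentificationAlgorithm null, so the Jetty server does not try to match a hostname against the client certificate's SAN.` Two style points in the same block: the comment should close with `*/` rather than `**/`, and the blank line between the imports and the Javadoc, which this hunk removes, should be kept.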
@@ -79,12 +82,10 @@
}
private SslContextFactory createSslContextFactory(Ssl properties) {
+ // Calling SslContextFactory.Server() calls setEndpointIdentificationAlgorithm(null).
+ // This ensures that Jetty server does not attempt to validate a hostname in the client certificate's SAN.
final SslContextFactory.Server contextFactory = new SslContextFactory.Server();
- // The ONE thing we needed to do: set endpoint ID algorithm to null. This ensures that Jetty server does
- // not attempt to validate a hostname in the client certificate's SAN.
- contextFactory.setEndpointIdentificationAlgorithm(null);
-
// if needClientAuth is false then set want to true so we can optionally use certs
if(properties.getClientAuth() == Ssl.ClientAuth.NEED) {
LOGGER.info("Setting Jetty's SSLContextFactory needClientAuth to true");
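Review bot: With the explicit call removed, the disabled hostname check in createSslContextFactory depends entirely on what the `SslContextFactory.Server` constructor does in whichever Jetty version is on the test classpath. Nothing here fails or logs if that default changes after a dependency upgrade, and the new comment states the behaviour without anything verifying it. A cheap guard right after construction would make the assumption explicit: `if (contextFactory.getEndpointIdentificationAlgorithm() != null) { throw new IllegalStateException("Jetty default changed: endpoint identification is enabled"); }`. Alternatively, keep the one-line setter, which is harmless when redundant. The method body continues outside the hunk, so later configuration of the factory is not visible here.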
@@ -128,4 +129,4 @@
return contextFactory;
}
-}
\ No newline at end of file
+}