NIFI-8288 Removed OkHttpClientUtils to reduce reliance on nifi-security-utils

- Added createTrustManager() on SSLContextService
- Removed nifi-security-utils and okhttp dependencies from nifi-web-utils

Signed-off-by: Nathan Gough <thenatog@gmail.com>

This closes #4869.

nifi-commons/nifi-web-utils/pom.xml

@@ -22,16 +22,6 @@
     </parent>
     <artifactId>nifi-web-utils</artifactId>
     <dependencies>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-        </dependency>
-        <dependency>
-            <groupId>commons-codec</groupId>
-            <artifactId>commons-codec</artifactId>
-            <version>1.14</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
@@ -97,10 +87,5 @@
             <groupId>org.slf4j</groupId>
             <artifactId>jcl-over-slf4j</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.squareup.okhttp3</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>${okhttp.version}</version>
-        </dependency>
     </dependencies>
 </project>

nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/security/util/OkHttpClientUtils.java

@@ -1,69 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.security.util;
-
-import java.security.UnrecoverableKeyException;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-import okhttp3.OkHttpClient;
-import org.apache.nifi.processor.exception.ProcessException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * This class contains utility methods for working with the {@link OkHttpClient} that many components use for external HTTP communication.
- */
-public class OkHttpClientUtils {
-    private static final Logger logger = LoggerFactory.getLogger(OkHttpClientUtils.class);
-
-    /**
-     * If the {@link TlsConfiguration} contains valid properties to configure an
-     * {@link SSLSocketFactory}, parses the necessary values and applies the config to the client
-     * builder. If the properties are not populated, no action is taken.
-     *
-     * @param tlsConfiguration the TLS configuration container object
-     * @param okHttpClient     the OkHttp client builder
-     * @return true if the TLS configuration was applied to the builder
-     */
-    public static boolean applyTlsToOkHttpClientBuilder(TlsConfiguration tlsConfiguration, OkHttpClient.Builder okHttpClient) {
-        try {
-            final X509TrustManager trustManager = SslContextFactory.getX509TrustManager(tlsConfiguration);
-            if (trustManager == null) {
-                return false;
-            }
-
-            final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, new TrustManager[]{trustManager});
-            if (sslContext == null) {
-                return false;
-            }
-
-            final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
-            okHttpClient.sslSocketFactory(sslSocketFactory, trustManager);
-            return true;
-        } catch (TlsException e) {
-            if (e.getCause() instanceof UnrecoverableKeyException) {
-                logger.error("Key password may be incorrect or not set. Check your keystore passwords." + e.getMessage());
-            } else {
-                logger.error("Encountered an error configuring TLS: {}", e.getLocalizedMessage());
-                throw new ProcessException("Error configuring TLS", e);
-            }
-        }
-        return false;
-    }
-}

nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java

@@ -23,7 +23,8 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import org.apache.nifi.util.StringUtils;
+
+import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.web.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/ClientUtils.java

@@ -1,116 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.util;
-
-import javax.ws.rs.client.Client;
-import javax.ws.rs.client.Entity;
-import javax.ws.rs.client.Invocation;
-import javax.ws.rs.client.WebTarget;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedHashMap;
-import javax.ws.rs.core.Response;
-import java.net.URI;
-import java.util.Map;
-
-/**
- *
- */
-public class ClientUtils {
-
-    private final Client client;
-
-    public ClientUtils(Client client) {
-        this.client = client;
-    }
-
-    /**
-     * Gets the content at the specified URI.
-     *
-     * @param uri the URI to get the content of
-     * @return the client response resulting from getting the content of the URI
-     */
-    public Response get(final URI uri) {
-        return get(uri, null);
-    }
-
-    /**
-     * Gets the content at the specified URI using the given query parameters.
-     *
-     * @param uri the URI to get the content of
-     * @param queryParams the query parameters to use in the request
-     * @return the client response resulting from getting the content of the URI
-     */
-    public Response get(final URI uri, final Map<String, String> queryParams) {
-        // perform the request
-        WebTarget webTarget = client.target(uri);
-        if (queryParams != null) {
-            for (final Map.Entry<String, String> queryEntry : queryParams.entrySet()) {
-                webTarget = webTarget.queryParam(queryEntry.getKey(), queryEntry.getValue());
-            }
-        }
-
-        return webTarget.request().accept(MediaType.APPLICATION_JSON).get();
-    }
-
-    /**
-     * Performs a POST using the specified url and entity body.
-     *
-     * @param uri the URI to post to
-     * @param entity the item to post
-     * @return the client response of the request
-     */
-    public Response post(URI uri, Object entity) {
-        // get the resource
-        Invocation.Builder builder = client.target(uri).request().accept(MediaType.APPLICATION_JSON);
-
-        // perform the request
-        return builder.post(Entity.json(entity));
-    }
-
-    /**
-     * Performs a POST using the specified url and form data.
-     *
-     * @param uri the uri to post to
-     * @param formData the data to post
-     * @return the client response of the post
-     */
-    public Response post(URI uri, Map<String, String> formData) {
-        // convert the form data
-        final MultivaluedHashMap<String, String> entity = new MultivaluedHashMap();
-        for (String key : formData.keySet()) {
-            entity.add(key, formData.get(key));
-        }
-
-        // get the resource
-        Invocation.Builder builder = client.target(uri).request().accept(MediaType.APPLICATION_JSON);
-
-        // get the resource
-        return builder.post(Entity.form(entity));
-    }
-
-    /**
-     * Performs a HEAD request to the specified URI.
-     *
-     * @param uri the uri to request the head of
-     * @return the client response of the request
-     */
-    public Response head(final URI uri) {
-        // perform the request
-        WebTarget webTarget = client.target(uri);
-        return webTarget.request().head();
-    }
-}

nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-processors/pom.xml

@@ -138,12 +138,6 @@ language governing permissions and limitations under the License. -->
             <artifactId>nifi-standard-record-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-web-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-            <scope>compile</scope>
-        </dependency>
     </dependencies>
 
     <build>

nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-processors/src/main/java/org/apache/nifi/processors/elasticsearch/AbstractElasticsearchHttpProcessor.java

@@ -46,11 +46,12 @@ import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.proxy.ProxyConfiguration;
 import org.apache.nifi.proxy.ProxySpec;
-import org.apache.nifi.security.util.OkHttpClientUtils;
-import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StringUtils;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
+
 /**
  * A base class for Elasticsearch processors that use the HTTP API
  */
@@ -208,8 +209,9 @@ public abstract class AbstractElasticsearchHttpProcessor extends AbstractElastic
         // Apply the TLS configuration if present
         final SSLContextService sslService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslService != null) {
-            final TlsConfiguration tlsConfiguration = sslService.createTlsConfiguration();
-            OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, okHttpClient);
+            final SSLContext sslContext = sslService.createContext();
+            final X509TrustManager trustManager = sslService.createTrustManager();
+            okHttpClient.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
         }
 
         okHttpClientAtomicReference.set(okHttpClient.build());

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml

@@ -67,7 +67,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-web-utils</artifactId>
+            <artifactId>nifi-security-utils</artifactId>
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClient.java

@@ -37,6 +37,9 @@ import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.zip.GZIPInputStream;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.core.MultivaluedHashMap;
 import javax.ws.rs.core.MultivaluedMap;
@@ -53,7 +56,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.cluster.coordination.http.replication.HttpReplicationClient;
 import org.apache.nifi.cluster.coordination.http.replication.PreparedRequest;
 import org.apache.nifi.remote.protocol.http.HttpHeaders;
-import org.apache.nifi.security.util.OkHttpClientUtils;
+import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.stream.io.GZIPOutputStream;
@@ -317,8 +320,11 @@ public class OkHttpReplicationClient implements HttpReplicationClient {
 
         // Apply the TLS configuration, if present
         try {
-            TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties);
-            tlsConfigured = OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, okHttpClientBuilder);
+            final TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties);
+            final X509TrustManager trustManager = SslContextFactory.getX509TrustManager(tlsConfiguration);
+            final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, new TrustManager[]{trustManager});
+            okHttpClientBuilder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
+            tlsConfigured = true;
         } catch (Exception e) {
             // Legacy expectations around this client are that it does not throw an exception on invalid TLS configuration
             // TODO: The only current use of this class is ThreadPoolRequestReplicatorFactoryBean#getObject() which should be evaluated to see if that can change

nifi-nar-bundles/nifi-framework-bundle/nifi-stateless-bundle/nifi-stateless-engine/pom.xml

@@ -82,6 +82,11 @@
             <groupId>org.glassfish.jersey.core</groupId>
             <artifactId>jersey-client</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>${okhttp.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>

nifi-nar-bundles/nifi-framework-bundle/nifi-stateless-bundle/nifi-stateless-engine/src/main/java/org/apache/nifi/extensions/NexusExtensionClient.java

@@ -22,14 +22,17 @@ import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.Response;
 import org.apache.nifi.bundle.BundleCoordinate;
-import org.apache.nifi.security.util.OkHttpClientUtils;
+import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.TlsConfiguration;
+import org.apache.nifi.security.util.TlsException;
 import org.apache.nifi.stateless.config.SslConfigurationUtil;
 import org.apache.nifi.stateless.config.SslContextDefinition;
 import org.apache.nifi.util.FormatUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
 import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -104,7 +107,13 @@ public class NexusExtensionClient implements ExtensionClient {
 
         if (sslContextDefinition != null) {
             final TlsConfiguration tlsConfiguration = SslConfigurationUtil.createTlsConfiguration(sslContextDefinition);
-            OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, okHttpClientBuilder);
+            try {
+                final X509TrustManager trustManager = SslContextFactory.getX509TrustManager(tlsConfiguration);
+                final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration);
+                okHttpClientBuilder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
+            } catch (final TlsException e) {
+                throw new IllegalArgumentException("TLS Configuration Failed: Check SSL Context Properties", e);
+            }
         }
 
         return okHttpClientBuilder.build();

nifi-nar-bundles/nifi-framework-bundle/nifi-stateless-bundle/nifi-stateless-engine/src/main/java/org/apache/nifi/stateless/config/PropertiesFileFlowDefinitionParser.java

@@ -26,8 +26,9 @@ import okhttp3.ResponseBody;
 import org.apache.nifi.registry.client.NiFiRegistryException;
 import org.apache.nifi.registry.flow.VersionedFlowSnapshot;
 import org.apache.nifi.registry.flow.VersionedFlowSnapshotMetadata;
-import org.apache.nifi.security.util.OkHttpClientUtils;
+import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.TlsConfiguration;
+import org.apache.nifi.security.util.TlsException;
 import org.apache.nifi.stateless.core.RegistryUtil;
 import org.apache.nifi.stateless.engine.StatelessEngineConfiguration;
 import org.apache.nifi.stateless.flow.DataflowDefinition;
@@ -37,6 +38,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.File;
@@ -354,7 +356,13 @@ public class PropertiesFileFlowDefinitionParser implements DataflowDefinitionPar
 
         if (sslContextDefinition != null) {
             final TlsConfiguration tlsConfiguration = SslConfigurationUtil.createTlsConfiguration(sslContextDefinition);
-            OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, clientBuilder);
+            try {
+                final X509TrustManager trustManager = SslContextFactory.getX509TrustManager(tlsConfiguration);
+                final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration);
+                clientBuilder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
+            } catch (final TlsException e) {
+                throw new IllegalArgumentException("TLS Configuration Failed: Check SSL Context Properties", e);
+            }
         }
 
         final OkHttpClient client = clientBuilder.build();

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java

@@ -1,101 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.processors.solr;
-
-import javax.net.ssl.SSLContext;
-import org.apache.nifi.controller.AbstractControllerService;
-import org.apache.nifi.processor.exception.ProcessException;
-import org.apache.nifi.security.util.TlsConfiguration;
-import org.apache.nifi.ssl.SSLContextService;
-
-/**
- * Mock implementation (copied from unit and integration tests) so we don't need to have a real keystore/truststore available for testing.
- *
- * // TODO: Remove and use regular mocking or Groovy rather than shell implementation
- */
-public class MockSSLContextService extends AbstractControllerService implements SSLContextService {
-
-    @Override
-    public TlsConfiguration createTlsConfiguration() {
-        return null;
-    }
-
-    @Override
-    public SSLContext createContext() {
-        return null;
-    }
-
-    @Override
-    public SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
-        return null;
-    }
-
-    @Override
-    public SSLContext createSSLContext(SSLContextService.ClientAuth clientAuth) throws ProcessException {
-        return null;
-    }
-
-    @Override
-    public String getTrustStoreFile() {
-        return null;
-    }
-
-    @Override
-    public String getTrustStoreType() {
-        return null;
-    }
-
-    @Override
-    public String getTrustStorePassword() {
-        return null;
-    }
-
-    @Override
-    public boolean isTrustStoreConfigured() {
-        return false;
-    }
-
-    @Override
-    public String getKeyStoreFile() {
-        return null;
-    }
-
-    @Override
-    public String getKeyStoreType() {
-        return null;
-    }
-
-    @Override
-    public String getKeyStorePassword() {
-        return null;
-    }
-
-    @Override
-    public String getKeyPassword() {
-        return null;
-    }
-
-    @Override
-    public boolean isKeyStoreConfigured() {
-        return false;
-    }
-
-    @Override
-    public String getSslAlgorithm() {
-        return null;
-    }
-}

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/QuerySolrIT.java

@@ -638,7 +638,8 @@ public class QuerySolrIT {
         runner.setProperty(SolrUtils.SOLR_LOCATION, SOLR_LOCATION);
         runner.setProperty(SolrUtils.COLLECTION, SOLR_COLLECTION);
 
-        final SSLContextService sslContextService = new MockSSLContextService();
+        final SSLContextService sslContextService = Mockito.mock(SSLContextService.class);
+        Mockito.when(sslContextService.getIdentifier()).thenReturn("ssl-context");
         runner.addControllerService("ssl-context", sslContextService);
         runner.enableControllerService(sslContextService);
 

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/TestPutSolrContentStream.java

@@ -374,7 +374,8 @@ public class TestPutSolrContentStream {
         runner.setProperty(SolrUtils.SOLR_LOCATION, "https://localhost:8443/solr");
         runner.assertNotValid();
 
-        final SSLContextService sslContextService = new MockSSLContextService();
+        final SSLContextService sslContextService = Mockito.mock(SSLContextService.class);
+        Mockito.when(sslContextService.getIdentifier()).thenReturn("ssl-context");
         runner.addControllerService("ssl-context", sslContextService);
         runner.enableControllerService(sslContextService);
 
@@ -389,7 +390,8 @@ public class TestPutSolrContentStream {
         runner.setProperty(SolrUtils.SOLR_LOCATION, "http://localhost:8443/solr");
         runner.assertValid();
 
-        final SSLContextService sslContextService = new MockSSLContextService();
+        final SSLContextService sslContextService = Mockito.mock(SSLContextService.class);
+        Mockito.when(sslContextService.getIdentifier()).thenReturn("ssl-context");
         runner.addControllerService("ssl-context", sslContextService);
         runner.enableControllerService(sslContextService);
 

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/TestPutSolrRecord.java

@@ -541,7 +541,8 @@ public class TestPutSolrRecord {
         runner.setProperty(SolrUtils.SOLR_LOCATION, "https://localhost:8443/solr");
         runner.assertNotValid();
 
-        final SSLContextService sslContextService = new MockSSLContextService();
+        final SSLContextService sslContextService = Mockito.mock(SSLContextService.class);
+        Mockito.when(sslContextService.getIdentifier()).thenReturn("ssl-context");
         runner.addControllerService("ssl-context", sslContextService);
         runner.enableControllerService(sslContextService);
 
@@ -562,7 +563,8 @@ public class TestPutSolrRecord {
         runner.setProperty(SolrUtils.SOLR_LOCATION, "http://localhost:8443/solr");
         runner.assertValid();
 
-        final SSLContextService sslContextService = new MockSSLContextService();
+        final SSLContextService sslContextService = Mockito.mock(SSLContextService.class);
+        Mockito.when(sslContextService.getIdentifier()).thenReturn("ssl-context");
         runner.addControllerService("ssl-context", sslContextService);
         runner.enableControllerService(sslContextService);
 

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/pom.xml

@@ -389,12 +389,6 @@
             <version>${nifi.groovy.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-web-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-            <scope>compile</scope>
-        </dependency>
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest-all</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/pom.xml

@@ -169,12 +169,6 @@
             <version>${nifi.groovy.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-web-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-            <scope>compile</scope>
-        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-security-utils</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/src/main/java/org/apache/nifi/lookup/RestLookupService.java

@@ -48,8 +48,6 @@ import org.apache.nifi.record.path.FieldValue;
 import org.apache.nifi.record.path.RecordPath;
 import org.apache.nifi.record.path.validation.RecordPathValidator;
 import org.apache.nifi.schema.access.SchemaNotFoundException;
-import org.apache.nifi.security.util.OkHttpClientUtils;
-import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.serialization.MalformedRecordException;
 import org.apache.nifi.serialization.RecordReader;
 import org.apache.nifi.serialization.RecordReaderFactory;
@@ -60,6 +58,9 @@ import org.apache.nifi.serialization.record.RecordSchema;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StringUtils;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
+
 import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -234,8 +235,9 @@ public class RestLookupService extends AbstractControllerService implements Reco
         // Apply the TLS configuration if present
         final SSLContextService sslService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslService != null) {
-            final TlsConfiguration tlsConfiguration = sslService.createTlsConfiguration();
-            OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, builder);
+            final SSLContext sslContext = sslService.createContext();
+            final X509TrustManager trustManager = sslService.createTrustManager();
+            builder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
         }
 
         client = builder.build();

nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/pom.xml

@@ -94,11 +94,5 @@
             <artifactId>jetty-server</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-web-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-            <scope>compile</scope>
-        </dependency>
     </dependencies>
 </project>

nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java

@@ -22,6 +22,8 @@ import java.io.IOException;
 import java.util.List;
 import java.util.Map;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
+
 import okhttp3.FormBody;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
@@ -34,8 +36,6 @@ import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.exception.ProcessException;
-import org.apache.nifi.security.util.OkHttpClientUtils;
-import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StringUtils;
 
@@ -89,8 +89,8 @@ public class OAuth2TokenProviderImpl extends AbstractControllerService implement
         OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
 
         if (sslService != null) {
-            final TlsConfiguration tlsConfiguration = sslService.createTlsConfiguration();
-            OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, clientBuilder);
+            final X509TrustManager trustManager = sslService.createTrustManager();
+            clientBuilder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
         }
 
         return clientBuilder;

nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java

@@ -25,6 +25,7 @@ import java.util.List;
 import java.util.Map;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
@@ -252,7 +253,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
             final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
             return SslContextFactory.createSslContext(tlsConfiguration, trustManagers);
         } catch (final TlsException e) {
-            getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()});
+            getLogger().error("Unable to create SSLContext: {}", e.getLocalizedMessage());
             throw new ProcessException("Unable to create SSLContext", e);
         }
     }
@@ -288,6 +289,24 @@ public class StandardSSLContextService extends AbstractControllerService impleme
         return createContext();
     }
 
+    /**
+     * Create X.509 Trust Manager using configured properties
+     *
+     * @return {@link X509TrustManager} initialized using configured properties
+     */
+    @Override
+    public X509TrustManager createTrustManager() {
+        try {
+            final X509TrustManager trustManager = SslContextFactory.getX509TrustManager(createTlsConfiguration());
+            if (trustManager == null) {
+                throw new ProcessException("X.509 Trust Manager not found using configured properties");
+            }
+            return trustManager;
+        } catch (final TlsException e) {
+            throw new ProcessException("Unable to create X.509 Trust Manager", e);
+        }
+    }
+
     @Override
     public String getTrustStoreFile() {
         return configContext.getProperty(TRUSTSTORE).getValue();

nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java

@@ -24,6 +24,8 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
+
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.components.AllowableValue;
@@ -89,6 +91,13 @@ public interface SSLContextService extends ControllerService {
     @Deprecated
     SSLContext createSSLContext(ClientAuth clientAuth) throws ProcessException;
 
+    /**
+     * Create X.509 Trust Manager using configured properties
+     *
+     * @return {@link X509TrustManager} initialized using configured properties
+     */
+    X509TrustManager createTrustManager();
+
     String getTrustStoreFile();
 
     String getTrustStoreType();

nifi-nar-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/pom.xml

@@ -108,11 +108,6 @@
             <artifactId>nifi-expression-language</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-web-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-        </dependency>
         <dependency>
             <groupId>javax.servlet</groupId>
             <artifactId>javax.servlet-api</artifactId>