axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From thomas.che...@ascentialsoftware.com
Subject RE: Specific TrustManager for Axis client over SSL
Date Fri, 08 Nov 2002 04:19:00 GMT
Thanks for the help, I appreciate.

I am actually not strongly attached to TLS vs SSL (I put TLS in my example
as I extracted most of it from the JSSE reference help). I guess I need to
get back to the JSSE documentation to understand how to configure my JVM to
use my TrustManager. Worst case, if I do not find a way to do it, I can
probably do what you suggest which does not seem too bad.

Thanks again.

Thomas


-----Original Message-----
From: Richard Sitze [mailto:rsitze@us.ibm.com] 
Sent: Thursday, November 07, 2002 6:02 PM
To: axis-dev@xml.apache.org
Subject: Re: Specific TrustManager for Axis client over SSL


Don't worry so much about the AXIS SocketFactory classes, they don't map 
to what you think they map to...  they are purely internal.

The DEFAULT behavior in AXIS is to use JSSE directly, which allows you to 
configure your security as-per the Java security model - see the JSSE 
documentation on how to register and install for your JVM.  If you can 
configure the JVM to use your TrustManager, you will not have anything 
more to do on the AXIS end of things.  Unfortunately, not everything can 
be done via Java security settings/configuration.  For example, you can 
only use SSL.  If you want to use TLS (transport layer security) instead, 
you must write your own code to register/configure the security system... 
and that is exactly what the SunJSSESocketFactory code does (ignore the 
class comment that says SSL).  It demonstrates how YOU can override the 
JVM configuration.

Now, I'm not an expert in this area, so I cannot say if your code is 
correct or not... but assuming that it is (you want TLS instead of SSL, 
and that you cannot otherwise configure the TrustManager), then: 1.  copy
SunJSSESocketFactory to MyJSSESocketFactory 2.  have MyJSSESocketFactory
implement SecureSocketFactory (that's a bug 
in JSSESocketFactory & SunJSSESocketFactory).
3.  modify the MyJSSESocketFactory.getContext() method to use your trust 
manager & return the context... (let Axis handle the SocketFactory):

     ....
     TrustManager[] myTM = new TrustManager [] { new MyTrustManager() }; 
     SSLContext ctx = SSLContext.getInstance ("TLS"); 
     ctx.init (null, myTM, null); 
     return ctx;


Then, create a jar file containing:
          my/package/MyJSSESocketFactory.class
 META-INF/services/org.apache.axis.components.net.SecureSocketFactory

This last file must contain a single line of text that directs Axis to 
your implementation.  In this case, put in
          my/package/MyJSSESocketFactory

Finally, drop your Jar file into the CLASSPATH where Axis will be able to 
locate the service declaration and your implementation.

Happy Trails, <ras>

*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development




thomas.cherel@ascentialsoftware.com
11/07/2002 03:17 PM
Please respond to axis-dev
 
        To:     axis-dev@xml.apache.org
        cc: 
        Subject:        Specific TrustManager for Axis client over SSL

 



I wanted to define my own TrustManager to define customized actions when 
web service server is not trusted. 
It seems that the way to do it is to use the axis.socketSecureFactory 
property to define your own socket factory. 
But it also seem that the axis SocketFactory interface to implement is a 
proprietary one (org/apache/axis/components/net/SocketFactory.java).
The problem in my case is that I do not want to create a new SocketFactory 
class, I'd like to reuse the default one provided by JSSE.
I guess I can write a wrapper on top of the default JSSE one, but it does 
not seem trivial to do so. 
According to what I understood form the JSSE documentation, I need to do 
something like that: 
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() }; 
SSLContext ctx = SSLContext.getInstance ("TLS"); 
ctx.init (null, myTM, null); 
SocketFactory socketFactory = ctx.getSocketFactory(); 
And I do not have to write my own SocketFactory in order to do that. 
Am I missing something or the only way is to write my own socket factory? 
Thanks. 
Thomas 

Mime
View raw message