From: "Tootell, James" <jctoot...@anteon.com>
Subject: RE: WSDL2Java and SSL
Date: Fri, 23 Sep 2005 18:01:18 GMT
Chris:

I ran into a similar problem and from what I could gather you only have two choices but they depend on how concerned you are about certificate authentication. You can either retrieve the certificate and manually install it ahead of time (using keytool with the trustcacerts flag) or accept ALL certificates (which is what I had to do). Your connections will still be encrypted using SSL but there's no authentication.

There seems to be a flaw in JSSE that SSL certs cannot be dynamically imported AND used in the same JVM instance. To clarify, you can dynamically install them but they won't be read until the JVM is restarted. If you find a way around this, I'd love to hear about it.

The solution for me was to create an "IndiscriminateTrustManager" that implements javax.net.ssl.TrustManager and javax.net.ssl.X509TrustManager and hardwire all the boolean tests:
 
    public class IndiscriminateTrustManager
            implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {

        // Return an empty array rather than null: some JSSE versions
        // dereference this array and throw NullPointerException on null.
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[0];
        }
        // Methods of the older com.sun.net.ssl.X509TrustManager interface;
        // javax.net.ssl never calls them, they are kept for that API only.
        public boolean isServerTrusted(
            java.security.cert.X509Certificate[] certs) {
            return true;
        }
        public boolean isClientTrusted(
            java.security.cert.X509Certificate[] certs) {
            return true;
        }
        // javax.net.ssl methods: a manager that never throws accepts every
        // chain, so the peer is encrypted to but not authenticated.
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs,
            String authType)
            throws java.security.cert.CertificateException {
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs,
            String authType)
            throws java.security.cert.CertificateException {
        }
    }
 
Then you have to modify org.apache.axis.components.net.JSSESocketFactory
to use IndiscriminateTrustManager.  I have a method called
trustAllHttpsCertificates as follows:
 
    private static void trustAllHttpsCertificates() throws Exception {

        // Create a trust manager that does not validate certificate chains:
        javax.net.ssl.TrustManager[] lTrustManagers =
            new javax.net.ssl.TrustManager[1];

        javax.net.ssl.TrustManager lTrustManager =
            new org.apache.axis.components.net.IndiscriminateTrustManager();

        lTrustManagers[0] = lTrustManager;

        javax.net.ssl.SSLContext lSslContext =
            javax.net.ssl.SSLContext.getInstance("SSL");

        // No key managers and no explicit SecureRandom: JSSE defaults are used.
        lSslContext.init(null, lTrustManagers, null);

        // This replaces the socket factory for every HttpsURLConnection in
        // the JVM, not only the Axis client.
        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
            lSslContext.getSocketFactory());
    }
 
Then, in JSSESocketFactory.init() and .create(), you have to call
trustAllHttpsCertificates.
 
 
Hope this helps and, like I said, if you find a more elegant way around
this please let me know.
 
Jim Tootell
System Design, Development, & Integration Department
Anteon Corporation
2251 San Diego Ave., Suite A240
San Diego, CA 92110
(619) 542-0240 x123
mailto:jctootell@anteon.com

There are 10 kinds of people:
  those who understand binary and those who don't.


________________________________

From: Chris Hall [mailto:chris@zingy.com]
Sent: Friday, September 23, 2005 10:06 AM
To: axis-user@ws.apache.org
Subject: WSDL2Java and SSL

Hi all, I'd be very grateful for any help that you can offer me with this issue.

I'm writing code to interact with a WSDL specified web service that uses SSL certificates to verify that a given request is legitimate. That is, SSL is both used to create a secure connection against third parties, but also to establish trust in that connection between the two parties. I've used WSDL2Java to create some client java code which makes the SOAP request.

When I run this code, I get a not trusted type error from the server, after SSL handshaking is correctly executed (I do not get a javax.net.ssl.SSLHandshakeException). If I take the same SOAP request and pipe it into an SSLSocket (that is, I take the generated SOAP from the WSDL2Java generated code and send it to the server with my own socket management code) I get a successful response from the server. In both cases the correct certificate is being put into the client's keystore with java system properties.

So there seems to be something going wrong with how the WSDL2Java generated code sends the SOAP request, but not with how it creates the SOAP and not with how it initiates the connection.

Can anyone offer me any insight?

Thanks so much,

--Chris
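Editor's note: the example below is added to this archive page and is not code from either mail or from Axis. It shows the first of the two options Jim names, trusting a certificate that was obtained ahead of time, done entirely in code at run time: the trust store (the one keytool -importcert writes, or an in-memory store built around a single certificate file) is turned into a standard JSSE X509TrustManager that still validates chains, signatures and expiry, and the client key store that Chris's scenario needs is added through a KeyManagerFactory. The class name, file paths, passwords and the https://service.example URL are placeholders; a modern JDK (try-with-resources) is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Example only (hypothetical class, not Axis code): an SSLContext that
 * authenticates the server against an explicit trust store and presents a
 * client certificate, built at run time from files the program chooses.
 */
public final class ExplicitTrustExample {

    /* Load a JKS or PKCS12 store from disk (trust store or client key store). */
    public static KeyStore loadStore(String path, String type, char[] password)
            throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /* Build an in-memory trust store around one DER/PEM certificate, so a
     * certificate shipped with the application can be trusted without
     * keytool and without restarting the JVM. */
    public static KeyStore trustStoreFor(InputStream certificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(certificate);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);               // empty store, not backed by a file
        store.setCertificateEntry("service", cert);
        return store;
    }

    /* The JSSE-provided X509TrustManager for the store: unlike a
     * trust-everything manager it still rejects unknown, expired or
     * mis-signed chains. */
    public static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /* Key managers that present the client certificate during the handshake,
     * which is how the server decides a request is legitimate. */
    public static KeyManager[] keyManagersFor(KeyStore clientStore, char[] keyPassword)
            throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, keyPassword);
        return kmf.getKeyManagers();
    }

    /* Combine both; pass null for clientStore when no client certificate is needed. */
    public static SSLContext contextFor(KeyStore trustStore, KeyStore clientStore,
                                        char[] keyPassword) throws Exception {
        KeyManager[] kms = clientStore == null ? null : keyManagersFor(clientStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, new TrustManager[] { trustManagerFor(trustStore) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder files and passwords; the trust store is the one written by
        //   keytool -importcert -trustcacerts -keystore truststore.jks -file server.cer
        char[] pw = "changeit".toCharArray();
        KeyStore trusted = loadStore("/path/to/truststore.jks", "JKS", pw);
        KeyStore client  = loadStore("/path/to/client.p12", "PKCS12", pw);
        SSLContext ctx = contextFor(trusted, client, pw);

        // Scope the factory to this connection instead of replacing the JVM-wide
        // default with HttpsURLConnection.setDefaultSSLSocketFactory(...).
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://service.example/soap").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The point of the design is that authentication is kept: a handshake against a server whose certificate is not in the chosen store fails with an SSLHandshakeException instead of silently succeeding, and nothing in the JVM-wide cacerts file has to change. For an Axis 1.x client the same SSLContext can be handed to a custom SecureSocketFactory implementation (Axis 1.x reads the class name from the axis.socketSecureFactory system property; confirm this against your version's JSSESocketFactory) rather than patching JSSESocketFactory itself.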

	 

