axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject RE: Axis SSL authentication help!
Date Wed, 14 Nov 2012 13:43:58 GMT



You need 2 different webapps 
one which implements  SunFakeTrustSocketFactory for implementing unsigned server certs
..which would NEVER be used in Production Environment
this would allow someone's client to hack in with their own self-signed certs

one which implements http://ws.apache.org/axis/java/apiDocs/org/apache/axis/components/net/SunJSSESocketFactory.html
provided requesting client has a valid (public) key of type RSA AND your client or B2B requesting
entity supports JSSE key exchange
this would prevent someone's client to hack in with their own self-signed certs

so the question is are you implementing with self-signed certs OR are you using CA level certs
(such as certs obtained from Verisign or Thawte)

Martin 
______________________________________________  
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten
wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist
unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet
keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen
wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire
prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe
quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information
seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les
email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune
responsabilité pour le contenu fourni.


Date: Tue, 13 Nov 2012 22:27:37 -0800
From: akmeref@yahoo.com
Subject: Re: Axis SSL authentication help!
To: java-user@axis.apache.org

Also why are you mentioning about the refactoring to different web apps? I am asking about
client side code

        From: Martin Gainty <mgainty@hotmail.com>
 To: java-user@axis.apache.org 
 Sent: Wednesday, November 14, 2012 4:03 AM
 Subject: RE: Axis SSL authentication help!
   





 need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).

MG>you need to retask this to use 2 separate webapps
MG>one which will authenticate your credentials with MySSLSocketFactory
MG>one which not authenticate which will use SunFakeTrustSocketFactory

MG>this is very clumsy and your options for specifying the security algorithm of your choosing
as well as custom keysize are quite limited
MG>why not use Axis2 and engage the Rampart Security Module?
MG>Martin

Date: Tue, 13 Nov 2012 13:37:28 -0800
From: akmeref@yahoo.com
Subject: Axis SSL authentication help!
To: java-user@axis.apache.org

Hi,I am
 using Axis 1 and need to do SSL authentication of a web service.I found that I need to use:
AxisProperties.setProperty("axis.socketSecureFactory",
    "com.example.MySSLSocketFactory"); to set my custom factory and trust managers.Problem:
I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).I
assume that this AxisProperties.setProperty is some central property that affects all threads,
right? So how could I implement my use case?Keep reseting AxisProperties.setProperty before
each web service call? Is this the proper way? But I found this bug ticket
 that seems to complaint that once the socket factory is set in AxisProperties it is cached
and any new setting has not
 effect:https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabsIs
there a workarround for this?If you could help me here it would be great guys!Thank you 	
 	   		  


     		 	   		  
Mime
View raw message