commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: FTP Client Using SSL
Date Sat, 27 Jan 2007 19:43:58 GMT
ps.  If you are interested, here's how you provide the hook to "
not-yet-commons-ssl.jar".

Add a new "config property" (config file, System.getProperty(), get/set
bean... however you normally do these things) to your library.  The property
should be something like this:

"org.apache.commons.net.ssl.clientFactory"

If the property is not, your library should probably just default to this:

HttpsURLConnection.getDefaultSSLSocketFactory();

That's usually preferable to SSLSocketFactory.getDefault() because
HttpsURLConnection's default socket factory will magically use the browser's
ssl-proxy settings and client certs if Java is being run from "Webstart" or
from an applet.  (And, seriously, you never know where someone is going to
use your library!)

Anyway... back to "not-yet-commons-ssl"....

Suppose the following is set:

org.apache.commons.net.ssl.factory=a.b.c.SSL

The contract of the "hook" is that the class specified will contain a static
getDefault() method, so you can use this to get the factory:


        Class c = Class.forName( "a.b.c.SSL" );
        Method m = c.getMethod( "getDefault", null );
        SSLSocketFactory sf = (SSLSocketFactory) m.invoke( null, null );


Meanwhile, the application developer who's using your library can then do
something like this to specify a particular set of TrustAnchors, Client
Certificates, special validation, etc, that they know they need when using
SSL in their environment.  (Really handy for dealing with self-signed "dev"
certs in a way that doesn't pollute every SSL socket then created anywhere
in the JVM!).

package a.b.c;
public class SSL extends org.apache.commons.ssl.SSLClient {

  public SSL() throws GeneralSecurityException, IOException {
    super();
    super.setCheckCRL( true );
    super.setCheckHostname( false );
    super.setCheckExpiry( false );

    TrustMaterial tm = new TrustMaterial( "/path/to/certs.pem" );
    char[] password = "secret".toCharArray();
    KeyMaterial km = new KeyMaterial( "/path/to/pkcs12.der", password );

    super.setTrustMaterial( tm );
    super.setKeyMaterial( km );
  }
}


The nice thing about this hook:  "commons-net" doesn't have to include ANY
reference to "not-yet-commons-ssl".  There's no compile-time dependency, and
certainly no runtime dependency.  The static getDefault() method is already
a standard part of javax.net.ssl.SSLSocketFactory!  Application developers
using your library *could* specify this!

org.apache.commons.net.ssl.clientFactory=javax.net.ssl.SSLSocketFactory


(I guess in FTP's case, you also need to create Server-Sockets for those
weird "PASSIVE" connections?... But it's all the same - just one more line
of config that can be ignored since you'll safely default to "
javax.net.ssl.SSLServerSocketFactory.getDefault()" anyway unless people want
to get fancy with not-yet-commons-ssl's "SSLServer" class).


yours,

Julius
http://juliusdavies.ca/commons-ssl/


On 1/27/07, Julius Davies <juliusdavies@gmail.com> wrote:
>
> Hi,
>
> I thought I'd mention that "not-yet-commons-ssl-0.3.5" might be useful
> when using FTPS:
>
> http://juliusdavies.ca/commons-ssl/
>
> Apache has recieved my personal CLA, and my company's CCLA.  I'm still
> waiting for the CCLA to come back in the mail before I formally start
> incubation.
>
> yours,
>
> Julius
>
>
> On 1/24/07, Rory Winston <rwinston@eircom.net> wrote:
> >
> > Hi Gene
> >
> > I am hoping to have it out soon, other commitments permitting. Any
> > testing you can do is much appreciated.
> >
> > Thanks
> > Rory
> >
> > gwenning@comcast.net wrote:
> >
> >
>
>
> --
> yours,
>
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/




-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message