commons-dev mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: FTP Client Using SSL
Date Sat, 27 Jan 2007 20:12:33 GMT
Whoops!  My example forgot to include its "getDefault()" method!

package a.b.c;

import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

public class SSL extends org.apache.commons.ssl.SSLClient {

  // The hook contract: the configured class exposes a static getDefault()
  // that returns the SSLSocketFactory the library should use.
  public static SSLSocketFactory getDefault()
    throws GeneralSecurityException, IOException {
    return new SSL();
  }

  public SSL() throws GeneralSecurityException, IOException {
    super();
    super.setCheckCRL( true );
    super.setCheckHostname ( false );
    super.setCheckExpiry( false );

    // Trust anchors (PEM) and the client certificate/key (PKCS#12).
    TrustMaterial tm = new TrustMaterial( "/path/to/certs.pem" );
    char[] password = "secret".toCharArray();
    KeyMaterial km = new KeyMaterial( "/path/to/pkcs12.der", password );

    super.setTrustMaterial( tm );
    super.setKeyMaterial( km );
  }
}



On 1/27/07, Julius Davies <juliusdavies@gmail.com> wrote:
>
> ps.  If you are interested, here's how you provide the hook to
> "not-yet-commons-ssl.jar".
>
> Add a new "config property" (config file, System.getProperty(), get/set
> bean... however you normally do these things) to your library.  The property
> should be something like this:
>
> "org.apache.commons.net.ssl.clientFactory"
>
> If the property is not set, your library should probably just default to this:
>
> HttpsURLConnection.getDefaultSSLSocketFactory();
>
> That's usually preferable to SSLSocketFactory.getDefault() because
> HttpsURLConnection's default socket factory will magically use the browser's
> ssl-proxy settings and client certs if Java is being run from "Webstart" or
> from an applet.  (And, seriously, you never know where someone is going to
> use your library!)
>
> Anyway... back to "not-yet-commons-ssl"....
>
> Suppose the following is set:
>
> org.apache.commons.net.ssl.factory=a.b.c.SSL
>
> The contract of the "hook" is that the class specified will contain a
> static getDefault() method, so you can use this to get the factory:
>
>
>         Class c = Class.forName( "a.b.c.SSL" );
>         Method m = c.getMethod( "getDefault", null );
>         SSLSocketFactory sf = (SSLSocketFactory) m.invoke( null, null );
>
>
> Meanwhile, the application developer who's using your library can then do
> something like this to specify a particular set of TrustAnchors, Client
> Certificates, special validation, etc, that they know they need when using
> SSL in their environment.  (Really handy for dealing with self-signed "dev"
> certs in a way that doesn't pollute every SSL socket then created anywhere
> in the JVM!).
>
> package a.b.c;
> public class SSL extends org.apache.commons.ssl.SSLClient {
>
>   public SSL() throws GeneralSecurityException, IOException {
>     super();
>     super.setCheckCRL( true );
>     super.setCheckHostname ( false );
>     super.setCheckExpiry( false );
>
>     TrustMaterial tm = new TrustMaterial( "/path/to/certs.pem" );
>     char[] password = "secret".toCharArray();
>     KeyMaterial km = new KeyMaterial( "/path/to/pkcs12.der", password );
>
>     super.setTrustMaterial( tm );
>     super.setKeyMaterial( km );
>   }
> }
>
>
> The nice thing about this hook:  "commons-net" doesn't have to include ANY
> reference to "not-yet-commons-ssl".  There's no compile-time dependency, and
> certainly no runtime dependency.  The static getDefault() method is already
> a standard part of javax.net.ssl.SSLSocketFactory!  Application developers
> using your library *could* specify this!
>
> org.apache.commons.net.ssl.clientFactory=javax.net.ssl.SSLSocketFactory
>
>
> (I guess in FTP's case, you also need to create Server-Sockets for those
> weird "PASSIVE" connections?... But it's all the same - just one more line
> of config that can be ignored since you'll safely default to
> "javax.net.ssl.SSLServerSocketFactory.getDefault()" anyway unless people
> want to get fancy with not-yet-commons-ssl's "SSLServer" class).
>
>
> yours,
>
> Julius
> http://juliusdavies.ca/commons-ssl/
>
>
> On 1/27/07, Julius Davies <juliusdavies@gmail.com> wrote:
> >
> > Hi,
> >
> > I thought I'd mention that "not-yet-commons-ssl-0.3.5" might be useful
> > when using FTPS:
> >
> > http://juliusdavies.ca/commons-ssl/
> >
> > Apache has received my personal CLA, and my company's CCLA.  I'm still
> > waiting for the CCLA to come back in the mail before I formally start
> > incubation.
> >
> > yours,
> >
> > Julius
> >
> >

-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
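An added example (not from the mail and not commons-ssl or commons-net code) of the library-side lookup the quoted message describes: read the org.apache.commons.net.ssl.clientFactory property, fall back to HttpsURLConnection's default factory when it is unset, and otherwise call the configured class's static getDefault() through reflection. The class name SslFactoryHook and the fail-closed handling of a misconfigured hook are assumptions; the instance check on the returned object (rather than on the declared return type) is what lets the plain javax.net.ssl.SSLSocketFactory value from the mail work as well.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical library-side resolver for the static getDefault() hook contract.
public final class SslFactoryHook {

  // Property name taken from the mail; the resolution logic below is an assumption.
  public static final String PROPERTY = "org.apache.commons.net.ssl.clientFactory";

  private SslFactoryHook() {}

  public static SSLSocketFactory resolve() {
    String className = System.getProperty(PROPERTY);
    if (className == null || className.trim().isEmpty()) {
      // Nothing configured: HttpsURLConnection's default picks up the
      // Webstart/applet proxy settings and client certs the mail mentions.
      return HttpsURLConnection.getDefaultSSLSocketFactory();
    }
    try {
      Class<?> c = Class.forName(className.trim());
      Method m = c.getMethod("getDefault", (Class<?>[]) null);
      if (!Modifier.isStatic(m.getModifiers())) {
        throw new IllegalStateException(className + ".getDefault() is not static");
      }
      // Check the object that comes back, not the declared return type:
      // javax.net.ssl.SSLSocketFactory.getDefault() is declared to return
      // javax.net.SocketFactory, so a return-type check would wrongly reject it.
      Object factory = m.invoke(null, (Object[]) null);
      if (!(factory instanceof SSLSocketFactory)) {
        throw new IllegalStateException(
            className + ".getDefault() did not return an SSLSocketFactory");
      }
      return (SSLSocketFactory) factory;
    } catch (ClassNotFoundException | NoSuchMethodException
             | IllegalAccessException | InvocationTargetException e) {
      // Fail closed: a misconfigured hook must not silently fall back to the
      // JVM default and quietly change which trust material is in effect.
      throw new IllegalStateException("Cannot load SSL factory hook " + className, e);
    }
  }
}
```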
