cxf-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: a solution for ssl client via java code
Date Thu, 24 Apr 2008 21:09:06 GMT

Flipping to dev@cxf.apache.org....


I'm definitely open to this idea.  Feel free to log a jira and attach a 
patch.   I may have Fred look at it a bit before applying it, but I 
think the idea has some merits.  Certainly may be easier to configure 
some security stuff if the user is very familiar with JSSE and the 
SSLSocketFactory stuff instead of the CXF apis.

Dan



On Thursday 24 April 2008, Julius Davies wrote:
> If I succeed at subscribing, I'd like to mention two things:
>
> #1.  Just some minor editing to Sudip's great instructions.
>
> #2.  Things would be easier if TLSClientParameters could include
> setSSLSocketFactory/getSSLSocketFactory.  That way people could do
> this:
>
> // Just a sub-class of javax.net.ssl.SSLSocketFactory
> SSLClient client = new SSLClient();
> client.addTrustMaterial( TrustMaterial.DEFAULT );
> client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
> // To be different, let's allow for expired certificates (not recommended).
> client.setCheckHostname( true );  // default setting is "true" for SSLClient
> client.setCheckExpiry( false );   // default setting is "true" for SSLClient
> client.setCheckCRL( true );       // default setting is "true" for SSLClient
>
> // This method doesn't exist yet, but if people are interested, I'll send a patch.
> tlsClientParameters.setSSLSocketFactory(client);
>
>
> CXF wouldn't need to know anything about not-yet-commons-ssl, because
> org.apache.commons.ssl.SSLClient is a subclass of
> javax.net.ssl.SSLSocketFactory!
>
>
> Would CXF be interested in a patch like that?  Other fancy libraries
> that offer handy sub-classes of javax.net.ssl.SSLSocketFactory would
> also benefit.
>
> (This should probably be sent to dev, not users - now people searching
> through google are going to start complaining that the
> tlsClientParameters.setSSLSocketFactory() method is missing!)
>
> yours,
>
> Julius
>
> On Thu, Apr 24, 2008 at 9:16 AM, sudip shrestha <sudipx@gmail.com> wrote:
> > I have worked with the developer, Julius Davies
> > (http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution,
> > which he currently refers to as "not-yet-commons-ssl", to work out a
> > very simple and reusable solution to develop a java client for ssl
> > based connections.  This library encapsulates all the internal ssl
> > connection details.  I am posting this for the benefit of those who
> > are trying to develop a client without spring.
> >
> > 1. First download the commons-ssl library from
> > http://juliusdavies.ca/commons-ssl/download.html and extract the
> > .jar file, then run the following command:
> >
> > java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm /yourPathTo/host.crt
> >
> > 2. Then copy the section between -----BEGIN CERTIFICATE----- and
> > -----END CERTIFICATE----- and put it in a Certificate.java file or
> > whichever way you prefer.
> >
> > Then I have provided the code below:
> > 3. Client Code:
> > import org.apache.cxf.configuration.jsse.TLSClientParameters;
> > import org.apache.cxf.configuration.security.FiltersType;
> > import org.apache.cxf.endpoint.Client;
> > import org.apache.cxf.frontend.ClientProxy;
> > import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
> > import org.apache.cxf.transport.http.HTTPConduit;
> >
> > // Build the JAX-WS proxy for the HTTPS endpoint.
> > JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
> > factory.setServiceClass( HelloWorld.class );
> > factory.setAddress( "https://localhost/services/HelloWorld" );
> > HelloWorld port = (HelloWorld) factory.create();
> >
> > // Reach the HTTP conduit behind the proxy and hand it the TLS settings.
> > Client client = ClientProxy.getClient( port );
> > HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
> > TLSClientParameters tlsParams = new TLSClientParameters();
> > tlsParams.setSecureSocketProtocol("SSL");
> > FiltersType filters = new FiltersType();
> > filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
> > filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
> > tlsParams.setCipherSuitesFilter(filters);
> >
> > tlsParams.setTrustManagers( getTrustManagers() );  //<<===== from step 4.
> > httpConduit.setTlsClientParameters(tlsParams);
> >
> >
> > 4. getTrustManagers function:
> >
> > import javax.net.ssl.TrustManager;
> > import org.apache.commons.ssl.TrustChain;
> > import org.apache.commons.ssl.TrustMaterial;
> >
> > private TrustManager[] getTrustManagers()
> >         throws java.security.NoSuchAlgorithmException, java.security.KeyStoreException,
> >                java.io.IOException, java.security.GeneralSecurityException
> > {
> >     byte[] pemCert = Certificates.pemCert_localhost;  //<<===== comes from your Certificate.java file where you would store the cert content from step 2.
> >
> >     // Trust the server's own cert first, then fall back to the JRE's cacerts.
> >     TrustChain tc = new TrustChain();
> >     tc.addTrustMaterial( new TrustMaterial( pemCert ) );
> >     tc.addTrustMaterial( TrustMaterial.CACERTS );
> >     return ( TrustManager[] ) tc.getTrustManagers();
> > }



-- 
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog
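Added example, not code from this thread, from CXF or from commons-ssl: the same trust setup done with plain JSSE (the route Dan mentions for users who already know SSLSocketFactory and friends), feeding CXF's TLSClientParameters directly. It assumes the HelloWorld service interface and address from Sudip's step 3; the SERVER_CERT_PEM constant is a placeholder for the certificate copied in step 2, and the "pinned-N" key-store aliases are arbitrary. It deliberately differs from step 3 in two places: "TLS" instead of "SSL" as the protocol, and a cipher-suite filter that excludes RC4, MD5, NULL and anonymous suites instead of including two RC4 suites.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Added example (not from the thread, CXF or commons-ssl): build CXF
 * TLSClientParameters from a PEM server certificate using only JSSE.
 * HelloWorld is the service interface assumed from the thread.
 */
public class PinnedTlsClientExample {

    /** Placeholder: paste the -----BEGIN CERTIFICATE----- block from step 2 here. */
    static final String SERVER_CERT_PEM =
        "-----BEGIN CERTIFICATE-----\n"
      + "...base64 lines of the server certificate...\n"
      + "-----END CERTIFICATE-----\n";

    /**
     * TrustManager[] that trusts exactly the certificate(s) in the PEM text.
     * Unlike the TrustChain in step 4 it does NOT also trust the JRE cacerts,
     * so only the pinned server (or a server it signed for) is accepted.
     */
    public static TrustManager[] trustManagersFromPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty, in-memory trust store
        InputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
        int n = 0;
        for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
            ks.setCertificateEntry("pinned-" + n++, (X509Certificate) c);  // alias is arbitrary
        }
        if (n == 0) {
            throw new IllegalArgumentException("no certificate found in PEM text");
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /**
     * Conduit TLS settings. CXF matches the include/exclude entries of the
     * cipher-suite filter as regular expressions against the JSSE suite names.
     */
    public static TLSClientParameters strictTlsParams(TrustManager[] tms) {
        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");        // step 3 used "SSL"
        tls.setTrustManagers(tms);
        tls.setDisableCNCheck(false);              // keep the hostname check on (the default)
        FiltersType filters = new FiltersType();
        filters.getInclude().add(".*_AES_.*");
        filters.getExclude().add(".*_RC4_.*");      // step 3 included two RC4 suites
        filters.getExclude().add(".*_MD5");
        filters.getExclude().add(".*_NULL_.*");
        filters.getExclude().add(".*_anon_.*");
        tls.setCipherSuitesFilter(filters);
        return tls;
    }

    public static void main(String[] args) throws Exception {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(HelloWorld.class);          // assumed from the thread
        factory.setAddress("https://localhost/services/HelloWorld");
        HelloWorld port = (HelloWorld) factory.create();

        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(strictTlsParams(trustManagersFromPem(SERVER_CERT_PEM)));
        // Calls on port now go over a connection that only accepts the pinned certificate.
    }
}
```

Two points worth checking before copying either recipe into production: the TrustChain in step 4 adds TrustMaterial.CACERTS after the self-signed cert, so the client also accepts any server the JRE's default CAs vouch for; drop that line if the intent is to talk to one known server only. And the RC4/MD5 suites included in step 3 are weak; an exclude filter like the one above keeps the negotiation on AES suites without having to enumerate them by name.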
