hc-httpclient-users mailing list archives

From Raul Acevedo <r...@cantara.com>
Subject Re: how to do client authentication
Date Fri, 30 Nov 2007 00:40:00 GMT
Hi Julius, thanks for your suggestion.  I'm a little hesitant to add a
library from a non-Apache source.  Do you know why my original example
would give an error, or what essentially your code does that is
different that allows it to work?

Thanks,

Raul

On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
> Hi, Raul,
> 
> I use this technique:
> 
> http://www.juliusdavies.ca/commons-ssl/TrustExample.java.html
> 
> 
> But I usually change the name of the scheme to something like
> "https-foo://", so that only "https-foo://" uses the client cert, and
> "https://" continues to behave as before.  So maybe more like this:
> 
> 
> import org.apache.commons.httpclient.HttpClient;
> import org.apache.commons.httpclient.methods.GetMethod;
> import org.apache.commons.httpclient.protocol.Protocol;
> import org.apache.commons.ssl.HttpSecureProtocol;
> import org.apache.commons.ssl.KeyMaterial;
> import org.apache.commons.ssl.TrustMaterial;
> 
> HttpSecureProtocol f = new HttpSecureProtocol();
> 
> // might as well trust the usual suspects:
> f.addTrustMaterial(TrustMaterial.CACERTS);
> 
> // add client cert (keystore path and password)
> char[] pwd = {'p','w','d'};
> f.setKeyMaterial(new KeyMaterial("/path/to/file.jks", pwd));
> 
> // register the factory under its own scheme; plain "https://" is untouched
> Protocol clientHttps = new Protocol("https-foo", f, 443);
> Protocol.registerProtocol("https-foo", clientHttps);
> 
> HttpClient client = new HttpClient();
> GetMethod httpget = new GetMethod("https-foo://www.server.com/");
> client.executeMethod(httpget);
> 
> 
> NOTE:  This assumes not-yet-commons-ssl.jar is on your classpath, and
> that you're using that instead of compiling the httpclient "contrib"
> code on your own.  Not-Yet-Commons-SSL already has these in its jar
> file:
> 
> AuthSSLProtocolSocketFactory
> EasySSLProtocolSocketFactory
> StrictSSLProtocolSocketFactory
> 
> 
> Good luck!  It's been working well for me for years.
> 
> yours,
> 
> Julius
> 
> 
> On Nov 29, 2007 9:47 AM, Raul Acevedo <raul@cantara.com> wrote:
> > I don't want to omit keystore and truststore; I'm doing bidirectional
> > (client and server) SSL authentication, that's the whole point.
> >
> > Do you know why I get the SocketException?  In general, has anyone
> > successfully done both client and server SSL authentication with
> > HttpClient without using the javax.net.ssl.keyStore and trustStore
> > properties?
> >
> > Raul
> >
> >
> > On Nov 29, 2007, at 3:19 AM, Oleg Kalnichevski wrote:
> >
> > >
> > > On Wed, 2007-11-28 at 20:08 -0800, Raul Acevedo wrote:
> > >> Is there a way to do client authentication with HttpClient without
> > >> setting javax.net.ssl.keyStore?
> > >>
> > >> I tried the following code after building the contrib files:
> > >>
> > >>     import java.net.URL;
> > >>     import org.apache.commons.httpclient.HttpClient;
> > >>     import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
> > >>     import org.apache.commons.httpclient.protocol.Protocol;
> > >>
> > >>     // url: the https target (a java.net.URL) built earlier
> > >>     HttpClient httpClient = new HttpClient();
> > >>     URL keyStoreURL = new URL("file:/home/raul/keyStore.jks");
> > >>     URL trustStoreURL = new URL("file:/home/raul/trustStore.jks");
> > >>     // contrib factory: client keystore + truststore, no system properties
> > >>     AuthSSLProtocolSocketFactory socketFactory =
> > >>         new AuthSSLProtocolSocketFactory(
> > >>             keyStoreURL, "keyStorePassword",
> > >>             trustStoreURL, "trustStorePassword");
> > >>     // attach the factory only to this client's host configuration
> > >>     Protocol httpsProtocol = new Protocol(url.getProtocol(),
> > >>         socketFactory, url.getPort());
> > >>     httpClient.getHostConfiguration().setHost(url.getHost(),
> > >>         url.getPort(), httpsProtocol);
> > >>
> > >> But this fails with:
> > >>
> > >>     java.net.SocketException: Default SSL context init failed: null
> > >>
> > >> Thanks,
> > >>
> > >> Raul Acevedo
> > >> http://www.cantara.com
> > >>
> > >
> > > Raul,
> > >
> > > (1) Keystore is optional. You can safely omit it.
> > > (2) Implement a custom trust manager that trusts anything. This way
> > > you will not need a truststore.
> > > (3) Implement your own protocol socket factory that initializes the
> > > SSL context with your own trust-anything trust manager. You can use
> > > EasySSLProtocolSocketFactory as a starting point.
> > >
> > > Hope this helps,
> > >
> > > Oleg
> > >
> > >>
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
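
Editor's added example (not code from this thread, from HttpClient, or from Not-Yet-Commons-SSL): the same "private scheme" technique Julius describes, done with only the JDK's JSSE classes and HttpClient 3.x, so no third-party SSL library is needed and no javax.net.ssl.* system properties are set. The client keystore and a real truststore are loaded explicitly, as Raul asked for bidirectional authentication. The file paths, passwords, the scheme name "https-mtls" and the host www.server.com are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/** HttpClient 3.x factory: presents a client cert from a JKS keystore and
 *  checks the server cert against a JKS truststore, using plain JSSE. */
public class MutualTlsSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory sslFactory;

    public MutualTlsSocketFactory(String keyStorePath, char[] keyStorePassword,
                                  String trustStorePath, char[] trustStorePassword)
            throws Exception {
        // Key managers: the client certificate and private key we present.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyStorePassword), keyStorePassword);
        // Trust managers: CA(s) the server certificate must chain to. Not a
        // trust-anything manager, which would silently drop server authentication.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        this.sslFactory = ctx.getSocketFactory();
    }

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return sslFactory.createSocket(host, port);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return sslFactory.createSocket(host, port, localAddress, localPort);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        if (params == null) throw new IllegalArgumentException("Parameters may not be null");
        int timeout = params.getConnectionTimeout();
        if (timeout == 0) return createSocket(host, port, localAddress, localPort);
        // Honour the connect timeout: unconnected SSL socket, bind, connect with deadline.
        Socket socket = sslFactory.createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        try {
            socket.connect(new InetSocketAddress(host, port), timeout);
        } catch (SocketTimeoutException e) {
            throw new ConnectTimeoutException("Connect to " + host + ":" + port + " timed out");
        }
        return socket;
    }

    // Used when tunnelling through a proxy: layer TLS over an existing socket.
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return sslFactory.createSocket(socket, host, port, autoClose);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and passwords; replace with your own.
        ProtocolSocketFactory factory = new MutualTlsSocketFactory(
                "/home/raul/keyStore.jks", "keyStorePassword".toCharArray(),
                "/home/raul/trustStore.jks", "trustStorePassword".toCharArray());
        // Register under a private scheme so ordinary https:// keeps its default factory.
        Protocol.registerProtocol("https-mtls", new Protocol("https-mtls", factory, 443));
        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod("https-mtls://www.server.com/");  // hypothetical host
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP status: " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, requests must be issued with the "https-mtls://" scheme: an absolute "https://" URI on the method makes HttpClient 3.x look up the registered "https" protocol and use the default JSSE factory, bypassing the one attached to a host configuration. Second, a raw JSSE SSLSocket does chain validation but no hostname verification (HttpsURLConnection does that on its own), so with this factory the server certificate is checked against the truststore but not matched to www.server.com; verify the peer certificate's subject or subject alternative name against the target host after the handshake, or, on Java 7 and later, enable endpoint identification through SSLParameters.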

