hc-httpclient-users mailing list archives

From Raul Acevedo <r...@cantara.com>
Subject Re: how to do client authentication
Date Fri, 30 Nov 2007 03:54:15 GMT
Well I looked more carefully at Julius' example and other sample code
and figured out my problem is I was missing the
Protocol.registerProtocol line.

Unfortunately this sets the protocol handler globally, which is why
Julius does a little hack of registering using "https-foo" and changing
the URL to be "https-foo://blah".  This works but I'm not crazy about
it.  Is there another way of setting the protocol handler for only a
specific request?  In the end I'm trying to set the keystore per
request, not globally.

Thanks,

Raul

On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
> Hi, Raul,
> 
> I use this technique:
> 
> http://www.juliusdavies.ca/commons-ssl/TrustExample.java.html
> 
> 
> But I usually change the name of the scheme to something like
> "https-foo://", so that only "https-foo://" uses the client cert, and
> "https://" continues to behave as before.  So maybe more like this:
> 
> 
> HttpSecureProtocol f = new HttpSecureProtocol();
> 
> // might as well trust the usual suspects:
> f.addTrustMaterial(TrustMaterial.CACERTS);
> 
> // add client cert
> char[] pwd = {'p','w','d'};
> f.setKeyMaterial(new KeyMaterial("/path/to/file.jks", pwd));
> 
> Protocol clientHttps = new Protocol("https-foo", f, 443);
> Protocol.registerProtocol("https-foo", clientHttps);
> 
> HttpClient client = new HttpClient();
> GetMethod httpget = new GetMethod("https-foo://www.server.com/");
> client.executeMethod(httpget);
> 
> 
> NOTE:  This assumes not-yet-commons-ssl.jar is on your classpath, and
> that you're using that instead of compiling the httpclient "contrib"
> code on your own.  Not-Yet-Commons-SSL already has these in its jar
> file:
> 
> AuthSSLProtocolSocketFactory
> EasySSLProtocolSocketFactory
> StrictSSLProtocolSocketFactory
> 
> 
> Good luck!  It's been working well for me for years.
> 
> yours,
> 
> Julius
> 
> 
> On Nov 29, 2007 9:47 AM, Raul Acevedo <raul@cantara.com> wrote:
> > I don't want to omit keystore and truststore; I'm doing bidirectional
> > (client and server) SSL authentication, that's the whole point.
> >
> > Do you know why I get the SocketException?  In general, has anyone
> > successfully done both client and server SSL authentication with
> > HttpClient without using the javax.net.ssl.keyStore and trustStore
> > properties?
> >
> > Raul
> >
> >
> > On Nov 29, 2007, at 3:19 AM, Oleg Kalnichevski wrote:
> >
> > >
> > > On Wed, 2007-11-28 at 20:08 -0800, Raul Acevedo wrote:
> > >> Is there a way to do client authentication with HttpClient without
> > >> setting javax.net.ssl.keyStore?
> > >>
> > >> I tried the following code after building the contrib files:
> > >>
> > >>     HttpClient httpClient = new HttpClient();
> > >>     URL keyStoreURL = new URL("file:/home/raul/keyStore.jks");
> > >>     URL trustStoreURL = new URL("file:/home/raul/trustStore.jks");
> > >>     AuthSSLProtocolSocketFactory socketFactory =
> > >>         new AuthSSLProtocolSocketFactory(
> > >>             keyStoreURL, "keyStorePassword", trustStoreURL, "trustStorePassword");
> > >>     // url: the target java.net.URL, defined elsewhere in the original code
> > >>     Protocol httpsProtocol = new Protocol(url.getProtocol(), socketFactory, url.getPort());
> > >>     httpClient.getHostConfiguration().setHost(url.getHost(), url.getPort(), httpsProtocol);
> > >>
> > >> But this fails with:
> > >>
> > >>     java.net.SocketException: Default SSL context init failed: null
> > >>
> > >> Thanks,
> > >>
> > >> Raul Acevedo
> > >> http://www.cantara.com
> > >>
> > >
> > > Paul,
> > >
> > > (1) Keystore is optional. You can safely omit it.
> > > (2) Implement a custom trust manager that trusts anything. This way
> > > you will not need a truststore.
> > > (3) Implement your own protocol socket factory that initializes the
> > > SSL context with your own trust-anything trust manager. You can use
> > > EasySSLProtocolSocketFactory as a starting point.
> > >
> > > Hope this helps,
> > >
> > > Oleg
> > >
> > >>
> 
> 


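Added example (not code from this thread, from HttpClient or from Not-Yet-Commons-SSL; the host name, keystore paths and passwords are placeholders): the per-request alternative Raul asks about. In HttpClient 3.x a HostConfiguration carries its own Protocol instance, so a keystore can be bound to a single request without Protocol.registerProtocol and without renaming the scheme; the method must use a relative URI, because an absolute "https://..." URI makes executeMethod re-resolve the scheme through the global registry and silently bypass the custom factory.

```java
import java.net.URL;

import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;

public class PerRequestClientCert {

    /**
     * Build a Protocol bound to one keystore/truststore pair. Nothing is
     * registered globally, so plain "https://" keeps its default behaviour
     * and the truststore stays a real one (no trust-anything manager).
     */
    static Protocol clientCertProtocol(URL keyStore, String keyStorePassword,
                                       URL trustStore, String trustStorePassword) {
        ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(
                keyStore, keyStorePassword, trustStore, trustStorePassword);
        // The scheme name only labels this instance; it is never looked up by name.
        return new Protocol("https", factory, 443);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and host; substitute your own.
        Protocol perRequest = clientCertProtocol(
                new URL("file:/path/to/keyStore.jks"), "keyStorePassword",
                new URL("file:/path/to/trustStore.jks"), "trustStorePassword");

        HostConfiguration hostConfig = new HostConfiguration();
        hostConfig.setHost("www.example.com", 443, perRequest);

        HttpClient client = new HttpClient();
        // Relative URI on purpose: an absolute URI would make executeMethod call
        // HostConfiguration.setHost(uri), which resolves the scheme with
        // Protocol.getProtocol("https") from the global registry and drops
        // the factory configured above.
        GetMethod get = new GetMethod("/");
        try {
            int status = client.executeMethod(hostConfig, get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

A second request with a different keystore just builds another Protocol and HostConfiguration the same way; the two never touch each other or the global registry.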
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

