hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: how to do client authentication
Date Fri, 30 Nov 2007 09:37:47 GMT

On Thu, 2007-11-29 at 19:54 -0800, Raul Acevedo wrote:
> Well I looked more carefully at Julius' example and other sample code
> and figured out my problem is I was missing the
> Protocol.registerProtocol line.
> 
> Unfortunately this sets the protocol handler globally, which is why
> Julius does a little hack of registering using "https-foo" and changing
> the URL to be "https-foo://blah".  This works but I'm not crazy about
> it.  Is there another way of setting the protocol handler for only a
> specific request?  In the end I'm trying to set the keystore per
> request, not globally.
> 

Just use a custom HostConfiguration 

http://jakarta.apache.org/httpcomponents/httpclient-3.x/apidocs/org/apache/commons/httpclient/HttpClient.html#executeMethod(org.apache.commons.httpclient.HostConfiguration,%20org.apache.commons.httpclient.HttpMethod)

Make sure you use _relative_ request URIs when passing a custom
HostConfiguration to the HttpClient.html#executeMethod.

Oleg
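Oleg's suggestion, worked out as an added example for this archive (it is not code from the thread, from HttpClient, or from Not-Yet-Commons-SSL). The keystore and truststore paths, the passwords, the host name and the class names are placeholders. The Protocol is never passed to Protocol.registerProtocol(), so "https://" URIs elsewhere in the application keep their default socket factory; only the request executed with this HostConfiguration presents the client certificate, and the request URI is relative so that HttpClient does not look the scheme up in the global registry:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Per-request client-certificate authentication with HttpClient 3.x.
 * The socket factory is wrapped in a Protocol that lives only inside a
 * HostConfiguration handed to executeMethod(); nothing is registered globally.
 * (Added example; class and path names are hypothetical.)
 */
public class PerRequestClientCert {

    /** Socket factory backed by an SSLContext built from one keystore/truststore pair. */
    static final class KeyStoreSocketFactory implements SecureProtocolSocketFactory {
        private final SSLContext ctx;

        KeyStoreSocketFactory(String keyStorePath, char[] keyStorePwd,
                              String trustStorePath, char[] trustStorePwd) throws Exception {
            // Client identity: private key + certificate chain from the keystore.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(keyStorePath)) {
                ks.load(in, keyStorePwd);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePwd);

            // Server trust: CA certificates from the truststore (no trust-anything manager).
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                ts.load(in, trustStorePwd);
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);

            ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        }

        // Honour the connection timeout HttpClient passes in via HttpConnectionParams.
        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                                   HttpConnectionParams params) throws IOException {
            if (params == null) {
                throw new IllegalArgumentException("Parameters may not be null");
            }
            Socket socket = ctx.getSocketFactory().createSocket();
            socket.bind(new InetSocketAddress(localAddress, localPort));
            socket.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
            return socket;
        }

        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
                throws IOException {
            return ctx.getSocketFactory().createSocket(host, port, localAddress, localPort);
        }

        public Socket createSocket(String host, int port) throws IOException {
            return ctx.getSocketFactory().createSocket(host, port);
        }

        // Used when layering TLS over an existing (e.g. proxy-tunnelled) socket.
        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                throws IOException {
            return ctx.getSocketFactory().createSocket(socket, host, port, autoClose);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; substitute your own.
        KeyStoreSocketFactory factory = new KeyStoreSocketFactory(
                "/path/to/client.jks", "keyStorePassword".toCharArray(),
                "/path/to/trust.jks", "trustStorePassword".toCharArray());

        // Scheme name stays "https"; the Protocol exists only inside this HostConfiguration.
        Protocol clientCertHttps = new Protocol("https", factory, 443);
        HostConfiguration hostConfig = new HostConfiguration();
        hostConfig.setHost("www.example.com", 443, clientCertHttps);

        HttpClient client = new HttpClient();
        // Relative URI: an absolute "https://..." URI would make HttpClient resolve
        // the scheme through the global registry and ignore the Protocol above.
        GetMethod get = new GetMethod("/");
        try {
            int status = client.executeMethod(hostConfig, get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

A second request that must use a different keystore simply builds another KeyStoreSocketFactory and HostConfiguration; the HttpClient instance itself stays unchanged.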

> Thanks,
> 
> Raul
> 
> On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
> > Hi, Raul,
> > 
> > I use this technique:
> > 
> > http://www.juliusdavies.ca/commons-ssl/TrustExample.java.html
> > 
> > 
> > But I usually change the name of the scheme to something like
> > "https-foo://", so that only "https-foo://" uses the client cert, and
> > "https://" continues to behave as before.  So maybe more like this:
> > 
> > 
> > HttpSecureProtocol f = new HttpSecureProtocol();
> > 
> > // might as well trust the usual suspects:
> > f.addTrustMaterial(TrustMaterial.CACERTS);
> > 
> > // add client cert
> > char[] pwd = {'p','w','d'};
> > f.setKeyMaterial(new KeyMaterial("/path/to/file.jks", pwd));
> > 
> > Protocol clientHttps = new Protocol("https-foo", f, 443);
> > Protocol.registerProtocol("https-foo", clientHttps);
> > 
> > HttpClient client = new HttpClient();
> > GetMethod httpget = new GetMethod("https-foo://www.server.com/");
> > client.executeMethod(httpget);
> > 
> > 
> > NOTE:  This assumes not-yet-commons-ssl.jar is on your classpath, and
> > that you're using that instead of compiling the httpclient "contrib"
> > code on your own.  Not-Yet-Commons-SSL already has these in its jar
> > file:
> > 
> > AuthSSLProtocolSocketFactory
> > EasySSLProtocolSocketFactory
> > StrictSSLProtocolSocketFactory
> > 
> > 
> > Good luck!  It's been working well for me for years.
> > 
> > yours,
> > 
> > Julius
> > 
> > 
> > On Nov 29, 2007 9:47 AM, Raul Acevedo <raul@cantara.com> wrote:
> > > I don't want to omit keystore and truststore; I'm doing bidirectional
> > > (client and server) SSL authentication, that's the whole point.
> > >
> > > Do you know why I get the SocketException?  In general, has anyone
> > > successfully done both client and server SSL authentication with
> > > HttpClient without using the javax.net.ssl.keyStore and trustStore
> > > properties?
> > >
> > > Raul
> > >
> > >
> > > On Nov 29, 2007, at 3:19 AM, Oleg Kalnichevski wrote:
> > >
> > > >
> > > > On Wed, 2007-11-28 at 20:08 -0800, Raul Acevedo wrote:
> > > >> Is there a way to do client authentication with HttpClient without
> > > >> setting javax.net.ssl.keyStore?
> > > >>
> > > >> I tried the following code after building the contrib files:
> > > >>
> > > >>     // url is the java.net.URL of the target server, declared earlier
> > > >>     HttpClient httpClient = new HttpClient();
> > > >>     URL keyStoreURL = new URL("file:/home/raul/keyStore.jks");
> > > >>     URL trustStoreURL = new URL("file:/home/raul/trustStore.jks");
> > > >>     AuthSSLProtocolSocketFactory socketFactory =
> > > >>         new AuthSSLProtocolSocketFactory(
> > > >>                 keyStoreURL, "keyStorePassword",
> > > >>                 trustStoreURL, "trustStorePassword");
> > > >>     Protocol httpsProtocol = new Protocol(url.getProtocol(),
> > > >>             socketFactory, url.getPort());
> > > >>     httpClient.getHostConfiguration().setHost(url.getHost(),
> > > >>             url.getPort(), httpsProtocol);
> > > >>
> > > >> But this fails with:
> > > >>
> > > >>     java.net.SocketException: Default SSL context init failed: null
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Raul Acevedo
> > > >> http://www.cantara.com
> > > >>
> > > >
> > > > Paul,
> > > >
> > > > (1) Keystore is optional. You can safely omit it.
> > > > (2) Implement a custom trust manager that trusts anything. This way
> > > > you will not need a truststore.
> > > > (3) Implement your own protocol socket factory that initializes the
> > > > SSL context with your own trust-anything trust manager. You can use
> > > > EasySSLProtocolSocketFactory as a starting point.
> > > >
> > > > Hope this helps,
> > > >
> > > > Oleg
> > > >
> > > >>
> > 
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 
> 

