hc-httpclient-users mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: how to do client authentication
Date Thu, 29 Nov 2007 19:29:41 GMT
Hi, Raul,

I use this technique:

http://www.juliusdavies.ca/commons-ssl/TrustExample.java.html


But I usually change the name of the scheme to something like
"https-foo://", so that only "https-foo://" uses the client cert, and
"https://" continues to behave as before.  So maybe more like this:


HttpSecureProtocol f = new HttpSecureProtocol();

// might as well trust the usual suspects:
f.addTrustMaterial(TrustMaterial.CACERTS);

// add client cert
char[] pwd = {'p','w','d'};
f.setKeyMaterial(new KeyMaterial("/path/to/file.jks", pwd));

Protocol clientHttps = new Protocol("https-foo", f, 443);
Protocol.registerProtocol("https-foo", clientHttps);

HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https-foo://www.server.com/");
client.executeMethod(httpget);


NOTE:  This assumes not-yet-commons-ssl.jar is on your classpath, and
that you're using that instead of compiling the httpclient "contrib"
code on your own.  Not-Yet-Commons-SSL already has these in its jar
file:

AuthSSLProtocolSocketFactory
EasySSLProtocolSocketFactory
StrictSSLProtocolSocketFactory


Good luck!  It's been working well for me for years.

yours,

Julius


On Nov 29, 2007 9:47 AM, Raul Acevedo <raul@cantara.com> wrote:
> I don't want to omit keystore and truststore; I'm doing bidirectional
> (client and server) SSL authentication, that's the whole point.
>
> Do you know why I get the SocketException?  In general, has anyone
> successfully done both client and server SSL authentication with
> HttpClient without using the javax.net.ssl.keyStore and trustStore
> properties?
>
> Raul
>
>
> On Nov 29, 2007, at 3:19 AM, Oleg Kalnichevski wrote:
>
> >
> > On Wed, 2007-11-28 at 20:08 -0800, Raul Acevedo wrote:
> >> Is there a way to do client authentication with HttpClient without
> >> setting javax.net.ssl.keyStore?
> >>
> >> I tried the following code after building the contrib files:
> >>
> >>     HttpClient httpClient = new HttpClient();
> >>     URL keyStoreURL = new URL("file:/home/raul/keyStore.jks");
> >>     URL trustStoreURL = new URL("file:/home/raul/trustStore.jks");
> >>     AuthSSLProtocolSocketFactory socketFactory =
> >>         new AuthSSLProtocolSocketFactory(
> >>                 keyStoreURL, "keyStorePassword", trustStoreURL,
> >> "trustStorePassword");
> >>     Protocol httpsProtocol = new Protocol(url.getProtocol(),
> >> socketFactory, url.getPort());
> >>     httpClient.getHostConfiguration().setHost(url.getHost(),
> >> url.getPort(), httpsProtocol);
> >>
> >> But this fails with:
> >>
> >>     java.net.SocketException: Default SSL context init failed: null
> >>
> >> Thanks,
> >>
> >> Raul Acevedo
> >> http://www.cantara.com
> >>
> >
> > Paul,
> >
> > (1) Keystore is optional. You can safely omit it.
> > (2) Implement a custom trust manager that trusts anything. This way
> > you
> > will not need a truststore.
> > (3) Implement your own protocol socket factory that initializes the
> > SSL
> > context with your own trust-anything trust manager. You can use
> > EasySSLProtocolSocketFactory as a starting point.
> >
> > Hope this helps,
> >
> > Oleg
> >
> >>


-- 
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
