tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: truststoreFile vs javax.net.ssl.trustStore
Date Thu, 19 Aug 2010 17:29:08 GMT

Estanislao,

On 8/16/2010 4:34 AM, Estanislao Gonzalez wrote:
> thanks a lot for your help! I've solved the matter but I have still some
> questions and some interesting findings I would like to share, so please
> continue reading this email :-)

Glad you found the problem and that things are working and/or making
sense, now.

> My proposal to these people was to read the connector configuration and
> set up httpclient in a proper way. To my knowledge this could be done
> this way:
> ---
>       Connector[] connectors =
>           org.apache.catalina.ServerFactory.getServer()
>               .findService("Catalina").findConnectors();
> 
>       for (Connector connector : connectors) {
>           if (connector.getSecure()) {
>               String tsFile = (String) connector.getAttribute("truststoreFile");
>               String tsPass = (String) connector.getAttribute("truststorePass");
>               if (tsFile != null) {
>                   // this is the connector we are looking for
>                   if (tsPass == null) tsPass = "changeit"; // tomcat default
>                   // file and pass are known, set up httpclient properly
>                   break;
>               }
>           }
>       }

This procedure has several problems:

1. You never know which connector you're going to get. If multiple
connectors are configured, you might guess the wrong one.

2. This library might not have access to Tomcat code when used, so this
procedure wouldn't be at all valid in those environments.

3. Even when used within Tomcat, it may not be appropriate to configure
the library to share Tomcat's trustStore.

What would be better is having the library allow you to configure the
trust store to be used, and then you duplicate the configuration you
already have for Tomcat.

> You mentioned that setting the JVM variable with the truststoreFile and
> pass will do. But this will show the password to anyone making a ps...
> or am I missing something?

That is correct. There are other ways of setting system properties,
though. You can call System.setProperty before the library is
initialized and you should be okay. You can read the system properties
from a file and they won't show up in a process listing.

> Do you see any problem or better solution? I think the best way is
> letting tomcat handle the whole configuration from servlet.xml file,
> and, if required, accessing the configuration from those servlets that
> require it.

No, Tomcat should use its own configuration and the httpclient should
use its own separate configuration. If they allow you to configure the
trustStore via some mechanism, then use it. If they don't allow you to
do that, you should file an enhancement request since this really is a
requirement for a useful library of this kind.

Good luck,
- -chris
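The following is an added example, not code from either participant in this thread, showing the two approaches Chris recommends: giving the HTTP client its own trust-store configuration (duplicated from the connector's truststoreFile/truststorePass, but read without touching Tomcat's Connector objects), and setting the javax.net.ssl.* system properties in-process from a file rather than on the command line, so the password never appears in a process listing. The property keys (client.truststore.file, client.truststore.pass), the file name client-tls.properties, the URL https://localhost:8443/ and the Java 7+ APIs used are assumptions of this example; the "changeit" default is the Tomcat default named in the thread.

```java
// Added example (not from the thread): the client gets its own trust
// configuration instead of reading Tomcat's Connector objects or taking
// the password from the command line.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientTrustConfig {

    /**
     * Reads the client's own trust-store settings from a properties file
     * (hypothetical keys: client.truststore.file, client.truststore.pass).
     * The file, not the command line, carries the password, so it never
     * shows up in `ps`; the permission check refuses a file that other
     * users on the host could read.
     */
    public static Properties loadSettings(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.OTHERS_READ)
                    || perms.contains(PosixFilePermission.GROUP_READ)) {
                throw new IOException(file + " must not be group/world readable");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): no mode bits to check here.
        }
        Properties props = new Properties();
        try (Reader in = Files.newBufferedReader(file)) {
            props.load(in);
        }
        return props;
    }

    /**
     * Builds an SSLContext that trusts only the CAs in the given store.
     * This is the "library configures its own trust store" approach: the
     * same JKS file the Tomcat connector points at may be named here, but
     * the client depends neither on Tomcat classes nor on Tomcat's JVM flags.
     */
    public static SSLContext buildContext(String trustStoreFile, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0'); // drop the password once the store is loaded
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material, custom trust only
        return ctx;
    }

    /**
     * Alternative from the thread: set the JSSE system properties in-process,
     * before the library creates any SSL socket factory, from the same file.
     * Nothing is passed on the command line, so a process listing shows nothing.
     */
    public static void applyAsSystemProperties(Properties props) {
        System.setProperty("javax.net.ssl.trustStore",
                props.getProperty("client.truststore.file"));
        System.setProperty("javax.net.ssl.trustStorePassword",
                props.getProperty("client.truststore.pass", "changeit"));
    }

    public static void main(String[] args) throws Exception {
        Path settings = Paths.get(args.length > 0 ? args[0] : "client-tls.properties");
        Properties props = loadSettings(settings);
        SSLContext ctx = buildContext(props.getProperty("client.truststore.file"),
                props.getProperty("client.truststore.pass", "changeit").toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // only this connection uses the client's store
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

buildContext is the preferable form: the trust decision is scoped to the connections that use that SSLContext, so Tomcat's own trust store and the default JVM store stay untouched, which addresses Chris's third point. applyAsSystemProperties changes process-wide defaults and must run before anything in the JVM initialises JSSE, which is why it is the fallback for libraries that offer no trust-store setting of their own.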


