You are viewing a plain text version of this content. The canonical link for it is here.
Posted to soap-user@xml.apache.org by George I Matkovits <ma...@uswest.net> on 2000/09/18 17:30:37 UTC
Re: SOAP and SSL support
>
I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
this week. I will have documentation with the samples.
I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
You will have to do your own build.
Regards - George
> Shlomi Afia wrote:
>
> I would like to implement a secured SOAP client (SSL over HTTP).
> Does the soap 2.0 support this option?
> What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
>
> Thanks,
> Shlomi.
Re: SOAP and SSL support
Posted by George I Matkovits <ma...@uswest.net>.
All is well. I have the new code (with Soap.properties ++) done yesterday (NO port problems, works to/from Apache with Tomcat behind it over
both HTTP and HTTPS). I am currently stress testing it. I will be doing some more simplification today, some more testing over the weekend
and will probably post it to apache on Monday.
Thanks for the System.Properties URL 'magic', that really made the 'new URL' hassle go away!
Regards - George
Nathan Wray wrote:
> I realized last night that my replacement HTTPUtils reintroduces the port bug (you have to specify the port, even for the default port).
> I know we can fix this by manually setting the port if it's (-1), but shouldn't the URL class know what the default port is? The
> connection succeeds to the server so the right port is being used, but the header that the server receives has a "-1" in it for the
> port. Where is that header generated? At what level does the URL code know what the default port is for a protocol, and how can we
> retrieve it to fix that header?
>
> Didn't read the secure soap extensions mail but I'll look for it.
>
> George I Matkovits wrote:
>
> > Thank you. Now I am happy about SSL-SOAP. I did miss this API and hated the required changes to the samples. The Soap.properties file
> > will take care of this. Open Source Development is really wonderful. Someone is always out there to find the last bug and
> > architectural issues.
> > Thanks again - George
> > p.s. Now I can really start concentrating on the Security Extensions. Did you manage to read the 'SecureSoap' Note I posted on this
> > forum about 10 days ago?
> > Regards - George
> >
> > Nathan Wray wrote:
> >
> > > Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
> > >
> > > Notice that this version
> > > Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
> > > Works with arbitrary protocols on arbitrary ports (ie https on 448)
> > > Uses the client-specified URL object
> > >
> > > This requires that the user sets the system property
> > > System.setProperty("java.protocol.handler.pkgs",
> > > "com.sun.net.ssl.internal.www.protocol");
> > >
> > > either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
> > > missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
> > > JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
> > > URL object works as designed.
> > >
> > > Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
> > > proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
> > > unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
> > > anywhere as static code.
> > >
> > > -Nathan
> > >
> > > George I Matkovits wrote:
> > >
> > > > Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> > > > mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> > > > Regards - George
> > > >
> > > > Nathan Wray wrote:
> > > >
> > > > > George;
> > > > >
> > > > > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> > > > >
> > > > > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > > > > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > > > > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > > > > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> > > > >
> > > > > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> > > > >
> > > > > -Nathan
> > > > >
> > > > > George I Matkovits wrote:
> > > > >
> > > > > > >
> > > > > >
> > > > > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > > > > this week. I will have documentation with the samples.
> > > > > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > > > > You will have to do your own build.
> > > > > > Regards - George
> > > > > >
> > > > > > > Shlomi Afia wrote:
> > > > > > >
> > > > > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > > > > Does the soap 2.0 support this option?
> > > > > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Shlomi.
> > > > >
> > > > > --
> > > > > Nathan Wray
> > > > > nwray@mich.com
> > > > > --
> > > > > I've seen the
> > > > > Rains of the real world
> > > > > Come forward on the plain
> > > > > I've seen the Kansas of your sweet little myth
> > > > > You've never seen it, no,
> > > > > I'm half sick on the drinks you mixed
> > > > > Through your
> > > > >
> > > > > True dreams
> > > > > Of Wichita
> > > > > --
> > > > > Soul Coughing, "True Dreams of Wichita"
> > >
> > > --
> > > Nathan Wray
> > > nwray@mich.com
> > > --
> > > if you think technology can
> > > solve your problems, then you
> > > don't understand your
> > > problems and you
> > > don't understand
> > > technology
> > >
> > > ------------------------------------------------------------
> > > Name: HTTPUtils.java
> > > HTTPUtils.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > > Encoding: base64
> > >
> > > Name: portTest.java
> > > portTest.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > > Encoding: base64
>
> --
> Nathan Wray
> nwray@mich.com
> --
> if you think technology can
> solve your problems, then you
> don't understand your
> problems and you
> don't understand
> technology
Re: SOAP and SSL support
Posted by George I Matkovits <ma...@uswest.net>.
All is well. I have the new code (with Soap.properties ++) done yesterday (NO port problems, works to/from Apache with Tomcat behind it over
both HTTP and HTTPS). I am currently stress testing it. I will be doing some more simplification today, some more testing over the weekend
and will probably post it to apache on Monday.
Thanks for the System.Properties URL 'magic', that really made the 'new URL' hassle go away!
Regards - George
Nathan Wray wrote:
> I realized last night that my replacement HTTPUtils reintroduces the port bug (you have to specify the port, even for the default port).
> I know we can fix this by manually setting the port if it's (-1), but shouldn't the URL class know what the default port is? The
> connection succeeds to the server so the right port is being used, but the header that the server receives has a "-1" in it for the
> port. Where is that header generated? At what level does the URL code know what the default port is for a protocol, and how can we
> retrieve it to fix that header?
>
> Didn't read the secure soap extensions mail but I'll look for it.
>
> George I Matkovits wrote:
>
> > Thank you. Now I am happy about SSL-SOAP. I did miss this API and hated the required changes to the samples. The Soap.properties file
> > will take care of this. Open Source Development is really wonderful. Someone is always out there to find the last bug and
> > architectural issues.
> > Thanks again - George
> > p.s. Now I can really start concentrating on the Security Extensions. Did you manage to read the 'SecureSoap' Note I posted on this
> > forum about 10 days ago?
> > Regards - George
> >
> > Nathan Wray wrote:
> >
> > > Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
> > >
> > > Notice that this version
> > > Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
> > > Works with arbitrary protocols on arbitrary ports (ie https on 448)
> > > Uses the client-specified URL object
> > >
> > > This requires that the user sets the system property
> > > System.setProperty("java.protocol.handler.pkgs",
> > > "com.sun.net.ssl.internal.www.protocol");
> > >
> > > either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
> > > missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
> > > JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
> > > URL object works as designed.
> > >
> > > Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
> > > proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
> > > unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
> > > anywhere as static code.
> > >
> > > -Nathan
> > >
> > > George I Matkovits wrote:
> > >
> > > > Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> > > > mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> > > > Regards - George
> > > >
> > > > Nathan Wray wrote:
> > > >
> > > > > George;
> > > > >
> > > > > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> > > > >
> > > > > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > > > > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > > > > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > > > > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> > > > >
> > > > > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> > > > >
> > > > > -Nathan
> > > > >
> > > > > George I Matkovits wrote:
> > > > >
> > > > > > >
> > > > > >
> > > > > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > > > > this week. I will have documentation with the samples.
> > > > > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > > > > You will have to do your own build.
> > > > > > Regards - George
> > > > > >
> > > > > > > Shlomi Afia wrote:
> > > > > > >
> > > > > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > > > > Does the soap 2.0 support this option?
> > > > > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Shlomi.
> > > > >
> > > > > --
> > > > > Nathan Wray
> > > > > nwray@mich.com
> > > > > --
> > > > > I've seen the
> > > > > Rains of the real world
> > > > > Come forward on the plain
> > > > > I've seen the Kansas of your sweet little myth
> > > > > You've never seen it, no,
> > > > > I'm half sick on the drinks you mixed
> > > > > Through your
> > > > >
> > > > > True dreams
> > > > > Of Wichita
> > > > > --
> > > > > Soul Coughing, "True Dreams of Wichita"
> > >
> > > --
> > > Nathan Wray
> > > nwray@mich.com
> > > --
> > > if you think technology can
> > > solve your problems, then you
> > > don't understand your
> > > problems and you
> > > don't understand
> > > technology
> > >
> > > ------------------------------------------------------------
> > > Name: HTTPUtils.java
> > > HTTPUtils.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > > Encoding: base64
> > >
> > > Name: portTest.java
> > > portTest.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > > Encoding: base64
>
> --
> Nathan Wray
> nwray@mich.com
> --
> if you think technology can
> solve your problems, then you
> don't understand your
> problems and you
> don't understand
> technology
Re: SOAP and SSL support
Posted by Nathan Wray <nw...@mich.com>.
I realized last night that my replacement HTTPUtils reintroduces the port bug (you have to specify the port, even for the default port).
I know we can fix this by manually setting the port if it's (-1), but shouldn't the URL class know what the default port is? The
connection succeeds to the server so the right port is being used, but the header that the server receives has a "-1" in it for the
port. Where is that header generated? At what level does the URL code know what the default port is for a protocol, and how can we
retrieve it to fix that header?
Didn't read the secure soap extensions mail but I'll look for it.
George I Matkovits wrote:
> Thank you. Now I am happy about SSL-SOAP. I did miss this API and hated the required changes to the samples. The Soap.properties file
> will take care of this. Open Source Development is really wonderful. Someone is always out there to find the last bug and
> architectural issues.
> Thanks again - George
> p.s. Now I can really start concentrating on the Security Extensions. Did you manage to read the 'SecureSoap' Note I posted on this
> forum about 10 days ago?
> Regards - George
>
> Nathan Wray wrote:
>
> > Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
> >
> > Notice that this version
> > Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
> > Works with arbitrary protocols on arbitrary ports (ie https on 448)
> > Uses the client-specified URL object
> >
> > This requires that the user sets the system property
> > System.setProperty("java.protocol.handler.pkgs",
> > "com.sun.net.ssl.internal.www.protocol");
> >
> > either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
> > missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
> > JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
> > URL object works as designed.
> >
> > Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
> > proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
> > unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
> > anywhere as static code.
> >
> > -Nathan
> >
> > George I Matkovits wrote:
> >
> > > Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> > > mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> > > Regards - George
> > >
> > > Nathan Wray wrote:
> > >
> > > > George;
> > > >
> > > > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> > > >
> > > > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > > > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > > > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > > > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> > > >
> > > > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> > > >
> > > > -Nathan
> > > >
> > > > George I Matkovits wrote:
> > > >
> > > > > >
> > > > >
> > > > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > > > this week. I will have documentation with the samples.
> > > > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > > > You will have to do your own build.
> > > > > Regards - George
> > > > >
> > > > > > Shlomi Afia wrote:
> > > > > >
> > > > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > > > Does the soap 2.0 support this option?
> > > > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > > > >
> > > > > > Thanks,
> > > > > > Shlomi.
> > > >
> > > > --
> > > > Nathan Wray
> > > > nwray@mich.com
> > > > --
> > > > I've seen the
> > > > Rains of the real world
> > > > Come forward on the plain
> > > > I've seen the Kansas of your sweet little myth
> > > > You've never seen it, no,
> > > > I'm half sick on the drinks you mixed
> > > > Through your
> > > >
> > > > True dreams
> > > > Of Wichita
> > > > --
> > > > Soul Coughing, "True Dreams of Wichita"
> >
> > --
> > Nathan Wray
> > nwray@mich.com
> > --
> > if you think technology can
> > solve your problems, then you
> > don't understand your
> > problems and you
> > don't understand
> > technology
> >
> > ------------------------------------------------------------
> > Name: HTTPUtils.java
> > HTTPUtils.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > Encoding: base64
> >
> > Name: portTest.java
> > portTest.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > Encoding: base64
--
Nathan Wray
nwray@mich.com
--
if you think technology can
solve your problems, then you
don't understand your
problems and you
don't understand
technology
Re: SOAP and SSL support
Posted by Nathan Wray <nw...@mich.com>.
I realized last night that my replacement HTTPUtils reintroduces the port bug (you have to specify the port, even for the default port).
I know we can fix this by manually setting the port if it's (-1), but shouldn't the URL class know what the default port is? The
connection succeeds to the server so the right port is being used, but the header that the server receives has a "-1" in it for the
port. Where is that header generated? At what level does the URL code know what the default port is for a protocol, and how can we
retrieve it to fix that header?
Didn't read the secure soap extensions mail but I'll look for it.
George I Matkovits wrote:
> Thank you. Now I am happy about SSL-SOAP. I did miss this API and hated the required changes to the samples. The Soap.properties file
> will take care of this. Open Source Development is really wonderful. Someone is always out there to find the last bug and
> architectural issues.
> Thanks again - George
> p.s. Now I can really start concentrating on the Security Extensions. Did you manage to read the 'SecureSoap' Note I posted on this
> forum about 10 days ago?
> Regards - George
>
> Nathan Wray wrote:
>
> > Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
> >
> > Notice that this version
> > Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
> > Works with arbitrary protocols on arbitrary ports (ie https on 448)
> > Uses the client-specified URL object
> >
> > This requires that the user sets the system property
> > System.setProperty("java.protocol.handler.pkgs",
> > "com.sun.net.ssl.internal.www.protocol");
> >
> > either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
> > missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
> > JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
> > URL object works as designed.
> >
> > Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
> > proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
> > unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
> > anywhere as static code.
> >
> > -Nathan
> >
> > George I Matkovits wrote:
> >
> > > Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> > > mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> > > Regards - George
> > >
> > > Nathan Wray wrote:
> > >
> > > > George;
> > > >
> > > > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> > > >
> > > > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > > > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > > > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > > > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> > > >
> > > > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> > > >
> > > > -Nathan
> > > >
> > > > George I Matkovits wrote:
> > > >
> > > > > >
> > > > >
> > > > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > > > this week. I will have documentation with the samples.
> > > > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > > > You will have to do your own build.
> > > > > Regards - George
> > > > >
> > > > > > Shlomi Afia wrote:
> > > > > >
> > > > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > > > Does the soap 2.0 support this option?
> > > > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > > > >
> > > > > > Thanks,
> > > > > > Shlomi.
> > > >
> > > > --
> > > > Nathan Wray
> > > > nwray@mich.com
> > > > --
> > > > I've seen the
> > > > Rains of the real world
> > > > Come forward on the plain
> > > > I've seen the Kansas of your sweet little myth
> > > > You've never seen it, no,
> > > > I'm half sick on the drinks you mixed
> > > > Through your
> > > >
> > > > True dreams
> > > > Of Wichita
> > > > --
> > > > Soul Coughing, "True Dreams of Wichita"
> >
> > --
> > Nathan Wray
> > nwray@mich.com
> > --
> > if you think technology can
> > solve your problems, then you
> > don't understand your
> > problems and you
> > don't understand
> > technology
> >
> > ------------------------------------------------------------
> > Name: HTTPUtils.java
> > HTTPUtils.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > Encoding: base64
> >
> > Name: portTest.java
> > portTest.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> > Encoding: base64
--
Nathan Wray
nwray@mich.com
--
if you think technology can
solve your problems, then you
don't understand your
problems and you
don't understand
technology
Re: SOAP and SSL support
Posted by George I Matkovits <ma...@uswest.net>.
Thank you. Now I am happy about SSL-SOAP. I did miss this API and hated the required changes to the samples. The Soap.properties file
will take care of this. Open Source Development is really wonderful. Someone is always out there to find the last bug and
architectural issues.
Thanks again - George
p.s. Now I can really start concentrating on the Security Extensions. Did you manage to read the 'SecureSoap' Note I posted on this
forum about 10 days ago?
Regards - George
Nathan Wray wrote:
> Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
>
> Notice that this version
> Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
> Works with arbitrary protocols on arbitrary ports (ie https on 448)
> Uses the client-specified URL object
>
> This requires that the user sets the system property
> System.setProperty("java.protocol.handler.pkgs",
> "com.sun.net.ssl.internal.www.protocol");
>
> either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
> missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
> JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
> URL object works as designed.
>
> Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
> proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
> unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
> anywhere as static code.
>
> -Nathan
>
> George I Matkovits wrote:
>
> > Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> > mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> > Regards - George
> >
> > Nathan Wray wrote:
> >
> > > George;
> > >
> > > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> > >
> > > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> > >
> > > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> > >
> > > -Nathan
> > >
> > > George I Matkovits wrote:
> > >
> > > > >
> > > >
> > > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > > this week. I will have documentation with the samples.
> > > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > > You will have to do your own build.
> > > > Regards - George
> > > >
> > > > > Shlomi Afia wrote:
> > > > >
> > > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > > Does the soap 2.0 support this option?
> > > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > > >
> > > > > Thanks,
> > > > > Shlomi.
> > >
> > > --
> > > Nathan Wray
> > > nwray@mich.com
> > > --
> > > I've seen the
> > > Rains of the real world
> > > Come forward on the plain
> > > I've seen the Kansas of your sweet little myth
> > > You've never seen it, no,
> > > I'm half sick on the drinks you mixed
> > > Through your
> > >
> > > True dreams
> > > Of Wichita
> > > --
> > > Soul Coughing, "True Dreams of Wichita"
>
> --
> Nathan Wray
> nwray@mich.com
> --
> if you think technology can
> solve your problems, then you
> don't understand your
> problems and you
> don't understand
> technology
>
> ------------------------------------------------------------
> Name: HTTPUtils.java
> HTTPUtils.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> Encoding: base64
>
> Name: portTest.java
> portTest.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> Encoding: base64
Re: SOAP and SSL support
Posted by George I Matkovits <ma...@uswest.net>.
Thank you. Now I am happy about SSL-SOAP. I did miss this API and hated the required changes to the samples. The Soap.properties file
will take care of this. Open Source Development is really wonderful. Someone is always out there to find the last bug and
architectural issues.
Thanks again - George
p.s. Now I can really start concentrating on the Security Extensions. Did you manage to read the 'SecureSoap' Note I posted on this
forum about 10 days ago?
Regards - George
Nathan Wray wrote:
> Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
>
> Notice that this version
> Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
> Works with arbitrary protocols on arbitrary ports (ie https on 448)
> Uses the client-specified URL object
>
> This requires that the user sets the system property
> System.setProperty("java.protocol.handler.pkgs",
> "com.sun.net.ssl.internal.www.protocol");
>
> either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
> missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
> JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
> URL object works as designed.
>
> Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
> proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
> unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
> anywhere as static code.
>
> -Nathan
>
> George I Matkovits wrote:
>
> > Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> > mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> > Regards - George
> >
> > Nathan Wray wrote:
> >
> > > George;
> > >
> > > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> > >
> > > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> > >
> > > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> > >
> > > -Nathan
> > >
> > > George I Matkovits wrote:
> > >
> > > > >
> > > >
> > > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > > this week. I will have documentation with the samples.
> > > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > > You will have to do your own build.
> > > > Regards - George
> > > >
> > > > > Shlomi Afia wrote:
> > > > >
> > > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > > Does the soap 2.0 support this option?
> > > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > > >
> > > > > Thanks,
> > > > > Shlomi.
> > >
> > > --
> > > Nathan Wray
> > > nwray@mich.com
> > > --
> > > I've seen the
> > > Rains of the real world
> > > Come forward on the plain
> > > I've seen the Kansas of your sweet little myth
> > > You've never seen it, no,
> > > I'm half sick on the drinks you mixed
> > > Through your
> > >
> > > True dreams
> > > Of Wichita
> > > --
> > > Soul Coughing, "True Dreams of Wichita"
>
> --
> Nathan Wray
> nwray@mich.com
> --
> if you think technology can
> solve your problems, then you
> don't understand your
> problems and you
> don't understand
> technology
>
> ------------------------------------------------------------
> Name: HTTPUtils.java
> HTTPUtils.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> Encoding: base64
>
> Name: portTest.java
> portTest.java Type: Java Source (application/x-unknown-content-type-java_auto_file)
> Encoding: base64
Re: SOAP and SSL support
Posted by Nathan Wray <nw...@mich.com>.
Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
Notice that this version
Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
Works with arbitrary protocols on arbitrary ports (ie https on 448)
Uses the client-specified URL object
This requires that the user sets the system property
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
URL object works as designed.
Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
anywhere as static code.
-Nathan
George I Matkovits wrote:
> Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> Regards - George
>
> Nathan Wray wrote:
>
> > George;
> >
> > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> >
> > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> >
> > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> >
> > -Nathan
> >
> > George I Matkovits wrote:
> >
> > > >
> > >
> > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > this week. I will have documentation with the samples.
> > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > You will have to do your own build.
> > > Regards - George
> > >
> > > > Shlomi Afia wrote:
> > > >
> > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > Does the soap 2.0 support this option?
> > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > >
> > > > Thanks,
> > > > Shlomi.
> >
> > --
> > Nathan Wray
> > nwray@mich.com
> > --
> > I've seen the
> > Rains of the real world
> > Come forward on the plain
> > I've seen the Kansas of your sweet little myth
> > You've never seen it, no,
> > I'm half sick on the drinks you mixed
> > Through your
> >
> > True dreams
> > Of Wichita
> > --
> > Soul Coughing, "True Dreams of Wichita"
--
Nathan Wray
nwray@mich.com
--
if you think technology can
solve your problems, then you
don't understand your
problems and you
don't understand
technology
Re: SOAP and SSL support
Posted by Nathan Wray <nw...@mich.com>.
Hi George, sorry I took so long to get back. Attached is a modified HTTPUtils.java.
Notice that this version
Doesn't use SecurityUtils.java (so loading the soap.properties file is missing)
Works with arbitrary protocols on arbitrary ports (ie https on 448)
Uses the client-specified URL object
This requires that the user sets the system property
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
either dynamically (as above) or via a property file BEFORE they create a URL object with "https", this may be what you were
missing before. This is important, Java will treat https as an invalid protocol until the above system call is made. This is a
JSSE/Java requirement, not unique to SOAP, so I don't think it's an issue if the SOAP library doesn't address it. From there the
URL object works as designed.
Since it uses the client URL object it should be thread safe, yada yada yada. Consider the attached code as untested
proof-of-concept. Didn't really dive into the other aspects of the class as I only needed arbitrary ports to work. There may be
unused variables in the method now. The proxy stuff should still be solid once the properties are loaded, that could be introduced
anywhere as static code.
-Nathan
George I Matkovits wrote:
> Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
> mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
> Regards - George
>
> Nathan Wray wrote:
>
> > George;
> >
> > First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
> >
> > I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> > the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> > url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> > store the target URL, so either the client must only use one server URL or the classes are not thread safe.
> >
> > Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
> >
> > -Nathan
> >
> > George I Matkovits wrote:
> >
> > > >
> > >
> > > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > > this week. I will have documentation with the samples.
> > > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > > You will have to do your own build.
> > > Regards - George
> > >
> > > > Shlomi Afia wrote:
> > > >
> > > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > > Does the soap 2.0 support this option?
> > > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > > >
> > > > Thanks,
> > > > Shlomi.
> >
> > --
> > Nathan Wray
> > nwray@mich.com
> > --
> > I've seen the
> > Rains of the real world
> > Come forward on the plain
> > I've seen the Kansas of your sweet little myth
> > You've never seen it, no,
> > I'm half sick on the drinks you mixed
> > Through your
> >
> > True dreams
> > Of Wichita
> > --
> > Soul Coughing, "True Dreams of Wichita"
--
Nathan Wray
nwray@mich.com
--
if you think technology can
solve your problems, then you
don't understand your
problems and you
don't understand
technology
Re: SOAP and SSL support
Posted by George I Matkovits <ma...@uswest.net>.
Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
Regards - George
Nathan Wray wrote:
> George;
>
> First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
>
> I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> store the target URL, so either the client must only use one server URL or the classes are not thread safe.
>
> Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
>
> -Nathan
>
> George I Matkovits wrote:
>
> > >
> >
> > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > this week. I will have documentation with the samples.
> > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > You will have to do your own build.
> > Regards - George
> >
> > > Shlomi Afia wrote:
> > >
> > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > Does the soap 2.0 support this option?
> > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > >
> > > Thanks,
> > > Shlomi.
>
> --
> Nathan Wray
> nwray@mich.com
> --
> I've seen the
> Rains of the real world
> Come forward on the plain
> I've seen the Kansas of your sweet little myth
> You've never seen it, no,
> I'm half sick on the drinks you mixed
> Through your
>
> True dreams
> Of Wichita
> --
> Soul Coughing, "True Dreams of Wichita"
Re: SOAP and SSL support
Posted by George I Matkovits <ma...@uswest.net>.
Thanks for your comment. I had to 'mangle' the client URL because new URL does not work with https. That is the reason for the
mangling. Would you have any more suggestions for code improvement, please? I will put in a lock to make it thread safe!
Regards - George
Nathan Wray wrote:
> George;
>
> First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
>
> I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
> the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
> url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
> store the target URL, so either the client must only use one server URL or the classes are not thread safe.
>
> Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
>
> -Nathan
>
> George I Matkovits wrote:
>
> > >
> >
> > I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> > this week. I will have documentation with the samples.
> > I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> > You will have to do your own build.
> > Regards - George
> >
> > > Shlomi Afia wrote:
> > >
> > > I would like to implement a secured SOAP client (SSL over HTTP).
> > > Does the soap 2.0 support this option?
> > > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> > >
> > > Thanks,
> > > Shlomi.
>
> --
> Nathan Wray
> nwray@mich.com
> --
> I've seen the
> Rains of the real world
> Come forward on the plain
> I've seen the Kansas of your sweet little myth
> You've never seen it, no,
> I'm half sick on the drinks you mixed
> Through your
>
> True dreams
> Of Wichita
> --
> Soul Coughing, "True Dreams of Wichita"
Re: SOAP and SSL support
Posted by Nathan Wray <nw...@mich.com>.
George;
First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
store the target URL, so either the client must only use one server URL or the classes are not thread safe.
Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
-Nathan
George I Matkovits wrote:
> >
>
> I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> this week. I will have documentation with the samples.
> I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> You will have to do your own build.
> Regards - George
>
> > Shlomi Afia wrote:
> >
> > I would like to implement a secured SOAP client (SSL over HTTP).
> > Does the soap 2.0 support this option?
> > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> >
> > Thanks,
> > Shlomi.
--
Nathan Wray
nwray@mich.com
--
I've seen the
Rains of the real world
Come forward on the plain
I've seen the Kansas of your sweet little myth
You've never seen it, no,
I'm half sick on the drinks you mixed
Through your
True dreams
Of Wichita
--
Soul Coughing, "True Dreams of Wichita"
Re: SOAP and SSL support
Posted by Nathan Wray <nw...@mich.com>.
George;
First off, thank you for your work on making the HTTPUtils class more generalized for SSL use.
I have an early release of the Secure Soap changes, and I was a little surprised that they are not a drop-in replacement for
the existing HTTPUtils class, that is, you must initialize the server URL into the SecurityUtils class before use, and the
url parameter to HTTPUtils.post is ignored. I also noticed that the SecurityUtils class uses a static class variable to
store the target URL, so either the client must only use one server URL or the classes are not thread safe.
Please disregard if these issues been resolved already, as I said I'm using what I'm sure is an early release.
-Nathan
George I Matkovits wrote:
> >
>
> I am in the process of committing my SSL changes to the Soap2_0 base. It should be in the latest base (and tested) later
> this week. I will have documentation with the samples.
> I could send you the code directly as it is (tested only with the 1st version of Soap2_0 and not with the latest in CVS).
> You will have to do your own build.
> Regards - George
>
> > Shlomi Afia wrote:
> >
> > I would like to implement a secured SOAP client (SSL over HTTP).
> > Does the soap 2.0 support this option?
> > What are the changes that I should make to the Apache SOAP samples (AddressBook, Calculator) in order to work with SSL?
> >
> > Thanks,
> > Shlomi.
--
Nathan Wray
nwray@mich.com
--
I've seen the
Rains of the real world
Come forward on the plain
I've seen the Kansas of your sweet little myth
You've never seen it, no,
I'm half sick on the drinks you mixed
Through your
True dreams
Of Wichita
--
Soul Coughing, "True Dreams of Wichita"