Posted to java-user@axis.apache.org by Chris Hall <ch...@zingy.com> on 2005/09/26 17:20:25 UTC

RE: WSDL2Java and SSL

Thanks for your help James.  Unfortunately, I am not running the server in
question, only the client.  So I can't make the server permissive, I need to
configure my (WSDL2Java) client correctly.
 
Sorry if I was unclear!
--Chris
 
-----------------------
 
Chris:
 
    I ran into a similar problem and from what I could gather you only
have two choices but they depend on how concerned you are about
certificate authentication.  You can either retrieve the certificate and
manually install it ahead of time (using keytool with the trustcacerts
flag) or accept ALL certificates (which is what I had to do).  Your
connections will still be encrypted using SSL but there's no
authentication.  
 
There seems to be a flaw in JSSE that SSL certs cannot be dynamically
imported AND used in the same JVM instance.  To clarify, you can
dynamically install them but they won't be read until the JVM is
restarted.  If you find a way around this, I'd love to hear about it.
 
    The solution for me was to create an "IndiscriminateTrustManager"
that implements javax.net.ssl.TrustManager and
javax.net.ssl.X509TrustManager and hardwire all the boolean tests:
 
    package org.apache.axis.components.net;

    // Trusts every certificate chain unconditionally: the connection is still
    // encrypted, but the peer is never authenticated.
    public class IndiscriminateTrustManager
            implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {

        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            // An empty array rather than null: some JSSE implementations
            // dereference this array and throw a NullPointerException on null.
            return new java.security.cert.X509Certificate[0];
        }
        // isServerTrusted/isClientTrusted come from the older
        // com.sun.net.ssl.X509TrustManager interface; kept so the class
        // satisfies both the old and the javax.net.ssl contract.
        public boolean isServerTrusted(
            java.security.cert.X509Certificate[] certs) {
            return true;
        }
        public boolean isClientTrusted(
            java.security.cert.X509Certificate[] certs) {
            return true;
        }
        // javax.net.ssl.X509TrustManager signals rejection by throwing;
        // returning normally accepts any chain and any authType.
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs,
            String authType)
            throws java.security.cert.CertificateException {
            return;
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs,
            String authType)
            throws java.security.cert.CertificateException {
            return;
        }
    }
 
Then you have to modify org.apache.axis.components.net.JSSESocketFactory
to use IndiscriminateTrustManager.  I have a method called
trustAllHttpsCertificates as follows:
 
    private static void trustAllHttpsCertificates() throws Exception {
        // Create a trust manager that does not validate certificate chains:
        javax.net.ssl.TrustManager[] lTrustManagers =
            new javax.net.ssl.TrustManager[1];
        javax.net.ssl.TrustManager lTrustManager =
            new org.apache.axis.components.net.IndiscriminateTrustManager();
        lTrustManagers[0] = lTrustManager;

        // Build an SSLContext backed only by that trust manager (no key
        // managers, default SecureRandom).
        javax.net.ssl.SSLContext lSslContext =
            javax.net.ssl.SSLContext.getInstance("SSL");
        lSslContext.init(null, lTrustManagers, null);

        // Make it the default socket factory for HttpsURLConnection.
        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
            lSslContext.getSocketFactory());
    }
 
Then, in JSSESocketFactory.init() and .create(), you have to call
trustAllHttpsCertificates.
 
 
Hope this helps and, like I said, if you find a more elegant way around
this please let me know.
 
Jim Tootell
System Design, Development, & Integration Department
Anteon Corporation
2251 San Diego Ave.
Suite A240
San Diego, CA  92110
(619) 542-0240 x123
mailto:jctootell@anteon.com

There are 10 kinds of people:
  those who understand binary and those who don't.
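For the first of Jim's two options, importing the server certificate with keytool rather than trusting everything, here is an added example; it is not code from this thread or from Axis. It builds an SSLContext from one explicit truststore file, optionally adds a client keystore for the client-certificate case in Chris's question, and installs the result as the HttpsURLConnection default. The truststore file is read when the context is built, so after a further keytool import a fresh context picks the certificate up without restarting the JVM. The class name, file paths, alias and passwords are placeholders, and the code is written against current Java (try-with-resources).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts only the certificates in one explicit
 * truststore file (and presents a client certificate if a keystore is given),
 * then installs it as the default for HttpsURLConnection.
 *
 * The truststore is created ahead of time with keytool, for example:
 *   keytool -import -trustcacerts -alias partner -file partner.cer \
 *           -keystore partner-truststore.jks
 * Alias, file names and passwords in this class are placeholders, not values
 * from the thread.
 */
public final class ExplicitTrustStoreContext {

    private ExplicitTrustStoreContext() {}

    /** Read a JKS/PKCS12 keystore file from disk. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Trust decisions come from trustStorePath only, not from the JVM-wide
     * cacerts. keyStorePath may be null when the server does not require a
     * client certificate.
     */
    public static SSLContext build(String trustStorePath, char[] trustStorePassword,
                                   String keyStorePath, char[] keyStorePassword)
            throws Exception {
        // The factory yields X509TrustManagers that validate the server chain
        // against exactly the certificates in the truststore.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStorePath, trustStorePassword));

        // Key managers supply the client certificate and private key, if any.
        KeyManager[] keyManagers = null;
        if (keyStorePath != null) {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Make every HttpsURLConnection in this JVM use the context from build(). */
    public static void installAsDefault(SSLContext ctx) {
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; pass null for the keystore path
        // when no client certificate is needed.
        SSLContext ctx = build("partner-truststore.jks", "changeit".toCharArray(),
                               "client-keystore.jks", "changeit".toCharArray());
        installAsDefault(ctx);
        // Calling build() again after another keytool import re-reads the
        // truststore file, so the new certificate is used without a restart.
    }
}
```

setDefaultSSLSocketFactory only affects HttpsURLConnection. A client that opens its own sockets, as Jim describes Axis's JSSESocketFactory doing, has to be handed ctx.getSocketFactory() directly, which is where his modification of that class would take the factory from instead of the all-trusting one.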
 
________________________________
 
From: Chris Hall [mailto:chris@zingy.com]
Sent: Friday, September 23, 2005 10:06 AM
To: axis-user@ws.apache.org
Subject: WSDL2Java and SSL

Hi all, I'd be very grateful for any help that you can offer me with this
issue.

I'm writing code to interact with a WSDL-specified web service that uses SSL
certificates to verify that a given request is legitimate.  That is, SSL is
used both to create a secure connection against third parties and to
establish trust in that connection between the two parties.  I've used
WSDL2Java to create some client Java code which makes the SOAP request.

When I run this code, I get a "not trusted" type error from the server, after
SSL handshaking is correctly executed (I do not get a
javax.net.ssl.SSLHandshakeException).  If I take the same SOAP request and
pipe it into an SSLSocket (that is, I take the generated SOAP from the
WSDL2Java generated code and send it to the server with my own socket
management code) I get a successful response from the server.  In both cases
the correct certificate is being put into the client's keystore with Java
system properties.

So there seems to be something going wrong with how the WSDL2Java generated
code sends the SOAP request, but not with how it creates the SOAP and not
with how it initiates the connection.

Can anyone offer me any insight?

Thanks so much,

--Chris