You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@ws.apache.org by Starsscream Desepticon <ka...@yahoo.co.uk> on 2005/09/21 14:32:55 UTC
I need to encrypt xmlrpc calls
Hello
How do you encrypt XmlRpc messages? I've had a look at
Xml Security, but it is for encrypting/signing Xml
messages (documents). When using XmlRpc I don't touch
Xml directly. So is there a way of making my XmlRpc
methods save?
Thanks!
___________________________________________________________
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com
RE: I need to encrypt xmlrpc calls
Posted by John Southerland <jo...@southerland-consulting.com>.
The client code needed to automagically connect to a self signed cert is not
as straight forward as one may hope.
I feel compelled to share this code, it was the vain of my existence for
several days:
(One or more of these may be needed for the code snapshot to compile; I have
more code supporting an older version buried within my app, so pick and
choose)
import java.security.*;
import java.security.spec.*;
import java.security.cert.*;
import javax.crypto.*;
import org.apache.xmlrpc.*;
import org.apache.xmlrpc.secure.*;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.*;
private class WorkAroundX509TrustManager implements X509TrustManager
{
public boolean isClientTrusted(X509Certificate[] chain){ return
true; }
public boolean isServerTrusted(X509Certificate[] chain){
return true; }
public X509Certificate[] getAcceptedIssuers(){ return null;
}
}
private class WorkAroundHostnameVerifier implements HostnameVerifier
{
public boolean verify(String hostname, String session) {
return true; }
}
if (host.url.startsWith("https:")) {
Security.addProvider(new
com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.ww
w.protocol");
X509TrustManager tm = new
WorkAroundX509TrustManager();
KeyManager []km = null;
TrustManager []tma = {tm};
HostnameVerifier hmv = new
WorkAroundHostnameVerifier();
SSLContext sc =
SSLContext.getInstance("ssl");
sc.init(km,tma,new
java.security.SecureRandom());
SSLSocketFactory sf1 =
sc.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
HttpsURLConnection.setDefaultHostnameVerifier(hmv);
NetPermission np = new
NetPermission("setDefaultAuthenticator");
this.secureClient = new
SecureXmlRpcClient(host.url);
this.secureClient.setBasicAuthentication(host.user, host.getPass());
this.secure=true;
}else{
this.client = new XmlRpcClient(host.url);
this.client.setBasicAuthentication(host.user, host.getPass());
this.secure=false;
}
The server is too easy of course:
logger.info("Starting HTTPS Server with
keystore: " + config.keyfile);
SecurityTool.setKeyStore(config.keyfile);
SecurityTool.setKeyStorePassword("YourKeyStorePasswordHere");
SecureWebServer server = new
SecureWebServer(config.port);
Please forgive my usurping of the secure routines, I am not so worried about
the encryption layer, I have control of the server and the clients for this
app.
I know the errors generated from hitting a self signed cert are more than a
little annoying though for some system programmers. Bits and pieces of this
are documented somewhere, but who has the time.
Please spare me the debate about not signing your own keys, it will fail to
stir the emotions you may hope in me.
It is a pleasure to finally be able to contribute a sober message on this
list.
Good Luck, John
PS: I would like to note that I used to encrypt data on the wire before
converting to XmlRpc and it was not fun, nor was the speed any better. In
fact I believe ssl to be one of the fastest encryption protocols available
today. My two cents.
John Buren Southerland
Southerland Consulting
801.467.8090(office)
214.734.8099(cell)
john@southerland-consulting.com
_____
From: Nicolas Hoibian [mailto:nicolas.hoibian@gmail.com]
Sent: Wednesday, September 21, 2005 8:54 AM
To: xmlrpc-user@ws.apache.org
Subject: Re: I need to encrypt xmlrpc calls
Sorry about the reply order. The correct sentence is :
"I think i did encrypt communications" , using SSL and the tools provided
with the xmlrpc classes.
The client parameters are a bit more complicated. I'll post the code on this
ml if you're interrested.
Nicolas Hoibian
2005/9/21, Nicolas Hoibian <ni...@gmail.com>:
2005/9/21, Tino Wildenhain <ti...@wildenhain.de>:
Starsscream Desepticon schrieb:
> Hello
>
> How do you encrypt XmlRpc messages? I've had a look at
> Xml Security, but it is for encrypting/signing Xml
> messages (documents). When using XmlRpc I don't touch
> Xml directly. So is there a way of making my XmlRpc
> methods save?
XMLRPC works over HTTP, so you usually just encrypt the
transport channel, meaning you use https (ssl).
HTH
Tino
I think i did so, using the Security Tool provided with xmlrpc and some
black magic java keystore
//code in main :
SecurityTool.setKeyStore("keystoreFile");
SecurityTool.setTrustStore("keystoreFile");
SecurityTool.setKeyStorePassword("keystorePassword");
SecurityTool.setTrustStorePassword("keystorePassword");
server = new SecureWebServer(port);
server.addHandler("$default", handler);
server.start();
//code end
correct me if i m wrong, please.
Nicolas Hoibian
Re: I need to encrypt xmlrpc calls
Posted by Nicolas Hoibian <ni...@gmail.com>.
Sorry about the reply order. The correct sentence is :
"I think i did encrypt communications" , using SSL and the tools provided
with the xmlrpc classes.
The client parameters are a bit more complicated. I'll post the code on this
ml if you're interrested.
Nicolas Hoibian
2005/9/21, Nicolas Hoibian <ni...@gmail.com>:
>
>
> 2005/9/21, Tino Wildenhain <ti...@wildenhain.de>:
> >
> > Starsscream Desepticon schrieb:
> > > Hello
> > >
> > > How do you encrypt XmlRpc messages? I've had a look at
> > > Xml Security, but it is for encrypting/signing Xml
> > > messages (documents). When using XmlRpc I don't touch
> > > Xml directly. So is there a way of making my XmlRpc
> > > methods save?
> >
> > XMLRPC works over HTTP, so you usually just encrypt the
> > transport channel, meaning you use https (ssl).
> >
> > HTH
> > Tino
> >
>
> I think i did so, using the Security Tool provided with xmlrpc and some
> black magic java keystore
> //code in main :
> SecurityTool.setKeyStore("keystoreFile");
> SecurityTool.setTrustStore("keystoreFile");
> SecurityTool.setKeyStorePassword("keystorePassword");
> SecurityTool.setTrustStorePassword("keystorePassword");
>
> server = new SecureWebServer(port);
> server.addHandler("$default", handler);
> server.start();
> //code end
>
> correct me if i m wrong, please.
>
> Nicolas Hoibian
>
>
>
Re: I need to encrypt xmlrpc calls
Posted by Nicolas Hoibian <ni...@gmail.com>.
2005/9/21, Tino Wildenhain <ti...@wildenhain.de>:
>
> Starsscream Desepticon schrieb:
> > Hello
> >
> > How do you encrypt XmlRpc messages? I've had a look at
> > Xml Security, but it is for encrypting/signing Xml
> > messages (documents). When using XmlRpc I don't touch
> > Xml directly. So is there a way of making my XmlRpc
> > methods save?
>
> XMLRPC works over HTTP, so you usually just encrypt the
> transport channel, meaning you use https (ssl).
>
> HTH
> Tino
>
I think i did so, using the Security Tool provided with xmlrpc and some
black magic java keystore
//code in main :
SecurityTool.setKeyStore("keystoreFile");
SecurityTool.setTrustStore("keystoreFile");
SecurityTool.setKeyStorePassword("keystorePassword");
SecurityTool.setTrustStorePassword("keystorePassword");
server = new SecureWebServer(port);
server.addHandler("$default", handler);
server.start();
//code end
correct me if i m wrong, please.
Nicolas Hoibian
Re: I need to encrypt xmlrpc calls
Posted by Tino Wildenhain <ti...@wildenhain.de>.
Starsscream Desepticon schrieb:
> Thanks!
>
> The reason we're using XmlRpc is, because it's
> lightweight - SSL isn't. It's probably not a good idea
> to encrypt argument/return manually?
err. where is ssl not lightweight? Ok, the connection
costs a bit more but you need to do it one or the
other way anyway. ssl is at least implementation
lightweight.
(dont know if java makes it a bit more complex)
Re: I need to encrypt xmlrpc calls
Posted by Starsscream Desepticon <ka...@yahoo.co.uk>.
Thanks!
The reason we're using XmlRpc is, because it's
lightweight - SSL isn't. It's probably not a good idea
to encrypt argument/return manually?
--- Tino Wildenhain <ti...@wildenhain.de> wrote:
> Starsscream Desepticon schrieb:
> > Hello
> >
> > How do you encrypt XmlRpc messages? I've had a
> look at
> > Xml Security, but it is for encrypting/signing Xml
> > messages (documents). When using XmlRpc I don't
> touch
> > Xml directly. So is there a way of making my
> XmlRpc
> > methods save?
>
> XMLRPC works over HTTP, so you usually just encrypt
> the
> transport channel, meaning you use https (ssl).
>
> HTH
> Tino
>
___________________________________________________________
How much free photo storage do you get? Store your holiday
snaps for FREE with Yahoo! Photos http://uk.photos.yahoo.com
Re: I need to encrypt xmlrpc calls
Posted by Tino Wildenhain <ti...@wildenhain.de>.
Starsscream Desepticon schrieb:
> Hello
>
> How do you encrypt XmlRpc messages? I've had a look at
> Xml Security, but it is for encrypting/signing Xml
> messages (documents). When using XmlRpc I don't touch
> Xml directly. So is there a way of making my XmlRpc
> methods save?
XMLRPC works over HTTP, so you usually just encrypt the
transport channel, meaning you use https (ssl).
HTH
Tino