Posted to users@cocoon.apache.org by Andrei Lunjov <an...@gmail.com> on 2010/09/09 23:39:18 UTC

[C3] How to/where to disable certificate check accessing HTTPS

Hi all,

I was working a lot with Cocoon 2.0 and 2.1, did something with 2.2 but 
I am new to 3.0, so I need some guidance to habits. Please excuse my 
stupid questions.

I need to access HTTPS URL using XMLGenerator. Unfortunately the target 
site has an invalid certificate and HTTPS URLConnection implementation 
throws an exception.
I more or less know how to ignore it with Java APIs, but I wonder where 
I should place this code to co-work with Cocoon. My own Generator seems 
to be a big copy-paste. Any advice, please? :)


Thanks,
Andrei

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Re: [C3] How to/where to disable certificate check accessing HTTPS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andrei,

On 9/10/2010 4:35 PM, Andrei Lunjov wrote:
> One more thing was needed:
> 
>     HostnameVerifier verifyEverything = new HostnameVerifier() {
>         public boolean verify(String hostname, SSLSession session) {
>             return true;
>         }
>     };
> 
>     HttpsURLConnection.setDefaultHostnameVerifier( verifyEverything );

Thanks for pointing that out.

> This works for me now.
> And yes, making this check switchable per resource would be very useful.

I tried following the code around for 2.1.11 and it gets quite
complicated: there is a class that resolves URLs into InputSources that
doesn't look like it's got access to the Generator's configuration. In
short: this doesn't look like a simple fix. Instead, it appears that a
more extensive re-factoring would be necessary in order to achieve your
goal.

That being said, you could adapt the disableSSLCertificateChecking
method I posted to ignore SSL validity checks only for the URLs
that you want. Otherwise, invoke the default (or, at least,
previously-configured) SSLSocketFactory.

-chris

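One way to scope the exception to a single host, as Christopher suggests above, instead of changing the JVM-wide defaults (an added example, not code from this thread or from Cocoon): the connection to one named host is checked against a pinned certificate fingerprint, and every other connection keeps the default SSLSocketFactory and HostnameVerifier. The names ScopedTls, PinnedTrustManager and open, and the parameters exemptHost and pinB64 (Base64 of the SHA-256 of the certificate's DER encoding, obtained out of band), are assumptions for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.*;

final class ScopedTls {
    /** Accepts exactly one known server certificate, identified by the SHA-256 of its DER encoding. */
    static final class PinnedTrustManager implements X509TrustManager {
        private final String pinB64;   // hypothetical parameter: Base64 SHA-256 of the expected certificate
        PinnedTrustManager(String pinB64) { this.pinB64 = pinB64; }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
            try {
                byte[] d = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
                if (!Base64.getEncoder().encodeToString(d).equals(pinB64))
                    throw new CertificateException("server certificate does not match the pin");
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not accepted here");
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Opens url; only exemptHost gets the pinned check, every other host keeps the JVM defaults. */
    static URLConnection open(URL url, String exemptHost, String pinB64)
            throws IOException, GeneralSecurityException {
        URLConnection conn = url.openConnection();
        if (conn instanceof HttpsURLConnection && exemptHost.equalsIgnoreCase(url.getHost())) {
            HttpsURLConnection https = (HttpsURLConnection) conn;
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] { new PinnedTrustManager(pinB64) }, null);
            https.setSSLSocketFactory(ctx.getSocketFactory());   // applies to this connection only
            https.setHostnameVerifier((host, session) -> exemptHost.equalsIgnoreCase(host));
        }
        return conn;
    }
}
```

How to hook this into Cocoon's source resolution is not shown here.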

Re: [C3] How to/where to disable certificate check accessing HTTPS

Posted by Andrei Lunjov <an...@gmail.com>.
Thank you a lot, Christopher!

Me blind idiot - didn't mark 
HttpsURLConnection.setDefaultSSLSocketFactory is static! :)

Very simple indeed - I implemented ServletContextListener and added it 
to *-block-deployment.xweb in my block.
One more thing was needed:

     HostnameVerifier verifyEverything = new HostnameVerifier() {
         public boolean verify(String hostname, SSLSession session) {
             return true;
         }
     };

     HttpsURLConnection.setDefaultHostnameVerifier( verifyEverything );

This works for me now.
And yes, making this check switchable per resource would be very useful.


Thanks,
Andrei



10.09.2010 21:17, Christopher Schultz wrote:
> Andrei,
>
> On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
>    
>> Hi Jos,
>>
>> I just try to do:
>>
>> <map:generate src="https://asite.with.invalid.cert/some/resource"/>
>>
>> And sun.net.www.protocol.https.HttpsURLConnectionImpl if I remember
>> right throws an exception.
>> Cert is invalid, so adding it to the trust store is questionable.
>> I'd like to ignore the cert check at all, something like this:
>> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
>> And it's a big question for me what would be the best way to add this
>> modification, preferably so I can switch cert check on and off for
>> different resources.
>>      
> The code below will disable SSL checking for /all/ resources, and can
> easily be put into a ServletContextListener in order to modify the SSL
> cert checking behavior for a webapp at startup (that is, it's relatively
> easy to just slap this into an existing Cocoon installation).
>
>      public static void disableSSLCertificateChecking()
>          throws NoSuchAlgorithmException, KeyManagementException
>      {
>          TrustManager[] trustAllCerts = new TrustManager[] {
>              new X509TrustManager() {
>                  public X509Certificate[] getAcceptedIssuers() {
>                      return null;
>                  }
>                  public void checkClientTrusted(X509Certificate[] certs,
>                                                 String authType) {
>                  }
>                  public void checkServerTrusted(X509Certificate[] certs,
>                                                 String authType) {
>                  }
>              }
>          };
>
>          SSLContext sc = SSLContext.getInstance("SSL");
>
>          sc.init(null, trustAllCerts, new java.security.SecureRandom());
>
>
>          HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>      }
>
> As I mentioned, this won't help with the resource-specific connections.
>
> The code above could be adapted to work inside a generator in order to
> exempt that single resource from SSL certificate checking. Maybe I'll
> take a look at the Cocoon code and propose a patch if it's useful.
>
> -chris


Re: [C3] How to/where to disable certificate check accessing HTTPS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andrei,

On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
> Hi Jos,
> 
> I just try to do:
> 
> <map:generate src="https://asite.with.invalid.cert/some/resource"/>
> 
> And sun.net.www.protocol.https.HttpsURLConnectionImpl if I remember
> right throws an exception.
> Cert is invalid, so adding it to the trust store is questionable.
> I'd like to ignore the cert check at all, something like this:
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
> And it's a big question for me what would be the best way to add this
> modification, preferably so I can switch cert check on and off for
> different resources.

The code below will disable SSL checking for /all/ resources, and can
easily be put into a ServletContextListener in order to modify the SSL
cert checking behavior for a webapp at startup (that is, it's relatively
easy to just slap this into an existing Cocoon installation).

    public static void disableSSLCertificateChecking()
        throws NoSuchAlgorithmException, KeyManagementException
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                }
            }
        };

        SSLContext sc = SSLContext.getInstance("SSL");

        sc.init(null, trustAllCerts, new java.security.SecureRandom());


        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }

As I mentioned, this won't help with the resource-specific connections.

The code above could be adapted to work inside a generator in order to
exempt that single resource from SSL certificate checking. Maybe I'll
take a look at the Cocoon code and propose a patch if it's useful.

-chris


Re: [C3] How to/where to disable certificate check accessing HTTPS

Posted by Andrei Lunjov <an...@gmail.com>.
Hi Jos,

I just try to do:

<map:generate src="https://asite.with.invalid.cert/some/resource"/>

And sun.net.www.protocol.https.HttpsURLConnectionImpl if I remember 
right throws an exception.
Cert is invalid, so adding it to the trust store is questionable.
I'd like to ignore the cert check at all, something like this: 
http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
And it's a big question for me what would be the best way to add this 
modification, preferably so I can switch cert check on and off for 
different resources.


Andrei



10.09.2010 07:25, Jos Snellings wrote:
> Hi Andrej,
>
> Could you please provide a little bit more detail on what you want to 
> accomplish?
> Is it that you need in your sitemap to forward some urls to a secure 
> site?
>
> Cheers,
> Jos


Re: [C3] How to/where to disable certificate check accessing HTTPS

Posted by Jos Snellings <Jo...@pandora.be>.
Hi Andrej,

Could you please provide a little bit more detail on what you want to 
accomplish?
Is it that you need in your sitemap to forward some urls to a secure site?

Cheers,
Jos
