You are viewing a plain text version of this content. The canonical link for it is here.
Posted to xmlrpc-dev@ws.apache.org by jo...@apache.org on 2006/07/15 03:58:35 UTC
svn commit: r422130 - in /webservices/xmlrpc/trunk/src: changes/changes.xml
site/apt/advanced.apt site/apt/ssl.apt site/site.xml
Author: jochen
Date: Fri Jul 14 18:58:34 2006
New Revision: 422130
URL: http://svn.apache.org/viewvc?rev=422130&view=rev
Log:
Added docs for accessing an SSL server. (XMLRPC-93)
Added:
webservices/xmlrpc/trunk/src/site/apt/ssl.apt
Modified:
webservices/xmlrpc/trunk/src/changes/changes.xml
webservices/xmlrpc/trunk/src/site/apt/advanced.apt
webservices/xmlrpc/trunk/src/site/site.xml
Modified: webservices/xmlrpc/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/src/changes/changes.xml?rev=422130&r1=422129&r2=422130&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/src/changes/changes.xml (original)
+++ webservices/xmlrpc/trunk/src/changes/changes.xml Fri Jul 14 18:58:34 2006
@@ -13,6 +13,9 @@
Fixed an invalid index, that caused the ReflectiveXmlRpcHandler to fail
detecting a method.
</action>
+ <action dev="jochen" type="enhancement">
+ Added documentation for accessing an SSL server.
+ </action>
</release>
<release version="3.0b1" date="24-Jun-2006">
<action dev="hgomez" type="add">
Modified: webservices/xmlrpc/trunk/src/site/apt/advanced.apt
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/src/site/apt/advanced.apt?rev=422130&r1=422129&r2=422130&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/src/site/apt/advanced.apt (original)
+++ webservices/xmlrpc/trunk/src/site/apt/advanced.apt Fri Jul 14 18:58:34 2006
@@ -1,9 +1,8 @@
- --------------------
- Advanced Programming
- --------------------
+ ---------------------------
+ Advanced Programming Topics
+ ---------------------------
- The Apache XML-RPC library offers some advanced techniques, which
- are being described on this page.
+ This page describes some advanced topics.
Dynamic proxies
Added: webservices/xmlrpc/trunk/src/site/apt/ssl.apt
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/src/site/apt/ssl.apt?rev=422130&view=auto
==============================================================================
--- webservices/xmlrpc/trunk/src/site/apt/ssl.apt (added)
+++ webservices/xmlrpc/trunk/src/site/apt/ssl.apt Fri Jul 14 18:58:34 2006
@@ -0,0 +1,130 @@
+ ---------
+ Using SSL
+ ---------
+
+ This page describes how to configure a client for using SSL (aka https).
+ Server configuration is out of this documents scope, because it clearly
+ depends on the webserver. We refer, for example, to the
+ {{{http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html} Tomcat SSL HowTo}}
+ or to the FAQ entry on
+ {{{http://www.mortbay.org/jetty/faq?s=400-Security&t=ssl} SSL with Jetty}}.
+
+Background
+
+ Client configuration for SSL is not as simple as one might expect. This
+ is surprising, because using SSL with a browser is as simple as typing in
+ an https URL into the browsers input field.
+
+ Thus, the first thing to keep in mind: Never start with Apache XML-RPC as
+ a client. It is much better to create a simple static page and point your
+ browser to the static pages URL. If you get this working, then you may
+ assume that all remaining problems rest with the client.
+
+ If you did that, you may have noticed, that the browser brings up a
+ warning, that your web server is "not trusted". This is typically the
+ case, if you did not buy a certificate: For the case of simplicity,
+ developers are typically creating a so-called "self-signed certificate".
+
+ And that's exactly your most likely problem: Like pressing the browsers
+ button to "Accept the certificate" (temporarily or permanently), you've
+ got to tell your Java client, that you want to accept the certificate.
+
+Choose the right URL
+
+ Typically, your server may be accessible with multiple URL's. For example,
+ on my machine the following URL's will all reach the same servlet:
+
+ https://mcjwi.eur.ad.sag/xmlrpc
+ https://localhost/xmlrpc
+ https://127.0.0.1/xmlrpc
+
+ Unfortunately, at most one will work in the most cases. The question is:
+ How do I choose the right one?
+
+ The answer is given by the certificate field CN. For example, my self
+ certified key looks like this:
+
+ Owner: CN=mcjwi.eur.ad.sag, OU=-, O=-, L=-, ST=-, C=-
+ Issuer: CN=mcjwi.eur.ad.sag, OU=-, O=-, L=-, ST=-, C=-
+
+ Note, that you've got to pick a proper CN when generating the certificate!
+ If you are self-certifying the key and the keytool asks you for your own
+ name: Ignore it. In your case the proper reply is the host name.
+
+The quick and dirty solution
+
+ Yes, there is a quick and dirty solution: Just tell your client, that you
+ want to accept any certificate, regardless of issuer and host. This can be
+ done by installing a custom TrustManager and a HostnameVerifier. Add the
+ following code to your clients initialization:
+
+-----------------------------------------------------------------------------------
+ import java.security.cert.X509Certificate;
+
+ import javax.net.ssl.HostnameVerifier;
+ import javax.net.ssl.HttpsURLConnection;
+ import javax.net.ssl.SSLContext;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.TrustManager;
+ import javax.net.ssl.X509TrustManager;
+
+ // Create a trust manager that does not validate certificate chains
+ TrustManager[] trustAllCerts = new TrustManager[] {
+ new X509TrustManager() {
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+
+ public void checkClientTrusted(X509Certificate[] certs, String authType) {
+ // Trust always
+ }
+
+ public void checkServerTrusted(X509Certificate[] certs, String authType) {
+ // Trust always
+ }
+ }
+ };
+
+ // Install the all-trusting trust manager
+ SSLContext sc = SSLContext.getInstance("SSL");
+ // Create empty HostnameVerifier
+ HostnameVerifier hv = new HostnameVerifier() {
+ public boolean verify(String arg0, SSLSession arg1) {
+ return true;
+ }
+ };
+
+ sc.init(null, trustAllCerts, new java.security.SecureRandom());
+ HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+ HttpsURLConnection.setDefaultHostnameVerifier(hv);
+-----------------------------------------------------------------------------------
+
+The recommended solution
+
+ Needless to say, the quick and dirty solution may is insecure, because it can
+ your requests can be intercepted by a man-in-the-middle attack. Fortunately,
+ there is also a clean solution: Import the servers public key into your
+ truststore.
+
+ As a first step, you've got to obtain the servers public key. Assuming, that
+ the key is in your keystore, you may export it by running
+
+-----------------------------------------------------------------------------------
+ keytool -export -alias tomcat -rfc -file tomcat.crt
+-----------------------------------------------------------------------------------
+
+ This example would export the public key named "tomcat" (which is used by
+ Tomcat) into the file "tomcat.crt". The key would be read from your default
+ keystore, which is the file .keystore in your home directory (something like
+ "c:\Documents and Settings\jwi\.keystore" on windows or "/home/jwi/.keystore"
+ on Linux/Unix).
+
+ Obviously, this first step must be done on the server. The second step would
+ be to create a truststore on your client by importing the file "tomcat.crt":
+
+-----------------------------------------------------------------------------------
+ keytool -import -alias servercert -file tomcat.crt -keystore truststore
+-----------------------------------------------------------------------------------
+
+ The option "-keystore truststore" specifies a file name. Of course, this may
+ as well be an absolute path.
Modified: webservices/xmlrpc/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/src/site/site.xml?rev=422130&r1=422129&r2=422130&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/src/site/site.xml (original)
+++ webservices/xmlrpc/trunk/src/site/site.xml Fri Jul 14 18:58:34 2006
@@ -16,6 +16,7 @@
<item name="Client Classes" href="/client.html"/>
<item name="Server Side XML-RPC" href="/server.html"/>
<item name="Vendor Extensions" href="/extensions.html"/>
+ <item name="SSL" href="/ssl.html"/>
<item name="Advanced Techniques" href="/advanced.html"/>
<item name="XML-RPC Types" href="/types.html"/>
<item name="Download" href="/download.html"/>
---------------------------------------------------------------------
To unsubscribe, e-mail: xmlrpc-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: xmlrpc-dev-help@ws.apache.org