Posted to users@cxf.apache.org by sudip shrestha <su...@gmail.com> on 2008/04/24 18:16:24 UTC

a solution for ssl client via java code

I have worked with the developer, Julius Davies (
http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution which he
currently refers to as "not-yet-commons-ssl" to work out a very simple and
reusable solution to develop a java client for ssl based connections.  This
library encapsulates all the internal ssl connection details.  I am posting
this for the benefit of those who are trying to develop a client
without spring.

1. First download the commons-ssl library from
http://juliusdavies.ca/commons-ssl/download.html and extract the .jar file,
then run the following command:
java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm /yourPathTo/host.crt

2. Then copy the section between -----BEGIN CERTIFICATE----- and -----END
CERTIFICATE----- and put it in a Certificate.java file or whichever way you
prefer.

Then I have provided the code below:
3. Client Code:

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;

// Build the JAX-WS proxy for the HTTPS endpoint.
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setServiceClass( HelloWorld.class );
factory.setAddress( "https://localhost/services/HelloWorld" );
HelloWorld port = (HelloWorld) factory.create();

// Reach the HTTP conduit behind the proxy and hand it the TLS settings.
Client client = ClientProxy.getClient( port );
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setSecureSocketProtocol("SSL");
FiltersType filters = new FiltersType();
filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
tlsParams.setCipherSuitesFilter(filters);

tlsParams.setTrustManagers( getTrustManagers() );  // <<== from step 4.
httpConduit.setTlsClientParameters(tlsParams);


4. getTrustManagers function:

import javax.net.ssl.TrustManager;
import org.apache.commons.ssl.TrustChain;
import org.apache.commons.ssl.TrustMaterial;

private TrustManager[] getTrustManagers()
        throws java.security.NoSuchAlgorithmException,
               java.security.KeyStoreException,
               java.io.IOException,
               java.security.GeneralSecurityException
{
    // Comes from your Certificate.java file, where you store the cert content from step 2.
    byte[] pemCert = Certificates.pemCert_localhost;

    TrustChain tc = new TrustChain();
    tc.addTrustMaterial( new TrustMaterial( pemCert ) );  // the server's own certificate
    tc.addTrustMaterial( TrustMaterial.CACERTS );          // plus the JRE's default CA store
    return ( TrustManager[] ) tc.getTrustManagers();
}
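An added example, not from Sudip's post or the commons-ssl project, that does steps 3 and 4 with the JDK's own JSSE classes instead of commons-ssl: it trusts only the certificate captured in step 2 (no cacerts), fails at startup if that certificate has expired, and swaps the "SSL" protocol and RC4 suites for TLS with forward-secret AES-GCM suites. It assumes the HelloWorld service interface from step 3 is on the classpath; PinnedTlsClient, trustManagersForPem and tlsParameters are names chosen here, and PEM_CERT is a placeholder for the pasted certificate.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;

public final class PinnedTlsClient {
    // Placeholder for the PEM block copied in step 2; paste the real certificate here.
    private static final String PEM_CERT = "-----BEGIN CERTIFICATE-----\n"
        + "<base64 certificate body from step 2>\n" + "-----END CERTIFICATE-----\n";

    // Step 4 with plain JSSE instead of commons-ssl: parse the PEM, put it in an
    // in-memory trust store, and derive the TrustManager[] from that store only.
    static TrustManager[] trustManagersForPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(pem.getBytes("US-ASCII")));
        cert.checkValidity();  // fail at startup, not on the first call, if the pinned cert expired
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);   // empty store, no cacerts: only this certificate is trusted
        ks.setCertificateEntry("localhost", cert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Step 3 with the protocol and cipher-suite choices tightened.
    static TLSClientParameters tlsParameters(TrustManager[] tms) {
        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setSecureSocketProtocol("TLS");  // the post uses "SSL"; negotiate TLS instead
        FiltersType filters = new FiltersType();
        // Forward-secret AEAD suites in place of the RC4/MD5 suites from the post.
        filters.getInclude().add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        filters.getInclude().add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        tlsParams.setCipherSuitesFilter(filters);
        tlsParams.setTrustManagers(tms);
        return tlsParams;
    }

    // Same wiring as step 3; HelloWorld is the service interface from the post.
    public static void main(String[] args) throws Exception {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(HelloWorld.class);
        factory.setAddress("https://localhost/services/HelloWorld");
        HelloWorld port = (HelloWorld) factory.create();
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tlsParameters(trustManagersForPem(PEM_CERT)));
        // Every call made through `port` now runs over TLS against the pinned certificate.
    }
}
```

If the server's certificate is replaced, the handshake fails until PEM_CERT is updated, which is the intended behaviour of pinning a single certificate rather than trusting cacerts as well.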

Re: a solution for ssl client via java code

Posted by Julius Davies <ju...@gmail.com>.
Hi, dev@cxf,

I've opened a ticket for this, and attached a patch.

https://issues.apache.org/jira/browse/CXF-1549


The patch is meant to show the approach.  If you like it, I'll add
unit tests and maybe see if I can even run some code in an environment
to try it out.


yours,

Julius


On Thu, Apr 24, 2008 at 2:09 PM, Daniel Kulp <dk...@apache.org> wrote:
>
>  Flipping to dev@cxf.apache.org....
>
>
>  I'm definitely open to this idea.  Feel free to log a jira and attach a
>  patch.   I may have Fred look at it a bit before applying it, but I
>  think the idea has some merits.  Certainly may be easier to configure
>  some security stuff if the user is very familiar with JSSE and the
>  SSLSocketFactory stuff instead of the CXF apis.
>
>  Dan
>
>
>
>
>  On Thursday 24 April 2008, Julius Davies wrote:
>
>
> > If I succeed at subscribing, I'd like to mention two things:
>  >
>  > #1.  Just some minor editing to Sudip's great instructions.
>  >
>  > #2.  Things would be easier if TLSClientParameters could include
>  > setSSLSocketFactory/getSSLSocketFactory.  That way people could do
>  > this:
>  >
>  > // Just a sub-class of javax.net.ssl.SSLSocketFactory
>  > SSLClient client = new SSLClient();
>  > client.addTrustMaterial( TrustMaterial.DEFAULT );
>  > client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
>  > // To be different, let's allow for expired certificates (not recommended).
>  > client.setCheckHostname( true );  // default setting is "true" for SSLClient
>  > client.setCheckExpiry( false );   // default setting is "true" for SSLClient
>  > client.setCheckCRL( true );       // default setting is "true" for SSLClient
>  >
>  > // This method doesn't exist yet, but if people are interested, I'll
>  > send a patch.
>  > tlsClientParameters.setSSLSocketFactory(client);
>  >
>  >
>  > CXF wouldn't need to know anything about not-yet-commons-ssl, because
>  > org.apache.commons.ssl.SSLClient is a subclass of
>  > javax.net.ssl.SSLSocketFactory!
>  >
>  >
>  > Would CXF be interested in a patch like that?  Other fancy libraries
>  > that offer handy sub-classes of javax.net.ssl.SSLSocketFactory would
>  > also benefit.
>  >
>  > (This should probably be sent to dev, not users - now people searching
>  > through google are going to start complaining that the
>  > tlsClientParameters.setSSLSocketFactory() method is missing!)
>  >
>  > yours,
>  >
>  > Julius
>  >
>  > On Thu, Apr 24, 2008 at 9:16 AM, sudip shrestha <su...@gmail.com> wrote:
>  > > I have worked with the developer, Julius Davies
>  > > (http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution
>  > > which he currently refers to "not-yet-commons-ssl" to work out a
>  > > very simple and reusable solution to develop a java client for ssl
>  > > based connections.  This library encapsulates all the internal ssl
>  > > connections details.  I am posting this for the benefit of those who
>  > > are trying to develop a client without spring.
>  > >
>  > > 1. First download the commons-ssl library from
>  > > http://juliusdavies.ca/commons-ssl/download.html and extract the
>  > > .jar file, then run the following command:
>  > > java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm
>  > > /yourPathTo/host.crt
>  > >
>  > > 2. Then copy the section between -----BEGIN CERTIFICATE----- and
>  > > -----END CERTIFICATE----- and put it in a Certificate.java file or
>  > > whichever way you prefer.
>  > >
>  > > Then I have provided the code below:
>  > > 3. Client Code:
>  > > JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
>  > > factory.setServiceClass( HelloWorld.class );
>  > > factory.setAddress( "https://localhost/services/HelloWorld" );
>  > > HelloWorld port = (HelloWorld) factory.create();
>  > >
>  > > Client client = ClientProxy.getClient( port );
>  > > HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
>  > > TLSClientParameters tlsParams = new TLSClientParameters();
>  > > tlsParams.setSecureSocketProtocol("SSL");
>  > > FiltersType filters = new FiltersType();
>  > > filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
>  > > filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
>  > > tlsParams.setCipherSuitesFilter(filters);
>  > >
>  > > tlsParams.setTrustManagers( getTrustManagers() ); //<<===== from step 4.
>  > > httpConduit.setTlsClientParameters(tlsParams);
>  > >
>  > > 4. getTrustManagers function:
>  > >
>  > > private TrustManager[] getTrustManagers()
>  > >         throws java.security.NoSuchAlgorithmException,
>  > >                java.security.KeyStoreException, java.io.IOException,
>  > >                java.security.GeneralSecurityException
>  > > {
>  > >     // comes from your Certificate.java file where you would store
>  > >     // the cert content from step 2.
>  > >     byte[] pemCert = Certificates.pemCert_localhost;
>  > >
>  > >     TrustChain tc = new TrustChain();
>  > >     tc.addTrustMaterial( new TrustMaterial( pemCert ) );
>  > >     tc.addTrustMaterial( TrustMaterial.CACERTS );
>  > >     return ( TrustManager[] )tc.getTrustManagers();
>  > > }
>
>
>
>  --
>
>
> J. Daniel Kulp
>  Principal Engineer, IONA
>  dkulp@apache.org
>  http://www.dankulp.com/blog
>



-- 
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/

Re: a solution for ssl client via java code

Posted by Fred Dushin <fr...@dushin.net>.
Absolutely.  The config is designed to reflect the JSSE APIs as much  
as possible, so anything we can do to improve that, the better.

-Fred

On Apr 24, 2008, at 5:09 PM, Daniel Kulp wrote:

> Certainly may be easier to configure
> some security stuff if the user is very familiar with JSSE and the
> SSLSocketFactory stuff instead of the CXF apis.


Re: a solution for ssl client via java code

Posted by Daniel Kulp <dk...@apache.org>.
Flipping to dev@cxf.apache.org....


I'm definitely open to this idea.  Feel free to log a jira and attach a 
patch.   I may have Fred look at it a bit before applying it, but I 
think the idea has some merits.  Certainly may be easier to configure 
some security stuff if the user is very familiar with JSSE and the 
SSLSocketFactory stuff instead of the CXF apis.

Dan



On Thursday 24 April 2008, Julius Davies wrote:
> If I succeed at subscribing, I'd like to mention two things:
>
> #1.  Just some minor editing to Sudip's great instructions.
>
> #2.  Things would be easier if TLSClientParameters could include
> setSSLSocketFactory/getSSLSocketFactory.  That way people could do
> this:
>
> // Just a sub-class of javax.net.ssl.SSLSocketFactory
> SSLClient client = new SSLClient();
> client.addTrustMaterial( TrustMaterial.DEFAULT );
> client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
> // To be different, let's allow for expired certificates (not recommended).
> client.setCheckHostname( true );  // default setting is "true" for SSLClient
> client.setCheckExpiry( false );   // default setting is "true" for SSLClient
> client.setCheckCRL( true );       // default setting is "true" for SSLClient
>
> // This method doesn't exist yet, but if people are interested, I'll
> send a patch.
> tlsClientParameters.setSSLSocketFactory(client);
>
>
> CXF wouldn't need to know anything about not-yet-commons-ssl, because
> org.apache.commons.ssl.SSLClient is a subclass of
> javax.net.ssl.SSLSocketFactory!
>
>
> Would CXF be interested in a patch like that?  Other fancy libraries
> that offer handy sub-classes of javax.net.ssl.SSLSocketFactory would
> also benefit.
>
> (This should probably be sent to dev, not users - now people searching
> through google are going to start complaining that the
> tlsClientParameters.setSSLSocketFactory() method is missing!)
>
> yours,
>
> Julius
>
> On Thu, Apr 24, 2008 at 9:16 AM, sudip shrestha <su...@gmail.com> wrote:
> > I have worked with the developer, Julius Davies
> > (http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution
> > which he currently refers to "not-yet-commons-ssl" to work out a
> > very simple and reusable solution to develop a java client for ssl
> > based connections.  This library encapsulates all the internal ssl
> > connections details.  I am posting this for the benefit of those who
> > are trying to develop a client without spring.
> >
> > 1. First download the commons-ssl library from
> > http://juliusdavies.ca/commons-ssl/download.html and extract the
> > .jar file, then run the following command:
> > java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm
> > /yourPathTo/host.crt
> >
> > 2. Then copy the section between -----BEGIN CERTIFICATE----- and
> > -----END CERTIFICATE----- and put it in a Certificate.java file or
> > whichever way you prefer.
> >
> > Then I have provided the code below:
> > 3. Client Code:
> > JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
> > factory.setServiceClass( HelloWorld.class );
> > factory.setAddress( "https://localhost/services/HelloWorld" );
> > HelloWorld port = (HelloWorld) factory.create();
> >
> > Client client = ClientProxy.getClient( port );
> > HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
> > TLSClientParameters tlsParams = new TLSClientParameters();
> > tlsParams.setSecureSocketProtocol("SSL");
> > FiltersType filters = new FiltersType();
> > filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
> > filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
> > tlsParams.setCipherSuitesFilter(filters);
> >
> > tlsParams.setTrustManagers( getTrustManagers() ); //<<===== from step 4.
> > httpConduit.setTlsClientParameters(tlsParams);
> >
> > 4. getTrustManagers function:
> >
> > private TrustManager[] getTrustManagers()
> >         throws java.security.NoSuchAlgorithmException,
> >                java.security.KeyStoreException, java.io.IOException,
> >                java.security.GeneralSecurityException
> > {
> >     // comes from your Certificate.java file where you would store
> >     // the cert content from step 2.
> >     byte[] pemCert = Certificates.pemCert_localhost;
> >
> >     TrustChain tc = new TrustChain();
> >     tc.addTrustMaterial( new TrustMaterial( pemCert ) );
> >     tc.addTrustMaterial( TrustMaterial.CACERTS );
> >     return ( TrustManager[] )tc.getTrustManagers();
> > }



-- 
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog

Re: a solution for ssl client via java code

Posted by Daniel Kulp <dk...@apache.org>.
On Thursday 24 April 2008, Julius Davies wrote:
> Hi, users@cxf.apache.org,
>
> I'd like to add some refinements to this but I can't seem to subscribe
> to the mailing list.
>
> cxf-user-subscribe@incubator.apache.org is telling me the mailing list
> has moved.

List has now officially moved.  Send the note to:
users-subscribe@cxf.apache.org


-- 
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog

Re: a solution for ssl client via java code

Posted by Julius Davies <ju...@gmail.com>.
Hi, users@cxf.apache.org,

I'd like to add some refinements to this but I can't seem to subscribe
to the mailing list.

cxf-user-subscribe@incubator.apache.org is telling me the mailing list
has moved.


If I succeed at subscribing, I'd like to mention two things:

#1.  Just some minor editing to Sudip's great instructions.

#2.  Things would be easier if TLSClientParameters could include
setSSLSocketFactory/getSSLSocketFactory.  That way people could do
this:

// Just a sub-class of javax.net.ssl.SSLSocketFactory
SSLClient client = new SSLClient();
client.addTrustMaterial( TrustMaterial.DEFAULT );
client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
// To be different, let's allow for expired certificates (not recommended).
client.setCheckHostname( true );  // default setting is "true" for SSLClient
client.setCheckExpiry( false );   // default setting is "true" for SSLClient
client.setCheckCRL( true );       // default setting is "true" for SSLClient

// This method doesn't exist yet, but if people are interested, I'll send a patch.
tlsClientParameters.setSSLSocketFactory(client);


CXF wouldn't need to know anything about not-yet-commons-ssl, because
org.apache.commons.ssl.SSLClient is a subclass of
javax.net.ssl.SSLSocketFactory!


Would CXF be interested in a patch like that?  Other fancy libraries
that offer handy sub-classes of javax.net.ssl.SSLSocketFactory would
also benefit.

(This should probably be sent to dev, not users - now people searching
through google are going to start complaining that the
tlsClientParameters.setSSLSocketFactory() method is missing!)

yours,

Julius




On Thu, Apr 24, 2008 at 9:16 AM, sudip shrestha <su...@gmail.com> wrote:
> I have worked with the developer, Julius Davies
> (http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution which he
> currently refers to "not-yet-commons-ssl" to work out a very simple and
> reusable solution to develop a java client for ssl based connections.  This
> library encapsulates all the internal ssl connections details.  I am posting
> this for the benefit of those who are trying to develop a client without
> spring.
>
> 1. First download the commons-ssl library from
> http://juliusdavies.ca/commons-ssl/download.html and extract the .jar file,
> then run the following command:
> java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm
> /yourPathTo/host.crt
>
> 2. Then copy the section between -----BEGIN CERTIFICATE----- and -----END
> CERTIFICATE----- and put it in a Certificate.java file or whichever way you
> prefer.
>
> Then I have provided the code below:
> 3. Client Code:
>                 JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
>                 factory.setServiceClass( HelloWorld.class );
>                 factory.setAddress( "https://localhost/services/HelloWorld" );
>                 HelloWorld port = (HelloWorld) factory.create();
>
>                 Client client = ClientProxy.getClient( port );
>                 HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
>                 TLSClientParameters tlsParams = new TLSClientParameters();
>                 tlsParams.setSecureSocketProtocol("SSL");
>                 FiltersType filters = new FiltersType();
>                 filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
>                 filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
>                  tlsParams.setCipherSuitesFilter(filters);
>
>
>                 tlsParams.setTrustManagers( getTrustManagers() );
> //<<=====================from step 4.
>                 httpConduit.setTlsClientParameters(tlsParams);
>
>
> 4. getTrustManagers function:
>
> private TrustManager[] getTrustManagers()
>                 throws java.security.NoSuchAlgorithmException,
> java.security.KeyStoreException, java.io.IOException,
> java.security.GeneralSecurityException
>         {
>                 byte[] pemCert = Certificates.pemCert_localhost;
> //<<===========comes from your Certificate.java file where you would store
> the cert content from step 2.
>
>                 TrustChain tc = new TrustChain();
>                 tc.addTrustMaterial( new TrustMaterial( pemCert ) );
>                 tc.addTrustMaterial( TrustMaterial.CACERTS );
>                 return ( TrustManager[] )tc.getTrustManagers();
>          }
>



-- 
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/