Posted to java-user@axis.apache.org by am am <ak...@yahoo.com> on 2012/11/13 22:37:28 UTC
Axis SSL authentication help!
Hi,
I am using Axis 1 and need to do SSL authentication of a web service.
I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers.
Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case?
Keep resetting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complain that once the socket factory is set in AxisProperties it is cached and any new setting has no effect: https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
Is there a workaround for this?
If you could help me here it would be great, guys!
Thank you
Re: Axis SSL authentication help!
Posted by am am <ak...@yahoo.com>.
I am using Tomcat. But the question is about the client side, NOT the server side.
---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@axis.apache.org
For additional commands, e-mail: java-user-help@axis.apache.org
RE: Axis SSL authentication help!
Posted by Martin Gainty <mg...@hotmail.com>.
Good Point
if...you start the webapp with init-params ...later on you try to change the value(s) of those properties (but you notice the change to init-params has no effect)
since the init-param properties are already populated you're stuck with those for the lifetime of the webapp
For dynamically changing information such as new values from UI or updated attributes from events I would not use properties and opt for reading (and writing) to a database
We could respond which cache-disable directives would work (if you tell us which container you are using)
Finally..never put any webapp which accepts self-signed certs into production!
Thank you,
Martin
______________________________________________
Please...do not alter or interrupt this communication.
RE: Axis SSL authentication help!
Posted by Oscar Rugama <os...@hotmail.com>.
Sure, properties are global; this kind of info is cached.
Regards
Re: Axis SSL authentication help!
Posted by am am <ak...@yahoo.com>.
So AxisProperties is global? From the docs it is unclear if they are bound to threads or classloader.
Re: Axis SSL authentication help!
Posted by Andreas Veithen <an...@gmail.com>.
I think that the socket factory is cached. Therefore changing the
properties after the first request will have no effect.
What I would do is to write my own socket factory that implements the
necessary logic to distinguish between the two cases.
Andreas
On Wed, Nov 14, 2012 at 9:42 PM, am am <ak...@yahoo.com> wrote:
> No. I have a web service client that uses axis1 to consume web services from
> server A and server B. For server A I need to do authentication while for
> server B there is no such need. So the problem is on my client side where I
> need to configure axis to do authentication on some of the requests (based
> on my truststore) and NOT do authentication in other requests using
> SunJSSESocketFactory. The way I understand it (docs are not clear)
> AxisProperties will override each other per request. Right? Is my problem
> clearer now?
>
> From: Martin Gainty <mg...@hotmail.com>
> To: java-user@axis.apache.org
> Sent: Wednesday, November 14, 2012 3:43 PM
>
> Subject: RE: Axis SSL authentication help!
>
>
>
> You need 2 different webapps
> one which implements SunFakeTrustSocketFactory for implementing unsigned
> server certs ..which would NEVER be used in Production Environment
> this would allow someone's client to hack in with their own self-signed
> certs
>
> one which implements
> http://ws.apache.org/axis/java/apiDocs/org/apache/axis/components/net/SunJSSESocketFactory.html
> provided requesting client has a valid (public) key of type RSA AND your
> client or B2B requesting entity supports JSSE key exchange
> this would prevent someone's client to hack in with their own self-signed
> certs
>
> so the question is are you implementing with self-signed certs OR are you
> using CA level certs (such as certs obtained from Verisign or Thawte)
>
> Martin
> ______________________________________________
> Disclaimer and confidentiality note
>
> This message is confidential. If you are not the intended recipient, we
> kindly ask you to notify us. Any unauthorized forwarding or making of a
> copy is not permitted. This message serves only for the exchange of
> information and has no legally binding effect. Because e-mails can easily
> be manipulated, we cannot accept any liability for the content.
>
> This message is confidential and may be privileged. If you are not the
> intended recipient, we kindly ask that you inform the sender. Any
> unauthorized distribution or copying of this is prohibited. This message
> is for information only and will not have any legally binding effect.
> Given that e-mails can easily be subject to manipulation, we cannot accept
> any responsibility for the content provided.
>
>
>
>
> Date: Tue, 13 Nov 2012 22:27:37 -0800
> From: akmeref@yahoo.com
> Subject: Re: Axis SSL authentication help!
> To: java-user@axis.apache.org
>
> Also why are you mentioning about the refactoring to different web apps? I
> am asking about client side code
>
> From: Martin Gainty <mg...@hotmail.com>
> To: java-user@axis.apache.org
> Sent: Wednesday, November 14, 2012 4:03 AM
> Subject: RE: Axis SSL authentication help!
>
> need to skip any server authentication in some requests (e.g. use
> SunFakeTrustSocketFactory).
>
> MG>you need to retask this to use 2 separate webapps
> MG>one which will authenticate your credentials with MySSLSocketFactory
> MG>one which not authenticate which will use SunFakeTrustSocketFactory
>
> MG>this is very clumsy and your options for specifying the security
> algorithm of your choosing as well as custom keysize are quite limited
> MG>why not use Axis2 and engage the Rampart Security Module?
> MG>Martin
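The approach suggested in the reply above, one socket factory that distinguishes the two servers itself, sketched as an added example that is not code from the thread or from the Axis project. The class name, host names, truststore paths and password property are hypothetical, and instead of SunFakeTrustSocketFactory it gives server B its own truststore so that B's certificate is still verified; it assumes Axis 1 and its jaxrpc jar on the classpath and does not tunnel through an HTTPS proxy.

```java
package com.example;

import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.rpc.holders.BooleanHolder;
import org.apache.axis.components.net.SecureSocketFactory;

/**
 * Added example (hypothetical class). Register it once, before the first
 * web service call, because the factory instance is cached afterwards:
 *
 *   AxisProperties.setProperty("axis.socketSecureFactory",
 *                              "com.example.PerHostSSLSocketFactory");
 */
public class PerHostSSLSocketFactory implements SecureSocketFactory {

    // Constructed sample values: each host maps to a truststore that holds
    // only the CA (or the self-signed certificate) of that one server.
    private static final Map<String, String> TRUSTSTORE_BY_HOST = new HashMap<String, String>();
    static {
        TRUSTSTORE_BY_HOST.put("server-a.example.com", "/etc/myclient/server-a-trust.jks");
        TRUSTSTORE_BY_HOST.put("server-b.example.com", "/etc/myclient/server-b-trust.jks");
    }

    // Hypothetical system property that carries the truststore password.
    private static final String PASSWORD_PROPERTY = "myclient.truststore.password";

    // One SSLSocketFactory per host, built lazily and reused across calls.
    private final Map<String, SSLSocketFactory> factories = new HashMap<String, SSLSocketFactory>();

    /** Axis creates socket factories reflectively, passing a Hashtable of attributes. */
    public PerHostSSLSocketFactory(Hashtable attributes) {
        // No attributes are needed; the per-host table above drives the choice.
    }

    public Socket create(String host, int port, StringBuffer otherHeaders,
                         BooleanHolder useFullURL) throws Exception {
        int targetPort = (port == -1) ? 443 : port;
        SSLSocket socket = (SSLSocket) factoryFor(host).createSocket(host, targetPort);

        // Plain SSLSocket does not check the host name by default; turn it on
        // so a valid certificate issued for another host is rejected.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake(); // fail here, not on the first write
        return socket;
    }

    /** The decision is made per connection, so no global property is reset. */
    private synchronized SSLSocketFactory factoryFor(String host) throws Exception {
        String key = host.toLowerCase(Locale.ROOT);
        SSLSocketFactory factory = factories.get(key);
        if (factory == null) {
            String path = TRUSTSTORE_BY_HOST.get(key);
            // Hosts that are not listed fall back to the JVM default
            // truststore, so validation is never silently skipped.
            factory = (path == null)
                    ? (SSLSocketFactory) SSLSocketFactory.getDefault()
                    : loadFactory(path);
            factories.put(key, factory);
        }
        return factory;
    }

    private static SSLSocketFactory loadFactory(String path) throws Exception {
        String password = System.getProperty(PASSWORD_PROPERTY);
        if (password == null) {
            throw new IllegalStateException("Missing system property " + PASSWORD_PROPERTY);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            trustStore.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null); // no client certificate
        return context.getSocketFactory();
    }
}
```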
Re: Axis SSL authentication help!
Posted by am am <ak...@yahoo.com>.
No. I have a web service client that uses axis1 to consume web services from server A and server B. For server A I need to do authentication while for server B there is no such need. So the problem is on my client side where I need to configure axis to do authentication on some of the requests (based on my truststore) and NOT do authentication in other requests using SunJSSESocketFactory. The way I understand it (docs are not clear) AxisProperties will override each other per request. Right? Is my problem clearer now?
________________________________
From: Martin Gainty <mg...@hotmail.com>
To: java-user@axis.apache.org
Sent: Wednesday, November 14, 2012 3:43 PM
Subject: RE: Axis SSL authentication help!
You need 2 different webapps
one which implements SunFakeTrustSocketFactory for implementing unsigned server certs
..which would NEVER be used in Production Environment
this would allow someone's client to hack in with their own self-signed certs
one which implements http://ws.apache.org/axis/java/apiDocs/org/apache/axis/components/net/SunJSSESocketFactory.html
provided requesting client has a valid (public) key of type RSA AND your client or B2B requesting entity supports JSSE key exchange
this would prevent someone's client to hack in with their own self-signed certs
so the question is are you implementing with self-signed certs OR are you using CA level certs (such as certs obtained from Verisign or Thawte)
Martin
________________________________
Date: Tue, 13 Nov 2012 22:27:37 -0800
From: akmeref@yahoo.com
Subject: Re: Axis SSL authentication help!
To: java-user@axis.apache.org
Also why are you mentioning about the refactoring to different web apps? I am asking about client side code
________________________________
From: Martin Gainty <mg...@hotmail.com>
To: java-user@axis.apache.org
Sent: Wednesday, November 14, 2012 4:03 AM
Subject: RE: Axis SSL authentication help!
need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
MG>you need to retask this to use 2 separate webapps
MG>one which will authenticate your credentials with MySSLSocketFactory
MG>one which not authenticate which will use SunFakeTrustSocketFactory
MG>this is very clumsy and your options for specifying the security algorithm of your choosing as well as custom keysize are quite limited
MG>why not use Axis2 and engage the Rampart Security Module?
MG>Martin
________________________________
Date: Tue, 13 Nov 2012 13:37:28 -0800
From: akmeref@yahoo.com
Subject: Axis SSL authentication help!
To: java-user@axis.apache.org
Hi,
I am using Axis 1 and need to do SSL authentication of a web service.
I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers.
Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case?
Keep resetting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complain that once the socket factory is set in AxisProperties it is cached and any new setting has no effect: https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
Is there a workaround for this?
If you could help me here it would be great guys!
Thank you
RE: Axis SSL authentication help!
Posted by Martin Gainty <mg...@hotmail.com>.
You need 2 different webapps
one which implements SunFakeTrustSocketFactory for implementing unsigned server certs
..which would NEVER be used in Production Environment
this would allow someone's client to hack in with their own self-signed certs
one which implements http://ws.apache.org/axis/java/apiDocs/org/apache/axis/components/net/SunJSSESocketFactory.html
provided requesting client has a valid (public) key of type RSA AND your client or B2B requesting entity supports JSSE key exchange
this would prevent someone's client to hack in with their own self-signed certs
so the question is are you implementing with self-signed certs OR are you using CA level certs (such as certs obtained from Verisign or Thawte)
Martin
Date: Tue, 13 Nov 2012 22:27:37 -0800
From: akmeref@yahoo.com
Subject: Re: Axis SSL authentication help!
To: java-user@axis.apache.org
Also why are you mentioning about the refactoring to different web apps? I am asking about client side code
From: Martin Gainty <mg...@hotmail.com>
To: java-user@axis.apache.org
Sent: Wednesday, November 14, 2012 4:03 AM
Subject: RE: Axis SSL authentication help!
need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
MG>you need to retask this to use 2 separate webapps
MG>one which will authenticate your credentials with MySSLSocketFactory
MG>one which not authenticate which will use SunFakeTrustSocketFactory
MG>this is very clumsy and your options for specifying the security algorithm of your choosing as well as custom keysize are quite limited
MG>why not use Axis2 and engage the Rampart Security Module?
MG>Martin
Date: Tue, 13 Nov 2012 13:37:28 -0800
From: akmeref@yahoo.com
Subject: Axis SSL authentication help!
To: java-user@axis.apache.org
Hi,
I am using Axis 1 and need to do SSL authentication of a web service.
I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers.
Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case?
Keep resetting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complain that once the socket factory is set in AxisProperties it is cached and any new setting has no effect: https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
Is there a workaround for this?
If you could help me here it would be great guys!
Thank you
Re: Axis SSL authentication help!
Posted by am am <ak...@yahoo.com>.
Also why are you mentioning about the refactoring to different web apps? I am asking about client side code
________________________________
From: Martin Gainty <mg...@hotmail.com>
To: java-user@axis.apache.org
Sent: Wednesday, November 14, 2012 4:03 AM
Subject: RE: Axis SSL authentication help!
need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
MG>you need to retask this to use 2 separate webapps
MG>one which will authenticate your credentials with MySSLSocketFactory
MG>one which not authenticate which will use SunFakeTrustSocketFactory
MG>this is very clumsy and your options for specifying the security algorithm of your choosing as well as custom keysize are quite limited
MG>why not use Axis2 and engage the Rampart Security Module?
MG>Martin
________________________________
Date: Tue, 13 Nov 2012 13:37:28 -0800
From: akmeref@yahoo.com
Subject: Axis SSL authentication help!
To: java-user@axis.apache.org
Hi,
I am using Axis 1 and need to do SSL authentication of a web service.
I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers.
Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case?
Keep resetting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complain that once the socket factory is set in AxisProperties it is cached and any new setting has no effect: https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
Is there a workaround for this?
If you could help me here it would be great guys!
Thank you
Re: Axis SSL authentication help!
Posted by am am <ak...@yahoo.com>.
I can't upgrade to Axis 2 and one of the main reasons is that I am consuming a WSDL that uses RPC-Encoding.
As far as I know this is not supported in Axis2, right?
So now I am at a dead end?
________________________________
From: Martin Gainty <mg...@hotmail.com>
To: java-user@axis.apache.org
Sent: Wednesday, November 14, 2012 4:03 AM
Subject: RE: Axis SSL authentication help!
need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
MG>you need to retask this to use 2 separate webapps
MG>one which will authenticate your credentials with MySSLSocketFactory
MG>one which not authenticate which will use SunFakeTrustSocketFactory
MG>this is very clumsy and your options for specifying the security algorithm of your choosing as well as custom keysize are quite limited
MG>why not use Axis2 and engage the Rampart Security Module?
MG>Martin
________________________________
Date: Tue, 13 Nov 2012 13:37:28 -0800
From: akmeref@yahoo.com
Subject: Axis SSL authentication help!
To: java-user@axis.apache.org
Hi,
I am using Axis 1 and need to do SSL authentication of a web service.
I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers.
Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case?
Keep resetting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complain that once the socket factory is set in AxisProperties it is cached and any new setting has no effect: https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
Is there a workaround for this?
If you could help me here it would be great guys!
Thank you
RE: Axis SSL authentication help!
Posted by Martin Gainty <mg...@hotmail.com>.
need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
MG>you need to retask this to use 2 separate webapps
MG>one which will authenticate your credentials with MySSLSocketFactory
MG>one which not authenticate which will use SunFakeTrustSocketFactory
MG>this is very clumsy and your options for specifying the security algorithm of your choosing as well as custom keysize are quite limited
MG>why not use Axis2 and engage the Rampart Security Module?
MG>Martin
Date: Tue, 13 Nov 2012 13:37:28 -0800
From: akmeref@yahoo.com
Subject: Axis SSL authentication help!
To: java-user@axis.apache.org
Hi,
I am using Axis 1 and need to do SSL authentication of a web service.
I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers.
Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory).
I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case?
Keep resetting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complain that once the socket factory is set in AxisProperties it is cached and any new setting has no effect: https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
Is there a workaround for this?
If you could help me here it would be great guys!
Thank you
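Added example, not part of the thread and not Axis project code: since axis.socketSecureFactory is process-wide and cached after first use, one factory can be registered once and choose the trust material per destination host, pinning a self-signed server's certificate in its own truststore instead of disabling server authentication. The class name, the pin() helper and the truststore paths are hypothetical; it assumes the Axis 1 SecureSocketFactory interface with its Hashtable constructor convention, Java 7 or later, and no HTTP proxy.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;
import javax.xml.rpc.holders.BooleanHolder;
import org.apache.axis.components.net.SecureSocketFactory;

// Register once at startup (hypothetical class name):
// AxisProperties.setProperty("axis.socketSecureFactory", "com.example.PerHostTrustSocketFactory");
public class PerHostTrustSocketFactory implements SecureSocketFactory {
    // host -> truststore file holding only that server's certificate (paths are the caller's)
    private static final Map<String, String> PINNED = new ConcurrentHashMap<String, String>();
    private static final Map<String, SSLSocketFactory> CACHE = new ConcurrentHashMap<String, SSLSocketFactory>();

    // Hypothetical helper; call before the first request to that host.
    public static void pin(String host, String truststorePath) { PINNED.put(host, truststorePath); }

    // Axis creates socket factories through a constructor taking a Hashtable of attributes.
    public PerHostTrustSocketFactory(Hashtable attributes) { }

    public Socket create(String host, int port, StringBuffer otherHeaders,
                         BooleanHolder useFullURL) throws Exception {
        SSLSocket s = (SSLSocket) factoryFor(host).createSocket(host, port == -1 ? 443 : port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // host name check during the handshake
        s.setSSLParameters(p);
        return s;
    }

    private static SSLSocketFactory factoryFor(String host) throws Exception {
        SSLSocketFactory f = CACHE.get(host);
        if (f != null) return f;
        String path = PINNED.get(host);
        if (path == null) {
            f = (SSLSocketFactory) SSLSocketFactory.getDefault(); // JVM default CA trust
        } else {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            InputStream in = new FileInputStream(path);
            try { ks.load(in, null); } finally { in.close(); }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null); // trust only what is in this store
            f = ctx.getSocketFactory();
        }
        CACHE.put(host, f);
        return f;
    }
}
```

Because the choice is keyed on the destination host rather than on a global property, concurrent calls to server A and server B cannot change each other's trust settings.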