You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by th...@ascentialsoftware.com on 2002/11/07 22:17:14 UTC
Specific TrustManager for Axis client over SSL
I wanted to define my own TrustManager to define customized actions when web
service server is not trusted.
It seems that the way to do it is to use the axis.socketSecureFactory
property to define your own socket factory.
But it also seem that the axis SocketFactory interface to implement is a
proprietary one (org/apache/axis/components/net/SocketFactory.java).
The problem in my case is that I do not want to create a new SocketFactory
class, I'd like to reuse the default one provided by JSSE.
I guess I can write a wrapper on top of the default JSSE one, but it does
not seem trivial to do so.
According to what I understood form the JSSE documentation, I need to do
something like that:
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
SocketFactory socketFactory = ctx.getSocketFactory();
And I do not have to write my own SocketFactory in order to do that.
Am I missing something or the only way is to write my own socket factory?
Thanks.
Thomas
Re: Specific TrustManager for Axis client over SSL
Posted by Richard Sitze <rs...@us.ibm.com>.
Don't worry so much about the AXIS SocketFactory classes, they don't map
to what you think they map to... they are purely internal.
The DEFAULT behavior in AXIS is to use JSSE directly, which allows you to
configure your security as-per the Java security model - see the JSSE
documentation on how to register and install for your JVM. If you can
configure the JVM to use your TrustManager, you will not have anything
more to do on the AXIS end of things. Unfortunately, not everything can
be done via Java security settings/configuration. For example, you can
only use SSL. If you want to use TLS (transport layer security) instead,
you must write your own code to register/configure the security system...
and that is exactly what the SunJSSESocketFactory code does (ignore the
class comment that says SSL). It demonstrates how YOU can override the
JVM configuration.
Now, I'm not an expert in this area, so I cannot say if your code is
correct or not... but assuming that it is (you want TLS instead of SSL,
and that you cannot otherwise configure the TrustManager), then:
1. copy SunJSSESocketFactory to MyJSSESocketFactory
2. have MyJSSESocketFactory implement SecureSocketFactory (that's a bug
in JSSESocketFactory & SunJSSESocketFactory).
3. modify the MyJSSESocketFactory.getContext() method to use your trust
manager & return the context... (let Axis handle the SocketFactory):
....
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
return ctx;
Then, create a jar file containing:
my/package/MyJSSESocketFactory.class
META-INF/services/org.apache.axis.components.net.SecureSocketFactory
This last file must contain a single line of text that directs Axis to
your implementation. In this case, put in
my/package/MyJSSESocketFactory
Finally, drop your Jar file into the CLASSPATH where Axis will be able to
locate the service declaration and your implementation.
Happy Trails, <ras>
*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development
thomas.cherel@ascentialsoftware.com
11/07/2002 03:17 PM
Please respond to axis-dev
To: axis-dev@xml.apache.org
cc:
Subject: Specific TrustManager for Axis client over SSL
I wanted to define my own TrustManager to define customized actions when
web service server is not trusted.
It seems that the way to do it is to use the axis.socketSecureFactory
property to define your own socket factory.
But it also seem that the axis SocketFactory interface to implement is a
proprietary one (org/apache/axis/components/net/SocketFactory.java).
The problem in my case is that I do not want to create a new SocketFactory
class, I'd like to reuse the default one provided by JSSE.
I guess I can write a wrapper on top of the default JSSE one, but it does
not seem trivial to do so.
According to what I understood form the JSSE documentation, I need to do
something like that:
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
SocketFactory socketFactory = ctx.getSocketFactory();
And I do not have to write my own SocketFactory in order to do that.
Am I missing something or the only way is to write my own socket factory?
Thanks.
Thomas