Posted to java-dev@axis.apache.org by th...@ascentialsoftware.com on 2002/11/07 22:17:14 UTC

Specific TrustManager for Axis client over SSL

I wanted to define my own TrustManager to define customized actions when the web
service server is not trusted.
It seems that the way to do it is to use the axis.socketSecureFactory
property to define your own socket factory.
But it also seems that the axis SocketFactory interface to implement is a
proprietary one (org/apache/axis/components/net/SocketFactory.java).
The problem in my case is that I do not want to create a new SocketFactory
class, I'd like to reuse the default one provided by JSSE.
I guess I can write a wrapper on top of the default JSSE one, but it does
not seem trivial to do so.

According to what I understood from the JSSE documentation, I need to do
something like that:

TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
SocketFactory socketFactory = ctx.getSocketFactory();

And I do not have to write my own SocketFactory in order to do that.
Am I missing something, or is the only way to write my own socket factory?

Thanks.

Thomas


Re: Specific TrustManager for Axis client over SSL

Posted by Richard Sitze <rs...@us.ibm.com>.
Don't worry so much about the AXIS SocketFactory classes, they don't map 
to what you think they map to...  they are purely internal.

The DEFAULT behavior in AXIS is to use JSSE directly, which allows you to 
configure your security as per the Java security model - see the JSSE 
documentation on how to register and install for your JVM.  If you can 
configure the JVM to use your TrustManager, you will not have anything 
more to do on the AXIS end of things.  Unfortunately, not everything can 
be done via Java security settings/configuration.  For example, you can 
only use SSL.  If you want to use TLS (transport layer security) instead, 
you must write your own code to register/configure the security system... 
and that is exactly what the SunJSSESocketFactory code does (ignore the 
class comment that says SSL).  It demonstrates how YOU can override the 
JVM configuration.

Now, I'm not an expert in this area, so I cannot say if your code is 
correct or not... but assuming that it is (you want TLS instead of SSL, 
and that you cannot otherwise configure the TrustManager), then:
1.  copy SunJSSESocketFactory to MyJSSESocketFactory
2.  have MyJSSESocketFactory implement SecureSocketFactory (that's a bug 
in JSSESocketFactory & SunJSSESocketFactory).
3.  modify the MyJSSESocketFactory.getContext() method to use your trust 
manager & return the context... (let Axis handle the SocketFactory):

     ....
     TrustManager[] myTM = new TrustManager [] { new MyTrustManager() }; 
     SSLContext ctx = SSLContext.getInstance ("TLS"); 
     ctx.init (null, myTM, null); 
     return ctx;


Then, create a jar file containing:
          my/package/MyJSSESocketFactory.class
 META-INF/services/org.apache.axis.components.net.SecureSocketFactory

This last file must contain a single line of text that directs Axis to 
your implementation.  In this case, put in
          my/package/MyJSSESocketFactory

Finally, drop your Jar file into the CLASSPATH where Axis will be able to 
locate the service declaration and your implementation.

Happy Trails, <ras>

*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development



