ws-users mailing list archives

From: "John Southerland" <j...@southerland-consulting.com>
Subject: RE: I need to encrypt xmlrpc calls
Date: Wed, 21 Sep 2005 15:51:28 GMT

The client code needed to automagically connect to a self signed cert is not
as straightforward as one may hope.

I feel compelled to share this code; it was the bane of my existence for
several days:

(One or more of these may be needed for the code snapshot to compile; I have
more code supporting an older version buried within my app, so pick and
choose)

import java.net.NetPermission;
import java.security.*;
import java.security.spec.*;
import java.security.cert.*;
import javax.crypto.*;
import org.apache.xmlrpc.*;
import org.apache.xmlrpc.secure.*;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.*;

        // Accepts every certificate chain without validation.
        private class WorkAroundX509TrustManager implements X509TrustManager {
            public boolean isClientTrusted(X509Certificate[] chain) { return true; }
            public boolean isServerTrusted(X509Certificate[] chain) { return true; }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }

        // Accepts every hostname, whatever name the certificate carries.
        private class WorkAroundHostnameVerifier implements HostnameVerifier {
            public boolean verify(String hostname, String session) { return true; }
        }

        if (host.url.startsWith("https:")) {
            // Register the legacy JSSE provider and its https protocol handler.
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

            X509TrustManager tm = new WorkAroundX509TrustManager();
            KeyManager[] km = null;
            TrustManager[] tma = {tm};
            HostnameVerifier hmv = new WorkAroundHostnameVerifier();

            SSLContext sc = SSLContext.getInstance("ssl");
            sc.init(km, tma, new java.security.SecureRandom());
            SSLSocketFactory sf1 = sc.getSocketFactory();

            // Static defaults: they apply to every HttpsURLConnection, not only this client.
            HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
            HttpsURLConnection.setDefaultHostnameVerifier(hmv);

            NetPermission np = new NetPermission("setDefaultAuthenticator");

            this.secureClient = new SecureXmlRpcClient(host.url);
            this.secureClient.setBasicAuthentication(host.user, host.getPass());
            this.secure = true;
        } else {
            this.client = new XmlRpcClient(host.url);
            this.client.setBasicAuthentication(host.user, host.getPass());
            this.secure = false;
        }

 

The server is too easy of course:

        logger.info("Starting HTTPS Server with keystore: " + config.keyfile);
        SecurityTool.setKeyStore(config.keyfile);
        SecurityTool.setKeyStorePassword("YourKeyStorePasswordHere");
        SecureWebServer server = new SecureWebServer(config.port);

 

Please forgive my usurping of the secure routines, I am not so worried about
the encryption layer, I have control of the server and the clients for this
app.

I know the errors generated from hitting a self signed cert are more than a
little annoying though for some system programmers.  Bits and pieces of this
are documented somewhere, but who has the time.  

Please spare me the debate about not signing your own keys, it will fail to
stir the emotions you may hope in me.

It is a pleasure to finally be able to contribute a sober message on this
list.

Good Luck, John

 

PS: I would like to note that I used to encrypt data on the wire before
converting to XmlRpc and it was not fun, nor was the speed any better.  In
fact I believe ssl to be one of the fastest encryption protocols available
today.  My two cents.

 

 

John Buren Southerland

Southerland Consulting

801.467.8090(office)

214.734.8099(cell)

john@southerland-consulting.com

  _____  

From: Nicolas Hoibian [mailto:nicolas.hoibian@gmail.com] 
Sent: Wednesday, September 21, 2005 8:54 AM
To: xmlrpc-user@ws.apache.org
Subject: Re: I need to encrypt xmlrpc calls

 

Sorry about the reply order. The correct sentence is:
"I think I did encrypt communications", using SSL and the tools provided
with the xmlrpc classes.
The client parameters are a bit more complicated. I'll post the code on this
ml if you're interested.

Nicolas Hoibian

2005/9/21, Nicolas Hoibian <nicolas.hoibian@gmail.com>:

 

2005/9/21, Tino Wildenhain <tino@wildenhain.de>:

Starsscream Desepticon wrote:
> Hello
>
> How do you encrypt XmlRpc messages? I've had a look at
> Xml Security, but it is for encrypting/signing Xml
> messages (documents). When using XmlRpc I don't touch 
> Xml directly. So is there a way of making my XmlRpc
> methods safe?

XMLRPC works over HTTP, so you usually just encrypt the
transport channel, meaning you use https (ssl).

HTH
Tino


I think I did so, using the Security Tool provided with xmlrpc and some
black magic java keystore
//code in main : 
SecurityTool.setKeyStore("keystoreFile");
SecurityTool.setTrustStore("keystoreFile");
SecurityTool.setKeyStorePassword("keystorePassword");
SecurityTool.setTrustStorePassword("keystorePassword");
            
server = new SecureWebServer(port);
server.addHandler("$default", handler);
server.start();
//code end

Correct me if I'm wrong, please.

Nicolas Hoibian



 

