Re: how to do client authentication
On Thu, 2007-11-29 at 19:54 -0800, Raul Acevedo wrote:
> Well I looked more carefully at Julius' example and other sample code
> and figured out my problem is I was missing the
> Protocol.registerProtocol line.
>
> Unfortunately this sets the protocol handler globally, which is why
> Julius does a little hack of registering using "https-foo" and changing
> the URL to be "https-foo://blah". This works but I'm not crazy about
> it. Is there another way of setting the protocol handler for only a
> specific request? In the end I'm trying to set the keystore per
> request, not globally.
>

Just use a custom HostConfiguration

http://jakarta.apache.org/httpcomponents/httpclient-3.x/apidocs/org/apache/commons/httpclient/HttpClient.html#executeMethod(org.apache.commons.httpclient.HostConfiguration,%20org.apache.commons.httpclient.HttpMethod)

Make sure you use _relative_ request URIs when passing a custom
HostConfiguration to the HttpClient.html#executeMethod.

Oleg

> Thanks,
>
> Raul
>
> On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
Re: how to do client authentication
On Thu, 2007-11-29 at 16:40 -0800, Raul Acevedo wrote:
> Hi Julius, thanks for your suggestion. I'm a little hesitant to add a
> library from a non-Apache source.

(1) There is enough bad code in the Apache code repository.
(2) There are plans to bring nyc-ssl over to Apache

Oleg

> Do you know why my original example
> would give an error, or what essentially your code does that is
> different that allows it to work?
>
> Thanks,
>
> Raul
>
> On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
Re: how to do client authentication
Well I looked more carefully at Julius' example and other sample code
and figured out my problem is I was missing the
Protocol.registerProtocol line.

Unfortunately this sets the protocol handler globally, which is why
Julius does a little hack of registering using "https-foo" and changing
the URL to be "https-foo://blah". This works but I'm not crazy about
it. Is there another way of setting the protocol handler for only a
specific request? In the end I'm trying to set the keystore per
request, not globally.

Thanks,

Raul

On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
Re: how to do client authentication
Hi Julius, thanks for your suggestion. I'm a little hesitant to add a
library from a non-Apache source. Do you know why my original example
would give an error, or what essentially your code does that is
different that allows it to work?

Thanks,

Raul

On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
Re: how to do client authentication
Hi, Raul,

I use this technique:

http://www.juliusdavies.ca/commons-ssl/TrustExample.java.html

But I usually change the name of the scheme to something like
"https-foo://", so that only "https-foo://" uses the client cert, and
"https://" continues to behave as before. So maybe more like this:

    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;
    import org.apache.commons.httpclient.protocol.Protocol;
    import org.apache.commons.ssl.HttpSecureProtocol;
    import org.apache.commons.ssl.KeyMaterial;
    import org.apache.commons.ssl.TrustMaterial;

    HttpSecureProtocol f = new HttpSecureProtocol();

    // might as well trust the usual suspects:
    f.addTrustMaterial(TrustMaterial.CACERTS);

    // add client cert
    char[] pwd = {'p','w','d'};
    f.setKeyMaterial(new KeyMaterial("/path/to/file.jks", pwd));

    Protocol clientHttps = new Protocol("https-foo", f, 443);
    Protocol.registerProtocol("https-foo", clientHttps);

    HttpClient client = new HttpClient();
    GetMethod httpget = new GetMethod("https-foo://www.server.com/");
    client.executeMethod(httpget);

NOTE: This assumes not-yet-commons-ssl.jar is on your classpath, and
that you're using that instead of compiling the httpclient "contrib"
code on your own. Not-Yet-Commons-SSL already has these in its jar
file:

AuthSSLProtocolSocketFactory
EasySSLProtocolSocketFactory
StrictSSLProtocolSocketFactory

Good luck! It's been working well for me for years.

yours,

Julius

On Nov 29, 2007 9:47 AM, Raul Acevedo <[EMAIL PROTECTED]> wrote:

--
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
Re: how to do client authentication
I don't want to omit keystore and truststore; I'm doing bidirectional
(client and server) SSL authentication, that's the whole point.

Do you know why I get the SocketException? In general, has anyone
successfully done both client and server SSL authentication with
HttpClient without using the javax.net.ssl.keyStore and trustStore
properties?

Raul

On Nov 29, 2007, at 3:19 AM, Oleg Kalnichevski wrote:
Re: how to do client authentication
On Wed, 2007-11-28 at 20:08 -0800, Raul Acevedo wrote:
> Is there a way to do client authentication with HttpClient without
> setting javax.net.ssl.keyStore?
>
> I tried the following code after building the contrib files:
>
>     // url (the java.net.URL of the target server) is assumed to be defined elsewhere
>     HttpClient httpClient = new HttpClient();
>     URL keyStoreURL = new URL("file:/home/raul/keyStore.jks");
>     URL trustStoreURL = new URL("file:/home/raul/trustStore.jks");
>     AuthSSLProtocolSocketFactory socketFactory =
>         new AuthSSLProtocolSocketFactory(
>             keyStoreURL, "keyStorePassword", trustStoreURL,
>             "trustStorePassword");
>     Protocol httpsProtocol = new Protocol(url.getProtocol(), socketFactory,
>         url.getPort());
>     httpClient.getHostConfiguration().setHost(url.getHost(), url.getPort(),
>         httpsProtocol);
>
> But this fails with:
>
>     java.net.SocketException: Default SSL context init failed: null
>
> Thanks,
>
> Raul Acevedo
> http://www.cantara.com
>

Paul,

(1) Keystore is optional. You can safely omit it.
(2) Implement a custom trust manager that trusts anything. This way you
will not need a truststore.
(3) Implement your own protocol socket factory that initializes the SSL
context with your own trust-anything trust manager. You can use
EasySSLProtocolSocketFactory as a starting point.

Hope this helps,

Oleg
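Putting Oleg's two suggestions in this thread together (a custom protocol socket factory, and a per-request HostConfiguration with a relative URI instead of Protocol.registerProtocol), as an added example that is not code from the thread, from HttpClient or from Not-Yet-Commons-SSL. It assumes HttpClient 3.x on the classpath and Java 7 or later; the class name PerRequestMutualTlsFactory, the fetch() helper and the keystore paths are made up. Unlike the trust-anything manager suggested above, it verifies the server against an explicit truststore and turns on hostname verification, which HttpClient 3.x does not do for a custom factory.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.*;

/** Hypothetical per-request mutual-TLS socket factory for HttpClient 3.x (added example, not project code). */
public class PerRequestMutualTlsFactory implements SecureProtocolSocketFactory {
    private final SSLContext ctx;

    /** Builds one SSLContext from an explicit client keystore and an explicit truststore. */
    public PerRequestMutualTlsFactory(String keyStorePath, char[] keyStorePwd,
                                      String trustStorePath, char[] trustStorePwd)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyStorePwd), keyStorePwd);  // client cert + private key
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePwd));  // explicit trust anchors, not "trust anything"
        ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    }

    private static KeyStore loadJks(String path, char[] pwd) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pwd); } finally { in.close(); }
        return ks;
    }

    /** HttpClient 3.x does no hostname check for a custom factory; enable JSSE's (Java 7+). */
    private static Socket verifyHost(Socket s) {
        SSLParameters p = ((SSLSocket) s).getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        ((SSLSocket) s).setSSLParameters(p);
        return s;
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return verifyHost(ctx.getSocketFactory().createSocket(host, port));
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort)
            throws IOException, UnknownHostException {
        return verifyHost(ctx.getSocketFactory().createSocket(host, port, localAddr, localPort));
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                               HttpConnectionParams params) throws IOException, ConnectTimeoutException {
        Socket s = ctx.getSocketFactory().createSocket();  // unconnected, so the connect timeout applies
        if (localAddr != null) s.bind(new InetSocketAddress(localAddr, localPort));
        s.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
        return verifyHost(s);
    }
    public Socket createSocket(Socket sock, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return verifyHost(ctx.getSocketFactory().createSocket(sock, host, port, autoClose));
    }

    /** One request with this identity: HostConfiguration + relative URI, no Protocol.registerProtocol. */
    public static int fetch(HttpClient client, PerRequestMutualTlsFactory f, String host, String path)
            throws IOException {
        HostConfiguration hc = new HostConfiguration();
        hc.setHost(host, 443, new Protocol("https", f, 443));  // scheme stays "https"; global registry untouched
        GetMethod get = new GetMethod(path);                   // relative, e.g. "/"; an absolute URI would override hc
        try { return client.executeMethod(hc, get); } finally { get.releaseConnection(); }
    }
}
```

Two factories built from two keystores can now serve two requests on the same HttpClient, each with its own client identity, which is what the per-request keystore question in the thread asks for.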