users@glassfish.java.net

Re: Using JSS/NSS from inside glassfish

From: <glassfish_at_javadesktop.org>
Date: Thu, 18 Dec 2008 11:44:37 PST

> There is no need to do anything special in the application.

You may be answering a different question than the one I had asked, however your answer turns out to be partially correct anyway: My servlet (running in glassfish) needs to make an OUTGOING SSLSocket connection to another server (I don't actually care how the webserver is configured for INCOMING https).

When my servlet asks for the SSLSocketFactory provided by the container (using HttpsURLConnection.getSSLSocketFactory()) the object I get back is a:

            com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl

This is a JSSE socket, and NOT a JSS/NSS socket, and at first I thought this was a problem; however, as it turns out, this SocketFactory IS backed by the NSS truststore anyway. Removing the trust for the foreign server from the domain's NSS truststore and re-adding it confirms this.

 - It is not clear if glassfish uses the NSS libraries directly (via the new Java 6 PKCS11 stuff) -- or accesses them through JSS; it would be helpful to know.

The original question was: how do I use JSS/NSS from within a servlet?

The problem with doing so, as I see it is this:
 - In order to use JSS/NSS directly you must first call CryptoManager.initialize(config) (static method)
 - The actual Java class in scope for any servlet is that servlet's private copy of CryptoManager, which is different from the container's copy of CryptoManager (since the web container and servlet have different classloaders). Which is why CryptoManager says it is not initialized in a call to CryptoManager.getInstance().
- CryptoManager seems to rely on static member variables which will start off in an un-initialized state for the servlet's copy of the class, even though the native NSS library is properly initialized (by the container)

- Thus: a call to CryptoManager.initialize() FAILS with the exception in an earlier post, but JSS/NSS still functions fine after that -- probably because NSS is a native library and is actually already initialized by the container, and since the container and servlet run in the same process (that of the JVM) once the JSS classes have the proper static state to let them think that the NSS has been initialized, they function properly.
[Message sent by forum member 'suggarglider' (suggarglider)]

http://forums.java.net/jive/thread.jspa?messageID=322468
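
The classloader effect described in the message above, as an added example that is not part of the original post and does not use JSS. `Manager` is a hypothetical stand-in for a class that records initialization in a static field, and `ChildFirstLoader` is a hypothetical loader that defines its own copy of that class instead of delegating to its parent; compile with `javac` (Java 9 or later) and run from the class directory.

```java
import java.io.IOException;
import java.io.InputStream;
public class StaticStateDemo {
    // Hypothetical stand-in for a class that records initialization in a static field.
    public static class Manager {
        private static boolean initialized = false;
        public static void initialize() { initialized = true; }
        public static boolean isInitialized() { return initialized; }
    }

    // Hypothetical loader that defines its own copy of one class instead of delegating.
    static class ChildFirstLoader extends ClassLoader {
        private final String target;
        ChildFirstLoader(ClassLoader parent, String target) {
            super(parent);
            this.target = target;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    // Read the same bytecode the parent uses, but define it in this loader.
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) throw new ClassNotFoundException(name);
                        byte[] b = in.readAllBytes();
                        c = defineClass(name, b, 0, b.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Manager.initialize(); // the "container" copy is initialized
        String name = Manager.class.getName();
        ClassLoader parent = StaticStateDemo.class.getClassLoader();
        Class<?> copy = new ChildFirstLoader(parent, name).loadClass(name);
        // Same bytecode, different defining loader: a distinct Class with its own statics.
        System.out.println("same Class object:     " + (copy == Manager.class));
        System.out.println("container initialized: " + Manager.isInitialized());
        System.out.println("servlet initialized:   " + copy.getMethod("isInitialized").invoke(null));
    }
}
```

The demo covers only the Java-side static state; it does not model the native library that the message says is already initialized by the container.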