jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: [jax-rs-spec users] Re: Re: Client security configuration proposal for JAX-RS 2.0

From: Bill Burke <bburke_at_redhat.com>
Date: Wed, 06 Feb 2013 08:44:55 -0500

On 2/5/2013 6:55 PM, Marek Potociar wrote:
> Hello experts,
>
> I made another stab at this one. Please review:
>
> https://github.com/mpotociar/jax-rs/commit/00b33d12245849ac967cbb129daa09fcb008ddd6
>
> Here's the change summary:
>
> - ClientFactory merged with and renamed to ClientBuilder.
> - Added new security-related setters to ClientBuilder (sslContext,
> keyStore, trustStore, hostnameVerifier).
> - The new ClientBuilder now implements Configurable.
> - Added ClientBuilder.newBuilder() static method.
> - Updated examples and javadoc references to ClientFactory.
>

Thank you.

Javadoc suggestion for keystore()

Append this:

"This
config setting is only required if you want to enable 2-way SSL
connections (client cert authentication)."

Javadoc suggestion for truststore()

Append this:

"If you do not set the truststore or disable trust management, then
trust management reverts to JDK defaults."

> I have to say that I went as far as I could go. Clarifications, javadoc
> fixes, typos, method renames and similar comments and suggestions are,
> of course, always welcome. But, please, do not try to sneak any more
> features into this proposal (esp. not related to SSL), otherwise I may
> be inclined to go with the "not have it at all" option...
>

This was in my original proposal so I need to hightlight it again....

There are many instances where users just want/need to communicate over
SSL and don't care about trust management or they just don't have access
to the certificates they want to trust. I can't stress enough how often
this occurs! Its actually quite complicated to set up SSL to disable
trust management. So I strongly suggest adding this capability.

/**
  * Calling this method will disable SSL trust management
  * and hostname verification. <i>NOTE</i> this
  * is a security hole and should only be applied for testing purposes
  * and situations when you cannot or do not care to verify the identity
  * of the host you are communicating with.
  */
ClientBuilder disableTrustManagement()



> Please, send your feedback by Thursday CoB.
>

So, the experts work is done CoB Thursday?

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com