[jax-rs-spec users] [jsr339-experts] Re: Re: Re: Client security configuration proposal for JAX-RS 2.0

From: Bill Burke <>
Date: Wed, 06 Feb 2013 08:44:55 -0500

On 2/5/2013 6:55 PM, Marek Potociar wrote:
> Hello experts,
> I made another stab at this one. Please review:
> Here's the change summary:
> - ClientFactory merged with and renamed to ClientBuilder.
> - Added new security-related setters to ClientBuilder (sslContext,
> keyStore, trustStore, hostnameVerifier).
> - The new ClientBuilder now implements Configurable.
> - Added ClientBuilder.newBuilder() static method.
> - Updated examples and javadoc references to ClientFactory.

Thank you.

Javadoc suggestion for keystore()

Append this:

config setting is only required if you want to enable 2-way SSL
connections (client cert authentication)."

Javadoc suggestion for truststore()

Append this:

"If you do not set the truststore or disable trust management, then
trust management reverts to JDK defaults."

> I have to say that I went as far as I could go. Clarifications, javadoc
> fixes, typos, method renames and similar comments and suggestions are,
> of course, always welcome. But, please, do not try to sneak any more
> features into this proposal (esp. not related to SSL), otherwise I may
> be inclined to go with the "not have it at all" option...

This was in my original proposal so I need to highlight it again....

There are many instances where users just want/need to communicate over
SSL and don't care about trust management or they just don't have access
to the certificates they want to trust. I can't stress enough how often
this occurs! It's actually quite complicated to set up SSL to disable
trust management. So I strongly suggest adding this capability.

  * Calling this method will disable SSL trust management
  * and hostname verification. <i>NOTE</i> this
  * is a security hole and should only be applied for testing purposes
  * and situations when you cannot or do not care to verify the identity
  * of the host you are communicating with.
ClientBuilder disableTrustManagement()

> Please, send your feedback by Thursday CoB.

So, the experts' work is done CoB Thursday?

Bill Burke
JBoss, a division of Red Hat
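The three configurations discussed in this message (own truststore, 2-way SSL via a keystore, and the "disable trust management" shortcut), as an added example that is not part of the thread or of the JAX-RS reference implementation. It uses the ClientBuilder setters named in the change summary (sslContext, keyStore, trustStore, hostnameVerifier) as they exist in javax.ws.rs.client.ClientBuilder in the released JAX-RS 2.0 API. The file paths and passwords are caller-supplied placeholders, and disableTrustManagement() is a hypothetical helper that does by hand what the proposed ClientBuilder method would do; it is not an API method.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

/**
 * Example (not project code): three ways of configuring TLS on a JAX-RS 2.0
 * Client with the ClientBuilder setters from the change summary.
 * Store paths and passwords are placeholders supplied by the caller.
 */
public final class ClientTlsConfig {

    /** Loads a JKS or PKCS12 store from disk; the caller owns the password. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * 1-way TLS against a private CA: the server chain must end in a CA from
     * our own truststore. Hostname verification stays at the JDK default.
     */
    static Client trustPrivateCa(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        return ClientBuilder.newBuilder()
                .trustStore(loadStore(trustStorePath, trustStorePassword))
                .build();
    }

    /**
     * 2-way TLS (client certificate authentication): the keystore holds our
     * private key and certificate. No trustStore() call is made, so, as the
     * suggested javadoc says, server trust reverts to the JDK defaults.
     */
    static Client mutualTls(String keyStorePath, char[] keyStorePassword)
            throws Exception {
        return ClientBuilder.newBuilder()
                .keyStore(loadStore(keyStorePath, keyStorePassword), keyStorePassword)
                .build();
    }

    /**
     * Hypothetical helper: what the proposed disableTrustManagement() has to
     * do under the hood. An X509TrustManager that accepts every chain plus a
     * HostnameVerifier that accepts every name. The connection is encrypted
     * but the peer is NOT authenticated, so an active MITM goes unnoticed.
     * This is the "security hole" the proposed javadoc warns about.
     */
    static Client disableTrustManagement() throws Exception {
        TrustManager acceptAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAll }, new SecureRandom());

        HostnameVerifier acceptAnyHost = new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        };
        // Scoped to this single Client. Do not reach for
        // HttpsURLConnection.setDefaultSSLSocketFactory(), which would switch
        // off trust for every HTTPS connection in the JVM.
        return ClientBuilder.newBuilder()
                .sslContext(ctx)
                .hostnameVerifier(acceptAnyHost)
                .build();
    }
}
```

Two things a practitioner should check when using these setters: in the released API, calling sslContext() discards any keyStore() or trustStore() set earlier on the same builder (and vice versa), so pick one style per builder; and the trust-all path above is about a dozen lines plus imports, which is exactly the boilerplate the message says users keep writing, so if it is added to the API it should stay a per-Client setting rather than a process-wide one.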