users@jersey.java.net

Re: [Jersey] Jersey client - ssl support?

From: Peter Coppens <pc.subscriptions_at_gmail.com>
Date: Fri, 20 Jun 2008 11:02:23 +0200

Yes, occasionally things turn out easier than what one expects

Something I did run into is that the Jersey client bails out when the CN of
the server certificate does not match the URL. For testing purposes that is
a bit of a nuisance, but it is not blocking.

Anyway, many thanks for your support!

Peter

On 20/06/08 10:47, "Paul Sandoz" <Paul.Sandoz_at_Sun.COM> wrote:

> Peter Coppens wrote:
>> Well...apparently it is already working :)
>>
>
> Wow! I forgot that you can set default information statically. This is
> great.
>
> So if there were multiple clients with different certificate
> requirements we could have a property:
>
> com.sun.jersey.client.property.SSLSocketFactory
>
> whose value is an instance of SSLSocketFactory. And then if that
> property is present we can call:
>
> setSSLSocketFactory
>
> Paul.
>
>> At least I can get it going by initializing an SSLContext and setting that
>> as the default context on HttpsUrlConnection
>>
>> A bit like...
>>
>>
>> // Imports needed for the snippet below:
>> import java.io.File;
>> import java.io.FileInputStream;
>> import java.security.KeyStore;
>> import java.security.cert.CertificateFactory;
>> import java.security.cert.X509Certificate;
>> import javax.net.ssl.HttpsURLConnection;
>> import javax.net.ssl.KeyManager;
>> import javax.net.ssl.KeyManagerFactory;
>> import javax.net.ssl.SSLContext;
>> import javax.net.ssl.TrustManager;
>> import javax.net.ssl.TrustManagerFactory;
>>
>> if (base.startsWith("https")) {
>>     // Trust store: an empty JKS keystore holding only the server certificate
>>     KeyStore ks = KeyStore.getInstance("JKS");
>>     ks.load(null, null);
>>     CertificateFactory cf = CertificateFactory.getInstance("X.509");
>>     X509Certificate the_cert = (X509Certificate) cf.generateCertificate(
>>         new FileInputStream("trust.crt"));
>>     ks.setCertificateEntry("server_cert", the_cert);
>>     TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
>>     tmf.init(ks);
>>
>>     // Client certificate and key for key manager (PKCS#12 store; note that
>>     // PKCS#12 normally uses one password for both the store and its key entries)
>>     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
>>     KeyStore ks2 = KeyStore.getInstance("pkcs12");
>>     ks2.load(new FileInputStream(
>>         new File("keystore.p12")), "pc2luma".toCharArray());
>>     kmf.init(ks2, "password".toCharArray());
>>
>>     // SSL context built from the two managers
>>     SSLContext ctx = SSLContext.getInstance("TLS");
>>     KeyManager[] km = kmf.getKeyManagers();
>>     TrustManager[] tm = tmf.getTrustManagers();
>>     ctx.init(km, tm, null);
>>     // Install as the JVM-wide default for all HttpsURLConnections
>>     // (this affects every client in the process, not just this one)
>>     HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
>> }
>>
>>
>> Wonderful indeed :)
>>
>> Peter
>>
>> On 20/06/08 08:48, "Paul Sandoz" <Paul.Sandoz_at_Sun.COM> wrote:
>>
>>> On Jun 19, 2008, at 7:09 PM, Peter Coppens wrote:
>>>
>>>>
>>>>
>>>> On 19/06/08 18:36, "Paul Sandoz" <Paul.Sandoz_at_Sun.COM> wrote:
>>>>
>>>>> Hi Peter,
>>>>>
>>>>> It is possible to use https but currently not possible to set the
>>>>> client
>>>>> certificate.
>>>> Ok, pity.
>>> Let's try and get this into the 0.9 release.
>>>
>>>
>>>> Thanks for the info. Is https support available in the 0.8 code
>>>> base?
>>> Yes. Just use the "https" scheme in the URIs you use.
>>>
>>>
>>>>> Do you have any experience utilizing HttpsURLConnection to achieve
>>>>> what
>>>>> you require? If so you might be able to help me :-)
>>>> Not yet...but as it seems I am going to write the client part
>>>> myself I soon
>>>> will ;). Not being hindered by any upfront knowledge on jersey
>>>> internals, I
>>>> can try to get something into the code base or alternatively, come
>>>> up with
>>>> some standalone client code. Any guidance from your end?
>>>>
>>> If you want to try using the code base then this would be the way I
>>> would go about it:
>>>
>>> - it is possible to add properties to the Client and ClientConfig
>>> (see the pattern for setting say if redirection is followed
>>> or not). I suspect we could use this for the developer to add the
>>> appropriate mechanism (an SSL factory?)
>>>
>>> - The following class:
>>>
>>> com.sun.jersey.impl.client.urlconnection.URLConnectionClientHandler
>>>
>>> does all the work with HttpURLConnection (see line 153). But it
>>> could check to see if the instance is of
>>> HttpsURLConnection and then set additional properties on it.
>>>
>>> Paul.
>>
>>
>>
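An added example, not code from this thread or from the Jersey project: the same trust-store and client-certificate setup as Peter's snippet, but written against plain HttpsURLConnection so that the SSLSocketFactory is applied to a single connection instead of the JVM-wide default (the multiple-clients case Paul raises), and with a scoped answer to the CN-mismatch problem Peter mentions. The class name, method names, file paths and command-line usage are assumptions for illustration; the per-client Jersey property proposed above is not used, since it did not exist at the time of the message.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * Per-connection TLS setup for HttpsURLConnection (illustrative class, not Jersey code):
 * a context that trusts exactly one server certificate and presents a client certificate
 * from a PKCS#12 file, applied to one connection rather than to the JVM-wide default.
 */
public class PerConnectionSsl {

    /** Load one X.509 certificate (DER or PEM) from disk. */
    public static X509Certificate loadCertificate(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Build an SSLContext whose only trust anchor is the pinned server certificate and
     *  whose key manager presents the client identity stored in the PKCS#12 file. */
    public static SSLContext buildContext(X509Certificate pinnedServerCert,
                                          String clientP12Path,
                                          char[] p12Password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null);                      // start empty: no system CAs
        trustStore.setCertificateEntry("server", pinnedServerCert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(clientP12Path);
        try {
            keyStore.load(in, p12Password);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, p12Password);                  // PKCS#12: one password for file and keys

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Open one connection with the given context. The default hostname verifier stays in
     * place unless allowNameMismatchForPinned is set; then a CN/SAN mismatch is tolerated
     * only if the peer presented exactly the pinned certificate, never for arbitrary peers.
     */
    public static HttpsURLConnection open(URL url, SSLContext ctx,
                                          final X509Certificate pinnedServerCert,
                                          boolean allowNameMismatchForPinned) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());  // this connection only, not the default
        if (allowNameMismatchForPinned) {
            // HttpsURLConnection consults this verifier only after the default name check failed.
            conn.setHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    try {
                        Certificate[] chain = session.getPeerCertificates();
                        return chain.length > 0 && pinnedServerCert.equals(chain[0]);
                    } catch (SSLPeerUnverifiedException e) {
                        return false;
                    }
                }
            });
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed): java PerConnectionSsl https://host/path trust.crt keystore.p12 password
        X509Certificate pinned = loadCertificate(args[1]);
        SSLContext ctx = buildContext(pinned, args[2], args[3].toCharArray());
        HttpsURLConnection conn = open(new URL(args[0]), ctx, pinned, true);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The mismatch tolerance is acceptable only because trust is pinned to a single certificate: a peer that does not hold the private key for trust.crt still fails the handshake, so this is not a "return true" verifier, and it is never installed via setDefaultHostnameVerifier. Outside a test setup the cleaner fix is to issue the test server a certificate whose subject alternative name matches the URL and leave verification alone.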