org.apache.commons.httpclient.contrib.ssl
Class AuthSSLProtocolSocketFactory

java.lang.Object
  extended by javax.net.SocketFactory
      extended by javax.net.ssl.SSLSocketFactory
          extended by org.apache.commons.ssl.SSLClient
              extended by org.apache.commons.ssl.HttpSecureProtocol
                  extended by org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory
All Implemented Interfaces:
org.apache.commons.httpclient.protocol.ProtocolSocketFactory, org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory

public class AuthSSLProtocolSocketFactory
extends HttpSecureProtocol

AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

AuthSSLProtocolSocketFactory will enable server authentication when supplied with a truststore file containg one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

Use JDK keytool utility to import a trusted certificate and generate a truststore file:

     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
    

AuthSSLProtocolSocketFactory will enable client authentication when supplied with a keystore file containg a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity

Use the following sequence of actions to generate a keystore file

Example of using custom protocol socket factory for a specific host:

     Protocol authhttps = new Protocol("https",
          new AuthSSLProtocolSocketFactory(
              new URL("file:my.keystore"), "mypassword",
              new URL("file:my.truststore"), "mypassword"), 443);
 

HttpClient client = new HttpClient(); client.getHostConfiguration().setHost("localhost", 443, authhttps); // use relative url only GetMethod httpget = new GetMethod("/"); client.executeMethod(httpget);

Example of using custom protocol socket factory per default instead of the standard one:

     Protocol authhttps = new Protocol("https",
          new AuthSSLProtocolSocketFactory(
              new URL("file:my.keystore"), "mypassword",
              new URL("file:my.truststore"), "mypassword"), 443);
     Protocol.registerProtocol("https", authhttps);
 

HttpClient client = new HttpClient(); GetMethod httpget = new GetMethod("https://localhost/"); client.executeMethod(httpget);

Author:
Oleg Kalnichevski

DISCLAIMER: HttpClient developers DO NOT actively support this component. The component is provided as a reference material, which may be inappropriate for use without additional customization.


Constructor Summary
AuthSSLProtocolSocketFactory(java.net.URL keystoreUrl, java.lang.String keystorePassword, java.net.URL truststoreUrl, java.lang.String truststorePassword)
          Constructor for AuthSSLProtocolSocketFactory.
 
Method Summary
 
Methods inherited from class org.apache.commons.ssl.HttpSecureProtocol
createSocket
 
Methods inherited from class org.apache.commons.ssl.SSLClient
addTrustMaterial, createSocket, createSocket, createSocket, createSocket, createSocket, createSocket, createSocket, getAssociatedCertificateChain, getCheckCRL, getCheckExpiry, getCheckHostname, getConnectTimeout, getCurrentServerChain, getDefaultCipherSuites, getDefaultProtocol, getEnabledCiphers, getEnabledProtocols, getHostnameVerifier, getNeedClientAuth, getSoTimeout, getSSLContext, getSSLWrapperFactory, getSupportedCipherSuites, getTrustChain, getUseClientMode, getWantClientAuth, isSecure, setCheckCRL, setCheckExpiry, setCheckHostname, setConnectTimeout, setDefaultProtocol, setDnsOverride, setEnabledCiphers, setEnabledProtocols, setHostnameVerifier, setIsSecure, setKeyMaterial, setNeedClientAuth, setSoTimeout, setSSLWrapperFactory, setTrustMaterial, setUseClientMode, setWantClientAuth, useDefaultJavaCiphers, useStrongCiphers
 
Methods inherited from class javax.net.ssl.SSLSocketFactory
getDefault
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory
createSocket
 
Methods inherited from interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory
createSocket, createSocket
 

Constructor Detail

AuthSSLProtocolSocketFactory

public AuthSSLProtocolSocketFactory(java.net.URL keystoreUrl,
                                    java.lang.String keystorePassword,
                                    java.net.URL truststoreUrl,
                                    java.lang.String truststorePassword)
                             throws java.security.GeneralSecurityException,
                                    java.io.IOException
Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file must be given. Otherwise SSL context initialization error will result.

Parameters:
keystoreUrl - URL of the keystore file. May be null if HTTPS client authentication is not to be used.
keystorePassword - Password to unlock the keystore. IMPORTANT: this implementation assumes that the same password is used to protect the key and the keystore itself.
truststoreUrl - URL of the truststore file. May be null if HTTPS server authentication is not to be used.
truststorePassword - Password to unlock the truststore.
Throws:
java.security.GeneralSecurityException
java.io.IOException