Class AuthSSLProtocolSocketFactory
- All Implemented Interfaces:
ProtocolSocketFactory
,SecureProtocolSocketFactory
AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
AuthSSLProtocolSocketFactory will enable server authentication when supplied with
a truststore
file containg one or several trusted certificates.
The client secure socket will reject the connection during the SSL session handshake
if the target HTTPS server attempts to authenticate itself with a non-trusted
certificate.
Use JDK keytool utility to import a trusted certificate and generate a truststore file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
AuthSSLProtocolSocketFactory will enable client authentication when supplied with
a keystore
file containg a private key/public certificate pair.
The client secure socket will use the private key to authenticate itself to the target
HTTPS server during the SSL session handshake if requested to do so by the server.
The target HTTPS server will in its turn verify the certificate presented by the client
in order to establish client's authenticity
Use the following sequence of actions to generate a keystore file
-
Use JDK keytool utility to generate a new key
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
For simplicity use the same password for the key as that of the keystore -
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
-
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
-
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
-
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
-
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
Example of using custom protocol socket factory for a specific host:
Protocol authhttps = new Protocol("https", new AuthSSLProtocolSocketFactory( new URL("file:my.keystore"), "mypassword", new URL("file:my.truststore"), "mypassword"), 443); HttpClient client = new HttpClient(); client.getHostConfiguration().setHost("localhost", 443, authhttps); // use relative url only GetMethod httpget = new GetMethod("/"); client.executeMethod(httpget);
Example of using custom protocol socket factory per default instead of the standard one:
Protocol authhttps = new Protocol("https", new AuthSSLProtocolSocketFactory( new URL("file:my.keystore"), "mypassword", new URL("file:my.truststore"), "mypassword"), 443); Protocol.registerProtocol("https", authhttps); HttpClient client = new HttpClient(); GetMethod httpget = new GetMethod("https://localhost/"); client.executeMethod(httpget);
-
Constructor Summary
ConstructorDescriptionAuthSSLProtocolSocketFactory
(URL keystoreUrl, String keystorePassword, URL truststoreUrl, String truststorePassword) Constructor for AuthSSLProtocolSocketFactory. -
Method Summary
Modifier and TypeMethodDescriptioncreateSocket
(String host, int port) Gets a new socket connection to the given host.createSocket
(String host, int port, InetAddress clientHost, int clientPort) Gets a new socket connection to the given host.createSocket
(String host, int port, InetAddress localAddress, int localPort, HttpConnectionParams params) Attempts to get a new socket connection to the given host within the given time limit.createSocket
(Socket socket, String host, int port, boolean autoClose) Returns a socket connected to the given host that is layered over an existing socket.
-
Constructor Details
-
AuthSSLProtocolSocketFactory
public AuthSSLProtocolSocketFactory(URL keystoreUrl, String keystorePassword, URL truststoreUrl, String truststorePassword) Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file must be given. Otherwise SSL context initialization error will result.- Parameters:
keystoreUrl
- URL of the keystore file. May be null if HTTPS client authentication is not to be used.keystorePassword
- Password to unlock the keystore. IMPORTANT: this implementation assumes that the same password is used to protect the key and the keystore itself.truststoreUrl
- URL of the truststore file. May be null if HTTPS server authentication is not to be used.truststorePassword
- Password to unlock the truststore.
-
-
Method Details
-
createSocket
public Socket createSocket(String host, int port, InetAddress localAddress, int localPort, HttpConnectionParams params) throws IOException, UnknownHostException, ConnectTimeoutException Attempts to get a new socket connection to the given host within the given time limit.To circumvent the limitations of older JREs that do not support connect timeout a controller thread is executed. The controller thread attempts to create a new socket within the given limit of time. If socket constructor does not return until the timeout expires, the controller terminates and throws an
ConnectTimeoutException
- Specified by:
createSocket
in interfaceProtocolSocketFactory
- Parameters:
host
- the host name/IPport
- the port on the hostclientHost
- the local host name/IP to bind the socket toclientPort
- the port on the local machineparams
-Http connection parameters
- Returns:
- Socket a new socket
- Throws:
IOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be determinedConnectTimeoutException
- if socket cannot be connected within the given time limit
-
createSocket
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException Description copied from interface:ProtocolSocketFactory
Gets a new socket connection to the given host.- Specified by:
createSocket
in interfaceProtocolSocketFactory
- Parameters:
host
- the host name/IPport
- the port on the hostclientHost
- the local host name/IP to bind the socket toclientPort
- the port on the local machine- Returns:
- Socket a new socket
- Throws:
IOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be determined- See Also:
-
createSocket
Description copied from interface:ProtocolSocketFactory
Gets a new socket connection to the given host.- Specified by:
createSocket
in interfaceProtocolSocketFactory
- Parameters:
host
- the host name/IPport
- the port on the host- Returns:
- Socket a new socket
- Throws:
IOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be determined- See Also:
-
createSocket
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException Description copied from interface:SecureProtocolSocketFactory
Returns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.- Specified by:
createSocket
in interfaceSecureProtocolSocketFactory
- Parameters:
socket
- the existing sockethost
- the host name/IPport
- the port on the hostautoClose
- a flag for closing the underling socket when the created socket is closed- Returns:
- Socket a new socket
- Throws:
IOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be determined- See Also:
-