Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Attach client certificates with Axis2?

Tags:

java

ssl

ssl-certificate

axis

axis2

Is it possible to easily attach a client certificate to a Axis2 stub generated using wsdl2java? I need to change the client certificate dynamically on a per-request basis, so simply storing it in the keystore won't work for our case.

I've found examples where this is being done for non-SOAP calls, but could not find anything related to using the Axis client stubs. Trying to hack the XML for the SOAP call is an option I guess, albiet a painful one! Groan!

like image 215
Sunny Avatar asked Dec 26 '11 22:12

Sunny

1 Answers

If you want to change which certificate is used depending on which connection is made, you'll need to configure an SSLContext to do so, as described in this answer: https://stackoverflow.com/a/3713147/372643

As far as I know, Axis 2 uses Apache HttpClient 3.x, so you'll need to follow its way of configuring the SSLContext (and X509KeyManager if needed). The easiest way might be to configure Apache HttpClient's global https protocol handler with your SSLContext, set up with an X509KeyManager configured to choose the client certificate as you require (via chooseClientAlias).

If the issuers and the connected Socket (probably the remote address) are not enough for deciding which certificate to choose, you may need to implement a more complex logic which will almost inevitably require careful synchronization with the rest of your application.

EDIT:

Once you've built your SSLContext and X509KeyManager, you need to pass them to Apache HttpClient 3.x. For this, you can build your own SecureProtocolSocketFactory, which will build the socket from this SSLContext (via an SSLSocketFactory, see SSLContext methods). There are examples in the Apache HttpClient 3.x SSL guide. Avoid EasySSLProtocolSocketFactory, since it won't check any server cert (thereby allowing for MITM attacks). You could also try this implementation.

Note that you only really need to customize your X509KeyManager, you can initialize your SSLContext (via init) with null for the other parameters to keep the default values (in particular the default trust settings).

Then, "install" this SecureProtocolSocketFactory globally for Apache HttpClient 3.x using something like this:

Protocol.registerProtocol("https", new Protocol("https",
   (ProtocolSocketFactory)secureProtocolSocketFactory, 443));
like image 197
Bruno Avatar answered Oct 12 '22 07:10

Bruno
Sign in to Comment

Related questions

eclipse mylyn with redmine
Java Generics: How does method inference work when wildcard is being used in the method parameters?
Merging two web cameras streaming into a single live streaming - Programmatically
Randomly getting elements in a HashMap or HashSet without looping
Does Java volatile variables impose a happens-before relationship before it is read?
Are there any issues what so ever with running Eclipse with OpenJDK under Linux?
Appending TimeStamp in log file name of Java util logger
Charset.defaultCharset() get different result under JDK1.7 and JDK 1.6
Can org.bouncycastle.openssl.PEMReader read java.security.PrivateKey?
How to read hadoop sequential file?
Real-time identification of non-speech, non-music sound from a continuous microphone stream
phonetic spelling in Python and Java [closed]
Does clang/libclang have Java bindings?
Port Forwarding
How is lazySet in Java's Atomic* classes implemented?
specification driven packet format parsing?
JSR 303 Custom constraint Override
Double-checked locking, NetBeans confuses me?
Java clipboardOwner Purpose?
Berkeley DB error: The je.lck file could not be locked

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!