Package edu.uiuc.ncsa.security.util.ssl

Class VerifyingHTTPClientFactory

java.lang.Object

edu.uiuc.ncsa.security.util.ssl.VerifyingHTTPClientFactory

All Implemented Interfaces:

Logable

public class VerifyingHTTPClientFactory
extends Object
implements Logable

Creates HTTP clients which validate connections against a keystore.

Created by Jeff Gaynor
on Aug 7, 2010 at 2:59:21 PM

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	VerifyingHTTPClientFactory.X509TrustManagerFacade	A facade for trust managers.

Field Summary

Fields

Modifier and Type	Field	Description
static int	DEFAULT_CONNECTION_TIMEOUT	The default amount of time a connection should wait before timing out.

Constructor Summary

Constructors

Constructor	Description
VerifyingHTTPClientFactory(MyLoggingFacade logger, SSLConfiguration sslConfiguration)

Method Summary

Modifier and Type	Method	Description
void	debug(String x)	Write a debug message to the log.
void	error(String x)	Write an error message to the log.
org.apache.http.client.HttpClient	getClient(String host)	Creates an HTTPS-aware client that will verify the cert chain and host when called.
org.apache.http.client.HttpClient	getClient(String host, int connectionTimeout, int socketTimeout)
org.apache.http.client.HttpClient	getClient(X509TrustManager x509TrustManager)
org.apache.http.client.HttpClient	getClient(X509TrustManager x509TrustManager, int connectionTimeout, int socketTimeout)
protected X509TrustManager	getDefaultTrustManager()
protected KeyManagerFactory	getKeyManagerFactory()
protected KeyManager[]	getKeyManagers()
protected KeyStore	getKeyStore()
MyLoggingFacade	getLogger()
protected org.apache.http.conn.ssl.SSLSocketFactory	getSocketFactory(X509TrustManager tm)	Configure the socket factory using an SSL context.
SSLConfiguration	getSSLConfiguration()
boolean	hasKeyStore()
void	info(String x)	Write an informational message to the log
boolean	isDebugOn()	Query if debugging is enabled for this logger.
boolean	isStrictHostnames()	Whether to allow strict hostname verification.
MyTrustManager	newMyTrustManager()	Returns a NEW trust manager with each call since the trust manager needs to have its host set.
void	setDebugOn(boolean setOn)	Enable/disable debugging for this logger
protected void	setKeyManagerFactory(KeyManagerFactory keyManagerFactory)
protected void	setKeyStore(KeyStore keyStore)
void	setSSLConfiguration(SSLConfiguration sslConfiguration)
void	setStrictHostnames(boolean strictHostnames)
void	warn(String x)	Write a warning to the log.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_CONNECTION_TIMEOUT

public static int DEFAULT_CONNECTION_TIMEOUT

The default amount of time a connection should wait before timing out. (has to be an int since we are using HTTPClient)

Constructor Detail

VerifyingHTTPClientFactory

public VerifyingHTTPClientFactory(MyLoggingFacade logger,
                                  SSLConfiguration sslConfiguration)

Method Detail

isStrictHostnames

public boolean isStrictHostnames()

Whether to allow strict hostname verification. The default is true. Generally you do not want to set this to false without and excellent reason since it will relax security. It is, however, warranted in certain cases (such as in testing environments with self-signed certs whose host names aren't quite right.) Generally if you have to set this to false in a production environment, there is something wrong with the server's certificates.

Returns:

setStrictHostnames

public void setStrictHostnames(boolean strictHostnames)

debug

public void debug(String x)

Description copied from interface: Logable

Write a debug message to the log.

Specified by:

debug in interface Logable

isDebugOn

public boolean isDebugOn()

Description copied from interface: Logable

Query if debugging is enabled for this logger.

Specified by:

isDebugOn in interface Logable

Returns:

setDebugOn

public void setDebugOn(boolean setOn)

Description copied from interface: Logable

Enable/disable debugging for this logger

Specified by:

setDebugOn in interface Logable

info

public void info(String x)

Description copied from interface: Logable

Write an informational message to the log

Specified by:

info in interface Logable

warn

public void warn(String x)

Description copied from interface: Logable

Write a warning to the log. This indicates a severe, but non-fatal condition exists.

Specified by:

warn in interface Logable

error

public void error(String x)

Description copied from interface: Logable

Write an error message to the log. Typically this is invoked as the last command before throwing an exception.

Specified by:

error in interface Logable

getLogger

public MyLoggingFacade getLogger()

getClient

public org.apache.http.client.HttpClient getClient(String host)
                                            throws IOException,
                                                   NoSuchAlgorithmException,
                                                   KeyStoreException

Creates an HTTPS-aware client that will verify the cert chain and host when called. This is a specific requirement for certain applications and requires that there be a trust root path set as well. I.e., this is for very specific requirements such as the CILogon delegation server callback to the portal. Generally you should just use the built in http client with the right protocol.

Parameters:

host -

Returns:

Throws:

IOException

NoSuchAlgorithmException

KeyStoreException

getDefaultTrustManager

protected X509TrustManager getDefaultTrustManager()
                                           throws NoSuchAlgorithmException,
                                                  KeyStoreException

Throws:

NoSuchAlgorithmException

KeyStoreException

getClient

public org.apache.http.client.HttpClient getClient(String host,
                                                   int connectionTimeout,
                                                   int socketTimeout)
                                            throws IOException,
                                                   NoSuchAlgorithmException,
                                                   KeyStoreException

Throws:

IOException

NoSuchAlgorithmException

KeyStoreException

getClient

public org.apache.http.client.HttpClient getClient(X509TrustManager x509TrustManager)

getClient

public org.apache.http.client.HttpClient getClient(X509TrustManager x509TrustManager,
                                                   int connectionTimeout,
                                                   int socketTimeout)

getSocketFactory

protected org.apache.http.conn.ssl.SSLSocketFactory getSocketFactory(X509TrustManager tm)
                                                              throws IOException,
                                                                     GeneralSecurityException

Configure the socket factory using an SSL context. This loads the keystore, grabs its trust manager then adds a custom trust manager.

Parameters:

tm -

Returns:

Throws:

IOException

KeyStoreException

GeneralSecurityException

hasKeyStore

public boolean hasKeyStore()

newMyTrustManager

public MyTrustManager newMyTrustManager()
                                 throws IOException

Returns a NEW trust manager with each call since the trust manager needs to have its host set. Note that this defaults to injecting

Returns:

Throws:

IOException

getKeyManagerFactory

protected KeyManagerFactory getKeyManagerFactory()
                                          throws IOException,
                                                 GeneralSecurityException

Throws:

IOException

GeneralSecurityException

getKeyStore

protected KeyStore getKeyStore()
                        throws IOException,
                               GeneralSecurityException

Throws:

IOException

GeneralSecurityException

setKeyStore

protected void setKeyStore(KeyStore keyStore)

setKeyManagerFactory

protected void setKeyManagerFactory(KeyManagerFactory keyManagerFactory)

getKeyManagers

protected KeyManager[] getKeyManagers()
                               throws IOException,
                                      GeneralSecurityException

Throws:

IOException

GeneralSecurityException

getSSLConfiguration

public SSLConfiguration getSSLConfiguration()

setSSLConfiguration

public void setSSLConfiguration(SSLConfiguration sslConfiguration)