java - Apache HttpClient 4.3 and x509 client certificate to authenticate


I am now looking for a solution to the task of how to rewrite the deprecated solution for client-side X.509 certificate authentication via HttpComponentsMessageSender (not relevant).

For example, the deprecated solution is:

    SSLSocketFactory lSchemeSocketFactory = new SSLSocketFactory(this.keyStore, this.keyStorePassword);
    Scheme sch = new Scheme("https", 443, lSchemeSocketFactory);

    DefaultHttpClient httpClient = (DefaultHttpClient) getHttpClient();
    httpClient.getConnectionManager().getSchemeRegistry().register(sch);

As the new solution with CloseableHttpClient I am using:

    SSLContextBuilder sslContextBuilder = SSLContexts.custom()
            // key store must contain the key/cert of the client
            .loadKeyMaterial(keyStore, keyStorePassword.toCharArray());

    if (trustStore != null) {
        // key store must contain the certs needed and trusted to verify the server's cert
        sslContextBuilder.loadTrustMaterial(trustStore);
    }

    SSLContext sslContext = sslContextBuilder.build();

    LayeredConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);

    // Create a registry of custom connection socket factories for the supported
    // protocol schemes / https
    Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("https", sslsf)
            .register("http", new PlainConnectionSocketFactory())
            .build();

    PoolingHttpClientConnectionManager connPoolControl =
            new PoolingHttpClientConnectionManager(socketFactoryRegistry);
    setConnPoolControl(connPoolControl);
    getClientBuilder().setSSLSocketFactory(sslsf);

I still get 403 Forbidden from the server. When I use the "deprecated" version of the solution, it works great. The SSL certificate is signed by Thawte.

Any idea? Thanks

Tomas, maybe it's late, but I hope it helps others... Here is the method I'm using to create a CloseableHttpClient using Apache HttpClient 4.3:

    public static CloseableHttpClient prepareClient() {
        try {
            // TrustSelfSignedStrategy: self-signed server certificates are accepted
            SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, new TrustSelfSignedStrategy()).useTLS().build();
            HttpClientBuilder builder = HttpClientBuilder.create();
            // ALLOW_ALL_HOSTNAME_VERIFIER: the server hostname is not checked against its certificate
            SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            builder.setSSLSocketFactory(sslConnectionFactory);
            Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("https", sslConnectionFactory)
                    .register("http", new PlainConnectionSocketFactory())
                    .build();
            HttpClientConnectionManager ccm = new BasicHttpClientConnectionManager(registry);
            builder.setConnectionManager(ccm);
            return builder.build();
        } catch (Exception ex) {
            return null;
        }
    }

The Apache Foundation moved org.apache.http.conn.ssl.SSLContextBuilder, org.apache.http.conn.ssl.SSLContexts and org.apache.http.conn.ssl.SSLSocketFactory to deprecated starting with version 4.4; you can find them in the Apache Client 4.5.2 API deprecated list. So, the previous method can be changed to this:

    public static CloseableHttpClient prepareClient() {
        try {
            // TrustSelfSignedStrategy: self-signed server certificates are accepted
            SSLContext sslContext = SSLContexts.custom()
                    .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
            HttpClientBuilder builder = HttpClientBuilder.create();
            // NoopHostnameVerifier: the server hostname is not checked against its certificate
            SSLConnectionSocketFactory sslConnectionFactory =
                    new SSLConnectionSocketFactory(sslContext.getSocketFactory(),
                            new NoopHostnameVerifier());
            builder.setSSLSocketFactory(sslConnectionFactory);
            Registry<ConnectionSocketFactory> registry =
                    RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("https", sslConnectionFactory)
                    .register("http", new PlainConnectionSocketFactory())
                    .build();
            HttpClientConnectionManager ccm = new BasicHttpClientConnectionManager(registry);
            builder.setConnectionManager(ccm);
            return builder.build();
        } catch (Exception ex) {
            log.error("couldn't create httpClient!! {}", ex.getMessage(), ex);
            return null;
        }
    }

NoopHostnameVerifier

The NO_OP HostnameVerifier turns hostname verification off. This implementation is a no-op, and never throws the SSLException.

If you need to verify the hostname, you can use DefaultHostnameVerifier or you can implement your custom hostname verifier.
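A client that presents the client certificate from the question's key store and keeps hostname verification on with DefaultHostnameVerifier, written against the HttpClient 4.4+ classes. This is an added example, not code from the question or the answer; the class name `MutualTlsClient`, the `loadPkcs12` helper, the `CLIENT_P12_PASSWORD` environment variable and the PKCS#12 store format are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class MutualTlsClient {
    // Hypothetical helper: loads a PKCS#12 store (client key + certificate chain) from disk.
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    static CloseableHttpClient prepareClient(KeyStore keyStore, char[] keyPassword,
                                             KeyStore trustStore) throws Exception {
        SSLContext sslContext = SSLContexts.custom()
                // key and certificate chain the client presents in the TLS handshake
                .loadKeyMaterial(keyStore, keyPassword)
                // CAs accepted for the server certificate; a null store means the JVM default
                .loadTrustMaterial(trustStore, null)
                .build();
        // DefaultHostnameVerifier checks the server hostname against its certificate
        SSLConnectionSocketFactory sslsf =
                new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier());
        // No setConnectionManager call: an explicit manager overrides setSSLSocketFactory
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        // args[0] = path to the PKCS#12 file, args[1] = https URL to request
        char[] pw = System.getenv("CLIENT_P12_PASSWORD").toCharArray();
        KeyStore client = loadPkcs12(args[0], pw);
        try (CloseableHttpClient http = prepareClient(client, pw, null);
             CloseableHttpResponse resp = http.execute(new HttpGet(args[1]))) {
            System.out.println(resp.getStatusLine());
        }
    }
}
```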

