Axis 运行时动态抉择 证书（select a certifiate at runtime）

Axis 运行时动态选择 证书（select a certifiate at runtime）

?

目 錄

1. The Motivation
2. The Problem
3. The Solution
4. Usage / Configuration
5. Getting the code
6. Shortcomings
7. Comments, Feedback, Support

The base SecureSocketFactory (JSSE!SocketFactory) cannot be configured dynamically. It is configured using environment variables, which is not suitable if it is desired to change the client certificate at run-time.

The SunJSSE!SocketFactory?is more configurable, accepting a keyfile parameter from the Axis configuration at run-time. This is the one to use, however, by itself it does not do all that we need, so we have provided an extension of this class (see below)...

Even the SunJSSE!SocketFactory?does not accept all the configurations we need (eg: truststore config)

Even were the SocketFactory fully configurable to our desires, dynamic configuration at runtime would not be possible. This is beacause Axis caches the instantiated SocketFactories, meaning settings are applied only once.

The cacheing of SocketFactories occurs in a component called SocketFactoryFactory, the cache remembers one entry per protocol. So, the moment you make the first call over https, a SocketFactory is created for the protocol https using the currently configured parameters. After this no new SocketFactories are created for https, even if the parameters (eg keystore name) change.

A modified SocketFactoryFactory, which implements a cacheing scheme in which the keystore name is considered

An extension to SunJSSE!SocketFactory?which allows more configuration from Axis

An Axis EngineConfiguration class,?SSL!ClientAxisConfig, which holds the SSL paramters, and sets everything up

Replace the SocketFactoryFactory class with your new version. This can be done in one of three ways (method 1 is safest):

Find the original class file within axis.jar (it lives in org/apache/axis/components/net) and delete it, replace it with the modified class filePlace the modified class file in a new JAR, and make sure this JAR loads before axis.jar (eg call it _axis.jar)For webapps, place the modified class file within your WEB-INF/classes folder. It seems tomcat loads these before axis.jar

Use the SSL!ClientAxisConfig?class to initialize your Axis client before making a call (see example below)

When you want to use a different certificate, create a new SSL!ClientAxisConfig, with updated paramters, and use it to create a new Axis client. This client will use the new certificate.

切換行號

   1 // create config   2 boolean logging = false; // no logging   3 SSLClientAxisEngineConfig axisConfig = new SSLClientAxisEngineConfig();   4 axisConfig.setKeystore("/path/to/clientkey.p12");   5 axisConfig.setKeystoreType("PKCS12");   6 axisConfig.setKeystorePassword("changeit");   7 axisConfig.setTruststore("/path/to/truststore.jks");   8 axisConfig.setTruststoreType("JKS");   9 axisConfig.setTruststorePassword("changeit");  10 if (logging)  11     axisConfig.setDebugBaseDir("/path/to/logs");  12 axisConfig.initialize(logging);  13 // initialize service  14 URL soapURL = new URL("https://myserver.com/myapp/services/mywebserviceport");  15 MyWebServiceServiceLocator locator = new MyServiceLocator(axisConfig);  16 MyWebServicePort port = locator.getMyWebServicePort(soapURL);  17 MyWebServiceBindingStub stub = (MyWebServiceBindingStub) port;  18 // make a call to the webservice (assume no params for this operation)  19 MyResultType result = stub.myoperation1();

Should you have questions about the code, please feel free to contact me (the Author) at: runger --AT-- aon.at