Fellow Shindig Developers,
I have a tough question regarding certificates. We have a server set up that
requires the acceptance of a certificate to access a URL which the server
hosts. If I access the URL via a web browser, the browser prompts the user to
trust the certificate (i.e. add an exception for the certificate in Firefox)
prior to using the service. Once I trust the certificate, all is well. From a
Shindig/gadget perspective, however, we don't have a pretty UI to prompt the
user to accept the certificate. We request the URL within a gadget using
osapi.http.get() as follows:
var params = {
"href": "https://myhost.com/irequireacertificate";,
"headers": {
"Authorization": ["Basic xYz123"],
"User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6;
rv:5.0) Gecko/20100101 Firefox/5.0"],
"Accept":
["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json"],
"Accept-Encoding": ["gzip, deflate"],
"Accept-Charset": ["ISO-8859-1,utf-8;q=0.7,*;q=0.7"]
};
osapi.http.get(params).execute(function(resp) {
console.log(resp);
});
Invoking the request throws the following exception from BasicHttpFetcher:
Caused by: org.apache.shindig.gadgets.GadgetException:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
org.apache.shindig.gadgets.http.BasicHttpFetcher.fetch(BasicHttpFetcher.java:389)
at
org.apache.shindig.gadgets.http.DefaultRequestPipeline.execute(DefaultRequestPipeline.java:104)
at
org.apache.shindig.gadgets.servlet.HttpRequestHandler.execute(HttpRequestHandler.java:231)
... 33 more
I suspect (and a quick Google search agrees) that this is likely because the
server requires a certificate to be trusted, but Shindig's BasicHttpFetcher is
unable to handle this challenge, so things blow up. What type of strategy
should we use for gadgets handling certificates? I don't have enough expertise
with SSL certificates for a credible recommendation.
Thanks!
- Eric W.
