Hello,

Just to add a few details on how it can be done with Jetty, here is a sample configuration (I've used the ops4j names for this example). I think what we would be looking for is some advice regarding how to do it with Pax Web properly.

It would require using the jSSLutils jar (from the jetty connector), and, with Jetty 6, an extra class that extends org.mortbay.jetty.security.SslSocketConnector (or the select connector) to be able to set the SSLContext (I think I could provide this).


<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New class="org.jsslutils.keystores.KeyStoreLoader">
    <Set name="keyStoreType"><SystemProperty name="org.ops4j.pax.web.ssl.keystore.type" default="JKS" /></Set>
    <Set name="keyStorePath"><SystemProperty name="org.ops4j.pax.web.ssl.keystore" /></Set>
    <Set name="keyStorePassword"><SystemProperty name="org.ops4j.pax.web.ssl.password" /></Set>
    <Call id="keystore" name="loadKeyStore"><Arg /></Call>
  </New>

  <New class="org.jsslutils.sslcontext.PKIXSSLContextFactory">
    <Arg><Ref id="keystore" /></Arg>
    <Arg><SystemProperty name="org.ops4j.pax.web.ssl.keypassword" /></Arg>
    <Arg />
    <Set name="trustManagerWrapper"><New class="org.jsslutils.sslcontext.trustmanagers.TrustAllClientsWrappingTrustManager$Wrapper" /></Set>
    <Call id="context" name="buildSSLContext">
      <Arg>TLS</Arg>
    </Call>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port"><SystemProperty name="org.osgi.service.http.port.secure" default="8443" /></Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
        <Set name="sslContext">
          <Ref id="context" />
        </Set>
        <Set name="wantClientAuth">true</Set>
      </New>
    </Arg>
  </Call>
</Configure>


More examples are available from:
http://code.google.com/p/jsslutils/wiki/JettyUsage


Best wishes,

Bruno.
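To make concrete what the X509TrustManager asked about in the quoted message has to do at the TLS layer, here is an added example written against the plain javax.net.ssl API; it is not code from this thread, from Pax Web or from jSSLutils, and the class and method names are illustrative. It accepts a client certificate that chains to no configured CA (the self-signed FOAF+SSL case) while still rejecting expired certificates and broken self-signatures, and leaves identity verification to the application.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Illustrative trust manager for the FOAF+SSL case (not part of jSSLutils or Pax Web). */
public final class SelfSignedClientTrustManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        X509Certificate leaf = chain[0];
        // No CA is consulted, but an expired or not-yet-valid certificate is still rejected.
        leaf.checkValidity();
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            try {
                // A self-signed certificate must at least carry a valid self-signature.
                leaf.verify(leaf.getPublicKey());
            } catch (GeneralSecurityException e) {
                throw new CertificateException("bad self-signature on client certificate", e);
            }
        }
        // Identity is NOT established here: the application must dereference the WebID
        // (subjectAltName URI) and compare the published key with leaf.getPublicKey().
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("server-side only; never use to validate a remote server");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // no CA list advertised, so any client certificate is offered
    }

    /** Builds the server SSLContext that the connector's sslContext setter would receive. */
    public static SSLContext buildServerContext(KeyStore serverKeyStore, char[] keyPassword) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new SelfSignedClientTrustManager() }, null);
        return ctx;
    }
}
```

Pair it with wantClientAuth rather than needClientAuth, as in the configuration above, so browsers without a certificate can still reach the site and the application decides what an unauthenticated request may do.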



On 08/06/10 17:34, Reto Bachmann-Gmuer wrote:
Hello

I would like to set an X509TrustManager to support self-signed client
certificates (for use with foaf+ssl), I think one way of doing this is
by providing a jetty.xml in a fragment bundle. However I'm not sure
that's the best approach or if there's a way to do without this. I'm
not sure how jetty would be able to load the implementation of
X509TrustManager, I guess I would have to add this to the fragment
bundle as well.

Cheers,
reto



_______________________________________________
general mailing list
[email protected]
http://lists.ops4j.org/mailman/listinfo/general

