No. I have a web service client that uses axis1 to consume web services from server A and server B. For server A I need to do authentication while for server B there is no such need. So the problem is on my client side where I need to configure axis to do authentication on some of the requests (based on my truststore) and NOT do authentication in other requests using SunJSSESocketFactory. The way I understand it (docs are not clear) AxisProperties will override each other per request. Right? Is my problem clearer now?
________________________________ From: Martin Gainty <mgai...@hotmail.com> To: java-user@axis.apache.org Sent: Wednesday, November 14, 2012 3:43 PM Subject: RE: Axis SSL authentication help! You need 2 different webapps one which implements SunFakeTrustSocketFactory for implementing unsigned server certs ..which would NEVER be used in Production Environment this would allow someone's client to hack in with their own self-signed certs one which implements http://ws.apache.org/axis/java/apiDocs/org/apache/axis/components/net/SunJSSESocketFactory.html provided requesting client has a valid (public) key of type RSA AND your client or B2B requesting entity supports JSSE key exchange this would prevent someone's client to hack in with their own self-signed certs so the question is are you implementing with self-signed certs OR are you using CA level certs (such as certs obtained from Verisign or Thawte) Martin ______________________________________________ Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. ________________________________ Date: Tue, 13 Nov 2012 22:27:37 -0800 From: akme...@yahoo.com Subject: Re: Axis SSL authentication help! To: java-user@axis.apache.org Also why are you mentioning about the refactoring to different web apps? I am asking about client side code ________________________________ From: Martin Gainty <mgai...@hotmail.com> To: java-user@axis.apache.org Sent: Wednesday, November 14, 2012 4:03 AM Subject: RE: Axis SSL authentication help! need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory). MG>you need to retask this to use 2 separate webapps MG>one which will authenticate your credentials with MySSLSocketFactory MG>one which not authenticate which will use SunFakeTrustSocketFactory MG>this is very clumsy and your options for specifying the security algorithm of your choosing as well as custom keysize are quite limited MG>why not use Axis2 and engage the Rampart Security Module? MG>Martin ________________________________ Date: Tue, 13 Nov 2012 13:37:28 -0800 From: akme...@yahoo.com Subject: Axis SSL authentication help! To: java-user@axis.apache.org Hi, I am using Axis 1 and need to do SSL authentication of a web service. I found that I need to use: AxisProperties.setProperty("axis.socketSecureFactory","com.example.MySSLSocketFactory"); to set my custom factory and trust managers. Problem: I also need to skip any server authentication in some requests (e.g. use SunFakeTrustSocketFactory). I assume that this AxisProperties.setProperty is some central property that affects all threads, right? So how could I implement my use case? Keep reseting AxisProperties.setProperty before each web service call? Is this the proper way? But I found this bug ticket that seems to complaint that once the socket factory is set in AxisProperties it is cached and any new setting has not effect:https://issues.apache.org/jira/browse/AXIS-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs Is there a workarround for this? If you could help me here it would be great guys! Thank you
