List of usage examples for org.apache.http.conn.ssl StrictHostnameVerifier StrictHostnameVerifier
StrictHostnameVerifier
From source file:org.opensaml.security.httpclient.impl.TrustEngineTLSSocketFactoryTest.java
@Test(expectedExceptions = SSLPeerUnverifiedException.class) public void testFailUntrustedCert() throws IOException { X509Credential cred = getCredential("foo-1A1-good.crt"); List<Credential> emptyCreds = new ArrayList<>(); ExplicitKeyTrustEngine trustEngine = new ExplicitKeyTrustEngine(new StaticCredentialResolver(emptyCreds)); httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE, trustEngine); trustEngineFactory = new TrustEngineTLSSocketFactory( buildInnerSSLFactory(Collections.singletonList((Certificate) cred.getEntityCertificate()), hostname),/*w ww .j a v a2s . com*/ new StrictHostnameVerifier()); Socket socket = trustEngineFactory.createSocket(httpContext); try { trustEngineFactory.connectSocket(0, socket, new HttpHost(hostname, 443, "https"), null, null, httpContext); } catch (Exception e) { Assert.assertEquals( httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED), Boolean.FALSE); throw e; } }
From source file:org.opensaml.security.httpclient.impl.SecurityEnhancedTLSSocketFactoryTest.java
@Test(expectedExceptions = SSLPeerUnverifiedException.class) public void testFailUntrustedCert() throws IOException { X509Credential cred = getCredential("foo-1A1-good.crt"); List<Credential> emptyCreds = new ArrayList<>(); ExplicitKeyTrustEngine trustEngine = new ExplicitKeyTrustEngine(new StaticCredentialResolver(emptyCreds)); httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE, trustEngine); securityEnhancedSocketFactory = new SecurityEnhancedTLSSocketFactory( buildInnerSSLFactory(Collections.singletonList((Certificate) cred.getEntityCertificate()), hostname),//from w w w . ja v a 2 s. co m new StrictHostnameVerifier()); Socket socket = securityEnhancedSocketFactory.createSocket(httpContext); try { securityEnhancedSocketFactory.connectSocket(0, socket, new HttpHost(hostname, 443, "https"), null, null, httpContext); } catch (Exception e) { Assert.assertEquals( httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED), Boolean.FALSE); throw e; } }
From source file:org.opensaml.security.httpclient.HttpClientSecuritySupportTest.java
@Test public void testMarshalSecurityParametersWithReplacement() { HttpClientContext context = HttpClientContext.create(); context.setCredentialsProvider(new BasicCredentialsProvider()); context.setAttribute(CONTEXT_KEY_TRUST_ENGINE, new MockTrustEngine()); context.setAttribute(CONTEXT_KEY_CRITERIA_SET, new CriteriaSet()); context.setAttribute(CONTEXT_KEY_TLS_PROTOCOLS, Lists.newArrayList("foo")); context.setAttribute(CONTEXT_KEY_TLS_CIPHER_SUITES, Lists.newArrayList("foo")); context.setAttribute(CONTEXT_KEY_CLIENT_TLS_CREDENTIAL, new BasicX509Credential(cert)); context.setAttribute(CONTEXT_KEY_HOSTNAME_VERIFIER, new StrictHostnameVerifier()); HttpClientSecurityParameters params = new HttpClientSecurityParameters(); params.setCredentialsProvider(new BasicCredentialsProvider()); params.setTLSTrustEngine(new MockTrustEngine()); params.setTLSCriteriaSet(new CriteriaSet()); params.setTLSProtocols(Lists.newArrayList("foo")); params.setTLSCipherSuites(Lists.newArrayList("foo")); params.setClientTLSCredential(new BasicX509Credential(cert)); params.setHostnameVerifier(new StrictHostnameVerifier()); HttpClientSecuritySupport.marshalSecurityParameters(context, params, true); Assert.assertSame(context.getCredentialsProvider(), params.getCredentialsProvider()); Assert.assertSame(context.getAttribute(CONTEXT_KEY_TRUST_ENGINE), params.getTLSTrustEngine()); Assert.assertSame(context.getAttribute(CONTEXT_KEY_CRITERIA_SET), params.getTLSCriteriaSet()); Assert.assertSame(context.getAttribute(CONTEXT_KEY_TLS_PROTOCOLS), params.getTLSProtocols()); Assert.assertSame(context.getAttribute(CONTEXT_KEY_TLS_CIPHER_SUITES), params.getTLSCipherSuites()); Assert.assertSame(context.getAttribute(CONTEXT_KEY_CLIENT_TLS_CREDENTIAL), params.getClientTLSCredential()); Assert.assertSame(context.getAttribute(CONTEXT_KEY_HOSTNAME_VERIFIER), params.getHostnameVerifier()); }
From source file:org.opensaml.security.httpclient.impl.TrustEngineTLSSocketFactoryTest.java
@Test(expectedExceptions = SSLException.class) public void testFailBadHostname() throws IOException { X509Credential cred = getCredential("foo-1A1-good.crt"); ExplicitKeyTrustEngine trustEngine = new ExplicitKeyTrustEngine(new StaticCredentialResolver(cred)); httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE, trustEngine); trustEngineFactory = new TrustEngineTLSSocketFactory( buildInnerSSLFactory(Collections.singletonList((Certificate) cred.getEntityCertificate()), "bogus.example.com"), new StrictHostnameVerifier()); Socket socket = trustEngineFactory.createSocket(httpContext); try {/*from w ww . ja v a2s .c om*/ trustEngineFactory.connectSocket(0, socket, new HttpHost("bogus.example.com", 443, "https"), null, null, httpContext); } catch (Exception e) { Assert.assertEquals( httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED), Boolean.TRUE); throw e; } }
From source file:org.opensaml.security.httpclient.impl.SecurityEnhancedTLSSocketFactoryTest.java
@Test(expectedExceptions = SSLException.class) public void testFailBadHostname() throws IOException { X509Credential cred = getCredential("foo-1A1-good.crt"); ExplicitKeyTrustEngine trustEngine = new ExplicitKeyTrustEngine(new StaticCredentialResolver(cred)); httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE, trustEngine); securityEnhancedSocketFactory = new SecurityEnhancedTLSSocketFactory( buildInnerSSLFactory(Collections.singletonList((Certificate) cred.getEntityCertificate()), "bogus.example.com"), new StrictHostnameVerifier()); Socket socket = securityEnhancedSocketFactory.createSocket(httpContext); try {//ww w . j av a 2 s.co m securityEnhancedSocketFactory.connectSocket(0, socket, new HttpHost("bogus.example.com", 443, "https"), null, null, httpContext); } catch (Exception e) { Assert.assertEquals( httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED), Boolean.TRUE); throw e; } }
From source file:org.sonatype.nexus.client.rest.jersey.NexusClientFactoryImpl.java
protected ApacheHttpClient4 doCreateHttpClientFor(final ConnectionInfo connectionInfo, final XStream xstream) { final ApacheHttpClient4Config config = new DefaultApacheHttpClient4Config(); config.getSingletons().add(new XStreamXmlProvider(xstream, APPLICATION_XML_UTF8_TYPE)); // set _real_ URL for baseUrl, and not a redirection (typically http instead of https) config.getProperties().put(PROPERTY_FOLLOW_REDIRECTS, Boolean.FALSE); applyAuthenticationIfAny(connectionInfo, config); applyProxyIfAny(connectionInfo, config); // obey JSSE defined system properties config.getProperties().put(ApacheHttpClient4Config.PROPERTY_CONNECTION_MANAGER, new PoolingClientConnectionManager(SchemeRegistryFactory.createSystemDefault())); final ApacheHttpClient4 client = ApacheHttpClient4.create(config); // set UA// w w w . j a v a 2s . c om client.getClientHandler().getHttpClient().getParams().setParameter(CoreProtocolPNames.USER_AGENT, "Nexus-Client/" + discoverClientVersion()); // "tweak" HTTPS scheme as requested final TrustStrategy trustStrategy; switch (connectionInfo.getSslCertificateValidation()) { case NONE: trustStrategy = new TrustStrategy() { @Override public boolean isTrusted(final X509Certificate[] chain, final String authType) throws CertificateException { return true; } }; break; case LAX: trustStrategy = new TrustSelfSignedStrategy(); break; default: trustStrategy = null; } final X509HostnameVerifier hostnameVerifier; switch (connectionInfo.getSslCertificateHostnameValidation()) { case NONE: hostnameVerifier = new AllowAllHostnameVerifier(); break; case STRICT: hostnameVerifier = new StrictHostnameVerifier(); break; default: hostnameVerifier = new BrowserCompatHostnameVerifier(); } try { final SSLSocketFactory ssf = new SSLSocketFactory(trustStrategy, hostnameVerifier); final Scheme tweakedHttpsScheme = new Scheme("https", 443, ssf); client.getClientHandler().getHttpClient().getConnectionManager().getSchemeRegistry() .register(tweakedHttpsScheme); } catch (Exception e) { Throwables.propagate(e); } // NXCM-4547 JERSEY-1293 Enforce proxy setting on httpclient enforceProxyUri(config, client); if (LOG.isDebugEnabled()) { client.addFilter(new LoggingFilter()); } client.addFilter(new RequestFilters()); return client; }
From source file:org.opensaml.security.httpclient.impl.TrustEngineTLSSocketFactoryTest.java
@Test(expectedExceptions = SSLPeerUnverifiedException.class) public void testFailNoCertsInSession() throws IOException { X509Credential cred = getCredential("foo-1A1-good.crt"); ExplicitKeyTrustEngine trustEngine = new ExplicitKeyTrustEngine(new StaticCredentialResolver(cred)); httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE, trustEngine); // Pass an empty cert list, to simulate unlikely condition of SSLSession not having any peerCertificates trustEngineFactory = new TrustEngineTLSSocketFactory( buildInnerSSLFactory(new ArrayList<Certificate>(), hostname), new StrictHostnameVerifier()); Socket socket = trustEngineFactory.createSocket(httpContext); trustEngineFactory.connectSocket(0, socket, new HttpHost(hostname, 443, "https"), null, null, httpContext); }
From source file:org.keycloak.connections.httpclient.HttpClientBuilder.java
public CloseableHttpClient build() { X509HostnameVerifier verifier = null; if (this.verifier != null) verifier = new VerifierWrapper(this.verifier); else {/*from w w w. j a v a2s . c o m*/ switch (policy) { case ANY: verifier = new AllowAllHostnameVerifier(); break; case WILDCARD: verifier = new BrowserCompatHostnameVerifier(); break; case STRICT: verifier = new StrictHostnameVerifier(); break; } } try { SSLConnectionSocketFactory sslsf = null; SSLContext theContext = sslContext; if (disableTrustManager) { theContext = SSLContext.getInstance("TLS"); theContext.init(null, new TrustManager[] { new PassthroughTrustManager() }, new SecureRandom()); verifier = new AllowAllHostnameVerifier(); sslsf = new SSLConnectionSocketFactory(theContext, verifier); } else if (theContext != null) { sslsf = new SSLConnectionSocketFactory(theContext, verifier); } else if (clientKeyStore != null || truststore != null) { theContext = createSslContext("TLS", clientKeyStore, clientPrivateKeyPassword, truststore, null); sslsf = new SSLConnectionSocketFactory(theContext, verifier); } else { final SSLContext tlsContext = SSLContext.getInstance("TLS"); tlsContext.init(null, null, null); sslsf = new SSLConnectionSocketFactory(tlsContext, verifier); } RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout((int) establishConnectionTimeout) .setSocketTimeout((int) socketTimeout).build(); org.apache.http.impl.client.HttpClientBuilder builder = HttpClients.custom() .setDefaultRequestConfig(requestConfig).setSSLSocketFactory(sslsf) .setMaxConnTotal(connectionPoolSize).setMaxConnPerRoute(maxPooledPerRoute) .setConnectionTimeToLive(connectionTTL, connectionTTLUnit); if (proxyMappings != null && !proxyMappings.isEmpty()) { builder.setRoutePlanner(new ProxyMappingsAwareRoutePlanner(proxyMappings)); } if (maxConnectionIdleTime > 0) { // Will start background cleaner thread builder.evictIdleConnections(maxConnectionIdleTime, maxConnectionIdleTimeUnit); } if (disableCookies) builder.disableCookieManagement(); return builder.build(); } catch (Exception e) { throw new RuntimeException(e); } }
From source file:org.opensaml.security.httpclient.HttpClientSecuritySupportTest.java
@Test public void testMarshalSecurityParametersWithoutReplacement() { HttpClientContext context = HttpClientContext.create(); CredentialsProvider credProvider = new BasicCredentialsProvider(); TrustEngine<X509Credential> trustEngine = new MockTrustEngine(); CriteriaSet criteriaSet = new CriteriaSet(); List<String> protocols = Lists.newArrayList("foo"); List<String> cipherSuites = Lists.newArrayList("foo"); X509Credential clientTLSCred = new BasicX509Credential(cert); HostnameVerifier verifier = new StrictHostnameVerifier(); context.setCredentialsProvider(credProvider); context.setAttribute(CONTEXT_KEY_TRUST_ENGINE, trustEngine); context.setAttribute(CONTEXT_KEY_CRITERIA_SET, criteriaSet); context.setAttribute(CONTEXT_KEY_TLS_PROTOCOLS, protocols); context.setAttribute(CONTEXT_KEY_TLS_CIPHER_SUITES, cipherSuites); context.setAttribute(CONTEXT_KEY_CLIENT_TLS_CREDENTIAL, clientTLSCred); context.setAttribute(CONTEXT_KEY_HOSTNAME_VERIFIER, verifier); HttpClientSecurityParameters params = new HttpClientSecurityParameters(); params.setCredentialsProvider(new BasicCredentialsProvider()); params.setTLSTrustEngine(new MockTrustEngine()); params.setTLSCriteriaSet(new CriteriaSet()); params.setTLSProtocols(Lists.newArrayList("foo")); params.setTLSCipherSuites(Lists.newArrayList("foo")); params.setClientTLSCredential(new BasicX509Credential(cert)); params.setHostnameVerifier(new StrictHostnameVerifier()); HttpClientSecuritySupport.marshalSecurityParameters(context, params, false); Assert.assertSame(context.getCredentialsProvider(), credProvider); Assert.assertSame(context.getAttribute(CONTEXT_KEY_TRUST_ENGINE), trustEngine); Assert.assertSame(context.getAttribute(CONTEXT_KEY_CRITERIA_SET), criteriaSet); Assert.assertSame(context.getAttribute(CONTEXT_KEY_TLS_PROTOCOLS), protocols); Assert.assertSame(context.getAttribute(CONTEXT_KEY_TLS_CIPHER_SUITES), cipherSuites); Assert.assertSame(context.getAttribute(CONTEXT_KEY_CLIENT_TLS_CREDENTIAL), clientTLSCred); Assert.assertSame(context.getAttribute(CONTEXT_KEY_HOSTNAME_VERIFIER), verifier); }
From source file:org.keycloak.adapters.cloned.HttpClientBuilder.java
public HttpClient build() { X509HostnameVerifier verifier = null; if (this.verifier != null) verifier = new VerifierWrapper(this.verifier); else {/* w w w. j av a 2 s . c o m*/ switch (policy) { case ANY: verifier = new AllowAllHostnameVerifier(); break; case WILDCARD: verifier = new BrowserCompatHostnameVerifier(); break; case STRICT: verifier = new StrictHostnameVerifier(); break; } } try { SSLSocketFactory sslsf = null; SSLContext theContext = sslContext; if (disableTrustManager) { theContext = SSLContext.getInstance("SSL"); theContext.init(null, new TrustManager[] { new PassthroughTrustManager() }, new SecureRandom()); verifier = new AllowAllHostnameVerifier(); sslsf = new SniSSLSocketFactory(theContext, verifier); } else if (theContext != null) { sslsf = new SniSSLSocketFactory(theContext, verifier); } else if (clientKeyStore != null || truststore != null) { sslsf = new SniSSLSocketFactory(SSLSocketFactory.TLS, clientKeyStore, clientPrivateKeyPassword, truststore, null, verifier); } else { final SSLContext tlsContext = SSLContext.getInstance(SSLSocketFactory.TLS); tlsContext.init(null, null, null); sslsf = new SniSSLSocketFactory(tlsContext, verifier); } SchemeRegistry registry = new SchemeRegistry(); registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory())); Scheme httpsScheme = new Scheme("https", 443, sslsf); registry.register(httpsScheme); ClientConnectionManager cm = null; if (connectionPoolSize > 0) { ThreadSafeClientConnManager tcm = new ThreadSafeClientConnManager(registry, connectionTTL, connectionTTLUnit); tcm.setMaxTotal(connectionPoolSize); if (maxPooledPerRoute == 0) maxPooledPerRoute = connectionPoolSize; tcm.setDefaultMaxPerRoute(maxPooledPerRoute); cm = tcm; } else { cm = new SingleClientConnManager(registry); } BasicHttpParams params = new BasicHttpParams(); params.setParameter(ClientPNames.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY); if (proxyHost != null) { params.setParameter(ConnRoutePNames.DEFAULT_PROXY, proxyHost); } if (socketTimeout > -1) { HttpConnectionParams.setSoTimeout(params, (int) socketTimeoutUnits.toMillis(socketTimeout)); } if (establishConnectionTimeout > -1) { HttpConnectionParams.setConnectionTimeout(params, (int) establishConnectionTimeoutUnits.toMillis(establishConnectionTimeout)); } DefaultHttpClient client = new DefaultHttpClient(cm, params); if (disableCookieCache) { client.setCookieStore(new CookieStore() { @Override public void addCookie(Cookie cookie) { //To change body of implemented methods use File | Settings | File Templates. } @Override public List<Cookie> getCookies() { return Collections.emptyList(); } @Override public boolean clearExpired(Date date) { return false; //To change body of implemented methods use File | Settings | File Templates. } @Override public void clear() { //To change body of implemented methods use File | Settings | File Templates. } }); } return client; } catch (Exception e) { throw new RuntimeException(e); } }