Tuesday, 22 November 2005

Apache XML-RPC over HTTPS


Some scattered notes about using Apache XML-RPC over HTTPS. They refer to the 2.x API (org.apache.xmlrpc.secure.SecureXmlRpcClient and CommonsXmlRpcTransport), which the later 3.x releases replaced.

Example code:

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Vector;

import org.apache.xmlrpc.CommonsXmlRpcTransport;
import org.apache.xmlrpc.XmlRpcRequest;
import org.apache.xmlrpc.secure.SecureXmlRpcClient;
import org.apache.xmlrpc.secure.SecurityTool;

public class XMLRPCClientSample
{
    public static void main(String[] args)
    {
        try
        {
            String serverLocation = "https://host.name/path";

            // Truststore read by the JSSE default SSL context.
            // Hard-coded here only for the example; see the notes below.
/*m1*/      System.setProperty("javax.net.ssl.trustStore", "/keystore.path/keystore.name");
/*m2*/      System.setProperty("javax.net.ssl.trustStorePassword", "keystore.password");

            // The same keystore, handed to Apache XML-RPC's own SecurityTool.
/*m3*/      SecurityTool.setKeyStore("/keystore.path/keystore.name");
/*m4*/      SecurityTool.setKeyStorePassword("keystore.password");

/*m5*/      SecureXmlRpcClient client = new SecureXmlRpcClient(serverLocation);
            client.setup();

            // Transport carrying the HTTP Basic credentials; same URL as in /*m5*/.
/*m6*/      CommonsXmlRpcTransport transport =
                new CommonsXmlRpcTransport(new URL(serverLocation));
/*m7*/      transport.setBasicAuthentication("user.name", "user.password");

            // XML-RPC parameters go in a Vector (2.x API).
            Vector params = new Vector();
            params.add("param");

            XmlRpcRequest request = new XmlRpcRequest("method", params);

            Object o = client.execute(request, transport);
            System.out.println(o);
        }
        catch (MalformedURLException e)
        {
            e.printStackTrace();
            System.exit(1);
        }
        catch (Exception e)
        {
            e.printStackTrace();
            System.exit(1);
        }
    }
}

If the certificate of the server you are connecting to is not signed by a certificate authority the JVM already trusts, the SSL handshake fails. To make that particular certificate trusted you must:

  1. import it into a keystore file used as truststore (a file of your own, or the JDK's default cacerts) using the keytool program. Before importing, compare the certificate's fingerprint with one obtained out-of-band, for instance from the server's administrator: what you are doing is pinning that exact certificate, and an unverified one would trust an impostor just as readily;
  2. add the instructions marked /*m1*/, /*m2*/, /*m3*/ and /*m4*/ to specify which keystore to use. Of course, rather than hard-coding the property values in instructions /*m1*/ and /*m2*/, you can invoke your executable with the -Djavax.net.ssl.trustStore=/keystore.path/keystore.name -Djavax.net.ssl.trustStorePassword=keystore.password options (keep in mind that command-line options are visible to other users of the machine in the process list, so a password is not much better off there).
    If you omit instructions /*m1*/ and /*m2*/ the exception below is thrown:
    java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    If you omit instead instructions /*m3*/ and /*m4*/ the exception below is thrown:
    java.net.SocketException: Default SSL context init failed: null
    Anyway, this double pointer to the same information seems to me a little redundant :-( ;
  3. to download the server certificate (in order to import it into the keystore) you can use Microsoft Internet Explorer, which is good for this kind of thing. Presently, that isn't possible (AFAIK) with Mozilla or Firefox!
    If you don't have Microsoft Internet Explorer at hand (as I don't), you can use openssl:
    pic@stakhanov:~$ openssl s_client -connect host.name:443 -showcerts
    CONNECTED(00000003)
    [...]
    The server's own certificate is the first block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in the output (the rest of the chain follows it); save that block to a file and import the file.
    
    Thanks to Emanuele Vicentini (my favorite system administrator ;-) who suggested it;
  4. the authentication parameters could be set using the setBasicAuthentication method of org.apache.xmlrpc.XmlRpcClient, but it is deprecated. Instead you have to use the method of the same name in CommonsXmlRpcTransport, as in the instruction marked /*m7*/ (see the Apache XML-RPC javadocs). Keep in mind that HTTP Basic authentication only base64-encodes the user name and password, so it is acceptable only over HTTPS, which is exactly the case here.
    In this way one has to specify the same server location in two places: in instructions /*m5*/ and /*m6*/. Again, this seems to me redundant and error-prone;
  5. the example is useful only if you can configure HTTPS globally: the system properties of /*m1*/ and /*m2*/ and the SecurityTool settings of /*m3*/ and /*m4*/ apply to the whole JVM, so every HTTPS connection made from it uses the same truststore, and that isn't always acceptable.
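The download-check-import procedure of steps 1 and 3 put together as a shell script. This is an added example, not code from the original post: it uses only openssl and keytool, reads the keystore password from the KEYSTORE_PASSWORD environment variable instead of hard-coding it, and refuses to import a certificate whose SHA-256 fingerprint does not match a value you obtained out-of-band. host.name, the keystore path, the alias and the expected fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the server certificate with
# openssl, compare its fingerprint with one obtained out-of-band, and only then
# import it into the truststore with keytool. host.name, /keystore.path/...,
# the alias and the expected fingerprint below are placeholders.
set -eu

# Keep only the first BEGIN/END CERTIFICATE block of `openssl s_client
# -showcerts` output read from stdin. The chain is printed leaf first, so this
# is the server's own certificate, not an intermediate CA.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# SHA-256 fingerprint of the PEM certificate in file $1, as colon-separated
# uppercase hex (the format both keytool and openssl print).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Exit 0 when the fingerprint of file $1 equals the expected value $2,
# ignoring letter case. The expected value is what the server administrator
# gave you; without one you are not verifying anything.
fingerprint_matches() {
    actual=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# Import certificate file $1 into keystore $2 under alias $3 after checking it
# against fingerprint $4. The keystore password comes from the environment
# (KEYSTORE_PASSWORD), not from a hard-coded string or a -D option.
import_trusted_cert() {
    cert=$1
    keystore=$2
    ks_alias=$3
    expected=$4
    if ! fingerprint_matches "$cert" "$expected"; then
        echo "fingerprint of $cert does not match the expected value, refusing to import" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts \
        -alias "$ks_alias" -file "$cert" \
        -keystore "$keystore" -storepass "${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD}"
}

# Typical session (needs network access and a JDK; values are placeholders):
#   openssl s_client -connect host.name:443 -showcerts </dev/null \
#       | extract_leaf_cert > server.pem
#   cert_fingerprint server.pem      # compare with the out-of-band value
#   KEYSTORE_PASSWORD=keystore.password \
#       import_trusted_cert server.pem /keystore.path/keystore.name host.name \
#           '<expected-sha256-fingerprint>'
```

The `</dev/null` on s_client makes it close the connection instead of waiting for input; the resulting file is what step 1 feeds to keytool, and the truststore it produces is the one instructions /*m1*/ to /*m4*/ point at.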
Posted by Nicola Piccinini at 2:32 AM CET in devel/

Comments on this entry:

Left by Milicic Marko at 12 Mar 6:47 PM

Hi,

Thank you for this helpful article, but is there any chance that you write some article about setting up the server side?

Left by pic at 13 Mar 11:57 PM

no, sorry, I have no experience with the server side of xml-rpc, nor do I have plans to deal with it soon.