andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Explanation on implementing client cert auth

Browse Source
This commit is contained in:
Trustin Lee 2010-01-25 11:40:47 +00:00
parent d5ad5a47ac
commit a8eda60857
2 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/org/jboss/netty/example/securechat/SecureChatServerPipelineFactory.java
View File

@ -47,6 +47,9 @@ public class SecureChatServerPipelineFactory implements
// and accept any invalid certificates in the client side. // and accept any invalid certificates in the client side.
// You will need something more complicated to identify both // You will need something more complicated to identify both
// and server in the real world. // and server in the real world.
//
// Read SecureChatSslContextFactory
// if you need client certificate authentication.
SSLEngine engine = SSLEngine engine =
SecureChatSslContextFactory.getServerContext().createSSLEngine(); SecureChatSslContextFactory.getServerContext().createSSLEngine();

23
src/main/java/org/jboss/netty/example/securechat/SecureChatSslContextFactory.java
View File

@ -18,16 +18,37 @@ package org.jboss.netty.example.securechat;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.Security; import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import org.jboss.netty.handler.ssl.SslHandler;
/** /**
* Creates a bogus {@link SSLContext}. A client-side context created by this * Creates a bogus {@link SSLContext}. A client-side context created by this
* factory accepts any certificate even if it is invalid. A server-side context * factory accepts any certificate even if it is invalid. A server-side context
* created by this factory sends a bogus certificate defined in {@link SecureChatKeyStore}. * created by this factory sends a bogus certificate defined in {@link SecureChatKeyStore}.
* * <p>
* You will have to create your context differently in a real world application. * You will have to create your context differently in a real world application.
* *
* <h3>Client Certificate Authentication</h3>
*
* To enable client certificate authentication:
* <ul>
* <li>Enable client authentication on the server side by calling
* {@link SSLEngine#setNeedClientAuth(boolean)} before creating
* {@link SslHandler}.</li>
* <li>When initializing an {@link SSLContext} on the client side,
* specify the {@link KeyManager} that contains the client certificate as
* the first argument of {@link SSLContext#init(KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom)}.</li>
* <li>When initializing an {@link SSLContext} on the server side,
* specify the proper {@link TrustManager} as the second argument of
* {@link SSLContext#init(KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom)}
* to validate the the client certificate.</li>
* </ul>
*
* @author The Netty Project (netty-dev@lists.jboss.org) * @author The Netty Project (netty-dev@lists.jboss.org)
* @author Trustin Lee (trustin@gmail.com) * @author Trustin Lee (trustin@gmail.com)
* *