5-18 Programming Security for Oracle WebLogic Server
NulledHostnameVerifier class, which always returns true for the comparison. The sample allows the WebLogic SSL client to connect to any SSL server, regardless of whether the server's hostname matches the SubjectDN of its digital certificate.
Example 5–6 Hostname Verifier Sample Code Fragment

public class NulledHostnameVerifier implements weblogic.security.SSL.HostnameVerifier {
    // Deliberately skips the hostname-to-certificate comparison: every peer is accepted.
    public boolean verify(String urlHostname, javax.net.ssl.SSLSession session) {
        return true;
    }
}
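For contrast, the following is an added example, not one of the WebLogic samples: a HostnameVerifier that performs the comparison NulledHostnameVerifier skips. It takes the peer's leaf certificate from the SSLSession, matches the requested hostname against the dNSName entries of the Subject Alternative Name extension (allowing one left-most wildcard label), and falls back to the Subject CN only when no dNSName is present. The class name, the package placement and the RFC 6125 matching policy are this example's own choices; the verify(String, SSLSession) signature is the one shown in Example 5–6.

```java
// Added example (not part of the WebLogic samples). Package placement is hypothetical.
package examples.security.sslclient;

import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class StrictHostnameVerifier implements weblogic.security.SSL.HostnameVerifier {

    public boolean verify(String urlHostname, SSLSession session) {
        if (urlHostname == null || session == null) {
            return false;
        }
        X509Certificate leaf;
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            leaf = (X509Certificate) chain[0];
        } catch (SSLPeerUnverifiedException e) {
            return false; // unauthenticated peer: refuse rather than guess
        }

        String host = urlHostname.toLowerCase(Locale.ROOT);
        try {
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                boolean sawDnsName = false;
                for (List<?> san : sans) {
                    // GeneralName tag 2 is dNSName (RFC 5280)
                    if (Integer.valueOf(2).equals(san.get(0)) && san.get(1) instanceof String) {
                        sawDnsName = true;
                        if (matches(host, ((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                            return true;
                        }
                    }
                }
                if (sawDnsName) {
                    return false; // RFC 6125: once dNSName SANs exist, the CN is not consulted
                }
            }
        } catch (CertificateParsingException e) {
            return false;
        }
        // Legacy fallback: the Subject CN, only when the certificate carries no dNSName SAN
        String cn = commonName(leaf);
        return cn != null && matches(host, cn.toLowerCase(Locale.ROOT));
    }

    // Exact match, or a single left-most wildcard label: "*.example.com" matches
    // "a.example.com" but neither "example.com" nor "a.b.example.com".
    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1);          // ".example.com"
        int firstDot = host.indexOf('.');
        return firstDot > 0
            && host.substring(firstDot).equals(suffix)
            && suffix.indexOf('.', 1) > 0;              // refuse "*.com"-style wildcards
    }

    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                    return (String) rdn.getValue();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable subject: treat as no CN
        }
        return null;
    }
}
```

Every failure path returns false, so a missing peer certificate, an unparsable extension or a mismatch all terminate the handshake instead of being silently accepted.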
5.4.5 Using a Trust Manager
The weblogic.security.SSL.TrustManager interface provides the ability to:
■ Ignore specific certificate validation errors
■ Perform additional validation on the peer certificate chain
When an SSL client connects to an instance of WebLogic Server, the server presents its digital certificate chain to the client for authentication. That chain could contain an
invalid digital certificate. The SSL specification says that the client should drop the SSL connection upon discovery of an invalid certificate. You can use a custom
implementation of the TrustManager interface to control when to continue or discontinue an SSL handshake. Using a trust manager, you can ignore certain
validation errors, optionally perform custom validation checks, and then decide whether or not to continue the handshake.
Use the weblogic.security.SSL.TrustManager interface to create a trust manager. The interface contains a set of error codes for certificate verification. You can
also perform additional validation on the peer certificate and interrupt the SSL handshake if need be. After a digital certificate has been verified, the
weblogic.security.SSL.TrustManager interface uses a callback function to override the result of verifying the digital certificate. You can associate an instance of a
trust manager with an SSL context through the setTrustManager method.
You can only set up a trust manager programmatically; its use cannot be defined through the Administration Console or on the command line.
Example 5–7 shows code fragments from the NulledTrustManager example; the complete example is located in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory, in the NulledTrustManager.java file. The SSLSocketClient example uses this custom trust manager and shows how to set up a new SSL connection by using an SSL context with the trust manager.
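The following is an added example, not one of the WebLogic samples, showing the defensive counterpart of NulledTrustManager. It uses the certificateCallback(X509Certificate[], int) hook described above in both of the ways the interface allows: it refuses to ignore any validation error WebLogic reports, and it adds a check of its own by pinning the SHA-256 fingerprint of the server's leaf certificate to a short allow-list (two entries, so a certificate rotation can be staged). The static newContext() method wires the trust manager into a WebLogic SSL context through setTrustManager, as the SSLSocketClient sample does. Assumptions: the ERR_NONE constant is taken to be the interface's "no error" code (confirm the name against the javadoc of the installed release), the fingerprints are constructed placeholders, and the protocol string passed to SSLContext.getInstance is the one the installed release accepts.

```java
// Added example (not part of the WebLogic samples). Package placement is hypothetical.
package examples.security.sslclient;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import weblogic.security.SSL.SSLContext;
import weblogic.security.SSL.TrustManager;

public class PinnedTrustManager implements TrustManager {

    // Constructed placeholders: replace with the SHA-256 of the current and the next
    // server certificate (DER encoding), hex encoded.
    private static final List<String> PINNED_LEAF_SHA256 = Arrays.asList(
        "0000000000000000000000000000000000000000000000000000000000000000",
        "1111111111111111111111111111111111111111111111111111111111111111");

    public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
        // Assumption: TrustManager.ERR_NONE is the "no validation error" code. Any other
        // code ends the handshake; this trust manager ignores nothing.
        if (validateErr != TrustManager.ERR_NONE) {
            System.err.println("SSL handshake rejected: validateErr=" + validateErr);
            return false;
        }
        if (chain == null || chain.length == 0) {
            return false;
        }
        try {
            // Additional validation: the leaf certificate must be one we expect.
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            for (String pin : PINNED_LEAF_SHA256) {
                if (MessageDigest.isEqual(hexToBytes(pin), actual)) {   // constant-time compare
                    return true;
                }
            }
            System.err.println("SSL handshake rejected: leaf certificate not pinned, subject="
                + chain[0].getSubjectX500Principal());
            return false;
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            return false; // fail closed on any processing error
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Associates the trust manager with a WebLogic SSL context, following the
    // SSLSocketClient pattern; the protocol string is assumed to be accepted by this release.
    public static SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.setTrustManager(new PinnedTrustManager());
        return ctx;
    }
}
```

Because the callback runs after WebLogic's own verification, returning false here can only tighten the outcome; the pin list is the one piece of state an operator must keep current, and the second entry exists so the next certificate can be added before the current one is retired.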
Note: This interface takes new style certificates and replaces the weblogic.security.SSL.TrustManagerJSSE interface, which is deprecated.
Note: Depending on the checks performed, use of a trust manager may potentially impact performance.
Using SSL Authentication in Java Clients 5-19
Example 5–7 NulledTrustManager Sample Code Fragments

package examples.security.sslclient;

import weblogic.security.SSL.TrustManager;
import java.security.cert.X509Certificate;
...
public class NulledTrustManager implements TrustManager {
    // Deliberately ignores validateErr and accepts every chain: the sample is for demonstration only.
    public boolean certificateCallback(X509Certificate[] o, int validateErr) {
        System.out.println(" --- Do Not Use In Production ---\n" +
            " By using this NulledTrustManager, the trust in" +
            " the server's identity is completely lost.\n" +
            " --------------------------------");
        for (int i = 0; i < o.length; i++)
            System.out.println(" certificate " + i + " -- " + o[i].toString());
        return true;
    }
}
5.4.6 Using the CertPath Trust Manager