
Using SSL Authentication in Java Clients 5-19

Example 5–7 NulledTrustManager Sample Code Fragments

  package examples.security.sslclient;

  import weblogic.security.SSL.TrustManager;
  import java.security.cert.X509Certificate;
  ...
  public class NulledTrustManager implements TrustManager {

    // Called by the SSL layer with the server's certificate chain; validateErr
    // carries the result of the built-in validation. Returning true overrides
    // any error, so this class accepts every chain unconditionally.
    public boolean certificateCallback(X509Certificate[] o, int validateErr) {
      System.out.println(" --- Do Not Use In Production ---\n" +
                         " By using this NulledTrustManager, the trust in" +
                         " the server's identity is completely lost.\n" +
                         " --------------------------------");
      for (int i = 0; i < o.length; i++)
        System.out.println(" certificate " + i + " -- " + o[i].toString());
      return true;
    }
  }

5.4.6 Using the CertPath Trust Manager

The CertPathTrustManager, weblogic.security.SSL.CertPathTrustManager, uses the CertPath validation providers configured in the default security realm to perform additional validation such as revocation checking. By default, application code using outbound SSL in the server has access only to the built-in SSL certificate validation. However, application code can specify the CertPathTrustManager in order to access any additional certificate validation that the administrator has configured for the server. If you want your application code to also run the CertPath validators, the application code should use the CertPathTrustManager. There are three ways to use this class:

■ The Trust Manager calls the configured CertPathValidators only if the administrator has set a switch on the SSLMBean stating that outbound SSL should use the validators. That is, the application completely delegates validation to whatever the administrator configures. You use the setUseConfiguredSSLValidation method for this purpose. This is the default.

■ The Trust Manager always calls any configured CertPathValidators. You use the setBuiltinSSLValidationAndCertPathValidators method for this purpose.

■ The Trust Manager never calls any configured CertPathValidators. You use the setBuiltinSSLValidationOnly method for this purpose.
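The three modes above, selected from client code. This is an added example and not Oracle's sample code: it assumes that CertPathTrustManager has a public no-argument constructor, it relies on the getInstance, setTrustManager and getSocketFactory methods of weblogic.security.SSL.SSLContext, and the CertPathClient class name and its Mode enum are invented for the example.

```java
package examples.security.sslclient;

import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import weblogic.security.SSL.CertPathTrustManager;
import weblogic.security.SSL.SSLContext;
import weblogic.security.SSL.SSLSocketFactory;

// Added example, not part of the Oracle documentation: selects one of the
// three CertPathTrustManager modes and installs the trust manager on a
// WebLogic SSLContext used for outbound connections.
public class CertPathClient {

  // Mode names are invented for this example; each maps to exactly one setter.
  public enum Mode {
    USE_CONFIGURED,   // honour the SSLMBean switch set by the administrator (the default)
    ALWAYS_VALIDATE,  // built-in validation plus every configured CertPathValidator
    BUILTIN_ONLY      // built-in validation only; CertPathValidators are never called
  }

  public static CertPathTrustManager newTrustManager(Mode mode) {
    // Assumption: CertPathTrustManager offers a public no-argument constructor.
    CertPathTrustManager tm = new CertPathTrustManager();
    switch (mode) {
      case ALWAYS_VALIDATE:
        tm.setBuiltinSSLValidationAndCertPathValidators();
        break;
      case BUILTIN_ONLY:
        tm.setBuiltinSSLValidationOnly();
        break;
      default:
        tm.setUseConfiguredSSLValidation();
        break;
    }
    return tm;
  }

  // Opens an outbound SSL connection whose server certificate chain is checked
  // by the built-in validation and, depending on the mode, by the realm's
  // CertPathValidators (for example revocation checking).
  // GeneralSecurityException is declared defensively in case getInstance
  // reports an unknown protocol as a checked exception.
  public static Socket connect(String host, int port, Mode mode)
      throws IOException, GeneralSecurityException {
    SSLContext ctx = SSLContext.getInstance("https");
    ctx.setTrustManager(newTrustManager(mode));
    SSLSocketFactory factory = ctx.getSocketFactory();
    return factory.createSocket(host, port);
  }
}
```

Choosing ALWAYS_VALIDATE makes the application's revocation policy independent of the SSLMBean switch, which is the safer choice when the code must not silently fall back to built-in validation alone because an administrator changed the server configuration.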

5.4.7 Using a Handshake Completed Listener

The javax.net.ssl.HandshakeCompletedListener interface defines how an SSL client receives notifications about the completion of an SSL protocol handshake on a given SSL connection. Example 5–8 shows code fragments from the MyListener example; the complete example is located in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory in the MyListener.java file.

5-20 Programming Security for Oracle WebLogic Server

Example 5–8 MyListener HandshakeCompletedListener Sample Code Fragments

  package examples.security.sslclient;

  import java.io.File;
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.OutputStream;
  import java.io.FileInputStream;
  import java.security.cert.Certificate;
  import java.util.Hashtable;
  import javax.net.ssl.HandshakeCompletedListener;
  import javax.net.ssl.SSLPeerUnverifiedException;
  import javax.net.ssl.SSLSession;
  ...
  public class MyListener implements HandshakeCompletedListener {

    // Invoked once the handshake on the socket has finished; the event
    // carries the negotiated session.
    public void handshakeCompleted(javax.net.ssl.HandshakeCompletedEvent event) {
      SSLSession session = event.getSession();
      System.out.println("Handshake Completed with peer " + session.getPeerHost());
      System.out.println("   cipher: " + session.getCipherSuite());
      Certificate[] certs = null;
      try {
        certs = session.getPeerCertificates();
      } catch (SSLPeerUnverifiedException puv) {
        // The peer's identity was not verified, so no chain is available.
        certs = null;
      }
      if (certs != null) {
        System.out.println("   peer certificates:");
        for (int z = 0; z < certs.length; z++)
          System.out.println("      certs[" + z + "]: " + certs[z]);
      } else {
        System.out.println("No peer certificates presented");
      }
    }
  }
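A listener that goes one step beyond printing the session, as an added example rather than Oracle's sample: it checks the negotiated protocol and cipher suite against an allowlist and confirms that an X.509 peer chain is present. The enforcement happens in the connecting code after startHandshake() returns rather than inside the listener, because JSSE may deliver the HandshakeCompletedEvent on a separate notification thread. The AuditingListener class, the checkPolicy method and the allowlist values are constructed for this example.

```java
package examples.security.sslclient;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not part of the Oracle sample: audits what a handshake
// actually negotiated and lets the caller enforce a policy on it.
public class AuditingListener implements HandshakeCompletedListener {

  // Policy values are assumptions for this example; align them with your own standard.
  private static final Set<String> ALLOWED_PROTOCOLS =
      new HashSet<String>(Arrays.asList("TLSv1.2", "TLSv1.3"));
  private static final String[] REJECTED_SUITE_MARKERS =
      { "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_" };

  // Returns null when the session is acceptable, otherwise the reason it is not.
  public static String checkPolicy(SSLSession session) {
    String protocol = session.getProtocol();
    if (!ALLOWED_PROTOCOLS.contains(protocol)) {
      return "protocol " + protocol + " is not allowed";
    }
    String suite = session.getCipherSuite();
    for (String marker : REJECTED_SUITE_MARKERS) {
      if (suite.contains(marker)) {
        return "cipher suite " + suite + " is not allowed";
      }
    }
    try {
      Certificate[] chain = session.getPeerCertificates();
      if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
        return "peer presented no X.509 certificate";
      }
    } catch (SSLPeerUnverifiedException e) {
      return "peer identity was not verified";
    }
    return null;
  }

  // Logging only: JSSE may call this on a separate notification thread, so the
  // connection is never closed from here.
  public void handshakeCompleted(HandshakeCompletedEvent event) {
    SSLSession session = event.getSession();
    String subject = "<unverified>";
    try {
      Certificate[] chain = session.getPeerCertificates();
      if (chain.length > 0 && chain[0] instanceof X509Certificate) {
        subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
      }
    } catch (SSLPeerUnverifiedException e) {
      // keep the placeholder subject
    }
    String verdict = checkPolicy(session);
    System.out.println("handshake with " + session.getPeerHost()
        + " protocol=" + session.getProtocol()
        + " suite=" + session.getCipherSuite()
        + " peer=" + subject
        + " policy=" + (verdict == null ? "ok" : verdict));
  }

  // The listener must be registered before the handshake starts. The policy is
  // enforced here, synchronously, once startHandshake() has returned.
  public static SSLSocket connect(SSLSocketFactory factory, String host, int port)
      throws IOException {
    SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
    socket.addHandshakeCompletedListener(new AuditingListener());
    socket.startHandshake();
    String verdict = checkPolicy(socket.getSession());
    if (verdict != null) {
      socket.close();
      throw new IOException("rejecting connection to " + host + ": " + verdict);
    }
    return socket;
  }
}
```

Keeping the listener free of side effects and re-running checkPolicy on socket.getSession() after startHandshake() avoids a race in which application data is written before the asynchronous listener has had a chance to object to the negotiated parameters.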

5.4.8 Using an SSLContext