JCE keystore and untrusted sites

byMarcin Cylke
May 2, 2011
2 minute read

Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included ser…Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included ser…

Recently at work I was in need of connecting to a web service exposed via HTTPS. I’ve been doing this from inside Servicemix 3.3.1, which may seem a bit inhibiting, but that was a requirement. Nevertheless I’ve been trying my luck with the included servicemix-http-2008.01 component. I’ve created a simple Service Unit using that component and made connection attempt. Unfortunately I’ve encountered issues with the SSL conversation negotiation. I had to dig deeper into the servicemix-http code to find out these had something to do with my JCE keystore. Read more to find out what happened!

Ok, so I had my xbean.xml for http component looking like this:

As you can see this is a proxy adapter to some outside service exposed via secured HTTP protocol. Since it’s HTTPS I’ve specified some SSL parameters. It was sufficient in my case to just pass the keystore file and it’s password.

I’ve created my keystore.jks file in smx_home/conf with password servicemix in the following manner:

You can see what’s in this file with this command:

At this point I thought, that having a configured keystore and my component would suffice. Wrong! As soon as I’ve tried to connect to the external service I got an exception:

Hmmm.. this looks pretty nasty, but it’s not that bad. As one can read here, it’s associated with the other site’s having an untrusted (unsigned) certificate. Assuming you actually trust the other end of the communication and this situation is ok for you, you should add the servers certificate to your keystore. The previously mentioned link contained a little java class that would do just that. You can find it here (original code) InstallCert.java or you can look into my slightly changed version here at github.

You should call it as follows, assuming that file keystore.jks is in the current directory:

What you’ll probably see, when you execute this app is this:

Please note that there is a prompt (Enter certificate to add to trusted keystore…) in which you can enter the certificate number you wish to add to your keystore.

After all those steps my request got through and I could happily query HTTPS service as long as I wanted to! Great!

Possible problems

In my search for this problem’s solution I’ve encountered this kind of exception:

A little googling led me to this StackOverflow question.

It seems that you cannot have multiple keys with different passwords in the same keystore and use KeyManagerFactory class. Oh well…

Ending

To sum up, the solution given works, but in my opinion using the InstallCert.java app is rather dirty. I’ve been wondering, do you know other ways of doing that thing?

Marcin Cylke

— Previous article

Using Eclipse snippets for faster JUnit test creation (with Mockito!)

Next article —

Few thoughts on Crockford's "JavaScript: The Good Parts"

Log4j and MDC in Grails

byRafał Nowak
November 5, 2013

Log4j provides very useful feature: MDC - mapped diagnostic context. It can be used to store data in context of current thread. It may sound scary a bit but idea is simple.

My post is based on post http://burtbeckwith.com/blog/?p=521 from Burt Beckwith's excellent blog, it's definitely worth checking if you are interested in Grails.

Short background story...

Suppose we want to do logging our brand new shopping system and we want to have in each log customer's shopping basket number. And our system can be used at once by many users who can perform many transactions, actions like adding items and so on. How can we achieve that? Of course we can add basket number in every place where we do some logging but this task would be boring and error-prone.

Instead of this we can use MDC to store variable with basket number in map.

In fact MDC can be treated as map of custom values for current thread that can be used by logger.

How to do that with Grails?

Using MDC with Grails is quite simple. All we need to do is to create our own custom filter which works for given urls and puts our data in MDC.

Filters in Grails are classes in directory grails-app/conf/* which names end with *Filters.groovy postfix. We can create this class manually or use Grails command:

grails create-filters info.rnowak.App.Basket

In result class named BasketFilters will be created in grails-app/conf/info/rnowak/UberApp.

Initially filter class looks a little bit empty:

class BasketFilters {
    def filters = {
        all(controller:'*', action:'*') {
            before = {

            }
            after = { Map model ->

            }
            afterView = { Exception e ->

            }
        }
    }
}

All we need to do is fill empty closures, modify filter properties and put some data into MDC.

all is the general name of our filter, as class BasketFilters (plural!) can contain many various filters. You can name it whatever you want, for this post let assume it will be named basketFilter.

Another thing is change of filter parameters. According to official documentation (link) we can customize our filter in many ways. You can specify controller to be filtered, its actions, filtered urls and so on. In our example you can stay with default option where filter is applied to every action of every controller. If you are interested in filtering only some urls, use uri parameter with expression describing desired urls to be filtered.

Three closures that are already defined in template have their function and they are started in these conditions:

before - as name says, it is executed before filtered action takes place
after - similarly, it is called after the action
afterView - called after rendering of the actions view

Ok, so now we know what are these mysterious methods and when they are called. But what can be done within them? In official Grails docs (link again) under section 7.6.3 there is a list of properties that are available to use in filter.

With that knowledge, we can proceed to implementing filter.

Putting something into MDC in filter

What we want to do is quite easy: we want to retrieve basket number from parameters and put it into MDC in our filter:

class BasketFilters {
    def filters = {
        basketFilter(controller:'*', action:'*') {
            before = {
                MDC.put("basketNumber", params.basketNumber ?: "")
            }
            after = { Map model ->
                MDC.remove("basketNumber")
            }
        }
    }
}

We retrieve basket number from Grails params map and then we put in map under specified key ("basketNumber" in this case), which will be later used in logger conversion pattern. It is important to remove custom value after processing of action to avoid leaks.

So we are putting something into MDC. But how make use of it in logs?

We can refer to custom data in MDC in conversion patter using syntax: %X{key}, where key is our key we used in filter to put data, like:

def conversionPattern = "%d{yyyy-MM-dd HH:mm:ss} %-5p %t [%c{1}] %X{basketNumber} - %m%n"

And that's it :) We've put custom data in log4j MDC and successfully used it in logs to display interesting values.

DDevelopment & Design

Udana Warsjawa V – 100. spotkanie WJUG

byBartek Zdanowski
October 27, 2012

Nigdy nie piszę relacji z imprez. Dzisiaj mam nastrój.To była V edycja. Dotychczas współorganizowałem edycje III i IV. Tej nie organizowałem i bardzo dobrze, bo powstała nowa zwarta grupa zdolna organizować imprezy WJUGowe. Super.Rozpoczęcie ...