Secure Socket
Purpose
Builds secure socket (TLS) configurations for the Apache HttpClient: http://hc.apache.org/httpcomponents-client-4.5.x/tutorial/html/index.html
Methods
Binding name: p6.securesocket
Method: SecureContextBuilder contextBuilder()
Creates a new SecureContextBuilder that can be used to build a SecureContext that is used to obtain a CloseableHttpClient or an HttpClientBuilder
SecureContextBuilder
- setType( SecureContext.BundleType type )
  - See SecureContext.BundleType below.
- setStrict( boolean strict )
  - true to enable strict hostname validation (otherwise no hostname verification will be performed)
- setTrustSelfSigned( boolean trustSelfSigned )
  - true to accept self signed server certificates
- setIdentityPrivateKeyPath( String identityPrivateKeyPath )
  - The path or URI to a PEM formatted private key to read and build into a client identity store
- setIdentityCertsPaths( List identityCertsPaths )
  - A List of paths or URIs to PEM formatted certificate bundles to read and build into a client identity store
- setIdentityCertsPaths( String csvIdentityCertsPaths )
  - A comma separated list of paths or URIs to PEM formatted certificate bundles to read and build into a client identity store
- setTrustCertsPaths( List trustCertsPaths )
  - A List of paths or URIs to PEM formatted certificate bundles to read and build into a trust store
- setSNIServerNames( String sniServerNames )
  - A comma separated list of desired SNIServerNames. Server names of type host_name are used in a Server Name Indication (SNI) extension. As described in section 3, “Server Name Indication”, of TLS Extensions (RFC 6066), “HostName” contains the fully qualified DNS hostname of the server, as understood by the client.
SecureContext.BundleType
- ONE_WAY
  - Only the client validates the server, to ensure that it receives data from the intended server
- TWO_WAY
  - Both client and server authenticate each other, to ensure that both parties involved in the communication are trusted
- ONE_WAY_TRUST_ANY (default)
  - As ONE_WAY except that ANY server certificate is trusted, i.e. the server is not authenticated
- TWO_WAY_TRUST_ANY
  - As TWO_WAY except that ANY server certificate is trusted (the client still presents its own identity)
- NONE
  - A pass-thru type that allows plain http client connections (all other setters are ignored)
Method: CloseableHttpClient clientBuild( SecureContext secureContext )
Given a context built by the SecureContextBuilder, an Apache HttpClient is created with a correctly defined https connection factory.
Method: HttpClientBuilder clientBuilder( SecureContext secureContext )
Given a context built by the SecureContextBuilder, an Apache HttpClientBuilder is created with a correctly defined https connection factory. Access to the builder allows the user to further customise the behaviour of the HttpClient that is built.
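The setters above combine into a server-authenticating configuration as follows. This is an added example, not code from the page or from the P6 project: ONE_WAY validates the server's chain against an explicit PEM trust bundle and setStrict(true) ties the certificate to the requested hostname, in contrast to the default ONE_WAY_TRUST_ANY, which accepts any server certificate. The trust bundle path, the two hostnames (one service assumed to chain to that bundle, one public test host with a self-signed certificate) and the fetchStatus helper are assumptions; SecureContext and P6_DATA are taken to be in scope as in the page's own examples.

```groovy
import org.apache.http.client.methods.HttpGet
import org.apache.http.util.EntityUtils
import javax.net.ssl.SSLException

// Assumed path (not from the page): a PEM bundle holding the CA certificate(s) that
// issued the certificates of the servers this client is meant to talk to.
// ${P6_DATA} follows the convention of the page's own examples.
def trustBundle = "file://${P6_DATA}/resources/certificates/trusted-ca.pem".toString()

// ONE_WAY validates the server chain against the trust store; setStrict(true) additionally
// requires the certificate to match the requested hostname. Leaving setType() unset would
// select the default ONE_WAY_TRUST_ANY, which accepts any server certificate.
def ctx = p6.securesocket.contextBuilder()
    .setType( SecureContext.BundleType.ONE_WAY )
    .setStrict( true )
    .setTrustCertsPaths( [ trustBundle ] )
    .build()

// GET the URL and return the HTTP status code, or null when TLS validation fails.
// Client and response are both closed via Groovy's withCloseable, and the entity is
// consumed so that the underlying connection is released back to the pool.
def fetchStatus = { String url ->
    try {
        return p6.securesocket.clientBuild( ctx ).withCloseable { client ->
            client.execute( new HttpGet( url ) ).withCloseable { response ->
                EntityUtils.consume( response.entity )
                response.statusLine.statusCode
            }
        }
    } catch ( SSLException e ) {
        // An untrusted chain or a hostname mismatch surfaces here instead of as a "successful" response
        println "TLS validation failed for ${url}: ${e.message}"
        return null
    }
}

// Assumed host: a service whose certificate chains to trusted-ca.pem, expected to return 200 ...
println fetchStatus( 'https://api.example.com/health' )
// ... and a public test host with a self-signed certificate. With the context above this
// call is refused (null); with the default ONE_WAY_TRUST_ANY context it would succeed.
println fetchStatus( 'https://self-signed.badssl.com/' )
```

The second call is the useful check when rolling out a configuration: if it does not fail, the client is not actually validating the server, whatever the builder chain looks like.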
Examples
import org.apache.http.client.methods.HttpGet
// No setType(): the default ONE_WAY_TRUST_ANY context is used, which accepts any server certificate
def httpClient = p6.securesocket.clientBuild( p6.securesocket.contextBuilder().build() )
def getMethod = new HttpGet( "https://www.amalto.com" )
def response = httpClient.execute( getMethod )

import org.apache.http.client.methods.HttpGet
import org.apache.http.client.config.RequestConfig
// ONE_WAY: the server certificate chain is validated
def ctx = p6.securesocket.contextBuilder().setType( SecureContext.BundleType.ONE_WAY ).build();
// Use the builder form to add request timeouts and disable unneeded client features
def cb = p6.securesocket.clientBuilder( ctx );
def timeout = 60
def config = RequestConfig.custom()
    .setConnectTimeout( timeout * 1000 )
    .setConnectionRequestTimeout( timeout * 1000 )
    .setSocketTimeout( timeout * 1000 )
    .build()
def httpClient = cb
    .disableAuthCaching()
    .disableAutomaticRetries()
    .disableCookieManagement()
    .setDefaultRequestConfig( config )
    .build()
def getMethod = new HttpGet( "https://www.amalto.com" )
def response = httpClient.execute( getMethod )
With SNI
import org.apache.http.client.methods.HttpGet
import org.apache.http.client.config.RequestConfig
def ctx = p6.securesocket.contextBuilder()
.setType( SecureContext.BundleType.ONE_WAY )
.setSNIServerNames( 'tls-v1-2.badssl.com' )
.build();
def cb = p6.securesocket.clientBuilder( ctx );
def timeout = 60
def config = RequestConfig.custom()
.setConnectTimeout( timeout * 1000 )
.setConnectionRequestTimeout( timeout * 1000 )
.setSocketTimeout( timeout * 1000 )
.build()
def httpClient = cb
.disableAuthCaching()
.disableAutomaticRetries()
.disableCookieManagement()
.setDefaultRequestConfig( config )
.build()
def getMethod = new HttpGet( 'https://tls-v1-2.badssl.com:1012/' )
def response = httpClient.execute( getMethod )
import org.apache.http.client.methods.HttpPost
// TWO_WAY_TRUST_ANY: the client presents the identity built from the key and certificate
// below, but any server certificate is accepted
def ctx = p6.securesocket.contextBuilder()
    .setType( SecureContext.BundleType.TWO_WAY_TRUST_ANY )
    .setIdentityPrivateKeyPath( "file://${P6_DATA}/resources/certificates/privatekey.pem" )
    .setIdentityCertsPaths( "file://${P6_DATA}/resources/certificates/publickey.pem" )
    .build();
p6.securesocket.clientBuild( ctx ).withCloseable { client ->
    def response = client.execute( new HttpPost( "https://httpbin.org/post" ) )
}

import org.apache.http.client.methods.HttpGet
// NONE: plain http pass-thru, all other setters are ignored
def ctx = p6.securesocket.contextBuilder()
    .setType( SecureContext.BundleType.NONE )
    .build();
p6.securesocket.clientBuild( ctx ).withCloseable { client ->
    def response = client.execute( new HttpGet( "http://localhost:8091/metrics" ) )
}
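The TWO_WAY_TRUST_ANY example above presents a client identity but does not authenticate the server. As an added example (not the page's or P6's own code), the full mutual-TLS form uses TWO_WAY with an explicit trust bundle and strict hostname checking, so both directions of the handshake are verified, and applies the request timeouts from the earlier examples. The certificate file names under ${P6_DATA}, the partner endpoint and the request body are assumptions; SecureContext and P6_DATA are taken to be in scope as in the page's own examples.

```groovy
import org.apache.http.client.methods.HttpPost
import org.apache.http.client.config.RequestConfig
import org.apache.http.entity.StringEntity
import org.apache.http.entity.ContentType
import org.apache.http.util.EntityUtils

// Assumed file names (not from the page); plain String concatenation so the List
// entries handed to the builder are Strings rather than GStrings.
def certDir = "file://${P6_DATA}/resources/certificates".toString()

// TWO_WAY: the client presents its own certificate chain AND validates the server
// against server-ca.pem. Contrast with TWO_WAY_TRUST_ANY in the example above, which
// presents the identity but accepts any server certificate.
def ctx = p6.securesocket.contextBuilder()
    .setType( SecureContext.BundleType.TWO_WAY )
    .setStrict( true )
    .setIdentityPrivateKeyPath( certDir + '/client-key.pem' )
    // leaf certificate first, followed by the intermediate that issued it
    .setIdentityCertsPaths( [ certDir + '/client-cert.pem', certDir + '/intermediate-ca.pem' ] )
    .setTrustCertsPaths( [ certDir + '/server-ca.pem' ] )
    .build()

// Bounded timeouts so a stalled handshake or slow peer cannot hold the thread indefinitely
def timeoutMillis = 15 * 1000
def config = RequestConfig.custom()
    .setConnectTimeout( timeoutMillis )
    .setConnectionRequestTimeout( timeoutMillis )
    .setSocketTimeout( timeoutMillis )
    .build()

def httpClient = p6.securesocket.clientBuilder( ctx )
    .disableAutomaticRetries()
    .disableCookieManagement()
    .setDefaultRequestConfig( config )
    .build()

// Assumed endpoint: the server side must be configured to require client certificates
def post = new HttpPost( 'https://partner-api.example.com/v1/orders' )
post.entity = new StringEntity( '{"orderId":"example-123"}', ContentType.APPLICATION_JSON )

httpClient.withCloseable { client ->
    client.execute( post ).withCloseable { response ->
        def status = response.statusLine.statusCode
        def body = EntityUtils.toString( response.entity )
        // Reaching this point means both handshake directions succeeded: the server accepted
        // our identity and its chain validated against server-ca.pem with a matching hostname
        println "status=${status} body=${body}"
    }
}
```

If the server rejects the client certificate the failure is raised from execute() as an SSLException (or a TLS alert surfaced as an IOException, depending on the server), so wrap the call as in the one-way example when the outcome needs to be handled rather than propagated.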