2

Is there a way to request an access token over SSL using Apache Oltu? It works great if I don't use https (port 8443) but just use http...

The code I have:

    OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());

    OAuthClientRequest request = OAuthClientRequest.tokenLocation(MessageFormat.format("https://{0}:8443/applicationId/oauth/token", host)) //
            .setGrantType(GrantType.PASSWORD) //
            .setUsername("username") //
            .setPassword("password") //
            .setClientId("clientId") //
            .buildBodyMessage();

    OAuthAccessTokenResponse oAuthResponse = oAuthClient.accessToken(request);

I get the following exception message:

    org.apache.oltu.oauth2.common.exception.OAuthSystemException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
        at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:108)
        at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65)
        at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55)
        at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:71)

I know there is a way to fix this by overwriting the HostnameVerifier of the HttpsURLConnection, but is there a way to achieve this in Apache Oltu?

    static {
        //for localhost testing only
        javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier(){

            public boolean verify(String hostname,
                    javax.net.ssl.SSLSession sslSession) {
                if (hostname.equals("localhost")) {
                    return true;
                }
                return false;
            }
        });
    }

Mathias G.

1 Answer

1

URLConnectionClient uses HttpsURLConnection so your code should work; have you tried?

Hans Z.
  • When setting the DefaultHostnameVerifier, I got the following exception: `org.apache.oltu.oauth2.common.exception.OAuthSystemException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:108)`. That's why I thought it wasn't working... – Mathias G. Dec 31 '14 at 10:18
  • ok, so you use a self-signed/untrusted cert as well as one that does not match the hostname; then you do not only need to override the hostname verification but also the trust manager as described in http://stackoverflow.com/questions/11857417/x509trustmanager-override-without-allowing-all-certs – Hans Z. Dec 31 '14 at 10:24
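
The approach the last comment points to, trusting one specific certificate rather than all of them, sketched as an added example that is not part of the original thread or of Oltu. The class name `DevTls` and the PEM file argument are assumptions; it relies on `URLConnectionClient` going through `HttpsURLConnection`, as the answer states.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical test helper (not part of Oltu): trust exactly one pinned dev certificate. */
public final class DevTls {
    /** Call once before oAuthClient.accessToken(...). Replaces JVM-wide defaults: test setup only. */
    public static void install(Path pemPath) throws Exception {
        final X509Certificate pinned;
        try (InputStream in = Files.newInputStream(pemPath)) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory trust store holding only the dev server's certificate,
        // so PKIX validation succeeds for that certificate and nothing else.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("dev-server", pinned);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // A name mismatch is tolerated only for "localhost" AND only when the peer
        // presented exactly the pinned certificate; anything else goes to the previous verifier.
        HostnameVerifier previous = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> {
            try {
                Certificate[] chain = session.getPeerCertificates();
                if ("localhost".equals(hostname) && chain.length > 0 && chain[0].equals(pinned)) {
                    return true;
                }
            } catch (SSLPeerUnverifiedException e) {
                return false;
            }
            return previous.verify(hostname, session);
        });
    }
}
```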