
Currently, I'm using the maven-jaxb2-plugin to generate Java artefacts while consuming a SOAP web service via SSL. I configured my pom.xml per the answer here. But the certificate I used didn't contain any DNS/IP subjects of the server. Then there will be some javax SSL exceptions for no alternative name for the IP address if my WSDL URL is like 'https://XXX.XXX.XXX.XXX:9443/services/testWS?wsdl' in pom.xml. Is there any way to configure JAXB to disable the hostname verification? Thanks.

<build>
<plugins>
    <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
    </plugin>
    <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>properties-maven-plugin</artifactId>
        <version>1.0-alpha-2</version>
        <executions>
            <execution>
                <goals>
                    <goal>set-system-properties</goal>
                </goals>
                <configuration>
                    <properties>
                        <property>
                            <name>javax.net.ssl.keyStore</name>
                            <value>${basedir}/src/test/key.jks</value>
                        </property>
                        <property>
                            <name>javax.net.ssl.keyStorePassword</name>
                            <value>changeit</value>
                        </property>
                    </properties>
                </configuration>
            </execution>
        </executions>
    </plugin>
    <plugin>
        <groupId>org.jvnet.jaxb2.maven2</groupId>
        <artifactId>maven-jaxb2-plugin</artifactId>
        <version>0.12.3</version>
        <executions>
            <execution>
                <id>testproxy.wsdl</id>
                <goals>
                    <goal>generate</goal>
                </goals>
                <configuration>
                    <schemaLanguage>WSDL</schemaLanguage>
                    <generatePackage>my.wsdl.testproxy</generatePackage>
                    <schemas>
                        <schema>
                            <url>http://XXX.XXX.XXX.XXX:9443/services/testWS?wsdl</url>
                        </schema>
                    </schemas>
                </configuration>
            </execution>
        </executions>
    </plugin>
</plugins>
</build>
Community
  • Disabling hostname validation is nearly the same as disabling all validation of the certificate. Thus you disable an essential part of TLS security, i.e. the proper authentication of the peer. This makes man-in-the-middle attacks possible. – Steffen Ullrich Jul 10 '15 at 06:12
  • Well, yes, you're right. It may cause a security leak. But it is just for testing in a development environment. – Jim Xinyan Wei Jul 11 '15 at 06:53
  • Then why do you want to disable name verification only instead of disabling complete validation of the certificate? Because from the standpoint of a potential attacker this is about the same. Apart from that, you might just use local hosts entries with an appropriate name to IP mapping for testing, so you can use the real name but with another IP for testing. Much better to test it this way than to forget to enable certificate validation later. – Steffen Ullrich Jul 11 '15 at 07:08

1 Answer


I generally don't recommend builds which depend on online resources of any kind. Consider making a local copy of the WSDL you want to compile and use a catalog file to rewrite the URI of the online resource to a local resource.

Disclaimer: I'm the author of the .

lexicore
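The local-copy-plus-catalog approach from the answer above, as an added sketch that is not part of the original answer: the WSDL is saved once into the project and a catalog entry maps the `<url>` from the question's pom.xml to that file, so hostname verification never has to be disabled. The file locations and the catalog entry are assumptions for illustration; the URL placeholder is the one used on this page.

```xml
<!-- Added example; the paths below are assumed, adjust to your project.
     src/main/resources/wsdl/testWS.wsdl : WSDL saved once from the server
     src/main/resources/catalog.cat      : one line, whose first string must
                                           match the <url> value exactly:

     REWRITE_SYSTEM "http://XXX.XXX.XXX.XXX:9443/services/testWS?wsdl" "wsdl/testWS.wsdl"

     The second string is resolved relative to the catalog file.
     If the WSDL imports schemas by absolute URL, each of those URLs
     needs its own local copy and catalog entry as well.
-->
<plugin>
    <groupId>org.jvnet.jaxb2.maven2</groupId>
    <artifactId>maven-jaxb2-plugin</artifactId>
    <version>0.12.3</version>
    <executions>
        <execution>
            <id>testproxy.wsdl</id>
            <goals>
                <goal>generate</goal>
            </goals>
            <configuration>
                <schemaLanguage>WSDL</schemaLanguage>
                <generatePackage>my.wsdl.testproxy</generatePackage>
                <schemas>
                    <schema>
                        <!-- Unchanged from the question's pom.xml -->
                        <url>http://XXX.XXX.XXX.XXX:9443/services/testWS?wsdl</url>
                    </schema>
                </schemas>
                <!-- Catalog that redirects the URL above to the local copy -->
                <catalog>src/main/resources/catalog.cat</catalog>
            </configuration>
        </execution>
    </executions>
</plugin>
```

Once every referenced URL resolves through the catalog, code generation reads only local files, and the JVM's certificate and hostname checks stay at their defaults for everything else in the build.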