I have a question regarding TLS/SSL. I am programming a client-server application using Spring HTTP-Invoker. The client is a "classic" desktop application which is distributed via webstart. The server will be running on Tomcat/JBoss. I already tested the invocation with a test-service and it worked like a charm, but now I am trying to use SSL to encrypt the channel. I will post my client-code for clarification:
<bean id="checkFuntionalityService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
    <property name="serviceUrl" value="https://localhost:8443/test-server/remoting/checkFuntionalityService" />
    <property name="serviceInterface" value="at.test.common.remote.CheckFuntionalityService" />
    <property name="httpInvokerRequestExecutor">
        <bean class="org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor">
            <property name="readTimeout" value="5000" />
            <property name="connectTimeout" value="5000" />
        </bean>
    </property>
</bean>
I tried this with a self-signed certificate, which I put into my cacerts store and it works, but I still have some questions:
Is there a way to use a different keystore/truststore on client-side (e.g. classpath:config/test.jks)? My plan is to put my certificate into a new keystore, which I would put into the client project. Is this possible and if so: how can I use this store on client-side? I know a better way would be a certificate from a trusted CA, but this is not an option atm. Also I can't put the key in every user's cacerts store. Any hints for me?
I am also open to any kind of suggestions. Shall I stick to HTTP-Invoker? I could also use Spring RMI-Invoker, I understand that pretty much the only difference is that the HTTP-Invoker uses HTTP-Post to transfer the binary content, which is less likely to be blocked by a firewall, right? But what if firewall configuration is not an issue for me? Shall I use RMI or stick with HTTP-Invoker even then?
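One way to do what the question asks, as an added example that is not part of the original post: build an HttpClient that trusts only the certificates in a truststore bundled on the classpath and hand it to HttpComponentsHttpInvokerRequestExecutor. The class name PinnedTrustExecutorFactory and its parameters are hypothetical; the sketch assumes Apache HttpClient 4.3 or later and a JKS file that holds only the server's public certificate (no private key), since the file ships to every client.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor;

// Hypothetical helper, not part of Spring or of the original post.
public final class PinnedTrustExecutorFactory {

    private PinnedTrustExecutorFactory() { }

    // classpathLocation: e.g. "config/test.jks" (the path mentioned in the question)
    public static HttpComponentsHttpInvokerRequestExecutor create(
            String classpathLocation, char[] storePassword) throws Exception {
        // Load the bundled truststore; fail closed if it is missing.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = PinnedTrustExecutorFactory.class
                .getClassLoader().getResourceAsStream(classpathLocation)) {
            if (in == null) {
                throw new IllegalStateException("Truststore not found: " + classpathLocation);
            }
            trustStore.load(in, storePassword);
        }
        // Trust managers backed only by this store, so the JRE cacerts file
        // is neither consulted nor modified.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        // This constructor keeps HttpClient's default hostname verification,
        // so the certificate must name the host used in serviceUrl.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
        // Same 5000 ms timeouts as the XML configuration in the question.
        RequestConfig timeouts = RequestConfig.custom()
                .setConnectTimeout(5000).setSocketTimeout(5000).build();
        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .setDefaultRequestConfig(timeouts)
                .build();
        return new HttpComponentsHttpInvokerRequestExecutor(httpClient);
    }
}
```

The returned executor can be set as the httpInvokerRequestExecutor property of the HttpInvokerProxyFactoryBean in place of the inner bean. The truststore password only protects the file's integrity; it is not a secret once the file is distributed with the client.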