This package provides classes to interactively let the user accept or refuse
invalid server certificates in a way similar to the behaviour of modern
web browsers.
Customizing the checking of server certificates is normally done in Java by
implementing both a {@link javax.net.ssl.HostnameVerifier} and a
{@link javax.net.ssl.X509TrustManager}. The HostnameVerifier is responsible for
matching the hostname of the server against the server certificate, while the
TrustManager performs the various checks on the validity of the certificate
chain. A HostnameVerifier implementation cannot do both, since its verify()
method is only called when the hostname does not match. On the other hand, an
(X509)TrustManager implementation does not get the hostname of the server.
Since we want the user to get only one prompt upon error, we extend
{@link javax.net.ssl.HttpsURLConnection} into
{@link nl.nikhef.slcshttps.trust.HttxURLConnection}, which sets static hostname
and port fields inside the {@link nl.nikhef.slcshttps.trust.TrustManagerImpl}
class. Note that this means that HttxURLConnection is not thread-safe, but
thread safety is hard to implement in any case, since the set of already
accepted certificates should be global across threads.
All checks are now done using only the TrustManager, which internally uses
{@link nl.nikhef.slcshttps.trust.HostnameChecker} and
{@link nl.nikhef.slcshttps.trust.CertChainChecker} for this.
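
The same single-prompt design can avoid the static hostname field on Java 7 and later, where an X509ExtendedTrustManager is handed the connection and can read the peer host from the handshake session. The following is an added example, not code from this package: PromptingTrustManager, its prompt callback and the "host|fingerprint" key format are hypothetical names and assumptions.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.function.BiPredicate;
import javax.net.ssl.*;

// Added sketch, not slcshttps code: class and parameter names are hypothetical.
public class PromptingTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager platform;            // default JSSE checks
    private final BiPredicate<String, X509Certificate> prompt;  // true = user accepts
    private final Set<String> accepted = new HashSet<>();       // "host|sha256(leaf)"

    public PromptingTrustManager(X509ExtendedTrustManager platform,
                                 BiPredicate<String, X509Certificate> prompt) {
        this.platform = platform;
        this.prompt = prompt;
    }

    // synchronized: one prompt at a time, one accepted set shared by all threads.
    private synchronized void decide(SSLSession hs, X509Certificate leaf,
                                     CertificateException cause) throws CertificateException {
        String host = (hs == null) ? null : hs.getPeerHost();
        if (host == null) throw cause;                           // no context: fail closed
        String key;
        try {
            byte[] fp = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            key = host + "|" + Base64.getEncoder().encodeToString(fp);
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
        if (!accepted.contains(key) && !prompt.test(host, leaf)) throw cause;
        accepted.add(key);                                       // this exact cert, this host only
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s)
            throws CertificateException {
        // Chain checks, plus hostname matching when the socket's endpoint
        // identification algorithm is set to "HTTPS".
        try { platform.checkServerTrusted(c, a, s); }
        catch (CertificateException e) {
            decide(s instanceof SSLSocket ? ((SSLSocket) s).getHandshakeSession() : null, c[0], e);
        }
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine en)
            throws CertificateException {
        try { platform.checkServerTrusted(c, a, en); }
        catch (CertificateException e) { decide(en.getHandshakeSession(), c[0], e); }
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("no connection context"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { platform.checkClientTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { platform.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine en) throws CertificateException { platform.checkClientTrusted(c, a, en); }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

Keying each acceptance on the host together with the leaf certificate's fingerprint means a user's "accept" covers only that certificate on that server, and a different certificate presented later prompts again.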
@see nl.nikhef.slcshttps
@see http://www.nikhef.nl/pub/projects/grid/slcshttps/
@since 0.1