Replies: 3 - Last Post: Mar 25, 2008 9:31 PM by: marshalking
Suggestion of extending functionality of DefaultCallbackHandler
Posted: Mar 10, 2008 6:25 PM
The DefaultCallbackHandler is quite good in most cases, but it does have some limitations that I hope can be solved soon.
Using a JKS keystore and truststore is a design assumption, which is OK for me, but it doesn't allow you to change the truststore dynamically at runtime in the DefaultCallbackHandler. Let's imagine such a scenario: I have a certificate service from which the client can dynamically download any certificate she wants to use. We can add the downloaded certs to the JKS truststore, however the DefaultCallbackHandler wouldn't pick them up because the trustStore is initialized only once. Also, as trustStore is private, there is currently no easy way to do that except implementing a customized CallbackHandler, which is somewhat a copy of the DefaultCallbackHandler.
I don't know if there are any conflicts in the design to add this capability, but by simply opening a setter or re-initialize function for trustStore, we can achieve the functionality of changing the trustStore dynamically, which will be much more flexible in the real world.
Re: Suggestion of extending functionality of DefaultCallbackHandler
Posted: Mar 17, 2008 8:34 PM
in response to: marshalking
The question seems to have been solved in this thread: http://forums.java.net/jive/thread.jspa?threadID=35643
The solution was to write your own KeyStoreCallbackHandler and TrustStoreCallbackHandler, which is acceptable. And we have to use the latest build of Metro...
Re: Suggestion of extending functionality of DefaultCallbackHandler
Posted: Mar 17, 2008 11:21 PM
in response to: marshalking
Hi,
If you write your own CallbackHandler then you are not tied to the keystore/truststore model and can get things from anywhere.
With the new KeyStoreCallbackHandler and TrustStoreCallbackHandler that are supported, we still initialize the Keystore and Truststore only once. We don't try to do it with every call. Let me know if this is not the right model for you. We can support (under a configurable option) calling the TrustStoreCallbackHandler and KeyStoreCallbackHandler for every request, but that seems like overkill to me (of course it depends on what you really do inside the CBH).
Thanks.
Re: Suggestion of extending functionality of DefaultCallbackHandler
Posted: Mar 25, 2008 9:31 PM
in response to: kumarjayanti
Thanks, Kumar. As long as there is a mechanism for me to use customized KeyStores and TrustStores through CallbackHandlers or whatever, I am satisfied, because I can re-load certificates in my own handler. So there is no obvious requirement for the run-time to initialize the Keystore and Truststore more than once.
BTW, when will these two new CallbackHandlers come out in an official version? Currently I'm using a nightly build.
Regards.
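The approach the replies converge on, a custom CallbackHandler that re-loads the truststore itself so the runtime can keep initializing it once, as an added example in plain Java (this is not code from the thread, from Metro, or from either poster). `TrustStoreCallback` is a hypothetical stand-in for whatever callback object the runtime actually hands the handler; the "downloaded" certificate is constructed locally with the JDK's keytool so the demo runs offline. The store is re-read only when the JKS file's mtime or size changes, and the file is replaced with a single rename so a concurrent reload never parses a half-written keystore.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.callback.*;

/** Hypothetical callback: stands in for whatever object the runtime passes to ask the handler for a truststore. */
class TrustStoreCallback implements Callback {
    private KeyStore trustStore;
    public KeyStore getTrustStore() { return trustStore; }
    public void setTrustStore(KeyStore ks) { trustStore = ks; }
}

/** A JKS truststore that is re-read from disk when the file changes, instead of being loaded exactly once. */
class ReloadingTrustStore {
    private final Path path;
    private final char[] password;
    private KeyStore cached;
    private FileTime loadedMtime;
    private long loadedSize;
    private int reloads;

    ReloadingTrustStore(Path path, char[] password) {
        this.path = path;
        this.password = password.clone();
    }

    static KeyStore loadJks(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password); // a non-null password also verifies the JKS integrity MAC on load
        }
        return ks;
    }

    /** Returns the current store; the reload happens under the lock so callers never see a half-built store. */
    synchronized KeyStore current() throws IOException, GeneralSecurityException {
        FileTime mtime = Files.getLastModifiedTime(path);
        long size = Files.size(path);
        // mtime alone can miss a rewrite within one timestamp tick on coarse filesystems, so the size is checked too
        if (cached == null || !mtime.equals(loadedMtime) || size != loadedSize) {
            cached = loadJks(path, password);
            loadedMtime = mtime;
            loadedSize = size;
            reloads++;
        }
        return cached;
    }

    synchronized int reloadCount() { return reloads; }
}

/** The custom CallbackHandler: answers TrustStoreCallback from the reloading store and rejects anything else. */
class ReloadingTrustStoreCallbackHandler implements CallbackHandler {
    private final ReloadingTrustStore store;
    ReloadingTrustStoreCallbackHandler(ReloadingTrustStore store) { this.store = store; }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof TrustStoreCallback)) throw new UnsupportedCallbackException(cb);
            try {
                ((TrustStoreCallback) cb).setTrustStore(store.current());
            } catch (GeneralSecurityException e) {
                throw new IOException("truststore reload failed", e);
            }
        }
    }
}

public class ReloadingTrustStoreDemo {
    static void keytool(String... args) throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>();
        cmd.add("keytool");
        Collections.addAll(cmd, args);
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed: " + cmd);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("reloading-truststore");
        Path trust = dir.resolve("trust.jks");
        char[] pw = "changeit".toCharArray();

        // 1. Start with an empty JKS truststore on disk.
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, pw);
        try (OutputStream out = Files.newOutputStream(trust)) { empty.store(out, pw); }

        ReloadingTrustStore rts = new ReloadingTrustStore(trust, pw);
        CallbackHandler handler = new ReloadingTrustStoreCallbackHandler(rts);
        TrustStoreCallback cb = new TrustStoreCallback();
        handler.handle(new Callback[] { cb });
        System.out.println("aliases before: " + Collections.list(cb.getTrustStore().aliases()));

        // 2. Stand-in for the "downloaded" certificate: a self-signed cert generated locally with keytool.
        Path issuer = dir.resolve("issuer.jks");
        keytool("-genkeypair", "-alias", "issuer", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=constructed test CA", "-validity", "1", "-keystore", issuer.toString(),
                "-storetype", "JKS", "-storepass", "changeit", "-keypass", "changeit");
        Path cer = dir.resolve("issuer.cer");
        keytool("-exportcert", "-alias", "issuer", "-keystore", issuer.toString(),
                "-storepass", "changeit", "-file", cer.toString());
        Certificate downloaded;
        try (InputStream in = Files.newInputStream(cer)) {
            downloaded = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // 3. Add it to a fresh copy of the on-disk store and swap the file in with one rename.
        KeyStore updated = ReloadingTrustStore.loadJks(trust, pw);
        updated.setCertificateEntry("issuer", downloaded);
        Path tmp = dir.resolve("trust.jks.tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) { updated.store(out, pw); }
        Files.move(tmp, trust, StandardCopyOption.REPLACE_EXISTING);

        // 4. Same handler instance, no restart: the next callback is served from the re-read store.
        handler.handle(new Callback[] { cb });
        System.out.println("aliases after: " + Collections.list(cb.getTrustStore().aliases()));
        System.out.println("reloads: " + rts.reloadCount());
    }
}
```

Run with `javac ReloadingTrustStoreDemo.java && java ReloadingTrustStoreDemo` on a JDK (keytool must be on the PATH). The first callback sees an empty alias list; after the file swap the second callback sees the `issuer` alias and the reload counter reads 2, without the handler or the store ever having been re-created. Keep the integrity password non-null on `load`: with a null password JKS skips the MAC check, and a writable truststore path becomes a trust-injection point.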