Details
-
Type:
Improvement
-
Status:
In Progress
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: HTTPBuilder-0.5.1
-
Fix Version/s: HTTPBuilder-0.5.3
-
Component/s: HttpBuilder
-
Labels:None
-
Number of attachments :
Description
On occasion, one has to work with servers that have invalid or self-signed certificates. In these cases it's useful to be able to disable certificate verification. Unfortunately, this is far harder than it should be with HTTPBuilder. Admittedly it's pretty ugly with HttpClient!
I suggest a constructor argument, insecure: true perhaps, that basically does what my custom HTTPBuilder does:
class MyInsecureClient extends HTTPBuilder { MyInsecureClient(baseUrl) { super(baseUrl) def oldParams = client.params def sslContext = SSLContext.getInstance("SSL") // Set up a TrustManager that trusts everything. sslContext.init(null, [ new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { } public void checkServerTrusted(X509Certificate[] certs, String authType) { } } ] as TrustManager[], new SecureRandom()) // Set up a socket factory that doesn't verify hostnames. def sf = new SSLSocketFactory(sslContext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) def httpsScheme = new Scheme("https", sf, 443) def schemeRegistry = new SchemeRegistry() schemeRegistry.register httpsScheme def cm = new SingleClientConnManager(oldParams, schemeRegistry); this.client = new DefaultHttpClient(cm, oldParams) } }
I suggest a constructor argument because it would be nice to use this with RESTClient as well.