0

Our web application calls several web services internally using Jersey client API. Few services are secure and we use certificates to authenticate.

Due to some reasons we want to disable hostname verification on few services.

So I searched for some examples and found the below links and the service started working as expected after disabling the verification.

Link1, link2, link3

While going through the third link I noticed a call to HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

I am assuming that, because of the above call, hostname verification will be disabled on all subsequent web service calls.

If my assumption is right, how do I disable verification only on a particular service?

HostnameVerifier allHostsValid = new HostnameVerifier() { 
    public boolean verify(String hostname, SSLSession session) {
     if(hostname.equals("xyz")) {
         return true; 
     } else {
         // How do I implement this section?
         // if I return false will the server perform the verification? If not how do I implement this?
     }
    } 
};
Community
  • 1
  • 1
Krishna Chaitanya
  • 2,199
  • 3
  • 31
  • 56

1 Answers1

1

In you're using HttpsUrlConnection directly then once you've opened the connection (with URL.openConnection()) you can call connection.setHostnameVerifier(allHostsValid) to set the hostname verifier for that single connection.

EDIT:

As you're using Jersey, it looks like there are two options depending on whether you're using Jersey 1 or 2.

For Jersey 2 you can set the Hostname Verifier on the ClientBuilder when you create the client.

ClientBuilder.newBuilder().hostnameVerifier(allHostsValid).build();

You'd want to make two clients and use a different one depending on which service you were connecting to. However, there is a warning in the jersey docs noting that that this only works with certain connector providers, and I'm not sure which you'd be using.

This is a standard API so it should work for any compliant JAX-RS 2.0 client (including Liberty's jaxrsClient-2.0 feature).

For Jersey 1 it looks like you can set a property on the client or on the client request.

HTTPSProperties httpsProps = new HTTPSProperties(allHostsValid);
client.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, httpsProps);
Azquelt
  • 1,086
  • 11
  • 14
  • We are using Jersey client. So I think I have to figure out a way to tell jersey to do it only for the current connection. Thank you – Krishna Chaitanya Apr 06 '17 at 12:34
  • Sorry, I missed that you were using the Jersey client and jumped straight to the part where you were calling `HttpsURLConnection.setDefaultHostnameVerifier`. I've updated the answer with some information relating to Jersey and other JAX-RS clients, though it's not something I've implemented myself. – Azquelt Apr 06 '17 at 12:57
  • Sure no problem. I will try to identify. If jersey does not provide any any option I will use HttpURLConnection class – Krishna Chaitanya Apr 06 '17 at 12:59