Problem using XmlRpc with SSL in web browser

Sean McGarvey
I have been trying desperately for weeks to get SSL working with an existing application that uses XmlRpc between a servlet running on a web server and an applet running through a web browser.

I found the following code online:

import java.util.*;
import java.net.*;
import com.sun.net.ssl.*;
import java.security.cert.X509Certificate;
import java.security.Security;
import javax.net.ssl.SSLSocketFactory;
//import helma.xmlrpc.XmlRpcClient;
import marquee.xmlrpc.*;

/**
 * SecureXmlRpcClient provides an XML-RPC client that can operate over SSL and that can negotiate
 * basic authorization. It is simply a wrapper of Security and URL configuration around an instance
 * of the XML-RPC client implementation provided by the marquee package.
 */
public class SecureXmlRpcClient {
    private String username;
    private String password;
    private String urlstring;
    private XmlRpcClient client;

    /** Requires the url of the XML-RPC service, the user and password for authentication. */
    public SecureXmlRpcClient(String urlstring, String username, String password) throws Exception {
        this.username = username;
        this.password = password;
        this.urlstring = urlstring;

        // Configuration work to provide SSL support
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

        // Currently server cert is not signed by a CA,
        // so work around by using own TrustManager
        X509TrustManager tm = new WorkAroundX509TrustManager();
        KeyManager[] km = null;
        TrustManager[] tma = {tm};
        SSLContext sc = SSLContext.getInstance("ssl");
        sc.init(km, tma, new java.security.SecureRandom());
        SSLSocketFactory sf1 = sc.getSocketFactory();
        // end workaround for non-CA signed server cert

        // Configuration work to allow negotiation of basic authorisation
        NetPermission np = new NetPermission("setDefaultAuthenticator");
        BasicAuthenticator ba = new BasicAuthenticator(username, password);
        //this.client = new XmlRpcClient(urlstring);
        this.client = new XmlRpcClient("server", 443, "/app/XmlRpcManager");
    }

    /**
     * Execute the required XML-RPC procedure with the required parameters (traffic between the
     * client and server will be encrypted if the url was a secure one).
     */
    // public Object execute (String s, Vector v) throws Exception {
    //     return client.execute(s, v);
    // }
    public Object invoke(String s, Object v[]) throws Exception {
        return client.invoke(s, v);
    }

    /** Inner class to provide a permissive TrustManager for non-CA-signed server certificates. */
    private class WorkAroundX509TrustManager implements X509TrustManager {
        public boolean isClientTrusted(X509Certificate[] chain) {
            return true;
        }

        public boolean isServerTrusted(X509Certificate[] chain) {
            return true;
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

    /** Inner class to provide an implementation of Authenticator. */
    private class BasicAuthenticator extends Authenticator {
        private String username = "";
        private String password = "";

        public BasicAuthenticator(String username, String password) {
            this.username = username;
            this.password = password;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(this.username, this.password.toCharArray());
        }
    }
}

The problem seems to be that the client cannot execute the addProvider call:

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

and the following error is raised when it tries to:

java.security.AccessControlException: access denied (java.security.SecurityPermission insertProvider.SunJSSE)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkSecurityAccess(Unknown Source)
at sun.plugin.security.ActivatorSecurityManager.checkSecurityAccess(Unknown Source)
at java.security.Security.check(Unknown Source)
at java.security.Security.insertProviderAt(Unknown Source)
at java.security.Security.addProvider(Unknown Source)

If anyone has any ideas, I would GREATLY APPRECIATE it. Some sample source code of a working example where the client runs in a web browser would be fantastic.

Thank you,
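
Added example, not part of the original post: the WorkAroundX509TrustManager above accepts every certificate, so the connection is encrypted but the server is never authenticated. For a server certificate that is not CA-signed, the standard javax.net.ssl API (built into J2SE 1.4 and later, with no provider registration call) can trust that one certificate only. The class name, the alias, and the certificate file, host and port arguments are assumptions; the code as written needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; not from the original post.
public class PinnedTrustExample {

    /** Returns a socket factory that trusts only the certificate read from certStream. */
    public static SSLSocketFactory factoryFor(InputStream certStream) throws Exception {
        Certificate serverCert =
            CertificateFactory.getInstance("X.509").generateCertificate(certStream);

        // Empty in-memory trust store holding just the server's certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("xmlrpc-server", serverCert); // alias is arbitrary

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return sc.getSocketFactory();
    }

    /** Usage: java PinnedTrustExample server.crt host port (all three are assumptions). */
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            SSLSocketFactory sf = factoryFor(in);
            try (SSLSocket s = (SSLSocket) sf.createSocket(args[1], Integer.parseInt(args[2]))) {
                // Also require the certificate name to match the host being contacted.
                SSLParameters p = s.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("HTTPS");
                s.setSSLParameters(p);
                s.startHandshake(); // fails unless the chain ends at the pinned certificate
                System.out.println("Trusted peer: " + s.getSession().getPeerPrincipal());
            }
        }
    }
}
```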