public interface SSLFTPValidator

SSLFTPValidators are used for validating server certificates and may also be used to provide user-feedback when making secure connections to servers. Server certificates are validated when control channels are switched to SSL, which happens when the SSLFTPClient.auth(String) method is called.

A standard validator, SSLFTPStandardValidator, is provided. New validators may be extended from this validator or written from scratch by implementing the SSLFTPValidator interface. In either case, if a validator other than the standard validator is required, it must be installed using the SSLFTPClient.setCustomValidator(SSLFTPValidator) method. This method must be called before the SSLFTPClient.auth(String) method is called so that the validator is ready when it is required.

To see the basic tests that should be applied to the server certificate, please see the documentation for SSLFTPStandardValidator.

Note that validators are not required to check that the root certificate in the certificate-chain passed to validateServerCertificate(boolean, java.util.Vector, java.lang.String) is one of the root certificates that were loaded into the client. This is done automatically prior to the call to the validator.

Note also that in version 1.0 of edtFTPj/SSL, the SSLFTPValidator is invoked only if the certificate's root has been successfully validated. If the certificate's root is not recognized, an exception is thrown stating that the CA is unknown. This means that it is not possible to override the rejection of connections with servers whose CA is unknown by writing a specialized SSLFTPValidator. Future versions of edtFTPj/SSL will make it possible to do this, should it be required.
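
An added example, not part of the edtFTPj/SSL documentation or code base: a validator written from scratch that never accepts a chain the client did not recommend and then matches serverHostName against the CN of the last certificate in the chain. The com.enterprisedt.net.ftp.ssl package name and the getSubjectName().getCommonName() accessors are assumptions, and the single-label wildcard rule goes beyond what this page specifies.

```java
import java.util.Locale;
import java.util.Vector;

// ASSUMPTION: package name of the edtFTPj/SSL classes; adjust to your distribution.
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificate;
import com.enterprisedt.net.ftp.ssl.SSLFTPException;
import com.enterprisedt.net.ftp.ssl.SSLFTPValidator;

/** Added example: keeps the client's rejection, then ties the CN to the host. */
public class StrictHostValidator implements SSLFTPValidator {

    public boolean validateServerCertificate(boolean recommendValidate,
            Vector certificateChain, String serverHostName) throws SSLFTPException {
        // Never turn a negative recommendation into an acceptance.
        // recommendValidate is also true when server validation is switched
        // off, so the host-name check below still has to run.
        if (!recommendValidate)
            return false;
        if (certificateChain == null || certificateChain.isEmpty())
            return false;
        // The server's certificate is the LAST element; the root CA is first.
        SSLFTPCertificate serverCert = (SSLFTPCertificate) certificateChain.lastElement();
        // ASSUMPTION: accessor names for the subject CN; check the SSLFTPCertificate Javadoc.
        String commonName = serverCert.getSubjectName().getCommonName();
        return hostMatchesCommonName(serverHostName, commonName);
    }

    /** Case-insensitive match; a leading "*." covers exactly one left-most label. */
    static boolean hostMatchesCommonName(String host, String cn) {
        if (host == null || cn == null) return false;
        String h = host.trim().toLowerCase(Locale.ROOT);
        String c = cn.trim().toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1); // drop root dot
        if (h.isEmpty() || c.isEmpty()) return false;
        if (!c.startsWith("*."))
            return h.equals(c);                    // exact CN match
        String suffix = c.substring(1);            // e.g. ".example.com"
        if (suffix.indexOf('*') >= 0 || suffix.indexOf('.', 1) < 0)
            return false;                          // reject "*.*.x" and "*.com"
        int firstDot = h.indexOf('.');
        return firstDot > 0 && h.substring(firstDot).equals(suffix);
    }
}
```

Install it with SSLFTPClient.setCustomValidator(SSLFTPValidator) before SSLFTPClient.auth(String) is called. Returning false here surfaces as the generic server certificate validation failure exception.
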
Modifier and Type | Method and Description |
---|---|
boolean | validateServerCertificate(boolean recommendValidate, java.util.Vector certificateChain, java.lang.String serverHostName) - Validates a server certificate. |

boolean validateServerCertificate(boolean recommendValidate, java.util.Vector certificateChain, java.lang.String serverHostName) throws SSLFTPException

Should return true if the certificate is found to be valid and should either return false or throw an SSLFTPException if it is invalid.

Parameters:
recommendValidate - flag indicating whether the client recommends that the certificate should be accepted. It will be true if (1) the server's certificate was verified from the root certificates or (2) server validation has been switched off (see SSLFTPClient.setValidateServer(boolean)).
certificateChain - chain of certificates (SSLFTPCertificate objects) with the server's certificate appearing last and the root certificate issuer (usually a Certificate Authority - CA) appearing first. Under most circumstances, the vector has only 2 elements: the certificate of the CA and the certificate of the server.
serverHostName - the host-name of the server that we are connected to. This should usually be matched with the CN (Common Name) in the server certificate's subject-name. The server certificate is the last element of the certificateChain vector.

Returns:
true if the certificate is valid. If the certificate is invalid then the method should either return false or throw an SSLFTPException with details describing the failure. If false is returned then a generic server certificate validation failure exception will be thrown.

Throws:
SSLFTPException - May be thrown if the certificate is found to be invalid.

Copyright © 2001-2014 Enterprise Distributed Technologies Ltd. All Rights Reserved.