Developing with XCC

Creating a Trust Manager

This section describes how to use a simple Trust Manager for X.509-based authentication. The Trust Manager shown here does not validate certificate chains; it is therefore unsafe and should not be used in production code. See your Java documentation for details on how to create a more robust Trust Manager for your specific application or how to obtain a Certificate Authority from a keystore.

To enable SSL access using a trust manager, import the following classes in addition to those described in Coding Basics:

import javax.net.ssl.SSLContext;
import com.marklogic.xcc.SecurityOptions;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.KeyManagementException;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;

Create a trust manager and pass it to the SSLContext.init() method:

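protected SecurityOptions newTrustOptions()
  throws Exception
{
  // UNSAFE: this trust manager accepts every certificate chain without
  // validation. It is for development and testing only.
  TrustManager[] trust = new TrustManager[] { 
    new X509TrustManager() {
      public void checkClientTrusted(
        X509Certificate[] x509Certificates, 
        String s
      )
      throws CertificateException {
        // nothing to do: every client certificate is accepted
      }
      public void checkServerTrusted(
        X509Certificate[] x509Certificates, 
        String s)
      throws CertificateException 
      {
        // nothing to do: every server certificate is accepted
      }
      public X509Certificate[] getAcceptedIssuers() {
        // The X509TrustManager contract requires a non-null array.
        return new X509Certificate[0];
      }
    }
  };
  // Request a TLS 1.2 context; SSLv3 is disabled by default in current JDKs.
  SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
  // No key managers (null), the trust managers above, default SecureRandom (null).
  sslContext.init(null, trust, null);
  return new SecurityOptions(sslContext);
}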

Call ContentSourceFactory.newContentSource() with a host name, port, username, password, and SSL security options defined by newTrustOptions():

ContentSource cs = 
  ContentSourceFactory.newContentSource (host,
                                         port,
                                         username,
                                         password,
                                         null,
                                         newTrustOptions());

Note

If you are passing a URI to ContentSourceFactory.newContentSource(), specify a connection scheme of xccs, rather than xcc, as shown in Accessing a Keystore.
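
For comparison with the unsafe Trust Manager above, the following added example (not part of the original XCC documentation) builds the SecurityOptions from the JDK's standard TrustManagerFactory, so that the server's certificate chain is validated against the CA certificates in a trust store. The class name, the method name, and the trustStorePath and trustStorePassword parameters are assumptions for illustration.

```java
import com.marklogic.xcc.SecurityOptions;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ValidatingTrustOptions {

  // Returns SecurityOptions whose trust managers verify the server's
  // certificate chain against the CA certificates in the given trust store.
  // trustStorePath and trustStorePassword are hypothetical parameters.
  public static SecurityOptions newValidatingTrustOptions(
      String trustStorePath, char[] trustStorePassword) throws Exception {

    // Load the trust store that holds the CA certificate(s) that issued
    // the server's certificate. The store type is the JVM default.
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
      trustStore.load(in, trustStorePassword);
    }

    // An empty store cannot validate any chain; fail here with a clear
    // message instead of at the first TLS handshake.
    if (trustStore.size() == 0) {
      throw new IllegalStateException(
          "Trust store contains no certificates: " + trustStorePath);
    }

    // The JDK's default trust manager implementation performs the chain
    // validation that the no-op X509TrustManager skips.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);

    // No key managers (null) and the default SecureRandom (null), as in
    // newTrustOptions(); only the trust managers differ.
    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
    sslContext.init(null, tmf.getTrustManagers(), null);
    return new SecurityOptions(sslContext);
  }
}
```

The returned object can be passed to ContentSourceFactory.newContentSource() in place of newTrustOptions().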