Java Security: Secure XML-RPC

An XML-RPC application can be made secure in two ways: either start the XML-RPC server inside an SSL/TLS-enabled web server and write an XML-RPC client that talks to it over HTTPS, or use an SSL-enabled XML-RPC framework.

1. Using XmlRpcServlet

In Chapter 17, we have seen that Apache XML-RPC provides a servlet, XmlRpcServlet, which has an automatically embedded instance of XmlRpcServer and may be installed in an existing Tomcat web server to serve XML-RPC requests. To secure the communication, configure the Tomcat web server so that it runs over SSL. A description is already given in Section 17.6. The procedure for installing XmlRpcServlet is also given in Chapter 17. So, configure Tomcat to make it SSL-enabled and install XmlRpcServlet. Assume that the SSL-enabled Tomcat web server runs on a computer having IP address 172.16.5.81 on port 8443. The URL of the servlet XmlRpcServlet will then be https://172.16.5.81:8443/xmlrpc/servlet. This URL may be used in the XML-RPC client application. The modified XML-RPC client that uses SSL communication is shown below:

//SSLClient.java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import org.apache.xmlrpc.client.*;
import java.net.URL;

public class SSLClient {
    public static void main(String[] args) {
        try {
            // Accepts every host name: the certificate in tomcat.cer is still checked
            // against the trust store, but it is no longer compared with the address
            // given in args[0], so the JDK's host name verification is switched off.
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String host, SSLSession ss) { return true; }
            });
            XmlRpcClient client = new XmlRpcClient();
            XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
            // HTTPS URL of XmlRpcServlet on the SSL-enabled Tomcat (port 8443)
            config.setServerURL(new URL("https://" + args[0] + ":8443/xmlrpc/servlet"));
            client.setConfig(config);
            int n = 6;
            Object[] params = new Object[]{ new Integer(n) };
            System.out.println("Sent : " + n);
            Integer result = (Integer) client.execute("Factorial.fact", params);
            System.out.println("Received : " + result);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

The parts that differ from the plain HTTP client of Chapter 17 are the HostnameVerifier installed at the start of main() and the https:// URL passed to setServerURL(). To run the application, copy tomcat.cer (described in Section 19.4.7) to the client directory and import it into the client's trust store (client.ts) using the following command:

keytool -import -v -keystore client.ts -storepass 123456 -file tomcat.cer

Start the Tomcat web server. Now, start the client using the following command:

java -cp ..\lib\*;. -Djavax.net.ssl.trustStore=client.ts -Djavax.net.ssl.trustStorePassword=123456 SSLClient 172.16.5.81

2. Using Secure XML-RPC

Apache XML-RPC version 2.0.1 also provides a framework that works over SSL. The security is provided by two primary classes, SecureWebServer and SecureXmlRpcClient (provided in the package org.apache.xmlrpc.secure). The SecureWebServer class is used to create a secure XML-RPC server. A sample usage of this class (SslXmlRpcServer.java) is shown below:

//SslXmlRpcServer.java
import org.apache.xmlrpc.secure.*;

public class SslXmlRpcServer {
    // Handler method exposed to clients as "Factorial.fact"
    public int fact(int n) {
        System.out.println("Received : " + n);
        int prod = 1;
        for (int i = 2; i <= n; i++) prod *= i;
        System.out.println("Sent : " + prod);
        return prod;
    }

    public static void main(String args[]) {
        // SecureWebServer listens over SSL using the key store named by
        // -Djavax.net.ssl.keyStore on the command line
        SecureWebServer web = new SecureWebServer(6789);
        web.addHandler("Factorial", new SslXmlRpcServer());
        web.start();
        System.out.println("XML-RPC server ready...");
    }
}

To create a secure XML-RPC client, we use the SecureXmlRpcClient class. The source code of this client (SslXmlRpcClient.java) is given below:

//SslXmlRpcClient.java
import java.util.*;
import javax.net.ssl.*;
import org.apache.xmlrpc.secure.*;

public class SslXmlRpcClient {
    public static void main(String args[]) {
        // Accepts every host name: the server certificate (CN=U. K. Roy) does not
        // name the server address, so host name verification is switched off and
        // only the trust-store check of client.ts remains.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession ss) { return true; }
        });
        try {
            SecureXmlRpcClient client = new SecureXmlRpcClient("https://" + args[0] + ":6789");
            Vector<Object> params = new Vector<Object>();
            int n = 5;
            params.add(n);
            System.out.println("Sent : " + n);
            Object result = client.execute("Factorial.fact", params);
            System.out.println("Received : " + result);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

To run this application, we have to download a JAR file containing the XML-RPC 2.0.1 classes and interfaces. We downloaded xmlrpc-2.0.1.jar from http://www.java2s.com/Code/Jar/x/Downloadxmlrpc201jar.htm. Since the SecureWebServer and SecureXmlRpcClient classes use a set of utilities for encoding and decoding text and binary data, we also need the Apache Commons Codec (TM) software, which provides implementations of common encoders and decoders such as Base64, Hex, Phonetic and URLs. These utilities (as the commons-codec-1.9.jar file) can be downloaded from http://commons.apache.org/proper/commons-codec/download_codec.cgi. Now create a working directory with three subdirectories: lib, server and client. Place the JAR files in the lib directory. Also place SslXmlRpcServer.java and SslXmlRpcClient.java in the server and client directories respectively.

Now go to the server directory and create a key store (server.ks) using the following command:

keytool -genkey -alias mykey -keyalg RSA -keystore server.ks -storepass 123456 -keypass 123456 -dname "CN=U. K. Roy, OU=IT, O=JU, L=Kolkata, ST=WB, C=IN"

Now, export the certificate to a file server.cer using the following command:

keytool -export -alias mykey -keystore server.ks -storepass 123456 -file server.cer

Now, copy this server.cer file to the client directory and use the following command to import the certificate into the client's trust store (client.ts):

keytool -import -v -keystore client.ts -storepass 123456 -file server.cer

The application is now ready to run. Go to the server directory and use the following command to compile the server:

javac -cp ..\lib\*;. *.java

Now, start the server using the following command:

java -cp ..\lib\*;. -Djavax.net.ssl.keyStore=server.ks -Djavax.net.ssl.keyStorePassword=123456 SslXmlRpcServer

Go to the client directory and use the following command to compile the client:

javac -cp ..\lib\*;. *.java

Now, start the client using the following command:

java -cp ..\lib\*;. -Djavax.net.ssl.trustStore=client.ts -Djavax.net.ssl.trustStorePassword=123456 SslXmlRpcClient 172.16.5.81
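Both clients above install a HostnameVerifier that returns true, which switches off the JDK's check that the presented certificate names the address in args[0]; the only protection left is that the server certificate is present in client.ts. The client below is an added example (it is not from the book or from Apache XML-RPC) showing how the same call can be made without overriding the verifier: the trust store is loaded into an SSLContext explicitly, so no -Djavax.net.ssl.trustStore flags are needed, and host name verification stays on. It assumes the server certificate was generated with a SubjectAlternativeName for the server address (the keytool -ext SAN option in the comment; the trust store name, password, port and servlet path are the page's values) and uses the XML-RPC 3.x client API of SSLClient.java. The class and method names HardenedSslClient and contextFromTrustStore are chosen here.

```java
// HardenedSslClient.java -- added example, not part of the book's code.
// Keeps the JDK's default host name verification instead of installing a
// verifier that returns true. Assumed server key pair with a SAN matching
// the address the client connects to, e.g. (constructed command):
//   keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore server.ks
//           -storepass 123456 -keypass 123456 -dname "CN=xmlrpc-server"
//           -ext SAN=ip:172.16.5.81
// client.ts is built from the exported certificate exactly as on the page.
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;

public class HardenedSslClient {

    // Builds an SSLContext that trusts only the certificates in the given JKS
    // trust store (client.ts). Nothing from the JDK's cacerts is consulted.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        SSLContext ctx = contextFromTrustStore("client.ts", "123456".toCharArray());

        // The default XML-RPC transport opens an HttpsURLConnection, which picks up
        // this default socket factory. There is deliberately no
        // setDefaultHostnameVerifier call: the JDK compares the certificate's SAN
        // with 'host' and aborts the handshake on a mismatch.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
        config.setServerURL(new URL("https://" + host + ":8443/xmlrpc/servlet"));
        XmlRpcClient client = new XmlRpcClient();
        client.setConfig(config);

        int n = 6;
        System.out.println("Sent : " + n);
        Integer result = (Integer) client.execute("Factorial.fact", new Object[]{ n });
        System.out.println("Received : " + result);
    }
}
```

Run it from the client directory the same way as SSLClient, but without the -Djavax.net.ssl.* options: java -cp ..\lib\*;. HardenedSslClient 172.16.5.81. If the certificate in client.ts does not carry a SAN for 172.16.5.81, the call fails with an SSLHandshakeException rather than silently accepting the peer, which is the behaviour the trust-all verifier in the two page clients hides.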

Source: Uttam Kumar Roy (2015), Advanced Java programming, Oxford University Press.
