https client

Shane - 04 Jun 2007 06:45 GMT
I am trying to write a basic https client.  It will contact an https site,
post authentication details, follow some links, and retrieve some
information.  This all seems like I am reinventing the wheel, but I am
struggling to find example code.

Could someone point me to what I am missing, or a tutorial.

TIA
Shane
Signature

Q: Why do mathematicians often confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25.

Ben_ - 04 Jun 2007 10:03 GMT
For example, Apache HTTPClient at
http://jakarta.apache.org/commons/httpclient/features.html.
Arne Vajhøj - 05 Jun 2007 01:50 GMT
> I am trying to write a basic https client.  It will contact an https site,
> post authentication details, follow some links, and retrieve some
> information.  This all seems like I am reinventing the wheel, but I am
> struggling to find example code.

An example is attached below.

Arne

==============================================

import java.net.*;
import java.io.*;
import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class HttpsGetAuth {
   public static void main(String[] args) {
      try {
         SSLContext sslctx = SSLContext.getInstance("SSL");
         sslctx.init(null, new X509TrustManager[] { new MyTrustManager() }, null);
         HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
         //HttpsURLConnection.setDefaultHostnameVerifier(new MyHostnameVerifier());
         Authenticator.setDefault(new MyAuthenticator());
         URL url = new URL("https://www.xxxx.dk/prot4.html");
         HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
         if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
            InputStream is = con.getInputStream();
            OutputStream os = new FileOutputStream("C:\\z.z");
            byte[] b = new byte[1000];
            int n;
            while ((n = is.read(b)) >= 0) {
               os.write(b, 0, n);
            }
            os.close();
            is.close();
         }
         con.disconnect();
      } catch (NoSuchAlgorithmException e) {
         e.printStackTrace();
      } catch (KeyManagementException e) {
         e.printStackTrace();
      } catch (MalformedURLException e) {
         e.printStackTrace();
      } catch (FileNotFoundException e) {
         e.printStackTrace();
      } catch (IOException e) {
         e.printStackTrace();
      }
   }
}

class MyTrustManager implements X509TrustManager
{
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

//class MyHostnameVerifier implements HostnameVerifier {
//   public boolean verify(String urlHostName, SSLSession session) {
//      return true;
//   }
//}

class MyAuthenticator extends Authenticator {
   protected PasswordAuthentication getPasswordAuthentication() {
      return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
   }
}
Shane - 05 Jun 2007 09:06 GMT
>> I am trying to write a basic https client.  It will contact an https
>> site, post authentication details, follow some links, and retrieve some
[quoted text clipped - 78 lines]
>     }
> }

Awesome, thanks guys, that's what I needed
Signature

Q: What is the difference between a mathematician and a philosopher?
A: The mathematician only needs paper, pencil, and a trash bin for his
work - the philosopher can do without the trash bin...

G. Garrett Campbell - 18 Jun 2007 19:22 GMT
Did you actually get this to work?

I am attempting something similar.

First I tried a simple url using https protocol.  That returns the page with
the login form.
I filled in the parameters and sent it back.  The login site did not
recognize the login request.

Second I followed the code below, with the exact same result.  I can get the
main login page, but after filling in the form and posting the correct
response, the site did not respond as logged in.

_________

I suspect that the encryption is not working but I do not know how to
diagnose that.

Thanks for any help.

>>> I am trying to write a basic https client.  It will contact an https
>>> site, post authentication details, follow some links, and retrieve some
[quoted text clipped - 80 lines]
>
> Awesome, thanks guys, that's what I needed
Esmond Pitt - 06 Jun 2007 01:11 GMT
>     public X509Certificate[] getAcceptedIssuers() {
>         return null;
>     }
> }

This 'trust-em-all' TrustManager has been spattered all over the Web but
if that method ever gets called an NPE is likely to result. It doesn't
comply with its specification.
Arne Vajhøj - 06 Jun 2007 02:48 GMT
>>     public X509Certificate[] getAcceptedIssuers() {
>>         return null;
[quoted text clipped - 4 lines]
> if that method ever gets called an NPE is likely to result. It doesn't
> comply with its specification.

It should probably return an array with no elements.

Well ...

Arne
Esmond Pitt - 06 Jun 2007 09:38 GMT
> It should probably return an array with no elements.

It should definitely not return null when the specification says
specifically that its return value is non-null.

> Well ...

Well, ... the whole idea of a trust-em-all TrustManager is inane to
begin with. Why use SSL at all if you're prepared to trust anybody at
the other end? This thing is only required when servers use self-signed
certificates, and servers aren't supposed to do that. The resulting
system is not secure.
Graham - 06 Jun 2007 10:50 GMT
> Arne Vajhøj wrote:
> <snip>
> Well, ... the whole idea of a trust-em-all TrustManager is inane to
> begin with. Why use SSL at all if you're prepared to trust anybody at
> the other end?

Because SSL provides many more services other than authentication?
Philipp Leitner - 06 Jun 2007 11:58 GMT
> Because SSL provides many more services other than authentication?

Yes, but what good are they without authentication? IMHO it is a huge
misconception to think that an encrypted but not authenticated line is
somehow 'secure'. Granted, nobody can intervene into your
communication, but what does that help given that you cannot be sure
who you are actually talking to?

/philipp
Graham - 06 Jun 2007 14:01 GMT
>  > Because SSL provides many more services other than authentication?
>
[quoted text clipped - 5 lines]
>
> /philipp

I didn't mean authentication doesn't take place at all, only that it
is not necessary during the SSL handshake. For example, when you do
your Internet Banking you authenticate yourself to the bank using a
username and password after the SSL transport is established. It
doesn't stop you from taking advantage of the confidentiality and
integrity provided by SSL layer.

- Graham
Philipp Leitner - 06 Jun 2007 14:09 GMT
> I didn't mean authentication doesn't take place at all, only that it
> is not necessary during the SSL handshake. For example, when you do
> your Internet Banking you authenticate yourself to the bank using a
> username and password after the SSL transport is established. It
> doesn't stop you from taking advantage of the confidentiality and
> integrity provided by SSL layer.

True, but still there's TLS authentication involved ... if your
browser would not validate the certificate of the bank's server I
would not really want to enter my username and password in the first
place :)

/philipp
Esmond Pitt - 07 Jun 2007 04:00 GMT
> Yes, but what good are they without authentication? IMHO it is a huge
> misconception to think that an encrypted but not authenticated line is
> somehow 'secure'.

Exactly, and that's exactly what it says in RFC2246.
Arne Vajhøj - 09 Jun 2007 19:16 GMT
>  > Because SSL provides many more services other than authentication?
>
[quoted text clipped - 3 lines]
> communication, but what does that help given that you cannot be sure
> who you are actually talking to?

I guess that depends a lot on the context.

Arne
Esmond Pitt - 13 Jun 2007 05:03 GMT
> I guess that depends a lot on the context.

It depends on the context providing authentication, no two ways about
it. And as SSL already has a triple-strength A-grade mechanism for that
why wouldn't you use it? And why would you build a trapdoor to allow
that to be breached so you could substitute something of your own,
inevitably much weaker?

