https client

[Shane]

I am trying to write a basic https client. It will contact an https site,
post authentication details, follow some links, and retrieve some
information. This all seems like I am reinventing the wheel, but I am
struggling to find example code.

Could someone point me to what I am missing, or a tutorial.

TIA
Shane

 

[Ben_]

For example, Apache HTTPClient at
http://jakarta.apache.org/commons/httpclient/features.html.

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

I am trying to write a basic https client. It will contact an https site,
post authentication details, follow some links, and retrieve some
information. This all seems like I am reinventing the wheel, but I am
struggling to find example code.

An example is attached below.

Arne

==============================================

import java.net.*;
import java.io.*;
import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class HttpsGetAuth {
public static void main(String[] args) {
try {
SSLContext sslctx = SSLContext.getInstance("SSL");
sslctx.init(null, new X509TrustManager[] { new
MyTrustManager() }, null);

HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
//HttpsURLConnection.setDefaultHostnameVerifier(new
MyHostnameVerifier());
Authenticator.setDefault(new MyAuthenticator());
URL url = new URL("https://www.xxxx.dk/prot4.html");
HttpsURLConnection con = (HttpsURLConnection)
url.openConnection();
if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
InputStream is = con.getInputStream();
OutputStream os = new FileOutputStream("C:\\z.z");
byte[] b = new byte[1000];
int n;
while ((n = is.read(b)) >= 0) {
os.write(b, 0, n);
}
os.close();
is.close();
}
con.disconnect();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}

class MyTrustManager implements X509TrustManager
{
public void checkClientTrusted(X509Certificate[] chain, String
authType) {
}
public void checkServerTrusted(X509Certificate[] chain, String
authType) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}

//class MyHostnameVerifier implements HostnameVerifier {
// public boolean verify(String urlHostName, SSLSession session) {
// return true;
// }
//}

class MyAuthenticator extends Authenticator {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
}
}

 

[Shane]

I am trying to write a basic https client. It will contact an https
site, post authentication details, follow some links, and retrieve some
information. This all seems like I am reinventing the wheel, but I am
struggling to find example code.

An example is attached below.

Arne

==============================================

import java.net.*;
import java.io.*;
import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class HttpsGetAuth {
public static void main(String[] args) {
try {
SSLContext sslctx = SSLContext.getInstance("SSL");
sslctx.init(null, new X509TrustManager[] { new
MyTrustManager() }, null);

HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
//HttpsURLConnection.setDefaultHostnameVerifier(new
MyHostnameVerifier());
Authenticator.setDefault(new MyAuthenticator());
URL url = new URL("https://www.xxxx.dk/prot4.html");
HttpsURLConnection con = (HttpsURLConnection)
url.openConnection();
if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
InputStream is = con.getInputStream();
OutputStream os = new FileOutputStream("C:\\z.z");
byte[] b = new byte[1000];
int n;
while ((n = is.read(b)) >= 0) {
os.write(b, 0, n);
}
os.close();
is.close();
}
con.disconnect();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}

class MyTrustManager implements X509TrustManager
{
public void checkClientTrusted(X509Certificate[] chain, String
authType) {
}
public void checkServerTrusted(X509Certificate[] chain, String
authType) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}

//class MyHostnameVerifier implements HostnameVerifier {
// public boolean verify(String urlHostName, SSLSession session) {
// return true;
// }
//}

class MyAuthenticator extends Authenticator {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
}
}

Awesome, thanks guys, that's what I needed

 

[Esmond Pitt]

public X509Certificate[] getAcceptedIssuers() {
return null;
}
}

This 'trust-em-all' TrustManager has been spattered all over the Web but
if that method ever gets called an NPE is likely to result. It doesn't
comply with its specification.

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

public X509Certificate[] getAcceptedIssuers() {
return null;
}
}

This 'trust-em-all' TrustManager has been spattered all over the Web but
if that method ever gets called an NPE is likely to result. It doesn't
comply with its specification.

It should probably return an array with no elements.

Well ...

Arne

 

[Esmond Pitt]

It should probably return an array with no elements.

It should definitely not return null when the specification says
specifically that its return value is non-null.

Well ...

Well, ... the whole idea of a trust-em-all TrustManager is inane to
begin with. Why use SSL at all if you're prepared to trust anybody at
the other end? This thing is only required when servers use self-signed
certificates, and servers aren't supposed to do that. The resulting
system is not secure.

 

[Graham]

Arne Vajhøj wrote:
<snip>
Well, ... the whole idea of a trust-em-all TrustManager is inane to
begin with. Why use SSL at all if you're prepared to trust anybody at
the other end?

Because SSL provides many more services other than authentication?

 

[Philipp Leitner]

Because SSL provides many more services other than authentication?

Yes, but what good are they without authentication? IMHO it is a huge
misconception to think that an encrypted but not authenticated line is
somehow 'secure'. Granted, nobody can intervene into your
communication, but what does that help given that you cannot be sure
who you are actually talking to?

/philipp

 

[Graham]

Yes, but what good are they without authentication? IMHO it is a huge
misconception to think that an encrypted but not authenticated line is
somehow 'secure'. Granted, nobody can intervene into your
communication, but what does that help given that you cannot be sure
who you are actually talking to?

/philipp

I didn't mean authentication doesn't take place at all, only that it
is not necessary during the SSL handshake. For example, when you do
your Internet Banking you authenticate yourself to the bank using a
username and password after the SSL transport is established. It
doesn't stop you from taking advantage of the confidentiality and
integrity provided by SSL layer.

- Graham

 

[Philipp Leitner]

I didn't mean authentication doesn't take place at all, only that it

is not necessary during the SSL handshake. For example, when you do
your Internet Banking you authenticate yourself to the bank using a
username and password after the SSL transport is established. It
doesn't stop you from taking advantage of the confidentiality and
integrity provided by SSL layer.

True, but still there's TLS authentication involved ... if your
browser would not validate the certificate of the bank's server I
would not really want to enter my username and password in the first
place

/philipp

 

[Esmond Pitt]

Yes, but what good are they without authentication? IMHO it is a huge
misconception to think that an encrypted but not authenticated line is
somehow 'secure'.

Exactly, and that's exactly what it says in RFC2246.

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

Yes, but what good are they without authentication? IMHO it is a huge
misconception to think that an encrypted but not authenticated line is
somehow 'secure'. Granted, nobody can intervene into your
communication, but what does that help given that you cannot be sure
who you are actually talking to?

I guess that depends a lot on the context.

Arne

 

[Esmond Pitt]

I guess that depends a lot on the context.

It depends on the context providing authentication, no two ways about
it. And as SSL already has a triple-strength A-grade mechanism for that
why wouldn't you use it? And why would you build a trapdoor to allow
that to be breached so you could substitute something of your own,
inevitably much weaker?

 

[G. Garrett Campbell]

Did you actually get this to work?

I am attempting something similar.

First I tried a simple url using https protocal. That returns the page with
the login in form.
I filled in the parameters and sent it back. The login site did not
recognize the login request.

Second I followed the code below, with the exact same result. I can get the
main login page, but
after filling in the form and posting the correct response, the site did not
respond as logged in.

_________

I suspect that the encryption is not working but I do not know how the
diagnose that.

Thanks for any help.

I am trying to write a basic https client. It will contact an https
site, post authentication details, follow some links, and retrieve some
information. This all seems like I am reinventing the wheel, but I am
struggling to find example code.

An example is attached below.

Arne

==============================================

import java.net.*;
import java.io.*;
import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class HttpsGetAuth {
public static void main(String[] args) {
try {
SSLContext sslctx = SSLContext.getInstance("SSL");
sslctx.init(null, new X509TrustManager[] { new
MyTrustManager() }, null);

HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
//HttpsURLConnection.setDefaultHostnameVerifier(new
MyHostnameVerifier());
Authenticator.setDefault(new MyAuthenticator());
URL url = new URL("https://www.xxxx.dk/prot4.html");
HttpsURLConnection con = (HttpsURLConnection)
url.openConnection();
if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
InputStream is = con.getInputStream();
OutputStream os = new FileOutputStream("C:\\z.z");
byte[] b = new byte[1000];
int n;
while ((n = is.read(b)) >= 0) {
os.write(b, 0, n);
}
os.close();
is.close();
}
con.disconnect();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}

class MyTrustManager implements X509TrustManager
{
public void checkClientTrusted(X509Certificate[] chain, String
authType) {
}
public void checkServerTrusted(X509Certificate[] chain, String
authType) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}

//class MyHostnameVerifier implements HostnameVerifier {
// public boolean verify(String urlHostName, SSLSession session) {
// return true;
// }
//}

class MyAuthenticator extends Authenticator {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
}
}

Awesome, thanks guys, that's what I needed