https client

Discussion in 'Java' started by Shane, Jun 4, 2007.

  1. Shane

    Shane Guest

    I am trying to write a basic https client. It will contact an https site,
    post authentication details, follow some links, and retrieve some
    information. This all seems like I am reinventing the wheel, but I am
    struggling to find example code.

    Could someone point me to what I am missing, or a tutorial.

    TIA
    Shane
    --
    Q: Why do mathematicians often confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25.
     
    Shane, Jun 4, 2007
    #1
    1. Advertising

  2. Shane

    Ben_ Guest

    Ben_, Jun 4, 2007
    #2
    1. Advertising

  3. Shane wrote:
    > I am trying to write a basic https client. It will contact an https site,
    > post authentication details, follow some links, and retrieve some
    > information. This all seems like I am reinventing the wheel, but I am
    > struggling to find example code.


    An example is attached below.

    Arne

    ==============================================

    import java.net.*;
    import java.io.*;
    import java.security.*;
    import java.security.cert.*;

    import javax.net.ssl.*;

    public class HttpsGetAuth {
    public static void main(String[] args) {
    try {
    SSLContext sslctx = SSLContext.getInstance("SSL");
    sslctx.init(null, new X509TrustManager[] { new
    MyTrustManager() }, null);

    HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
    //HttpsURLConnection.setDefaultHostnameVerifier(new
    MyHostnameVerifier());
    Authenticator.setDefault(new MyAuthenticator());
    URL url = new URL("https://www.xxxx.dk/prot4.html");
    HttpsURLConnection con = (HttpsURLConnection)
    url.openConnection();
    if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
    InputStream is = con.getInputStream();
    OutputStream os = new FileOutputStream("C:\\z.z");
    byte[] b = new byte[1000];
    int n;
    while ((n = is.read(b)) >= 0) {
    os.write(b, 0, n);
    }
    os.close();
    is.close();
    }
    con.disconnect();
    } catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
    } catch (KeyManagementException e) {
    e.printStackTrace();
    } catch (MalformedURLException e) {
    e.printStackTrace();
    } catch (FileNotFoundException e) {
    e.printStackTrace();
    } catch (IOException e) {
    e.printStackTrace();
    }
    }
    }

    class MyTrustManager implements X509TrustManager
    {
    public void checkClientTrusted(X509Certificate[] chain, String
    authType) {
    }
    public void checkServerTrusted(X509Certificate[] chain, String
    authType) {
    }
    public X509Certificate[] getAcceptedIssuers() {
    return null;
    }
    }

    //class MyHostnameVerifier implements HostnameVerifier {
    // public boolean verify(String urlHostName, SSLSession session) {
    // return true;
    // }
    //}

    class MyAuthenticator extends Authenticator {
    protected PasswordAuthentication getPasswordAuthentication() {
    return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
    }
    }
     
    =?ISO-8859-1?Q?Arne_Vajh=F8j?=, Jun 5, 2007
    #3
  4. Shane

    Shane Guest

    Arne Vajhøj wrote:

    > Shane wrote:
    >> I am trying to write a basic https client. It will contact an https
    >> site, post authentication details, follow some links, and retrieve some
    >> information. This all seems like I am reinventing the wheel, but I am
    >> struggling to find example code.

    >
    > An example is attached below.
    >
    > Arne
    >
    > ==============================================
    >
    > import java.net.*;
    > import java.io.*;
    > import java.security.*;
    > import java.security.cert.*;
    >
    > import javax.net.ssl.*;
    >
    > public class HttpsGetAuth {
    > public static void main(String[] args) {
    > try {
    > SSLContext sslctx = SSLContext.getInstance("SSL");
    > sslctx.init(null, new X509TrustManager[] { new
    > MyTrustManager() }, null);
    >
    > HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
    > //HttpsURLConnection.setDefaultHostnameVerifier(new
    > MyHostnameVerifier());
    > Authenticator.setDefault(new MyAuthenticator());
    > URL url = new URL("https://www.xxxx.dk/prot4.html");
    > HttpsURLConnection con = (HttpsURLConnection)
    > url.openConnection();
    > if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
    > InputStream is = con.getInputStream();
    > OutputStream os = new FileOutputStream("C:\\z.z");
    > byte[] b = new byte[1000];
    > int n;
    > while ((n = is.read(b)) >= 0) {
    > os.write(b, 0, n);
    > }
    > os.close();
    > is.close();
    > }
    > con.disconnect();
    > } catch (NoSuchAlgorithmException e) {
    > e.printStackTrace();
    > } catch (KeyManagementException e) {
    > e.printStackTrace();
    > } catch (MalformedURLException e) {
    > e.printStackTrace();
    > } catch (FileNotFoundException e) {
    > e.printStackTrace();
    > } catch (IOException e) {
    > e.printStackTrace();
    > }
    > }
    > }
    >
    > class MyTrustManager implements X509TrustManager
    > {
    > public void checkClientTrusted(X509Certificate[] chain, String
    > authType) {
    > }
    > public void checkServerTrusted(X509Certificate[] chain, String
    > authType) {
    > }
    > public X509Certificate[] getAcceptedIssuers() {
    > return null;
    > }
    > }
    >
    > //class MyHostnameVerifier implements HostnameVerifier {
    > // public boolean verify(String urlHostName, SSLSession session) {
    > // return true;
    > // }
    > //}
    >
    > class MyAuthenticator extends Authenticator {
    > protected PasswordAuthentication getPasswordAuthentication() {
    > return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
    > }
    > }


    Awesome, thanks guys, that's what I needed
    --
    Q: What is the difference between a mathematician and a philosopher?
    A: The mathematician only needs paper, pencil, and a trash bin for his
    work - the philosopher can do without the trash bin...
     
    Shane, Jun 5, 2007
    #4
  5. Shane

    Esmond Pitt Guest

    Arne Vajhøj wrote:
    > public X509Certificate[] getAcceptedIssuers() {
    > return null;
    > }
    > }


    This 'trust-em-all' TrustManager has been spattered all over the Web but
    if that method ever gets called an NPE is likely to result. It doesn't
    comply with its specification.
     
    Esmond Pitt, Jun 6, 2007
    #5
  6. Esmond Pitt wrote:
    > Arne Vajhøj wrote:
    >> public X509Certificate[] getAcceptedIssuers() {
    >> return null;
    >> }
    >> }

    >
    > This 'trust-em-all' TrustManager has been spattered all over the Web but
    > if that method ever gets called an NPE is likely to result. It doesn't
    > comply with its specification.


    It should probably return an array with no elements.

    Well ...

    Arne
     
    =?ISO-8859-1?Q?Arne_Vajh=F8j?=, Jun 6, 2007
    #6
  7. Shane

    Esmond Pitt Guest

    Arne Vajhøj wrote:
    > It should probably return an array with no elements.


    It should definitely not return null when the specification says
    specifically that its return value is non-null.

    > Well ...


    Well, ... the whole idea of a trust-em-all TrustManager is inane to
    begin with. Why use SSL at all if you're prepared to trust anybody at
    the other end? This thing is only required when servers use self-signed
    certificates, and servers aren't supposed to do that. The resulting
    system is not secure.
     
    Esmond Pitt, Jun 6, 2007
    #7
  8. Shane

    Graham Guest

    On 6 Jun, 09:38, Esmond Pitt <> wrote:
    > Arne Vajhøj wrote:
    > <snip>
    > Well, ... the whole idea of a trust-em-all TrustManager is inane to
    > begin with. Why use SSL at all if you're prepared to trust anybody at
    > the other end?


    Because SSL provides many more services other than authentication?
     
    Graham, Jun 6, 2007
    #8
  9. > Because SSL provides many more services other than authentication?

    Yes, but what good are they without authentication? IMHO it is a huge
    misconception to think that an encrypted but not authenticated line is
    somehow 'secure'. Granted, nobody can intervene into your
    communication, but what does that help given that you cannot be sure
    who you are actually talking to?

    /philipp
     
    Philipp Leitner, Jun 6, 2007
    #9
  10. Shane

    Graham Guest

    On 6 Jun, 11:58, Philipp Leitner <> wrote:
    > > Because SSL provides many more services other than authentication?

    >
    > Yes, but what good are they without authentication? IMHO it is a huge
    > misconception to think that an encrypted but not authenticated line is
    > somehow 'secure'. Granted, nobody can intervene into your
    > communication, but what does that help given that you cannot be sure
    > who you are actually talking to?
    >
    > /philipp


    I didn't mean authentication doesn't take place at all, only that it
    is not necessary during the SSL handshake. For example, when you do
    your Internet Banking you authenticate yourself to the bank using a
    username and password after the SSL transport is established. It
    doesn't stop you from taking advantage of the confidentiality and
    integrity provided by SSL layer.

    - Graham
     
    Graham, Jun 6, 2007
    #10
  11. > I didn't mean authentication doesn't take place at all, only that it
    > is not necessary during the SSL handshake. For example, when you do
    > your Internet Banking you authenticate yourself to the bank using a
    > username and password after the SSL transport is established. It
    > doesn't stop you from taking advantage of the confidentiality and
    > integrity provided by SSL layer.


    True, but still there's TLS authentication involved ... if your
    browser would not validate the certificate of the bank's server I
    would not really want to enter my username and password in the first
    place :)

    /philipp
     
    Philipp Leitner, Jun 6, 2007
    #11
  12. Shane

    Esmond Pitt Guest

    Philipp Leitner wrote:
    > Yes, but what good are they without authentication? IMHO it is a huge
    > misconception to think that an encrypted but not authenticated line is
    > somehow 'secure'.


    Exactly, and that's exactly what it says in RFC2246.
     
    Esmond Pitt, Jun 7, 2007
    #12
  13. Philipp Leitner wrote:
    > > Because SSL provides many more services other than authentication?

    >
    > Yes, but what good are they without authentication? IMHO it is a huge
    > misconception to think that an encrypted but not authenticated line is
    > somehow 'secure'. Granted, nobody can intervene into your
    > communication, but what does that help given that you cannot be sure
    > who you are actually talking to?


    I guess that depends a lot on the context.

    Arne
     
    =?ISO-8859-1?Q?Arne_Vajh=F8j?=, Jun 9, 2007
    #13
  14. Shane

    Esmond Pitt Guest

    Arne Vajhøj wrote:
    > I guess that depends a lot on the context.


    It depends on the context providing authentication, no two ways about
    it. And as SSL already has a triple-strength A-grade mechanism for that
    why wouldn't you use it? And why would you build a trapdoor to allow
    that to be breached so you could substitute something of your own,
    inevitably much weaker?
     
    Esmond Pitt, Jun 13, 2007
    #14
  15. Did you actually get this to work?

    I am attempting something similar.

    First I tried a simple url using https protocal. That returns the page with
    the login in form.
    I filled in the parameters and sent it back. The login site did not
    recognize the login request.

    Second I followed the code below, with the exact same result. I can get the
    main login page, but
    after filling in the form and posting the correct response, the site did not
    respond as logged in.

    _________

    I suspect that the encryption is not working but I do not know how the
    diagnose that.

    Thanks for any help.
    "Shane" <-a-geek.net> wrote in message
    news:f435f4$1gm$...
    > Arne Vajhøj wrote:
    >
    >> Shane wrote:
    >>> I am trying to write a basic https client. It will contact an https
    >>> site, post authentication details, follow some links, and retrieve some
    >>> information. This all seems like I am reinventing the wheel, but I am
    >>> struggling to find example code.

    >>
    >> An example is attached below.
    >>
    >> Arne
    >>
    >> ==============================================
    >>
    >> import java.net.*;
    >> import java.io.*;
    >> import java.security.*;
    >> import java.security.cert.*;
    >>
    >> import javax.net.ssl.*;
    >>
    >> public class HttpsGetAuth {
    >> public static void main(String[] args) {
    >> try {
    >> SSLContext sslctx = SSLContext.getInstance("SSL");
    >> sslctx.init(null, new X509TrustManager[] { new
    >> MyTrustManager() }, null);
    >>
    >> HttpsURLConnection.setDefaultSSLSocketFactory(sslctx.getSocketFactory());
    >> //HttpsURLConnection.setDefaultHostnameVerifier(new
    >> MyHostnameVerifier());
    >> Authenticator.setDefault(new MyAuthenticator());
    >> URL url = new URL("https://www.xxxx.dk/prot4.html");
    >> HttpsURLConnection con = (HttpsURLConnection)
    >> url.openConnection();
    >> if (con.getResponseCode() == HttpsURLConnection.HTTP_OK) {
    >> InputStream is = con.getInputStream();
    >> OutputStream os = new FileOutputStream("C:\\z.z");
    >> byte[] b = new byte[1000];
    >> int n;
    >> while ((n = is.read(b)) >= 0) {
    >> os.write(b, 0, n);
    >> }
    >> os.close();
    >> is.close();
    >> }
    >> con.disconnect();
    >> } catch (NoSuchAlgorithmException e) {
    >> e.printStackTrace();
    >> } catch (KeyManagementException e) {
    >> e.printStackTrace();
    >> } catch (MalformedURLException e) {
    >> e.printStackTrace();
    >> } catch (FileNotFoundException e) {
    >> e.printStackTrace();
    >> } catch (IOException e) {
    >> e.printStackTrace();
    >> }
    >> }
    >> }
    >>
    >> class MyTrustManager implements X509TrustManager
    >> {
    >> public void checkClientTrusted(X509Certificate[] chain, String
    >> authType) {
    >> }
    >> public void checkServerTrusted(X509Certificate[] chain, String
    >> authType) {
    >> }
    >> public X509Certificate[] getAcceptedIssuers() {
    >> return null;
    >> }
    >> }
    >>
    >> //class MyHostnameVerifier implements HostnameVerifier {
    >> // public boolean verify(String urlHostName, SSLSession session) {
    >> // return true;
    >> // }
    >> //}
    >>
    >> class MyAuthenticator extends Authenticator {
    >> protected PasswordAuthentication getPasswordAuthentication() {
    >> return new PasswordAuthentication("xxxx", "xxxx".toCharArray());
    >> }
    >> }

    >
    > Awesome, thanks guys, that's what I needed
    > --
    > Q: What is the difference between a mathematician and a philosopher?
    > A: The mathematician only needs paper, pencil, and a trash bin for his
    > work - the philosopher can do without the trash bin...
    >
     
    G. Garrett Campbell, Jun 18, 2007
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Zorba
    Replies:
    0
    Views:
    951
    Zorba
    Jun 4, 2004
  2. Subra Mallampalli
    Replies:
    0
    Views:
    434
    Subra Mallampalli
    Oct 2, 2003
  3. Axel
    Replies:
    8
    Views:
    1,108
    Adrienne Boswell
    Apr 27, 2009
  4. jotto
    Replies:
    4
    Views:
    396
    jotto
    Oct 2, 2006
  5. Naveen Dhanuka
    Replies:
    1
    Views:
    287
Loading...

Share This Page