POST to secure server

RVic

I have an application that must run in Windows which must post to a servlet running on a secure server. I can WinSCP into that server, and I can use PuTTY to ssh into that server. But I am quite clueless how I can post to a servlet there? Is there something I can pass in posting, or something I do with my URLConnection or URL variable to allow me access as I get with WinSCP or PuTTY? Thank you.

URL postURL = new URL(servletURL);
HttpURLConnection conn = (HttpURLConnection) postURL.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);   // this request carries a body
conn.setUseCaches(false);
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
conn.connect();
// Writer over the request body; "out" was not declared in the snippet as posted
OutputStreamWriter out = new OutputStreamWriter(conn.getOutputStream(), "UTF-8");
StringBuilder sb = new StringBuilder();
sb.append(vtkey+"="+ paramval);
out.write(sb.toString());
out.flush();
 
markspace

I have an application that must run in windows which must post to a
servlet running on a secure server. I can WinSCP into that server,
and I can use PuTTY to ssh into that server. But I am quite clueless
how I can post to a servlet there? ....
out.write(sb.toString());
out.flush();

out.close();

Generally speaking, you must close the TCP connection or the server
won't "recognize" that you are done sending data.

I seem to recall that Java's built-in HttpConnection is kind of
primitive and doesn't really implement everything you'd expect for a
real HTTP connection. In particular, I think you have to handle cookies
yourself, which might be causing the server code to break if it doesn't
see the cookies it's expecting.

I think the Apache Commons library has an HTTP class that handles things
more automagically. Try their HttpClient if you can't figure out what
the built-in version needs:

<http://hc.apache.org/>
 
Roedy Green

I have an application that must run in windows which must post to a servlet running on a secure server. I can WinSCP into that server, and I can use PuTTY to ssh into that server. But I am quite clueless how I can post to a servlet there? Is there something I can pass in posting, or something I do with my URLConnection or URL variable to allow me access as I get with WinSCP or PuTTY? Thank you.

for sample code see http://mindprod.com/jgloss/http.html
--
Roedy Green Canadian Mind Products http://mindprod.com
 
RVic

Thanks for all your responses. I'm finding out from the client that they have no exposed URLs that my servlet call can come in on, and they need to somehow provide that on their end.

OTOH, because I need to get this project done and get it done beyond the crawl of academic bureaucracy, couldn't I simply read and write to a socket (in lieu of a servlet), forget about the post, just wrap and unwrap the parameters I would otherwise post, that I could access somehow with ssh through java?

Thanks in advance.
 
RVic

If I ssh in.....trying to think this through, how might I replicate a post to a servlet? Not sure on this last step, wouldn't I need a socket listener running on the target where I otherwise would have had a servlet running? Thanks for your thoughts and ideas here.
 
Silvio

I have an application that must run in windows which must post to a servlet running on a secure server. I can WinSCP into that server, and I can use PuTTY to ssh into that server. But I am quite clueless how I can post to a servlet there? Is there something I can pass in posting, or something I do with my URLConnection or URL variable to allow me access as I get with WinSCP or PuTTY? Thank you.

URL postURL = new URL(servletURL);
HttpURLConnection conn = (HttpURLConnection) postURL.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setUseCaches(false);
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
conn.connect();
StringBuilder sb = new StringBuilder();
sb.append(vtkey+"="+ paramval);
out.write(sb.toString());
out.flush();

There are two options: you either post via HTTP or HTTPS directly to the
servlet (possibly passing through reverse proxies or NAT at the server
side) or you need to create an SSH tunnel first and use the tunnel to
reach the servlet.

The former will only work if the servlet is accessible from the outer
world. The latter will require you to create the tunnel from the client
side using the SSH connection for transport. Putty can create the tunnel
for you but this requires setting up the tunnel manually. If you want to
create the tunnel from inside the application you would need an SSH
library. JSCH would be a good candidate since it is open source and it
supports tunnelling. Having set up the tunnel you can simply post to
localhost.

Silvio
 
RVic

Thank you. I was thinking I would have to create a socket listener on the server side once I had an ssh connection set up with Jsch. I am looking through the Jsch examples (I am enclosing one in particular called ViaHTTP) but I cannot, for the life of me, see how I would then perform my Post within that framework? Can you please explain further? Thank you!


String proxy_host;
int proxy_port;

try{
    JSch jsch=new JSch();

    String host=null;
    if(arg.length>0){
        host=arg[0];
    }
    else{
        host=JOptionPane.showInputDialog("Enter username@hostname",
                                         System.getProperty("user.name")+
                                         "@localhost");
    }
    String user=host.substring(0, host.indexOf('@'));
    host=host.substring(host.indexOf('@')+1);

    Session session=jsch.getSession(user, host, 22);

    String proxy=JOptionPane.showInputDialog("Enter proxy server",
                                             "hostname:port");
    proxy_host=proxy.substring(0, proxy.indexOf(':'));
    proxy_port=Integer.parseInt(proxy.substring(proxy.indexOf(':')+1));

    session.setProxy(new ProxyHTTP(proxy_host, proxy_port));

    // username and password will be given via UserInfo interface.
    UserInfo ui=new MyUserInfo();
    session.setUserInfo(ui);

    session.connect();

    Channel channel=session.openChannel("shell");

    channel.setInputStream(System.in);
    channel.setOutputStream(System.out);

    channel.connect();
}
catch(Exception e){
    System.out.println(e);
}
 
Silvio

Thank you. I was thinking I would have to create a socket listener on the server side once I had an ssh connection set up with Jsch. I am looking through the Jsch examples (I am enclosing one in particular called ViaHTTP) but I cannot, for the life of me, see how I would then perform my Post within that framework? Can you please explain further? Thank you!


String proxy_host;
int proxy_port;

try{
JSch jsch=new JSch();

String host=null;
if(arg.length>0){
host=arg[0];
}
else{
host=JOptionPane.showInputDialog("Enter username@hostname",
System.getProperty("user.name")+
"@localhost");
}
String user=host.substring(0, host.indexOf('@'));
host=host.substring(host.indexOf('@')+1);

Session session=jsch.getSession(user, host, 22);

String proxy=JOptionPane.showInputDialog("Enter proxy server",
"hostname:port");
proxy_host=proxy.substring(0, proxy.indexOf(':'));
proxy_port=Integer.parseInt(proxy.substring(proxy.indexOf(':')+1));

session.setProxy(new ProxyHTTP(proxy_host, proxy_port));

// username and password will be given via UserInfo interface.
UserInfo ui=new MyUserInfo();
session.setUserInfo(ui);

session.connect();

Channel channel=session.openChannel("shell");

channel.setInputStream(System.in);
channel.setOutputStream(System.out);

channel.connect();
}
catch(Exception e){
System.out.println(e);
}


I am guessing you meant this as a reply to my post...

If you set up a tunnel using JSCH (which requires adding an additional
connection property string to the connection that specifies the server
destination host:port and the local port on the client side) then any
communication going through localhost:port on the client will be
tunnelled via SSH and reach the destination host:port on the server side.
So assuming that there is an existing servlet on the server side that is
listening for HTTP requests on port 80 on the same box you make the SSH
connection to, your server host:port would be localhost:80 and you could
use any desired port on the client side, let's say 8080. After that you
can use new URL("http://localhost:8080/path/to/the/servlet/") and do a
normal post from the client. The tunnel will automagically make your
request reach the servlet.

Despite what others have said the standard HTTP client in Java works
fine and will probably give you what you need. If the servlet might barf
on the URL because of the localhost:8080 you could even use any
imaginable URL like new URL("http://www.whatever.com/path/to/servlet/")
and use the proxy option of URL#openConnection to get traffic through
localhost:8080.

Good luck,

Silvio
 
RVic

Silvio, Thank you -- but I am a little confused by what you say. Right now, using JSCH I can connect with:

JSch jsch = new JSch();
Session session = jsch.getSession("me"/*user*/, "moonprod"/*serverURL*/);
session.setPort(22);
session.setPassword(password);
session.connect();

And the servlet I must reach is on Tomcat on the server on port 28080 which would be hit as http://moonprod:28080/servlets/myservlet
What are you saying, below, that I should change? Thank you!



<<If you setup a tunnel using JSCH (which requires adding an addition
connection property string to the connection that specifies the server
destination host:port and the local port on the client side then any
communication going through localhost:port on the client will be
tunnelled via SSH and reach the destination host:port on the server side.
So assuming that there is an existing servlet on the server side that is
listening for HTTP requests on port 80 on the same box you make the SSH
connection to you server host:port would be localhost:80 and you could
use any desired port on the client side, lets say 8080. After that you
can use new URL("http://localhost:8080/path/to/the/servlet/") and do a
normal post from the client. The tunnel will automagically make your
request reach the servlet. >>
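
Silvio's tunnel description applied to the host, Tomcat port and servlet path given in this post, as an added example that is not part of the original thread. The class name, the password argument, the known_hosts location and the sample form parameter are assumptions; local port 8080 is the one Silvio suggests.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class TunnelPost {
    public static void main(String[] args) throws Exception {
        String password = args[0];                 // assumption: password passed as first argument
        String key = "vtkey", value = "paramval";  // constructed sample form parameter

        JSch jsch = new JSch();
        // Check the server's host key against a known_hosts file (assumed path)
        // rather than switching host key checking off.
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
        Session session = jsch.getSession("me", "moonprod", 22);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.setPassword(password);
        session.connect(15000);
        try {
            // Local forward: 127.0.0.1:8080 on the client -> localhost:28080 as seen from moonprod.
            int localPort = session.setPortForwardingL("127.0.0.1", 8080, "localhost", 28080);

            // From here on it is an ordinary POST, aimed at the local end of the tunnel.
            URL url = new URL("http://127.0.0.1:" + localPort + "/servlets/myservlet");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setUseCaches(false);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            byte[] body = (URLEncoder.encode(key, "UTF-8") + "=" + URLEncoder.encode(value, "UTF-8"))
                    .getBytes(StandardCharsets.UTF_8);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);                   // closing the stream ends the request body
            }
            System.out.println("HTTP " + conn.getResponseCode());
            conn.disconnect();
        } finally {
            session.disconnect();                  // tears down the forward with the session
        }
    }
}
```

Binding the forward to 127.0.0.1 keeps other machines on the client's network from using it, and the request is plain HTTP only on the server's own loopback between sshd and Tomcat.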
 
RVic

Lipska, Yes I do not know what Silvio means -- not even sure why I would need to port forward it? Thank you.
 
Arved Sandstrom

Thanks for all your responses. I'm finding out from the client that they have no exposed URLs that my servlet call can come in on, and they need to somehow provide that on their end.
[ SNIP ]

Errr, to me that means that someone set up the servlet engine (Tomcat or
whatever) with HTTP/HTTPS ports that are blocked by a firewall. And they
are simply saying that they need to open up those ports.

I'd let the client do just that.

AHS
 
markspace

Thanks for all your responses. I'm finding out from the client that
they have no exposed URLs that my servlet call can come in on, and
they need to somehow provide that on their end.
[ SNIP ]

Errr, to me that means that someone set up the servlet engine (Tomcat or
whatever) with HTTP/HTTPS ports that are blocked by a firewall. And they
are simply saying that they need to open up those ports.

I'd let the client do just that.


Well, firewall or DMZ plus gateway, or whatever else they might be using
to protect their systems from teh hax. But yes, the general idea is
that the client should do something about it (and probably only the
client can).
 
Silvio

Lipska, Yes I do not know what Silvio means -- not even sure why I would need to port forward it? Thank you.

Your replies arrive at strange places...

What Lipska posted is right on the money. In JSCH it is called port
forwarding because they do not know what they would be forwarding but
since in your case you would effectively be forwarding HTTP through the
SSH connection it becomes tunnelling.

If you can access the servlet directly at
http://moonprod:28080/servlets/myservlet (like you said in your other
post that was also misplaced) then you would not need the SSH
connection. However, if the servlet is not publicly accessible creating
the tunnel is the only option.

Thank you Lipska for clarifying my post. This stuff is everyday routine
for me so I may have rushed through the explanation.

Silvio
 
Silvio

Thanks for all your responses. I'm finding out from the client that
they have no exposed URLs that my servlet call can come in on, and
they need to somehow provide that on their end.
[ SNIP ]

Errr, to me that means that someone set up the servlet engine (Tomcat or
whatever) with HTTP/HTTPS ports that are blocked by a firewall. And they
are simply saying that they need to open up those ports.

I'd let the client do just that.

The OP has already said that due to 'academic bureaucracy that is not an
option although I agree it's the ideal solution.

I thought the port forwarding solution was quite neat although I haven't
tried it so I don't know if it would actually work.

lipska


Hello Lipska,

Yes, it works. And to boot it performs quite well.

I run a load-balancing clustered (custom scripting) system off a small
but constantly varying VPS park. The system communicates with lots of
external servers that only accept SSH from one specific IP address I
own. Behind the firewalls they have stuff like SQL-Server instances,
FTP/HTTP servers etc. running that I need to access.

Setting up a VPN would be an option but due to the volatile nature of my
server park this is very inconvenient. Using SSH to tunnel through my
steady factor IP works just as well and is just as safe.

You gotta love SSH. (And thank god for SSHFS).

Silvio
 
Arved Sandstrom

Thanks for all your responses. I'm finding out from the client that
they have no exposed URLs that my servlet call can come in on, and
they need to somehow provide that on their end.
[ SNIP ]

Errr, to me that means that someone set up the servlet engine (Tomcat or
whatever) with HTTP/HTTPS ports that are blocked by a firewall. And they
are simply saying that they need to open up those ports.

I'd let the client do just that.

The OP has already said that due to 'academic bureaucracy that is not an
option although I agree it's the ideal solution.

He also used the term "client". If that's actually the relationship, to
me that changes the entire equation here. The OP is clearly talking to
these folks, based on his wording above, so it does sound like there is
a work relationship.

Given that, the client opening up a port or two in a firewall is
absolutely an option. What's totally an option is for him to get
educated a bit more on networking, and talk a bit more to the client,
before tackling an unfamiliar (to him) technique that may be no
timesaver at all.
I thought the port forwarding solution was quite neat although I haven't
tried it so I don't know if it would actually work.

lipska
It would work, in all its various permutations (forward ports for a
single request, open a tunnel for lengthier work etc etc). I do this
often for things like exposing a DB on a protected box so that a client
program on a different box sees it as being on localhost maybe with a
different port.

AHS
 
RVic

The client is a University, and they are not too responsive or cooperative, more just "We don't know what you are talking about make it work we won't help you."

So after two days of waiting for them to open it to me, I decided there must be an alternative way.

Now, they have decided to migrate the server, so I have no way of testing it until they let me know the new one is up. So as soon as I can, I will test the port forwarding using Jsch here. I already know the servlet and client work flawlessly (they use basic authentication and encrypt the post parameters -- there would be very little problem even if they exposed it to the outside world) as I have run them communicating together on my local -- so if there is a problem when I run it then it is because I have the tunnel setup incorrectly.

Thank you guys for your help -- I will report back here hopefully within the next 24 hours. RVic
 
Arved Sandstrom

On 27/03/13 23:11, Arved Sandstrom wrote:
On 03/27/2013 09:34 AM, RVic wrote:
Thanks for all your responses. I'm finding out from the client that
they have no exposed URLs that my servlet call can come in on, and
they need to somehow provide that on their end.
[ SNIP ]

Errr, to me that means that someone set up the servlet engine (Tomcat or
whatever) with HTTP/HTTPS ports that are blocked by a firewall. And they
are simply saying that they need to open up those ports.

I'd let the client do just that.

The OP has already said that due to 'academic bureaucracy that is not an
option although I agree it's the ideal solution.

He also used the term "client". If that's actually the relationship, to
me that changes the entire equation here. The OP is clearly talking to
these folks, based on his wording above, so it does sound like there is
a work relationship.

Given that, the client opening up a port or two in a firewall is
absolutely an option.

Well possibly, I remember trying to get root access to a Solaris box
back in the day when I was a drunken bum, er I mean student, it was
something akin to asking for access to the dean's personal bank account.
There were meetings and meetings and meetings to plan meetings ... it
took three weeks just to get the cave dwelling troglodyte who managed
these things to set up a single Solaris box, and I was writing software
*for* the University.

As I see it, if the target server has ssh up and the developer can use
ssh to implement a solution then that means he can do so without waiting
an eternity for some doofus to open up a port then that sounds like a
solution to me, in fact, it's such a neat solution that I'm tempted to
get a tunnel set up to one of my remote servers and give it a go.

Incidentally, Zenmap reports three open ports on moonprod.com one of
which may be an httpd on 80 so it looks like they have it fairly tightly
locked down.

lipska

Lipska the Kat©: Troll hunter, sandbox destroyer
and farscape dreamer of Aeryn Sun

I think everyone's been in situations where infrastructure requests are
handled glacially, or are rejected, or are modified.

I'm thinking I (we) don't know enough about what's going on here. We
know next to nothing about the client's network setup; we have no idea
who exactly the OP talked to (a networking type, or a barely technical
customer?).

Like I said, I use exactly this SSH approach now, and have used it in
the past. I can tell you this, I've never used it for a webserver. That
is unusual enough that to me it signals lack of information that the OP
would do well to acquire.

AHS
 
RVic

Gentlemen,

It works, I'm able to hit the server now (though my servlet returns a 500 error, and I need to look in the tomcat logs to figure out why that might be) at least I am able to connect. Thanks for all your help on this. RVic.
 
Silvio

Gentlemen,

It works, I'm able to hit the server now (though my servlet returns a 500 error, and I need to look in the tomcat logs to figure out why that might be) at least I am able to connect. Thanks for all your help on this. RVic.

Good for you. And glad to hear we could be of service.

Cheers.
 
