I am currently testing the waters of SSL, and am new to the SSL stuff. As a part of my research, I came across two different implementations of SSL in the java space.
First, let me state my requirement, which is very simple, I just need a process to post data to a URL using https.
Among the two solutions, the first one is a pure Java implementation (using only the core Java classes) and the other one uses the Apache HTTPClient to do it's http.
Initially, as a part of my testing, I would get the infamous "unable to find valid certification path to requested target " exception, and this I figured happens when the certificate (received from the server) is not part of the Java key store. Once I add the certificate to the Java Key store, the application works fine in both cases. However, in my use of HTTPClient, I noticed the use of SSLSocketFactory.
When I tested HttpClient with the following code,
HttpClient httpClient = new HttpClient();
PostMethod postMethod = new PostMethod(target);
postMethod.setQueryString("someQueryString");
try {
httpClient.executeMethod(postMethod);
System.out.println("Response code: " + postMethod.getStatusLine());
BufferedReader in = new BufferedReader (new InputStreamReader(postMethod.getResponseBodyAsStream()));
String temp;
while ((temp = in.readLine()) != null){
response += temp + "\n";
}
temp = null;
in.close ();
System.out.println("Server response:\n'" + response + "'");
} catch (HttpException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}finally{
postMethod.releaseConnection();
}
it worked fine, so I am not sure what is the use of SSLSocketFactory implementations? I initially thought this is useful, when we want to automate the addition of the certificate t开发者_开发百科o the key store. Am I right in that analysis?
If my analysis is true, which implementation is better?
- Is it better to just manually install the certificate? What are the cons of this approach? and will the certificate expire? If it does, would I have to install a new certificate again?
- Or should I automate the whole key store addition functionality using SSLSocketFactory?
Your inputs would be greatly appreciated. Thank you.
You should do neither. There are existing solutions to this.
From the docs:
There are several custom socket factories available in our contribution package. They can be a good start for those who seek to tailor the behavior of the HTTPS protocol to the specific needs of their application:
EasySSLProtocolSocketFactory can be used to create SSL connections that allow the target server to authenticate with a self-signed certificate.
StrictSSLProtocolSocketFactory can be used to create SSL connections that can optionally perform host name verification in order to help preventing man-in-the-middle type of attacks.
AuthSSLProtocolSocketFactory can be used to optionally enforce mutual client/server authentication. This is the most flexible implementation of a protocol socket factory. It allows for customization of most, if not all, aspects of the SSL authentication.
I came across two different implementations of SSL in the java space.
No you didn't. You came across the built-in JSSE and some stuff that Apache has built around it. The message 'unable to find valid certification path to requested target' for example comes from JSSE, indeed from JCE.
The only other implementation of JSSE itself that I am aware of is in the IBM JVM.
精彩评论