Using HTTPS with REST in Java

Question

I have a REST server made in Grizzly that uses HTTPS and works wonderfully with Firefox   Here s the code     Build a new Servlet Adapter  ServletAdapter adapter new ServletAdapter    adapter addInitParameter  com sun jersey config property packages    My services    adapter addInitParameter ResourceConfig PROPERTY CONTAINER REQUEST FILTERS  SecurityFilter class getName     adapter setContextPath       adapter setServletInstance new ServletContainer        Configure SSL  See instructions at the top of this file on how these files are generated   SSLConfig ssl new SSLConfig    String keystoreFile Main class getResource  resources keystore server jks   toURI   getPath    System out printf  Using keystore at   s   keystoreFile   ssl setKeyStoreFile keystoreFile   ssl setKeyStorePass  asdfgh       Build the web server  GrizzlyWebServer webServer new GrizzlyWebServer getPort 9999      true      Add the servlet  webServer addGrizzlyAdapter adapter  new String             Set SSL webServer setSSLConfig ssl      Start it up  System out println String format  Jersey app started with WADL available at         sapplication wadl n            https   localhost 9999      webServer start      Now  I try to reach it in Java   SSLContext ctx null  try       ctx   SSLContext getInstance  SSL      catch  NoSuchAlgorithmException e1        e1 printStackTrace      ClientConfig config new DefaultClientConfig    config getProperties   put HTTPSProperties PROPERTY HTTPS PROPERTIES  new HTTPSProperties null ctx    WebResource service Client create new DefaultClientConfig    resource  https   localhost 9999        Attempt to view the user s page  try      service          path  user   username           get String class       And get   com sun jersey api client ClientHandlerException  javax net ssl SSLHandshakeException  sun security validator ValidatorException  PKIX path building failed  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target  at com sun jersey client urlconnection URLConnectionClientHandler handle URLConnectionClientHandler java 128   at com sun jersey api client Client handle Client java 453   at com sun jersey api client WebResource handle WebResource java 557   at com sun jersey api client WebResource get WebResource java 179    From examples that I ve found on the web  it seems like I would need to setup a Truststore then setup some sort of TrustManager   This seems like a lot of code and setup work for my simple little project   Is there an easier way to just say  I trust this cert and point to a  cert file

User · Answer

The answer of delfuego is the simplest way to solve the certificate problem  But  in my case  one of our third party url  using https   updated their certificate every 2 months automatically  It means that I have to import the cert to our Java trust store manually every 2 months as well  Sometimes it caused production problems  So  I made a method to solve it with SecureRestClientTrustManager to be able to consume https url without importing the cert file  Here is the method        public static String doPostSecureWithHeader String url  String body  Map headers              throws Exception           log info  start doPostSecureWithHeader     url     with param     body           long startTime          long endTime          startTime   System currentTimeMillis            Client client          client   Client create            WebResource webResource          webResource   null          String output   null          try              SSLContext sslContext   null              SecureRestClientTrustManager secureRestClientTrustManager   new SecureRestClientTrustManager                sslContext   SSLContext getInstance  SSL                sslContext              init null                      new javax net ssl TrustManager     secureRestClientTrustManager                        null               DefaultClientConfig defaultClientConfig   new DefaultClientConfig                defaultClientConfig              getProperties                put com sun jersey client urlconnection HTTPSProperties PROPERTY HTTPS PROPERTIES                      new com sun jersey client urlconnection HTTPSProperties                              getHostnameVerifier    sslContext                 client   Client create defaultClientConfig               webResource   client resource url                if headers  null    headers size   0                   for  Map Entry entry   headers entrySet                         webResource setProperty entry getKey    entry getValue                                                 WebResource Builder builder                        webResource accept  application json                if headers  null    headers size   0                   for  Map Entry entry   headers entrySet                         builder header entry getKey    entry getValue                                                  ClientResponse response   builder                      post ClientResponse class  body               output   response getEntity String class                     catch Exception e               log error e getMessage   e               if e toString   contains  One or more of query value parameters are null                     output  -1                             if e toString   contains  401 Unauthorized                     throw e                                  finally               if  client   null                    client destroy                                    endTime   System currentTimeMillis            log info  time hit    url    selama     endTime - startTime      milliseconds dengan output     output           return output

User · Answer

When you say  is there an easier way to    trust this cert   that s exactly what you re doing by adding the cert to your Java trust store   And this is very  very easy to do  and there s nothing you need to do within your client app to get that trust store recognized or utilized   On your client machine  find where your cacerts file is  that s your default Java trust store  and is  by default  located at  lt java-home gt  lib security certs cacerts   Then  type the following   keytool -import -alias  lt Name for the cert gt  -file  lt the  cer file gt  -keystore  lt path to cacerts gt    That will import the cert into your trust store  and after this  your client app will be able to connect to your Grizzly HTTPS server without issue   If you don t want to import the cert into your default trust store -- i e   you just want it to be available to this one client app  but not to anything else you run on your JVM on that machine -- then you can create a new trust store just for your app   Instead of passing keytool the path to the existing  default cacerts file  pass keytool the path to your new trust store file   keytool -import -alias  lt Name for the cert gt  -file  lt the  cer file gt  -keystore  lt path to new trust store gt    You ll be asked to set and verify a new password for the trust store file   Then  when you start your client app  start it with the following parameters   java -Djavax net ssl trustStore  lt path to new trust store gt  -Djavax net ssl trustStorePassword  lt trust store password gt    Easy cheesy  really

User · Answer

Here s the painful route       SSLContext ctx   null      try           KeyStore trustStore          trustStore   KeyStore getInstance  JKS            trustStore load new FileInputStream  C   truststore client                     asdfgh  toCharArray             TrustManagerFactory tmf   TrustManagerFactory                  getInstance  SunX509            tmf init trustStore           ctx   SSLContext getInstance  SSL            ctx init null  tmf getTrustManagers    null         catch  NoSuchAlgorithmException e1            e1 printStackTrace          catch  KeyStoreException e            e printStackTrace          catch  CertificateException e            e printStackTrace          catch  FileNotFoundException e            e printStackTrace          catch  IOException e            e printStackTrace          catch  KeyManagementException e            e printStackTrace              ClientConfig config   new DefaultClientConfig        config getProperties   put HTTPSProperties PROPERTY HTTPS PROPERTIES              new HTTPSProperties null  ctx         WebResource service   Client create config  resource               https   localhost 9999         service addFilter new HTTPBasicAuthFilter username  password            Attempt to view the user s page      try           service path  user     username  get String class         catch  Exception e            e printStackTrace            Gotta love those six different caught exceptions      There are certainly some refactoring to simplify the code a bit   But  I like delfuego s -D options on the VM   I wish there was a javax net ssl trustStore static property that I could just set   Just two lines of code and done   Anyone know where that would be   This may be too much to ask  but  ideally the keytool would not be used   Instead  the trustedStore would be created dynamically by the code and the cert is added at runtime   There must be a better answer

User · Answer

Something to keep in mind is that this error isn t only due to self signed certs   The new Entrust CA certs fail with the same error  and the right thing to do is to update the server with the appropriate root certs  not to disable this important security feature

User · Answer

Check this out  http   code google com p resting   I could use resting to consume  HTTPS REST services

[java] Using HTTPS with REST in Java

Examples related to java

Examples related to rest

Examples related to ssl

Examples related to x509