My application makes multiple web calls in order to get authentication. I need to store this session in a cookie. I wanted to use Cookie Manager but after doing some research, I found out it is only available to API 9 and above and my application needs to be backward compatible.
I make my web connections using HTTPURLConnection to a secure HTTPS. Quick example of my code
public String iStream_to_String(InputStream is)
{
BufferedReader rd = new BufferedReader(new InputStreamReader(is), 4096);
String line;
StringBuilder sb = new StringBuilder();
try
{
while ((line = rd.readLine()) != null)
{
sb.append(line);
}
rd.close();
} catch (IOException e)
{
e.printStackTrace();
}
String contentOfMyInputStream = sb.toString();
return contentOfMyInputStream;
}
final static HostnameVerifier DO_NOT_VERIFY = new HostnameVerifier()
{
public boolean verify(String hostname, SSLSession session)
{
return true;
}
};
/**
* Trust every server - dont check for any certificate
*/
private static void trustAllHosts()
{
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]
{ new X509TrustManager()
{
public java.security.cert.X509Certificate[] getAcceptedIssuers()
{
return new java.security.cert.X509Certificate[]
{};
}
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException
{
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException
{
}
} };
// Install the all-trusting trust manager
try
{
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection
.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e)
{
e.printStackTrace();
}
}
Then I make a request like so
try
{
url = new URL(url1);
trustAllHosts();
HttpsURLConnection https = (HttpsURLConnection) url.openConnection();
https.setHostnameVerifier(DO_NOT_VERIFY);
http = https;
InputStream in = new BufferedInputStream(http.getInputStream());
sAuthenticateP1 = iStream_to_String(in);
in.close();
} catch (Exception e)
{
e.printStackTrace();
}
The full authentication is done in 4 steps. I need to have it so the session is remembered throughout the 4 steps. Seeing I can't use CookieManager, I have been looking around for other ways of doing this, but can't seem to find any. Would anyone be able to point me in the right direction.
Thanks in advance!!
Figured it out. Incase anyone else is having similar problem, will give quick outline of code. As I said before mine is a several step authentication process. So after the first request, after you have received a response, take the cookie like so
String cookie = http.getRequestProperty("Cookie");
if (cookie != null && cookie.length() > 0)
{
sCookie = cookie;
Log.v("cookie2", sCookie);
}
sCookie is a static string variable I have set up. Then in the next request, after this line
https = (HttpsURLConnection) url.openConnection();
Just put
https.setRequestProperty("Cookie", sCookie);
https.setRequestMethod("POST");
https.setDoInput(true);
https.setDoOutput(true);
And do the same thing for each request after that requires the session, and it should work fine
Related
I'm writing a mod for a game in Java to check to see if the player has voted using a server methods to get the Steam ID. I can't get a good response from what I'm seeing. Every response is an IOException which I've had print out "Invalid Response Code".
I've tried implementing what I've seen in similar mods for https connections, but I am not getting anywhere with it.
try {
HttpsURLConnection connection = (HttpsURLConnection) new URL( "https://somewebsite.com/"
).openConnection();
connection.setSSLSocketFactory(createTrustAllSocketFactory());
int responseCode = connection.getResponseCode();
if (responseCode != 200) throw new IOException("Invalid response code.");
InputStream in = connection.getInputStream();
ByteArrayOutputStream stringBuffer = new ByteArrayOutputStream();
byte[] buffer = new byte[256];
int len = 0;
while (len != -1) {
stringBuffer.write(buffer, 0, len);
len = in.read(buffer);
}
String result = new String(stringBuffer.toByteArray(), StandardCharsets.UTF_8);
if (result.equals("1")) {
try {
performer.addMoney(MonetaryConstants.COIN_COPPER * 5);
performer.getCommunicator().sendNormalServerMessage("Thanks for voting! Your rewards have been added to your bank.");
} catch (IOException ex) {
performer.getCommunicator().sendAlertServerMessage("Failed to add reward. Please submit a support ticket.");
ex.printStackTrace();
}
}
private static SSLSocketFactory createTrustAllSocketFactory() throws IOException {
try {
SSLContext ctx = SSLContext.getInstance("TLS");
TrustManager[] trustManagers = {
new X509TrustManager() {
#Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {
/* empty */
}
#Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {
/* empty */
}
#Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
};
ctx.init(null, trustManagers, null);
return ctx.getSocketFactory();
} catch (GeneralSecurityException ex) {
throw new IOException(ex);
}
}
The expectation is that when the command is issued in-game, the server will call the external site with the player's steam ID and generate either a 0 or 1 based on if they have voted.
Actual is getting a bad response code.
While I was changing from open weather api to dark sky api, I found a problem with the connection.
I simply want to get the JSON-response from that api and with the open weather map api, everything worked just well. Now I decided to use the dark sky api instead. I just adapted everything as always but it doesn't work.
Maybe it has a problem with https? (the dark sky api uses an https-URL where the open weather map api used an http-URL).
Anyway, I catch an IOException in
inputStream = connection.getInputStream();
Here is my class:
import com.nymvno.hiob.prototyp_v30.Utils.Utils;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
public class WeatherHttpClient {
public String getWeatherData(String place) {
HttpURLConnection connection;
InputStream inputStream;
try {
connection = (HttpURLConnection) (new URL(Utils.BASE_URL + place)).openConnection();
connection.setRequestMethod("GET");
connection.setDoInput(true);
connection.setDoOutput(true);
connection.connect();
//Read the response
StringBuffer stringBuffer = new StringBuffer();
inputStream = connection.getInputStream();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuffer.append(line + "\r\n");
}
inputStream.close();
connection.disconnect();
return stringBuffer.toString();
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
}
You must have to varify your host name from your Application class
check my code
public class MyApp extends Application{
#Override
public void onCreate(){
super.onCreate();
handleSSLHandshake();
}
#SuppressLint("TrulyRandom")
public static void handleSSLHandshake() {
try {
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
#Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
#Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
#Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
}};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
#Override
public boolean verify(String hostname, SSLSession arg1) {
if(hostname.equalsIgnoreCase("your host name")){
return true;
}else {
return false;
}
}
});
} catch (Exception ignored) {
}
}
}
As you have mentioned, there is just a difference of http/https protocol. For URLS, having https protocols, you must use HttpsURLConnection API rather than HttpURLConnection. If you use HttpURLConnection API for https url exception will be thrown. For further details you may refer below link.
https://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
Dear SO Community of Awesomeness,
I'm building a secure app that deals with sensitive information. The app communicates with my own RESTful API over SSL. I don't want to limit the app to the specific certificate I was issued, but rather to trust only certificates issued by my provider, e.g. Comodo. That way I can extend and reissue the certificate without having to release an app update.
I found a great resource for getting this done here but Android 6 deprecated HttpClient and switched to HttpsURLConnection. Google has their own approach posted here. On implementation, however, I noticed that instead of throwing a "not trusted" exception for a different certificate, it just forced the usage of the local CA cert which is not the behavior I intended.
Does anyone have a reference for trusting only a specific CA using HttpsURLConnection?
OK I solved it, figured I would post the solution in case anyone else hits the same problem. Here is the code to use to get a JSON file using HttpsUrlConnection:
(...)
public static class GetJsonTask extends AsyncTask<Void, Integer, AsyncResponse> {
protected String jsonData;
protected IGetJsonListener listener;
protected Context context = null;
protected String strUrl;
public GetJsonTask(Context c, IGetJsonListener l, String strUrl) {
super();
listener = l;
context = c;
this.strUrl = strUrl;
}
#Override
protected AsyncResponse doInBackground(Void... Void) {
JsonObject jsonObjectResult = new JsonObject();
APIStatus status;
if (isConnected(context)) {
HttpsURLConnection httpsURLConnection=null;
try {
//THIS IS KEY: context contains only our CA cert
SSLContext sslContext = getSSLContext(context);
if (sslContext != null) {
//for HTTP BASIC AUTH if your server implements this
//String encoded = Base64.encodeToString(
// ("your_user_name" + ":" + "your_pwd").getBytes(),
// Base64.DEFAULT);
URL url = new URL(strUrl);
httpsURLConnection = (HttpsURLConnection) url.openConnection();
httpsURLConnection.setRequestMethod("GET");
httpsURLConnection.setRequestProperty("Content-length", "0");
httpsURLConnection.setUseCaches(false);
httpsURLConnection.setAllowUserInteraction(false);
//FOR HTTP BASIC AUTH
//httpsURLConnection.setRequestProperty("Authorization", "Basic " + encoded);
//THIS IS KEY: Set connection to use custom socket factory
httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory());
//httpsURLConnection.setConnectTimeout(timeout);
//httpsURLConnection.setReadTimeout(timeout);
httpsURLConnection.connect();
status = getStatusFromCode(httpsURLConnection.getResponseCode());
listener.getJsonShowProgress(90);
if (status == APIStatus.OK) {
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsURLConnection.getInputStream()));
StringBuilder stringBuilder = new StringBuilder();
String line;
while ((line = bufferedReader.readLine()) != null) {
stringBuilder.append(line);
}
bufferedReader.close();
JsonParser parser = new JsonParser();
String s = stringBuilder.toString();
jsonObjectResult = (JsonObject) parser.parse(s);
}
} else
status = APIStatus.AUTH_ERROR;
listener.getJsonShowProgress(99);
//THIS IS KEY: this exception is thrown if the certificate
//is signed by a CA that is not our CA
} catch (SSLHandshakeException e) {
status = APIStatus.AUTH_ERROR;
//React to what is probably a man-in-the-middle attack
} catch (IOException e) {
status = APIStatus.NET_ERROR;
} catch (JsonParseException e) {
status = APIStatus.JSON_ERROR;
} catch (Exception e) {
status = APIStatus.UNKNOWN_ERROR;
} finally {
if (httpsURLConnection != null)
httpsURLConnection.disconnect();
}
} else {
status = APIStatus.NET_ERROR;
}
// if not successful issue another call for the next hour.
AsyncResponse response = new AsyncResponse();
response.jsonData = jsonObjectResult;
response.opStatus = status;
return response;
}
#Override
protected void onPreExecute() {
super.onPreExecute();
if (listener != null)
listener.getJsonStartProgress();
}
#Override
protected void onProgressUpdate(Integer... progress) {
listener.getJsonShowProgress(progress[0]);
}
#Override
protected void onPostExecute(AsyncResponse result) {
listener.getJsonFinished(result.jsonData, result.opStatus);
}
public interface IGetJsonListener {
void getJsonStartProgress();
void getJsonShowProgress(int percent);
void getJsonFinished(JsonObject resJson, APIStatus status);
}
}
private static SSLContext getSSLContext(Context context){
//Mostly taken from the Google code link in the question.
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
AssetManager am = context.getAssets();
//THIS IS KEY: Your CA's cert stored in /assets/
InputStream caInput = new BufferedInputStream(am.open("RootCA.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
//System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
return sslContext;
} catch (Exception e){
return null;
}
}
public enum APIStatus {
OK("OK.", 200), //all went well
JSON_ERROR("Error parsing response.", 1),
NET_ERROR("Network error.", 2), //we couldn't reach the server
UNKNOWN_ERROR("Unknown error.", 3), //some sh*t went down
AUTH_ERROR("Authentication error.", 401), //credentials where wrong
SERVER_ERROR("Internal server error.", 500), //server code crashed
TIMEOUT("Operation timed out.", 408); //network too slow or server overloaded
private String stringValue;
private int intValue;
private APIStatus(String toString, int value) {
stringValue = toString;
intValue = value;
}
#Override
public String toString() {
return stringValue;
}
}
private static APIStatus getStatusFromCode(int code) {
if (code==200 || code==201) {
return APIStatus.OK;
}else if (code == 401) {
return APIStatus.AUTH_ERROR;
} else if (code == 500) {
return APIStatus.SERVER_ERROR;
} else if (code == 408) {
return APIStatus.TIMEOUT;
} else {
return APIStatus.UNKNOWN_ERROR;
}
}
private static class AsyncResponse {
public APIStatus opStatus;
public JsonObject jsonData;
}
(...)
Usage is fairly straightforward:
public class MyClass implements IGetJsonListener {
(...)
new GetJsonTask(context, this, "https://your.url.com/").execute();
#Override
public void getJsonFinished(JsonObject resJson, APIStatus status) {
//Handle JSON content from web here
(...)
}
(...)
}
I'd love to hear any improvements you have.
Hell everyone,
I have set up the java webservices on tomcat + ssl Connection by the link below
http://www.mkyong.com/webservices/jax-ws/deploy-jax-ws-web-services-on-tomcat-ssl-connection/ . It works fine.
My question now is here in this code the client part does not authencticate certificate or ssl connection, I have part only to check the hostname,by hostname verifier,but now I have a self-signed certificate, and not sure what should I do.
how to extend this class. I find few codes from forum but i do not get an entire idea, where the keystore or truststore come from. Reference to any blog or link that guide me is much appreciated.
My Client code is below
public IExample create() throws MalformedURLException{
try{
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
// Trust always
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
// Trust always
}
} };
// Install the all-trusting trust manager
sc = SSLContext.getInstance("SSL");
// Create empty HostnameVerifier
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession arg1) {
if(hostname.equals(arg1.getPeerHost()) && hostname.equals("example.com"))
{
return true;
}else{
return false;
}
}
};
sc.init(null,trustAllCerts , new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(hv);
}
catch(Exception e){
e.printStackTrace();
}
try{
URL url = new URL( urlString );
//1st argument service URI, refer to wsdl document above
//2nd argument is service name, refer to wsdl document above
QName qname = new QName("http://synchronization.ws/", "ExampleImplclass");
Service service = Service.create(url, qname);
IExample iExample = service.getPort(IExample.class);
return iExample;
}catch(Exception e)
{
e.printStackTrace();
return null;
}
}
I am writing a simple https client that will pull down the html of a webpage over https. I can connect to the webpage fine however the html I pull down is gibberish.
public String GetWebPageHTTPS(String URI){
BufferedReader read;
URL inputURI;
String line;
String renderedPage = "";
try{
inputURI = new URL(URI);
HttpsURLConnection connect;
connect = (HttpsURLConnection)inputURI.openConnection();
connect.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401");
read = new BufferedReader (new InputStreamReader(connect.getInputStream()));
while ((line = read.readLine()) != null)
renderedPage += line;
read.close();
}
catch (MalformedURLException e){
e.printStackTrace();
}
catch (IOException e){
e.printStackTrace();
}
return renderedPage;
}
When I pass it a string like https://kat.ph/ around 10,000 characters of gibberish is returned
EDIT
Here is my modified code for self-signing certs however I'm still getting the encrypted stream:
public String GetWebPageHTTPS(String URI){
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (GeneralSecurityException e) {
}
try {
System.out.println("URI: " + URI);
URL url = new URL(URI);
} catch (MalformedURLException e) {
}
BufferedReader read;
URL inputURI;
String line;
String renderedPage = "";
try{
inputURI = new URL(URI);
HttpsURLConnection connect;
connect = (HttpsURLConnection)inputURI.openConnection();
read = new BufferedReader (new InputStreamReader(connect.getInputStream()));
while ((line = read.readLine()) != null)
renderedPage += line;
read.close();
}
catch (MalformedURLException e){
e.printStackTrace();
}
catch (IOException e){
e.printStackTrace();
}
return renderedPage;
}
"is it compressed by any chance? stackoverflow.com/questions/8249522/…" – Mahesh Guruswamy
yes, turns out it was just gzip compressed here is my work around for this
public String GetWebPageGzipHTTP(String URI){
String html = "";
try {
URLConnection connect = new URL(URI).openConnection();
BufferedReader in = null;
connect.setReadTimeout(10000);
connect.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401");
if (connect.getHeaderField("Content-Encoding")!=null && connect.getHeaderField("Content-Encoding").equals("gzip")){
in = new BufferedReader(new InputStreamReader(new GZIPInputStream(connect.getInputStream())));
} else {
in = new BufferedReader(new InputStreamReader(connect.getInputStream()));
}
String inputLine;
while ((inputLine = in.readLine()) != null){
html+=inputLine;
}
in.close();
return html;
} catch (Exception e) {
return html;
}
}
}
HTTPS always presents a Certificate and the further communication happens on a secure encrypted channel. That is why what you are receiving looks like gibberish.
For any signed certificates, HttpsURLConnection will do the work for you and everything works. Things become muddy when the Certificate is not signed by a certificate authority. In such instances if you open that URL from a browser, it will present the Certificate for you to examine and accept before continuing.
Looks like you have the similar issue here. What you need to do is to tell Java to accept self-signed certificates without complaining. You have two options here, either download the certificate (just open the URL in any browser and it will show you how to) and add it to the keystore inn your JVM or create your own TrustManager and disable the Certificate Validate.
See this SO answer for details of both these options. https://stackoverflow.com/a/2893932/2385178