Secure Your Sockets with JSSE
Securing Java Clients
Your Java applications may also require clients to support
SSL. Client-side SSL is even easier to support than server-side
SSL. Listing 7 presents a basic text-based Java browser. You can use
it for browsing text-based Web pages. For example, if you enter
java Browser http://onjava.com, you'll get a ton of HTML
markup.
Listing 8 presents SecureBrowser, which extends
Browser to provide SSL support. You can run SecureBrowser
against a site that implements SSL, such as Sun's secure web site. For
example, java SecureBrowser https://www.sun.com will
establish a secure connection to Sun's web page and download a lot of
markup securely.
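The trick to implementing SSL on the client is to register JSSE and
set the java.protocol.handler.pkgs system property so
that JSSE is automatically used to handle https URLs:
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
These two calls are needed only where JSSE is installed as an optional
package (J2SE 1.2 and 1.3). From J2SE 1.4 onward JSSE is part of the
platform and https URLs are handled without them.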
You may wonder what happens when you run SecureBrowser
against SecureServer. It doesn't work. That's because
SecureBrowser won't accept SecureServer's
phony certificate. However, we can trick SecureBrowser
into accepting SecureServer's certificate. Here's
how:
Use keytool to export the server certificate from the certs keystore.
keytool -export -keystore certs -alias jamie -file server.cer
Enter keystore password: serverkspw
Certificate stored in file <server.cer>
Use keytool to create a new keystore named jssecacerts (which will be used as a truststore by SecureBrowser). Import server.cer into jssecacerts.
keytool -import -keystore jssecacerts -alias jamie -file server.cer
Enter keystore password: 12345678
Owner: CN=enpower, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US
Issuer: CN=enpower, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US
Serial number: 3ae5d0fc
Valid from: Tue Apr 24 12:16:12 PDT 2001 until: Mon Jul 23 12:16:12 PDT 2001
Certificate fingerprints:
MD5: A9:00:67:FF:7A:1B:D4:4A:D5:33:72:97:C5:88:0B:6D
SHA1: 16:40:79:8A:11:BC:F8:AE:96:0D:FF:30:46:B5:62:0F:E2:18:56:7F
Trust this certificate? [no]: y
Certificate was added to keystore
Finally, copy jssecacerts to the lib/security subdirectory of your java.home directory (on your client machine).
Now SecureBrowser will use jssecacerts as a truststore to authenticate SecureServer.
When I run SecureBrowser against
SecureServer, I get the following output:
java SecureBrowser https://enpower/
THE HEADERS
-----------
KEY: Content-Length
VALUE: 487
KEY: Content-Type
VALUE: text/html
THE CONTENT
-----------
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Welcome to Java Security using JSSE</title>
</head>
<body>
<h1>Welcome to Java Security using JSSE</h1>
<p>This page was securely sent using SSL version 3.0.</p>
</body>
</html>
Listing 7. A Basic Java Browser.
import java.io.*;
import java.net.*;
import java.security.*;

// A simple text-based browser
public class Browser {
    String urlString;

    // You must supply the URL to be browsed
    public static void main(String[] args) throws Exception {
        if(args.length != 1) {
            System.out.println("Usage: java Browser url");
            System.exit(1);
        }
        Browser browser = new Browser(args[0]);
        browser.run();
    }

    // Construct a browser object
    public Browser(String urlString) {
        this.urlString = urlString;
    }

    // Get the URL
    public void run() throws Exception {
        URL url = new URL(urlString);
        HttpURLConnection urlc = (HttpURLConnection) url.openConnection();
        System.out.println("THE HEADERS");
        System.out.println("-----------");
        for(int i=1;;++i) {
            String key;
            String value;
            if((key = urlc.getHeaderFieldKey(i)) == null) break;
            if((value = urlc.getHeaderField(i)) == null) break;
            System.out.println("KEY: " + key);
            System.out.println("VALUE: " + value);
        }
        BufferedReader reader = new BufferedReader(
            new InputStreamReader(urlc.getInputStream()));
        String line;
        System.out.println("THE CONTENT");
        System.out.println("-----------");
        while((line = reader.readLine()) != null) System.out.println(line);
    }
}
Listing 8. A Browser that Supports Basic SSL
import java.io.*;
import java.net.*;
import java.security.*;

// Extend Browser to use SSL
public class SecureBrowser extends Browser {
    // Must supply URL in command line
    public static void main(String[] args) throws Exception {
        if(args.length != 1) {
            System.out.println("Usage: java SecureBrowser url");
            System.exit(1);
        }
        SecureBrowser browser = new SecureBrowser(args[0]);
        browser.run();
    }

    // Construct a SecureBrowser
    public SecureBrowser(String urlString) {
        super(urlString);
        // Register JSSE
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        // Here's the trick!
        // Simply set the protocol handler property to use SSL.
        System.setProperty("java.protocol.handler.pkgs",
            "com.sun.net.ssl.internal.www.protocol");
    }
}