  URLConnection and SSL  (Read 3066 times)
Offline psiegel

Junior Member




Adamant about gaming.


« Posted 2003-11-05 13:52:43 »

Cas asked me to give a bit of brain dump on SSL as I use it in Danger Maze, so I thought the Networking topic seemed a more appropriate place for it.  

I'm going to assume you know how to set up a web server using SSL.  Read up on your apache docs if not, or whatever web server you happen to be using.  Personally, I'm using Apache 2 on a RedHat Linux server, and found the book "Official RedHat Linux Administrator's Guide" has an excellent section in the web server chapter about setting up SSL.

Now then, presuming you want to make a connection from a java client to your SSL web server, here we go.   We're going to use a java.net.URLConnection object, just like you would to make a get/post request over regular http.  But we're going to override the Trust Manager for that connection.  So first thing is, we need a TrustManager class.

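import java.io.*;
import java.net.*;
import java.security.cert.*;
import javax.net.ssl.*;

class MyTrustManager implements X509TrustManager {

  // The one server certificate this client accepts.
  protected static X509Certificate     kCert;

  static {
    // A static initializer cannot throw checked exceptions, so wrap them.
    try {
      FileInputStream fis = new FileInputStream("mycert.cer");
      BufferedInputStream bis = new BufferedInputStream(fis);
      try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        kCert = (X509Certificate)cf.generateCertificate(bis);
      } finally {
        bis.close();
      }
    } catch (Exception e) {
      throw new ExceptionInInitializerError(e);
    }
  }

  public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException
  {
    // Unused: this client only connects out to a known server.
  }

  public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException
  {
    // Reject an empty chain, otherwise the loop below would pass without checking anything.
    if (certs == null || certs.length == 0) {
      throw new CertificateException("No server certificate presented!");
    }
    for (int i=0;i<certs.length;i++) {
      if (!kCert.equals(certs[i])) {
        throw new CertificateException("Certificate does not match!");
      }
    }
  }

  public X509Certificate[] getAcceptedIssuers() {
    // The interface expects a non-null array.
    return new X509Certificate[0];
  }
}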

You can see I punted on checkClientTrusted and getAcceptedIssuers.  I'm only interested in making a connection to a known server, so these methods aren't really important to me.

Now, to make the request, it should look like this:

  // Note: setDefaultSSLSocketFactory changes the factory for every
  // HttpsURLConnection created afterwards in this JVM.
  SSLContext sc = SSLContext.getInstance("SSL");
  TrustManager[] trustManagers = new TrustManager[1];
  trustManagers[0] = new MyTrustManager();
  sc.init(null, trustManagers, new java.security.SecureRandom());
  HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

  URL url = new URL("https://myserver.com/myservice");
  URLConnection conn = url.openConnection();


From there you just use the normal means of creating a post or get with the URLConnection object.  One other trick I'll mention that I've done is rather than loading the certificate from a file, you can embed it right into your java class.  Simply make a String variable that has the PEM encoded version of your cert, then create a ByteInputStream around the string.getBytes().  Use this instead of the BufferedInputStream above, and you're all set.

Hope this helps.

--Paul
 

Paul Siegel
Adamant Games, Inc.
http://www.adamantgames.com
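
The embedded-certificate variant described in the post above, as an added example that is not part of the original post. It assumes the standard `java.io.ByteArrayInputStream` for the in-memory stream, pins only the leaf certificate, checks its validity dates, and installs the socket factory on one connection instead of as the JVM default; `PinnedConnection`, `parsePem`, `pinTo` and `open` are hypothetical names, and `PINNED_PEM` is a placeholder to replace with your own certificate.

```java
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class PinnedConnection {
  // Placeholder: paste the PEM text of your own server certificate here.
  static final String PINNED_PEM =
      "-----BEGIN CERTIFICATE-----\n"
    + "<base64 body of your certificate>\n"
    + "-----END CERTIFICATE-----\n";

  static X509Certificate parsePem(String pem) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem.getBytes("US-ASCII")));
  }

  // Trust manager that accepts exactly one server certificate and nothing else.
  static TrustManager pinTo(final X509Certificate pinned) {
    return new X509TrustManager() {
      public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication is not supported");
      }
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        chain[0].checkValidity();  // rejects an expired or not-yet-valid certificate
        if (!pinned.equals(chain[0])) throw new CertificateException("certificate does not match the pin");
      }
      public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
  }

  static HttpsURLConnection open(URL url, String pem) throws Exception {
    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, new TrustManager[] { pinTo(parsePem(pem)) }, null);
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    conn.setSSLSocketFactory(sc.getSocketFactory());  // this connection only, not the JVM default
    return conn;
  }
  public static void main(String[] args) throws Exception {
    HttpsURLConnection conn = open(new URL("https://myserver.com/myservice"), PINNED_PEM);
    System.out.println("HTTP " + conn.getResponseCode());
  }
}
```

The default hostname verifier of `HttpsURLConnection` still runs, so the self-signed certificate's name has to match the host in the URL.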
Offline psiegel

Junior Member




Adamant about gaming.


« Reply #1 - Posted 2003-11-05 13:55:54 »

One more point -

All this is assuming you're using a self-signed certificate on your web server.  If you paid the big-bucks for a real cert from Verisign or some such, you probably don't need any of this.  I think you could just create your URL object and go.

Paul

Paul Siegel
Adamant Games, Inc.
http://www.adamantgames.com
Offline princec

JGO Kernel


Medals: 362
Projects: 3
Exp: 16 years


Eh? Who? What? ... Me?


« Reply #2 - Posted 2003-11-05 20:36:03 »

Er, actually I've got no idea at all how to set up SSL on my webserver :-/ I use IIS (sorry). Any tips on that?

Cas :)

Offline psiegel

Junior Member




Adamant about gaming.


« Reply #3 - Posted 2003-11-06 10:33:30 »

Tips?  How about, stop using IIS.  Seriously, like half the viruses out there today specifically target IIS servers to propagate themselves.  There is a Windows version of Apache available, so you don't have to go setting up a linux server just to make the switch.

Sorry, that's probably not what you wanted to hear.  Unfortunately I have no experience with IIS.  You'll have to consult your documentation, maybe get a book, or <shudder> contact Microsoft for support.  

To point you in the right direction, what you really want to do is create a self-signed certificate for your web server.  Look for that in your research.  Buying an official cert from Verisign is big bucks.  (Last I checked it was around $400, no doubt it's increased since then).  

Paul

Paul Siegel
Adamant Games, Inc.
http://www.adamantgames.com
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #4 - Posted 2003-11-06 13:50:57 »

Quote
Tips?

To point you in the right direction, what you really want to do is create a self-signed certificate for your web server.  Look for that in your research.  Buying an official cert from Verisign is big bucks.  (Last I checked it was around $400, no doubt it's increased since then).  


If anyone needs any help on setting up a Java-based SSL server, I've got it mostly licked now :).

A good starting point for java SSL is this link:

http://www.churchillobjects.com/c/11201.html

which includes details of how to use the java key-mgmt tools (distributed with the JDK) to sign certificates etc. IIRC I found one or two errors in it, minor things, and it's not got enough detail to solve a lot of the common problems (note: their troubleshooting section is WRONG; its explanation of at least one of the Errors/Exceptions is wrong, or was the last time I got that one :( ).

But on the whole, it's nice and simply explained...

malloc will be first against the wall when the revolution comes...
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #5 - Posted 2004-03-03 16:06:50 »

I can't get *any* of Sun's client SSL examples to work on out-of-the-box 1.4.2 installation, due to "No trusted certificate found".

EDIT: I misread the certificate. Now I simply don't know why a standard JDK install is broken :(.

malloc will be first against the wall when the revolution comes...
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #6 - Posted 2004-03-03 21:35:46 »

Quote
I can't get *any* of Sun's client SSL examples to work on out-of-the-box 1.4.2 installation, due to "No trusted certificate found".

EDIT: I misread the certificate. Now I simply don't know why a standard JDK install is broken :(.


Problem appears to have been that 1.4.2 on linux is/was missing several certificates that are/were present in the windows JDK (1.4.2.something, I think). Copying the windows cacerts over the linux one fixed everything.

(problem existed on several different linux 1.4.2 JVM's at different sites)

malloc will be first against the wall when the revolution comes...
Offline Jeff

JGO Coder




Got any cats?


« Reply #7 - Posted 2004-03-04 03:02:06 »

Hey Blah,

If these are our Win and Linux VMs then pls post a bug that the certs are missing in the Linux distro.  Thanks.

JK

Got a question about Java and game programming?  Just new to the Java Game Development Community?  Try my FAQ.  It's likely you'll learn something!

http://wiki.java.net/bin/view/Games/JeffFAQ
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #8 - Posted 2004-03-04 07:45:16 »

Quote
Hey Blah,

If these are our Win and Linux VMs then pls post a bug that the certs are missing in the Linux distro.  Thanks.

JK


:) Sure. I'd like to find a clean windows and a clean linux install just to 100% confirm before I log a bug though.

If anyone would like to help...you can tell which cacerts you have by looking at the file size. The windows one, with all certs, is a little over 21,000b whereas the linux one, which is missing some certs, is a little over 17,000b.

The files are found at [jdk-directory]/jre/lib/security/cacerts

malloc will be first against the wall when the revolution comes...
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #9 - Posted 2004-03-04 09:54:08 »

Not sure, but looks like it's a fixed bug already, it was fixed in a sort of "invisible" release (i.e. no increment to version number, incremented an underscore suffix instead); looks like the affected linux machines were merely a build (or whatever?) behind. I found this, eventually:

Quote

As a side note: Sun's built-in certificates (used for SSL+Applets) expire on the 7th January 2004. For that reason there are updated JRE versions (1.4.2_03, 1.4.1_06 and 1.3.1_10).

Also a workaround for importing the new keys:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436


Confusingly, java -version on the affected linux JVM doesn't document any "_"+anything signifier in the version - it just has "1.4.2-b28".

My mistake. I thought "1.4.2" was a JVM version; at least I know for the future that "1.4.2" is not a version of the JVM, although I wish Sun would adopt "1.4.2.03", and so make it completely clear :(.

malloc will be first against the wall when the revolution comes...
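
A more direct check than comparing cacerts file sizes, as an added example that is not part of the original thread: it loads a JRE trust store, prints its size and entry count, and lists every certificate entry that has already expired. `CacertsAudit`, `findCacerts` and `expired` are hypothetical names; the code assumes the store uses the JDK's default password `changeit`, and accepts an optional path argument so two installations can be compared.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

public class CacertsAudit {
  // Trust store of the running JRE; falls back to the jre/ layout if java.home is a JDK root.
  static File findCacerts() {
    String home = System.getProperty("java.home");
    File f = new File(home, "lib/security/cacerts");
    return f.isFile() ? f : new File(home, "jre/lib/security/cacerts");
  }

  // One line per certificate entry whose notAfter date lies before 'now'.
  static List<String> expired(KeyStore ks, Date now) throws Exception {
    List<String> out = new ArrayList<String>();
    for (String alias : Collections.list(ks.aliases())) {
      Certificate c = ks.getCertificate(alias);
      if (c instanceof X509Certificate) {
        X509Certificate x = (X509Certificate) c;
        if (now.after(x.getNotAfter())) out.add(alias + "  expired " + x.getNotAfter());
      }
    }
    Collections.sort(out);
    return out;
  }

  public static void main(String[] args) throws Exception {
    File file = args.length > 0 ? new File(args[0]) : findCacerts();
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream in = new FileInputStream(file);
    try {
      ks.load(in, "changeit".toCharArray());  // assumption: default cacerts password
    } finally {
      in.close();
    }
    System.out.println(file + ": " + file.length() + " bytes, " + ks.size() + " entries");
    for (String line : expired(ks, new Date())) System.out.println("  " + line);
  }
}
```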
Offline cfmdobbie

Senior Member


Medals: 1


Who, me?


« Reply #10 - Posted 2004-03-04 21:02:15 »

Yeah, that gets to me, too.  Either there's no difference between the builds and the user doesn't need to know, or there are real differences whereupon the user should be told.  This is quite apart from the naming scheme screw up - a basic rule of release management is that if you're releasing version 6.2b you'd better make damn sure any reference to the version number says "6.2b".  Any other policy will eventually cause confusion and misery, probably to the last person you want to annoy.

Hellomynameis Charlie Dobbie.
Offline cknoll

Junior Member




Flame On!


« Reply #11 - Posted 2004-03-04 23:33:34 »

Aren't we talking about something separate from the JVM itself?  Namely: the certificates?  I'm not sure if you would update the jvm version if supporting resources were updated, would you?

-Chris
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #12 - Posted 2004-03-05 07:33:53 »

Quote
Aren't we talking about something separate from the JVM itself?  Namely: the certificates?  I'm not sure if you would update the jvm version if supporting resources were updated, would you?


To re-iterate my earlier post: if you do NOT update, ALL of Sun's official sample code ceases to work. All your correctly-written existing java SSL applications that access standard HTTPS sites cease to work.

This is not a minor issue. I would imagine that over the next few months there will be many java developers who fail to get started with SSL at all because their local JVM appears to be the latest version but isn't, and Sun's own example code won't work "out of the box". For instance, in corporates and universities, where the installed JVM may not be updated very often.

Sun has compounded this problem by *NOT* including the text of the Exception that is thrown in the page described above - if you google for it today, you won't find anything anywhere which tells you about this problem (I've spent many hours looking!). Unfortunately, I don't have any machines left which throw the exception, or else I'd quote it in this thread :).

But the problem will slowly vanish as more people upgrade their JVM's. It shouldn't affect most windows devs because of the auto-update feature they have now (which I believe is the only reason why I had a later windows JVM)

malloc will be first against the wall when the revolution comes...
Offline blahblahblahh

JGO Coder


Medals: 1


http://t-machine.org


« Reply #13 - Posted 2004-03-12 20:27:46 »

Quote

Confusingly, java -version on the affected linux JVM doesn't document any "_"+anything signifier in the version - it just has "1.4.2-b28".

My mistake. I thought "1.4.2" was a JVM version; at least I know for the future that "1.4.2" is not a version of the JVM, although I wish Sun would adopt "1.4.2.03", and so make it completely clear :(.


Update: Sun has fixed this. Linux now reports "1.4.2_04-b05" as the version (in line with win builds IIRC). I guess that means it was a bug not a feature ;).

malloc will be first against the wall when the revolution comes...