Trusting every certificate

Published by Emir Buğra KÖKSALAN

Hi all.

I’m working on a web service project. Our workstations’ Tomcats are configured with SSL, which means we connect to Tomcat over HTTPS on port 8443. Of course my web service runs on Tomcat, and if I try to connect to it with basic HTTP I get bullshit errors. To solve this issue I searched Google and then wrote a Java method. Let me show you my method.

// Imports needed by the two methods below. `logger` and `read( InputStream )` belong to the
// enclosing class and are not shown in this post.
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.URL;
import java.net.URLConnection;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// TODO: This is trusting every certificate. This is not secure for live. Add trusted certificates to tomcat. Think about it.
private String sendSoapRequest( String xmlData ){
    try{
        // TODO: Make this configurable. Don't use configurable things as hardcoded.
        String hostName = "localhost";
        int port = 8443;

        URLConnection connection = null;
        URL url = new URL( "https://" + hostName + ":" + port + "/mywebserviceapp/xservice" );
        logger.debug( "Hostname: " + url.getHost() );

        // Disables certificate and host name checks for every HttpsURLConnection in this JVM
        trustAllCertificates();

        connection = url.openConnection();
        // TODO: Make these values configurable
        // connection.setConnectTimeout( 1000 );
        // connection.setReadTimeout( 1000 );
        connection.setDoOutput( true );
        connection.setDoInput( true );
        connection.setUseCaches( false );
        connection.setRequestProperty( "Content-Type", "text/xml; charset=UTF-8" );
        connection.setRequestProperty( "User-Agent", "Jakarta Commond-HttpClient/3.1" );
        // Content-Length counts bytes of the UTF-8 body, not characters of the String
        connection.setRequestProperty( "Content-Length", "" + xmlData.getBytes( "UTF-8" ).length );

        Writer wr = new OutputStreamWriter( connection.getOutputStream(), "UTF-8" );
        wr.write( xmlData );
        wr.flush();
        wr.close();

        return read( connection.getInputStream() );
    }
    catch( Exception e ){
        logger.error( "Error: ", e );
    }
    return null;
}

private void trustAllCertificates(){

    // Trust manager that accepts any certificate chain without checking it
    TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager(){

        public X509Certificate[] getAcceptedIssuers(){
            // The interface requires a non-null array
            return new X509Certificate[0];
        }

        public void checkClientTrusted( X509Certificate[] certs, String authType ){
        }

        public void checkServerTrusted( X509Certificate[] certs, String authType ){
        }
    } };
    // Install the all-trusting trust manager as the JVM-wide default
    try{
        SSLContext sc = SSLContext.getInstance( "SSL" );
        sc.init( null, trustAllCerts, new java.security.SecureRandom() );
        HttpsURLConnection.setDefaultSSLSocketFactory( sc.getSocketFactory() );
    }
    catch( Exception e ){
        logger.error( "Could not install the all-trusting trust manager: ", e );
    }
    // Create the all-trusting host name verifier. The original listing first installed an
    // auto-generated verifier that returned false and then replaced it with this one, so
    // only this verifier was ever in effect.
    HostnameVerifier verifier = new HostnameVerifier(){

        @Override
        public boolean verify( String hostname, SSLSession session ){
            return true;
        }
    };
    // Install the all-trusting host verifier as the JVM-wide default
    HttpsURLConnection.setDefaultHostnameVerifier( verifier );
}
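
The TODO at the top of the method asks for the Tomcat certificate to be trusted explicitly instead of trusting everything. As an added example (not code from the original post), the class below builds an SSLContext from a truststore that holds only that certificate and applies it to a single connection, leaving the JVM-wide defaults and the default host name verifier in place. The class name, the truststore file `dev-truststore.jks` and its password are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreClient {

    // Builds an SSLContext that trusts only the certificates stored in the given truststore.
    static SSLContext contextFor( String truststorePath, char[] password ) throws Exception {
        KeyStore trustStore = KeyStore.getInstance( KeyStore.getDefaultType() );
        try( InputStream in = Files.newInputStream( Paths.get( truststorePath ) ) ){
            trustStore.load( in, password );
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
        tmf.init( trustStore );

        SSLContext ctx = SSLContext.getInstance( "TLS" );
        ctx.init( null, tmf.getTrustManagers(), null );
        return ctx;
    }

    // Applies the context to this connection only; other HTTPS clients in the JVM keep
    // the platform trust store, and the default host name verifier stays active.
    static HttpsURLConnection open( URL url, SSLContext ctx ) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory( ctx.getSocketFactory() );
        return conn;
    }

    public static void main( String[] args ) throws Exception {
        // Assumed file and password. The truststore can be created with, for example:
        // keytool -importcert -alias tomcat -file tomcat.crt -keystore dev-truststore.jks
        SSLContext ctx = contextFor( "dev-truststore.jks", "changeit".toCharArray() );
        URL url = new URL( "https://localhost:8443/mywebserviceapp/xservice" );
        try{
            System.out.println( "HTTP " + open( url, ctx ).getResponseCode() );
        }
        catch( SSLHandshakeException e ){
            // Raised when the server certificate is not in the truststore
            System.out.println( "Certificate rejected: " + e.getMessage() );
        }
    }
}
```

Because host name verification is still on, the Tomcat certificate must list the name used in the URL (here `localhost`) for the connection to succeed.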

Here are the resources:

http://hc.apache.org/httpclient-legacy/sslguide.html

http://www.java-samples.com/showtutorial.php?tutorialid=211

http://stackoverflow.com/questions/1802051/https-hostname-wrong-should-be-sub-domain-com-what-causes-this

http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/

That’s it…
